The Internet of Things: A Game Changer for IT Audit

By Anthony Chalker, Managing Director
IT Audit Practice

 

 

 

I recently had the honor of attending ISACA’s 2017 North America CACS Conference in Las Vegas, where I discussed how the Internet of Things (IoT) continues to transform the mission of IT auditors. The IoT is a perfect example of an all-around disruptor, including in IT audit departments, as businesses collect, analyze and act on data captured outside of the traditional IT boundaries. As a result, IT auditors now routinely must take steps to provide assurance over systems that are no longer under their direct control.

Auditors are fully aware of the challenge. Participants in Protiviti’s 2016 Internal Audit Capabilities and Needs Survey acknowledge that they need to improve their IoT technical knowledge, or they’ll be unable to do their job. Technical knowledge ranked as a top-five issue among the most important internal audit priorities in the survey report. Without an in-depth understanding of the IoT, the technology that enables it and the business opportunities and risks it presents, we as auditors will be unable to quickly recognize innovations and how they could affect the organization’s business model or strategic objectives in the midst of a disruptive environment.

Below are just a few baseline points we covered during the conference discussion panel:

What is the IoT?
The IoT is an environment in which virtually any object, animal or person with a unique identifier on the internet has the ability to communicate over a network with another device, without the need for human-to-human or human-to-computer interaction. The IoT evolved from the convergence of wireless technologies, micro-electromechanical systems (MEMS) and the internet. In short, the IoT is giving the world a digital nervous system that’s connecting people, processes and systems, from devices, such as smartphones and tablets on the consumer level, to machine sensors on the industrial level.

What is driving the IoT’s growth?
The explosive growth of the IoT is supported by several converging technologies, including:

  • Adoption of IPv6 – The ability to have a seemingly unlimited number of unique identifiers on the Internet. To put this in perspective, IPv6 allows every atom on the face of the earth to have its own identifier, with enough left over for another 100 Earths.
  • Enhanced sensors – The dramatic drop in cost combined with the equally dramatic increase in capabilities of sensors to capture, analyze, store and transmit data.
  • Low-power/wide area communications – The ability to transmit data from a wide range of sensors across a simplified and secure communication infrastructure utilizing batteries or other low-power sources designed for the expected useful life of the sensor.

The convergence of these developments is ushering in a new digital platform that allows organizations to devise new and inventive methods of reaching strategic objectives. In a recent McKinsey article, the authors estimate that the IoT will have a $4 to $11 trillion economic impact over the next eight years.

What is the role of the IT auditor in an IoT environment?
The IoT integrates technologies to enhance business information needs. However, this does not mean that IoT projects necessarily originate in the IT organization. Many of the current IoT projects are occurring outside of the traditional walls of IT. As such, the IoT does not represent as much of a change in the purpose of the IT landscape or the types of issues that auditors typically address as it represents a change in where strategy is being implemented. We need to acknowledge this shift and ensure that we have a seat at the table to understand how the organization’s strategy is driving the IoT vision and the related IT risks that need to be addressed to successfully fulfill that vision.

To be sure, IoT discussions are happening across organizations today, from purchasing to research and development. IoT is not limited to a single industry or business process. As an IT auditor, are you part of these conversations? Are you in the loop of your organization’s IoT strategic initiatives? Again, we need to ensure a seat at the table to effectively perform our role as risk counselors and assurance advisors to management and the board about this rapidly evolving area. Unlike many areas on our traditional risk plan, IoT does not have an embedded platform of existing policies and procedures to leverage. If we are not part of the strategic discussion, it will be difficult to fulfill our risk advisory role. Simply stated, we need to get in the loop, or we’ll find ourselves on the outside looking in.

IoT does not inherently require a new IT audit skill set as much as it demands a new approach to identifying the linkage of strategy to IoT solutions. Here are a few questions we as auditors should consider as we continue to develop and refine strategies and solutions to help businesses maximize their IoT experience:

  • How is the IoT deployed in our organization today, and who owns it or its respective components? This includes determining an organization’s potential IoT inventory and IoT’s business activity role. The IoT could play a part in the end products that a business sells, for example, or in internal process management. It most likely does not reside in the IT organization. In many cases, projects will not include the wording “IoT” in their project plans or definitions. This underscores the importance of having skilled IT auditors who are able to link strategy and the underlying implementation mechanisms to identify where the IoT exists within the organization.
  • Do we know what data is collected, stored and analyzed, and have we assessed the potential legal, security and privacy implications? If IoT technology is found within a company’s solution offerings, for example, customer agreements may require disclosures regarding what information the devices are capturing and sharing. Do the organization’s data governance policies cover the tremendous amount of data being captured through the thousands of deployed sensors? Does the collection of sensor data pose risks that data may be aggregated in a manner that would create privacy concerns?
  • Do we have contingency plans in place in case our IoT “things” are hijacked or modified for unintended purposes? Among other considerations, it is critical to identify how an organization uses IoT devices and how a partial or full network shutdown would impact the business. Does the loss of these devices pose a risk to our organizations or other organizations? Is there a risk that our devices sold to others could be compromised on a large scale? One well-publicized example was the utilization of thousands of internet-connected devices as part of a denial of service attack on Dyn in October of 2016.

Auditors recognize that they need to improve their IoT technical knowledge, a skill set that is only going to grow in demand given the rapid deployment of connected devices throughout industry. We need to continually communicate with IoT experts and company managements and boards to create policies and procedures that address IoT opportunities and risks for organizations and industries alike. Perhaps the biggest risk on the auditor’s side of the ledger is failing to help his or her organization utilize IoT to make the most of its growth potential.

No More Waiting Game for Manufacturers: Industry 4.0 Is Already Here

By Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader

 

 

 

The term “Industry 4.0” isn’t new to manufacturers. What is new, for many of these businesses, is the recognition that the next wave of the Industrial Revolution is already breaking. There is no more time for “Let’s wait and see what this means for our business.” No manufacturer can afford to sit on the sidelines and watch as their industry is transformed by major innovations in digital technology — from cloud computing to big data analytics to advanced robotics to the Internet of Things (IoT). They must be in the game. And to be in it, they must transform their operations digitally.

Embracing big data analytics is an important step on the path to smart manufacturing. A new Protiviti white paper, “Big Data Adoption in Manufacturing,” explains it like this: “Big data analytics has the potential to affect every step of a manufacturing process. […] Ultimately, advances in big data analytics are expected to augment the interconnectivity of equipment on the factory floor as part of a larger movement toward the Internet of Things and greater manufacturing intelligence.”

That’s a pretty big deal. Yet manufacturers, generally, have been slow to adopt big data analytics, especially in manufacturing operations. This is not necessarily due to lack of interest, or worry about costs, privacy, security or even change itself. The real hindrance is a combination of several significant roadblocks that many manufacturers must overcome before they can implement and execute big data analytics successfully.

These common barriers include:

  • Unwieldy data and processes — Manufacturers facing this problem can take comfort in knowing it’s an issue that plagues most any company pursuing digital transformation. Certainly, there is no shortage of data being produced by the business. The challenge is figuring out how exactly to bring together that ever-ballooning volume of raw data from different systems and sources so it can be analyzed and turned into actionable insights for the business.
  • Disparate systems — This barrier relates to the one above, obviously. Integrating data is complicated by inaccessibility. It is often the case that a business’s legacy technologies have not been designed to facilitate open access to data. The complexity of a typical IT ecosystem makes it very difficult to mine quality data and convert it into a workable format for analysis.
  • Expertise shortage — Finding specialized talent to work with big data — especially professionals with knowledge of the manufacturer’s business and industry — can be a tremendous hurdle. Manufacturers are finding that talent is in very short supply, and extremely competitive to recruit and retain. Over time, as the industry becomes more digitized, manufacturers are likely to face talent shortages in even more areas of their business.

Again, these are just some of the roadblocks manufacturers face. They are not trivial, and companies will find that some are quite persistent. But a manufacturer that wants to be a relevant player in Industry 4.0 must address them sooner rather than later.

Make sure big data projects have a purpose

As manufacturers work to overcome big data analytics obstacles, they must not forget an important aspect of their effort: keeping their business strategy in focus. I will come back to this subject and offer a few tips for success in this area in a future post, but the one I want to mention here is extremely important: Identify a specific use case.

Manufacturers should not just “do” big data analytics because they are under pressure to evolve their operations. Any big data initiative should have a clear purpose. Lack of purpose is often the root cause of a company’s struggles to harness its data effectively and turn it into meaningful insights.

Some may consider it an upside that the manufacturing industry has not moved as quickly as other industries to jump on the big data bandwagon. And it is true that manufacturers that have so far taken a “wait and see” approach with big data analytics and similar digital innovations have the benefit of learning from the missteps of early adopters, and can develop a strategy for success based on lessons learned. But they must make their move now, or they risk falling too far behind the digital curve and becoming obsolete in Industry 4.0.

 

 

From the GAM Conference: Changing Priorities, Analytics in Auditing and More

This week, Protiviti is joining the best and brightest thought leaders from Fortune 500 companies at The Institute of Internal Auditors’ 2017 General Audit Management (GAM) Conference in Orlando, FL. For nearly 40 years, GAM has been the premier experience for internal audit leaders to explore emerging issues and exchange leading practices for positive outcomes. The theme for the 2017 conference is Fostering Risk Resilience. Two Protiviti leaders, Brian Christensen and Jordan Reed, will be conducting panel discussions on stakeholder expectations and the Internet of Things, respectively. We are covering these events and more from the conference here on our blog and on Protiviti’s social media platforms. Subscribe to our blog and follow us on Twitter for timely podcasts and analysis of this year’s conference topics.

 

On Day 2 of the conference, Protiviti Managing Director Jordan Reed shared some thoughts on the panel discussion titled “The Internet of Things: What Does This Mean to Internal Audit?” Jordan led the panel together with Jeff Rowland, Vice President, Audit Services at USAA. Below in Jordan’s own words are highlights from the discussion. For more on why the Internet of Things matters, and the risks and expectations arising from it, read the recently published Protiviti white paper (download).

Also hear Protiviti Managing Director and The Protiviti View blog host Jim DeLoach share his view on stakeholder expectations as reflected in the Global Internal Audit CBOK Stakeholder Study.

Finally, Protiviti Managing Director Matt McGivern discusses the current state of data analytics in internal auditing, including findings from Protiviti’s latest internal audit survey. Listen below.

Assessing the Expectations of Internal Audit Stakeholders at The IIA GAM Conference

Panel Session at the 2017 IIA GAM Conference:
Stakeholder Expectations (Updates from CBOK Stakeholder Studies)

Today at The IIA 2017 GAM Conference, Brian Christensen, Executive Vice President, Global Internal Audit for Protiviti, participated in a panel discussion before more than 1,000 conference attendees, on the expectations of internal audit stakeholders and how internal audit can continue to improve its performance. The panel was moderated by Paul Sobel, Vice President and Chief Audit Executive, Georgia-Pacific LLC. Panelists were Angela Witzany, Chair, IIA Board of Directors and Head of Internal Audit at Sparkassen Versicherung AG; Larry Harrington, Vice President, Internal Audit at Raytheon Company; and Brian Christensen, Executive Vice President, Global Internal Audit at Protiviti.

Following are some highlights from Brian’s comments:

  • Are we in the so-called “golden age” of internal audit? Membership in The IIA is at an all-time high. Conferences and programs are near capacity. As internal auditors, we are part of the conversation in the boardroom and management circles. And internal audit has been rated one of the 10 best professions to start a career. But, it’s important to ask, what can we do better? How do we remain relevant and serve our constituents better? Answering these questions was the goal of the 2016 Global Internal Audit Common Body of Knowledge (CBOK) Stakeholder Study.
  • Stakeholders agree that internal audit is focused on the most significant areas in their organizations. Internal audit is keeping up with changes in the business and is communicating well with management and the board.
  • Internal audit needs to further leverage its positive reputation for quality in other areas of the business where it can add value.
  • Management and the board want internal audit to “move beyond its comfort zone” to help organizations bring internal audit perspective on strategic initiatives and changes – digitalization, cybersecurity, Internet of Things and more. Change is all around us. In light of these many changes, what are new and emerging risks that organizations need to understand and manage? Internal audit can and is expected to provide information and insights to board members and management on these new risks.

Brian also offered some calls to action:

  • As internal auditors, we need to rise up to the expectations of our stakeholders. We’ve been told we’re doing a great job, but we can do more, and our stakeholders want us to do more.
  • We need to break out of historical thinking and approaches. We’ve earned a solid reputation – we now need to build on it.
  • We need to focus on and embrace the four C’s – Culture, Compliance, Competitiveness, Cybersecurity.
  • We need to ask ourselves: Where do we want to be in five years? In 10 years? How do we continue our “golden age”? The answer: Take on bold ideas and new concepts.
  • Finally, we need to own the discourse to fulfill the expectations of our stakeholders.

We have a great opportunity – not just for ourselves, but to create a path for those behind us. Stakeholders have given us a road map to success. Let’s fulfill our destiny and continue our golden age.

Partly Cloudy: Outage Raises Resiliency Concerns

By Jeff Weber, Managing Director
Technology Strategy and Operation

 

 

 

Everyone needs a little downtime – critical IT infrastructure, not so much. Security and reliability have long been the two primary enterprise concerns when it comes to the cloud. And while security has been the dominant concern over the past couple of years, recent high-profile cloud outages have brought reliability front and center.

A recent outage affected almost 150,000 sites. In the not-so-distant, cloud-less past, most companies would have had in-house servers, and the disruption would have been limited and isolated. Included in the outage was an internet messaging and chat service popular among IT professionals, who were quick to notice and spread the word. More importantly, this service enables IT services and communication, and its loss affected organizations’ ability to maintain service levels.

Even companies with on-premise enterprise systems could find themselves unexpectedly cut off from critical services, vendor portals and clients, in the event of a service interruption at a cloud-based communications provider.

Cloud functionality affects virtually everyone. These days, if any company thinks it doesn’t have significant cloud exposure, it needs to think again. Now is the time for companies to be asking themselves whether their risk management framework is robust enough to identify risk exposure they may not have thought about.

The worst time to discover a critical exposure to a cloud outage is…well, always. Protiviti recommends that companies act now to conduct a cloud risk assessment and impact analysis and develop an effective response plan. Key elements include:

  • Conducting a thorough process review to identify any hidden cloud exposures
  • Identifying and prioritizing “crown jewels” – in this case, critical functions that must be protected from disruption
  • Comparing exposures against the company’s risk appetite and establishing a remediation threshold – for example, frequency and duration of outage
  • Creating an awareness of susceptibilities and developing response procedures

Although for many companies this type of exercise is new when it comes to cloud computing, it is essentially the same process they have applied in the past to telecommunications, infrastructure and other “always-on” systems and applications. The chief information officer should lead, or at least be at the table for this discussion, and ensure that the right people are involved in the conversation. Furthermore, the discussion should be conducted in business-relevant terms (risk, effect on operations) rather than IT terms (systems downtime, for example).

Public reaction to cloud outages, to date, has been relatively muted. That is likely to change, and quickly, as connectivity increases and digitization and the Internet of Things transform existing business models. No one is really shocked that cloud outages happen, but now that they are on the radar, it is important to plan for the occasional yet inevitable “inclement weather.”

Customer Loyalty Through Better Security — and How to Achieve It

By Rick Childs, Managing Director
Consumer Products and Services Industry Leader

 

 

 

Customer loyalty programs are among the basic building blocks of successful consumer products and services companies today. These programs are not only competitive differentiators, but also key drivers of revenue and profits for retailers, restaurants, hotels, airlines and many other businesses. The success of loyalty programs, however, hinges on more than inspiring customers to opt in and offering them rewards that they find compelling. Consumer trust is also essential.

Consumers want to be assured that the companies they interact with through various touch points — online, offline and through mobile applications — are doing everything possible to protect their personal data and privacy. Even millennial consumers, who are generally more willing than customers in other demographic groups to share personal information with businesses in exchange for rewards, have high expectations that companies will keep their data secure and respect their privacy. And if the companies don’t, they are quick to hold them accountable.

Privacy concerns are weighing on the minds of executives in the consumer products and services industry this year, according to a survey, Executive Perspectives on Top Risks for 2017, from Protiviti and North Carolina State University’s ERM Initiative. Representatives of this industry group who took the survey ranked the following concern third among the top five risks: Ensuring privacy/identity management and information security/system protection may require significant resources for us.

Digitalization, the IoT and cyberthreats add to the challenge

Like most things related to information security in a digital world, privacy, customer identity management and information security are all easier said than done. In fact, they are becoming only more challenging for consumer products and services companies as these businesses:

  • Introduce more mobile and digital offerings to their customers
  • Collect, store and analyze more and more customer data from applications and devices
  • Develop and use applications and devices designed for the rapidly emerging and highly interconnected Internet of Things (IoT)
  • Embrace digitalization and migrate “analog” approaches to customers, products, services and operating models to an “always-on,” real-time and information-rich marketplace

It is hardly surprising then that consumer products and services businesses face a constant barrage of sophisticated and stealthy cyberthreats designed to target customer and payment information.

Recent high-profile data breaches and targeted hacks involving major retailers, fast food chains and hotels are just the latest headache-causing wrinkle as consumer products and services companies are scrambling to evaluate their ability to protect customer and payment information. (Executives no doubt had these incidents on their minds when responding to the latest risk survey: they also ranked cyberthreats among the top five risks for their industry in 2017.)

Drive results through strategy and collaboration

Certainly, there is no getting around the need for consumer products and services companies to devote more resources toward ensuring privacy, addressing identity management issues, and protecting information and systems. This is an imperative for any business that handles customer and financial data in a digital world. But organizations also must be very strategic when aligning and deploying these resources if they want to see results.

Developing the right strategy requires effective collaboration between the business and IT. If they are not doing so already, business executives in consumer products and services organizations should resolve to reach out to their counterparts in IT sooner rather than later.

Another party to include in discussions about privacy risk and cyberthreats this year: internal audit. We are seeing more organizations increasing business, IT and internal audit collaboration not only to address known risks, but also to help the business prepare for new challenges related to digitalization and the IoT. As Protiviti’s white paper, The Internet of Things: What Is It and Why Should Internal Audit Care?, explains, “Businesses developing and using applications and devices within the IoT must be aware of how the data they are collecting, analyzing and sharing impacts user privacy.”

Engaging business, IT and internal audit leaders to share their perspectives on these risks will help consumer products and services companies to ensure they are doing everything necessary to protect their customers’ privacy and information in a digital and hyperconnected world. It will also give them more confidence to interact with consumers through more channels, and to innovate programs and other offerings that will earn — and keep — their business.

Digital Transformation, Data Governance, and Internal Audit

By Ari Sagett, Managing Director
Internal Audit and Financial Advisory

 

 

Digital advances, such as big data analytics, mobility and smart connected devices are radically changing not just business processes, but entire operations. Companies across industries are racing to migrate analog approaches to customer interactions, products, services and operating models to an automated, always-on, real-time and information-rich marketplace. For internal audit, this means that IT risk is no longer limited to the traditional audit focus areas, but now spans the breadth of a firm’s operations (including areas that may not have been featured prominently in internal audit’s annual audit plan). And as companies store and process higher volumes of data in support of these automated routines, data governance remains critical.

Accordingly, internal audit departments need to consider the elevated risks this wave of digitization and automation may bring to day-to-day enterprise operations. Take customer service, for example. If routines are automated and customer service representatives now have lots of personally identifiable information on customers stored on workstations and network servers, then the risk profile of that department is elevated, and internal audit should evaluate controls to ensure that these potentially lower priority business functions are being considered and addressed in the context of technology risk.

We explored these challenges in our September 14th webinar, Digitization: What Does This Mean for Internal Audit. A recorded version is available on our website. More than 1,000 practitioners logged in for the live broadcast, which isn’t surprising considering that technology and data concerns topped the list of internal audit priorities in our 2016 Internal Audit Capabilities and Needs Survey.

Big data has also given rise to new, or emerging, risks. Cybercriminals are working both inside and outside of companies to capitalize on the massive and growing universe of valuable personal and private information. Regulators are promulgating policy and guidelines governing the security and privacy of the expanding universe of valuable and sensitive data. New technology-driven competitors are changing the competitive landscape. And older companies are trying to become more agile and innovative, replacing in-house data centers with cloud infrastructure.

As organizations embark on the digital transformation journey, it is incumbent upon the internal audit function to work with operational managers, risk managers, senior executives and the board to provide assurance that organizations continue to have the right controls, data governance, and compliance practices in place. In some cases, the internal audit function may serve a valuable role in educating stakeholders about the nuances of digitization and the associated risks.

Of course, all of these new responsibilities are over and above the traditional core functions, which cannot be neglected. Chief audit executives should ask themselves the following questions:

  • Does the current internal audit plan consider digitization risks?
  • Does IT leadership have a solid understanding of potential control impacts associated with digitization?
  • Does the audit team understand digitization?
  • Do our auditors have the right skills to effectively evaluate digitization risks and controls?
  • Does the internal audit function understand the impacts that digitization may have on data privacy, cybersecurity and other regulatory compliance obligations?

There is no doubt that by embracing digitization, organizations can maximize opportunities and drive competitive advantage. By providing assurance over the organizational risks posed by digitization, the internal audit department can give senior management and the board the information and confidence they need to embrace the digital future.

Is your internal audit team ready for the digital transformation? Share your thoughts in the comment section below.