The Internet of Things: A Game Changer for IT Audit

By Anthony Chalker, Managing Director
IT Audit Practice




I recently had the honor of attending the ISACA’s 2017 North America CACS Conference in Las Vegas, where I discussed how the Internet of Things (IoT) continues to transform the mission of IT auditors. The IoT is a perfect example of an all-around disruptor, including in IT audit departments, as businesses collect, analyze and act on data captured outside of the traditional IT boundaries. As a result, IT auditors now routinely must take steps to provide assurance over systems that are no longer under their direct control.

Auditors are fully aware of the challenge. Participants in Protiviti’s 2016 Internal Audit Capabilities and Needs Survey acknowledge that they need to improve their IoT technical knowledge, or they’ll be unable to do their job. Technical knowledge ranked as a top-five issue among the most important internal audit priorities in the survey report. Without an in-depth understanding of the IoT, the technology that enables it and the business opportunities and risks it presents, we as auditors will be unable to quickly recognize innovations and how they could affect the organization’s business model or strategic objectives in the midst of a disruptive environment.

Below are just a few baseline points we covered during the conference discussion panel:

What is the IoT?
The IoT is an environment in which virtually any object, animal or person with a unique identifier on the internet has the ability to communicate over a network with another device, without the need for human-to-human or human-to-computer interaction. The IoT evolved from the convergence of wireless technologies, micro-electromechanical systems (MEMS) and the internet. In short, the IoT is giving the world a digital nervous system that’s connecting people, processes and systems, from devices, such as smartphones and tablets on the consumer level, to machine sensors on the industrial level.

What is driving the IoT’s growth?
The explosive growth of the IoT is supported by several converging technologies, including:

  • Adoption of IPv6 – The ability to assign a practically unlimited number of unique addresses on the Internet. To put this in perspective, the 128-bit IPv6 address space provides roughly 3.4 x 10^38 addresses, on the order of 6.7 x 10^23 for every square meter of the Earth's surface.
  • Enhanced sensors – The dramatic drop in cost combined with the equally dramatic increase in capabilities of sensors to capture, analyze, store and transmit data.
  • Low-power/wide-area communications – The ability to transmit data from a wide range of sensors across a simplified communication infrastructure, using batteries or other low-power sources sized for the expected useful life of the sensor. The security of these links is a property of the protocol chosen and how it is configured, not of the technology itself, so it must be assessed rather than assumed.

The convergence of these developments is ushering in a new digital platform that allows organizations to devise new and inventive methods of reaching strategic objectives. In a 2015 McKinsey Global Institute report, the authors estimate that the IoT could have an annual economic impact of $3.9 trillion to $11.1 trillion by 2025.

What is the role of the IT auditor in an IoT environment?
The IoT integrates technologies to meet business information needs. However, this does not mean that IoT projects necessarily originate in the IT organization. Many current IoT projects are occurring outside the traditional walls of IT. As such, the IoT represents less a change in the purpose of the IT landscape or in the types of issues auditors typically address than a change in where strategy is being implemented. We need to acknowledge this shift and ensure that we have a seat at the table to understand how the organization’s strategy is driving the IoT vision and the related IT risks that need to be addressed to successfully fulfill that vision.

To be sure, IoT discussions are happening across organizations today, from purchasing to research and development. IoT is not limited to a single industry or business process. As an IT auditor, are you part of these conversations? Are you in the loop of your organization’s IoT strategic initiatives? Again, we need to ensure a seat at the table to effectively perform our role as risk counselors and assurance advisors to management and the board about this rapidly evolving area. Unlike many areas on our traditional risk plan, IoT does not have an embedded platform of existing policies and procedures to leverage. If we are not part of the strategic discussion, it will be difficult to fulfill our risk advisory role. Simply stated, we need to get in the loop, or we’ll find ourselves on the outside looking in.

IoT does not inherently require a new IT audit skill set as much as it demands a new approach to identifying the linkage of strategy to IoT solutions. Here are a few questions we as auditors should consider as we continue to develop and refine strategies and solutions to help businesses maximize their IoT experience:

  • How is the IoT deployed in our organization today, and who owns it or its respective components? This includes determining an organization’s potential IoT inventory and IoT’s business activity role. The IoT could play a part in the end products that a business sells, for example, or in internal process management. It most likely does not reside in the IT organization. In many cases, projects will not include the wording “IoT” in their project plans or definitions. This underscores the importance of having skilled IT auditors who are able to link strategy and the underlying implementation mechanisms to identify where the IoT exists within the organization.
  • Do we know what data is collected, stored and analyzed, and have we assessed the potential legal, security and privacy implications? If IoT technology is found within a company’s solution offerings, for example, customer agreements may require disclosures regarding what information the devices are capturing and sharing. Do the organization’s data governance policies cover the tremendous amount of data being captured through the thousands of deployed sensors? Does the collection of sensor data pose risks that data may be aggregated in a manner that would create privacy concerns?
  • Do we have contingency plans in place in case our IoT “things” are hijacked or modified for unintended purposes? Among other considerations, it is critical to identify how an organization uses IoT devices and how a partial or full network shutdown would impact the business. Does the loss of these devices pose a risk to our organization or to other organizations? Is there a risk that devices we sell to others could be compromised on a large scale? One well-publicized example was the October 2016 denial-of-service attack on the DNS provider Dyn, carried out by the Mirai botnet using tens of thousands of compromised internet-connected devices such as cameras and DVRs, many of which had been taken over through factory-default credentials.

Auditors recognize that they need to improve their IoT technical knowledge, a skill set that is only going to grow in demand given the rapid deployment of connected devices throughout industry. We need to continually communicate with IoT experts and company managements and boards to create policies and procedures that address IoT opportunities and risks for organizations and industries alike. Perhaps the biggest risk on the auditor’s side of the ledger is failing to help his or her organization utilize IoT to make the most of its growth potential.

IT Audit Webinar: Your Questions Answered

By Gordon Braun, Managing Director
IT Audit




Following up on a recent blog post discussing the results of the 6th Annual IT Audit Benchmarking Study from ISACA and Protiviti, I want to revisit the subject by answering some of the audience questions we were unable to address live during the webinar, which I co-hosted with my Protiviti colleague David Brand and ISACA director Ed Moyle.

(I want to stress that we receive many great questions during our webinars but they may not always be answered in the limited window allowed by our webinar time constraints. I invite you to subscribe to our blog as we often follow up with these questions here.)

Q: How can growing organizations move from a reactionary approach to IT risk management to a more proactive approach and get ahead of emerging risk issues?

To be proactive, I think it is very important to invest in relationship-building activities with IT. Find a way to get invited to IT meetings and town halls and get added to key IT distribution lists. If you are not being included in those meetings, if you are not receiving IT organization announcements/distributions, and if you are not generally being considered a part of the IT “family,” you need to revisit your approach and take action to change your relationship status.

The goal should be to establish an ongoing dialogue so that internal audit knows what projects are in the pipeline and what technologies may be emerging in order to be appropriately involved at the earliest stages of these projects. I’ve seen a lot of IT audit organizations struggle with this. It’s hard to see the risks around the corner if the IT auditor does not know in which direction IT is headed. Too often, IT audit is reacting well after the fact, and that’s not a good position to be in.

I also suggest that IT auditors partner with enterprise risk management to maintain a good understanding of the strategic direction of the company. An IT auditor needs to understand the direction of an organization in order to identify risks associated with the future demand for technology, as well as the technology skill sets likely to be required.

For IT, the most important incentive for building a strong relationship with IT audit is the value IT audit can bring to that organization, and IT audit should be able to communicate that benefit. IT auditors are not only good evaluators, but they are individuals that can help the IT organization be successful in achieving its objectives. When reporting on IT, it is important to consider the context in which IT is operating. How information is presented — whether it is perceived as collaborative and constructive — can have a significant impact on the IT / IT audit relationship.

Q: Do you see more IT audit shops leveraging continuous auditing to focus on some of the challenges highlighted in the survey?

I see the second line of defense doing more continuous monitoring and then IT audit shops allowing for flexibility in the IT audit plan to allow for a shift based on the findings of continuous monitoring activities. As issues are identified in the second line, top-performing audit shops are able to shift activities and focus on emerging or more urgent items that require attention.

Q: Should the IT audit director report directly to the audit committee?

Not usually. While we are seeing the IT audit director attend more audit committee meetings, the line of reporting is typically up through the chief audit executive.

Q: Where does the responsibility for IT risk assessment live: with the IT organization or with the IT audit function?

Certainly, IT has to be responsible for managing its own risk. But it is very common today to have a specific IT risk assessment process occurring through the internal audit organization. As technology, automation and digitization become a more integral part of our lives, boards and management are going to want more assurance around the tech environment, and that starts with an effective risk assessment process.

A coordinated or collaborative activity is the smart approach. It is best practice that IT does its own risk assessment. The trouble starts when there is a significant disconnect between the assessment results coming from IT and IT audit. Parallel assessments are perfectly legitimate and expected but there should be some effort to coordinate, collaborate and understand/reconcile any major differences.

Ultimately, you want to have an efficient risk management and IT governance process that delivers results that are easily understandable and interpreted by executive management and the board.

You can access the archived version of the webinar and more Q&As from it here.

Top Technology Challenges for Internal Audit: Results From Protiviti’s IT Audit Survey

By Gordon Braun, Managing Director
IT Audit




Process automation and digital transformation are near the top of most corporate agendas, and the IT audit function has never held a more crucial role. The results of the 6th Annual IT Audit Benchmarking Study from ISACA and Protiviti illustrate the increasingly integrated role IT audit leaders and professionals are assuming in regard to technology initiatives in their organizations.

I had the opportunity, along with my colleague David Brand and ISACA director Ed Moyle, to discuss the results at length in a recent webinar. You can view an archived version by registering here. In the meantime, I wanted to give you a quick rundown of the top technology challenges expressed by respondents, and how those challenges compare with the previous year’s results.

No surprise on the top tech challenge: Nearly all organizations are struggling with data privacy and cybersecurity. It’s an area where boards want assurance — even with an understanding that assurance can never be 100 percent, regardless of the amount of money spent. The challenge for IT audit, therefore, lies in determining the right amount of IT audit time and focus to be dedicated to cyber risk and ensuring coverage is in alignment with the risk appetite and priorities of the organization. Though cybersecurity is always a business issue, the risk is typically assigned to IT. IT audit’s effectiveness in this area is strongly related to the experience and specialized knowledge that the IT auditors in the group bring to the audit. There continues to be a strong push for education and for using the right tools, frameworks, approaches and resources; all are critical elements in ensuring IT auditors stay in front of the cyber risks they are auditing.

Emerging technology (automation, digitization, cloud, etc.) remains a top challenge for IT auditors, though not ranked as high as last year. Effective IT governance in the face of emerging tech remains a goal for many organizations, and those that ignore it or get it wrong are going to struggle. IT auditors can help their organizations in this area by challenging the effectiveness of IT governance from both a design and an operating perspective — this healthy and critical evaluation of the alignment between the business and IT is required in today’s environment. In organizations with enterprise risk management (ERM) functions, there may be a natural overlap in interest between IT governance and ERM, and IT auditors are well-positioned to seek out this partnership to share and receive perspectives from the ERM group.

Infrastructure management, regulatory compliance, and budget/cost concerns all moved up the list this year — a risk triumvirate that I think contributed to the return of third-party/vendor management as a top-ten challenge, after dropping below the top ten last year. Infrastructure management and third-party vendor management are closely related as organizations increase reliance on infrastructure-as-a-service (IaaS) and software-as-a-service (SaaS) providers in an attempt to reduce their IT footprint. To ensure maturity in third-party risk management and ease related challenges, IT audit should be involved in the early stages of significant infrastructure projects, evaluating the processes and controls around third-party vendor management, ensuring upfront due diligence activities are completed, and reviewing service level agreements (SLAs) and contracts before they are signed. There are a number of efforts in the market to provide IT auditors with more avenues for assurance for these relationships – an area I fully expect will continue to see growth.

Missing from this year’s top-ten list is big data — a surprise, to say the least. In all my conversations with colleagues, big data remains a top priority, and it is closely tied to many of the other top-ten challenges. Its absence from the list, in my opinion, has more to do with the temporary elevation of other priorities, and a growing familiarity with the features, risks and benefits of big data, than with any lessening of focus. Big data also looms large in this year’s Internal Audit Capabilities and Needs Survey, so the conversations around it are certainly not over.

Last, but certainly not least, staffing and skills cut across every other top technology challenge mentioned. Although it dropped slightly from last year’s ranking, it remains a top-five challenge — a reflection of the critical need for internal audit functions to hire and train tech-savvy auditors capable of understanding IT risks. This is particularly relevant for addressing the top challenge of cybersecurity, where expertise is key to gaining the cooperation and trust of IT. Co-sourcing, or even outsourcing of IT audit, can provide that expertise without straining internal resources. Each organization must decide on whether and how to augment its skills based on its specific level of reliance on technology.

Clearly, there is much to unpack from this year’s IT Audit survey results, and we will continue to analyze the findings and track progress in how companies address them. For the full ranking of challenges and a more in-depth analysis, visit our 6th Annual IT Audit Benchmarking Study page.


Taking a Global Look at IT Audit Best Practices – ISACA/Protiviti Survey

Protiviti and ISACA, a global business technology professional association for IT audit/assurance, governance, risk and information security professionals, have released the results of our joint annual IT Audit Benchmarking Survey. Key takeaways from this year’s study include the following:

  • Cybersecurity is viewed as the top technology challenge.
  • There appears to be more executive-level interest in IT audit.
  • More CAEs are assuming a direct leadership role for IT audit.
  • Most IT audit shops have a significant or moderate level of involvement in key technology projects.
  • Most IT audit shops perform IT audit risk assessments, though a majority do so annually or less frequently.

Take a look at our infographic and video here. For more information and to download a complimentary copy of our report, A Global Look at IT Audit Best Practices – Assessing the International Leaders in an Annual ISACA/Protiviti Survey, visit

Considerations for SOC 2 Readiness

By David Lehmann, Managing Director
IT Audit




As more organizations trade in-house IT applications, systems and related processes for third-party services to enhance capabilities, simplify operations and lower costs, it is critical to demonstrate that data and systems are well-controlled, regardless of where the data resides. While the COSO Internal Control – Integrated Framework clearly states that management is responsible for the design and operation of its controls over IT risk (including the controls that are outsourced to service providers), the burden of organizing the necessary assurance activities directed to the controls in place for outsourced processes and systems falls on service providers. For many, the service organization control report (SOC 2), issued by a service auditor, has become the assurance standard of choice — to the point that many organizations now contractually require vendors to provide annual SOC 2 reports.

A SOC 2 is an attestation report that provides control assurance over a defined set of the service provider’s systems. A Type 1 report describes the design of controls as of a point in time; a Type 2 report, the form most customers ask for, also tests operating effectiveness over a defined period, typically six to twelve months, agreed to between the auditor and the service provider. The report encompasses between one and five trust services principles (TSPs), depending on the needs of the service organization. The five TSPs are security, availability, processing integrity, confidentiality and privacy. The security principle is included in nearly every SOC 2 report, and its criteria form the common criteria on which the other four build; it is used to determine whether relevant systems are protected against unauthorized access, use or modification.

Deciding to obtain a SOC 2 report is not a one-time event; it requires an ongoing commitment of both management time and financial resources. Consistent execution of controls is critical and often requires significant remediation before an organization is ready to submit to the service auditor’s testing. Most service organizations have yet to develop the control frameworks and tools required to meet the rigorous SOC 2 audit standards. To assist in that process, Protiviti recently published a white paper — On the Road to SOC 2 Readiness, What Service Organizations Need to Know — available for free download from our website.

Getting ready for an initial SOC 2 audit can be an arduous process. It begins with developing an understanding of what is driving the need for a SOC 2 audit and what are the systems relevant to those drivers. It continues through a gap assessment and an iterative cycle of remediation and readiness testing, correcting control and process design gaps along the way until results fall consistently within an acceptable range of outcomes.

The scope of a SOC 2 report depends on the type of service a vendor provides, as well as the needs of its customer base. A thorough scoping should seek to determine for which TSP(s) customers will require assurance and which systems and components must be assessed to achieve the objective. A service organization can select any number and combination of TSPs for inclusion in the report, based on customer need and relevant contractual requirements.

In some cases, organizations may deem two or more TSPs to be relevant to their customers’ needs. In our experience, and depending on process maturity and culture, it is sometimes best to follow a staged approach, focusing on the most important TSP first and increasing the scope of the report over time. Organizations that attempt to address multiple TSPs as part of their first SOC 2 project increase the risk of disruption to normal operations, missed target dates and, potentially, a qualified initial report.

Given the critical importance of a positive report, and the potential reputational and economic consequences of a negative one, service organizations are turning to outside consultants to help them prepare. Service organizations should work with their advisers to determine the best approach that fits the needs of their customers, as well as their own organization.

More than just an IT exercise, SOC 2 readiness should be viewed as a company-wide opportunity for service providers to gain competitive advantage through risk management maturity.

2016 Audit Committee Agenda Webinar Q & A (Part 2)

We are continuing our Q&A series stemming from our January 7 webinar on the 2016 Audit Committee Agenda. We’ve been exploring audit committee priorities for 2016, based on the findings published in the latest issue of The Bulletin. This four-part Q&A blog series provides our responses to some of the many interesting questions from our 1,500 webinar participants that we were unable to address during the webinar itself. Jim DeLoach and David Brand address the questions below.

In our first installment, we touched on the relationship between the audit committee and independent auditors, new rules on lease accounting, and board-level engagement with cybersecurity. Cybersecurity is a top concern for audit committees right now, and it should be. For additional insight, see Issue 67 of our Board Perspectives series, which is devoted entirely to briefing board members on IT matters in a manner that directors can understand.

Q: Are you seeing cybersecurity experts being added to the audit committee?

David: Generally speaking, no. Organizations face a broad and ever-changing spectrum of risks. For that reason, boards and audit committees should be staffed with people from a variety of backgrounds who stay well-informed on the current risk landscape and emerging risks, and know where to go and whose advice to seek to educate themselves as needed – through the CIO, CISO, or independent cybersecurity experts. An exception to this, of course, would be technology companies, or organizations where technology is the centerpiece of the business strategy, and in such cases we see some boards setting up a separate technology committee. But from a purely risk oversight perspective, no.

Q: Do you see differences between cybersecurity risk and data privacy risk, and should a risk profile have both? Or do you see in the industry that these risks are combined?

David: Although there tends to be a heavy focus on cybersecurity these days, it is important to remember that information – including personally identifiable information (PII), non-public financial information, drug formulas, customer lists and price sheets – often exists in non-electronic formats, including paper printouts on people’s desks. Cybersecurity deals exclusively with electronic data that’s housed in computer systems. Data privacy risk encompasses information in all forms, and is therefore both distinct from, and inclusive of, cybersecurity risk.

It’s a misnomer to say if a company is doing cybersecurity, it has achieved data privacy. Data privacy is related to cybersecurity, but broader than cybersecurity.

Jim: Let me add that our 2016 Top Risks Survey report, which will be released in March, reports on cybersecurity risk and privacy/identity management risks separately, and both were highly rated in our global survey results.

Q: Do you have a toolkit available for auditing cyber risks?

Jim: The National Institute of Standards and Technology (NIST) has developed and publicized a cybersecurity framework that has become the de facto standard for control areas that need to be addressed. That’s the best place to start in the public domain.

Q: Why don’t more organizations use data analytics to support internal audit?

Jim: Good question. It’s hard to pin down the why. Improved data analytics has been one of the top-rated capabilities and needs in our annual survey of chief audit executives for the past ten years. If you are asking whether your organization should be investing in analytics to keep pace with an increasingly complex environment, the answer is yes.

We’ll pick up with this discussion of technology in Part 3 of this series. The archived version of the webinar can be accessed here.

2016 Audit Committee Agenda Webinar Q & A (Part 1)

Our January 7 webinar, The 2016 Audit Committee Agenda, based on our latest issue of The Bulletin, drew more than 1,500 participants. The audience was diverse and included a large number of directors and executives, so it’s not surprising that a lot of interesting and relevant questions were asked.

We promised we would get to as many questions as we could but, due to our time constraints, we were only able to answer a few in real time. Here, in the first of several posts, we want to answer some questions we did not have time to address in the live session. Jim DeLoach and David Brand, Protiviti’s IT Audit practice leader, take turns with the answers.

Q: How involved should the audit committee be in inspecting its independent auditor? (Question submitted by a new audit committee member.)

Jim: As set forth in the listing standards for U.S. exchanges, the audit committee oversees the hiring, retention and independence of the external auditor and the quality of the external audit process. So the audit committee’s job, insofar as the external auditor is concerned, is not a matter of “inspection” as it is providing oversight. As part of the hiring and retention process, audit committee members are encouraged to be mindful of the firm’s PCAOB inspection reports. These reports may have an impact on the demands and expectations issuers receive from their external auditors and, therefore, warrant the audit committee’s attention.

Furthermore, the committee should inquire of the auditor if PCAOB inspections of the firm and recent PCAOB guidance are impacting the audit approach in any significant way and, if so, how and in which areas. For a good reference on the responsibilities of an audit committee, see the standards for listed companies established by Sarbanes-Oxley and promulgated by the Securities and Exchange Commission.

Q: Does the new Financial Accounting Standards Board (FASB) lease accounting standard (requiring both financing and operating leases to be accounted for on the balance sheet) apply to both public and private companies, and are there any exceptions?

Jim: To the best of our knowledge, the new rule, which will primarily affect lessees, will apply to all companies in all industries – although the effect will be greater on companies that have previously relied on leases as a form of off-balance-sheet financing. We won’t know with certainty, however, until the FASB issues its new standard, which is expected soon.

Q: Have you seen any best practices that organizations have used to get everyone on board with the idea that cybersecurity is a business issue, not simply an IT issue?

David: The only way to get people to see that this is a business issue is to start at the top. You have to start with a clear understanding of what assets the organization wants to protect. These so-called “crown jewels” have to be defined by the business. IT can’t decide. Once the organization has decided what’s important, then the capital committee and risk management committee must decide how much they want to spend protecting those crown jewels. IT’s role is to execute the protection scheme.

Q: Our board engagement and level of understanding of cybersecurity are not aligned. How would you address this?

David: Board members are always looking for educational opportunities, and internal audit can play an important role in this process. There’s nothing to stop internal audit from scheduling an educational briefing session with the board, or hiring a third party to come in and facilitate. For additional insight, see Issue 67 of our Board Perspectives series on board risk oversight, which is devoted entirely to briefing the board on IT matters in a manner that directors can understand.

In our next installment, we’ll pick up on this thread with a discussion of whether boards should be recruiting members with cybersecurity expertise. The entire webinar can be found here.