Navigating Technology’s Top Risks: Internal Audit’s Role


1 Navigating Technology’s Top Risks: Internal Audit’s Role
By Philip E. Flora and Sajay Rai

The IIARF encourages those who are presenting this slideshow to download the full report from The IIA Research Foundation and make it available to their audience. Based on the time available for the presentation, the presenter/group discussion leader may want to focus on the top 3-5 risks identified from their perspective. The presenter should also briefly mention the other risks listed in the report and encourage attendees to consider their organization’s IT risks, threats, and vulnerabilities in relation to the report and to compare them during the next annual risk assessment. Finally, it is suggested that you compare your organization’s action steps to reduce risk to an acceptable level (based on your organization’s risk appetite). Please remember that for each section a list of key questions for IA to ask is provided to help gather information, and a list of key activities for IA to perform is also provided. Available free of charge:

2 CBOK 2015 Practitioner Study
CBOK is the Global Internal Audit Common Body of Knowledge. The global practitioner survey is the largest ongoing study of internal audit professionals in the world. More than 25 free reports about practitioners and the profession will be released from July 2015 to July . Download free reports from the CBOK Resource Exchange at The IIA website at any time (

Review what CBOK is and how it benefits the internal audit profession. Emphasize the number of participants from all over the world and that the 25 CBOK reports are provided to members and other interested parties to further the profession and strengthen overall organizational governance.

3 CBOK 2015 Practitioner Survey
Practitioner Survey Results
Survey completed April 1, 2015
14,518 usable survey responses

Participation Levels
100% representation from IIA institutes
Responses from 166 countries
23 languages

4 CBOK 2015 Practitioner Study
Global regions are based on World Bank categories. Percentages are the share of total survey responses from that region compared to all survey responses.
North America: 19%
Latin America & Caribbean: 14%
Middle East & North Africa: 8%
Sub-Saharan Africa: 6%
Europe & Central Asia: 23%
South Asia: 5%
East Asia & Pacific: 25%

5 CBOK 2015 Practitioner Study
The speaker does not necessarily need to say this, but it’s important to remember that each pie chart is based only on those who answered that particular question (in other words, not all 14,518 survey respondents provided an answer to every question). Below are the specific numbers of responses for each question shown on the slide. Age was obtained from 12,780 respondents; Organization Type was obtained from 13,032 respondents; Gender was obtained from 14,357 respondents; Staff Level was obtained from 12,716 respondents.

6 Presentation Objectives
Use this report to further educate the IA team, management, and board about IT risks. Consider the 10 risk areas as your annual risk assessment/audit plan is developed. Determine that you have the resources to address the following risk areas. Use the key questions and activities to strengthen IA’s role in auditing IT.

Consider the above objectives in using this report. Share the top 10 technology risks with the group and make brief comments about each identified risk area. After reviewing the top 10 risks with the group, share information about the CBOK project and how the risk list was developed.

7 Introduction
As you read this report, consider how each of these IT risks is managed in your organization. Listed at the end of each section is the following information for your use: key questions for IA to ask, and key activities for IA to perform. Consider using this report as a resource as you develop your next annual risk assessment/audit plan.

8 Technology’s Top 10 Risks
1. Cybersecurity
2. Information Security
3. IT Systems Development Projects
4. IT Governance
5. Outsourced IT Services

Share the top 10 technology risks with the group and make brief comments about each identified risk area. After reviewing the top 10 risks with the group, share information about the CBOK project and how the risk list was developed.

9 Technology’s Top 10 Risks
6. Social Media Use
7. Mobile Computing
8. IT Skills Among Internal Auditors
9. Emerging Technologies
10. Board and Audit Committee Technology Awareness

See the prior slide’s comments.

10 1. Cybersecurity
Discuss how your organization manages cybersecurity risks (request positive and negative experiences/challenges that auditors have observed or experienced). Determine that your organization has a Crisis Management Plan in place and that it is tested and updated on an ongoing basis. Consider reviewing the reported problems other organizations have experienced related to data breaches and cybersecurity issues. This is a very complex area that requires appropriate controls, monitoring, reporting, communication, specialized HR skills, and a plan to deal with potential problems. Two examples of reports to gather more knowledge about cybersecurity follow: Internal Audit’s Role in Cyber Preparedness - Joint ISACA & IIA project. -

11 Risk Level for Data Breaches
Note: Q93: In your opinion, what is the level of inherent risk at your organization for the following emerging information technology (IT) areas? Those who answered “not applicable/I don’t know” were excluded from the calculations. Due to rounding, some totals may not equal 100%. n = 1,038 for IT; n = 1,139 for risk management; n = 1,678 for accounting; n = 9,426 for all respondents.

Ask the group the following: Does this data surprise you? What is your perspective?

12 2. Information Security
What guidelines/standards/framework(s) are being followed in your organization (ISO & 27002, COBIT/ISACA, NIST, etc.)? Is maintaining your customers’ personally identifiable information considered a priority? What processes/controls are in place to promote success?

Ask questions and start a discussion on the strengths and opportunities for improvement that auditors in attendance have experienced.

13 2. Information Security
Are tools and qualified professionals available to administer your information security program? When was information security last audited?

Ask questions and start a discussion on the strengths and opportunities for improvement that auditors in attendance have experienced.

14 Audit Coverage
Note: Q94: In the next two to three years, do you think the internal audit activity related to these technology areas will increase, decrease, or stay the same? n = 11,163.

15 3. IT Systems Development Projects
Why are projects successful? Why do projects fail? What can IA do to assist the organization with improvement in this area?

Ask questions about your organization’s success with IT projects. If successful, inquire about the keys to success. How many organizations conduct project post-mortem reviews for process improvement? Discuss the project success and failure drivers and why, when, how, and how much the key projects should be audited. Should IA consider performing more consulting engagements than audits in this area? IA needs to be involved in projects from the beginning and throughout to fulfill its role.

16 Assurance for Major IT Projects
Note: Q94: In the next two to three years, do you think the internal audit activity related to these technology areas will increase, decrease, or stay the same? Topic: Audits/project management assurance of major projects. n = 11,019.

17 4. IT Governance
How many people have been involved in IT governance audits? What standards were used? How does your organization identify a successful IT governance program? What can IA do to help the organization improve IT governance?

Discuss what IT governance is and how IA can help the organization develop a more robust/comprehensive IT governance program.

18 IT Governance Activity
Note: Q72: What is the extent of activity for your internal audit department related to governance reviews? Topic: Reviews of governance policies and procedures related to the organization’s use of information technology (IT) in particular. CAEs only. Those who answered “not applicable/I don’t know” were excluded from the calculations. n = 2,545.

Are you surprised that about 30% of IA functions perform minimal or no IT governance auditing? Why?

19 IT Governance Activity Compare to IA Department Size
Note: Q72: What is the extent of activity for your internal audit department related to governance reviews? Topic: Reviews of governance policies and procedures related to the organization’s use of information technology (IT) in particular. CAEs only. Those who answered “not applicable/I don’t know” were excluded from the calculations. n = 2,497.

Does size make a difference if you’re performing risk-based auditing? It will impact audit coverage, but should it impact IT audits? Is this a question of department size or of IT audit resources? What’s your perspective?

20 5. Outsourced IT Services
Do you have in your contracts the right to audit the service provider? If not, why not? Does an SSAE No. 16 Reporting on Controls at a Service Organization engagement/report provide all the assurance your organization needs in this area?

SSAE No. 16 Reporting on Controls at a Service Organization: This section addresses examination engagements undertaken by a service auditor to report on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities' internal control over financial reporting.

21 Future Audits of Outsourced IT
Note: Q94: In the next two to three years, do you think the internal audit activity related to these technology areas will increase, decrease, or stay the same? Topic: Audits of IT procurement, including third parties or outsourced services. n = 11,020.

It appears appropriate for audits of outsourced IT to increase as the use of cloud services increases.

22 6. Social Media Use
Does your organization have a social media policy? Is the policy practical for enforcement purposes and for hiring/retaining employees who consider social media an important part of their lives? Is your company using social media to engage your current customers and acquire new customers? If not, why not?

Consider looking at social media in a broader way – not just compliance. Shouldn’t most companies be using and/or considering using social media? An excellent source of information about auditing social media is the IIARF book Auditing Social Media – A Governance and Risk Guide by Peter R. Scott and J. Mike Jacka. The use of social media will continue to grow based on its popularity with users, which also translates into significant opportunities for business. With social media sites being relatively new* (LinkedIn – 2003 – 255,000,000 estimated monthly visitors (EMV); Twitter – 2006 – 310,000,000 EMV; Facebook – 2004 – 900,000,000 EMV), some organizations haven’t embraced using social media from a business perspective. However, many organizations monitor social media traffic and have learned how to communicate effectively with current/prospective customers. *Source: eBIZ/MBA – The eBusiness Guide – July 2015. Auditors should become familiar with social media to better understand the potential risks and opportunities it provides to businesses.

23 Assurance for Employee Use of Social Media
Note: Q92: For information technology (IT) security in particular, what is the extent of the activity for your internal audit department related to the following areas? Those who answered “not applicable/I don’t know” were excluded from the calculations. n = 9,747.

24 Social Media Assurance Compared to IA Department Size
Note: Q92: For information technology (IT) security in particular, what is the extent of the activity for your internal audit department related to the following areas? Topic: The organization’s procedures for how employees use social media. Those who answered “not applicable/I don’t know” were excluded from the calculations. n = 8,980.

25 7. Mobile Computing
What guidelines do you have in place to protect customer and proprietary information on mobile devices? Do you ever audit executive mobile devices to determine compliance with the organization’s policies and procedures? What risk does the organization have if inappropriate information is on a company mobile device?

Discuss the approaches of the group and the lessons they have learned, both positive and negative. The challenges of handling other people’s/organizations’ confidential, proprietary, and sensitive information have been highlighted by US government departments and by at least one high-level official who is being questioned in the national news about handling others’ information. Understanding and protecting sensitive information needs to be more of a focus, and less a marketing assurance, for many of our organizations.

26 Assurance for Use of Mobile Devices
Note: Q92: For information technology (IT) security in particular, what is the extent of the activity for your internal audit department related to the following areas?

27 8. IT Skills Among Internal Auditors
What percent of your IA team is IT literate? Do you expect staff who are CPAs and CIAs to also become CISAs? If not, why not? Isn’t IT involved in most things we audit? Do you buy/acquire IT/IT audit skills and/or develop them within your organization? What level of credibility do you have with your IT staff? Good? Average? Poor? Do you have an IT audit staffing plan? If not, why not? Do you hire from the IT staff for audit? If not, is it a salary issue?

28 Technical Specializations Among Survey Respondents
Note: Q11: In addition to performing general internal audit activities, do you have an area of technical specialization for which you have had formal training and in which you spend a majority of your time working? n = 13,144.

29 Big Data Reliability Risk Compared by Organization
Note: Q93: In your opinion, what is the level of inherent risk at your organization for the following emerging information technology areas? Those who answered “not applicable/I don’t know” were excluded from the calculations. Due to rounding, some totals may not equal 100%. n = 9,373.

30 9. Emerging Technologies
What level of Continuing Professional Education (CPE) do you support for staff each year? 40 hours? 60 hours? 80 hours? 100 or more hours? What does it take to keep up with standards, regulations, IT, business, and industry? Certainly at least 80 hours! Have you assigned a team or individuals to keep up with and report on emerging technologies? How do you keep up with emerging technologies? If you don’t, how would this be factored into your annual risk assessment?

31 10. Board & Audit Committee Technology Awareness
Has the board assessed the level of IT expertise possessed by current members? How could internal audit assist the board/audit committee with this potential risk? IT board knowledge and strategic planning―how does one impact the other? Consider starting a dialogue with executive leadership and the audit committee on how IA can help bridge this gap.

Consider that this area could have a much greater organizational impact on your company than its #10 position in this report suggests. Ask if board/audit committee members receive and read reports on cybersecurity, the 20 questions a board should ask IT/IA/Strategy, IT emerging issues, third-party servicer issues/challenges, etc. Ask if board members receive reports/information from the NACD regarding IT issues and IT board member knowledge, skills, and abilities. Board members are extremely busy, and whatever interaction you have with them, or opportunity to provide information, must be focused and meet a specific need/gap. Does your organization have a governance process that holds IT accountable based on performance measures, metrics, service level agreements, industry benchmarks, etc.? When IT performance fails to meet expectations and/or enable the business, do the board members ask the difficult questions? Does IT routinely/periodically report on significant IT issues and emerging issues? Is this an area in which you have the appropriate level of IT knowledge/credibility on the IA team? Is this an area that would be sensitive/not well received if you asked the questions identified above?

32 In Closing
Consider the 10 risks identified in this report for your next annual risk assessment. Consider using this report and other reports, whitepapers, and articles to start a dialogue with management and the audit committee/board. Last, but not least, build strong relationships, communicate continuously and effectively, and develop/maintain IT audit skills.

Identify and meet your primary stakeholders’ needs and expectations. Think strategically and critically, and continue to improve your communication and your business knowledge/IT skills.

33 CBOK 2015: What’s Coming (Jul. 2015 – Dec. 2015)
Conferences: IIA International Conference; Governance, Risk, and Control Conference; South Africa Conference; IIA Financial Services Exchange; ECIIA Conference; All Star Conference; Southern Regional Conference; ACIIA Conference; IIA Midyear Committee Meetings.
Reports: Driving Success in a Changing World: 10 Imperatives for Internal Audit; Navigating Technology’s Top 10 Risks: Internal Audit’s Role; Staying a Step Ahead: Internal Audit’s Use of Technology; A Global View of Financial Services Audits: Challenges, Opportunities, and the Future; Who Owns Risk? A Look at Internal Audit’s Changing Role; Combined Assurance: One Language, One Voice, One View; Responding to Fraud: Exploring Where Internal Auditing Stands; Public Sector Outlook; Measuring Internal Audit Value and Performance; Core Competency Levels for Internal Auditors; Interacting with Audit Committees.

Please share information about the publication of upcoming CBOK reports and where to go for the free download.

34 CBOK 2015: What’s Coming (Jan. 2016 – Jun. 2016)
Conferences: GAM Conference; SoPac Conference; Leadership Conference; IIA International Conference.
Reports: The Skills Most Desired by IA Managers for Their Staffs; Use of Third Parties by Internal Audit; CAE Career Path; Women in IA: Representation and Trends; Maturity Levels for IA Dept. Around the World; How to Evaluate and Motivate Your Staff; Certifications Held by Internal Auditors; Ethical Pressures Faced by Internal Auditors; IIA Standards: Conformance and Trends; Quality Assurance and Improvement Program Trends; Integrated Reporting; Organizational Governance: Internal Audit's Role.

Additional reports that will be available for free download.

35 YOUR DONATION DOLLARS AT WORK
FREE thanks to generous contributions from individuals, organizations, IIA chapters, and IIA institutes around the world. Download your FREE copy today at the CBOK Resource Exchange. The IIARF encourages those who are presenting this slideshow to download the full report from The IIA Research Foundation and make it available to their audience. This research report is made possible through a sponsorship with:

36 About The IIA Research Foundation
CBOK is administered through The IIA Research Foundation (IIARF), which has provided groundbreaking research for the internal audit profession for the past four decades. Through initiatives that explore current issues, emerging trends, and future needs, The IIARF has been a driving force behind the evolution and advancement of the profession. For more information, visit:

37 Copyright and Disclaimer
The IIARF publishes this document for information and educational purposes only. IIARF does not provide legal or accounting advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained. Copyright © 2015 by The Institute of Internal Auditors Research Foundation (IIARF). All rights reserved. For permission to reproduce or quote, please contact
