Emerging Risks and the Impact on Your Audit Plan IIA Luncheon – October 2012 www.pwc.com

Upload: dotram

Post on 12-Apr-2018


Emerging Risks and the Impact on Your Audit Plan

IIA Luncheon – October 2012

www.pwc.com

Speakers

Denise McCurry, PricewaterhouseCoopers Director

Husam Brohi, PricewaterhouseCoopers Director

PwC, October 2012

Agenda

Why are we here

Identification/Management of Emerging Risk

Potential Emerging Risk


Why are we here

Internal audit’s role in emerging risk


State of the internal audit profession study

• 8th Annual State of the Internal Audit Profession Study

• Focus on the rising importance of risk management and the increasing expectations of internal audit’s contribution to the effort

• New methodology: For the first time, an “outside-in” look at the internal audit profession through points of view of:

- Over 660 stakeholders and 870 chief audit executives through an online survey

- Nearly 100 stakeholders, including board members and executives in one-on-one interviews

- 64 countries globally

- 16 industry sectors

• Full study available at: www.pwc.com/us/2012internalauditstudy

Stakeholders value internal audit’s contribution…

[Chart: Importance of internal audit’s contribution to monitoring risks, rated “Important” and “Very important” by stakeholders and CAEs (axis 0–100%), for the risk areas: Fraud and ethics; Data privacy and security; Business continuity; Large program risk; Mergers, acquisitions, and JVs; Regulations and government policies; Reputation and brand; Financial markets; New product introductions; Talent and labor; Energy and commodity costs; Government spending and taxation; Economic uncertainty; Commercial market shifts; Competition.]

… and stakeholders want more from internal audit

[Chart: Which risks are receiving too little attention from internal audit, percentage of stakeholders by risk area: Economic uncertainty; Commercial market shifts; Mergers, acquisitions, and JVs; New product introductions; Competition; Talent and labor; Fraud and ethics; Regulations and government policies; Financial markets; Business continuity; Government spending and taxation; Reputation and brand; Data privacy and security; Energy and commodity costs; Large program risk.]

Stakeholders want focus in all critical risk areas

[Chart: Risk areas in which stakeholders and CAEs want/plan to add IA capabilities, percentage of CAEs and stakeholders by risk area: Regulations and government policies; Reputation and brand; Talent and labor; Business continuity; Fraud and ethics; Data privacy and security; Government spending and taxation; Energy and commodity costs; Commercial market shifts; Competition; Mergers, acquisitions and JVs; New product introductions; Economic uncertainty; Large program risk; Financial markets.]

Barriers to internal audit playing a more substantive role

[Chart: percentage of respondents citing each barrier, two respondent groups. Barriers shown: Organizational/cultural resistance; Lack of resources; Lack of expertise; Lack of mandate; Lack of awareness of internal audit; Lack of budget; Other/none.]

Identification & Management of emerging risk

Responding to stakeholder expectations


The new floor

The “new floor” for effective internal audit, driven by the new risk landscape and higher stakeholder expectations:

Navigate the new risk landscape

• Think and act strategically

• Align resource allocations

• Leverage the second line of defense

Provide deeper insight

• Understand the business

• Deliver advice and best practices

• Leverage specialists

Cut through the clutter

• Build trust through ongoing dialogue

• Simplify reporting, make it consumable

• Connect the dots

The foundation: eight core attributes

1 Focus on critical risks and issues

2 Align value proposition with stakeholders’ expectations

3 Match talent model to the value proposition

4 Engage and manage stakeholder relationships

5 Enable a client service culture

6 Deliver cost-effective services

7 Leverage technology efficiently

8 Promote quality improvement and innovation

Traditional risk assessment and audit planning

Shareholder Value Based Approach

"Top-down" approach where coverage is driven by issues that directly impact shareholder value, with clear and explicit linkage to strategic issues of the organization. The approach focuses on emerging risks and their impact on the organization.

Identify Shareholder Value Creating Activities → Understanding Enterprise Risks (Strategic, Financial, Operations, Compliance) → Evaluate Impact to Shareholder Value → Audit Plan

Traditional Approach

Traditional "bottom-up" approach based on stakeholder interviews and analysis. Focus is on coverage of identified risk areas, geography, and business operations.

Define Audit Universe (e.g. geography, business unit, etc.) → Identify Risks (Financial, Operations, Compliance) → Evaluate Impact of Risks within Audit Universe → Audit Plan

A sample: monitoring emerging risks

Linkage to audit plan: Business/risk monitoring as required in the audit frequency and intensity matrix ideally entails a well-developed continuous risk assessment and monitoring process for each risk unit.

Benefits/Attributes of the three processes:

Continuous risk assessment

• Periodic update of bottom-up and top-down risk assessment

• Provides early warning of high risk activities

• Can trigger changes to risk assessment and/or audit plan

Continuous monitoring

• Involves monitoring of KRIs and KPIs

• Provides insights into current performance, changes, emerging risks, etc.

• Can trigger changes to risk assessment and/or an audit

Continuous auditing

• Can detect control deficiencies

• Can trigger and/or direct additional audit procedures

• Involves independent automated testing (e.g., use of CAATs)

• Findings require management response and remediation

Key attributes:

• Frequency and focus of all three processes will be based on the priority and risks identified for each risk unit.

• Formal process for elevating and reporting output from all three processes.

The current state of risk partner convergence

The business and regulatory environments have become increasingly complex, raising corporate risk profiles. Strategic consequences exist if companies are unable to systemically manage governance, risk and compliance requirements effectively. Most attempts to date have been ad hoc and produced limited results.

[Diagram: the risk partners (Internal audit, Compliance, Risk management, Finance) and the businesses each respond separately to demands such as SOX, new regulation, anti-fraud, internal audits, new product development, privacy and cost efficiency, resulting in lack of coordination, competition for attention, risks/issues falling through the cracks, and duplicate efforts.]

How have organizations made it work

• Utilize a standard framework

• Consider structure across/within functions, businesses and regulatory requirements

• Align with regulatory expectations

• Choose the right place to start: new and developing functions, union of similar silos, areas ripe with duplication, integrated/related environments

[Diagram: Internal audit, Compliance, Risk management, Finance and the businesses share one common process: Objective setting, Risk ID/assess, Control ID/assess, Deficiency mgmt.]

Potential emerging risk


Current emerging risk

• Cloud computing

• Social media

• Customs import/export

• Cyber security

• Mobile devices

• IT governance

• Software asset management

• Spreadsheet management

• ERM

• New regulations

Cyber security


CEOs/Boards are no longer ignoring cybersecurity

Cyber Security is an enterprise-wide issue. Specific types of Cyber Security risks organizations are facing include:

• Increase in Privacy and Security regulatory mandates in recent years, as well as expected changes in upcoming years.

• Boards are no longer willing to accept the risk that technology can pose to the business.

• Growing demand by business leaders to understand how security integrates with privacy (“what” data is sensitive to the business) and security (“how” they protect the data deemed sensitive).

• Increase in threats and vulnerabilities to sensitive data and corporate assets.

• Businesses continue to struggle to maintain accountability to their stakeholders and establish effective strategies and standards for security risk management and privacy control activities.

CEOs/Boards are no longer ignoring cybersecurity

Security Hot Topics: Balancing Business Enablers vs Business Risks

• Privacy: Organizations looking to improve privacy management in the event of a breach have to continually plan and prepare.

• Social Media: Social media can make or break a brand and the fine line between the two must be managed.

• Regulatory: Organizations in all industries are under increased scrutiny by regulatory governance bodies.

• Mobile & Emerging Tech: Cloud computing, mobile platforms and accelerated product life cycles are just the latest contributors to risk of an enterprise.

• Data Loss Prevention: Company’s reputation is paramount and the risk of loss of sensitive customer data threatens this fragile asset.

• Threat & Vulnerability Management: A major bank’s share price dropped three percent after WikiLeaks threatened to ‘take down a major American bank and reveal an ecosystem of corruption’ using documents from an executive’s hard drive.

• 3rd Parties: While risks associated with third parties continue to increase, many companies are less prepared to defend their data.

• Cyber Crisis Management: The cyber threat landscape continues to yield an increasingly sophisticated underworld of criminals. Companies need to remain prepared for such cyber crises.

Mobile security


Level Set – Basic mobile device characteristics

• Generally, “mobile devices” refers to mobile phones, smart phones, tablets and specialized mobile computing devices that primarily connect to a wireless carrier for communications. Excluded are traditional portable computing platforms such as laptops and touch screen computers running a laptop operating system (i.e. Windows).

• Mobile devices will normally include a tailored purpose operating system such as iOS, Android, Blackberry OS, Windows Phone, Symbian or a proprietary device OS

• Mobile devices generally include the option to connect to available wireless broadband services in addition to the carrier network

• Many types of mobile devices will be able to download applications from the Internet or proprietary services unless specifically blocked by the device configuration

• Generally, users will be able to synchronize their devices with enterprise applications via desktop/laptop computers and/or wirelessly

Mobile access at work – Use cases and risk profiles

Use cases, ordered from low functionality and low risk to high functionality and high risk:

• Organization provides only Internet access via Wi-Fi, normally via a guest network arrangement

• Organization provides access to e-mail and calendar via mobile browser (i.e. Outlook Web Access)

• Organization provides synchronization of e-mail and calendar via a mobile application

• Organization provides access to corporate applications and data via a thin client model (e.g. Citrix)

• Organization provides access to corporate applications and data with on-device data storage

• Organization develops and delivers custom applications to mobile users with data modification, direct input and on-device storage

Lost or stolen devices – The number one threat associated with mobility programs

• 56% of us misplace our cell phone or laptop each month

• 113 cell phones are lost or stolen every minute in the U.S.

• 120,000 cell phones are lost annually in Chicago taxi cabs

• 25% of Americans lose or damage their cell phone each year

• Major city transit authorities receive over 200 lost items per day

“Bring your own” device security considerations

• Many organizations have now opted to allow employees to procure their own devices which will ultimately connect to enterprise data and resources

• A “Bring Your Own” strategy presents additional security and privacy challenges which should be carefully considered prior to implementation

• Policies must be carefully crafted that mandate certain restrictions on the employee’s access to corporate data with a personally owned device. Policies should cover minimum device security standards, use of anti-virus or endpoint security software based on legal or compliance requirements and clear language regarding consent for the enterprise to access enterprise data on the device on a timely basis.

• The enterprise should aggressively monitor access by employees with personally owned devices and consider restricting access to the minimum level required to perform the employee’s role (e.g. e-mail and calendar)

• The enterprise should reserve the right to rapidly bar access to data and resources by employees with personally owned devices if necessary to protect enterprise data, address newly identified risks or to comply with legal or compliance requirements

• It is becoming increasingly hard to efficiently operate a BYOD program without using a Mobile Device Management (MDM) platform

Common BYOD Challenges and risks

• BYOD increasingly reopens traditional debates on use of personally owned laptops and computing equipment (i.e. Macs, external storage, printers)

• Use of personally owned devices blurs owner responsibilities regarding device support, ownership of data and how much access and control the organization may have to data on the device

• There is still frequent resistance by users to sign acknowledgements or acceptable use agreements (“It’s my device!”)

• Users want the latest smartphone, regardless of what operating system or features the organization is able to support

• Users have little incentive to report lost or stolen devices on a timely basis. In many cases the organization will only learn of a lost device when the user requests access for a new device

• If the user cancels carrier service, it is impossible to complete over the air device wiping

Mobile security – Controls

Risk Reduction Options

Policies and Procedures *

• Acceptable Use Policy

• Data Classification and Handling Policy

• Social Media Policy

• Information Security Policy

• Device Loss Process/Workflow

• Incident Management Plan

User Acknowledgement and Opt-In

• Signed User Acceptance Form

• Clear Instructions For Reporting Loss of Device

• Consent to Geo-Track (As Applicable)

• Potential Tax Impact (Certain States and Countries)

• Specific Security Training for Users

• Limits on Supported Devices

Technical Controls and Platforms

• Blackberry Enterprise Server

• Exchange ActiveSync

• Vendor Security Controls

• On Device Encryption

• Mobile Management Platform (MDM)

• Mobile Device Anti-Virus/Malware (As Warranted)

Auditing, Logging and Monitoring

• Periodic Audits of Mobile Program and Key Controls

• Integration with Log Management and SIEM Platforms

• Periodic Survey of Users to Confirm Compliance

* With Specific Content for Mobile Device Use

Social media


What is social media today

It is a channel for engagement that enables involvement, interaction, intimacy and influence between you, your customers and your employees

Outlet types (description, then key characteristics; the original slide also shows popular outlets as logos):

• Microblogs: Content is much shorter than a blog. Limited amount of characters; strong following; extensive outreach.

• Blogs: Publishing platforms to post free-form User Generated Content (UGC). Un-edited user content posted; user can make money blogging.

• Media Sharing: Share various media types (photo, video, slides). Media often ranked by popularity based on views.

• Social Networks: Online community of interest with blogging and sharing features. Hybrid platforms can share from other outlets.

• Collaboration: Enterprise platforms to enable external or internal collaboration. Private/public communities for targeted objectives.

Social media in the news

Social media opens the door to new methods of engaging customers and employees. The rapid adoption of social networking, blogs and user-created videos is revolutionizing customer expectations of how they want to interact with each other.

Unfortunately, there are also implications, including reputational risk, regulatory requirements, intellectual property, employee relations, information security and international considerations.

• Multi-million dollar headache for a large healthcare as a result of social media revolt over an offensive ad campaign.

• Food chain loses 10% of its value in one week, resulting in multi-million dollar losses, due to negative videos posted on YouTube.

• Several banks face severe security challenges – fake Facebook pages and phishing.

Social media: New rules and new risks

Organizations are beginning to implement strategies to keep pace with employee adoption of mobile devices and social networking, as well as use of personal technology within the enterprise. Yet much remains to be done: Less than half of respondents have implemented safeguards to protect the enterprise from the security hazards that mobile devices and social media can introduce.

[Chart: percentage of respondents that have a security strategy for employee use of personal devices, have a security strategy for mobile devices, and have a security strategy for social media; each below 50%.]

Question 17: “What process information security safeguards does your organization currently have in place?” (Not all factors shown. Total does not add up to 100%.)

Typical social media risks

Information risk imperatives

Data Security and Protection

1. Identity theft

2. Malware propagation

3. Social engineering

4. Disclosure of intellectual property or other sensitive information

5. Unauthorized access and breaches through phishing, spam, and trojan horses.

Financial and Operational

1. Lack of centralized governance

2. Measuring success

3. Lack of employee productivity

4. Regulatory inquiries and possible fines

Legal & Compliance

1. Foreign and domestic privacy laws

2. Data retention

3. Regulatory compliance (PCI, FINRA, FDA)

4. Content ownership

5. Civil litigation

6. Lack of separation of personal and professional communication

Reputational & Perception

1. Reputational threat

2. Lack of Monitoring

3. Negative brand impacts

4. Crisis management

5. Insufficient employee training

Social enterprise

Social Media Governance and Executive Sponsorship

Social Media Strategy, Objectives, and Policy

Business Sponsorship

• Business objectives and KPIs

• Monitoring metrics and ROI measurement

• Information management

• Staffing

Marketing & Communications

• Social media universe and policy

• Community management

• Brand management

• Crisis management

Human Resources and Legal

• Terms of use

• Code of conduct and staff rules

• Partnership agreements

• Training and awareness

Information Security

• Authentication and authorization

• Certification & accreditation

• Monitoring & incident response

• Vulnerability scanning

Risk, Compliance, and Audit

• Risk assessments

• Risk management

• Regulatory compliance

• Internal controls

• Internal audit

• Enforcement

Cloud computing


Introduction to cloud computing – Overview

What is cloud computing?

Cloud computing is defined by the US National Institute of Standards and Technology (NIST) as a:

Model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

• Cloud computing is often likened to a utility service. Utilities, such as electricity, are available as needed and users only pay for the amount used.

• Cloud Service Providers (CSPs) have adopted the bill-for-service model, which enables companies to save money by not paying for unused or underutilized equipment, power, etc.

• Particular service offerings vary, but the largest cloud services providers (such as Amazon.com, Google, and Salesforce.com) provide computing services on what is essentially a commoditized basis – much like a utility company provides water, gas, or electricity

Threats to cloud computing

• Compliance Complexity – Moving data to a 3rd party cloud provider does not relieve the organization of its compliance responsibilities. A cloud based data breach can negatively impact both the organization and the cloud provider.

• Cloud Resilience – Moving critical data to the cloud – and then having a cloud provider go out of business or be acquired – will have some level of disruption on the organization.

• Data Format Impact – Some cloud providers have proprietary data formats for cloud based data. This can add complexity to change providers or terminate contracts for non-performance.

• Security Expertise – The level of in-house security and monitoring expertise varies widely between cloud providers. This should be a key consideration during cloud provider selection.

• Trust But Verify – Organizations tend to lower their guard once they outsource to a cloud provider. In reality, organizations should increase their oversight and monitoring activities.

Service delivery models and deployment models – Overview

Three Service Delivery Models:

1. Infrastructure as a Service (IaaS)

2. Platform as a Service (PaaS)

3. Software as a Service (SaaS)

Four Deployment Models:

1. Private Cloud

2. Public Cloud

3. Hybrid Cloud

Considerations for internal audit

Regulatory/Legal:

• Physical location of data storage

• Ownership of data in the cloud

• Notifications of breaches/incidents

• Responsibility for non-compliance

• Impact on SOX requirements

Due Diligence:

• Right to audit

• Assured continuity

• Security policy and process transparency

• Vendor selection/management process

Cloud computing – Controls

Risk Reduction Options

Policies and Procedures *

• Policy for Approval of Virtualization/Cloud

• Acceptable Use Policy

• Data Classification and Handling Policy

• Social Media Policy

• Information Security Policy

• Incident Management Plan

Contractual Controls

• Clear delineation of responsibilities between organization and cloud provider

• Standardized or generally accepted language in cloud contracts

• Service Level Agreements (SLAs) that can be measured and enforced

• Right to Audit Clause

Technical Controls

• Access to cloud provider’s dashboards and monitoring tools

• Plug Ins to Organization’s Ticketing System

• Real Time Access to Cloud Provider’s Change and Issue Management platform

• Requirement for Vulnerability Scans and Attack/Penetration Testing

Other Considerations

• Exit strategy at end of contract

• Process to get data back from provider

• Contingency plan for data format conversion

• Contingency plan if cloud provider is acquired or goes out of business

• Cure provisions in the event of a data breach

* With Specific Content for Virtualization/Cloud

Questions


© 2012 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.