newsletter - chapters site 2015 iia... · managing compliance risk with ... accounting from devry...


NEWSLETTER Progress Through Sharing

March 2015


IT Audit Corner

Malware

Malware is short for “malicious software." It includes viruses and spyware that get installed on your computer, phone, or mobile device without your consent. These programs can cause your device to crash and can be used to monitor and control your online activity. Criminals use malware to steal personal information, send spam, and commit fraud.

Avoid Malware

Scam artists try to trick people into clicking on links that will download malware and spyware to their computers, especially computers that don't use adequate security software. To reduce your risk of downloading unwanted malware and spyware:

Keep your security software updated. At a minimum, your computer should have anti-virus and anti-spyware software, and a firewall. Set your security software, internet browser, and operating system (like Windows or Mac OS) to update automatically.

Instead of clicking on a link in an email, type the URL of the site you want directly into your browser. Criminals send emails that appear to be from companies you know and trust. The links may look legitimate, but clicking on them could download malware or send you to a spoof site designed to steal your personal information.

Don’t open attachments in emails unless you know who sent it and what it is. Opening attachments — even in emails that seem to be from friends or family — can install malware on your computer.

Download and install software only from websites you know and trust. Downloading free games, file-sharing programs, and customized toolbars may sound appealing, but free software can come with malware.

Minimize "drive-by" downloads. Make sure your browser security setting is high enough to detect unauthorized downloads. For Internet Explorer, for example, use the "medium" setting at a minimum.

Use a pop-up blocker and don't click on any links within pop-ups. If you do, you may install malware on your computer. Close pop-up windows by clicking on the "X" in the title bar.

Resist buying software in response to unexpected pop-up messages or emails, especially ads that claim to have scanned your computer and detected malware. That's a tactic scammers use to spread malware.


Talk about safe computing. Tell your kids that some online actions can put the computer at risk: clicking on pop-ups, downloading "free" games or programs, opening chain emails, or posting personal information.

Back up your data regularly. Whether it's text files or photos that are important to you, back up any data that you'd want to keep in case your computer crashes.

Detect Malware

Monitor your computer for unusual behavior. Your computer may be infected with malware if it:

slows down, crashes, or displays repeated error messages

won't shut down or restart

serves up a barrage of pop-ups

displays web pages you didn't intend to visit, or sends emails you didn't write

Other warning signs of malware include:

new and unexpected toolbars

new and unexpected icons in your shortcuts or on your desktop

a sudden or repeated change in your computer's internet home page

a laptop battery that drains more quickly than it should

Get Rid of Malware

If you suspect there is malware on your computer, take these steps:

Stop shopping, banking, and doing other online activities that involve user names, passwords, or other sensitive information.

Update your security software, and then run it to scan your computer for viruses and spyware. Delete anything it identifies as a problem. You may have to restart your computer for the changes to take effect.

If your computer is covered by a warranty that offers free tech support, contact the manufacturer. Before you call, write down the model and serial number of your computer, the name of any software you've installed, and a short description of the problem.

Many companies – including some affiliated with retail stores – offer tech support on the phone, online, at their store, and in your home. Decide which is most convenient for you. Telephone and online help generally are the least expensive, but you may have to do some of the work yourself. Taking your computer to a store usually is less expensive than hiring a repair person to come into your home.

Once your computer is back up and running, think about how malware could have been downloaded to your machine, and what you could do differently to avoid it in the future.

Report Malware

If you think your computer has malware, the Federal Trade Commission wants to know. File a complaint at www.ftc.gov/complaint.

http://www.onguardonline.gov/articles/0011-malware


Upcoming Training Opportunities

Chapter Luncheons

MARCH 2015

COSO 2013

March 11, 2015

11:30 AM to 2:00 PM

AmericanWest Bank

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its updated Internal Control Integrated Framework in 2013. The changes made were revolutionary, and take into account changes in the business environment and operations over the last 20 years. The 2013 Framework retains the definition of internal control and the COSO cube, including the five components of internal control: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities.

Colin Wallace DIRECTOR, ADVISORY SERVICES

Moss Adams, LLP

Colin has over 11 years of relevant internal audit and SOX 404 experience. He has organized and performed financial, operational and compliance reviews throughout the United States and abroad. In this capacity, he has been involved with every aspect of the internal audit process including planning, analysis, reporting, and project management. In addition, Colin has managed significant SOX 404 assessment projects from initial implementation to final reporting, and has led multiple COSO 2013 implementations.

Colin’s Professional Certifications:

Certified Internal Auditor (CIA)

Certified Public Accountant (CPA)

Certified in Financial Forensics (CFF)

Certified Fraud Examiner (CFE)

Certified Government Auditing Professional (CGAP)

APRIL 2015

PROFESSIONAL SKEPTICISM

STAY TUNED FOR ADDITIONAL DETAILS.


Schedule of Events

Spokane Chapter - Institute of Internal Auditors

2014 – 2015 Chapter Year

SEPTEMBER

Tuesday, 23rd

Excel: Intro to Macros

1 CPE

OCTOBER

Tuesday, 28th

IT Risk – Keeping Your Business Off the Front Page of the Newspaper

1 CPE

NOVEMBER

CANCELLED in lieu of the Annual ACFE Fraud Conference

DECEMBER

Thursday, 18th

Joint Holiday Luncheon with the ACFE

2 CPEs

JANUARY

Thursday, 22nd

Cancelled

FEBRUARY

Thursday, 19th

Managing Compliance Risk with Third-Party Vendors

2 CPEs

MARCH

Wednesday, 11th

COSO 2013

2 CPEs

APRIL

Date TBD

Professional Skepticism

2 CPEs

MAY

Date TBD

TBD Seminar

8 CPEs

JUNE

No scheduled events

JULY

No scheduled events

AUGUST

No scheduled events


Certification Corner

Internal Auditor Magazine

Earn 3 CPE credits by reading Internal Auditor (Ia) magazine articles and answering questions about them here.

Other CPE Opportunities

Individuals can also earn CPE credits by giving presentations, writing exam questions, and more. Visit your individual CPE certification page (above) for details or see the administrative directive.

Member Spotlight

The IIA Spokane Chapter will be spotlighting various chapter members each month to find out why the member chose their profession, what they do for fun (besides audit), and what has made them successful.

Q: How did you become an internal auditor?

The path I took to becoming an internal auditor was not a direct route from A to B. With the completion of my coursework toward an accounting degree coming to an end I remained undecided as to the accounting field I would pursue. I didn’t know if I should continue working at Banner Bank, where I’ve been for nearly 10 years, or explore options with an accounting firm. With three months left in my schooling, an unexpected opportunity presented itself—a position in the bank’s Internal Audit department. One of my recent classes was an audit course, which I had thoroughly enjoyed; so I decided to apply. At the very least, the job would provide experience and expose me to a unique discipline of accounting. After four years in my new career in Banner’s Internal Audit department, I’m continuing to grow in the department, I love the work I do and am happy that I was able to remain a part of the Banner Bank family.

Q: What do you enjoy the most in your current position?

The challenge of developing new audits is enjoyable, interesting and rewarding. A lot of research and investigative work goes into the creation of a new audit. I enjoy being able to apply my knowledge toward programs that play a part in Banner’s growth and continuing efforts to constantly improve as a company.

Member: Erin Keenan

Position: Senior Staff Auditor

Company: Banner Bank

Certifications: N/A

Education: BA in Business Administration with a concentration in Accounting from DeVry University; graduated Cum Laude

Q: What are some of the challenges you face in your current position?

The greatest challenge I face is ensuring that the information I provide is reliable and accurate. We view Internal Audit’s role at Banner Bank as a partner to the business units. By working together our work can provide valuable analysis that helps the departments enhance their efficiency as we all strive to make Banner the best it can be.

Q: If you were not an auditor, what would you be doing?

I enjoy the day-to-day work in Internal Audit, and the interaction I have with my colleagues. However, if I had my choice, I would love to be a stay-at-home mom.

Q: Any special skills or experiences you are proud of as an internal auditor?

My organizational skills and strong attention to detail are essential to my work in Internal Audit. Utilizing these skills I am able to manage a multitude of audits simultaneously. Whether managing an ongoing audit or developing a new one, each has many moving parts, timelines and specific processes that require meticulous observation and management to ensure accurate on-time analysis.

Q: What are your passions or hobbies outside of internal audit?

Besides reading and spending time with my family, I love to play the piano. I often serve as a pianist and organist for the Church of Jesus Christ of Latter-Day Saints.

Q: Any word of advice to fellow internal auditors?

Follow your passions and do what you love. I believe that is the key to happiness in both your work and personal lives.

Volunteers to serve as Institute of Internal Auditors Spokane Chapter Board members

We need you. Please contact David Gifford, Chapter President, if you or someone you know would do a great job of helping the chapter.


Back to Basics

Sometimes it’s good to get back to the basics of something we do every day. In this section of the newsletter we will review some of the basic skills and practices that internal auditors use on a daily basis. This month’s article comes from Norman Marks’ Governance, Risk Management, and Audit blog (https://normanmarks.wordpress.com/).

Advancing the Practice of Internal Audit

I was honored to be a member of the Re-Look Task Force that has proposed changes to the IIA’s standards framework (IPPF). One of the changes is to introduce Core Principles for the Professional Practice of Internal Auditing. The first nine are “motherhood and apple pie” restatements of what I hope we all know are necessary attributes of internal auditing, such as our integrity, resources, and ability to communicate. They are important to restate because although they may be obviously necessary, they are not all always present in practice. For example, I continue to meet CAEs who don’t have sufficient resources to address more than a handful of critical risks. The last has been charged with all the SOX work without being given the resources necessary to provide both his core internal audit assurance work and the consulting services necessary to manage the SOX program.

The three that I think will help advance the professional practice of internal auditing are the last three on the list (which should be the first three).

1. Provides reliable assurance to those charged with governance.

2. Is insightful, proactive, and future-focused.

3. Promotes positive change.

What is “assurance”? Our stakeholders need to know if the processes for governance, management of risk, and the related controls can be relied upon to manage critical risks at acceptable levels: whether they will enable the organization to take the right risks with confidence and achieve or surpass objectives.

They need our professional opinion.

I hope this principle will advance the practice of providing such an opinion, a formal one, to the board and top management. A list of deficiencies is not assurance.

#11 is very interesting. Surveys continue to tell us that our stakeholders on the board and in executive management want more from us. In addition to focusing on the right risks (a deficiency in our practice according to recent PwC and KPMG surveys), they value our insight – what we can tell them about management processes and practices beyond what we might put in the audit report.

Our traditional role is to report on what has happened (and gone wrong) in the past – hindsight. We should instead help our organizations, their executive team and board, manage into the future. This means moving from hindsight to foresight with insight into current and foreseeable conditions. We should be proactive in looking at changes in business systems and processes, organizational structures and staffing, and more – providing consulting services to help ensure our future is one with adequate management of risk, including security and controls.

The great Canadian ice hockey player, Wayne Gretzky, was asked “what is the secret of your success?” His answer: “I skate to where the puck is going to be.” We need to audit where the risk is going to be.

The last talks about the need to do more than make a recommendation and let management respond. We need to promote positive change. I ask that you read and comment on my article in the August issue of the Internal Auditor magazine on “The Internal Audit Evangelist”.


In another article in the same issue, the author talks about his department achieving an acceptance rate of 84% on its recommendations. Management accepted and implemented 84% of internal audit ratings. My comment? That is a 16% failure rate! Where is the value when management only occasionally listens to us? How will management see us if we frequently are unable to see business risks and needs in the same light as they see them? There is zero value in recommendations. There is only value in positive change.

We should work with management to ensure we agree on the facts, agree on the risk to objectives (specifying which are at risk), agree on whether that risk should be accepted or treated, and then agree and help them determine the best path forward.

If the great majority of internal audit departments are able to say that:

1. We provide our stakeholders with the assurance they need to manage and direct the organization with confidence

2. We provide insight into current conditions and our work is focused on the risks that will face the organization as it moves forward, and

3. We work with management to effect positive change

the professional practice of internal audit will be one worthy of pride.


2014 – 2015 IIA Spokane Chapter Officers

Spokane IIA Chapter Officers elected for the 2014-2015 Chapter Year:

Title | Officer | Organization

Chapter President | David Gifford | AmericanWest Bank

VP Membership & Programs | Melanie Shanks | Spokane Teacher’s Credit Union

VP Communications | Stephen Hunt | AmericanWest Bank

Treasurer | Terra Kile | DeCoria Maichel and Teague P.S.

Secretary | Vanessa Scarpelli | Umpqua Bank

2014 – 2015 IIA Spokane Chapter Board of Governors

Spokane IIA Chapter Board of Governors for the 2014-2015 Chapter Year:

Governor | Organization

Penny Brown | AmericanWest Bank

Debra Peterson | Washington Trust Bank

Cathy Cook | Washington Trust Bank

Colleen Warner | Global Credit Union
