
Top ten emerging IT audit issues

Deloitte & Touche LLP

Copyright © 2013 Deloitte Development LLC. All rights reserved.

Overview

• IT controls continue to increase in importance to organizations.
  – Corporate reliance on technology increases.
  – Compliance requirements increase.
• Deficiencies in IT controls can have a significant impact on the organization.

[Figure: IT audits plotted by value and risk, from “Where we have been” to “Where we need to be”.]

IT Internal Audit Overview

Core (Level 1): ITGCs, SOX testing, DRP, other compliance, SoD
• Repetitive services
• Compliance focused
• Comprises most of current audit universes
• Commoditized audits

Advanced (Level 2): IT governance, attack and penetration, IAM, end user computing, software asset management, GRC
• Maturing technologies that haven’t been a focus
• Some compliance aspects
• Opportunities to add value

Emerging (Level 3): mobile endpoint, cyber terrorism, privacy, IT risk management, enterprise record management, social media
• New technologies
• High visibility/risk
• Highly strategic
• Significant opportunities to provide additional value

[Figure: IT Internal Audit Universe Allocation, current state vs. future state, by Level 1, Level 2 and Level 3.]

Top 10 IT audit issues

• By no means a comprehensive list.
• Will vary by environment.
  – May be greater/lesser risk depending on industry, technology, business processes, etc.
• This list is based on what we see in the marketplace.
• Designed to get you thinking about your environments and whether currently scheduled IT audit procedures will evaluate these risks.
• List is in no particular order.

1. Mobile only

• Issue
  – Businesses are migrating from using mobile devices to enhance processes to “mobile only” businesses. This dramatically shifts the risks and key control points.
• Risk
  – Failure to manage mobile risk could have significant impact on operations.
  – Solutions are still rapidly evolving.
  – Requires architecture changes, impacting controls in other areas of IT.
• Recommendation
  – Inventory and assess current mobile initiatives. Specifically detail mobile initiatives that impact operational and/or customer-facing processes. Evaluate security policies and procedures, which may not have evolved to address mobile issues. Assess mobile device management (MDM) processes and controls, e.g., distribution of patches, remote wipe, and security requirements. Assess use of mobile middleware applications and processes for identifying and escalating issues.

Mobile payments are fast reaching a “tipping point” of growth in North America, driven by rapid smart-phone growth, shifts in consumer preferences and significant capability build-out.

[Figure: three charts.]
• Increased penetration of smart-phones in the U.S.: U.S. smart-phone sales (MM units) by year, with smart-phone owners as % of mobile phone users and % of population. Current smart-phone growth forecast: 13% CAGR over the next 5 years. Smart-phone adoption represents convergence in technologies.
• Changing consumer behavior: share of customers who currently use, or would use, mobile channels for account maintenance, transactions, mobile payments, and acquisition / new products. Increasing consumer interest in mobile payments functionalities and capabilities; growth opportunities for services not available online, such as remote check deposit and person-to-person (P2P) payments.
• Projected exponential growth: growth of mobile payment users in North America (users in MM, transactions in thousands, and transaction value), 2008-2015; mobile payment users, transaction volume and transaction value are all projected to grow exponentially.

Source: Deloitte Research & Analysis; eMarketer; Gartner Report (2011)

Risks associated with mobile payments are heightened by the evolving standards and technologies used in ‘proximity’ and ‘remote’ payment environments

Remote payments

SMS
• Use case: customers send payments using simple text messaging commands.
• Key risks: messages can be intercepted and PINs captured; malware can send messages without the customer’s consent.
• Marketplace examples: M-PESA in Kenya.

Mobile web
• Use case: customers make online payments with the browser on their mobile phones.
• Key risks: Java-based security protocols may not be safe enough; mobile malware can access customer data.
• Marketplace examples: PayPal, Amazon Payments, Google.

App-based
• Use case: customers use apps built by the FI to make payments, or use payment functionality built into merchants’ apps.
• Key risks: keylogger software can capture the PIN a user enters to access the app.
• Marketplace examples: Chase, Dwolla, LevelUp, Square, Google in-app payments.

Proximity payments

QR code
• Use case: a QR code specific to the customer is scanned at the POS to make payment.
• Key risks: an attacker can obtain the customer’s QR code, or the merchant can mismanage data.
• Marketplace examples: Starbucks, Paycent.

NFC – hardware
• Use case: customers use their phones as contactless payment devices based on built-in chips.
• Key risks: over-the-air (OTA) traffic between device and reader can be intercepted; financial information on the secure element can be compromised in stolen phones.
• Marketplace examples: Google Wallet, ISIS.

NFC – SIM based
• Use case: customers use their phones as contactless payment devices based on the SIM.
• Key risks: financial information on the secure element can be compromised if the SIM is stolen.
• Marketplace examples: Turkcell, Smart and Globe Telecom.

NFC – microSD
• Use case: customers use their phones as contactless payment devices based on microSD cards that can be inserted into most phones.
• Key risks: financial information on the secure element can be compromised if the SD card is stolen.
• Marketplace examples: Moneto.

Maturity and control, left to right across the channels: mature / more control to banks; emerging / more control to banks; emerging / shared infrastructure and less control.

Source: Deloitte Research & Analysis

Mobile payments have seen significant interest over the years, with a significant number of trials, pilots and niche commercial successes.

However, banks have not yet built out significant mobile payments capabilities, and adoption rates remained low in North America among customers and merchants until recently.

Less than 20% of banks have deployed mobile payments, and most are still in a position to assess the risks prior to going to market.

Survey-level data indicates that the primary cause of lower adoption rates has been security concerns among customers.

Financial institutions that do not focus on limiting risk in mobile payments will be left behind, with lower adoption rates and possible customer defections.

What is the most important factor to you when making mobile payments?
• Security: 73%
• Speed: 9%
• Simplicity: 12%
• Choice of payment type: 3%
• Other: 3%

Source: Deloitte Future of Mobile Payment Survey; Mobio, "Mobile Commerce Handcuffs"

Mobile payment deployments pose a serious risk to FSIs due to the complexity of the architecture and technology and the number of partners involved.

While the legacy threats and vulnerabilities inherent to the banks, the payment service providers (PSPs) and the mobile network operators (MNOs) still apply, some threats and vulnerabilities are more prevalent throughout the mobile payment lifecycle because of the complexity of the architecture and the high number of providers involved in the transaction.

* The architecture diagram on this slide is illustrative and does not include all of the components in the mobile payment architecture.

Common threats and attacks
• Identity theft
• Malware / intrusion
• Man-in-the-middle attacks
• Unauthorized access
• Privacy infringement
• Data disclosure
• Message interception
• Replay attacks
• Coercion

Common vulnerabilities

Platform and protocol related
• Design flaws in the mobile standards / protocols (e.g., GSM encryption vulnerabilities, data protocols, OTA transmission vulnerabilities)
• Design flaws / lack of standards or protocols for mobile payments (e.g., absence of two-factor authentication, auto-storage of cookies on server request, auto-disclosure of cookies)

Device related
• Hardware vulnerabilities (e.g., side-channel attacks, SIM card cloning)
• Operating system vulnerabilities (e.g., Zitmo.C, a simple SMS forwarder for BlackBerry and Symbian; HT4803, buffer overflow and type-conversion issues in Apple iOS; Tcent.A; Crusewin.A)
• Software vulnerabilities (e.g., vulnerable APIs in the development platform, such as J2ME)
• Sophisticated sensory malware (e.g., Soundminer, the first “sensory malware” trojan demonstrated on the Android platform, which identifies when the user is calling a bank IVR so that it captures only the spoken or typed credit card number)

User and process related
• Lost / stolen phones
• Smart-phone Internet and relocation capabilities
• Issues in authentication of the user (lack of authentication, capture of authenticators via man-in-the-middle attack, weak authentication protocols, password issues, weak passwords)
• User misuse / lack of awareness (e.g., downloading malware, susceptibility to masquerade, social engineering (phishing), initiation by an unauthorized user, auto-initiation)

POS / PSP / FSP vulnerabilities (e.g., infrastructure / network vulnerabilities)
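As an added example (not from the Deloitte deck), the following Python shows the control that addresses the message interception, replay and man-in-the-middle items above for a remote payment instruction: every message carries a nonce and a timestamp under an HMAC, and the verifier refuses tampered, stale or repeated messages. The shared key, field names, freshness window and the sample exchange are constructed assumptions, not anything from a real payment scheme.

```python
# Added example (not from the Deloitte deck): nonce + timestamp + HMAC on a
# remote payment instruction, with a verifier that rejects replay, tampering
# and stale delivery. Key, field names and window are assumptions.
import hmac
import hashlib
import json

SHARED_KEY = b"demo-key-do-not-use-in-production"  # assumed app<->PSP key
MAX_AGE_SECONDS = 60                                 # assumed freshness window


def canonical(payload: dict) -> bytes:
    """Deterministic serialisation so both sides MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_payment(payload: dict, nonce: str, ts: int, key: bytes = SHARED_KEY) -> dict:
    """Attach nonce, timestamp and an HMAC-SHA256 tag covering all fields."""
    body = dict(payload, nonce=nonce, ts=ts)
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return dict(body, mac=tag)


class PaymentVerifier:
    """Holds the nonces accepted inside the freshness window."""

    def __init__(self, key: bytes = SHARED_KEY, max_age: int = MAX_AGE_SECONDS):
        self.key = key
        self.max_age = max_age
        self.seen = {}  # nonce -> timestamp at which it was accepted

    def verify(self, msg: dict, now: int) -> str:
        """Return 'ok' or the rejection reason; a rejected message is never acted on."""
        msg = dict(msg)
        tag = msg.pop("mac", None)
        if tag is None or "nonce" not in msg or "ts" not in msg:
            return "missing-fields"
        expected = hmac.new(self.key, canonical(msg), hashlib.sha256).hexdigest()
        # Constant-time compare; a plain == leaks how much of the tag matched.
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"
        if abs(now - msg["ts"]) > self.max_age:
            return "stale"
        # Drop nonces that have aged out so the set stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_age}
        if msg["nonce"] in self.seen:
            return "replay"
        self.seen[msg["nonce"]] = msg["ts"]
        return "ok"


def demo() -> dict:
    """Constructed exchange: one genuine instruction, then an interceptor's attempts."""
    verifier = PaymentVerifier()
    now = 1_700_000_000  # fixed clock so the run is reproducible
    payment = {"from": "acct-1001", "to": "merchant-77", "amount_cents": 4599}
    msg = sign_payment(payment, nonce="n-7f3a", ts=now)

    results = {"genuine": verifier.verify(msg, now)}
    # Replay: the captured message resent verbatim five seconds later.
    results["replay"] = verifier.verify(msg, now + 5)
    # Tampering: payee changed in transit, so the tag no longer matches.
    results["tampered"] = verifier.verify(dict(msg, to="merchant-evil"), now + 5)
    # Stale: a genuine message held back and delivered after the window.
    late = sign_payment(payment, nonce="n-9c21", ts=now)
    results["stale"] = verifier.verify(late, now + MAX_AGE_SECONDS + 1)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>8}: {outcome}")
```

The order of checks matters: the MAC is verified before anything in the message is trusted, so an attacker cannot use the nonce store or the clock check to probe the verifier with forged fields. The nonce set is pruned by the same window that rejects stale messages, which is what keeps replay protection bounded in memory without losing coverage.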

2. Cyber security

• Issue
  – Significant emerging regulatory requirements and disclosures related to cyber security, intersecting with increased cyber threat.
• Risk
  – Failure to meet regulatory requirements.
  – Brand exposure.
  – Loss of data, denial of service.
• Recommendation
  – Historic cyber threat IT audit activities have been limited to point-specific issues (e.g., attack and penetration audits). Detailed cyber security audits are needed that encompass the defend, detect, recover and respond components of cyber threat management.

Cyber in the Boardroom: now is the time for directors to ensure senior management focus

The true cost of cybercrime is not easy to tabulate. While many have experienced its wrath first hand, even more have suffered from cybercrime unknowingly through higher cost, operational issues, brand erosion and lower quality products. Moreover, consider the lost benefit from products that never even made it to the market as a result of intellectual property theft.

As a result, boards of directors have a responsibility to take a more active role – in fact they have a duty – to ensure that management protects and maximizes the value of their digital assets both within and outside the company walls, and to position the organization for the opportunities and disruptions that arise through digital technology. These risks and opportunities may even warrant board-level leadership – a Cyber Chair.

Related content:
• Cyber crime fighting: read the DU Press article by Vikram Mahidhar and David Schatsky.
• 2013 TMT global security study: explore Deloitte's sixth annual worldwide study report of information security practices.
• Read the full USA Today article on this topic, “Cyber in the boardroom – The true cost of cybercrime”: http://www.usatoday.com/story/cybertruth/2013/11/08/cybercrimes-bottom-line-500-billion/3478235/?id=us:el:pd:cybercrime:awa:tmt:111213

3. IPv6

• Issue
  – The current Internet protocol (IPv4) has been in place since the 1970s. The proliferation of devices has exhausted IPv4 address availability. Telecommunication utilities and the Internet Engineering Task Force (IETF) have been pushing for change, which is now upon us. This will impact network architecture and devices.
• Risk
  – Loss of network communication.
  – Network appliances rendered unusable.
  – Risk assessment has been de-prioritized historically.
• Recommendation
  – Determine organizational readiness for IPv6 deployment. At a minimum, the organization should have begun a risk assessment process to assess its readiness to implement IPv6 and identify potential areas that require remediation. Assess the current organization structure and plan to deal with these issues, and determine how this thinking is being incorporated into current and planned IT initiatives.
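An added example, not part of the deck, of one readiness check an auditor could script for the recommendation above. It runs over a constructed host and filtering-rule inventory and flags three remediation items: hosts with no IPv6 address at all, deprecated site-local (fec0::/10) addresses, and services on dual-stack hosts whose IPv4 side is filtered while the IPv6 side has no corresponding rule. That last case is the one that bites during a deployment: the service answers on both stacks, but only the IPv4 path was ever assessed. The inventory format, rule fields and service table are assumptions.

```python
# Added example (not from the deck): IPv6 readiness findings over a
# constructed inventory. Format, rule fields and service table are assumed.
import ipaddress

# Constructed host inventory: addresses bound to each host.
HOSTS = {
    "web-01":  ["203.0.113.10", "2001:db8:10::10"],
    "db-01":   ["10.20.0.5", "fec0::20:5"],     # legacy site-local address
    "ap-fw":   ["192.0.2.1"],                     # IPv4-only appliance
    "mail-01": ["203.0.113.25", "2001:db8:10::25"],
}

# Constructed ports each host exposes and must be filtered on.
SERVICES = {"web-01": [443], "db-01": [5432], "ap-fw": [], "mail-01": [25, 443]}

# Constructed filtering rules: (rule id, destination network, port).
RULES = [
    ("r1", "203.0.113.0/24", 443),
    ("r2", "2001:db8:10::/64", 443),
    ("r3", "10.20.0.0/16", 5432),
    ("r4", "203.0.113.25/32", 25),
]

SITE_LOCAL = ipaddress.ip_network("fec0::/10")  # deprecated by RFC 3879
ULA = ipaddress.ip_network("fc00::/7")


def classify(addr: str) -> str:
    """Label an address the way the finding should read in the report."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "ipv4"
    if ip in SITE_LOCAL:
        return "ipv6-site-local-deprecated"
    if ip.is_link_local:
        return "ipv6-link-local"
    if ip in ULA:
        return "ipv6-ula"
    return "ipv6-global"   # anything else is treated as routable for this check


def rules_covering(addr: str, port: int, rules=RULES) -> list:
    """Rule ids whose network contains addr for this port (version-aware)."""
    ip = ipaddress.ip_address(addr)
    return [rid for rid, net, p in rules
            if p == port and ip in ipaddress.ip_network(net)]


def assess(hosts=HOSTS, services=SERVICES, rules=RULES) -> dict:
    """Return a list of finding strings per host."""
    findings = {}
    for host, addrs in hosts.items():
        issues = []
        kinds = {a: classify(a) for a in addrs}
        v6_addrs = [a for a, k in kinds.items() if k.startswith("ipv6")]
        if not v6_addrs:
            issues.append("no-ipv6-address")
        for a, k in kinds.items():
            if k == "ipv6-site-local-deprecated":
                issues.append(f"deprecated-address:{a}")
        for port in services.get(host, []):
            v4_filtered = any(rules_covering(a, port, rules)
                              for a, k in kinds.items() if k == "ipv4")
            v6_filtered = any(rules_covering(a, port, rules) for a in v6_addrs)
            # Dual-stack host whose IPv6 side is unfiltered: the IPv4 rule gives
            # false comfort because the same service answers on IPv6.
            if v4_filtered and v6_addrs and not v6_filtered:
                issues.append(f"ipv4-only-filtering:{port}")
        findings[host] = issues
    return findings
```

Scope labels are taken from explicit prefixes rather than the library's `is_private` flag, because that flag also covers documentation ranges such as 2001:db8::/32 and would mislabel them; in a real inventory the same mislabelling would hide findings against genuinely global addresses.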

4. Analytics

• Issue
  – Everyone is talking about Big Data, which by itself is meaningless without the ability to analyze and interpret data. Analytic technologies and methods have evolved significantly in the last 18 months.
• Risk
  – Struggling to produce relevant operational reports while driving business decision making off unstructured analyses (e.g., web statistics).
  – Investment in big data does not produce results.
  – Increased data life cycle risk (e.g., personally identifiable information).
• Recommendation
  – Effective analytics are based on foundational data layers. Understand what analytics are planned and then assess risk based on usage. Perform a detailed audit which evaluates foundational data layers, data governance, statistical methodology used, and use of technologies (e.g., visualization).

Defining Internal Audit Analytics: from sourcing facts to driving understanding to generating knowledge

• The use of analytics can enhance your ability to manage the risks associated with your audits.
• It helps identify the facts that provide a clear understanding of risks and the knowledge required to manage these risks across the group.
• The ultimate objective is to develop and implement an analytics capability that provides greater confidence in, and insight into, each of your audits.

Facts: What data do we need to understand our audits?
There is a need to understand which systems and data are required to support the processes and themes being audited. There is also a need to understand how these systems and data are managed and governed to ensure their accuracy, completeness and reliability. Without good governance, data quality cannot be assured and the outcome is compromised.

Understanding: What is happening in each of the audits?
Once data is sourced and reliable, the process should maintain the integrity of the data. Some of the tests that can be performed to better address the risks and controls are:
• Bespoke test creation based on risks identified in audit planning
• Finding correlations between multiple data sources to learn more about the behavior and patterns of processes

Knowledge: Why is it happening?
Once a control failure has been identified and quantified, the focus moves towards developing real knowledge of the impact on customers and products and understanding the root cause of the failure. Data analytics moves from providing simple metrics to informing more sophisticated questions:
• Allows quantification of control breakdowns
• Facilitates root cause identification
• Drives control improvements
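An added example (not from the deck) of the “bespoke test” and “correlation between data sources” ideas above: a segregation-of-duties analytic that joins two constructed data sources, a role-assignment extract and a payables transaction log. Correlating them separates users who merely could create a vendor and approve payments to it from users who actually did, and quantifies the exposure for the latter; it also surfaces activity the role extract does not explain. Role names, the conflicting pair and all records are assumptions.

```python
# Added example (not from the deck): a segregation-of-duties analytic that
# correlates a role extract with a transaction log. Data and roles are assumed.
import csv
import io
from collections import defaultdict

# Constructed extract of application role assignments.
ACCESS_CSV = """user,role
alice,AP_VENDOR_MAINTAIN
alice,AP_PAYMENT_APPROVE
bob,AP_VENDOR_MAINTAIN
carol,AP_PAYMENT_APPROVE
dave,AP_PAYMENT_APPROVE
erin,AP_VENDOR_MAINTAIN
erin,AP_PAYMENT_APPROVE
"""

# Constructed payables log: what actually happened, whatever the entitlements say.
TXN_CSV = """txn_id,user,action,vendor_id,amount
1,alice,CREATE_VENDOR,V100,0
2,alice,APPROVE_PAYMENT,V100,48000
3,bob,CREATE_VENDOR,V200,0
4,carol,APPROVE_PAYMENT,V200,12000
5,dave,APPROVE_PAYMENT,V100,900
6,bob,APPROVE_PAYMENT,V200,3000
"""

# Conflicting role pair under the assumed SoD policy.
CONFLICTS = {("AP_VENDOR_MAINTAIN", "AP_PAYMENT_APPROVE")}


def load(csv_text: str) -> list:
    return list(csv.DictReader(io.StringIO(csv_text)))


def entitlement_conflicts(access_rows) -> dict:
    """Policy view: users who *could* perform both sides of a conflicting pair."""
    roles = defaultdict(set)
    for r in access_rows:
        roles[r["user"]].add(r["role"])
    return {u: sorted(rs) for u, rs in roles.items()
            if any(a in rs and b in rs for a, b in CONFLICTS)}


def exercised_conflicts(txn_rows) -> list:
    """Evidence view: users who created a vendor and approved payments to it.
    Returns (user, vendor_id, total approved) tuples."""
    created = {(r["user"], r["vendor_id"]) for r in txn_rows if r["action"] == "CREATE_VENDOR"}
    approved = defaultdict(int)
    for r in txn_rows:
        key = (r["user"], r["vendor_id"])
        if r["action"] == "APPROVE_PAYMENT" and key in created:
            approved[key] += int(r["amount"])
    return sorted((u, v, amt) for (u, v), amt in approved.items())


def sod_findings(access_csv: str = ACCESS_CSV, txn_csv: str = TXN_CSV) -> dict:
    """Correlate both sources. An entitlement that was exercised is a control
    failure with a quantified exposure; one that was not is an access finding;
    activity with no matching entitlement means the access extract is
    incomplete or the application enforces approval outside its roles."""
    entitled = entitlement_conflicts(load(access_csv))
    by_user = defaultdict(list)
    for u, v, amt in exercised_conflicts(load(txn_csv)):
        by_user[u].append((v, amt))
    return {
        "entitled_not_exercised": sorted(u for u in entitled if u not in by_user),
        "exercised": dict(by_user),
        "exercised_without_entitlement": sorted(u for u in by_user if u not in entitled),
    }
```

On the constructed data, alice is the quantified control failure (48,000 approved to a vendor she created), erin is an access finding only, and bob approving a payment without an approval role is the kind of discrepancy that sends the auditor back to the data-governance question in the “Facts” column: either the role extract is incomplete or approvals are not enforced by roles at all.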

5. Product duplication and intellectual property

• Issue
  – Proliferation of cheap 3D printing technology has potentially significant impact on the production industry and consumer business.
• Risk
  – Impact on strategic positioning.
  – Impact on brand.
  – Piracy.
• Recommendation
  – Assess your environment to determine whether 3D printing technology is a potential enabler or threat for your business (or both). Plan corresponding audits to assess security of intellectual property schematics, the strategic threat of new entrants into the market, lack of organizational awareness or momentum, and evaluation of current and planned programs around 3D printing.

6. IT audit resources

• Issue
  – Evolution of IT risk requires greater degrees of specialization within the IT audit function; at the same time, IT audit resources are becoming scarcer and more expensive.
• Risk
  – Failure to execute the annual IT audit plan.
  – Execution of IT audits without appropriate resources results in suboptimal audits.
  – Decreased collaboration and support from the IT function and business units.
• Recommendation
  – Develop a long-term strategy for sourcing and developing IT audit resources that is discrete from traditional internal audit resource planning. Consider atypical options such as IT department rotational programs (both in and out). Define training paths that incorporate higher levels of training investment, such as emerging certification pathways (e.g., CGEIT) or specialized training (e.g., cloud, cyber). Consider alternative compensation methods (e.g., retention bonuses or sabbatical/rotational programs).

The Role of Internal Audit: new recommendations for Internal Auditors*

[Figure: three lines of defence.]
• 1st line of defense: own and operate (the business).
• 2nd line of defense: guide, support, and challenge.
• 3rd line of defense: independent assurance.
Functions shown across the three lines: Operations and Technology; Risk and Internal Control Functions (in business); Operational and Accounting Controls; Technology Controls; Policy; Operations and Technology Risk Management; Independent Risk Organization; Controllership Organization; Global Compliance; Legal; Corporate Internal Audit; External Audit; Regulator; Management Controls.

Recommendations
• Internal Audit’s scope should be unrestricted, and it should be free to challenge the executive and report any concerns from the first and second line of defence.
• Confidence/impact testing: there is a high expectation for internal audit to understand what they are doing to support their customer.
• Insight testing: internal audit should test the operational effectiveness of the processes in scope for the audit.
• Root cause testing: there should be a focus on significant control breakdowns with a detailed root cause analysis.
• Impact testing: Internal Audit should consider the outcome achieved by the implementation of policies and procedures.

* Source: Institute of Internal Auditors — Effective Internal Audit in Financial Services Sector

IT Auditor Career Life Cycle

Core (Level 1)
• 1-2 years of experience
• Development of core IT auditing skills
• Attendance at fundamentals training courses
• Working towards CISA certification
• Knowledge transfer from advanced auditors
• Attendance and participation in local association meetings

Advanced (Level 2)
• 3-5 years of experience
• Development of specific audit skills (e.g., ERP or networking)
• Attendance at focused technical trainings (e.g., ERP)
• Attendance at regional conferences, potentially national conferences
• Knowledge transfer from emerging auditors
• Working towards advanced certifications (CRMA, CRISC, CGEIT)

Emerging (Level 3)
• 6+ years of experience
• Continued attendance at advanced technical seminars
• Attendance at national conferences
• Advanced detailed certifications

7. IT services management

• Issue
  – Proliferation of numerous IT vendors, potentially sourced and managed by other business departments. Usage of smaller or less mature vendors.
• Risk
  – Poor or inadequate service delivery.
  – Increased spend.
  – Suboptimal performance management.
• Recommendation
  – Inventory IT service providers, looking beyond the IT department. Evaluate organizational IT Services Management (ITSM) standardization and capabilities (e.g., ITIL, ISO). Audit current relationships against corporate standards and procedures, with specific attention to vendors sourced and managed by non-IT business units. Also evaluate internal IT functions that operate in a service delivery model.

8. End User Computing (EUC) or Information Produced by the Entity (IPE)

• Issue
  – Significant increase in evaluation of spreadsheets and other end user computing solutions by auditors and regulators. Additional regulations promulgated (e.g., Solvency II). Uncontrolled EUCs are still impacting financial statements and business operations.
• Risk
  – Loss of critical data.
  – Potentially inaccurate financial or management reporting.
  – Exposure to regulatory sanctions or fines.
• Recommendation
  – Perform an extensive EUC audit. Evaluate criteria such as criticality determination, governance model, and use of technical accelerators. Audits should also evaluate programming structure; a policy-based and/or access-based audit alone is likely to be insufficient.
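An added example, not from the deck, of what auditing an EUC’s programming structure (as opposed to its policy or access controls) can look like: a review over a constructed worksheet’s formulas for hard-coded constants, links to external workbooks, and a formula that breaks the pattern of its column. The worksheet is a plain dict of cell to formula so the block runs offline; a real run would read the cells with a workbook library. The detection thresholds (single-digit constants ignored, a simple majority defining a column’s pattern) are assumptions.

```python
# Added example (not from the deck): structural review of EUC formulas.
# The worksheet is a constructed dict; thresholds and patterns are assumptions.
import re
from collections import Counter, defaultdict

# Constructed worksheet: cell address -> content (formulas start with '=').
SHEET = {
    "B2": "=A2*C2",
    "B3": "=A3*C3",
    "B4": "=A4*1.075",                       # rate typed in, not taken from C4
    "B5": "=A5*C5",
    "D2": "='[Rates_2012.xlsx]Sheet1'!B7",   # link to an external workbook
    "E2": "=SUM(B2:B5)",
}

CELL_REF = re.compile(r"(\$?)([A-Z]{1,3})(\$?)(\d+)")
# 'Sheet'! or '[Book]Sheet'! prefixes; the bracket marks an external workbook.
EXTERNAL = re.compile(r"'?\[[^\]]+\][^!]*!")
# A decimal, or an integer of two or more digits, not part of a cell reference.
# Single-digit integers are ignored as an assumed threshold.
NUMBER = re.compile(r"(?<![A-Za-z$\d.])(\d+\.\d+|\d{2,})(?![\d.])")


def relative_pattern(formula: str, row: int) -> str:
    """Rewrite relative row references as offsets from the formula's own row,
    so formulas that differ only by being filled down compare equal."""
    body = EXTERNAL.sub("[ext]!", formula)

    def rel(m):
        col_abs, col, row_abs, r = m.groups()
        row_part = f"${r}" if row_abs else f"[{int(r) - row}]"
        return f"{col_abs}{col}{row_part}"

    return CELL_REF.sub(rel, body)


def _sort_key(cell: str):
    m = CELL_REF.fullmatch(cell)
    return (m.group(2), int(m.group(4)))


def review(sheet=SHEET) -> dict:
    """Return cells with hard-coded constants, external links, and formulas
    inconsistent with the majority pattern of their column."""
    findings = {"hardcoded": [], "external": [], "inconsistent": []}
    by_column = defaultdict(dict)   # column -> {cell: relative pattern}
    for cell, content in sheet.items():
        if not content.startswith("="):
            continue   # plain values are inputs, not logic
        col, row = _sort_key(cell)
        if EXTERNAL.search(content):
            findings["external"].append(cell)
        if NUMBER.search(EXTERNAL.sub("", content)):
            findings["hardcoded"].append(cell)
        by_column[col][cell] = relative_pattern(content, row)
    for cells in by_column.values():
        pattern, n = Counter(cells.values()).most_common(1)[0]
        if n > len(cells) / 2:   # a clear majority defines the column's pattern
            findings["inconsistent"] += [c for c, p in cells.items() if p != pattern]
    for k in findings:
        findings[k].sort(key=_sort_key)
    return findings
```

The consistency test is the one a policy or access review cannot reproduce: it needs the formulas themselves, normalised so that `=A3*C3` in row 3 and `=A5*C5` in row 5 are recognised as the same logic, which is what makes the single deviating cell stand out.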

Considerations for SOX audits: PCAOB Staff Audit Practice Alert No. 11, Oct. 24, 2013

The practice alert highlights certain requirements of PCAOB auditing standards in aspects of audits of internal control in which significant auditing deficiencies have been cited frequently in PCAOB inspection reports.

Identifying controls that address the accuracy and completeness of IPE

[Figure: creation of IPE. Transactions flow as source data into a database; an application or program applies report logic (extraction and calculations) with user-entered parameters to produce the IPE. Controls sit over source data, report logic and parameters, with general IT controls over the IT environment.]

This diagram shows an example depiction of the creation of IPE, including the three elements:
• Source data includes the flow of information from initiation of the data to recording in a database.
• Report logic and user-entered parameters includes the extraction of the data from the database by the application or program (including any user-entered parameters), the important calculations performed by the application or program, and the final presentation of the resulting information in the IPE/report (“report logic”).

The red circle signifies the activities for which general IT controls may be relevant (in this graphic, it is a system-generated report and thus general IT controls are relevant to the application).
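The following re-performance test, added here and not taken from the deck or the PCAOB alert, exercises all three elements of the diagram: it rebuilds a constructed system-generated report from the source transactions and the user-entered parameters, then compares record count, control total and each report line against the produced report. Data, parameters and field names are assumptions; the report’s defect is constructed to show why agreeing a record count alone is not sufficient evidence that the report logic is accurate.

```python
# Added example (not from the deck or the PCAOB alert): re-performance of a
# system-generated report from source data and parameters. All data is constructed.
from collections import defaultdict
from datetime import date

# Constructed source data: the transactions as recorded in the database.
SOURCE = [
    {"id": 1, "posted": date(2013, 9, 28), "cost_center": "CC10", "amount": 1200},
    {"id": 2, "posted": date(2013, 10, 2), "cost_center": "CC10", "amount": 300},
    {"id": 3, "posted": date(2013, 10, 15), "cost_center": "CC20", "amount": 4500},
    {"id": 4, "posted": date(2013, 10, 31), "cost_center": "CC20", "amount": 250},
    {"id": 5, "posted": date(2013, 11, 1), "cost_center": "CC10", "amount": 999},
]

# User-entered parameters the report was said to be run with.
PARAMS = {"from": date(2013, 10, 1), "to": date(2013, 10, 31), "min_amount": 0}

# The report as produced by the application (constructed). Its deliberate defect:
# the CC20 line omits transaction 4's amount while the record count still agrees,
# as a calculation error that does not drop rows would present.
REPORT = {"lines": {"CC10": 300, "CC20": 4500}, "record_count": 3, "total": 4800}


def expected_report(source, params) -> dict:
    """Re-perform the report logic independently from source data and parameters."""
    lines = defaultdict(int)
    count = 0
    for t in source:
        in_period = params["from"] <= t["posted"] <= params["to"]
        if in_period and t["amount"] >= params["min_amount"]:
            lines[t["cost_center"]] += t["amount"]
            count += 1
    return {"lines": dict(lines), "record_count": count, "total": sum(lines.values())}


def reconcile(report, source=SOURCE, params=PARAMS) -> dict:
    """Compare the produced report to the re-performed one and name each exception."""
    exp = expected_report(source, params)
    exceptions = []
    if report["record_count"] != exp["record_count"]:
        exceptions.append(
            f"completeness: {report['record_count']} records vs {exp['record_count']} in source")
    if report["total"] != exp["total"]:
        exceptions.append(f"control total: {report['total']} vs {exp['total']}")
    for key in sorted(set(report["lines"]) | set(exp["lines"])):
        got, want = report["lines"].get(key), exp["lines"].get(key)
        if got != want:
            exceptions.append(f"line {key}: {got} vs {want}")
    # Internal consistency of the report itself: its lines should foot to its total.
    if sum(report["lines"].values()) != report["total"]:
        exceptions.append("report does not foot")
    return {"passed": not exceptions, "exceptions": exceptions, "expected": exp}


if __name__ == "__main__":
    result = reconcile(REPORT)
    print("passed" if result["passed"] else "exceptions:")
    for e in result["exceptions"]:
        print(" -", e)
```

On the constructed data the record count agrees and the report foots, yet both the control total and the CC20 line are wrong; only re-performing the calculation from source with the same parameters surfaces that, which is the point of testing report logic rather than just counting rows.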

9. Project portfolio management

• Issue
  – Increased spend on IT projects, with emphasis on non-IT business units spending money on IT. Agile development deployed by marketing and other business units pushing post-digital solutions, but without regard to traditional project control mechanisms and security and control requirements.
• Risk
  – Projects fail or do not meet objectives.
  – Projects succeed but do not provide adequate security, audit and control (for development projects).
• Recommendation
  – Perform a project management audit. Evaluate enterprise project management policies and procedures, staffing, and monitoring. Consider use of emerging tools such as predictive project analytics and/or independent verification and validation processes. Include projects managed by non-IT business units.

10. Regulatory change

• Issue
  – Emerging technologies create new risks and laws, bolstered by an emerging wave of both industry-specific and non-industry-specific regulatory requirements for security and audit of IT. Historic IT audit universes have been very SOX-focused. Decentralization of responsibilities (e.g., CIO, CISO, CRO, CCO).
• Risk
  – Regulatory fines, censures, or penalties.
  – Brand impact.
  – Litigation.
• Recommendation
  – Perform an inventory of current IT controls regulatory requirements. Develop a RACI chart to determine current responsibilities vis-à-vis regulatory requirements. Map current IT controls testing to requirements. Perform a gap analysis to identify control gaps and responsibility gaps. Identify opportunities for “test once, use many”.

Review Controls – Considerations for SOX audits: PCAOB Staff Audit Practice Alert No. 11, Oct. 24, 2013

Summary

• Need to understand which items may be relevant in your business and technical environment.
• Ensure that the risk assessment and audit universe address relevant items.
• Don’t walk the plank alone — communicate with management and the audit committee.
• Plan resource requirements.
  – Be careful not to underestimate.

Questions

Chris Dahl
Advisory Senior Manager, Deloitte & Touche LLP USA
Suite 2500, 925 Fourth Avenue, Seattle WA 98104
Tel: +1 [email protected]

Member of Deloitte Touche Tohmatsu Limited