Top ten emerging IT audit issues - ISACA...
TRANSCRIPT
Copyright © 2013 Deloitte Development LLC. All rights reserved.1 Top ten emerging IT audit issues
Overview

• IT controls continue to increase in importance to organizations.
  – Corporate reliance on technology increases.
  – Compliance requirements increase.
• Deficiencies in IT controls can have a significant impact on the organization.
[Diagram: IT audits positioned on Value and Risk axes, moving from "Where we have been" to "Where we need to be"]
IT Internal Audit Overview

Level 1: Core (ITGCs, SOX testing, DRP, other compliance, SoD)
• Repetitive services
• Compliance focused
• Comprises most of current audit universes
• Commoditized audits

Level 2: Advanced (IT governance, attack and penetration, IAM, end user computing, software asset management, GRC)
• Maturing technologies that haven't been a focus
• Some compliance aspects
• Opportunities to add value

Level 3: Emerging (mobile endpoint, cyber terrorism, privacy, IT risk management, enterprise records management, social media)
• New technologies
• High visibility/risk
• Highly strategic
• Significant opportunities to provide additional value
IT Internal Audit Universe Allocation

[Chart: share of the IT internal audit universe allocated to Level 1, Level 2 and Level 3, current state vs. future state]
Top 10 IT audit issues

• By no means a comprehensive list.
• Will vary by environment.
  – May be greater/lesser risk depending on industry, technology, business processes, etc.
• This list is based on what we see in the marketplace.
• Designed to get you thinking about your environments and whether currently scheduled IT audit procedures will evaluate these risks.
• List is in no particular order.
1. Mobile only

• Issue
  – Businesses are migrating from using mobile devices to enhance processes to "mobile only" businesses. This dramatically shifts the risks and key control points.
• Risk
  – Failure to manage mobile risk could have significant impact on operations.
  – Solutions are still rapidly evolving.
  – Requires architecture changes, impacting controls in other areas of IT.
• Recommendation
  – Inventory and assess current mobile initiatives. Specifically detail mobile initiatives that impact operational and/or customer-facing processes. Evaluate security policies and procedures, which may not have evolved to address mobile issues. Assess mobile device management (MDM) processes and controls, e.g., distribution of patches, remote wipes, and security requirements. Assess use of mobile middleware applications and processes for identifying and escalating issues.
Mobile payments are fast reaching a "tipping point" of growth in North America, driven by rapid smart-phone growth, shifts in consumer preferences and significant capability build-out.

[Three chart panels: "Increased penetration of smart-phones in the U.S." (U.S. smart-phone sales in MM units, % of mobile phone users and % of population, by year); "Changing consumer behavior" (currently use vs. would use, for account maintenance, transactions, mobile payments, and acquisition/new products); "Projected exponential growth" (growth of mobile payment users in North America, users in MM and transactions in thousands, 2008–2015). Sources: Deloitte Research & Analysis, eMarketer, Gartner Report (2011)]

• Current smart-phone growth forecast: 13% CAGR over the next 5 years; smart-phone adoption represents convergence in technologies.
• Increasing consumer interest in mobile payments functionalities and capabilities.
• Growth opportunities for services not available online, such as remote check deposit and person-to-person (P2P) payments.
• Mobile payment users, transaction volume, and transaction value are all projected to grow exponentially.
Mobile payment channels

Risks associated with mobile payments are heightened by the evolving standards and technologies used in "proximity" and "remote" payment environments. The slide groups the channels into three maturity bands: mature / more control to banks; emerging / more control to banks; emerging / shared infrastructure and less control. (Source: Deloitte Research & Analysis)

Remote payments

SMS
• Use case: customers send payments using simple text messaging commands.
• Key risks: messages can be intercepted and PINs captured; malware can send messages without the customer's consent.
• Marketplace example: M-PESA in Kenya.

Mobile web
• Use case: customers use online payments with the browser on their mobile phones.
• Key risks: Java-based security protocols may not be safe enough; mobile malware can access customer data.

App-based
• Use case: customers use apps built by the FI to make payments, or use payment functionality built into merchants' apps.
• Key risks: keylogger software can capture the PIN the user enters to access the app.
• Marketplace examples (mobile web and app-based, as listed together on the slide): PayPal, Amazon Payments, Google, Chase, Dwolla, LevelUp, Square, Google in-app payments.

Proximity payments

QR code
• Use case: a QR code specific to the customer is scanned at the POS to make payment.
• Key risks: an attacker can obtain the customer's QR code, or the merchant can mismanage the data.
• Marketplace examples: Starbucks, Paycent.

NFC – hardware (built-in chip)
• Use case: customers use their phones as contactless payment devices based on built-in chips.
• Key risks: over-the-air traffic between device and reader can be intercepted; financial information on the secure element can be compromised in stolen phones.
• Marketplace example: Google Wallet.

NFC – SIM based
• Use case: customers use their phones as contactless payment devices based on the SIM.
• Key risks: financial information on the secure element can be compromised if the SIM is stolen.
• Marketplace examples: ISIS, Turkcell, Smart and Globe Telecom.

NFC – microSD
• Use case: customers use their phones as contactless payment devices based on microSD cards that can be inserted into most phones.
• Key risks: financial information on the secure element can be compromised if the SD card is stolen.
• Marketplace example: Moneto.
• Mobile payments have seen significant interest over the years, with a significant number of trials, pilots and niche commercial successes.
• However, banks have not yet built out significant mobile payments capabilities, and adoption rates remained low in North America among customers and merchants until recently.
• Less than 20% of banks have deployed mobile payments, and most are still in a position to assess the risks prior to going to market.
• Survey-level data indicates that the primary cause of lower adoption rates has been security concerns among customers.
• Financial institutions that do not focus on limiting risk in mobile payments will be left behind, with lower adoption rates and possible customer defections.

Survey: What is the most important factor to you when making mobile payments?
• Security: 73%
• Simplicity: 12%
• Speed: 9%
• Choice of payment type: 3%
• Other: 3%
(Source: Deloitte Future of Mobile Payment Survey; Mobio, "Mobile Commerce Handcuffs")
Mobile payment deployments pose a serious risk to FSIs due to the complexity of the architecture and technology and the number of partners involved. While the legacy threats and vulnerabilities inherent to the banks, the payment service providers (PSPs) and the mobile network operators (MNOs) still hold, some threats and vulnerabilities are more prevalent throughout the mobile payment lifecycle because of the complexity of the architecture and the high number of providers involved in a transaction.

[Architecture diagram omitted; the slide notes it is illustrative and does not include all components of the mobile payment architecture]

Common threats and attacks
• Identity theft
• Malware / intrusion
• Man-in-the-middle attacks
• Unauthorized access
• Privacy infringement
• Data disclosure
• Message interception
• Replay attacks
• Coercion

Common vulnerabilities

Platform and protocol related
• Design flaws in the mobile standards/protocols (e.g., GSM encryption vulnerabilities, data protocols, OTA transmission vulnerabilities).
• Design flaws / lack of standards or protocols for mobile payments (e.g., absence of two-factor authentication, auto-storage of cookies on server request, auto-disclosure of cookies).

Device related
• Hardware vulnerabilities (e.g., side-channel attacks, SIM card cloning).
• Operating system vulnerabilities (e.g., Zitmo.C, a simple SMS forwarder for Blackberry, Symbian iOS; HT4803, buffer overflow and type-conversion issues in Apple iOS; Tcent.A; Crusewin.A).
• Software vulnerabilities (e.g., vulnerable APIs in the development platform, such as J2ME).
• Sophisticated sensory malware (e.g., Soundminer, the first "sensory malware" trojan on the Android platform, which identifies when the user is calling a bank IVR so as to capture only the spoken or typed credit card number).

User and process related
• Lost / stolen phones.
• Smart-phone Internet and relocation capabilities.
• Issues in authentication of the user (lack of authentication, capture of authenticators via man-in-the-middle attack, weak authentication protocols, password issues, weak passwords).
• User misuse / lack of awareness (e.g., downloading malware, susceptibility to masquerade, social engineering (phishing), initiation by an unauthorized user, auto-initiation).

POS / PSP / FSP vulnerabilities (e.g., infrastructure / network vulnerabilities)
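The message interception and replay threats listed above are easiest to see in code. The Python below is an added example written for this page, not Deloitte's or any vendor's code: it models a remote-payment request handled first by a weak back end that trusts any well-formed message, then by a hardened one that checks an HMAC-SHA256 tag, a per-request nonce and a freshness window. The message format, account identifiers, device key and timing window are constructed assumptions.

```python
"""Replay protection and message authentication for a payment request.

Constructed example: a minimal 'remote payment' message (as an SMS or
app-based channel would carry it), first with no integrity protection,
then with an HMAC, a per-request nonce and a freshness window.  Names,
key and message format are assumptions for illustration only.
"""
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared secret provisioned to one enrolled device (assumption;
# in a real deployment it would live in the secure element / keystore).
DEVICE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)
FRESHNESS_WINDOW = 120  # seconds a request stays valid


def build_request(src, dst, amount_cents, ts=None, nonce=None):
    """Canonical, field-ordered JSON so client and server MAC identical bytes."""
    body = {
        "src": src,
        "dst": dst,
        "amount": amount_cents,
        "ts": int(time.time()) if ts is None else ts,
        "nonce": secrets.token_hex(16) if nonce is None else nonce,
    }
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_request(payload, key=DEVICE_KEY):
    """Append 'payload.hex(HMAC-SHA256(key, payload))'."""
    return payload + b"." + hmac.new(key, payload, hashlib.sha256).hexdigest().encode()


def naive_process(raw, ledger):
    """Weak server: trusts any well-formed request, so replays and edits succeed."""
    body = json.loads(raw)
    ledger.append((body["src"], body["dst"], body["amount"]))
    return "accepted"


class PaymentServer:
    """Hardened server: MAC check, freshness window, nonce uniqueness."""

    def __init__(self, key=DEVICE_KEY, now=time.time):
        self.key = key
        self.now = now
        self.seen = {}     # nonce -> request timestamp, pruned by the window
        self.ledger = []

    def process(self, raw):
        try:
            payload, tag = raw.rsplit(b".", 1)
        except ValueError:
            return "malformed"
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return "bad_mac"
        body = json.loads(payload)
        now = int(self.now())
        if abs(now - body["ts"]) > FRESHNESS_WINDOW:
            return "stale"
        # Drop nonces too old to be replayed within the window; keeps the set bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= FRESHNESS_WINDOW}
        if body["nonce"] in self.seen:
            return "replay"
        self.seen[body["nonce"]] = body["ts"]
        self.ledger.append((body["src"], body["dst"], body["amount"]))
        return "accepted"


def demo(now=1_700_000_000):
    """Run interception, replay and tampering against both servers."""
    payload = build_request("acct-1001", "acct-2002", 2500, ts=now, nonce="a" * 32)
    signed = sign_request(payload)

    # The attacker intercepts the message, replays it, and edits the amount.
    tampered_body = json.loads(payload)
    tampered_body["amount"] = 250000
    tampered = json.dumps(tampered_body, sort_keys=True, separators=(",", ":")).encode()
    original_tag = signed.rsplit(b".", 1)[1]

    weak_ledger = []
    weak = [naive_process(payload, weak_ledger),
            naive_process(payload, weak_ledger),              # replay
            naive_process(tampered, weak_ledger)]             # tamper

    srv = PaymentServer(now=lambda: now)
    hard = [srv.process(signed),
            srv.process(signed),                                          # replay
            srv.process(sign_request(tampered, key=b"attacker-guess")),   # tamper, wrong key
            srv.process(tampered + b"." + original_tag)]                  # tamper, reused tag
    late = PaymentServer(now=lambda: now + FRESHNESS_WINDOW + 1).process(signed)
    return {"weak": weak, "weak_ledger": weak_ledger, "hard": hard,
            "hard_ledger": srv.ledger, "late": late}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Run it and the weak server books all three requests, including the replay and the edited amount, while the hardened server books only the first. The tag is compared with hmac.compare_digest so byte-by-byte timing does not leak it, and the nonce set is pruned once entries fall outside the freshness window, which is safe because anything older is rejected as stale anyway. Where the device key is stored is the separate "secure element" risk from the channel table above; this example does not address it.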
2. Cyber security

• Issue
  – Significant emerging regulatory requirements and disclosures related to cyber security, intersecting with increased cyber threat.
• Risk
  – Failure to meet regulatory requirements.
  – Brand exposure.
  – Loss of data, denial of service.
• Recommendation
  – Historic cyber threat IT audit activities have been limited to point-specific issues (e.g., attack and penetration audits). Need to perform detailed cyber security audits encompassing the defend, detect, recover and respond components of cyber threat management.
Cyber in the Boardroom: now is the time for directors to ensure senior management focus

The true cost of cybercrime is not easy to tabulate. While many have experienced its wrath first hand, even more have suffered from cybercrime unknowingly through higher costs, operational issues, brand erosion and lower-quality products. Moreover, consider the lost benefit from products that never even made it to market as a result of intellectual property theft.

As a result, boards of directors have a responsibility to take a more active role (in fact, they have a duty) to ensure that management protects and maximizes the value of their digital assets both within and outside the company walls, and to position the organization for the opportunities and disruptions that arise through digital technology. These risks and opportunities may even warrant board-level leadership: a Cyber Chair.

Related content:
• Cyber crime fighting: read the DU Press article by Vikram Mahidhar and David Schatsky.
• 2013 TMT global security study: explore Deloitte's sixth annual worldwide study report of information security practices.
• Read the full USA Today article on this topic, "Cyber in the boardroom – The true cost of cybercrime": http://www.usatoday.com/story/cybertruth/2013/11/08/cybercrimes-bottom-line-500-billion/3478235/?id=us:el:pd:cybercrime:awa:tmt:111213
3. IPv6

• Issue
  – The current Internet protocol, IPv4, dates from the late 1970s and early 1980s. The proliferation of devices has exhausted IPv4 address availability. Telecommunication utilities and the Internet Engineering Task Force (IETF) have been pushing for change, which is now upon us. This will impact network architecture and devices.
• Risk
  – Loss of network communication.
  – Network appliances rendered unusable.
  – Risk assessment has been de-prioritized historically.
  – Most current operating systems enable IPv6 by default, so IPv6 traffic may already be present on networks whose firewall rules and monitoring cover only IPv4.
• Recommendation
  – Determine organizational readiness for IPv6 deployment. At a minimum, the organization should have begun a risk assessment process to assess its readiness to implement IPv6 and identify potential areas that require remediation. Assess the current organization structure and plan for dealing with these issues, and determine how this thinking is being incorporated into current and planned IT initiatives.
4. Analytics

• Issue
  – Everyone is talking about Big Data, which by itself is meaningless without the ability to analyze and interpret the data. Analytic technologies and methods have evolved significantly in the last 18 months.
• Risk
  – Struggling to produce relevant operational reports, yet driving business decision-making off unstructured analyses (e.g., web statistics).
  – Investment in big data does not produce results.
  – Increased data life cycle risk (e.g., personally identifiable information).
• Recommendation
  – Effective analytics are based on foundational data layers. Need to understand what analytics are planned and then assess risk based on usage. Perform a detailed audit that evaluates foundational data layers, data governance, statistical methodology used, and use of technologies (e.g., visualization).
Defining Internal Audit Analytics: from sourcing facts to driving understanding to generating knowledge

• The use of analytics can enhance your ability to manage the risks associated with your audits.
• It will help identify the facts that provide a clear understanding of risks and the knowledge required to manage these risks across the group.
• The ultimate objective is to develop and implement an analytics capability that gives you greater confidence and insight into each of your audits.

Facts: what data do we need to understand our audits?
• There is a need to understand which systems and data are required to support the processes and themes being audited.
• There is also a need to understand how these systems and data are managed and governed to ensure their accuracy, completeness and reliability. Without good governance, data quality cannot be assured and the outcome is compromised.

Understanding: what is happening in each of the audits?
• Once data is sourced and reliable, the process should maintain the integrity of the data.
• Some of the tests that can be performed to better address the risks and controls are:
  – Bespoke test creation based on risks identified in audit planning.
  – Finding correlations between multiple data sources to learn more about the behavior and patterns of processes.

Knowledge: why is it happening?
• Once a control failure has been identified and quantified, the focus moves towards developing real knowledge of the impact on customers and products and understanding the root cause of the failure.
• Data analytics moves from providing simple metrics to informing more sophisticated questions:
  – Allows quantification of control breakdowns.
  – Facilitates root cause identification.
  – Drives control improvements.
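As an added illustration of the "correlation between multiple data sources" test described above (example code written for this page, not part of the original deck or any Deloitte tool), the Python below joins a constructed vendor-master change log with a constructed payments extract and flags payments approved by the same user who created the payee or changed its bank details within a look-back window, a segregation-of-duties conflict, then quantifies the breakdown. Column names, user IDs, amounts and the 30-day window are assumptions.

```python
"""Audit analytics: correlate two extracts to find a segregation-of-duties
conflict and quantify it (constructed example, assumed column names)."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample extracts (not real data): ERP vendor-master change log
# and payments approval log.
VENDOR_CHANGES = """\
ts,user,vendor_id,field
2013-09-02T10:15:00,jsmith,V100,created
2013-09-05T14:02:00,adoe,V101,created
2013-09-20T09:40:00,jsmith,V102,bank_account
2013-10-01T16:30:00,mlee,V103,created
"""

PAYMENTS = """\
ts,payment_id,vendor_id,approver,amount
2013-09-03T11:00:00,P5001,V100,jsmith,4200.00
2013-09-06T09:30:00,P5002,V101,mlee,980.00
2013-09-21T08:05:00,P5003,V102,jsmith,15750.00
2013-10-15T12:00:00,P5004,V103,adoe,300.00
2013-11-30T12:00:00,P5005,V100,jsmith,120.00
"""

# Window in which "changed the payee, then approved a payment to it" is
# treated as a conflict; an audit-planning parameter (assumption).
LOOKBACK = timedelta(days=30)


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def sod_conflicts(changes, payments, lookback=LOOKBACK):
    """Flag payments whose approver created/changed the payee within lookback."""
    by_vendor = {}
    for row in changes:
        by_vendor.setdefault(row["vendor_id"], []).append(
            (datetime.fromisoformat(row["ts"]), row["user"], row["field"]))
    hits = []
    for p in payments:
        paid_at = datetime.fromisoformat(p["ts"])
        for changed_at, user, field in by_vendor.get(p["vendor_id"], []):
            if user == p["approver"] and timedelta(0) <= paid_at - changed_at <= lookback:
                hits.append({
                    "payment_id": p["payment_id"],
                    "approver": p["approver"],
                    "vendor_id": p["vendor_id"],
                    "amount": float(p["amount"]),
                    "reason": f"approver {user} set '{field}' on {p['vendor_id']} "
                              f"{(paid_at - changed_at).days} day(s) before approval",
                })
    return hits


def quantify(hits):
    """Control-breakdown metrics: count, total value and per-user concentration."""
    per_user = {}
    for h in hits:
        per_user[h["approver"]] = per_user.get(h["approver"], 0.0) + h["amount"]
    return {"count": len(hits),
            "total": round(sum(h["amount"] for h in hits), 2),
            "per_user": per_user}


def run():
    hits = sod_conflicts(load(VENDOR_CHANGES), load(PAYMENTS))
    return hits, quantify(hits)


if __name__ == "__main__":
    hits, summary = run()
    for h in hits:
        print(h["payment_id"], h["amount"], h["reason"])
    print(summary)
```

The same pattern generalises beyond vendor payments: swap the two extracts for any pair of sources where one records who changed a control-relevant attribute and the other who acted on it. The look-back window is the knob set during audit planning; the per-user concentration figure is what feeds the root-cause step.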
5. Product duplication and intellectual property

• Issue
  – Proliferation of cheap 3D printing technology has a potentially significant impact on production industries and consumer business.
• Risk
  – Impact on strategic positioning.
  – Impact on brand.
  – Piracy.
• Recommendation
  – Risk-assess your environment to determine if 3D printing technology is a potential enabler or threat for your business (or both). Plan corresponding audits to assess the security of intellectual property schematics, the strategic threat of new entrants into the market, lack of organizational awareness or momentum, and evaluation of current and planned programs around 3D printing.
6. IT audit resources

• Issue
  – Evolution of IT risk requires greater degrees of specialization within the IT audit function; at the same time, IT audit resources are becoming scarcer and more expensive.
• Risk
  – Failure to execute the annual IT audit plan.
  – Execution of IT audits without appropriate resources results in suboptimal audits.
  – Decreased collaboration and support from the IT function and business units.
• Recommendation
  – Develop a long-term strategy for sourcing and developing IT audit resources that is discrete from traditional internal audit resource planning. Consider atypical options such as IT department rotational programs (both in and out). Define training paths that incorporate higher levels of training investment, such as emerging certification pathways (e.g., CGEIT) or specialized training (e.g., cloud, cyber). Consider alternative compensation methods (e.g., retention bonuses or sabbatical/rotational programs).
The Role of Internal Audit: new recommendations for internal auditors*

[Diagram: three lines of defense. 1st line of defense, "Own and Operate" (the business); 2nd line of defense, "Guide, Support, and Challenge"; 3rd line of defense, "Independent Assurance" (Corporate Internal Audit), with External Audit and the Regulator outside the three lines. Functions and controls shown on the diagram: Operations and Technology, Risk and Internal Control Functions (in business), Management Controls, Operational and Accounting Controls, Technology Controls, Policy, Operations and Technology Risk Management, Global Compliance, Independent Risk Organization, Controllership Organization, Legal.]

Recommendations
• Internal Audit's scope should be unrestricted, and it should be freely able to challenge the executive and report any concerns from the first and second lines of defense.
• Confidence/impact testing: there is a high expectation for internal audit to understand what they are doing to support their customer.
• Insight testing: internal audit should be testing the operational effectiveness of the processes in scope for the audit.
• Root cause testing: there should be a focus on significant control breakdowns with a detailed root cause analysis.
• Impact testing: Internal Audit should consider the outcome achieved by the implementation of policies and procedures.

* Source: Institute of Internal Auditors, Effective Internal Audit in the Financial Services Sector
IT Auditor Career Life Cycle

Level 1: Core
• 1–2 years of experience
• Development of core IT auditing skills
• Attendance at fundamentals training courses
• Working towards CISA certification
• Knowledge transfer from advanced auditors
• Attendance and participation in local association meetings

Level 2: Advanced
• 3–5 years of experience
• Development of specific audit skills (e.g., ERP or networking)
• Attendance at focused technical trainings (e.g., ERP)
• Attendance at regional conferences, potentially national conferences
• Knowledge transfer from emerging auditors
• Working towards advanced certifications (CRMA, CRISC, CGEIT)

Level 3: Emerging
• 6+ years of experience
• Continued attendance at advanced technical seminars
• Attendance at national conferences
• Advanced detailed certifications
7. IT services management

• Issue
  – Proliferation of numerous IT vendors, potentially sourced and managed by other business departments. Usage of smaller or less mature vendors.
• Risk
  – Poor or inadequate service delivery.
  – Increased spend.
  – Suboptimal performance management.
• Recommendation
  – Inventory IT service providers, looking beyond the IT department. Evaluate organizational IT Services Management (ITSM) standardization and capabilities (e.g., ITIL, ISO). Audit current relationships against corporate standards and procedures, with specific attention to vendors sourced and managed by non-IT business units. Also evaluate internal IT functions that operate in a service delivery model.
8. End User Computing (EUC) or Information Produced by the Entity (IPE)

• Issue
  – Significant increase in evaluation of spreadsheets and other end user computing solutions by auditors and regulators. Additional regulations promulgated (e.g., Solvency II). Uncontrolled EUCs still impacting financial statements and business operations.
• Risk
  – Loss of critical data.
  – Potentially inaccurate financial or management reporting.
  – Exposure to regulatory sanctions or fines.
• Recommendation
  – Perform an extensive EUC audit. Evaluate criteria such as criticality determination, governance model, and use of technical accelerators. Audits should also evaluate programming structure. A policy-based audit and/or access-based audit alone is likely to be insufficient.
Considerations for SOX audits: PCAOB Staff Audit Practice Alert No. 11 (Oct. 24, 2013)

The practice alert highlights certain requirements of the PCAOB auditing standards in aspects of audits of internal control in which significant auditing deficiencies have been cited frequently in PCAOB inspection reports.
Identifying controls that address the accuracy and completeness of IPE

[Diagram: transactions flow as source data into a database (controls: source data); an application or program extracts and calculates from the database using user-entered parameters (controls: report logic and parameters) and produces the IPE/report; general IT controls over the IT environment surround the application, program and database]

This diagram shows an example depiction of the creation of IPE, including three elements:
• Source data includes the flow of information from initiation of the data to recording into a database.
• Report logic and user-entered parameters include the extraction of the data from the database by the application or program (including any user-entered parameters); the important calculations performed by the application or program; and the final presentation of the resulting information in the IPE/report ("report logic").
• The red circle signifies the activities for which general IT controls may be relevant (in this graphic, it is a system-generated report and thus general IT controls are relevant to the application).
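To make the three elements concrete, the Python below is an added example (written for this page, not from the PCAOB alert or the original deck) that reperforms an IPE report: it loads a constructed source extract, runs the report logic with the documented user-entered parameters, and ties the report's record count, control total and per-account figures back to an independent recomputation. The three scenarios show a clean tie-out, a period end keyed wrongly by the user (a completeness exception), and a defective calculation in the deployed logic (an accuracy exception). The data, column names and parameters are assumptions.

```python
"""Reperforming an IPE report to test completeness and accuracy.

Constructed example: source data (a ledger extract), report logic with
user-entered parameters (period filter, totals by account), and the
auditor's tie-out of the resulting report.  Data and names are assumptions.
"""
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed source extract (not real data): the ledger lines the report summarises.
SOURCE_CSV = """\
txn_id,posted,account,amount
T1,2013-09-30,4000,1000.00
T2,2013-10-01,4000,250.00
T3,2013-10-15,5000,-75.50
T4,2013-10-31,4000,300.25
T5,2013-11-01,5000,10.00
"""

# Parameters as documented in the control description (assumption).
DOCUMENTED_PARAMS = {"period_from": "2013-10-01", "period_to": "2013-10-31"}


def load_source(text=SOURCE_CSV):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["amount"] = Decimal(r["amount"])   # exact arithmetic for a tie-out
    return rows


def report_logic(rows, period_from, period_to, amount_fn=lambda a: a):
    """Report logic: filter by the user-entered period, total by account.
    amount_fn lets the demo stand in for a defective deployed version."""
    totals = defaultdict(Decimal)
    count = 0
    for r in rows:
        if period_from <= r["posted"] <= period_to:   # ISO dates compare as strings
            totals[r["account"]] += amount_fn(r["amount"])
            count += 1
    return {"by_account": dict(totals), "record_count": count,
            "control_total": sum(totals.values(), Decimal("0"))}


def tie_out(ipe, source, params=DOCUMENTED_PARAMS):
    """Auditor's reperformance: recompute from source with the documented
    parameters and list every difference.  An empty list means the IPE ties."""
    expected = report_logic(source, **params)
    findings = []
    if ipe["record_count"] != expected["record_count"]:
        findings.append(f"completeness: {ipe['record_count']} records in report, "
                        f"{expected['record_count']} in source for the period")
    if ipe["control_total"] != expected["control_total"]:
        findings.append(f"control total: report {ipe['control_total']}, "
                        f"recomputed {expected['control_total']}")
    for acct in sorted(set(ipe["by_account"]) | set(expected["by_account"])):
        got, want = ipe["by_account"].get(acct), expected["by_account"].get(acct)
        if got != want:
            findings.append(f"accuracy: account {acct} report {got}, recomputed {want}")
    return findings


def scenarios():
    src = load_source()
    # A: report run exactly as documented -> ties out.
    clean = tie_out(report_logic(src, **DOCUMENTED_PARAMS), src)
    # B: user keyed the period end as the 30th -> month-end line T4 dropped.
    wrong_param = tie_out(report_logic(src, "2013-10-01", "2013-10-30"), src)
    # C: deployed logic takes absolute values -> credit memo T3 loses its sign.
    defective = tie_out(report_logic(src, **DOCUMENTED_PARAMS, amount_fn=abs), src)
    return {"clean": clean, "wrong_param": wrong_param, "defective": defective}


if __name__ == "__main__":
    for name, findings in scenarios().items():
        print(name, findings or "ties out")
```

Reperformance of this kind tests the report logic and parameters elements; it gives no comfort on its own over how the source data was captured or over the general IT controls that keep the deployed logic from changing, which is why the diagram treats those as separate elements.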
9. Project portfolio management

• Issue
  – Increased spend on IT projects, with emphasis on non-IT business units spending money on IT. Agile development deployed by marketing and other business units to push post-digital solutions, but without regard to traditional project control mechanisms and security and control requirements.
• Risk
  – Projects fail or do not meet objectives.
  – Projects succeed but do not provide adequate security, audit and control (for development projects).
• Recommendation
  – Perform a project management audit. Evaluate enterprise project management policies and procedures, staffing, and monitoring. Consider use of emerging tools such as predictive project analytics and/or independent verification and validation processes. Include projects managed by non-IT business units.
10. Regulatory change

• Issue
  – Emerging technologies create new risks and laws, bolstered by an emerging wave of both industry-specific and non-industry-specific regulatory requirements for the security and audit of IT. Historic IT audit universes have been very SOX-focused. Decentralization of responsibilities (e.g., CIO, CISO, CRO, CCO).
• Risk
  – Regulatory fines, censures, or penalties.
  – Brand impact.
  – Litigation.
• Recommendation
  – Perform an inventory of current IT controls regulatory requirements. Develop a RACI chart to determine current responsibilities vis-à-vis regulatory requirements. Map current IT controls testing to requirements. Perform a gap analysis to identify control gaps and responsibility gaps. Identify opportunities for "test once, use many".
Review controls: considerations for SOX audits, PCAOB Staff Audit Practice Alert No. 11 (Oct. 24, 2013), as summarized above.
Summary

• Need to understand which items may be relevant in your business and technical environment.
• Ensure that the risk assessment and audit universe address the relevant items.
• Don't walk the plank alone: communicate with management and the audit committee.
• Plan resource requirements.
  – Be careful not to underestimate.
Questions

Chris Dahl, Advisory Senior Manager, Deloitte & Touche LLP (USA)
Suite 2500, 925 Fourth Avenue, Seattle, WA 98104
Tel: +1 [email protected]
Member of Deloitte Touche Tohmatsu Limited