With constant change in the corporate environment and the transformation of business processes from traditional to digital and smart applications, it is becoming important that internal auditors stay up-to-date on this subject to provide assurance to their stakeholders.
There is also a greater need for internal auditors to understand how new technological innovations are enhancing and affecting their businesses, and their relevance.
Therefore, the priority for today’s internal auditors is to continuously update their knowledge of current technologies and their risk trends, and to advise their stakeholders on the best possible way to address these current and emerging IT risks. The IPPF lists three implementation standards that mandate the responsibilities of internal auditors pertaining to technology:
- 1210 – Proficiency (1210.A3) – Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.
- 1220 – Due Professional Care (1220.A2) – In exercising due professional care internal auditors must consider the use of technology-based audit and other data analysis techniques.
- 2110 – Governance (2110.A2) – The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives.
Now let us look at some of the key risk areas in emerging technology that pose greater risk to organizations and need to be considered:
According to the Protiviti 2015 survey, most Chief Audit Executives view strengthening data security and adhering to standards/frameworks for improving data privacy as among their highest priorities.
The magnitude and frequency of cybersecurity incidents are increasing dramatically; in fact, the attacks that are reported these days are only “the tip of a vast iceberg”.
Organizations have to stay abreast of a wide variety of cyber threats in order to avoid falling prey to cyber-criminal attacks. As cybersecurity threats continue to rise, there is a shortage of security experts and professionals worldwide.
To provide assurance on cybersecurity risk, the internal auditor can conduct network vulnerability scans and penetration tests, review the network architecture, review recent security breach incidents and carry out simulation exercises to ensure the organization’s crisis management plan is resilient and effective.
- Social Media
These days there is hardly any enterprise that does not have an online presence through social media. Along with its well-known bright side, social media has a dark side too. Social media sites can be used by dissatisfied customers, employees or individuals with a grudge against an enterprise to disseminate misinformation and negative information.
In addition, employees sharing daily activities with friends may inadvertently and unintentionally disclose information that could be damaging to the enterprise’s reputation or provide information otherwise considered confidential.
In this area of review, the internal auditor can provide management with an independent assessment of the effectiveness of controls over the enterprise’s social media. The internal auditor can audit social media policies and procedures, review the adequacy of awareness training on social media usage and content sharing, and scan social media sites to determine what organization content is available.
- Mobile Computing
In the current environment, mobile devices have become an integral part of the IT infrastructure, and mobile computing is taking over from traditional web-based applications. Mobile computing devices include smartphones, laptops, PDAs, USB devices, digital cameras, RFIDs, IrDA etc.
These devices may contain an enterprise’s confidential information. They may also contain intellectual property, industrial secrets and information under regulatory monitoring.
The internal auditor should consider the risks associated with the use of mobile devices and relate them to the criticality of the information they store and access and the transactions they process, from the business, legal and regulatory perspectives.
The internal auditor can audit the mobile device inventory and review how stolen and lost devices are managed, ensure that controls are in place for lost devices, review how the organization categorizes the type of information that can be stored on mobile devices, and ensure that sensitive organization information is either not stored on mobile devices or is securely encrypted.
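The checks listed above can be run as an exception report over a device inventory export. The following is an added example, not part of the original article; the CSV columns, the sample rows and the data-classification policy are constructed assumptions.

```python
import csv
import io

# Constructed sample inventory export; column names and values are assumptions.
INVENTORY_CSV = """device_id,type,status,data_class,encrypted,remote_wiped
M-001,laptop,active,confidential,yes,no
M-002,smartphone,lost,internal,yes,no
M-003,usb,active,confidential,no,no
M-004,smartphone,stolen,confidential,yes,yes
M-005,laptop,active,internal,no,no
M-006,pda,active,public,no,no
"""

# Hypothetical policy: highest data class each device type may hold.
RANK = {"public": 0, "internal": 1, "confidential": 2}
MAX_CLASS = {"laptop": "confidential", "smartphone": "confidential",
             "usb": "internal", "pda": "public"}
MUST_ENCRYPT_FROM = "internal"  # this class and above must be encrypted


def audit_inventory(csv_text):
    """Return a sorted list of (device_id, finding) exceptions."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        dev = row["device_id"]
        rank = RANK.get(row["data_class"])
        limit = MAX_CLASS.get(row["type"])
        if rank is None or limit is None:
            # Unknown values are exceptions too: they cannot be assessed.
            findings.append((dev, "unclassified device type or data class"))
            continue
        if rank > RANK[limit]:
            findings.append((dev, "data class not permitted on this device type"))
        if rank >= RANK[MUST_ENCRYPT_FROM] and row["encrypted"] != "yes":
            findings.append((dev, "sensitive data stored unencrypted"))
        if row["status"] in ("lost", "stolen") and row["remote_wiped"] != "yes":
            findings.append((dev, "lost/stolen device not remotely wiped"))
    return sorted(findings)


if __name__ == "__main__":
    for device_id, finding in audit_inventory(INVENTORY_CSV):
        print(f"{device_id}: {finding}")
```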
- Cloud Computing
The world is moving from onsite computing to using shared resources available as a service over the internet from Cloud Service Providers, broadly known as cloud computing. In the simplest terms, cloud computing means storing and accessing data and programs over the internet instead of on your onsite computer’s hard drive.
In a survey conducted by Grant Thornton, 43% of CAEs responded that they haven’t really given a thought to the risk and control implications of the cloud environment.
The internal auditor can play an important role in the adoption of cloud computing. In the early stages, the internal auditor can become part of the technological task force to determine the risk introduced by such an environment.
The cloud model requires the internal auditor to understand the technology and processes underlying cloud computing, as well as the complex processes used to assess provider performance. The internal auditor should also understand the company’s contractual, operational, and regulatory requirements that might be affected.
Internal audit can determine whether the service provider is meeting the company’s data security requirements and analyze the security based on standards such as ISO, PCI DSS etc. The internal auditor can review the Service Level Agreement (SLA) to ensure the organization’s rights to audit and gain access to the cloud and perform limited audit procedures.
Other areas of concern include inquiring about the data location and the potential risk in a foreign country with regard to privacy and data access issues, and reviewing quality parameters in terms of service outages and the timing of upgrades and patches against the SLA.
Lastly, determine whether the service provider can meet the organization’s anticipated growth requirements; if it cannot, determine whether the organization has a contingency plan in the event that the service provider’s systems cannot scale to meet the company’s needs.
IT Skills Among Internal Auditors
The need for IT skills arises from the convergence of the accounting and technology fields in a computer-driven economy. The next generation of auditors needs IT knowledge as well as the traditional competencies in accounting and finance.
According to a recent survey by Deloitte in which more than 1,200 CAEs participated, half of CAEs (57%) are not convinced that their teams have the skills and expertise needed to deliver on stakeholders’ current expectations.
The survey further reveals that the top two skill gaps in internal auditor capabilities are specialized IT (42%) and data analytics (41%) skills.
In the specialized IT domain, there are generally two types of certification: one geared toward information systems auditing, such as CISA, QiCA, CRISC etc., and the other concentrating on information security, such as CISM, CISSP, CSP, CISRCP etc.
Another area with significant potential for transforming the audit is data mining and data analytics. The purpose of data mining and data analytics is to search for patterns, plausible interrelationships and anomalies, which will help in improving operational efficiency and effectiveness, detection and prevention of fraud, reliable financial reporting and adequate compliance with laws and regulations.
Experts estimate that there will be 35 trillion gigabytes of stored data in the world by 2020. Considering the vast amount of data at the auditor’s disposal, internal auditors will be required not only to evaluate past trends but also to explore future trends in audit practice.
Software tools such as ACL and IDEA are used to extract data from other systems and run data analysis routines against this information. These types of systems require auditors to gain specialized knowledge through intensive training sessions.
The Institute of Internal Auditors (IIA) recommends use of data analytics across all levels of the audit staff and in all audit
The need and challenge for internal auditors is to keep pace with these dynamic changes in order to stay relevant.
The success of internal auditors lies in their commitment to ongoing learning and improvement, along with a deep understanding of emerging trends in the profession and in the business around them.