Internal Audit and its Growing Role in Emerging Technologies – Part 2
In part 1 of this blog, we looked at the current business challenges and the role of internal audit in addressing them. In doing so we highlighted improved practices we have observed and identified critical areas where internal audit can proactively address cloud computing and smart devices. In part 2, we focus on cyber security and internal audit, and on internal audit and social media.
Cyber Security and Internal Audit – Cybersecurity has brought forth numerous previously unidentified risks
Traditional IT security controls, which focus on establishing strong barriers to thwart attackers, are no longer sufficient. They fail to consider the diverse internet channels, intricate partnerships with vendors and providers, the influence of social media, and the rapid proliferation of mobile access.
Organizations must now comprehend the value of their information, its specific locations, the potential financial repercussions of loss or theft, and the likelihood of attracting attackers’ interest. As businesses increasingly operate online, sensitive information may reside within the organization’s systems, on employees’ mobile devices, under the management of IT service providers, communicated to business partners, or even downloaded onto customers’ personal devices as they utilize online services.
Cyber Security and Internal Audit – Real-life Illustrations of Potential Pitfalls
The media continues to report high-profile attacks on organizations large and small, aimed at accessing and exfiltrating sensitive intellectual property, financial information, and private customer data.
One of the world’s leading IT security companies publicly admitted it had lost the computer code at the heart of its security software. This gave rise to widespread concern, as its software is used to control access to many organizations’ most critical and sensitive information. In other words, the organization’s most valuable information was stolen by a remote attacker through a series of targeted attacks that went undetected at the time.
A common theme is that these organizations rarely understand the real risk to their information until after the event, leaving them to deal with high-impact and often reputation-damaging business incidents not previously on the corporate risk radar.
Cyber Security and Internal Audit – Effective Approaches to Risk Management, Particularly in Dynamic Environments
To effectively address the ever-evolving threat landscape, organizations must begin by identifying the locations of valuable business information and creating a centralized register of information assets. With a clear understanding of the critical information and its storage locations, the organization can conduct a comprehensive risk analysis and implement robust security controls.
The primary objective is to protect against well-known threats and potential high-impact events, even those with a lower likelihood of occurrence, such as the exposure of sensitive commercial information, including product innovations and acquisition targets.
Once a risk management framework is established, it becomes imperative to continuously assess the threat environment and adjust the security controls accordingly to keep pace with rapidly changing risks. Valuable insights can be gained from analyzing serious incidents experienced by other organizations, enabling the application of relevant lessons to fortify one’s organization and reduce the likelihood of becoming the next victim.
Cyber Security and Internal Audit – What Internal Audit Should Prioritize
In order for the relationship between cyber security and internal audit to be beneficial in addressing cyber security challenges, internal audit must focus on the following vital inquiries, at a minimum:
- Identification of Important Information Repositories: Has the organization identified repositories containing crucial information, including potential business differentiators?
- Central Register of Information Assets: Is there a centralized register in place to manage and track important information assets effectively?
- Calculating and Agreeing on Risk Appetite: Has the risk to these information assets been assessed, and has an appropriate risk appetite been established and agreed upon?
- Mapping of Information Assets in IT Networks and Systems: Have information assets within the IT networks and systems been thoroughly mapped and documented?
- Internal Security Controls: What internal security controls are implemented to segregate and restrict access to important information, ensuring only authorized personnel can access it?
- Addressing Customer Privacy and Security Expectations: Is the organization adapting its responses to meet customers’ increasing privacy and security expectations?
- Continual Review of Threat Environment and Controls: Is the organization consistently reviewing the threat environment and its existing controls and making necessary adjustments to counter emerging risks effectively?
- Action Plan for Handling Information Loss: Does the organization have a comprehensive action plan to respond to the loss of sensitive or damaging information? Is this plan integrated with crisis and media management protocols?
By addressing these crucial questions, internal audit can play a vital role in safeguarding the organization’s valuable information and mitigating potential risks effectively.
Internal Audit and Social Media – Companies are Widely Embracing Social Media for Both Internal and External Purposes
There is significant potential for organizations to leverage social media to engage customers and employees, and this opportunity should not be underestimated. Companies can foster brand loyalty through this new channel and easily share ideas with their customer base. However, along with this opportunity, there are increased risks to consider:
- Negative Brand Image: Social networking allows customers to express their opinions about a company, its products, and its services. While constructive feedback can be valuable, malicious or excessive comments can harm a company’s brand image.
- Data Loss: The direct connection between employees and a broad audience through social media increases the risk of unintentional or intentional leaks of proprietary information. The numerous connections can also lead to customer data loss through hacking or malware attacks.
- Distribution of Malware: The interconnected nature of social networking platforms can facilitate the rapid spread of malware. URL-shortening services such as TinyURL, Bit.ly, and Cligs, commonly used on Twitter, hide a link’s real destination from the user, so a shortened link can lead to malware without the reader being able to tell in advance.
Organizations must be aware of these risks and implement robust strategies to mitigate potential threats while harnessing the benefits of social media engagement.
Internal Audit and Social Media – An Illustrative Real-Life Scenario of Adverse Consequences
Not long ago, Cligs experienced a hacking incident where over two million URLs were altered to direct users to a single URL containing an article on Twitter hashtags. A senior technology consultant cautioned that the situation could have been far more severe. He expressed concerns that the hackers’ intentions might have included redirecting these millions of shortened URLs to a website hosting malware.
Internal Audit and Social Media – Effective Approaches to Risk Management, Especially in Evolving Circumstances
- Awareness Programs: Conduct awareness programs to educate staff about acceptable practices using a code of conduct. Clearly define roles and responsibilities for various types of communication.
- Policy & Procedures: Establish comprehensive policies covering security, social media, and ethics. Ensure these policies are referenced in employment terms and conditions.
- Communication: Before implementing new technologies, pilot them internally. Clearly communicate acceptable and unacceptable practices to all employees. Foster regular communication between employees and the social media team to stay informed about social landscape developments and company-related matters.
- Security Technology: Evaluate and employ technologies that help control, monitor, and enforce your policies, particularly in regulated advice-based businesses.
- Risk Assessment: Continuously monitor social media usage and assess associated risks. Regularly review risk management strategies and contingency plans in case of adverse events.
- Time Quotas: Set time limitations for social media usage in line with your risk appetite and profile.
- Crisis Management and Mitigation: Implement formal crisis management plans, including various scenarios, to effectively respond to critical situations.
By incorporating these practices, organizations can better manage social media risks and safeguard their reputation and operations.
Internal Audit and Social Media – What Areas Should Internal Audit Prioritize?
Internal audit should inquire about the following:
- Is the organization’s social media strategy well-defined? Does the organization clearly understand how its employees and customers use social media in relation to the organization?
- How is the organization utilizing social networking technologies internally and externally? Is the organization leveraging data from these technologies to inform business strategy and monitor its brand presence in the market?
- Have metrics been established based on social networking analysis concepts? These metrics may address questions such as:
  - How does the use of social networking impact the organization’s brand?
  - How does it heighten the risk of data loss for the organization, its employees, and its customers?
  - How does it increase the risk associated with e-commerce transactions?
Conclusion – The Role of Internal Audit in Emerging Technologies is Growing Fast
Businesses should establish an ongoing education plan to keep their internal audit staff updated on emerging technologies. Engaging an expert adviser is crucial to stay informed about the rapidly evolving trends and practices in technology, enterprise risk, governance, security, and privacy, all relevant to the specific technologies being utilized. For existing implementations, such as cloud services, businesses need to involve an independent party to assess their provider’s controls or ensure that the provider itself engages an independent party to provide this assurance.