Internal Audit and its Growing Role in Emerging Technologies
The internal audit function has seen its role in emerging technologies grow exponentially. With data breaches frequently appearing in the news, executives are becoming increasingly anxious about data privacy and security matters. There has been an increase in the risk of IT security breaches, customer data misuse, and reputational harm. The increase can be attributed to the widespread adoption of social media, mobile devices, and cloud computing. As a result, organizations are seeking assistance from internal audit teams in the hope of effectively addressing the novel and distinct risks associated with emerging technologies.
Many internal audit teams have become proficient in auditing established corporate IT systems and technologies facilitating remote work. Data analytics and Big Data are increasingly being leveraged to enhance audit effectiveness. Nevertheless, internal auditors must keep a close eye on new emerging technologies. This is especially true for those that may be less common but are expected to develop rapidly. Being one step ahead in identifying and addressing potential risks or assurance gaps arising from these technologies is essential.
A 2021 poll conducted during a Wolters Kluwer webinar on emerging technology revealed interesting insights. Of the attendees, 20 percent reported their organizations were using robotic process automation (RPA). Additionally, 12 percent were utilizing artificial intelligence (AI), and 3 percent were adopting blockchain technology. Interestingly, half of the participants disclosed that their organizations had not yet implemented any of these technologies. Only 15 percent mentioned using more than one. This indicates that while internal auditors must comprehend the implications of these technologies, there is still time to adapt proactively.
According to Wolters Kluwer, there is a myriad of emerging technologies, ranging from very new ones to those that have existed for some time. Some will become widespread across industries, while others might be more relevant in specific sectors, such as autonomous vehicles.
Examples of emerging technologies include virtual reality, the Internet of Things, bioinformatics, natural language processing, quantum computing, and 5G. However, the most widely used and firmly established ones are RPA, AI, and blockchain, making them primary targets for future internal audits.
When organizations adopt emerging technologies, internal auditors may be required to assess the strategic decision-making process. This is similar to auditing other significant corporate decisions. The primary challenges for auditors lie in evaluating the new risks associated with adopting emerging technologies and examining how management monitors and controls these risks. Hence, internal audit teams must thoroughly understand the purposes, applications, and users of these technologies.
In this two-part blog, we examine the following threats and opportunities of emerging technologies:
- Cloud computing
- Smart devices
- Cyber security
- Social media
We delve into the current business challenges, highlight improved practices we’ve observed, and identify critical areas where internal audit can proactively address emerging trends.
Cloud Computing and Internal Audit – The Cloud Offers Advantages, But What About Risks?
Cloud computing has demonstrated its capacity to deliver significant advantages that go beyond reduced IT costs, simplified infrastructure, enhanced flexibility, and improved operating efficiencies. As this technology becomes more mainstream, organizations are discovering that cloud computing can foster innovation, from lowering financial barriers to developing new products and services.
Nonetheless, achieving these gains requires careful planning and considering market concerns, as various risks can overshadow the benefits. Any organization contemplating a move to the cloud must fully grasp its inherent limitations and strengths. Otherwise, it won’t be able to harness its complete potential and value.
Consequently, significant security hurdles must be addressed before businesses adopt cloud computing. Organizations should carefully evaluate which applications and data are suitable for migration to a cloud environment. A thorough assessment of potential cloud service providers is crucial, including factors like data security, privacy, compliance, availability, and scalability. Additionally, consideration should be given to data and application portability to ensure the ability to switch to a new provider if the existing vendor fails to meet agreed-upon service levels.
Cloud Computing and Internal Audit – Real-life Instances of Potential Pitfalls
While cloud computing technologies have seen successful implementation in many cases, there have been several examples where they resulted in disruptions to business operations. These instances include:
- Amazon Web Services – Technical issues caused outages lasting 36 hours for over 70 clients, in contrast to their marketing promise of only 4.4 hours annually.
- Sony PlayStation Network (PSN) – A network outage resulting from an external intrusion led to the theft of personally identifiable information from all 77 million accounts.
- A domain registrar and website hosting company experienced a breach in their environment, destroying live data and all associated backups. Consequently, 4,800 websites were lost or unrecoverable; in some cases, businesses had to close down.
Cloud Computing and Internal Audit – Effective Approaches to Handle Dynamic Risks
Because of this technology’s rapid evolution and emerging nature, there is currently no singular industry standard or definitive best practice for managing risk, particularly in the context of changing risk. Nonetheless, several frameworks have been developed by drawing on existing outsourcing standards. Among them are the Cloud Security Alliance’s Cloud Controls Matrix and ISACA’s ‘Control Objectives for Cloud Computing: Controls and Assurance in the Cloud’.
Given the increasing adoption of cloud technology, it is inevitable that novel and improved risk management practices and an industry-standard maturity model will be needed to ensure successful risk management and execution.
Cloud Computing and Internal Audit – Strategic Focus Areas for Internal Audit
Internal audit must reevaluate its traditional focus on IT and procurement to address the impact on the company’s risk profile. It should now encompass a broader perspective that considers potential shifts in IT governance structures, challenges related to managing outsourcing risks, and the company’s compliance with federal and state privacy regulations. Internal audit plays a vital role in helping the business assess, manage, and govern the risks associated with cloud computing to ensure the realization of business benefits. Here are key areas where internal audit should concentrate its efforts:
Contractual Agreements: Gain a clear understanding of the service provider’s responsibilities and determine the rights and recourse available in case of security breaches or incidents. Monitor Service Level Agreements (SLAs) closely and ensure compliance with specific contractual requirements and relevant local and global regulations.
Access Controls: Verify that the cloud provider has implemented and enforced administrative controls to limit access to company information for employees, partners, and the supply chain. Thoroughly investigate the background of employees who will have access to data, both logically and physically.
Certification and Third-Party Audits: Ensure service providers undergo accepted third-party reviews of controls, such as SSAE16, ISAE 3402, or ISO 27001 certification.
Compliance Requirements: Assess whether the supplier meets the company’s compliance needs, considering the geographic locations of the provider’s servers and the relevant laws that impact data in each country where it may reside or be processed.
Availability, Reliability, and Resilience: Establish agreements and responsibilities for measurable service levels concerning the availability and reliability of cloud services.
Backup and Recovery: Define precise disaster recovery requirements and ensure that responsibilities for data recovery are well understood before engaging a provider.
Decommissioning: Ensure that data will be securely deleted when no longer needed, adhering to appropriate data disposal practices.
Portability: Evaluate whether data and applications can be easily moved to another cloud provider or migrated back to an on-premises environment if needed. Ensure the cloud provider does not rely on specialized or proprietary technologies before finalizing the selection.
By focusing on these critical areas, internal audit can play a crucial role in safeguarding the company’s interests and ensuring a smooth and secure transition to cloud computing.
Internal Audit and Smart Devices – Smart Devices are Evolving to Become More Intelligent, Posing Increased Risks
Most organizations strive for flexibility and aim to meet business needs by equipping their teams with mobile devices. However, they must balance the benefits of smart devices against the associated risks. The primary risks that companies should consider are as follows:
- Increased risk of information loss: Smart devices pose a higher security risk due to the possibility of theft or loss, making it easier for a security incident to occur.
- Monitoring: The proliferation of malware and espionage software designed for mobile devices requires heightened vigilance in monitoring and security measures.
- Awareness and communication: Educating staff and users about practicing proper security measures (e.g., strong PINs and passwords, secure configuration settings) becomes increasingly crucial, especially for those using personal devices at work.
- Treating devices as any other end-point: Mobile device architecture can create potential entry points into the corporate network, potentially leading to the leakage of highly sensitive information.
- Education of IT staff: IT team members might not possess expertise in mobile device management, which could lead to insecure configurations, infrequent patching, and other security vulnerabilities.
Internal Audit and Smart Devices – Real-life Example of What Can Go Wrong?
In 2010, an Apple employee lost an iPhone prototype in a high-profile case, resulting in a security breach that exposed around 114,000 records, including those of CEOs, military officials, and politicians. The leaked information included subscribers’ email addresses and authentication IDs used for network access. While mobile device thefts have been lower than laptop thefts, research indicates that employees are 15-20 times more likely to lose a mobile device due to its smaller size.
Internal Audit and Smart Devices – Effective Risk Management Practices, Particularly Concerning Evolving Risks
Organizations’ risk appetites may differ significantly, but one effective method of managing the risks associated with smart devices is to choose a Mobile Device Management Solution that suits your organization. Clients implementing this practice often base their vendor selection on reliable research publications.
Organizations should work closely with the chosen vendor to design a secure architecture for their environment and establish secure policies, device protection measures, and efficient device management. The Defense Signals Directorate’s guides for smart devices can be extremely beneficial in this regard. Additionally, organizations should develop comprehensive mobile strategies, policies, and procedures.
Internal Audit and Smart Devices – Areas of Focus for Internal Audit
Internal audit should pay attention to the following aspects concerning smart devices:
Smart device strategy: Review and verify whether mobile device solutions align with the corporate strategy and effectively meet the business needs, maximizing the advantages of using mobile devices.
Policy, Procedure, and Awareness: Investigate the existing policies, procedures, and awareness programs, ensuring their currency, relevance, and staff’s familiarity with their responsibilities to safeguard corporate information.
Technology Review: Examine the technology utilized for mobile device management and the devices themselves, ensuring they adhere to industry-leading practices and the organization’s security policies. Continuous monitoring of mobile security developments, including emerging malware, is vital, as a security assessment is valid only for the point in time at which it is performed.
Continued in Part Two…
In this part of the blog, we delved into the current business challenges, highlighted improved practices we’ve observed, and identified critical areas where internal audit can proactively address cloud computing and smart devices. In the second part, we will similarly discuss cybersecurity and social media.