TACKLING THIS YEAR’S AUDIT HOT SPOTS
© 2015 Brown Smith Wallace LLC
Each year organization leaders have the opportunity to consider how to focus their limited internal audit resources and budget. Many organizations approach this annually by identifying an audit universe, performing a risk assessment, and developing an audit plan. Taking the same approach year after year may not focus your resources in the right places.

Are you focusing your efforts on areas that present the greatest risk or opportunity? Are you receiving appropriate value from your internal audit spend? Based upon our experience helping numerous organizations design and execute their internal audit plans, we have compiled 10 key risk areas that may need more attention within your organization. Whether or not your internal audit plans have already been finalized, this information can be leveraged to identify areas within the organization that may warrant more attention – maybe some that have never been given attention before.
10 key risk areas that may need more attention within your organization:

1 Information Security and Data Privacy
2 Compliance Programs
3 Business Strategy and Initiatives
4 Fraud
5 Decentralized and/or International Operations
6 Business Processes
7 Insurance Programs
8 Social Media
9 Third-Party Relationships
10 Financial Reporting

INFORMATION SECURITY AND DATA PRIVACY

Cybersecurity issues are top of mind for organization leaders, as many high-profile cyberattacks have occurred in recent years that have had far-reaching financial, regulatory and reputational implications. JP Morgan Chase was the target of one of these attacks – which reportedly occurred due to a “neglected server” and affected the private account information of 83 million individual consumer and small business accounts. The financial institution spent $250 million to upgrade its systems reactively after the attack.

As personally identifiable information (PII) becomes more disseminated – and, therefore, more vulnerable – lawmakers across the world are creating more regulations for organizations to protect PII. Additionally, there are wide-reaching data privacy regulations, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), that come into play as hackers seek to steal medical information to sell on the black market. At the start of 2015, hackers targeted health insurer Anthem and stole more than 80 million records of current and former policyholders.

Although threats to information security are continually evolving, organizations can take proactive steps to understand and address these risks. Auditors should be part of the process to determine if current security measures are effective or if some improvements are necessary.

Consider the following internal audit emphasis:

• Evaluate the adequacy and effectiveness of the organization’s overall security program and related resources against industry standards (e.g., COBIT, ISO 27001 and ISO 27002).
• Perform technical security reviews, which may include external and internal penetration testing and vulnerability assessments. Don’t forget to perform audit procedures to assess the effectiveness of other parts of your IT environment (e.g., operating systems, databases and applications).
• Verify policies and procedures are in place to identify and understand the risk associated with key third-party service providers or vendors, communication of responsibilities (e.g., in contracts) and monitoring to ensure information assets are being appropriately safeguarded.
• Evaluate the approach to understanding, addressing and monitoring legal and regulatory compliance requirements that are applicable to the company (e.g., PCI, HIPAA and GLBA).
• Incorporate procedures into each audit to evaluate information security risks (e.g., evaluate password policies, user access rights and segregation of duties, etc.).

The goal is to identify and audit those risk-mitigation activities, which will require auditors to have some information security expertise.
COMPLIANCE PROGRAMS

Compliance requirements in industries such as financial services and healthcare continue to grow in number and complexity. In recent years, the impact has spread across industries due to the prevalence of more broad-based regulatory requirements (e.g., handling and protecting sensitive data such as personal and credit card information, healthcare reform, employment laws, etc.). This has resulted in regulatory compliance being a top risk for many organizations.

As executives anticipate more regulatory risks to come, they are increasing their investment in compliance programs and taking on more costs. It is critical that internal audit work with management to ensure controls are properly designed and operating effectively within these programs by taking a risk-based approach and focusing on those items that pose the greatest risks to the organization.

Some organizations are spreading compliance across more individuals, but this can present its own unique risks. While it may appear to be cost effective in the interim, internal audit must be involved and knowledgeable about compliance risks impacting their organizations. They should verify these risks are adequately understood and addressed by the organization through policies, procedures, programs and other methods.

Consider the following internal audit emphasis:

• Assess the organization’s overall approach to addressing compliance (compliance program) and whether it is comprehensive, appropriately designed and effectively operating.
• Conduct detailed audits of the organization’s higher risk compliance requirements.
BUSINESS STRATEGY AND INITIATIVES

New business initiatives (new products or services, organizational realignment, mergers and acquisitions, reengineering of business processes, system implementations, etc.) are often looked to as the panacea for helping organizations grow and prosper. But studies indicate that almost two-thirds of these efforts are not successful, and a 2014 study by Forbes Insight and Medidata indicates that half of organizations are not prepared to take on these types of transformational changes.

Many factors impact the success of these efforts – insufficient resources (leadership, staff, time and money), clarity of direction, buy-in and discipline, to name a few. Moreover, organizations underestimate the impact these changes will have on the existing culture and operating environment.

Internal audit should be aware of and adequately understand ongoing or planned changes and the potential risk and impact these may have on the initiative and the organization overall. It is imperative for internal audit to have proactive communication channels established with executives and key organization leaders in order to be able to effectively carry out these responsibilities.

Consider the following internal audit emphasis:

• Collaborate with management to identify risks that may negatively or positively impact the initiative; assess the likelihood and impact; and identify ways to monitor and/or mitigate the risks. These risk assessments can be leveraged to monitor key risks throughout the initiative or they may identify areas where further auditing is warranted.
• Evaluate effectiveness of project management tools and techniques, including clarity of project charter, project plans and reporting. Review delayed initiatives to verify they are properly communicated and approved by management.
• Assess the organization’s approach to addressing the risk associated with necessary or beneficial changes, including communication, training and other change management activities.
• Validate the completeness and accuracy of key reports being relied upon by the initiative.
• For recently completed projects, perform a post-completion review to compare the actual requirements and benefits with those anticipated in the original justification, including relevant business assumptions, tactics, and the associated ramifications.
FRAUD

The risk of fraud exists within all organizations and it comes in many different shapes and sizes. The Association of Certified Fraud Examiners (ACFE) estimates that fraud costs a typical organization 5% of revenue. COSO’s recently updated Internal Control — Integrated Framework: Framework and Appendices (COSO 2013), effective December 15, 2014, emphasizes the need for organizations to perform a fraud risk assessment as part of an overall internal control program. Expectations of internal audit vary across organizations, but addressing fraud risk tends to be a common theme – what that means and how organizations approach this area can vary.

Consider the following internal audit emphasis:

• Conduct a fraud risk assessment to enhance understanding and bring focus to an organization’s most significant, enterprise-wide fraud risks.
• Evaluate the organization’s policies and procedures in fraud prevention and detection, including whistleblower hotline validation.
• Evaluate anti-bribery and anti-corruption policies and procedures, particularly for organizations that conduct business internationally.
• Identify and test for fraud risks as part of each audit.
• Utilize data analysis tools to search for potential fraud (e.g., travel and entertainment (T&E) activity).

DECENTRALIZED AND/OR INTERNATIONAL OPERATIONS

As organizations evolve, visibility into policies, procedures and practices can become increasingly difficult as new operations are added and business practices diverge from those in the U.S. The risks associated with these decentralized or international operations will vary based upon the culture, staffing, responsibilities, technology and many other factors.

In some geographies, political instability is a risk that must be considered. Shifting political environments and uncertainty regarding policies can impact the viability of operating in some countries. Security risks – for both infrastructure and personnel – may also be a concern.

It’s incumbent upon internal audit to have an understanding of the risk profiles associated with these locations in order to be able to help the organization ensure these are being appropriately addressed.

Consider the following internal audit emphasis:

• Identify locations with high risk profiles due to volume, location, type of business, etc.
• Perform periodic audits at locations focusing on consistency in business practices, compliance with policies and procedures, and other key risks.
• Evaluate contingency plans for addressing risks that may be unique to a particular geographic location.
• Conduct balance sheet reviews to evaluate whether accounting records are being properly maintained.
• Put in place monitoring controls that allow management to routinely evaluate areas of greater risk (e.g., completion of reconciliations and other critical period end closing activities).
BUSINESS PROCESSES

A business process is an activity or set of activities that is put in place to help accomplish a specific organizational goal. Business processes are often looked upon as the blocking and tackling of the organization, but their importance to an organization’s success should not be overlooked. Well-designed processes are important to an organization as it seeks to grow and prosper. For a variety of reasons, these can degrade over time and become less effective and efficient at supporting those goals.

Internal audit can provide organizations with a fresh perspective on their business processes, along with independence, objectivity and exposure to how other organizations operate.

Consider the following internal audit emphasis:

• Take a holistic approach to auditing by focusing on an entire business process. Incorporate business process mapping into the audit approach and keep an eye out for inefficient or ineffective practices or opportunities to automate.
• Leverage data analysis tools to conduct audit procedures, search for trends and interpret data about performance, operations, controls and financial results.

INSURANCE PROGRAMS

Insurance is used in a variety of ways to address an organization’s risk profile and it is typically one of the more significant expenses. It is equally important for management and the Board to understand what is and is not insured, whether coverage is appropriate for the company’s risk profile, and whether the associated costs are reasonable.

Consider the following internal audit emphasis:

• Evaluate the reasonableness of existing coverage, including self-insured risks, and assess the costs of the organization’s insurance program.
• Conduct audits of self-insured programs, such as medical plans and workers’ compensation, focusing on eligibility, administration, claims adjudication, and liability and reserve calculations.
SOCIAL MEDIA

Digital marketing and social media are areas where organizations may need more oversight from internal audit. This starts with determining whether the organization has a digital marketing policy, particularly addressing social media. Once a post hits Facebook, Twitter or another platform, it can spread quickly. Depending on the nature of an inappropriate post, the consequences can impact an organization’s reputation, financial health or have other ramifications, particularly posts from an organization’s account that may be interpreted as representing the organization’s thoughts and beliefs.

Consider the following internal audit emphasis:

• Evaluate the organization’s policies and procedures regarding social media and digital marketing. This includes both the professional and personal risks that the organization’s professionals face from posting work-related comments or actions.
• Consider whether there is adequate restriction on who can post on social media and through other digital channels.
• Task individuals with monitoring keywords related to the organization, including negative posts from consumers.

THIRD-PARTY RELATIONSHIPS

As a result of resource gaps, cash flow and other issues, many organizations are turning to third-party vendors to handle some of their day-to-day operations. This is particularly true for information technology, as organizations require more sophisticated technology and security protocols. Regulators are placing more rules on and closely examining these relationships, which can lead to operating bans, fines, reputational damage and lawsuits. Yet many executives give little attention to these risks, regulations or concerns when selecting and managing vendors.

Organizations should have well-defined approaches to evaluating and responding to vendor risks. While putting controls in place can be challenging, internal audit can help by identifying critical vendors and selecting a sample to review risk management activities, including:

• Identify risks and how the organization selects, assesses and oversees third parties.
• Develop due diligence procedures and activities.
• Create contracts that outline rights and responsibilities.
• Monitor the third party’s activities and performance.
• Create contingency plans for critical relationships.
• Define roles and responsibilities for overseeing and managing the relationship.
FINANCIAL REPORTING

All organizations are impacted by financial reporting risks. Public companies have invested a lot of time and resources over the last decade addressing Sarbanes-Oxley compliance requirements. Interestingly, we are finding many non-public companies taking a strategic, methodical approach to adopting SOX best practices because it provides a framework for good business controls. Some are preparing themselves for an eventual exit, while others recognize and value the benefits of having an effective internal control program (studies have shown these companies experience increased profitability over the long term). Whatever the case may be, internal audit is well positioned to help the company identify and cost-effectively address these efforts by ensuring the company is taking a risk-based approach.

And just when we thought we had this figured out, the PCAOB and public accounting firms have made sure public companies and auditors continue to give financial reporting the attention it deserves. Communications from the PCAOB, public accounting firms and the industry in general have highlighted several key areas of emphasis related to financial reporting, including:

• Ensuring the completeness and accuracy of information used to support the financial reporting process and related controls. There has been a lot of emphasis on ad hoc or non-systemic reports such as those developed and maintained in spreadsheets. Far too many financial reporting misstatements occur because of bad data used for financial reporting processes, so companies need to understand and make sure they have controls in place to address these risks.
• Sufficiently testing the design and operating effectiveness of management review controls that are used to monitor the results of operations (e.g., monthly budget to actual comparison, sales and margin reports, balance sheet reviews). It’s important for auditors to link how these reviews specifically identify and address risks and potential issues in a company’s financial reporting process.
• Focusing on controls to address risks of material misstatements. Does internal audit spend adequate time understanding where those risks lie and identifying the controls in place to address those risks? Internal audit is typically well versed in the routine, transaction-based areas, but what about non-routine areas that are subject to estimates and judgments?
• Focusing a lot of attention and scrutiny on related-party activity. PCAOB rules require auditors to perform specific procedures to evaluate a company’s identification of, accounting for, and disclosure of the transactions and relationships between a company and its related parties. This is an area where companies with significant related-party activity can get themselves into trouble.
DEVELOP A RISK CULTURE TO ADDRESS THE 2015 AUDIT HOT SPOTS

A common theme across every industry is having a sound risk culture within the organization, and establishing one is itself a key risk for 2015. Creating a risk culture starts with management and the senior executives. They must set the tone for taking risk seriously, and that paradigm trickles down to the rest of the organization. Another step is defining how much risk the organization is willing to take. While the flip side of risk is opportunity, performance shouldn’t mean cutting corners, especially when those corners are controls.

Much of the advice here is consistent with enterprise risk management. As a part of understanding risks, internal auditors should:

• Focus on helping their organizations monitor the risks that might pose a threat to the organization today and in the future.
• Go out and assess – see how risk could be impacting the organization.
• Make recommendations on how the organization can better manage or mitigate risk.

To discuss your organization’s internal audit needs, please contact:

Ron Steinkamp
CPA, CIA, CFE, CRMA, CGMA
Partner, Advisory Services
Brown Smith Wallace
314.983.1238
rsteinkamp@bswllc.com

Risk based auditingRisk based auditing
Risk based auditing
 
Effective Internal Controls over Financial Reporting with Business Process Ou...
Effective Internal Controls over Financial Reporting with Business Process Ou...Effective Internal Controls over Financial Reporting with Business Process Ou...
Effective Internal Controls over Financial Reporting with Business Process Ou...
 

More from Ron Steinkamp

Q4-2016 Public Sector Risk Briefing - Third Party Contract Reviews (STL)
Q4-2016 Public Sector Risk Briefing - Third Party Contract Reviews (STL)Q4-2016 Public Sector Risk Briefing - Third Party Contract Reviews (STL)
Q4-2016 Public Sector Risk Briefing - Third Party Contract Reviews (STL)Ron Steinkamp
 
2016 MSCPA Fraud Conference Presentation
2016 MSCPA Fraud Conference Presentation2016 MSCPA Fraud Conference Presentation
2016 MSCPA Fraud Conference PresentationRon Steinkamp
 
2016 MSCPA Fraud Conference Presentation
2016 MSCPA Fraud Conference Presentation2016 MSCPA Fraud Conference Presentation
2016 MSCPA Fraud Conference PresentationRon Steinkamp
 
Public Sector Fraud - Mid-MO AGA
Public Sector Fraud - Mid-MO AGAPublic Sector Fraud - Mid-MO AGA
Public Sector Fraud - Mid-MO AGARon Steinkamp
 
Public Sector Fraud - Central MO IIA
Public Sector Fraud - Central MO IIAPublic Sector Fraud - Central MO IIA
Public Sector Fraud - Central MO IIARon Steinkamp
 
Occupational Fraud The Facts and How to Protect Your Organization Webinar_FIN...
Occupational Fraud The Facts and How to Protect Your Organization Webinar_FIN...Occupational Fraud The Facts and How to Protect Your Organization Webinar_FIN...
Occupational Fraud The Facts and How to Protect Your Organization Webinar_FIN...Ron Steinkamp
 
Q2-2016 Public Sector Risk Briefing Employee Engagement Trends
Q2-2016 Public Sector Risk Briefing Employee Engagement TrendsQ2-2016 Public Sector Risk Briefing Employee Engagement Trends
Q2-2016 Public Sector Risk Briefing Employee Engagement TrendsRon Steinkamp
 
Internal Controls and Effective Report Writing - sent to MSCPA
Internal Controls and Effective Report Writing - sent to MSCPAInternal Controls and Effective Report Writing - sent to MSCPA
Internal Controls and Effective Report Writing - sent to MSCPARon Steinkamp
 
2016 - Fraud Detection & Prevention with Internal Controls (Updated for 2016 ...
2016 - Fraud Detection & Prevention with Internal Controls (Updated for 2016 ...2016 - Fraud Detection & Prevention with Internal Controls (Updated for 2016 ...
2016 - Fraud Detection & Prevention with Internal Controls (Updated for 2016 ...Ron Steinkamp
 
Trends in Local Government
Trends in Local GovernmentTrends in Local Government
Trends in Local GovernmentRon Steinkamp
 
Q1 2016 Fraud Detection, Prevention & Risk Management
Q1 2016 Fraud Detection, Prevention & Risk ManagementQ1 2016 Fraud Detection, Prevention & Risk Management
Q1 2016 Fraud Detection, Prevention & Risk ManagementRon Steinkamp
 
Contract Performance Fraud
Contract Performance FraudContract Performance Fraud
Contract Performance FraudRon Steinkamp
 
Contract Procurement Fraud
Contract Procurement FraudContract Procurement Fraud
Contract Procurement FraudRon Steinkamp
 
Q4-2015 Public Sector Risk Briefing Presentation by Ron Steinkamp
Q4-2015 Public Sector Risk Briefing Presentation by Ron SteinkampQ4-2015 Public Sector Risk Briefing Presentation by Ron Steinkamp
Q4-2015 Public Sector Risk Briefing Presentation by Ron SteinkampRon Steinkamp
 
BSW Value of Muni Audits
BSW Value of Muni AuditsBSW Value of Muni Audits
BSW Value of Muni AuditsRon Steinkamp
 
Steps to Prevent Detect Occupational Fraud in Government (Final)
Steps to Prevent  Detect Occupational Fraud in Government (Final)Steps to Prevent  Detect Occupational Fraud in Government (Final)
Steps to Prevent Detect Occupational Fraud in Government (Final)Ron Steinkamp
 
Emotional Intelligence - St. Charles - June 3, 2015
Emotional Intelligence - St. Charles - June 3, 2015Emotional Intelligence - St. Charles - June 3, 2015
Emotional Intelligence - St. Charles - June 3, 2015Ron Steinkamp
 
Emotional Intelligence - St. Louis - June 5, 2015
Emotional Intelligence - St. Louis - June 5, 2015Emotional Intelligence - St. Louis - June 5, 2015
Emotional Intelligence - St. Louis - June 5, 2015Ron Steinkamp
 
Steps to Prevent Detect Occupational Fraud in Government (Final)
Steps to Prevent  Detect Occupational Fraud in Government (Final)Steps to Prevent  Detect Occupational Fraud in Government (Final)
Steps to Prevent Detect Occupational Fraud in Government (Final)Ron Steinkamp
 

More from Ron Steinkamp (20)

Q4-2016 Public Sector Risk Briefing - Third Party Contract Reviews (STL)
Q4-2016 Public Sector Risk Briefing - Third Party Contract Reviews (STL)Q4-2016 Public Sector Risk Briefing - Third Party Contract Reviews (STL)
Q4-2016 Public Sector Risk Briefing - Third Party Contract Reviews (STL)
 
2016 MSCPA Fraud Conference Presentation
2016 MSCPA Fraud Conference Presentation2016 MSCPA Fraud Conference Presentation
2016 MSCPA Fraud Conference Presentation
 
2016 MSCPA Fraud Conference Presentation
2016 MSCPA Fraud Conference Presentation2016 MSCPA Fraud Conference Presentation
2016 MSCPA Fraud Conference Presentation
 
Public Sector Fraud - Mid-MO AGA
Public Sector Fraud - Mid-MO AGAPublic Sector Fraud - Mid-MO AGA
Public Sector Fraud - Mid-MO AGA
 
Public Sector Fraud - Central MO IIA
Public Sector Fraud - Central MO IIAPublic Sector Fraud - Central MO IIA
Public Sector Fraud - Central MO IIA
 
Occupational Fraud The Facts and How to Protect Your Organization Webinar_FIN...
Occupational Fraud The Facts and How to Protect Your Organization Webinar_FIN...Occupational Fraud The Facts and How to Protect Your Organization Webinar_FIN...
Occupational Fraud The Facts and How to Protect Your Organization Webinar_FIN...
 
Q2-2016 Public Sector Risk Briefing Employee Engagement Trends
Q2-2016 Public Sector Risk Briefing Employee Engagement TrendsQ2-2016 Public Sector Risk Briefing Employee Engagement Trends
Q2-2016 Public Sector Risk Briefing Employee Engagement Trends
 
Internal Controls and Effective Report Writing - sent to MSCPA
Internal Controls and Effective Report Writing - sent to MSCPAInternal Controls and Effective Report Writing - sent to MSCPA
Internal Controls and Effective Report Writing - sent to MSCPA
 
2016 - Fraud Detection & Prevention with Internal Controls (Updated for 2016 ...
2016 - Fraud Detection & Prevention with Internal Controls (Updated for 2016 ...2016 - Fraud Detection & Prevention with Internal Controls (Updated for 2016 ...
2016 - Fraud Detection & Prevention with Internal Controls (Updated for 2016 ...
 
Contract Risks
Contract RisksContract Risks
Contract Risks
 
Trends in Local Government
Trends in Local GovernmentTrends in Local Government
Trends in Local Government
 
Q1 2016 Fraud Detection, Prevention & Risk Management
Q1 2016 Fraud Detection, Prevention & Risk ManagementQ1 2016 Fraud Detection, Prevention & Risk Management
Q1 2016 Fraud Detection, Prevention & Risk Management
 
Contract Performance Fraud
Contract Performance FraudContract Performance Fraud
Contract Performance Fraud
 
Contract Procurement Fraud
Contract Procurement FraudContract Procurement Fraud
Contract Procurement Fraud
 
Q4-2015 Public Sector Risk Briefing Presentation by Ron Steinkamp
Q4-2015 Public Sector Risk Briefing Presentation by Ron SteinkampQ4-2015 Public Sector Risk Briefing Presentation by Ron Steinkamp
Q4-2015 Public Sector Risk Briefing Presentation by Ron Steinkamp
 
BSW Value of Muni Audits
BSW Value of Muni AuditsBSW Value of Muni Audits
BSW Value of Muni Audits
 
Steps to Prevent Detect Occupational Fraud in Government (Final)
Steps to Prevent  Detect Occupational Fraud in Government (Final)Steps to Prevent  Detect Occupational Fraud in Government (Final)
Steps to Prevent Detect Occupational Fraud in Government (Final)
 
Emotional Intelligence - St. Charles - June 3, 2015
Emotional Intelligence - St. Charles - June 3, 2015Emotional Intelligence - St. Charles - June 3, 2015
Emotional Intelligence - St. Charles - June 3, 2015
 
Emotional Intelligence - St. Louis - June 5, 2015
Emotional Intelligence - St. Louis - June 5, 2015Emotional Intelligence - St. Louis - June 5, 2015
Emotional Intelligence - St. Louis - June 5, 2015
 
Steps to Prevent Detect Occupational Fraud in Government (Final)
Steps to Prevent  Detect Occupational Fraud in Government (Final)Steps to Prevent  Detect Occupational Fraud in Government (Final)
Steps to Prevent Detect Occupational Fraud in Government (Final)
 

Tackling Data Privacy and Security in Your Audit Plan

  • 1. TACKLING THIS YEAR’S AUDIT HOT SPOTS © 2015 Brown Smith Wallace LLC
  • 2. Each year organization leaders have the opportunity to consider how to focus their limited internal audit resources and budget. Many organizations approach this annually by identifying an audit universe, performing a risk assessment, and developing an audit plan. Taking the same approach year after year may not focus your resources in the right places.

Are you focusing your efforts on areas that present the greatest risk or opportunity? Are you receiving appropriate value from your internal audit spend? Based upon our experience helping numerous organizations design and execute their internal audit plans, we have compiled 10 key risk areas that may need more attention within your organization. Whether or not your internal audit plans have already been finalized, this information can be leveraged to identify areas within the organization that may warrant more attention – maybe some that have never been given attention before.

10 key risk areas that may need more attention within your organization:
1. Information Security and Data Privacy (p1)
2. Compliance Programs (p2)
3. Business Strategy and Initiatives (p3)
4. Fraud (p4)
5. Decentralized and/or International Operations (p4)
6. Business Processes (p5)
7. Insurance Programs (p5)
8. Social Media (p6)
9. Third-Party Relationships (p6)
10. Financial Reporting (p7)

INFORMATION SECURITY AND DATA PRIVACY

Cybersecurity issues are top of mind for organization leaders, as many high-profile cyberattacks have occurred in recent years that have had far reaching financial, regulatory and reputational implications. JP Morgan Chase was the target of one of these attacks – which reportedly occurred due to a “neglected server” and affected the private account information of 83 million individual consumer and small business accounts. The financial institution spent $250 million to upgrade its systems reactively after the attack.

As personally identifiable information (PII) becomes more disseminated – and, therefore, more vulnerable – lawmakers across the world are creating more regulations for organizations to protect PII. Additionally, there are wide-reaching data privacy regulations, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), that come into play as hackers seek to steal medical information to sell on the black market. At the start of 2015, hackers targeted health insurer Anthem and stole more than 80 million records of current and former policyholders.

Although threats to information security are continually evolving, organizations can take proactive steps to understand and address these risks. Auditors should be part of the process to determine if current security measures are effective or if some improvements are necessary.

Consider the following internal audit emphasis:
• Evaluate the adequacy and effectiveness of the organization’s overall security program and related resources against industry standards (e.g., COBIT, ISO 27001 and ISO 27002).
• Perform technical security reviews, which may include external and internal penetration testing and vulnerability assessments. Don’t forget to perform audit procedures to assess the effectiveness of other parts of your IT environment (e.g., operating systems, databases and applications).
  • 3.
• Verify policies and procedures are in place to identify and understand the risk associated with key third-party service providers or vendors, communication of responsibilities (e.g., in contracts) and monitoring to ensure information assets are being appropriately safeguarded.
• Evaluate the approach to understanding, addressing and monitoring legal and regulatory compliance requirements that are applicable to the company (e.g., PCI, HIPAA and GLBA).
• Incorporate procedures into each audit to evaluate information security risks (e.g., evaluate password policies, user access rights and segregation of duties, etc.).

The goal is to identify and audit those risk-mitigation activities, which will require auditors to have some information security expertise.

COMPLIANCE PROGRAMS

Compliance requirements in industries such as financial services and healthcare continue to grow in number and complexity. In recent years, the impact has spread across industries due to the prevalence of more broad-based regulatory requirements (e.g., handling and protecting sensitive data such as personal and credit card information, healthcare reform, employment laws, etc.). This has resulted in regulatory compliance being a top risk for many organizations.

As executives anticipate more regulatory risks to come, they are increasing their investment in compliance programs and taking on more costs. It is critical that internal audit work with management to ensure controls are properly designed and operating effectively within these programs by taking a risk-based approach and focusing on those items that pose the greatest risks to the organization.

Some organizations are spreading compliance across more individuals, but this can present its own unique risks. While it may appear to be cost effective in the interim, internal audit must be involved and knowledgeable about compliance risks impacting their organizations. They should verify these risks are adequately understood and addressed by the organization through policies, procedures, programs and other methods.

Consider the following internal audit emphasis:
• Assess the organization’s overall approach to addressing compliance (compliance program) and whether it is comprehensive, appropriately designed and effectively operating.
• Conduct detailed audits of the organization’s higher risk compliance requirements.
  • 4. BUSINESS STRATEGY AND INITIATIVES

New business initiatives (new products or services, organizational realignment, mergers and acquisitions, reengineering of business processes, system implementations, etc.) are often seen as the panacea for helping organizations grow and prosper. But studies indicate that almost two-thirds of these efforts are not successful, and a 2014 study by Forbes Insight and Medidata indicates that half of organizations are not prepared to take on these types of transformational changes.

Many factors impact the success of these efforts – insufficient resources (leadership, staff, time and money), clarity of direction, buy-in and discipline, to name a few. Moreover, organizations underestimate the impact these changes will have on the existing culture and operating environment.

Internal audit should be aware of and adequately understand ongoing or planned changes and the potential risk and impact these may have on the initiative and the organization overall. It is imperative for internal audit to have proactive communication channels established with executives and key organization leaders in order to be able to effectively carry out these responsibilities.

Consider the following internal audit emphasis:
• Collaborate with management to identify risks that may negatively or positively impact the initiative; assess the likelihood and impact; and identify ways to monitor and/or mitigate the risks. These risk assessments can be leveraged to monitor key risks throughout the initiative, or they may identify areas where further auditing is warranted.
• Evaluate the effectiveness of project management tools and techniques, including clarity of the project charter, project plans and reporting. Review delayed initiatives to verify they are properly communicated and approved by management.
• Assess the organization’s approach to addressing the risk associated with necessary or beneficial changes, including communication, training and other change management activities.
• Validate the completeness and accuracy of key reports being relied upon by the initiative.
• For recently completed projects, perform a post-completion review to compare the actual requirements and benefits with those anticipated in the original justification, including relevant business assumptions, tactics, and the associated ramifications.
  • 5. FRAUD

The risk of fraud exists within all organizations and it comes in many different shapes and sizes. The Association of Certified Fraud Examiners (ACFE) estimates that fraud costs a typical organization 5% of revenue. COSO’s recently updated Internal Control — Integrated Framework: Framework and Appendices (COSO 2013), effective December 15, 2014, emphasizes the need for organizations to perform a fraud risk assessment as part of an overall internal control program. Expectations of internal audit vary across organizations, but addressing fraud risk tends to be a common theme – what that means and how organizations approach this area can vary.

Consider the following internal audit emphasis:
• Conduct a fraud risk assessment to enhance understanding and bring focus to an organization’s most significant, enterprise-wide fraud risks.
• Evaluate the organization’s policies and procedures in fraud prevention and detection, including whistleblower hotline validation.
• Evaluate anti-bribery and anti-corruption policies and procedures, particularly for organizations that conduct business internationally.
• Identify and test for fraud risks as part of each audit.
• Utilize data analysis tools to search for potential fraud (e.g., T&E activity).

DECENTRALIZED AND/OR INTERNATIONAL OPERATIONS

As organizations evolve, visibility into policies, procedures and practices can become increasingly difficult as new operations are added and business practices diverge from those in the U.S. The risks associated with these decentralized or international operations will vary based upon the culture, staffing, responsibilities, technology and many other factors. In some geographies, political instability is a risk that must be considered. Shifting political environments and uncertainty regarding policies can impact the viability of operating in some countries. Security risks – for both infrastructure and personnel – may also be a concern.

It’s incumbent upon internal audit to have an understanding of the risk profiles associated with these locations in order to be able to help the organization ensure these are being appropriately addressed.

Consider the following internal audit emphasis:
• Identify locations with high risk profiles due to volume, location, type of business, etc.
• Perform periodic audits at locations focusing on consistency in business practices, compliance with policies and procedures, and other key risks.
  • 6.
• Evaluate contingency plans for addressing risks that may be unique to a particular geographic location.
• Conduct balance sheet reviews to evaluate whether accounting records are being properly maintained.
• Put in place monitoring controls that allow management to routinely evaluate areas of greater risk (e.g., completion of reconciliations and other critical period end closing activities).

BUSINESS PROCESSES

A business process is an activity or set of activities that is put in place to help accomplish a specific organizational goal. Business processes are often looked upon as the blocking and tackling of the organization, but their importance to an organization’s success should not be overlooked. Well-designed processes are important to an organization as it seeks to grow and prosper. For a variety of reasons, these can degrade over time and become less effective and efficient at supporting those goals. Internal audit can provide organizations with a fresh perspective on their business processes, independence and objectivity, and exposure to how other organizations operate.

Consider the following internal audit emphasis:
• Take a holistic approach to auditing by focusing on an entire business process. Incorporate business process mapping into the audit approach and keep an eye out for inefficient or ineffective practices or opportunities to automate.
• Leverage data analysis tools to conduct audit procedures, search for trends and interpret data about performance, operations, controls and financial results.

INSURANCE PROGRAMS

Insurance is used in a variety of ways to address an organization’s risk profile and it is typically one of the more significant expenses. It is equally important for management and the Board to understand what is and is not insured, whether coverage is appropriate for the company’s risk profile, and whether the associated costs are reasonable.

Consider the following internal audit emphasis:
• Evaluate the reasonableness of existing coverage, including self-insured risks, and assess the costs of the organization’s insurance program.
• Conduct audits of self-insured programs, such as medical plans and workers’ compensation, focusing on eligibility, administration, claims adjudication, and liability and reserve calculations.
  • 7. SOCIAL MEDIA

Digital marketing and social media are areas where organizations may need more oversight from internal audit. This starts with determining whether the organization has a digital marketing policy, particularly one addressing social media. Once a post hits Facebook, Twitter or another platform, it can spread quickly. Depending on the nature of an inappropriate post, the consequences can impact an organization’s reputation or financial health, or have other ramifications, particularly for posts from an organization’s account that may be interpreted as representing the organization’s thoughts and beliefs.

Consider the following internal audit emphasis:
• Evaluate the organization’s policies and procedures regarding social media and digital marketing. This includes both the professional and personal risks that the organization’s professionals face by posting work-related comments or actions.
• Consider whether there is adequate restriction on who can post on social media and through other digital channels.
• Task individuals with keeping an eye on keywords related to the organization, including negative posts from consumers.

THIRD-PARTY RELATIONSHIPS

As a result of resource gaps, cash flow and other issues, many organizations are turning to third-party vendors to handle some of their day-to-day operations. This is particularly true for information technology, as organizations require more sophisticated technology and security protocols. Regulators are placing more rules on and closely examining these relationships, which can lead to operating bans, fines, reputational damage and lawsuits. Yet many executives give little attention to these risks, regulations or concerns when selecting and managing vendors. Organizations should have well-defined approaches to evaluating and responding to vendor risks.

While putting controls in place can be challenging, internal audit can help by identifying critical vendors and selecting a sample to review risk management activities, including:
• Identify risks and how the organization selects, assesses and oversees third parties.
• Develop due diligence procedures and activities.
• Create contracts that outline rights and responsibilities.
• Monitor the third party’s activities and performance.
• Create contingency plans for critical relationships.
• Define roles and responsibilities for overseeing and managing the relationship.
  • 8. FINANCIAL REPORTING

All organizations are impacted by financial reporting risks. Public companies have invested a lot of time and resources over the last decade addressing Sarbanes-Oxley compliance requirements. Interestingly, we are finding many non-public companies taking a strategic, methodical approach to adopting SOX best practices because it provides a framework for good business controls. Some are preparing themselves for an eventual exit, while others recognize and value the benefits of having an effective internal control program (studies have shown these companies experience increased profitability over the long term). Whatever the case may be, internal audit is well positioned to help the company identify and cost-effectively address these efforts by ensuring the company is taking a risk-based approach.

And just when we thought we had this figured out, the PCAOB and public accounting firms have made sure public companies and auditors continue to give financial reporting the attention it deserves. Communications from the PCAOB, public accounting firms and the industry in general have highlighted several key areas of emphasis related to financial reporting, including:
• Ensuring the completeness and accuracy of information used to support the financial reporting process and related controls. There has been a lot of emphasis on ad hoc or non-systemic reports such as those developed and maintained in spreadsheets. Far too many financial reporting misstatements occur because of bad data used for financial reporting processes, so companies need to understand and make sure they have controls in place to address these risks.
• Sufficiently testing the design and operating effectiveness of management review controls that are used to monitor the results of operations (e.g., monthly budget to actual comparison, sales and margin reports, balance sheet reviews). It’s important for auditors to link how these reviews specifically identify and address risks and potential issues in a company’s financial reporting process.
• Focusing on controls to address risks of material misstatements. Does internal audit spend adequate time understanding where those risks lie and identifying the controls in place to address those risks? Internal audit is typically well versed in the routine, transaction-based areas, but what about non-routine areas that are subject to estimates and judgments?
• Focusing a lot of attention and scrutiny on related-party activity. PCAOB rules require auditors to perform specific procedures to evaluate a company’s identification of, accounting for, and disclosure of the transactions and relationships between a company and its related parties. This is an area where companies with significant related-party activity can get themselves into trouble.
  • 9. DEVELOP A RISK CULTURE TO ADDRESS THE 2015 AUDIT HOT SPOTS

A common theme across every industry is having a sound risk culture within the organization. And this step itself is a key risk for 2015. Creating a risk culture starts with management and the senior executives. They must set the tone for taking risk seriously, and that paradigm trickles down to the rest of the organization. Another step is defining how much risk the organization is willing to take. While the flip side of risk is opportunity, performance shouldn’t mean cutting corners, especially when those corners are controls.

Much of the advice here is consistent with enterprise risk management. As a part of understanding risks, internal auditors should:
• Focus on helping their organizations monitor the risks that might pose a threat to the organization today and in the future.
• Go out and assess – see how risk could be impacting the organization.
• Make recommendations on how the organization can better manage or mitigate risk.

To discuss your organization’s internal audit needs, please contact:
Ron Steinkamp, CPA, CIA, CFE, CRMA, CGMA
Partner, Advisory Services
Brown Smith Wallace
314.983.1238
rsteinkamp@bswllc.com

View our infographic to learn the benefits of co-sourcing or fully outsourcing your internal audit function at bswllc.com/IA_infographic, or visit bswllc.com.

COMPREHENSIVE ACCOUNTING & TAX CONSULTING | INTERNATIONAL CORPORATE TAX STRATEGIES | AUDIT & RISK MANAGEMENT SERVICES | MANAGEMENT CONSULTING | TRANSACTION ADVISORY AND LITIGATION SUPPORT
St. Louis, MO 314.983.1200 | St. Charles, MO 636.255.3000 | Glen Carbon, IL 618.654.3100 | Toll-Free 1.888.279.2792 | bswllc.com