Tackling Data Privacy and Security in Your Audit Plan
Each year organization leaders have the opportunity to consider how to focus their limited internal audit resources and budget. Many organizations approach this annually by identifying an audit universe, performing a risk assessment, and developing an audit plan. Taking the same approach year after year may not focus your resources in the right places.

Are you focusing your efforts on areas that present the greatest risk or opportunity? Are you receiving appropriate value from your internal audit spend? Based upon our experience helping numerous organizations design and execute their internal audit plans, we have compiled 10 key risk areas that may need more attention within your organization. Whether or not your internal audit plans have already been finalized, this information can be leveraged to identify areas within the organization that may warrant more attention – maybe some that have never been given attention before.
10 key risk areas that may need more attention within your organization:
1. Information Security and Data Privacy (p. 1)
2. Compliance Programs (p. 2)
3. Business Strategy and Initiatives (p. 3)
4. Fraud (p. 4)
5. Decentralized and/or International Operations (p. 4)
6. Business Processes (p. 5)
7. Insurance Programs (p. 5)
8. Social Media (p. 6)
9. Third-Party Relationships (p. 6)
10. Financial Reporting (p. 7)

INFORMATION SECURITY AND DATA PRIVACY

Cybersecurity issues are top of mind for organization leaders, as many high-profile cyberattacks have occurred in recent years that have had far-reaching financial, regulatory and reputational implications. JP Morgan Chase was the target of one of these attacks – which reportedly occurred due to a “neglected server” and affected the private account information of 83 million individual consumer and small business accounts. The financial institution spent $250 million to upgrade its systems reactively after the attack.

As personally identifiable information (PII) becomes more disseminated – and, therefore, more vulnerable – lawmakers across the world are creating more regulations for organizations to protect PII. Additionally, there are wide-reaching data privacy regulations, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), that come into play as hackers seek to steal medical information to sell on the black market. At the start of 2015, hackers targeted health insurer Anthem and stole more than 80 million records of current and former policyholders.

Although threats to information security are continually evolving, organizations can take proactive steps to understand and address these risks. Auditors should be part of the process to determine if current security measures are effective or if some improvements are necessary.

Consider the following internal audit emphasis:
• Evaluate the adequacy and effectiveness of the organization’s overall security program and related resources against industry standards (e.g., COBIT, ISO 27001 and ISO 27002).
• Perform technical security reviews, which may include external and internal penetration testing and vulnerability assessments. Don’t forget to perform audit procedures to assess the effectiveness of security controls in other parts of your IT environment (e.g., operating systems, databases and applications).
• Verify policies and procedures are in place to identify and understand the risk associated with key third-party service providers or vendors, to communicate responsibilities (e.g., in contracts) and to monitor whether information assets are being appropriately safeguarded.
• Evaluate the approach to understanding, addressing and monitoring legal and regulatory compliance requirements that are applicable to the company (e.g., PCI, HIPAA and GLBA).
• Incorporate procedures into each audit to evaluate information security risks (e.g., evaluate password policies, user access rights and segregation of duties).

The goal is to identify and audit those risk-mitigation activities, which will require auditors to have some information security expertise.

© 2015 Brown Smith Wallace LLC
Audit Hot Spots // 1
COMPLIANCE PROGRAMS

Compliance requirements in industries such as financial services and healthcare continue to grow in number and complexity. In recent years, the impact has spread across industries due to the prevalence of more broad-based regulatory requirements (e.g., handling and protecting sensitive data such as personal and credit card information, healthcare reform, employment laws, etc.). This has resulted in regulatory compliance being a top risk for many organizations.

As executives anticipate more regulatory risks to come, they are increasing their investment in compliance programs and taking on more costs. It is critical that internal audit work with management to ensure controls are properly designed and operating effectively within these programs by taking a risk-based approach and focusing on those items that pose the greatest risks to the organization.

Some organizations are spreading compliance responsibilities across more individuals, but this can present its own unique risks. While it may appear to be cost effective in the interim, internal audit must be involved and knowledgeable about the compliance risks impacting its organization. It should verify these risks are adequately understood and addressed by the organization through policies, procedures, programs and other methods.

Consider the following internal audit emphasis:
• Assess the organization’s overall approach to addressing compliance (compliance program) and whether it is comprehensive, appropriately designed and effectively operating.
• Conduct detailed audits of the organization’s higher risk compliance requirements.
BUSINESS STRATEGY AND INITIATIVES

New business initiatives (new products or services, organizational realignment, mergers and acquisitions, reengineering of business processes, system implementations, etc.) are often seen as the panacea for helping organizations grow and prosper. But studies indicate that almost two-thirds of these efforts are not successful, and a 2014 study by Forbes Insight and Medidata indicates that half of organizations are not prepared to take on these types of transformational changes.

Many factors impact the success of these efforts – insufficient resources (leadership, staff, time and money), clarity of direction, buy-in and discipline, to name a few. Moreover, organizations underestimate the impact these changes will have on the existing culture and operating environment.

Internal audit should be aware of and adequately understand ongoing or planned changes and the potential risk and impact these may have on the initiative and the organization overall. It is imperative for internal audit to have proactive communication channels established with executives and key organization leaders in order to be able to effectively carry out these responsibilities.

Consider the following internal audit emphasis:
• Collaborate with management to identify risks that may negatively or positively impact the initiative; assess the likelihood and impact; and identify ways to monitor and/or mitigate the risks. These risk assessments can be leveraged to monitor key risks throughout the initiative, or they may identify areas where further auditing is warranted.
• Evaluate the effectiveness of project management tools and techniques, including the clarity of the project charter, project plans and reporting. Review delayed initiatives to verify they are properly communicated and approved by management.
• Assess the organization’s approach to addressing the risk associated with necessary or beneficial changes, including communication, training and other change management activities.
• Validate the completeness and accuracy of key reports being relied upon by the initiative.
• For recently completed projects, perform a post-completion review to compare the actual requirements and benefits with those anticipated in the original justification, including relevant business assumptions, tactics, and the associated ramifications.
FRAUD

The risk of fraud exists within all organizations, and it comes in many different shapes and sizes. The Association of Certified Fraud Examiners (ACFE) estimates that fraud costs a typical organization 5% of revenue. COSO’s recently updated Internal Control — Integrated Framework: Framework and Appendices (COSO 2013), effective December 15, 2014, emphasizes the need for organizations to perform a fraud risk assessment as part of an overall internal control program. Expectations of internal audit vary across organizations, but addressing fraud risk tends to be a common theme – what that means and how organizations approach this area can vary.

Consider the following internal audit emphasis:
• Conduct a fraud risk assessment to enhance understanding and bring focus to an organization’s most significant, enterprise-wide fraud risks.
• Evaluate the organization’s policies and procedures in fraud prevention and detection, including whistleblower hotline validation.
• Evaluate anti-bribery and anti-corruption policies and procedures, particularly for organizations that conduct business internationally.
• Identify and test for fraud risks as part of each audit.
• Utilize data analysis tools to search for potential fraud (e.g., travel and entertainment (T&E) activity).

DECENTRALIZED AND/OR INTERNATIONAL OPERATIONS

As organizations evolve, visibility into policies, procedures and practices can become increasingly difficult as new operations are added and business practices diverge from those in the U.S. The risks associated with these decentralized or international operations will vary based upon the culture, staffing, responsibilities, technology and many other factors.

In some geographies, political instability is a risk that must be considered. Shifting political environments and uncertainty regarding policies can impact the viability of operating in some countries. Security risks – for both infrastructure and personnel – may also be a concern.

It’s incumbent upon internal audit to have an understanding of the risk profiles associated with these locations in order to be able to help the organization ensure these are being appropriately addressed.

Consider the following internal audit emphasis:
• Identify locations with high risk profiles due to volume, location, type of business, etc.
• Perform periodic audits at locations focusing on consistency in business practices, compliance with policies and procedures, and other key risks.
• Evaluate contingency plans for addressing risks that may be unique to a particular geographic location.
• Conduct balance sheet reviews to evaluate whether accounting records are being properly maintained.
• Put in place monitoring controls that allow management to routinely evaluate areas of greater risk (e.g., completion of reconciliations and other critical period-end closing activities).
BUSINESS PROCESSES

A business process is an activity or set of activities that is put in place to help accomplish a specific organizational goal. Business processes are often looked upon as the blocking and tackling of the organization, but their importance to an organization’s success should not be overlooked. Well-designed processes are important to an organization as it seeks to grow and prosper. For a variety of reasons, these can degrade over time and become less effective and efficient at supporting those goals.

Internal audit can provide organizations with a fresh perspective on their business processes, independence and objectivity, and exposure to how other organizations operate.

Consider the following internal audit emphasis:
• Take a holistic approach to auditing by focusing on an entire business process. Incorporate business process mapping into the audit approach and keep an eye out for inefficient or ineffective practices or opportunities to automate.
• Leverage data analysis tools to conduct audit procedures, search for trends and interpret data about performance, operations, controls and financial results.

INSURANCE PROGRAMS

Insurance is used in a variety of ways to address an organization’s risk profile, and it is typically one of the more significant expenses. It is equally important for management and the Board to understand what is and is not insured, whether coverage is appropriate for the company’s risk profile, and whether the associated costs are reasonable.

Consider the following internal audit emphasis:
• Evaluate the reasonableness of existing coverage, including self-insured risks, and assess the costs of the organization’s insurance program.
• Conduct audits of self-insured programs, such as medical plans and workers’ compensation, focusing on eligibility, administration, claims adjudication, and liability and reserve calculations.
SOCIAL MEDIA

Digital marketing and social media are areas where organizations may need more oversight from internal audit. This starts with determining whether the organization has a digital marketing policy, particularly one addressing social media. Once a post hits Facebook, Twitter or another platform, it can spread quickly. Depending on the nature of an inappropriate post, the consequences can impact an organization’s reputation or financial health, or have other ramifications, particularly for posts from an organization’s account that may be interpreted as representing the organization’s thoughts and beliefs.

Consider the following internal audit emphasis:
• Evaluate the organization’s policies and procedures regarding social media and digital marketing. This includes both the professional and the personal risks that the organization’s professionals face from posting work-related comments or actions.
• Consider whether there is adequate restriction on who can post on social media and through other digital channels.
• Task individuals with keeping an eye on keywords related to the organization, including negative posts from consumers.

THIRD-PARTY RELATIONSHIPS

As a result of resource gaps, cash flow and other issues, many organizations are turning to third-party vendors to handle some of their day-to-day operations. This is particularly true for information technology, as organizations require more sophisticated technology and security protocols. Regulators are placing more rules on and closely examining these relationships, which can lead to operating bans, fines, reputational damage and lawsuits. Yet many executives give little attention to these risks, regulations or concerns when selecting and managing vendors.

Organizations should have well-defined approaches to evaluating and responding to vendor risks. While putting controls in place can be challenging, internal audit can help by identifying critical vendors and selecting a sample to review risk management activities, including whether the organization:
• Identifies risks and defines how it selects, assesses and oversees third parties.
• Performs due diligence procedures and activities.
• Has contracts in place that outline rights and responsibilities.
• Monitors the third party’s activities and performance.
• Has contingency plans for critical relationships.
• Has defined roles and responsibilities for overseeing and managing the relationship.
FINANCIAL REPORTING

All organizations are impacted by financial reporting risks. Public companies have invested a lot of time and resources over the last decade addressing Sarbanes-Oxley compliance requirements. Interestingly, we are finding many non-public companies taking a strategic, methodical approach to adopting SOX best practices because it provides a framework for good business controls. Some are preparing themselves for an eventual exit, while others recognize and value the benefits of having an effective internal control program (studies have shown these companies experience increased profitability over the long term). Whatever the case may be, internal audit is well positioned to help the company identify and cost-effectively address these efforts by ensuring the company is taking a risk-based approach.

And just when we thought we had this figured out, the PCAOB and public accounting firms have made sure public companies and auditors continue to give financial reporting the attention it deserves. Communications from the PCAOB, public accounting firms and the industry in general have highlighted several key areas of emphasis related to financial reporting, including:
• Ensuring the completeness and accuracy of information used to support the financial reporting process and related controls. There has been a lot of emphasis on ad hoc or non-system reports such as those developed and maintained in spreadsheets. Far too many financial reporting misstatements occur because of bad data used in financial reporting processes, so companies need to understand these risks and make sure they have controls in place to address them.
• Sufficiently testing the design and operating effectiveness of management review controls that are used to monitor the results of operations (e.g., monthly budget-to-actual comparison, sales and margin reports, balance sheet reviews). It’s important for auditors to link how these reviews specifically identify and address risks and potential issues in a company’s financial reporting process.
• Focusing on controls to address risks of material misstatement. Does internal audit spend adequate time understanding where those risks lie and identifying the controls in place to address them? Internal audit is typically well versed in the routine, transaction-based areas, but what about non-routine areas that are subject to estimates and judgments?
• Focusing a lot of attention and scrutiny on related-party activity. PCAOB rules require auditors to perform specific procedures to evaluate a company’s identification of, accounting for, and disclosure of the transactions and relationships between a company and its related parties. This is an area where companies with significant related-party activity can get themselves into trouble.
DEVELOP A RISK CULTURE TO ADDRESS THE 2015 AUDIT HOT SPOTS

A common theme across every industry is having a sound risk culture within the organization, and establishing one is itself a key risk area for 2015. Creating a risk culture starts with management and the senior executives. They must set the tone for taking risk seriously, and that paradigm trickles down to the rest of the organization. Another step is defining how much risk the organization is willing to take. While the flip side of risk is opportunity, performance shouldn’t mean cutting corners, especially when those corners are controls.

Much of the advice here is consistent with enterprise risk management. As a part of understanding risks, internal auditors should:
• Focus on helping their organizations monitor the risks that might pose a threat to the organization today and in the future.
• Go out and assess – see how risk could be impacting the organization.
• Make recommendations on how the organization can better manage or mitigate risk.
To discuss your organization’s internal audit needs, please contact:
Ron Steinkamp, CPA, CIA, CFE, CRMA, CGMA
Partner, Advisory Services
Brown Smith Wallace
314.983.1238
rsteinkamp@bswllc.com