This document discusses emerging technology challenges and solutions for internal audit and compliance. It covers the current technology landscape of on-premise hardware and software and contrasts it with emerging technologies like cloud computing, mobile computing, and data analytics. These emerging technologies can potentially increase complexity for internal audit through issues around availability, security, privacy, and auditability. However, the document provides solutions for addressing these challenges such as encrypting data, implementing security architectures, and conducting security audits. It concludes by discussing future trends around distributed computing, cybersecurity, analytics tools, and new data standards.

1. Emerging Technology Challenges and Solutions for Internal Audit and ComplianceDanny Miller, CISA, CGEIT, CRISC, ITIL, QSAPrincipal

2. TopicsCurrent Technology LandscapeEmerging TechnologyCloud computingMobile computingCybersecurityPotential IA ComplexitiesSolutionsWhat’s Next?

3. Current Technology LandscapeOn-premise hardware, software, and managementSupport may be on-shore, near-shore or off-shore

4. Current Technology Landscape (continued)Localized processes and controlsPrompt remediation when requiredClear data ownershipStraightforward compliance approach

5. Current Technology Landscape (continued)Challenges/benefitsIt's expensive and requires a lot of overheadDifficult to scale and react quicklySignificant embedded cost structureInflexible to meet business needEasier to maintain audit trail

6. Emerging Technology TrendsSpending on public IT cloud services will grow at more than five times the rate of the IT industry in 2011-2012Enterprise IT planners begin to include cloud-computing expertise in some of their job searches to be prepared for the projects of the short-term and mid-term futureHosted private clouds will outnumber internal clouds 3:1…But service providers have been incrementally ready. Cloud management and monitoring will fuel enterprise cloud adoption 32% of CIOs expect virtualization to be their top investment in 2011

7. Emerging TechnologyCloud computingSaas, PaaS, IaaS, DaaSMobile computingMobile platforms that are blurring the line between a hand-held and complex computingData analyticsMaster Data ManagementCybersecurityTrends

8. Emerging Technology Platforms (continued)Models of Cloud:Software as a Service(SaaS)

9. Software applications delivered over the Internet

10. Platform as a Service (PaaS)

11. Full or partial operating system/development environment delivered over the Internet

12. Infrastructure as a Service (IaaS)

13. Computer infrastructure delivered over the Internet

14. Desktop as a Service (DaaS)

15. Virtualization of desktop systems serving thin clients, delivered over the Internet or a private CloudTypes of CloudsPublic

16. Shared computer resources provided by an off-site third-party provider

17. Private

18. Dedicated computer resources provided by an off-site third-party or use of Cloud technologies on a private internal network

19. Hybrid

20. Consisting of multiple public and private CloudsEmerging Technology Platforms (continued)Public Cloud Private Cloud

21. Emerging Technology Platforms (continued)Cloud computing – Hybrid cloud

22. Emerging Technology Platforms (continued)Mobile computing

23. Emerging Technology Platforms (continued)Mobile computing is:WirelessUtilizes tablet platforms and smartphonesInternet-basedCommunication via 4G and WiFiScaled applications

24. Potential New IA ComplexityCloud computingAvailability & performanceBusiness continuityCybersecurityData encryptionPrivacy (especially in Healthcare & Life Sciences)

25. Potential New IA Complexity (continued)Cloud computing (continued)ComplianceFISMAHIPAASOXPCI DSS (card payments)EU Data Protection Directive, et al.

26. Potential New IA Complexity (continued)Mobile computingSecurity (physical and virtual)Data ownershipService interruption and recoveryData archivingAvailability

27. Potential New IA Complexity (continued)Mobile computingWiFi/4G securitySurveillance and access controlAvailabilityData ownership and recoveryAuditabilityBluetooth “hijacking”AIDC

28. SolutionsCloud computingDemand good security in the contract with providerHave a "return of data" plan at end of contractKnow where the data is and who has accessDeploy a layered security architectureAssess and inventory risksConduct annual security policy auditsDeploy and authenticate user credentialsEncrypt all stored data (P2P encryption)Actively manage passwords and segregation of dutiesImplement layered firewalls

29. Solutions (continued)Mobile computingEncrypt all WiFi accessClarify data ownershipImplement service interruption planDisable Bluetooth communicationsDeploy device specific security softwareEncrypt all communications

30. What’s Next?Distributed computing (the Cloud)Cybersecurity & Privacy focusVirtualizationAdvanced IA toolsAnalyticsProvenance enginesEnhanced hardware firewallsAdvanced encryption technologyNew data segregation and security standardsSecure digital communicationsStandards such as ITIL, COBIT and PCI are integrating and are now complimentary

31. What’s Next? (PCI Data Security Standards v2.0)

32. What’s Next? (PCI Data Security Standards v2.0)

33. What’s Next? (PCI Data Security Standards v2.0)

34. What’s Next? (Enterprise Master Data Management) Companies are awash in data, but which data is the right data to use? Data grows by 50%+ each year.

35. Company leadership needs "one version of the truth" on dashboards, reports and in analytical datasets.

36. Internal Audit and Compliance departments should be concerned about controls, availability, integrity and quality of data.

37. Conceptually:

38. Data and information are valuable corporate assets and should be treated as such

39. Data must be managed carefully and should have quality, integrity, security and availability addressed.What’s Next? (Enterprise Master Data Management)MDM is the management of an institution’s fundamental data that is shared across multiple business units, everything from project budgets to donor contacts to employee contact information. You can think of master data as all of the enterprise data (people, places, things and activities) that the institution needs to conduct its business. The goal of MDM, consequently, is to ensure the accuracy, consistency and availability of this data to the various business users.We believe that all organizations would benefit greatly from creating a strategy for MDM and implementing an MDM program in light of its current state and an organization's future data and information needs.

40. What’s Next? (Enterprise Master Data Management)Table 1: Scope of Data Management

41. What’s Next? (Data Governance Activities)Establish institutional data standards

42. Identify and resolve data disputes

43. Implement necessary changes to data standards and policies

44. Communicate actions to the organization as appropriate

45. Ensure accountability of institutional data policies and standards

46. Escalate issues to Governance Team as necessaryQuestions?

47. Emerging Technology Challenges for Internal Audit and ComplianceDanny Miller, CISA, CGEIT, CRISC, ITIL, QSANational Solutions Lead – CybersecurityRegional Solutions Lead – Business ConsultingPrincipal, Grant Thornton LLPDanny.Miller@us.gt.comhttp://grantthornton.com/