Post on 20-Jul-2020
IIA Miami
Top Challenges Facing Internal Audit Departments
Baptist Health South Florida
2016
Agenda
1. Cybersecurity
2. Culture
3. Timely Identification of Risk
4. Data Analysis
Cybersecurity
90% of all organizations (worldwide) have been breached in some way (whether they know it or not)*
Healthcare information highly coveted by cyber criminals
• #1 for cyber attacks in 2015
• 5 of the 8 largest breaches in healthcare since 2010 happened in 1st half of 2015 – more than 111 million health records compromised (35% of U.S. population)
* Study published by Cryptozone
Ransomware
“Ransomware is a form of malware that targets both human and technical weaknesses in organizations and individual networks in an effort to deny the availability of critical data and systems”
• From March to April 2016 >159% jump*
• Hollywood Presbyterian Medical Center paid $17,000 ransom in “the best interest of restoring normal operations”
• 50% of hospitals have been targeted by ransomware in the past year**
• Ransomware attacks expected to increase in 2016***
* Report by Enigma Software
** HIMSS Analytics 2015 Survey
*** 2015 Report by Intel
Ransomware
Have a plan
Education
• 46% of breaches come from negligent insiders*
• Fake phishing campaign
• What to do if you get phished
Back up your data
Limit system access
Filter your email
“Whitelist” of websites and apps
Test recovery and remediation plan
* HIMSS Analytics 2015 Survey
Ransomware
Audit Response
• Technical Vulnerability Assessment
─ Available through public internet
─ Accessible within our environment
• Cyber Security Incident Response
─ Simulation of significant incident
Culture
Root Cause of Non-Compliance*
Areas of Compliance Focus
* Convercent
Culture
• Toxic culture common theme in corporate scandals
• Culture is a key element in the control environment and governance
• 58% of audit departments do not audit culture*
• More than 50% of auditors see organizational culture as high risk*
But internal audit’s focus is usually here
Problems with the culture start here and affect the whole organization
Source: The Pulse of Internal Audit survey: © 2016 The IIA Audit Executive Center.
Culture
What is culture?
[Chart: share of respondents ranking each factor first and second]
• Enforcement of a code of conduct through disciplinary measures
• Formal training on a code of conduct
• Behavior modeled by other employees
• Establishment of a code of conduct
• Direct communication from other employees
• Behavior modeled by executive management
Source: The Pulse of Internal Audit survey: © 2016 The IIA Audit Executive Center.
World’s Most Ethical Companies
Who are they?
• 131 Honorees
• Publicly Traded (74%)
• Fewer than 25,000 Employees (56%)
• Manufacturing (10%)
• Insurance (8%)
• Over $5B Revenue (80%)
• 21 Countries
World’s Most Ethical
• Compliance & Ethics Program: 35%
• Leadership, Innovation & Reputation: 10%
• Governance: 15%
• Citizenship, Sustainability & Corporate Responsibility: 20%
• Culture of Ethics: 20%
A Measurable Difference
6X Honoree
Culture
Identifying Healthy Organizational Culture
• Strong governance with clear policy and procedures
• Communication of policy and procedures throughout the organization
• Clear and consistent “tone at the top” communication from senior management regarding their expectations around control and appropriate behavior
• Consistent application of policy and procedures to all levels of management without exception
• Alignment of rewards to the right behaviors
Source: The Pulse of Internal Audit survey: © 2016 The IIA Audit Executive Center.
Culture
Sample audit techniques:
• Checklist (policies, code of conduct, leadership communication)
• Surveys
• Consider incentive programs (perverse incentives)
• Interviews
• Start small – department level
• Review of social media
Culture
Barriers to Addressing Culture
35% 23%
Do not believe internal audit has freedom to assess the entire organization and staff.
Do not believe internal audit has full support of the board or audit committee to assess the entire organization and staff.
Do not believe internal audit has full support of executive management to assess the entire organization and staff.
24%
45% Reported that they agree or strongly agree that internal audit is able to identify and assess measure of organizational culture.
Among those who DO NOT audit organizational culture
Timely Risk Identification
• 93% of CAEs use risk-based methodologies when planning
• But, emerging risks present a challenge
• Risks often materialize with little or no warning
• Decades of accumulated value can evaporate
• We must be able to “audit at the speed of risk”
Assessing Emerging and Evolving Risks
Source: The Pulse of Internal Audit survey: © 2015 The IIA Audit Executive Center.
Source: The North American Pulse of the Profession Survey: © 2013 The IIA Audit Executive Center
Source: The Pulse of Internal Audit survey: © 2015 The IIA Audit Executive Center. Total may not equal 100% due to rounding.
52 percent of CAEs consider identifying emerging risks to be their biggest challenge.
Identifying Emerging Risks is Critical: But Confidence is Lacking
Organization’s ability    Identify    Respond
Extremely confident       3%          4%
Very confident            32%         31%
Moderately confident      45%         42%
Slightly confident        15%         17%
No confidence             5%          6%
Source: The Pulse of Internal Audit Survey Conducted in collaboration with the 2015 Common Body of Knowledge Study, © 2015 The IIA and The IIA Research Foundation. All rights reserved. No part of this data may be copied, reproduced or otherwise disseminated without explicit permission from The IIA.
Continuous Risk Assessment is Still Aspirational for Many
41% of audit departments do periodic updates to their risk assessment
• Interviews
• Surveys
• Headline checks
13% do “Continuous Risk Assessment”
• Monitoring of KRIs (manually or automated)
• Analytical Review
Source: The Pulse of Internal Audit Survey Conducted in collaboration with the 2015 Common Body of Knowledge Study, © 2015 The IIA and The IIA Research Foundation. All rights reserved. No part of this data may be copied, reproduced or otherwise disseminated without explicit permission from The IIA. Note: 1.3% indicated “other” as a response to this question.
How would you describe the development of the audit plan at your organization? Frequency
Developed once each year and not changed during the year 12%
Developed once each year and updated 1 or 2 times per year 40%
Developed once each year and updated 3 or more times per year as risks change 27%
Highly flexible plan matched to the organization’s changing risk profile 19%
Typical Internal Audit Plans Are Not Very Dynamic
Source: The Pulse of Internal Audit survey: © 2015 The IIA Audit Executive Center.
70 percent of CAEs viewed cyberattacks as a high or critical priority – AEC Pulse of Internal Auditing
But,
Only 53 percent say auditing cybersecurity risk is part of this year’s plan – Protiviti 2015 IA Capabilities and Needs Survey Report
Taking Action When Risks Emerge is Vital!
Data Analysis
90% of all data in the world was created in the past two years*
Every day, 3 times per second, we produce the equivalent of the amount of data in the Library of Congress**
Unstructured data will account for nearly 80% of all enterprise data by 2017***
* IBM
** Nate Silver, American Statistician
*** FDC
Data Analysis
BIG Data
Really, Really….
Data Analysis
Definition
Big Data:
“…data sets with sizes beyond the ability of commonly-used software tools…”
Data Analysis
37% indicated that data mining and analytics skills are very or extremely essential to their internal audit function’s ability to perform its responsibilities.
Source: The Pulse of Internal Audit survey: © 2016 The IIA Audit Executive Center.
Data Reliance
Problems can arise from data collection, data analysis and decisions made based on data
• Is collection and use of the data legal and ethical?
• Has the organization confirmed the data’s appropriateness, accuracy, and completeness? Data often contains gaps and inaccuracies.
• Was the right expertise involved in evaluating the data to ensure the evaluation is not biased or flawed? The difference between correlation and causation is not always well understood.
USE OF DATA IS GROWING. IS INTERNAL AUDIT SUFFICIENTLY INVOLVED?
17% 47% 36%
Reported that internal audit is very or extremely involved in evaluating the quality of data used in their organization.
Reported that internal audit is moderately involved in evaluating the quality of data used in their organization.
Reported that internal audit is slightly or not at all involved in evaluating the quality of data used in their organization.
Data Reliance
Source: The Pulse of Internal Audit survey: © 2015 The IIA Audit Executive Center.
Summary
We must move out of our comfort zone
We must stay current on risks
Status quo doesn’t work any more