Institute of Internal Auditors (IIA) of Thailand Conference Internal Audit Technology at the Forefront

Transcription

1 Institute of Internal Auditors (IIA) of Thailand Conference Internal Audit Technology at the Forefront Gary Tan Director Enterprise Risk Services 2 November 2015

2 Agenda 1 Introduction 2 Cybersecurity 3 Big Data 4 Cloud Computing 5 IT Implementation 6 Wrap-up

3 1. Introduction

4 Introduction The New Digital Age Spending on cloud, mobile, analytics, and social technology soars CIO s dual role builder of technology and builder of the business Today s IT organization is increasingly focused on revenue growth, customer experience, and data-based insight. this shift is due to the growing importance of digitization 4

5 Introduction Market and Opportunity in ASEAN 5 ASEAN is poised to be 5th largest economy (USD4.7 trillion) This represent a significant increase adoption of technologies across all types of businesses which mirrors the rapid expansion of high-tech devices and digital technologies Management of Strategic, Operational, Cyber and Technology Risks are acknowledged as important business matters greater role for audit and compliance

6 Introduction (cont d) Given their significance, technology implementations and related security activities can no longer be considered just the purview of the IT function but to broader business, governance and risk activities for the audit committee, board members and management. Key Highlights of IT Spending: 2.4% Global IT spending in % Asia Pacific highest increase in % Thailand s IT spending in 2015 Generally SEA region has seen increased in IT spending but with slower outlook for 2015 China is the new global economy powerhouse SEA region is still growing and emerging Source: Gartner IT Key Metrics Data 6

7 Introduction (cont d) Top Five IT Spending in 2015: Source: Computerworld 7

8 2. Cyber Security

9 Cyber Risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government and regulatory focus Up from 8.1% Global headlines: Up from 3.3% Down from 28.5% Home Depot faced major data breaches; 40 million cardholders info respectively Source: Verizon 2015 Data Breach Investigations Report 9

10 Cyber Risk High on the agenda Recent U.S. Securities and Exchange Commission (SEC) guidance regarding disclosure obligations relating to cybersecurity risks and incidents.. Registrants should address cybersecurity risks and cyber incidents in their Management s Discussion and Analysis of Financial Condition and Results of Operations (MD&A), Risk Factors, Description of Business, Legal Proceedings and Financial Statement Disclosures. SEC Division of Corporate Finance Disclosure Guidance: Topic No. 2 - Cybersecurity Ever-growing concerns about cyber-attacks affecting the nation s critical infrastructure prompted the signing of the Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity. The Executive Order highlights the focus on an improved cybersecurity framework and the rapid changes of regulatory agency expectations and oversight 10

11 Case Study 11

12 Cyber Security Headlines Southeast Asia Southeast Asia quietly dealt with its share of cyber attacks. Like the U.S., companies in this region face a complex threat landscape filled with advanced cyber attackers intent on stealing corporate data and state secrets. Note: APT is considered to be an indicator of hacking activity TOP three cyber threats in Thailand for 2015 Online banking malware, malware on mobile devices and attacks on open-source vulnerabilities Southeast Asian companies regularly attract the interest of cyber spies and criminals looking to steal information Government about the region s growing and industry authorities sectors energy, are telecommunications, taking high-tech, transportation, and finance. serious countermeasures to curb these Territorial disputes in the South China Sea drive cyber espionage activity in Southeast Asia. Both government and private industries attacks/breaches are targets of threat actors seeking to steal information in these disputes. Source: Special Report by FireEye 12

13 The Audit Committee s Role in Cyber Security The audit committee s involvement in cybersecurity issues varies significantly by company and industry In some organizations, cybersecurity risk is tasked directly to the audit committee, while in others, there is a separate risk committee. Key questions that AC should keep in mind How do we know what data is leaving the company, and what associated monitoring activities are in place? How are critical infrastructure and regulatory requirements met? What is the overall strategy and plan for protecting assets from cyber attacks? Do we have a cyber incident response plan? Is it up to date and have we practiced it? 13

14 What most organizations are doing Take a business view 1 Senior management accountability Assess your risk and share results with business stakeholders Measure and report. Continuous monitoring Educate on cybersecurity 5 Partner with business, agency, vendors and regulators 4 3 $ Invest 2 in cybersecurity solutions Develop a cybersecurity plan Strategize to address risks and threats 14

15 Deloitte Cybersecurity Framework Certain cybersecurity domains may be partially covered by existing IT audits, however many capabilities have historically not been reviewed by internal audit. 15

16 Deloitte Cybersecurity Framework (cont d) Cybersecurity plans should take into account the past, the present, and the future with regard to cyber risks. Important attributes of an effective cybersecurity plan include the following: Secure: Are controls in place to guard against known and emerging threats? Vigilant: Can we detect malicious or unauthorized activities? Resilient: Can we act and recover quickly to minimize impact? 3 Design Objectives Secure systems and controls Vigilant towards cyber threats Resilient in recovery 16

17 Deloitte s Cyber Security Operations Centre (SOC) Recently launched the Cyber Security Operations Centre (SOC) in two countries Singapore and Malaysia. This centre will provide our clients with security coverage across all times zones, and it is linked into Deloitte Global s Cyber Intelligence Centre (CIC). These centres complements services that Deloitte has been providing globally to combat the increasing complexity and frequency of cybercrimes around the world. 17

18 Closing Thoughts 18

19 3. Big Data Analytics

20 Key Highlights The world of big data is expanding exponentially in both volume and complexity, and continued growth makes each year a virtually new landscape for data management. Fun Facts: The number of mobile devices and wireless connections grew to 7 billion globally in 2013, an increase of $500 million in one year. Enterprises spent more than $30 billion globally on big data hardware, software, and services in 2013/14. Social media advertising increased by 60% between 2011 and 2013 to $6 billion 20

21 Big Data De-Hyped Big data is high-volume, -velocity, and -variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making. Companies are no longer suffering from a lack of data they re suffering from a lack of the right data and face sometimes daunting prospect of efficiently storing and analyzing this diversely sourced data. 21

22 Data Analytics Maturity Roadmap Most internal audit should aim to be here 22

23 Role of Internal Audit Two key questions to keep in mind when considering data analytics: How can we help our clients/stakeholders better compete through data insights which they can act upon? How could we infuse analytics into what we do already? 23

24 Harnessing the Power of Analytics 24

25 Internal Audit Approach Analytics Driven Our internal audit approach allows 100% review of the population size to gain insights on the profile of the transactions as well as the pervasiveness of any audit findings. Aspect Typical Internal Audit Internal Audit with Analytics Understand the Business Understand the Business Work Flow Random Sampling Test Samples Understand the Data Perform Data Analysis Focused sampling Test Sample/s Identify Audit Findings Identify Audit Findings Testing Random sampling 100% analysis and focused sampling Correlating data Audit findings Data correlation from different sources is manuallyintensive, almost impossible Higher possibility of being arbitrary, ambiguous and subjective Ensures data from different sources are correlated and supports conclusion Fact-based and data driven (incontestable) resulting in more insightful recommendations Audit errors Higher risk of human errors Reduces risk of human errors 25

26 Audit Analytics Technologies Productivity / Database Excel / Access SQL Most organizations use a combination of traditional audit and statistical/analytics tools Traditional Audit Data discovery and visualization are deployed as next generation in analytics Data Discovery Many of these tools have desktop and server versions fit and risk considerations need to be assessed Visualization / Self Organizing Maps Majority of these tools are inexpensive and easy to implement and use Self Service Business Intelligence IT support to focus on necessary infrastructure and accelerators such that the IA teams can focus on analytics vs. routine tasks The shift from baseline reporting to data discovery & visualization 26

27 Traditional BI vs. Data Discovery / Visualization New frontier in analytics Old days of data marts and data warehouses are giving way to a new era in which the data flows like a river and must be analyzed as it changes. 27

28 Analytics Technology Overview Vendor comparison was derived from Gartner s Magic Quadrant for Business Intelligence Platforms as well as Deloitte s internal resources and expertise. Tier 1 Tier 2 Category Criteria IBM Microsoft SAP SAS Qlik Tibco Tableau Vendor capabilities Technical capabilities Market and Industry Footprint Range of Business Intelligence Capabilities Scalability and Upgradeability Platform Compatibility Security Analytical Capabilities Performance 1. Vendor and technical capabilities differentiate IBM Cognos, SAP BO, and Microsoft Reporting and Analysis Services when it comes to standard and OLAP reporting. 2. SAS offers robust analytical capabilities with their strength in statistical analysis and predictive modeling. People and training Customer Experience /Visualisation Ease of Use Data Mining Capabilities 3. Qlik Tibco, and Tableau provide an enhanced user experience by providing business users with easy-touse advanced visualisation and data mining capabilities. Capability completely supported Capability mostly supported Some support for capability Limited support for capability 28

29 Internal Audit Leveraging Analytics Understand LTA Business Processes Phased approach to perform Data Analysis Design Audit Integrated with Data Analytics Perform Audit Deliver Results Data Aggregation Analytics Application Process Data Analysis Report Exceptions & Continuous Monitoring Source Systems ETL Ongoing Knowledge Transfer & PMO Communication Integrating traditional internal audit approach with the right data analytic 29

30 Audit Analytics Maturity Model Internal Audit should target to achieve a sustainable data analytics model 30

31 Closing Thoughts Data analytics requires innovative thinking about sourcing data and identifying risks is as much, if not more, about asking the right questions as it is about the mathematical contortions going on behind the scenes can be applied to more aspects of Internal Audit than simply continuous monitoring and look back audits 31

32 4. Cloud Computing

33 What is Cloud? Cloud computing represents a major change in IT sourcing and services delivery. Cloud computing is changing in how businesses purchase, deploy, and support IT services, and many companies now are responding to the new opportunities. Top Five IT Spending in 2015: The cloud services market is expanding 5 times faster than traditional IT spending Cloud services, for instance, still account for less than 10% of the IT services market. Not widely adopted in this region particularly local companies 33

34 Types of Cloud Computing Services 34

35 Key Drivers for Cloud Computing 35

36 Main Drivers vs. Inhibitors of Cloud Computing in the Enterprise Security Remains the Top Concern for adopting Cloud 36

37 Cloud Computing Environment Security and Privacy Risks 37

38 Tackling the Cloud Security Challenge Governance and compliance Privacy and data protection Security incident response Monitoring usage of cloud Monitoring compliance with regulatory requirements Compliance with multijurisdictional data privacy laws Delineating ownership of data across organizational Managing access to appropriate levels of data Implementing data storage and retention policies at the cloud vendor Managing incident investigations in a virtualized environment Limiting incident spill over to multiple cloud tenants Handling complicated troubleshooting due to continuous environment changes Access control Access controls for cloud management interfaces Access controls for segregation of duties Due diligence prior to assignment of access privileges Vulnerability management Vendor management Managing virtualization induced vulnerabilities Ensuring timely security patches Adequate vulnerability testing of cloud components Obtaining assurance on cloud vendor s solution Monitoring vendor s performance Building in cloud portability and interoperability 38

39 Security Standards for Cloud Computing ISO/IEC provide guidance on the information security elements of cloud computing, recommending and assisting with the implementation of cloudspecific information security controls for both Cloud Service Providers and Cloud Service Customers. Multi-Tier Cloud Security Standards that covers multiple tiers and can be applied by Cloud Service Providers (CSPs) to meet differing cloud user needs for data sensitivity and business criticality. This standard seeks to assist in driving cloud adoption across industries by giving clarity around the security service levels of cloud providers, while also increasing the level of accountability and transparency from these companies. 39

40 Closing Thoughts Business will continue to innovative to use of cloud computing Assess the risk implication on the services when moving to cloud Assess the control gap of the cloud service provider and determine the residual risk exposure can be mitigated ensure they meet your company s standards Clarity in the roles and responsibility between the cloud user and cloud service provider Ultimately, you can outsource responsibility but you can t outsource accountability. 40

41 5. IT Implementation

42 Introduction IT implementations generally affect the entire organization organizational, process and technology changes More than 90% of implementation projects completed late or over budget, or both Common audit risk includes controls gaps, security and access rights issues and data conversion/migration. Growing IT Implementation Trends in 2015: Hybrid cloud goes mainstream Subscription based enterprise software Mobile technology In-memory computing for ERP Deeper ERP integration / upgrade Open source continues to grow Auditing standards place specific requirements on the auditor to understand how a Client has responded to risks arising from their major IT implementations by obtaining an understanding of control activities. 42

43 Top IT Implementation Audit Consideration Scope your audit correctly Impact of new system functionality Security, sensitive access & segregation of duties User acceptance testing Data conversion/migration Reports Key control impact assessment Business requirements & design documentation Issues log and defect tracking Project governance & status reporting to support the go-live decision Throughout the IT implementation, internal audit has a vital role in verifying that project controls and best practices are followed.. 43

44 Top IT Implementation Audit Consideration (cont d) Scope your audit correctly No single template selecting the right audit approach to evaluate your company s move to a new system depends on their business objectives and evolving needs. 44

45 Internal Audit Approaches Three Internal Audit Approaches In practice, there are three common approaches to internal audit s involvement in IT implementations: 1. Internal audit is involved in each phase of implementation; 2. Internal audit is involved during or after testing is completed, and before going live; 3. Internal audit is involved only after the system has gone live. Clearly the first approach, as we have described, is the most effective, least risky, and least costly IT Strategy & Planning Business Requirements & Blueprint Risk, Controls, Access, Process and Reports Design Configure & Implement Testing Go Live Approach 1 Approach 2 Approach 3 45

46 Bottom-line Benefits with Internal Audit Involvement Help aligns IT implementation with business goals. Improve security efficiently monitor, remediate and highlight system or business risks to improve decision making and enforcement. Facilitates compliance with laws and regulations, including those relating to corporate governance, internal controls, risk management and privacy. Enable smooth transition and drive adoption through end-user engagement. Involving internal audit at the start and in every phase throughout the project will save significant time and effort as well as reduce the risks inherent in any such project, thus increasing the implementation s chance for success. 46

47 Wrap Up

48 Conclusion Technologies also offer tremendous potential for data analytics, innovation, enhanced business efficiencies and customer and investor engagement when successfully implemented. Audit Committee and Internal Audit need to understand how these new technologies and trends are impacting the company implication of technology innovations to security and privacy, financial reporting processes and the viability of the company s business model. 48

49 Q & A

50 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu L imited and its member firms. Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple ind ustries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte s more than 195,000 professionals are committed to becoming the standard of excellence. About Deloitte Southeast Asia Deloitte Southeast Asia Ltd a member firm of Deloitte Touche Tohmatsu Limited comprising Deloitte practices operating in Brunei, Guam, Indonesia, Malaysia, Philippines, Singapore, Thailand and Vietnam was established to deliver measurable value to the particular demands of increasingly intra -regional and fast growing companies and enterprises. Comprising over 250 partners and 5,500 professionals in 22 office locations, the subsidiaries and affiliates of Deloitte Sout heast Asia Ltd combine their technical expertise and deep industry knowledge to deliver consistent high quality services to companies in the region. All services are provided through the individual country practices, their subsidiaries and affiliates which are separate and independent legal entities. About Deloitte Singapore In Singapore, services are provided by Deloitte & Touche LLP and its subsidiaries and affiliates Deloitte & Touche Enterprise Risk Services Pte Ltd