Items tagged: Cybersecurity
Are you ready to reframe operations for resilience and sustainability?
COOs navigating the complexities of a changed and volatile world are rebuilding their operations from the ground up to thrive in the future.
Three questions to ask
How are you turning your supply chain into an agile supply network?
Are you ready for the data and technology risks that come with connected operations?
How does the workforce fit into your plans for resilient and sustainable operations?
Until recently chief operating officers (COOs) have focused primarily on fine-tuning the value chain for speed to market, efficiency and profitability. But the world has changed — at first gradually and now suddenly. Over the last several years, empowered consumers, employees and investors, climate change, geopolitics and technology innovations have disrupted organizations, pushing them to change how they operate. Over the last 18 months, the COVID-19 pandemic turned that slow push into a giant, forceful shove. And COOs have had to figure out on the fly how to operate in this changed environment.
Organizations may still be making the same products and services, but everything about how these products and services are designed, manufactured and delivered to customers is different. This shift is forcing COOs to reimagine their supply chains for agility and sustainability as much as optimization. Across the enterprise, technology innovations are helping COOs transform how the business operates to meet multiple, simultaneous demands from a range of stakeholders — and increasing the chances of cyber infection. Reskilling and upskilling the workforce can help accelerate digital transformations and address cyber risks. And all this in the global context of economic and techno-nationalism.
To navigate this increasingly complex and volatile world, COOs need to reframe their future for operational resilience and sustainability.
Chapter 1
Resiliency begins with visibility
Leading COOs are making the leap from linear supply chains to agile networked ecosystems.
Operational resilience begins with the value chain. As a leading COO, you need to transform your organization’s rigid, linear value chain into an agile, networked ecosystem. There are three areas to prioritize for measurable results.
1. Create real-time, end-to-end visibility
Today’s technology allows you to cost-effectively build a virtual model of your physical end-to-end supply chain. Known as a digital twin, this virtual model gathers and connects data from various sources and systems across the supply chain network to create a virtual replica, containing the same supply entities, parameters and financial targets. Leveraging digital twins paired with simulation capability, you can then use control towers to make data-driven decisions using real-time data, improving agility in both sensing and responding to disruptions. With the accelerated speed of disruption today, simulations need to be repeated and acted upon continuously to manage the risks.
2. Develop resilient and sustainable sourcing
Resilient and sustainable decision-making relies on constantly finding the right sourcing balance. Diversity of sources can help maintain competitiveness. However, over-diversification can limit your ability to develop trusted relationships with suppliers. At the same time, vendor and geographic concentration could leave you vulnerable to disruptions such as vendor insolvency or civil unrest. Today’s volatile and ESG-focused environment demands prioritizing trusted partnerships and ecosystems to mitigate risk, improve operational assurance, and support sustainable strategies.
To know who to trust and where the risks are, you need a sourcing strategy that maps and tracks suppliers, facilities and products down to raw materials. This approach will help to improve operational transparency and traceability, and allow analysis of supplier compliance, KPIs and supply chain risks.
3. Build omni-capable networks
Delivering products and services when, where and how customers expect them requires agility and the right capabilities. This may mean fulfilling a customer’s need faster and cost-effectively from a store rather than a distribution center if it’s closer and has the inventory. Building the right distributed order management (DOM) capabilities coupled with digital control towers for Tier N visibility can help maximize the value of inventory through accuracy and visibility, positioning it where it’s most needed.
Chapter 2
Net-zero operations provide net positive business benefits
Leading COOs see stakeholder demands for improved ESG performance as more than a compliance exercise.
Value chains also hold the key to sustainable operations. Many organizations have committed to or have ambitions to decarbonize their operations through net-zero targets. Leading COOs have three ways to turn what is often seen as a compliance exercise into a new source of competitive advantage and an important driver of transformation.
1. Decarbonize the value chain
Efforts to decarbonize the value chain begin by assessing your organization’s carbon footprint — as well as the carbon footprint of every partner and supplier in your ecosystem. In doing so, you can identify ways to reduce greenhouse gas emissions, set emissions reduction goals, prepare reporting and improve rating scores against global guidelines. Real-time visibility, quantification and traceability of data throughout your extended operations are prerequisites for this kind of assessment and action — as is a clear business case to support it. However, the benefits of improving ESG performance across the entire value chain are clear: enhanced processes, lower costs, increased productivity, innovation, differentiation and improved societal outcomes.
2. Build circular product lifecycles
In addition to your decarbonization efforts, as the COO, you’ll want to take the lead in working with other business units to design products for a second life, or that can be recycled or repurposed. To engage in the circular economy, you’ll need to implement circular operating models with closed material loops. As always, gathering data along the value chain and conducting analyses are critical to identify circular market opportunities.
3. Embrace tax planning
Tax penalties and incentives are playing a key role in driving sustainability initiatives globally. Work closely with the tax leader to align the organization’s tax profile with your operational footprint. You may decide, for example, based on tax implications, to relocate heavy-emitting operations to jurisdictions where tax penalties are lower or incentives are higher. However, in doing so, you will need to balance the benefit of relocating with potential downside implications, such as transfer pricing adjustments that may not be favorable, or the reputational risk of moving emissions rather than reducing them. By teaming with tax, you can help to reduce the impact of carbon taxes, while taking full advantage of sustainability incentives — with a particular focus on circular supply chains.
Chapter 3
Tech and data ecosystems balance rewards and risks
Opening operations to better, faster decision-making also increases third-party risks and cyber attacks.
A suite of new technology tools — intelligent automation, data and analytics, internet of things (IoT), cloud — are helping COOs gather real-time data, sense and measure current reality, and predict and act in near real time. Used to maximum effect, these tools can help you build agile supply networks and elevate business performance across the enterprise.
Many COOs undertaking digital transformations to incorporate these new tools continue to make decisions using statistics, intuition and experience. As a COO, you need to be making decisions that are predictive and data-driven. But with this expanded potential comes increased risk. Data-driven decisions require petabytes of data. As a result, you may be integrating third-party technologies and acquiring third-party data to better anticipate customer needs, build networked supply chains that can manufacture personalized products, and innovate a new generation of logistics that can deliver products faster and more cost-effectively.
In the quest to gather as much first-party data as possible, you may also be more willing to open operations, networks and systems to wide-ranging connectivity, including areas that have never before been connected to the internet. The more connections an organization has — to systems, networks, suppliers, partners and ecosystems — the greater the risk of infection and attacks such as ransomware.
According to the EY Global Information Security Survey 2021, many organizations are still accustomed to a reactive cybersecurity mindset. As a COO, you must adopt a mindset of security by design. Security by design requires integrity analyses when the technology is acquired and then testing of the technology as it’s introduced into the organization. Cybersecurity is also easier to manage in a cloud environment than in a legacy environment. But the integrity of data in the cloud is only as good as the integrity of the third parties that supply it. Developing trust among third-party suppliers requires a change in governance and management operations.
You’ll also need to rethink the definition of workforce. It’s harder today to distinguish between a third-party provider, customer, employee and contractor. In this context, the workforce acts as a mechanism for propagating malicious code and a vulnerable point of attack by threat actors.
Chapter 4
Resilient operations require a resilient workforce
Employees need to feel good about where they work and confident in their contribution.
Today’s supply chain and operations workforce needs to analyze data, identify outcomes and offer recommendations. This requires a digital fluency and familiarity with information and processes that may not come naturally to traditionally trained workers. In a recent EY survey, Reinventing the supply chain for an autonomous future, only 44% of respondents said their employees were prepared for digital innovation in the supply chain.
As a COO, knowing your people are at the center of any successful rebound strategy, you’ll want to work with the chief human resources officer (CHRO) to mix recruiting with upskilling, retooling and continuous improvement. Additionally, consider a redesign of your workforce to access capabilities across people, process, technology, analytics and metrics. This may include working with both the CHRO and the chief information security officer (CISO) to upskill employees to become “citizen developers.” This approach will have the advantage of gaining a combined skillset that blends IT skills with knowledge of the business. By working directly with the CISO and the cybersecurity team to nurture “citizen developers,” you also improve your function’s ability to better manage the rising torrent of cyber risks.
In addition to assisting in skills development, you’ll want to motivate your people by creating a purpose-led vision of the future. This includes a clear development path with performance incentives. You’ll want to work with the CHRO to design individual programs that support the health and well-being of each of your employees. These efforts provide employees with more confidence in what they do and more satisfaction about where they work.
Why cybersecurity is critically important for all organizations
Cybersecurity Is Critical for all Organizations – Large and Small
Steve Ursillo, Jr., Christopher Arnold | November 4, 2019
Introduction
In today’s computerized world, new risks emerge every hour of every day. Connecting to the Internet opens up the possibility of a hacker targeting your organization. Cybercrime is becoming big business and cyber risk a focus of organizations and governments globally. Monetary and reputational risks are high if organizations don’t have an appropriate cybersecurity plan.
A ‘Cyber Security Breaches Survey 2018’ revealed that over four in ten (43%) businesses and two in ten (19%) charities in the UK suffered a cyberattack. The survey found that 38% of small businesses had spent nothing at all to protect themselves from cybersecurity threats. A separate survey also found that a third of UK small businesses are risking their online safety by operating at or below the “security poverty line”. The most frequent types of cyber-criminal activity were sending fraudulent e-mails and impersonating organizations online. Malicious e-mails were also found to be the most common type of cyberattack in the Internet Security and Threat Report. The consequences of cyber-crime are costly: according to research conducted by the Ponemon Institute, the total average cost of a data breach in 2019 was $3.92 million.
What is Cybersecurity?
Cybersecurity is making sure your organization's data is safe from attacks from both internal and external bad actors. It can encompass a body of technologies, processes, structures, and practices used to protect networks, computers, programs, and data from unauthorized access or damage. The goal of any cybersecurity strategy is to ensure confidentiality, data integrity, and availability.
There are several primary means by which cybersecurity issues can affect (or even destroy) an organization and its reputation. There is the risk that a hacker might obtain sensitive information such as bank account or credit card details. There are open markets for such information on the “dark web”. If others access such sensitive information, the organization might find its banking or credit card facilities withdrawn or find itself in breach of privacy laws. Each month high-profile security breaches impacting individual data are reported globally.
A second but related issue is that when a hacker obtains sensitive information about the organization, it may find its reputation ruined. Few small organizations can survive the damage to their reputation that such lost data might cause. The damage to reputation and goodwill might be more crippling than the actual data loss itself. Loss of customer data may result in legal or regulatory action against the organization. A third party that has itself incurred a loss might file a suit against the organization. Organizations might also be subject to significant penalties and/or legal action arising from breaches of the privacy laws in many jurisdictions.
The most recent and alarming aspect of cybersecurity that causes considerable problems for organizations is ransomware. As early as 2012, ransomware campaigns were reported to have adopted commercially focused business models. In many cases, a piece of malware is disguised and embedded within another type of document, waiting only to be executed by the target user. Upon execution, the malware may encrypt the organization’s data with a secret 2,048-bit encryption key or communicate with a centralized command and control server to await instructions from the adversary. Once infected, the organization’s data remains inaccessible because the malware encrypts it using the attacker’s encryption key. Once all accessible data is encrypted, including in many instances the backup data and systems, the organization is instructed on how to pay a ransom within days, or the adversary will remove the encryption key and the data will be lost. Literally, the adversary holds the data to ransom—hence, ransomware. The encryption key is sufficiently strong that cracking the key instead of paying the ransom is uneconomic—some estimate that an average desktop computer would take five quadrillion years to decrypt the data without the key. In some cases, the target organization can hope that researchers have discovered a way to decrypt the data based on a design flaw in the ransomware. Otherwise the organization will have to restore the systems and data from a safe backup or consider paying the ransom. Keep in mind that even data restoration does not eliminate the risk that the ransomware will be re-enabled or return, given the compromised integrity of the environment.
Cybersecurity Governance
A cybersecurity governance and risk management program should be established which is appropriate for the size of the organization. Cybersecurity risk needs to be considered as a significant business risk by the owners and directors. This should be at the same level as compliance, operational, financial and reputational risks with suitable measurement criteria and results monitored and managed.
There are voluntary frameworks which can be used to consider the risk assessment and related best practices. For example, the National Institute of Standards and Technology (NIST) Cybersecurity Framework includes five concurrent and continuous functions:
Identify: Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data and capabilities.
Protect: Develop and implement appropriate safeguards to ensure delivery of critical services.
Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
Protection from Malicious Software and External Attack
New threats continue to emerge and each organization needs to be sure it is equipped to deal with a dynamic threat landscape. The following are some of the more critical system utilities and solutions used to help mitigate these malicious attacks:
Firewalls are software (and also hardware) designed to protect the system from attack from people accessing the organization’s systems via both internal and external communication links.
Malware/spyware and web proxy protection solutions protect the system from software code that may be from pop-up windows or have more insidious intent, such as logging usernames and passwords for fraudulent purposes.
Anti-spam software protects email inboxes from being clogged by unwanted broadcasted email.
Anti-phishing software protects users visiting websites that are designed to trap user information that can then be used for fraudulent purposes.
All are mandatory for any well-managed system utilizing a defence in depth strategy. The cost of an attack can be significant, involving loss of data, fraud, and the cost of rebuilding systems and should be analysed against the cost to defend against such threats.
It is recommended to use a well-known, reputable supplier. Some companies purport to supply these utilities but in fact the utilities themselves can be malicious software. Be cautious about using free software or software from an unknown vendor. Generally, it is best to use the utilities recommended by the business’s systems integration (technical support) organization, as they will be responsible for its installation, configuration, and maintenance.
Maintenance of these applications is critical. New malicious software emerges every day. Most software vendors provide at least a daily automatic update to their databases to ensure that the system continues to be effectively protected. Ensuring that these updates are correctly implemented is essential.
Hardware Maintenance Plans
Maintenance contracts should be maintained with hardware suppliers so that hardware failures can be quickly rectified. These contracts should specify the service levels that the supplier will meet in the event of failure. Critical hardware such as servers, switches, and backup technologies require prompt attention. Many contracts specify four-hour response for failure of these components. Other, less critical hardware such as individual workstations can have longer response times.
Some organizations, particularly in remote areas, purchase some critical components that have a higher potential to fail, such as power supplies, as spare parts that can quickly replace a failed component. Organizations that rely on maintenance contracts should ensure that the support company maintains an adequate supply of spare components to meet the organization’s service level commitments.
The quality of the organization’s external IT support company is critical in ensuring the systems are correctly implemented and supported. Issues that need to be considered in selecting an appropriate company include:
Their knowledge and experience with the organization’s hardware and operating system configuration.
Their knowledge and experience with the organization’s application software.
Certifications held with major hardware and software companies, which provide assurance as to the competency of the people in the organization.
The number of people within the company who have the required knowledge to support the system—this is critical as a reliance on a single individual can result in significant delays and cost should that individual be unavailable for any reason.
Their ability to provide support services remotely to enable rapid response to issues at a reasonable cost.
Proper due diligence and vendor risk management to ensure that the third party is providing the services based on the organization’s expectations.
People and Documentation
Every organization should establish a plan to mitigate the risk of key people being unavailable in the event of a system failure. Keep a list of contact details for backup technicians. Document the configuration of hardware and software applications and keep this up to date so that a new technician can quickly rebuild the system.
Policies and Procedures
Proper IT governance procedures within an organization are critical. Implement a formal risk assessment process and develop policies to ensure that systems are not misused and ensure that applicable policies are continually reviewed and updated to reflect the most current risks. This includes developing incident response policies and procedures to properly respond to, account for and help mitigate the cost of a potential breach.
Ongoing education of all employees on technology risks should form part of the organization’s risk management framework, with potential security breaches being mitigated as a result of education and policies being promulgated to all levels of staff. Policies should include, but are not limited to:
User Account Management: rules and policies for all levels of users; procedures to ensure the timely discovery of security incidents; IT systems and confidential data are protected from unauthorized users.
Data Management: establishing effective procedures to manage the repositories, data backup and recovery, and proper disposal of media. Effective data management helps ensure the quality, timeliness, and availability of business data.
IT Security and Risk Management: process that maintains the integrity of information and protection of IT assets. This process includes establishing and maintaining IT security roles and responsibilities, policies, standards, and procedures.
Individual jurisdictions are likely to have enacted legislation that may require particular policies, or issues within a particular policy, to be addressed. Common policies are listed below and cover system use, e-mail use, internet use and remote access.
System Use Policy
A system use policy generally outlines the rules by which the organization’s IT systems can be used. Example elements to be considered in this policy include:
Mandatory use of passwords on all systems, such as phones and tablets, including the need for passwords to be changed regularly and a prohibition of providing passwords to other team members or third parties.
Prohibition of copying organization data and removing the data from the office without approval.
The encryption of memory/USB sticks.
The physical security of equipment.
Use of the system during business hours.
Rules for the private use of the system, if allowed, outside office hours.
Multifactor authentication - using more than one method of authentication from independent categories of credentials to verify the user’s identity for login.
Email Use Policy
Example elements to be considered in an e-mail use policy include:
Prohibiting the use of personal email accounts for business matters.
Prohibiting opening email attachments from unknown sources (as they may contain malicious software).
Prohibiting accessing email accounts of other individuals.
Prohibiting sharing email account passwords.
Prohibiting excessive personal use of the organization’s email.
Notification that the organization will monitor email.
Internet Use Policy
Example elements to be considered in an internet use policy include:
Limiting Internet use to business purposes.
Notification of the ability of the organization to track Internet usage.
Prohibiting access to sites that are offensive to a person’s gender, sexuality, religion, nationality, or politics.
Ensuring that downloads occur only from a safe and reputable website.
Prohibiting downloading executable (program) files as they may contain malicious software, and also prohibiting downloading pirated music, movies, or software.
Prohibiting providing the user’s business email address in order to limit the likelihood of spam.
Consequences of violation.
Remote Access Policy
Example elements to be considered in a remote access policy include:
Approvals required for external access.
Reimbursement of external access costs.
Security procedures (including disclosure of passwords, third-party use of system, disconnection from other networks while accessing the organization’s systems, use of firewalls and installation of appropriate software to protect the remote system from malicious attack and multifactor authentication).
Physical security of organization-supplied equipment such as laptops.
Reporting of any possible breach of security, unauthorized access, or disclosure of the organization’s data.
Agreement that the organization can monitor the activities of the external user to identify unusual patterns of usage or other activities that may appear suspicious.
Consequences of noncompliance.
Insurance
Adequate insurance should cover the cost of replacing damaged infrastructure as well as the labor costs to investigate the incident, rebuild systems and restore data. Consider also insurance for productivity loss resulting from a major system failure or catastrophic event.
The next step in cybersecurity: ‘Zero Trust’
By Avani M. Desai
September 22, 2021, 9:00 a.m. EDT
Once, we navigated the digital world on a “trust but verify” policy. Companies had perimetric security controls (e.g., a firewall) to safeguard their network and data, and once traffic cleared that single checkpoint or “border wall,” it could freely communicate within the network without further checks. This worked well, for a time. But as the internet and networking became more convoluted, distributed, and innately riskier — especially with the cloud migration — companies couldn’t just rely on a gateway guard and one-time validations any longer. Our modern explosion of devices and complex webwork of interconnected networks demand much savvier and more reliable security controls — when it became a zero-trust world, we adopted a zero-trust philosophy.
Zero trust is a concept and security framework introduced by Forrester Research years ago: “Never trust, always verify.” To achieve zero trust security, there are three guiding principles, as outlined by software company Varonis:
Require secure and authenticated access to all resources: Authenticate and verify all attempts to access the network, assuming they are threats until proven otherwise.
Adopt a least-privilege model and enforce access control: Limit user access to only the access each needs to do their job, thereby limiting the scope of a potential breach.
Inspect and log all activities using data security analytics: Introduce proper individualized baselines per user account that will detect abnormal behaviors based on perimeter telemetry, data access, and user account behavior.
In short, zero trust requires all users, within and outside a network (be it local, in the cloud, or hybrid), to be authenticated, authorized and validated continuously for security configuration and posture before being given (or retaining) access to applications and data. To verify user identity and uphold the network’s security, this framework relies on advanced technologies — such as multifactor authentication, identity protection, endpoint security technology, etc. — to achieve real-time visibility into user credentials and attributes. This added layer of protection becomes even more essential as companies increase their network endpoints, expand their infrastructure, and are exposed to increasingly sophisticated attacks by rogue (insider or compromised) credentials.
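The per-request decision this paragraph describes, together with the per-user behavioural baseline from the third principle above, as an added example (not code from the article, Forrester, Varonis or MobileIron): each request is re-authenticated (session, second factor, device posture), authorized against an explicit least-privilege allow list, compared with a baseline built from earlier access logs, and the complete decision is written as an audit line. The roles, users, countries and log lines are constructed for the example.

```python
# Constructed example: roles, users, countries and log lines are made up.
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Least-privilege allow list: role -> permitted (resource, action) pairs.
# Anything not listed is denied; being "inside the network" grants nothing.
ROLE_GRANTS: dict[str, set[tuple[str, str]]] = {
    "analyst": {("reports", "read")},
    "finance": {("reports", "read"), ("ledger", "read"), ("ledger", "write")},
}


@dataclass
class Request:
    user: str
    role: str
    resource: str
    action: str
    authenticated: bool     # session token validated by the identity provider
    mfa_verified: bool      # second factor presented for this session
    device_compliant: bool  # endpoint posture (encryption, patch level) attested
    hour: int               # local hour of the request, 0-23
    country: str            # geolocation of the source address


@dataclass
class Decision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def build_baselines(history: list[str]) -> dict[str, dict[str, set]]:
    """Per-user baseline of hours and countries seen in earlier access logs.
    Each constructed log line has the form 'user,hour,country,resource'."""
    base: dict[str, dict[str, set]] = defaultdict(
        lambda: {"hours": set(), "countries": set()}
    )
    for line in history:
        user, hour, country, _resource = line.strip().split(",")
        base[user]["hours"].add(int(hour))
        base[user]["countries"].add(country)
    return dict(base)


def evaluate(req: Request, baselines: dict[str, dict[str, set]]) -> Decision:
    """Apply the three zero-trust checks to one request. Every failed check is
    recorded rather than short-circuiting, so the audit log is complete."""
    reasons: list[str] = []
    # 1. Never trust, always verify: identity, second factor and device posture
    #    are re-checked on every request, not once at a perimeter.
    if not req.authenticated:
        reasons.append("unauthenticated session")
    if not req.mfa_verified:
        reasons.append("mfa missing")
    if not req.device_compliant:
        reasons.append("device posture failed")
    # 2. Least privilege: the role must explicitly grant this resource/action.
    if (req.resource, req.action) not in ROLE_GRANTS.get(req.role, set()):
        reasons.append(f"role {req.role!r} not granted {req.action} on {req.resource!r}")
    # 3. Behavioural baseline: compare with what this account normally does.
    #    An account with no history is not flagged; its first accesses seed the
    #    baseline (a real deployment would usually demand step-up auth here).
    profile = baselines.get(req.user)
    if profile is not None:
        near_usual_hour = any(abs(h - req.hour) <= 1 for h in profile["hours"])
        if not near_usual_hour or req.country not in profile["countries"]:
            reasons.append(f"outside behavioural baseline (hour={req.hour}, country={req.country})")
    return Decision(allowed=not reasons, reasons=reasons)


def audit_line(req: Request, decision: Decision) -> str:
    """One structured line per request, allowed or denied, for the audit trail."""
    verdict = "allow" if decision.allowed else "deny"
    detail = "; ".join(decision.reasons) or "-"
    return (f"user={req.user} role={req.role} resource={req.resource} "
            f"action={req.action} decision={verdict} reasons={detail}")


if __name__ == "__main__":
    # Constructed access history used to seed per-user baselines.
    history = ["alice,9,GB,reports", "alice,10,GB,reports",
               "alice,14,GB,reports", "bob,22,US,ledger"]
    baselines = build_baselines(history)
    for r in (Request("alice", "analyst", "reports", "read", True, True, True, 10, "GB"),
              Request("alice", "analyst", "reports", "read", True, True, True, 3, "RU"),
              Request("bob", "finance", "ledger", "write", True, False, True, 22, "US")):
        print(audit_line(r, evaluate(r, baselines)))
```

Because no check short-circuits, a single denied request's audit line lists every failed control, which is what an auditor reconstructing an access decision needs.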
Greater security and better auditing
With that being said, successful establishment of zero trust depends on how quickly and effectively each organization can implement end-to-end, multi-cloud security solutions and uphold the requisite methodologies. Because of the added risk when dealing with any cloud deployments, endpoint security must stay top-of-mind during these migrations to satisfy compliance models such as the GDPR and the NIST Cybersecurity Framework.
To protect data — especially cloud data — software company MobileIron’s 10-point security audit checklist lists the best practices for designing a data security and access control framework on every endpoint across borderless enterprises:
Enforce device encryption and password protection.
Prevent business apps from sharing data with personal apps.
Automatically delete business data from compromised devices.
Tunnel business traffic without tunnelling personal traffic.
Stop unauthorized devices from accessing business cloud services.
Stop unauthorized apps from accessing business cloud services.
Detect and remediate zero-day exploits.
Provide rich security controls across a variety of different operating systems (e.g., Android, iOS, macOS, and Windows 10 now support unified, cross-platform security solutions).
Certify for device security (e.g., Common Criteria Protection Profile for Mobile Device Management).
Certify for cloud security (e.g., SOC 2 Type 2 and FedRAMP).
Already a boon to internal security, a company's implementation of zero trust also bodes well for auditing. As noted in Internal Audit 360, "Zero trust eliminates traditional security tooling implementation nightmares, yet provides the fine-grained controls security practitioners seek, the auditability auditors need, and the network flexibility IT operators want."
Inherently providing visibility and automation, zero trust streamlines compliance by first evaluating and then logging (with detail) each access request. Orchestration tools that are already working to detect suspicious user behavior or potential cyberthreats also create an effortless chain of evidence that paves a smooth audit trail.
Given that each asset in such a network is “fingerprinted” before it’s allowed in the system (and that each is constantly getting re-verified), zero trust networking enables organizations to easily demonstrate how their data has been accessed, collected and used. It also encourages another critical element of auditing data and systems security: data flow mapping, or understanding where an organization’s data is, and how and with what it’s communicating. This superior visibility provided by a zero-trust network supports compliance initiatives and enables auditors to achieve better insight into how and where the data flows, how users and workloads are protected, and how the system is overall secured.
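The per-request evaluation and logging described above, as an added example that is not code from the article or from any vendor it names. It models a small policy decision point: every request is re-evaluated against identity (MFA), device posture (managed, encrypted, patched) and application trust, and every decision is written to an audit record that fingerprints the full context it was based on. The signal names, thresholds, approved-app list and sample devices are assumptions chosen for the example.

```python
"""Zero-trust access decision with a per-request audit record (added example).

Policy thresholds, signal names and the sample data are assumptions for this
illustration, not the article's or any product's actual policy.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import hashlib
import json


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool      # enrolled in MDM
    encrypted: bool    # storage encryption enforced
    os_patched: bool   # current OS patch level


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_verified: bool
    device: Device
    app: str                   # application making the request
    resource: str              # data or service being accessed
    resource_sensitivity: str  # "low" or "high" (assumed two-level scheme)


# Assumed allow-list of business apps permitted to reach business cloud services.
APPROVED_APPS = {"outlook", "portfolio-tool", "doc-vault"}


def evaluate(req):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'.

    Every signal is checked on every request: nothing is trusted because it
    was allowed earlier, which is the 'continuously validated' part of zero trust.
    """
    reasons = []
    if not req.device.managed:
        reasons.append("unmanaged device")
    if not req.device.encrypted:
        reasons.append("device not encrypted")
    if req.app not in APPROVED_APPS:
        reasons.append(f"app {req.app} not approved")
    if reasons:
        return "deny", reasons
    if not req.device.os_patched:
        # Out-of-date device: tolerated for low-sensitivity data, blocked for high.
        reasons.append("device OS out of date")
        if req.resource_sensitivity == "high":
            return "deny", reasons
    if not req.mfa_verified:
        reasons.append("MFA not verified")
        return "step_up", reasons  # caller must complete MFA and retry
    return "allow", reasons


def audit_record(req, decision, reasons, now=None):
    """Build the log entry an auditor would want for this decision."""
    now = now or datetime.now(timezone.utc)
    rec = {
        "ts": now.isoformat(),
        "user": req.user,
        "device": req.device.device_id,
        "app": req.app,
        "resource": req.resource,
        "decision": decision,
        "reasons": reasons,
    }
    # Hash of the complete evaluated context, so the record shows exactly what
    # state (user, device posture, app, resource) the decision was based on.
    rec["context_sha256"] = hashlib.sha256(
        json.dumps(asdict(req), sort_keys=True).encode()
    ).hexdigest()
    return rec


def handle(req, now=None):
    """Evaluate a request and return (decision, audit_record)."""
    decision, reasons = evaluate(req)
    return decision, audit_record(req, decision, reasons, now)


if __name__ == "__main__":
    # Constructed sample requests.
    laptop = Device("laptop-01", managed=True, encrypted=True, os_patched=True)
    home_pc = Device("home-pc", managed=False, encrypted=True, os_patched=True)
    for r in (
        AccessRequest("alice", True, laptop, "doc-vault", "client-files", "high"),
        AccessRequest("alice", True, home_pc, "doc-vault", "client-files", "high"),
        AccessRequest("bob", False, laptop, "outlook", "mail", "low"),
    ):
        print(json.dumps(handle(r)[1]))
```

Each line printed by the usage block is one audit-trail entry; the `reasons` field is what makes a deny or step-up explainable to an auditor, and the context hash lets two entries for the same user be distinguished by the device and app state at the time.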
The benefits of this approach are clear: the transparency and fine-grained control that zero trust permits help mitigate the risk of breaches and exploitation, and with it the risk of negative audit findings. As more processes move to digital alternatives, the focus on protecting data will only increase, and zero trust should be on the table as an option for every organization.
Cybersecurity mistakes your firm is still making
As recent breaches and related major SEC-imposed fines have made clear, cybersecurity is not something that financial advisors and accountants can afford to address once in a policy handout, never to revisit.
Indeed, breaches keep occurring and mistakes keep happening because of non-adherence to firms’ cybersecurity policies and because of a lack of oversight and enforcement of those policies. This has become more true over the past year or so as firms have shifted operations and applications to cloud-based environments. The financial services industry is a long way from being cybersecure.
Wes Stillman
Forewarned is forearmed. Here are the most common cybersecurity mistakes that advisors and accountants are still making.
Misunderstanding the cloud
Overestimating the protection offered by the cloud and software as a service (SaaS) applications is still a key mistake. The cloud generally offers security for data and documents stored within it, but it is not a cybersecurity solution.
When information is used outside of the cloud, there are no guarantees. Owners of RIAs and accounting firms should be concerned with how, when and where documents and applications are accessed — regardless of where they are stored. Information that is accessed, downloaded and used on unsecure, unencrypted devices can potentially expose the firm to cybersecurity issues.
Low cybersecurity awareness
Another major blunder firms make is assuming that employees are equally up-to-date on what the cyberthreats are and how to protect the firm from them. Unless firms work actively to create a culture of cybersecurity awareness, this is never the case. Security threats are constantly evolving as the sophistication of the bad actors increases.
A firm owner can elevate the level of cybersecurity awareness in their existing culture by leading through example with ongoing verbal, written and electronic reminders. Budget time in team meetings to address these issues and consider bringing in outside consultants from groups like Infosec or KnowBe4 for occasional briefings, training or updates.
Lax enforcement of security policies
As the SEC showed with its sanctions and collective $750,000 in fines against Cetera, Cambridge and KMS Financial Services, cybersecurity is not just about instituting comprehensive policy, but about meticulously enforcing it. When a firm allows data to be accessed using any unsecure, unprotected device or application, it is exposing itself to real cybersecurity issues.
For example, an RIA may have an encrypted, password-protected email system. But once firm email is synced to an unprotected device, that mailbox is no longer secured, and the entire firm is potentially exposed to malware and phishing.
Today’s firms should consider secure identity management platforms that minimize the need for passwords by using single sign-on with adaptive multifactor authentication (MFA). In fact, MFA and end-device protection should be non-negotiable, particularly in remote work environments where users can access firm and client data through personal devices.
Firm owners need to keep cybersecurity management at the forefront by continually asking themselves, "Where's the data?" Remember, the issue is often not about storing data or email inside the firm. The increased risk can happen when information leaves the safe environment and ends up on unprotected personal devices, such as laptops, tablets and mobile phones — all of which are vulnerable to data breaches and cybersecurity attacks.
Client service overriding client security
It is natural to want to help clients with requests that seem to merit an immediate response. But excellent client service also includes policies that validate these requests to ensure they are legitimate.
Advisors must have procedures for validating email and telephone requests for wire transfers and for identifying and confirming clients. For example, a client who has forgotten their account login can be directed to re-register and answer their own security questions, rather than having a password reset or other personal information handled over the telephone.
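One way to encode the wire-request validation procedure the paragraph calls for, as an added example that is not code from the article. It assumes a common procedure, not one the article spells out: the callback always goes to the number on file, never to a number supplied in the request itself; the callback is made by a second employee; and the request cannot be approved until that callback is recorded. The client directory, the risk indicators and the request format are constructed for the example.

```python
"""Out-of-band validation of a wire-transfer request (added example).

The client directory, risk indicators and two-person rule are assumptions
for this illustration, not the article's procedure.
"""
from dataclasses import dataclass
from typing import Optional
import re

# Constructed client directory: contact details established before any request arrives.
CLIENTS = {
    "C-1001": {
        "name": "J. Doe",
        "phone_on_file": "+1-555-0100",
        "known_payees": {"Doe Brokerage"},
    },
}

# Matches a phone-number-like string embedded in request text.
PHONE_RE = re.compile(r"\+?\d[\d\- ]{7,}\d")
URGENCY_RE = re.compile(r"\b(urgent|immediately|asap|confidential)\b", re.I)


@dataclass
class WireRequest:
    client_id: str
    amount: float
    payee: str
    channel: str                 # "email" or "phone"
    body: str                    # raw text of the request as received
    received_by: str             # employee who took the request
    callback_by: Optional[str] = None
    callback_number: Optional[str] = None
    state: str = "pending"       # pending -> verified -> approved, or rejected


def risk_flags(req):
    """Indicators that warrant extra scrutiny before the callback."""
    flags = []
    if req.channel == "email":
        flags.append("email origin")
    if req.payee not in CLIENTS[req.client_id]["known_payees"]:
        flags.append("new payee")
    if URGENCY_RE.search(req.body):
        flags.append("urgency language")
    if PHONE_RE.search(req.body):
        # A number in the request is exactly what an impostor wants you to dial.
        flags.append("callback number supplied in request")
    return flags


def callback_number_for(req):
    """Only the number on file is ever used; the request body is ignored."""
    return CLIENTS[req.client_id]["phone_on_file"]


def record_callback(req, employee, number_dialed, client_confirmed):
    """Record the out-of-band confirmation; enforces the second-person rule."""
    if employee == req.received_by:
        raise ValueError("callback must be made by a second employee")
    if number_dialed != callback_number_for(req):
        raise ValueError("callback must use the number on file")
    req.callback_by = employee
    req.callback_number = number_dialed
    req.state = "verified" if client_confirmed else "rejected"
    return req.state


def approve(req):
    """Release the wire only after a recorded, successful callback."""
    if req.state != "verified":
        raise ValueError(f"cannot approve a request in state {req.state}")
    req.state = "approved"
    return req.state


if __name__ == "__main__":
    # Constructed sample: an emailed request that supplies its own callback number.
    req = WireRequest(
        "C-1001", 25000.0, "Acme Holdings", "email",
        "URGENT please wire today. Call me to confirm at +1-555-0199.",
        received_by="pat",
    )
    print(risk_flags(req))
    print(record_callback(req, "sam", callback_number_for(req), client_confirmed=True))
    print(approve(req))
```

The point of `callback_number_for` is that it has no access to the request body at all, so a number planted in a spoofed email cannot become the number that gets dialled; the flags are there to tell the second employee why this particular request deserves a careful call.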
Delegating cybersecurity/IT oversight to employees
There is too much at stake to continue delegating cybersecurity and IT oversight entirely to the staff member who is the firm's default technology expert. Cybersecurity threats are increasingly sophisticated, and the regulatory environment is evolving, too. Ultimately, it is the business owner's responsibility when something goes wrong.
Putting checks and balances in place serves to protect the firm owner, as well as to monitor how IT policies and procedures are executed. Owners of RIAs and accounting firms also need to know and document who is logging in to what, when and where in the event of a cybersecurity breach.
Skimping on the cybersecurity budget
Cybersecurity management requires commitment of time and resources. Unfortunately, many advisors and accountants fall short when budgeting for this, which increases their firm's exposure to a potential breach. Firm owners need to consider cybersecurity as part of their firm's larger risk management budget and as an investment in brand protection and cost avoidance. For those with some security measures already in place, a good rule of thumb is to consider their annual IT budget and add on an additional 25% for cybersecurity protection, in addition to ongoing training and policy management.
5 key factors to enhance audit committee effectiveness
Laurie Tugman, Laura Leka | September 20, 2019
Corporate failures and scandals across countries, including the recent collapses of Carillion, Patisserie Valerie and London Capital & Finance in the UK, failings in South Africa’s state-owned entities Transnet, Eskom, and South African Airways, and the 1MDB scandal in Malaysia to name a few, have all focused political and regulatory attention on the audit profession and also exposed serious corporate governance failings.
The result is increased debate globally on audit and governance regulatory reform.
Companies do not fail because of poor quality audits. An audit is designed to enhance confidence in financial reporting, but it does not relieve management or those charged with governance of their responsibilities. Ultimately, corporate failures and the resulting impacts on financial statements are consequences of poor governance and decisions.
Effective governance is underpinned by purpose, vision, values and ethics that are reflected in the behaviors and actions of the board and management team and cascaded throughout the organization. The board, in conjunction with management, is responsible for setting the tone at the top, shaping the culture of the organization, and setting strategic direction. Organizations need to be proactive in driving improvements in their governance beyond adherence to minimum requirements alone.
The board has ultimate responsibility for the integrity and accuracy of the company’s financial reporting, which includes ensuring implementation of internal controls over financial reporting, adoption of appropriate accounting policies, and appointment and oversight of independent external auditors. These responsibilities are often delegated by the board to its audit committee. But this delegation does not absolve the board of its obligations and accountability to shareholders and other stakeholders.
IFAC strongly supports efforts to strengthen and clarify the roles of boards and audit committees in exercising oversight of the statutory audit and financial reporting processes led by management, including addressing perceptions that audit committees are not sufficiently independent of management, or that there is insufficient communication from the audit committee to shareholders.
Effective audit committees are a critical part of delivering trust and confidence in reporting and risk management. However, globally audit committee responsibilities are widening beyond their core financial reporting oversight responsibilities, putting them under increasing pressure both in terms of time and expertise to oversee the major risks on their agendas in addition to fulfilling their core mandates.
Often if the board is not directly dealing with a matter or there isn’t another appropriate committee, by default whatever is left over falls to the audit committee to oversee: for example, cyber security and other technology related matters, as well as risk management beyond financial risk.
Audit committee responsibilities vary widely across jurisdictions, sectors and between companies. It is important to recognize that there is no one-size-fits-all model for audit committees and therefore enhancing their effectiveness will be more dependent on adoption of good practices rather than further prescriptive legislation or additional regulatory scrutiny.
With the input of IFAC’s Professional Accountants in Business (PAIB) Committee we have been exploring ways to enhance audit committee effectiveness and have identified five key factors:
1. Audit committee transparency
Increased transparency on how an audit committee has discharged its duties is crucial and enables a more informed assessment of its performance and effectiveness.
Many corporate governance codes and regulations include requirements around audit committee disclosure. In addition, voluntary disclosures continue to grow, reflecting that audit committees are responding to evolving expectations of investors and other stakeholders.
But while audit committee reporting may be increasing, the usefulness of disclosures varies.
In the US the CAQ 2018 Audit Committee Transparency Barometer, a review of audit committee disclosures by S&P 500 companies, revealed increased disclosure around audit firm appointment, length of audit firm engagement, change in audit fees, and criteria used to evaluate the audit firm. However, decreased disclosure was found around key questions such as:
Is there a discussion of audit fees and their connection to audit quality? 5% of companies included this, representing a continued downward trend since 2014 when 13% included this discussion
Is there a disclosure of significant areas addressed with the auditor? 0% included this vs 3% in 2014.
For audit committee reporting to be meaningful, there needs to be strong and candid disclosure of the audit committee’s work and key areas of its agenda and discussions. Such disclosure should provide insights on the significant issues the audit committee considered in relation to the financial statements, and how these issues were addressed.
If enhanced reporting by auditors through disclosure of key audit matters is mirrored by the audit committee in its own reporting, this could drive improved audit committee disclosure. It would be unusual for the audit committee not to give its perspective on an issue that the auditor considers a key audit matter. Analysis of audit committee reporting in the UK shows that disclosure on material financial reporting risk is strongly aligned with auditor reporting on key audit matters.
2. Effective communication
The importance of effective communication flows to and from the audit committee cannot be overstated. This includes written and in person, formal and informal, communication with management, internal and external audit, the CFO and finance function, and the board.
For support in its oversight role, the audit committee relies on:
Meaningful insight from management on emerging risks on the horizon and focused updates on what is happening in the business, moving beyond the basics of what they do to focus on specific challenges, risks and opportunities
Concise and understandable meeting materials from management, the CFO and finance function, as well as internal and external audit. The volume of materials an audit committee must review can become unmanageable. Written information presented to the audit committee needs to communicate only the most important and relevant information for their attention
Unrestricted access to the auditors without management present, as well as ongoing dialogue with the auditors outside of the audit window, to deal with issues on an ongoing basis and not just at the time of the audit
Informal communication with management and the CFO between audit committee meetings
Direct access to teams and departments, including those outside of finance, when appropriate (and ensuring the audit committee does not overstep its governance role).
The audit committee also needs to communicate with the board how it has discharged its responsibilities. It is not enough for the board to simply ‘rubber stamp’ reports from the audit committee; there needs to be full discussion and deliberation on key aspects of the audit committee’s work and any significant issues they have identified that warrant the full board’s attention.
3. Committee composition – including appropriate skills, competencies and expertise
Ensuring the right composition of the audit committee is vital but can be challenging. Requirements vary across jurisdictions, but generally there must be at least one member who is financially literate. This can put a huge burden on one individual if they are the only person on the audit committee to have financial reporting and accounting expertise.
Diversity of experience, perspectives and expertise, as well as industry knowledge are also extremely important, particularly given the widening mandates of audit committees beyond financial reporting oversight.
Audit committee members need continuing development and education to help them keep up-to-date on current issues. But often there is no formal education for audit committee members and even cases where audit committee members have never interacted with auditors prior to joining the audit committee.
Training programs, guidance and other support tools are essential to ensure the audit committee maintains knowledge of relevant developments in accounting and corporate reporting, as well as new technologies and their impact on the business and future of audit. Approaches to ensuring sustained expertise of the audit committee can be varied and include formal training and education, mentoring, and engagement with experts inside and outside the organization.
While the audit committee can rely on outside expertise, it is important that an effort is made to provide continuing professional education in order to understand emerging issues and develop an awareness of best practices.
4. How it gets its work done – efficient and effective ways of working
Audit committee mandates typically widen, but nothing is generally removed. With increased workload and increasingly complex risks on their agendas, audit committees need efficient and effective ways of working to ensure they can successfully discharge their oversight responsibilities.
Good practices include:
Having well-defined terms of reference setting out a clear scope of responsibilities, which are widely understood by the audit committee members, as well as by others in the organization including the board, CFO and finance function
Coordination between auditor, audit committee, and internal auditor to prevent duplicated effort, increased cost and poor effectiveness
Appropriate frequency and efficiency of meetings with focused agendas that allow sufficient time and attention for in-depth discussion on critical areas, as well as flexibility to add additional items as they arise
Producing short summaries to circulate to audit committee members in advance of meetings outlining key areas of focus for discussion
Holding a call or prep meeting between the audit committee chair and the auditor before each audit committee meeting.
5. Strength of the finance function
The finance function is responsible for producing reliable and auditable information for external disclosure. The strength of the finance function is therefore critical in supporting the oversight role of the audit committee, which can be severely inhibited by a weak finance function that lacks capacity, expertise or effective CFO leadership.
Considerations for the audit committee include whether the finance function is appropriately staffed and resourced, has suitably qualified people in key positions, as well as whether it has support for its continued development.
The audit committee also needs to consider whether they should have a role in appointment of key finance staff and finance function succession planning. The EY UK report Appointing CFOs for a rapidly changing world: the role of the Audit Committee suggests that “When it comes to appointing a new CFO, the audit committee chair should be an integral part of the interview process.” Indeed, “It’s a brave CEO who vetoes the audit committee chair’s recommendation.”
Much of the transactional work of the finance function including preparation of the financial statements is being enabled by technology, giving the finance function opportunities to improve its productivity, efficiency and effectiveness, and focus its attention on other value adding activities. To meet the future needs and demands of business, finance functions must transform themselves from technical support functions to business partners that enable and support decision making across their organizations.
To maximize the finance function's value to the business, organizations need mechanisms in place to assess its effectiveness and support its development. Ultimately this responsibility lies with the board but may also be delegated to a committee of the board such as the audit committee.
In South Africa, which adopts a combined assurance model, the King IV Code on Corporate Governance recommends that the audit committee should provide independent oversight of the effectiveness of the organization’s combined assurance arrangements, including external assurance service providers, internal audit and the finance function. It also recommends that the audit committee discloses their views on the effectiveness of the CFO and finance function.
To support finance function transformation, IFAC has recently launched its “Future-Fit” series, which includes a high-level evaluation tool designed to support dialogue at the board (or audit committee) on the importance of finance function development, as well as help to identify priority areas for finance function investment.
Embedding cybersecurity in your accounting courses
In this article, four accounting experts and academics offer advice on teaching this critically important topic.
Many years ago, Scott Boss, Ph.D., associate professor of accountancy at Bentley University in Waltham, Mass., was conversing over Skype with his 6-year-old daughter, who was visiting her grandparents. "Why are you on Mommy's computer?" he recalled his daughter saying. "Daddy, we don't share passwords in our family.”
That moment was a proud one for Boss, who shared this story to reflect on something he's passionate about: cybersecurity. The topic, he said, needs to be mentioned over and over again to accounting and other students so the very nature of it is ingrained into their psyches.
"The point is to bring up the topic from the very beginning," said Boss, who teaches advanced Accounting Information Systems courses, both undergraduate and graduate.
Without question, cybersecurity is a hot topic. Data breaches make the news frequently; companies lose millions of dollars in what are accounting and reputational nightmares; and organizations, including public accounting firms, need internal controls to ensure their data and their clients' data remains secure.
CPAs are at the forefront of this rapidly escalating wave. They must protect their firms and clients' companies from hackers, assess cybersecurity risks during IT audits, and consult with clients regarding their own cybersecurity systems. Today, all Big Four firms have large cybersecurity consulting practices, and opportunities in the field abound for new college graduates in accounting, business, and computer science. "This isn't a topic for IT people," Boss summarized. "It's a topic for everybody. And it's cooler than debits and credits."
Accounting faculty will likely soon feel the need to learn about cybersecurity and to integrate the topic into their courses, if they haven’t already, as knowledge of the subject can help students find jobs. The Bureau of Labor Statistics has estimated information security jobs will grow 31% through 2029. "People are very hungry for talent in this area, so students who have that knowledge are better poised to identify risks,” said Nancy Bagranoff, CPA, DBA, professor of accounting at the University of Richmond, in Virginia. She began teaching a stand-alone course, Cybersecurity for Business, in the fall of 2020.
Employers need graduates with cybersecurity acumen, said Tawei (David) Wang, Ph.D., an associate professor of accounting and management information systems at DePaul University in Chicago. Firms and companies are hard-pressed to hire graduates who not only understand accounting and auditing, "but also have a solid understanding of the risks and governance issues from the cybersecurity point of view,” he said.
Faculty may question where to fit cybersecurity into their already-packed classes, however. And, as Wang noted, cybersecurity is a broad topic, which requires different perspectives across disciplines.
Another hurdle is the fact that there's no real consensus on how universities should teach cybersecurity: Some courses are offered through the computer science division; others, like Bagranoff's, are taught in the business school; and others in accounting departments. But all too often, cybersecurity is not included in accounting programs at all.
"Historically, accounting has been reluctant to consider cybersecurity as an important part of the curriculum," Boss said.
Despite these issues, accounting professors armed with some basic guidance can bring cybersecurity into their classrooms without too much difficulty. Experienced faculty offer the following six tips for teaching cybersecurity and getting up to speed on the topic:
Tell students why cybersecurity matters. Some accounting students may wonder why they need to learn about cybersecurity, viewing it as solely a matter for IT. So discuss the "why and how" with students. "The most important tip would be to get your students to understand how, as an information system, accounting relies on cybersecurity, as do all information systems," said Lawrence A. Gordon, Ph.D., professor of managerial accounting and information assurance at the University of Maryland's Smith School of Business, and co-author of Managing Cybersecurity Resources: A Cost-Benefit Analysis.
Explain how cybersecurity is a vital component of internal controls, and how disclosure issues and decisions must be addressed. "What's the cost of a cybersecurity breach? That's an accounting issue," he said, as an example.
In addition, noted Boss, mention high-profile incidents like the Equifax Inc., and Target Corp., breaches, where data from millions of customers was compromised. Students like to hear about real-life events.
Tap resources. It doesn't take long to get trained on the basics of cybersecurity. Bagranoff strongly advises taking the AICPA's certificate course. "It's a quick way for an accounting professor to get a good handle on [the subject]," she said. Or monitor websites such as the Cybersecurity & Infrastructure Security Agency (CISA) homepage.
YouTube can also be a source of information, Bagranoff said. There are "cybersecurity-related videos on any topic, and full-length courses and course modules on specific topics," she said, including on the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Harvard University also offers a podcast on teaching cybersecurity, and outlets like Coursera provide many courses on the topic. Bagranoff also receives "cybersecurity alerts" from a host of sources, including the Washington Post.
Don't expect to be an expert. You don't need to be a cybersecurity specialist to integrate the subject into your class. Talk about it here and there and continue to acknowledge cybersecurity as important. "You don't have to go in-depth," Boss said. You can incorporate, say, newspaper articles about someone being hacked into your classes, he said.
Bring in guest speakers. Many people, like Boss, love to talk about cybersecurity and can make interesting speakers in a classroom. Ask other faculty members, public accounting firm representatives, or alumni to speak to your students. "Don't be afraid to reach out," Boss advised. Fellow academics who already teach cybersecurity may also be a great resource for offering teaching advice.
Vary the assignments. Accounting faculty can offer a mix of assignments for students around the topic of cybersecurity. Gordon provides students with "problems and little scenarios" and asks them probing questions, such as "How much should a firm invest in cybersecurity?” and “What's the impact of COVID-19 on cybersecurity?" He also asks students to read articles online that explain topics such as how to do a penetration test, a way of testing a computer network or application to find security holes.
Wang suggests covering topics such as risk management and governance policies and programs, and how to respond to a cybersecurity crisis should it occur. You can do so through a variety of methods, whether “an exercise, a bigger project, a case study, or a teaching simulation," he said. Harvard University offers case materials to help in the teaching process.
Repeat. Repeat. Repeat. Cybersecurity can be woven throughout the accounting curriculum, from introductory accounting courses to graduate-level classes. Cybersecurity "should be covered in audit, financial accounting, managerial accounting, IT audit, and fraud and forensics” courses, said Boss. “One of the things we've learned from education is repetition makes the habit.”
EY recognized as a Leader in the GCC Professional Security Services vendor assessment
EY has been named a Leader in Professional Security Services in the GCC region by the IDC MarketScape.
The report is based on a comprehensive framework assessing 20 providers in the regional professional security services market on their current capabilities and future strategies in addressing the cybersecurity challenges faced by end-user organizations across the region.
According to the IDC MarketScape: GCC Professional Security Services 2020 Vendor Assessment, "EY has been able to create one of the largest teams of cybersecurity professionals in the region. Alongside the company's history of cybersecurity consulting worldwide and its partnerships with local and global technology and services players, this SOC makes EY one of the strongest cybersecurity services providers in the region. The company has invested in developing local talent and creating a large staff of cybersecurity professionals who are bilingual (in Arabic and English) and are nationals of GCC countries, which gives EY an added advantage in driving customer relations and satisfaction."
Wasim Khan, EY MENA Consulting Leader, says:
"We are extremely proud to be recognized by the IDC MarketScape as a GCC Leader in Professional Security Services. The diversity, depth and breadth of our team are a testament to our dedication to supporting security practices in the GCC region. The COVID-19 pandemic fast-tracked digitalization across all sectors, leaving no room for security uncertainty. Our broad cyber consulting portfolio, which includes managed security services, has been crucial to executing critical turnkey programs quickly and efficiently for our clients in uncertain times."
Clinton Firth, EY Africa, India and Middle East Cybersecurity Leader, says:
"The EY Cybersecurity team is very happy for recognition of the hard work over the years to build a world-leading practice in the GCC that is absolutely focused and driven to solve the most complex issues that our clients face. We will continue to invest and grow our cybersecurity business from strength to strength with the right professionals and assets to solely serve the continuing client demand, all in the face of the ever-increasing cybersecurity threats our clients face."
Varun Kukreja, Senior Program Manager at IDC, says:
“Though EY has been a critical Digital Transformation player in the region for more than a decade, their Cybersecurity practice has been pivotal in differentiating itself in almost all facets of portfolio offerings. More so, the EY cybersecurity team dedicates itself to co-innovating with their client base and taking problem solving to an elevated level.”
EY continues to expand its security offerings, talents, and investments in the five core competencies of: strategy, risk, compliance, and resilience; data protection and privacy; identity and access management; architecture, engineering, and emerging tech; and next-gen security operations and response.
Hiring for Success
Internal audit's key role in addressing digital threats has spurred the need for cybersecurity expertise on the audit team.
Geoffrey Nordhoff, August 24, 2021
Organizations are moving gingerly into the post-pandemic world with a heightened focus on cybersecurity, with overall cybersecurity spending projected to grow as much as 10% this year, according to IT research firm Canalys. Regulators — already concerned about cybersecurity — have ratcheted up their oversight, vividly illustrated by the U.S. Office of the Comptroller of the Currency's $80 million fine against Capital One last year (see "Capital One Data Breach" below). In fact, cybersecurity was one of the top-ranked risks identified by board members, management, and chief audit executives (CAEs) in The IIA's OnRisk 2021 report.
In this environment, internal audit, as part of its oversight function, has a critical role of helping organizations manage cyber threats by evaluating risks and providing an independent assessment of controls. In turn, this role has spurred the need for cybersecurity skills in internal audit functions.
The heightened concern around cybersecurity has inevitably increased the demand for suitably experienced auditors, says Jamie Burbidge, founder of Bickham Montgomery, a London-based internal audit recruiting firm. "Due to cybersecurity being a relatively recent concern for business leaders, the number of internal auditors at the senior level with relevant experience is quite small," he noted. At present, potential internal audit hires who have the experience and a good grasp of cybersecurity likely are coming from the Big Four accounting firms at slightly more junior levels.
Regardless of the talent source, experts point to several skills and qualifications to look for when hiring. They also cite the importance of soft competencies, the need to plan ahead for resource needs, and the advantages of developing skills internally.
The Right Expertise
Shawna Flanders, director, IT Curriculum Development, at The IIA, says two general skills are important for internal auditors who will be involved in cybersecurity audits: data analysis capabilities and critical thinking. "Deploying critical thinking skills gives auditors the ability to determine how a cyber threat in the wild could impact their organization," Flanders says. Plus, they need to be able to use data to discover unusual activity, inappropriate access, and fraud, and possess a broad understanding of IT general controls as well as application, network, and information security controls, she adds.
In addition, practitioners need to have a deep understanding of relevant threats, such as malware, ransomware or spyware, denials of service, phishing, and password attacks. Given the demands, internal audit functions should consider building dedicated expertise on their team, says Jim Enstrom, senior vice president and CAE at Cboe Global Markets of Chicago. The type of person who can fill this role probably has come up through a technology, cybersecurity, or consulting background, rather than internal audit, he adds.
Ongoing training and an emphasis on more technical cybersecurity-related certifications should also be a focus area, Enstrom says. Certifications demonstrate a basic level of aptitude and indicate that a person is motivated for self-improvement and self-learning. The IIA offers several seminars on IT topics, including cybersecurity, as well as more than a dozen IT courses on-demand. In mid-July, The Institute launched its IT General Controls Certificate, demonstrating the certificate holder's ability to assess IT risks and controls.
In addition, more universities are offering advanced degrees in cybersecurity, in which students also are learning the principles of assurance, as well as how to evaluate controls and risk. For example, the University of Central Florida in Orlando, which offers a certificate in cybersecurity, will begin offering a master's degree in cybersecurity and privacy this fall that will include a technical track covering topics such as hardware, software, and security, and an interdisciplinary track that addresses the human aspects of cyberattacks. These types of programs are an opportunity for recruiting, Enstrom says.
Robert Berry, former executive director of internal audit at the University of South Alabama and now president of consulting firm That Audit Guy, says hands-on experience in cybersecurity is important in considering a hire. Berry says he would look for someone experienced in technology, especially with experience in how networks operate and are secured. "You want to look for somebody who is actively engaged and involved in the craft," he adds — the kind of person who builds his or her own network and tinkers with it, and who is active in chat rooms and forums.
Capital One Data Breach
The U.S. federal government's enforcement actions against Capital One in August 2020, which included an $80 million fine from the Office of the Comptroller of the Currency (OCC), illustrate its increased oversight of cybersecurity issues. The actions stemmed from a 2019 cyberattack that stole the personal information of about 100 million individuals. The OCC fine was the first significant penalty against a bank in connection with a data breach or alleged failure to comply with OCC guidelines. The OCC specifically called out Capital One's internal audit function, saying it failed to identify numerous control weaknesses and gaps and did not effectively report them to the audit committee.
Training, Sourcing, and Collaboration
Rather than hiring from outside, developing skills internally is sometimes a better option, especially in small- to moderate-size departments, Berry says. That way, the auditor is already familiar with the organization and with the procedures involved in conducting engagements, he explains. This approach also might be advantageous for a small department in an industry that does not pay well, which likely will have a hard time recruiting cybersecurity expertise, Berry adds.
In a midsize department or a midsize organization with a small audit department, audit staff might not have the necessary IT knowledge. Keeping in mind The IIA's International Standards for the Professional Practice of Internal Auditing, the organization might consider a co-source provider, Enstrom says, adding that training, skill building, and certifications also are important for these departments. In addition, where the Standards allow, internal audit should consider collaboration with the organization's information security department, he says. Standard 1210: Proficiency, and Standard 2050: Coordination and Reliance, provide guidance in these areas.
Seek Out Soft Skills
"Curiosity is the cornerstone of internal audit," Berry says. "If you can't be curious and ask really good questions, you will fail in your career in audit." Soft skills are probably the most important skills, he says, because a person who possesses them can be taught audit skills. Critical thinking and other soft skills give internal auditors, especially those dealing in a technical area such as cybersecurity, the ability to communicate outside their area and to understand how a cyber threat could affect the organization.
When he started Bickham Montgomery about 10 years ago, Burbidge found that technical proficiency was by far the most sought-after trait for companies when hiring internal auditors. Now, he sees more emphasis on communication skills as part of an internal auditor's role. "You need to be able to communicate, need to be able to persuade, need to be able to partner with the business," he says.
Jeannie Alday, director of Internal Audit for Chatham County, Ga., says in hiring someone with an IT background, she wants to determine whether the candidate will be able to communicate with IT staff, and IT management, but also with county management and others who may have limited background in IT. "Those soft skills are huge, and they're not always easy to spot in the limited interview process," Alday says.
Looking Ahead on Hiring
Given the rapidly changing environment, cyber awareness is fundamental to the execution of an organization's strategy. "In any organization today, cybersecurity is one of the top risks," Enstrom says. In the present environment, boards, management, and other stakeholders need to focus continually on cyber risk and whether their organization has the right skills and resource strategy, he says. Importantly, organizations need to make necessary investments in skills and resources.
Post-pandemic, hiring likely will become more challenging because of pent-up demand, Enstrom says, and demand already exceeds the number of candidates. As a result, audit hiring managers should think more creatively about compensation and other job benefits. He also notes that many cybersecurity professionals have had limited exposure to internal auditing and assurance, may see auditing as having limited opportunity for advancement, and might not consider going into the field.
This perception underscores the necessity of selling the opportunities and value proposition of the profession to prospective job candidates. Compared with going directly into information security, internal audit offers the potential for greater diversity of experience and breadth of opportunity — working with senior executives and board members — and exposure to different projects, Enstrom says. Moreover, because of the importance of good communication skills, time spent in internal audit can be a great learning opportunity for someone who is less comfortable in this area.
"Early in a person's career, working in internal audit really represents a great learning opportunity because you have so many different projects you can work on," Enstrom says. "I think we don't sell that enough as a profession."
As another area of focus for hiring, Enstrom emphasized the importance of partnering with outside firms or organizations that can help with the candidate sourcing process. He highlights one example — the Greenwood Project. "The Greenwood Project is a nonprofit organization dedicated to introducing Black and Latinx students to careers within the financial industry," he says. "We've had success working with Greenwood Project and we continue to look for ways to strengthen our relationship and promote the profession of internal auditing to Greenwood students and diversity candidates. In addition to accounting and business students interested in financial services, we have been working with Greenwood to promote an interest in IT audit, data analytics, and cybersecurity roles in the internal audit profession."
Meanwhile, when recruiting through universities, internal audit functions need to look beyond the accounting and finance departments and build relationships with computer science and cybersecurity programs. "In my experience, many students in computer science or other IT disciplines are unaware of job opportunities in the internal audit profession," Enstrom says. "Given this, it's really important for the company and recruiter to understand and have relationships with faculty and staff in these colleges, not just the business schools."
The bottom line? "You have to offer competitive salaries, and you have to be very clear and crisp in your value proposition — how internal audit will benefit them in their career," Enstrom says. Moreover, companies recruiting in the post-COVID-19 marketplace will need to think more broadly and consider hiring candidates from outside their geographic area.
What Are Critical Success Factors for PAO Digital Transformations?
Asmâa Resmouki, World Bank consultant, presents 5 key pillars that professional accountancy organizations must put in place to make successful progress on digital transformation.
ASMÂA RESMOUKI, WORLD BANK CONSULTANT | AUGUST 12, 2021
There is a significant opportunity for Professional Accountancy Organizations (PAOs) to accelerate digital transformation to improve the delivery of their mandate. This was evident through a recent World Bank project that engaged with Board members and senior management of 20 PAOs in Sub-Saharan Africa, Middle East & North Africa (MENA), Latin America, and the Caribbean regions regarding their digital transformation journeys.
“We need to accelerate adoption of digital transformation to enhance services to our members and public”
“We need to design a digital transformation strategy supported by financial and human resources to leapfrog our service offering during the COVID 19 period”
“Digital transformation will assist us to support prospective accountants in rural areas”.
These were some of the sentiments that were expressed by Board members, and by speakers and participants during the knowledge event hosted by IFAC and the World Bank on PAO digital transformation (available in English and French).
Based on the conversations, the following are 5 key pillars that PAOs should put in place to successfully progress their digital transformation.
1. Governance: Tone at the top should set direction
Throughout the project, it was noticeable that when the PAO President and Board members had a clear vision and were committed to the digital transformation reform, there was commendable and concrete progress. The opposite was also true: there was minimal digital transformation among PAOs where leadership did not show enough enthusiasm for the reform or consider it a priority. Therefore, it is important for the Board to take the leading role in setting direction and really driving the necessary changes.
2. Design and implement a user-centric digital transformation strategy
Digital transformation requires a clearly articulated strategy that defines strategic objectives, implementation plans, and performance targets with timelines (Key Performance Indicators).
When designing the strategy, the Board should engage with the membership and all relevant stakeholders to ensure their needs and expectations are incorporated. The final strategy should then be shared and communicated with them. Subsequently, the PAO leadership should regularly request feedback from members and stakeholders on any new digital tools and request suggestions to improve the user-experience. This would create a virtuous circle between the PAO and its stakeholders.
Ideally, the digital strategy should be linked to the overall strategy of the PAO, since digitalization serves as a tool to execute the overall strategy. The Ordre National des Experts Comptables et des Comptables Agréés du Burkina Faso is a good example of a small PAO which has designed its digital transformation strategy using guidance from IFAC’s Information and Communications Technology (ICT) Guide.
3. Be connected and benefit from the country digital economy eco-system
PAOs should be aware of digital transformation reforms in their country and maintain close working relationships with the governmental departments and officials driving the reform. Government reforms seem to be focused on strengthening national infrastructure to improve access and reduce cost, enhancing digital skills, offering digital public and business platforms to accelerate the use of e-services, and strengthening digital enablers like cybersecurity and data protection. These initiatives can have a direct impact on PAOs’ digitalization initiatives.
Therefore, it is crucial for PAOs to follow and engage with the right stakeholders regarding national digital transformation reforms to determine how they can benefit from such a reform and related activities. This could include empowering their members with greater digital skills by including technology skills in the accounting qualification curriculum and offering regular digital courses in the CPD program.
4. Adequate human and financial resources
Without dedicated human and financial resources, it is a challenge to implement a successful digital transformation reform. This does not necessarily mean having massive and seemingly unlimited resources. It means making smart investments now for better returns and savings in the future. Therefore, PAOs might need to be creative in securing the financial and human resources required to implement their digital transformation strategy.
Securing funding could mean re-prioritizing the available budget to focus on digitalization activities which will add value to members and save costs in future, requesting members to contribute to a special fund for the reform, securing sponsorship, and/or applying for government funding or donor funding, etc.
For example, the Ordre des Experts-Comptables de Côte d’Ivoire partnered with the national tax authority to support taxpayers in filing their financial statements on an online platform. Whenever a member does an online filing, a specific fee is paid to the PAO, in turn creating a new alternative revenue stream.
Human resources are also essential. Depending on the financial resources available, PAOs could either designate someone from their secretariat to lead the initiative, engage a consultant, outsource the function or set up a special Digital Transformation Committee with clear terms of reference.
5. Partnering with others
PAOs should explore partnerships and leverage their IFAC membership and IFAC’s Network Partners. Such partnerships would enable them to benefit from global and regional resources and knowledge-sharing opportunities.
Similarly, PAOs should partner with other PAOs, especially those who have progressed with digitalization reforms already. Such PAOs can serve as mentors: sharing experiences on how they have walked the transformation journey, providing advice and guidance on when and where to purchase new software or technologies, and/or providing input to a PAO that is developing its digital strategy. PAOs are encouraged to raise their hands and seek help and support whenever needed.
In closing, while the level of progress varies from PAO to PAO, the challenges for smaller PAOs oftentimes remain greater given their limited resources. Yet, “small streams make big rivers” — starting with small actions and building on them with regularity and consistency should allow PAOs to be successful in achieving their digital transformation goals. All PAOs are invited to consider the above pillars to start or accelerate their digital transformation to efficiently and effectively deliver on their mandates.
What Is Internal Audit's Role in "Reining in Cyber Risk"?
Year on year, cybersecurity has featured prominently on organizations' risk registers. The reasons why are simple enough: Cyber risks are constantly evolving, while the level of harm they are capable of has grown to such an extent that they can pose an existential threat to businesses.
Unfortunately, rapid changes in technological risks are not necessarily being matched with increased IT awareness among executives, potentially fueling an unrealistic (and unjustified) belief that organizations are adequately prepared to meet emerging cyber and IT threats. During The IIA's General Audit Management conference held in March, Nathan Anderson, senior director of internal audit at fast food chain McDonald's, warned that more times than not, management will have an overly confident take on the company's coverage of cybersecurity risks. "That's the kind of reassuring message you often want to give to a board, but in many cases … the level of confidence might be above what is justified," Anderson said.
Now more than ever, internal auditors need to understand and continually stay abreast of cyber threats. They must also understand what those charged with cybersecurity are doing to manage risks, what measures business unit leaders are taking, how well employees are complying with established procedures, and where vulnerabilities may lie in the extended enterprise.
Securing the Supply Chain
The recent hack on U.S. tech firm SolarWinds has shown just how vulnerable companies and their supply chains can be. The cyberattack — believed to have been conducted by Russian hackers and which went undetected for months — spread to the company's clients and allowed the attackers to spy on their activities: a serious problem when the client list includes the elite cybersecurity firm FireEye and the upper echelons of the U.S. government, including the Department of Homeland Security and Treasury Department. The high-profile hack prompted U.S. President Biden to issue an executive order for federal agencies to address supply chain security throughout the life cycle of software procured and used by the government. The message is clear: Software security vulnerabilities in one organization can open doors to others if preventive measures aren't taken.
Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center in Mountain View, Calif., says over the past year software supply chain attacks have become "one of the most significant cyberthreats" organizations face. As such, he says, internal auditors should be pushing for the risk to be part of their cybersecurity reviews, if it isn't already included. In particular, internal auditors should check how much of an IT application or program is based on open-source software, he says. These are freely downloadable software components that account for the majority of code in commercial applications because they don't cost any money. Unfortunately, Mackey says, these components can easily bypass the normal vetting processes that an IT vendor would use if it were developing its own software, which means vulnerabilities are likely.
The best way to gain assurance, he says, is to attain a full inventory of software assets "to identify if there are any unpatched open source vulnerabilities, but more importantly to also identify if there are missing updates or patches" to keep the organization's IT infrastructure and data safe. Indeed, ineffective patch management policies are often cited as one of the key IT threats to organizations as IT departments either forget to check for patches, or employees ignore calls to download and install them.
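As an added illustration of the inventory check Mackey describes (this is example code written for this page, not code from the article, from Synopsys or from any vendor), the following Python compares a software inventory against a list of advisories and reports components still running an affected version, plus inventory entries whose version is unknown, since an incomplete inventory is itself a gap. The inventory, the advisory entries, the component names and the advisory identifiers are all constructed for the example; none of them are real.

```python
"""Compare a software inventory against known advisories (added example).

All data below is constructed sample data for this example; the advisory
identifiers are placeholders, not real CVE numbers, and the component
names do not refer to real projects.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed inventory: (component, installed version). A None version
# models an asset that was found but whose version was never recorded.
INVENTORY: List[Tuple[str, Optional[str]]] = [
    ("libexample", "1.2.3"),
    ("webframework", "4.0.9"),
    ("jsonparser", "2.10.0"),
    ("oldtool", "0.9"),
    ("logger", None),
]


@dataclass
class Advisory:
    advisory_id: str   # placeholder identifier (constructed)
    component: str
    affected_lo: str   # inclusive lower bound of the affected range
    fixed_in: str      # first version that carries the fix (exclusive bound)


# Constructed advisory list with placeholder identifiers.
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-001", "libexample", "1.0.0", "1.2.4"),
    Advisory("ADV-PLACEHOLDER-002", "webframework", "4.0.0", "4.0.5"),
    Advisory("ADV-PLACEHOLDER-003", "jsonparser", "2.0.0", "2.11.0"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically, not as
    strings ('2.10.0' must sort after '2.9.0'). Missing parts are padded
    with 0, so '0.9' becomes (0, 9, 0). Real ecosystems (semver pre-release
    tags, distro epochs) need a fuller comparator; this is the minimal case."""
    parts = [int(p) for p in v.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str, adv: Advisory) -> bool:
    """True when affected_lo <= version < fixed_in."""
    v = parse_version(version)
    return parse_version(adv.affected_lo) <= v < parse_version(adv.fixed_in)


def find_unpatched(inventory, advisories) -> List[dict]:
    """Return one finding per (component, advisory) still on an affected
    version, and one 'unknown version' finding per inventory gap."""
    findings = []
    for component, version in inventory:
        if version is None:
            findings.append({"component": component, "installed": None,
                             "advisory": None, "fixed_in": None,
                             "note": "version unknown; inventory incomplete"})
            continue
        for adv in advisories:
            if adv.component == component and is_affected(version, adv):
                findings.append({"component": component, "installed": version,
                                 "advisory": adv.advisory_id,
                                 "fixed_in": adv.fixed_in,
                                 "note": "unpatched"})
    return findings


if __name__ == "__main__":
    for f in find_unpatched(INVENTORY, ADVISORIES):
        print(f"{f['component']} {f['installed']}: {f['note']}"
              + (f" ({f['advisory']}, fixed in {f['fixed_in']})" if f["advisory"] else ""))
```

With the constructed data, libexample 1.2.3 and jsonparser 2.10.0 are reported as unpatched, webframework 4.0.9 is already past its fix version, oldtool has no advisory, and logger is reported because its version was never inventoried. The numeric comparison is the part that matters: a plain string compare would wrongly treat 2.10.0 as older than 2.9.0.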
Experts agree that third-party IT security flaws pose serious risks to organizations and therefore require a robust preventive response — with internal audit providing strong input. Shawn Chaput, strategy consultant at cybersecurity management and strategy consulting business Privity in Vancouver, British Columbia, says there are several key risks that should be on internal audit's radar, particularly around the use of cloud services and other third-party IT service providers.
Identity and Access Management
Chaput says organizations' increasing reliance on identity and access management programs has become the most important risk since cloud computing came to prominence. "As everyone moved to the cloud or started working from home, organizations had to adapt to this new 'zero trust' architecture where identity is the new perimeter," Chaput says. Unfortunately, he says, these measures often fall short. "Even with authenticating individuals and hardware, phishing and spear-phishing appear to be highly effective in exploiting this decentralization of cybersecurity and granting nefarious actors unauthorized access to company funds or administrative access to cloud infrastructure," Chaput says.
Supplier Management
Supplier or third-party management program deficiencies are another key risk area. According to Chaput, with the transition to cloud services, organizations are more reliant on third parties to do the tasks they're supposed to, including handling data security. However, auditors should read the small print first. "The fact that clients may expect a cloud service provider (CSP) to do something and they don't is where due diligence prior to contract signing is important," he says. "The other relevant part of supplier management is the portability of the data you send to the CSP and whether you can actually get it back in some reasonable and useful format. Additionally, there is an increasing possibility that your CSP will be subject to a data breach of some sort — how you handle that needs to be determined well before it happens. The importance of this risk has increased, specifically since the SolarWinds hack."
Chaput says the risk of a service provider having a breach — and what the organization should do if that happens — should also be on every internal auditor's cybersecurity risk agenda. "If you're not expecting to have a breach or for one of your major service providers to have a breach, you haven't been paying attention," Chaput explains. To mitigate the risk, he says, organizations need to consider how they should respond to the incident, how they should communicate the news internally and externally, and whether they need to switch providers immediately.
Data Classification
Internal auditors also should question the levels of security their organizations give to certain kinds of data they store in the cloud, Chaput says. "Many of our clients who use cloud service providers say 'we protect all of our data as though it is the highest sensitivity' instead of classifying and labeling the data to allow it to have different levels of security controls," he says. "If you don't classify your data, you're either underprotecting some of your data or overprotecting most of your data — and paying significantly more to the CSP than you need to."
Talent Deficiencies
Ultimately, Chaput says, the fact that the cloud encompasses so many different technologies and services lends itself to another difficult risk for organizations to manage — finding and retaining IT staff familiar with constantly evolving technology. "It used to be that you'd hire an individual based on their experience with a specific enterprise resource planning package, like SAP, or with some deep technical knowledge in a vendor platform like Cisco routing and switching," he says. "Now, it's different: You're hiring someone today to use something that may not actually exist yet but will become a dominant feature of your environment in less than a year." Chaput adds that the impact of such skills shortages "has been increasing substantially over the last few years as technology changes accelerate."
Get to Know the Technology Team
The ever-changing nature of cybersecurity threats means that internal audit needs to understand not only technology, but also the people in charge of implementing, overseeing, and using it. "If internal audit is to understand technological risks, it has to understand technology," says Kamal Dua, senior vice president and chief audit executive at U.S. defense, aviation, IT, and biomedical research company Leidos in Reston, Va. Likewise, he says, if the profession is to help mitigate cybersecurity risks, it needs to know how the chief information officer (CIO) and the chief information security officer (CISO) identify and mitigate these challenges and the approach they take to cyber risk management.
"Internal audit needs to talk with and get to know the CIO and the CISO," Dua says. "Internal auditors need to understand how these functions work, and they need to form a deep and trusting relationship with them to provide the appropriate level of assurance to the company that cybersecurity risks are being properly identified, prioritized, and mitigated."
He also says internal audit has a strong role to play in establishing a solid response to cybersecurity risks. Working alongside other assurance functions such as enterprise risk management (ERM) and, in his organization, the cyber counsel, Dua says organizations should establish — and regularly review and update — a cybersecurity risk framework, as well as examine the governance around the organization's IT architecture and cybersecurity risks. Moreover, he says, internal audit should review the cybersecurity policies and standards in place to see if they are appropriately aligned to the corporation's risk tolerance and whether they are understood and circulated internally. After reviewing the organization's risk registers, internal audit also should develop a heat map to see where critical cyber risks may appear, what impact they could have on operations, and how the risks are being mitigated.
"It is important for internal audit to understand the company's ERM program, as well as understand where cybersecurity appears in the organization's risk heat map," Dua says. "You also need to develop a cyber risk assessment plan to assess what actions management is taking to mitigate cybersecurity risks and whether these need to be improved. At times internal audit functions can struggle to do this because they don't have the necessary level of in-house talent."
Dua adds that audit functions often presume IT auditors have the knowledge and skills required to audit cybersecurity, even when those skills are lacking. "It is important for IT auditors to continuously upgrade their skills by obtaining academic qualifications or professional certifications that are focused on identifying and managing cybersecurity risks," he says.
Some believe organizations should adopt a mix of low-tech and high-tech approaches to combat cybersecurity risks. In terms of low-tech, Jane Loginova, CEO of Radar Payments in London, says internal auditors should first focus on the "basics" — namely, ensuring that security policies are enforced internally and across channels and distributed networks, including core and cloud networks. "A lot of risk can be minimized by conducting regular checks and plugging security holes, settling on a unified security framework based on interoperability, centralizing visibility and control, segmenting the network to restrict the fluidity of malware, and deep integration," she says.
In terms of high-tech, she advises organizations to invest in artificial intelligence (AI) capabilities. "Investing in AI-based security systems can significantly reduce digital attacks and spot suspicious activity," she says. "The best ones are integrated with artificial neural networks, which combined with deep-learning models can speed up data analysis and decision-making. The technology also enables the network to nimbly adapt to new information it encounters in the network."
Faults on the Front Line
Still, not all cybersecurity risks are technologically complicated. Indeed, the most often cited cybersecurity threat is from people — usually employees — ignoring protocols or using the technology incorrectly.
Mark Guntrip, senior director, cybersecurity strategy, at cloud security firm Menlo Security in Mountain View, Calif., says one of the biggest cybersecurity challenges is end users circumventing security. "Companies put in place the security policies that they consider necessary to manage risk," he says. "However, if end users perceive policies as impacting their ability to get their job done, it's highly likely that they will attempt to work around the controls — not in a way to try and steal data or with any bad intention, but in fact to help the company, which puts security teams at a disadvantage." To address this problem, Guntrip says organizations should look to implement solutions that are "invisible" to end users. "Security that cannot be seen or felt cannot be circumvented," he says.
Simon Hodgkinson, senior development director at IT security management specialist Reliance acsn in London, says internal audit must push for effective leadership from the top. "It should be clear everyone is accountable for cybersecurity, much like safety, and this should not be viewed as a problem the security team owns alone," he says. "The leadership team should sponsor behavioral awareness campaigns, and the board and executive team should regularly undertake crisis exercising for a cyber event."
Hodgkinson adds that CAEs should work more closely with CISOs to jointly develop the internal audit plan and target resources to areas of the most concern and risk to the company. "Having the CAE and the CISO articulating a consistent and coherent view of the risk to the executive team and audit committee is a powerful way of balancing cyber and operational risk," he says.
Other experts agree that effective cybersecurity requires a strong "human touch." George Finney, chief security officer at Southern Methodist University in Dallas, says forming strong relationships more widely is vital if internal audit is going to play a key role in improving cybersecurity risk management and resilience. "Relationships are our most important currency when it comes to effective change," he says. "Employees are the biggest threat surface in an organization — but they are also the ones on the front lines that are in the best position to understand the business and what controls will work in the real world."
Partnering With Business Units
Finney says it is also important for internal audit to develop relationships with department heads. "While talking to the IT department is obviously a good start, it is also important to talk to other department heads," he says. "What IT risks have they identified and prioritized? What methodologies were used to assess these risks? And are they the same as those that the IT department has identified? If other department heads invite internal audit in to help with project reviews and to test risk controls, it sends a signal throughout the rest of the organization that the audit function is one to call in a crisis — and that is a huge win."
In fact, Finney says one of the cornerstones to any successful cybersecurity risk management policy is to get enterprisewide buy-in. "I don't go out with a checklist and tell people where they are going wrong — I see every meeting/review as an opportunity to plan more effectively and to improve," he says. "It is more important to understand the thinking behind why people have taken the actions and decisions they have. If you approach audits from a positive perspective — rather than from the 'internal policeman' approach — you get fuller engagement."
Finney says that since cybersecurity is such a key risk to every organization, it "should be used as an opportunity by internal audit to push for executive support for initiatives that you know need to happen." And he adds that when internal audit assesses cybersecurity policies and controls in different areas of the organization, it presents an opportunity to build relationships with clients. "We don't want people to be afraid of internal audit: We want them to partner with us and collaborate to improve."
An Ongoing Threat
Cybersecurity risks are here to stay — and they will continue to evolve, constantly calling into question the controls and procedures put in place to minimize and mitigate the dangers. Recent high-profile hacks and other IT security disasters should remind internal audit to widen its focus beyond the technology alone to other, equally dangerous aspects of cybersecurity risk, such as policy noncompliance among employees or a lack of third-party cyber-resiliency. They should also serve as a reminder that vulnerabilities can appear anywhere in the organization, and of the importance of collaborative effort. Internal audit can help bind together different parts of the enterprise to form a unified front against cyber threats and help keep the organization protected from would-be attackers.