Date post: 09-Jan-2020
Page 1

INTERNAL AUDIT FUTURE TRENDS, CHALLENGES AND INNOVATIONS

Ahmed Rehan MBA, CFE, CISSP, CISA, MCSE, CCSP, MCSA

Page 2

ABOUT AHMED REHAN MBA, CFE, CISSP, CISA, MCSE, CCSP, MCSA

Head IT Audit / Fraud Investigation - Burgan Bank Group

Mr. Rehan has over 18 years of experience in the fields of Information Security, Information Systems Audit, Risk Management, Fraud Investigation and Computer Forensics. He has held senior positions across global Islamic and commercial banks in the Middle East and North Africa. Mr. Rehan has a master's degree in Business Administration (MBA) from Maastricht School of Business and a B.Sc. degree in Computer Engineering from Ain Shams University (Egypt).

Page 3

Agenda

• HOW INTERNAL AUDITORS ARE PERCEIVED
• SURVEY RESULTS – TOP RISKS
• CYBER SECURITY
• EU GENERAL DATA PROTECTION REGULATION (EU-GDPR)
• DIGITALIZATION, INDUSTRY 4.0, IOT
• CLOUD COMPUTING

Page 4

HOW INTERNAL AUDITORS ARE PERCEIVED

Page 5

THE STRATEGIC ROLE OF THE INTERNAL AUDIT

A study highlighted a general misperception regarding the role of Internal Audit within the organization. Traditionally, IA functions have mostly focused on topics related to compliance and internal control systems (ICS). Adding value and providing insights on the key risks of an organization has typically not been a key priority for IA.

Source: KPMG, 20 key risks to consider by Internal Audit before 2020

Page 6

SURVEY HIGHLIGHTING THE DIFFERENT PERCEPTIONS OF INTERNAL AUDIT WITHIN ORGANIZATIONS

[Bar chart, 0% to 90%, comparing two series, "Self-perception by IA" and "External view held by executives", across six statements: Provides insight into efficiency and effectiveness; Finds potential revenue enhancement; Provides compliance feedback; Increases communication across the organization; Reveals existing and emerging risks; Provides operational feedback]

Source: KPMG, 20 key risks to consider by Internal Audit before 2020


Page 8

RISK RADAR – TOP 5 RISKS BEFORE 2020

1. Digitalization, Industry 4.0 & the Internet of Things
2. Cloud computing
3. EU General Data Protection Regulation (EU-GDPR)
4. Cyber security
5. Business continuity and crisis response

[Radar legend: Emerging / Established / Key Risk; Non Standard / Exceptional; To be considered on a recurring basis]

Source: KPMG, 20 key risks to consider by Internal Audit before 2020

Page 9

TECHNOLOGY RISKS

Rank | 2019                                | 2018                                        | 2017                                        | 2016
-----|-------------------------------------|---------------------------------------------|---------------------------------------------|-------------------------------------
1    | Cyber Security                      | Cyber Security                              | Cyber Security                              | Cyber Security
2    | Technology Transformation & Change  | Strategic Change                            | Strategic Change                            | Strategic Change
3    | Data Protection & Governance        | Data Management & Governance                | Data Management & Governance                | Third Party Management
4    | Technology Resilience               | IT Disaster Recovery & Resilience           | Third Party Management                      | IT Disaster Recovery & Resilience
5    | Extended Enterprise Risk Management | Information Security / Identity & Access Man. | IT Disaster Recovery & Resilience         | Data Management & Governance
6    | Cognitive Automation & AI           | Third Party Management                      | IT Governance and IT Risk Management        | Information Security
7    | Cloud Computing                     | IT Governance and IT Risk Management        | Information Security / Identity & Access Man. | Digital & Mobile Risk
8    | Legacy Architecture                 | Cloud Computing                             | Enterprise Tech. Architecture               | IT Governance and IT Risk Management
9    | Application Development             | Digital and Mobile Risk                     | Cloud Computing                             | Enterprise Technology Architecture
10   | Payment Technologies                | Enterprise Technology Architecture          | Digital and Mobile Risk                     | Payment Systems

Topics which appear in more than two years have been color-coded to help illustrate their movement in the top 10 over time.

Source: Deloitte & Touche (M.E.), Annual Survey

Page 10

AUDIT HOT TOPICS

Classification of the top Internal Audit Hot Topics in 2019

[Bubble chart. Horizontal axis: Internal Environment to External Environment. Vertical axis: "Known" Risks to Emerging/New Digital Risks.]

1. Cyber Security
2. Tech Transformation
3. Data Governance
4. Tech Resilience
5. Extended Enterprise
6. Automation & AI
7. Cloud Computing
8. Legacy Architecture
9. Application Development
10. Payments
11. Identity & Access Management
12. IT Governance
13. Blockchain
14. Social Media
15. Application Controls

The size of the bubble reflects the ranking in this year's list, while the horizontal axis shows the threat environment (internal or external to the organization). The vertical axis classifies the topics across the spectrum of existing / known, new and emerging risks.

Page 11

CYBER SECURITY


Page 14

IBM TASK FORCE THREAT INTELLIGENCE INDEX - 2019

Source: X-Force Threat Intelligence Index

Key Findings

Ransomware has become popular over the past years. However, criminals now also seem to leverage coin-mining malware (crypto-jacking).

Risks:
- Negative impact on system performance and power consumption
- Impacts network performance
- Regulatory concerns

Page 15

IBM TASK FORCE THREAT INTELLIGENCE INDEX - 2019: MOST FREQUENTLY TARGETED INDUSTRIES

[Horizontal bar chart, 0% to 20%; values paired with industries in the order recovered from the chart]

Finance and insurance: 19%
Transportation: 13%
Professional services: 12%
Retail: 11%
Manufacturing: 10%
Government: 8%
Media: 8%
Energy: 6%
Education: 6%
Healthcare: 6%

Source: X-Force Threat Intelligence Index

Page 16

IA ROLE IN CYBERSECURITY

[Graphic: 1st Line of defense / 2nd Line of defense / 3rd Line of defense]

• Start with a cyber security governance assessment
• Evaluate the cyber security strategy and policy
• Recognize that cyber security risk is not only external
• Leverage relationships with the audit committee and board to increase awareness and knowledge of cyber threats

Page 17

IA ROLE IN CYBERSECURITY

• Develop an audit plan for the coming quarters and years based on the assessment and risk ranking of the domains
• Seek out opportunities to communicate to management that, with regard to cyber security, the strongest preventive capability requires a combination of human and technology security: a complementary blend of education, awareness, vigilance and technology tools
• Develop and keep current an understanding of how emerging technologies and trends are affecting the company and its cyber security risk profile

Page 18

EU GENERAL DATA PROTECTION REGULATION (EU-GDPR)

Page 19

EU GENERAL DATA PROTECTION REGULATION (EU-GDPR)

DRIVERS

As of May 2018, the European Union General Data Protection Regulation (EU-GDPR) is applicable to:

• Organizations located within the EU, and
• Organizations located outside the EU if they offer goods or services to, or monitor the behavior of, data subjects in the EU

Page 20

OBLIGATIONS

As a result, organizations must demonstrate continuous data protection compliance. This can include, for example:

• Obligation to report personal data breaches within 72 hours
• Appointment of data protection officers positioned independently within the organization
• Requirements to obtain unambiguous or explicit consent from data subjects regarding the usage of their personal data

Potential impact of the EU-GDPR on the organization's bottom line can include fines as high as 4% of global turnover or up to EUR 20 million, and increased reputational risks.

Page 21

WHY WE SHOULD BE CONCERNED ABOUT GDPR

GDPR applies to everyone involved in processing data about individuals in the context of selling goods or services to citizens in the EU, regardless of whether the organization is located in the EU.

Page 22

INTERNAL AUDIT ROLE IN GDPR

• Assess the impact of the EU-GDPR on the organization's strategic goals
• GDPR-related audits should be incorporated into the IA risk assessment and internal audit planning processes
• Evaluate the organization's current degree of data protection compliance and areas for improvement
• Assess the compliance of business partners or third-party providers and understand what compliance initiatives they are undertaking

Page 23

DIGITALIZATION, INDUSTRY 4.0 & THE INTERNET OF THINGS (IOT)

Page 24

DIGITALIZATION, INDUSTRY 4.0 & THE INTERNET OF THINGS (IOT)

DRIVERS

Growing pressure on the efficiency and quality of operational processing continues to drive organizations towards digitalization and automation. Increasing investments in robotics, machine learning, artificial intelligence and advanced analytics are driving a new form of business transformation that is commonly referred to as Industry 4.0.

Page 25

"Our products, services and/or business model significantly change within six months. So, I don't know what I'll need in two years. I don't have a three-year audit plan. My one-year plan changes every three months."

Melvin Flowers, Corporate Vice President, Internal Audit, Microsoft Corporation

Page 26

Internal Audit Digital Transformation Model

Internal audit plan considerations

• Be proactive and enable the organization to act on risks in real time
• Find the right fit for emerging technologies
• Upskill and inject new talent to move at the speed of the organization

Page 27

Traditional Internal Audit Model VS. Internal Audit Digital Transformation Model

Risk Assessment and Planning

Traditional Internal Audit:
• Based on interviews with management
• Ad hoc data analytics
• Success is measured by completion of the plan

Modern IA Function:
• Automated and real-time key risk indicators
• Predictive analytics and AI drive the audit plan
• The audit plan evolves from an annual plan to a real-time plan

Page 28

Audit Engagements

Traditional Internal Audit:
• Generally linear as auditors progress from one step to the next
• Data comes from the business unit or from IT as "requests" from the auditor
• Data analytics are ad hoc and/or forced as separate steps in the engagement

Modern IA Function:
• Internal audit's real-time access to systems and data drives the engagement
• Auditors are armed with the information they need to drill down to root causes and can more effectively prioritize
• Internal audit's broad view of the organization and its data allows it to more effectively connect the dots for management and the board

Page 29

Deliverables

Traditional Internal Audit:
Internal audit delivers an audit report detailing its methodology and laying out findings and recommendations. Management responds with an action plan and internal audit follows up periodically to ensure implementation.

Modern IA Function:
Internal audit collaborates closely with management throughout the engagement. The audit is seen as an opportunity to educate and inform. Auditors share data, information and lessons learned throughout the audit. The need for a formal audit report is replaced with continuous communication via a knowledge-sharing platform.

Page 30

CLOUD COMPUTING

Page 31

CLOUD COMPUTING

DRIVERS

Cloud computing refers to any type of service where data, applications and/or infrastructure is stored online and accessible remotely. This can include services such as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). The flexible delivery models and customization of such services have contributed to the widespread adoption of cloud computing. Some of the benefits of cloud computing include:

• Scalability – the ability to scale up or down depending on business needs with reduced CAPEX investment
• Increased mobility of information – remote access to large amounts of data, e.g. access to company software via mobile phones
• Business continuity – uninterrupted and reliable central storage of data, accessible to various stakeholders

Page 32

HOW INTERNAL AUDIT CAN HELP

• Conduct reviews of the Service Level Agreements (SLAs) with third parties
• Ensure mandatory and minimum security guidelines and regulations are applied
• Assess the coverage and clarity of the roles and responsibilities assigned between the organization and the cloud service provider, e.g. crisis management
• Conduct an independent assessment of the existing governance framework
• Perform an independent assessment of any third-party cloud service provider

Page 33

CPE Code - 16385