Integrating Data Analytics Into a Risk-Based IT Audit

Although most would agree that internal audit is an assurance function, I like to think of internal auditors as value-added trusted advisors. A given mandate will provide assurance on processes that are functioning appropriately; however, the real value is in identifying areas of improvement that add tangible value back to the organisation. Data analytics has long been my tool of choice to help accomplish this value in an effective and efficient manner.

At ISACA’s 2015 North America Computer Audit, Control and Security (CACS) conference, I will be presenting alongside Bob Cuthbertson, COO of CaseWare IDEA Inc., on successful integration of data analytics within a risk-based IT audit universe. In a prelude to our session, I would like to provide examples from my own work in the past that I will be adding to, along with others, during the session on 16 March in Orlando, Florida.

Getting Started—Scoping the Audit Engagement

Understanding the business is the first and most crucial step in the audit process. It is what determines the amount of value you can potentially provide to key stakeholders. Shown in scenario 1 below, data analytics can be used before the audit begins as a status indicator of the risks facing an organization. And with this information, internal audit is able to improve the audit effectiveness as well, with the ultimate effort of providing value to the organisation.

Scenario 1: Driving the Audit Scope

Areas of Risk Identified:

  • Change Management
  • Project Management

Challenge:  Time limitations allowed only one area of focus for the audit year.
Solution:  High-level analytics of change logs and project management databases uncovered significant internal development projects.
Results:  The System Development Life Cycle (SDLC) process was therefore identified as an area of immediate value to the organization.

Homing in on Insights Gained (Audit Execution)

To save time and resources, the use of data analytics in the planning phase helps develop greater understanding of where the hotspots are in terms of risk. Outlined in scenario 2 below, utilizing 100 percent of the available data enables internal audit to truly focus and identify anomalies within areas that have been identified as high risk.

Scenario 2: Testing Compliance

Mandate:  Operational efficiency—IT help desk tickets

Challenge:  More than 140,000 tickets were opened and closed during the year.

Solution:  Use data analytics to identify trends to ensure the IT department meets the service level requirements—as delineated in the service level agreement (SLA).

Steps:

  1. Obtain an extract from the ticket management system (Footprints). Confirm data completeness by verifying record count on screen (from the system) to the csv dump.
  2. Execute a trend analysis based on tickets closed by employee, criticality and category type, amount of time from “Ticket Open date” to “Ticket Close date.”
  3. Confirm compliance to SLA.

Results:  The analytics showed that the IT group was in compliance with the agreed-upon SLA. Encouragingly, management was very interested in our data analysis, which led to the development of a dashboard for both operational efficiency (which was performed manually at the time by the director) and employee performance. The employee performance KPIs were then linked to their respective annual evaluations for a more objective evaluation of the core performance of the help desk employee.

Reporting Results

The insights found during the audit execution are what allow you to create a report that will provide value to the organization. They are the first step to providing a tangible root cause analysis and shedding light on the compliance and governance failures that matter most to companies.

The reporting phase is crucial when it comes to providing the added value for which we strive. If you have performed your audit effectively, the report will only include validated control deficiencies. The use of data analytics throughout the audit process should allow time to report on exact findings, highlight root causes and provide tangible recommendations. Furthermore, data analytics, namely data visualisation, can be used to convey high amounts of data and information in one image. I always remind myself that information is what the other party receives and not what I say. Therefore, the use of data visualisation to ensure the identified efficiencies make it across to the reader is yet another way in which data analytics helps me become the value-added trusted advisor I strive to be.

Conclusion

We have been using data analytics and attaining value by operating in a systematic and structured manner. We maximize our investment through these efficiencies and are able to provide stakeholders with the answers to questions before they even have them. This can and will continue to increase our value as internal auditors and trusted advisors to the business. During the session at North America CACS in March, I will be expanding on the processes behind these scenarios along with more examples using analytics tactics and visualisation methods. I hope to see you there!

Seren Dagdeviren, CPA, CIA
Manager, Internal Audit, Ivanhoé Cambridge
Montreal, QC, Canada

Seren Dagdeviren will present “Building Momentum” at 2015 North America CACS in Orlando, Florida, USA, 16-18 March 2015. For information and to register, visit www.isaca.org/northamericacacs2015.

[ISACA]

Will Government Be An Effective Cybersecurity Leader or Passive Bystander?

Our industry has been discussing the need for updates to critical public electronic communications laws and policies; reductions in corporate liability for intelligence sharing; national data breach legislation to replace the morass of US state laws; and increases in funding for cybersecurity education, research and standards for many years.

There are two milestones that make a transition from conversation and confusion to clear and decisive action so important now. The first is that we’ve reached critical mass in both corporate and consumer understanding and perception of the importance of cybersecurity. While mega breaches are not new, consumers’ inconvenience of swapping credit card numbers has largely been the extent of impact for most Americans in the past and attention has quickly waned. This year, consumers and corporate citizens at all levels experienced multiple breaches that created a saga of compounding and widespread impact—from credit cards, to corporate espionage, to threats of physical terrorism—and sustained attention for months.

The second, more troubling factor is escalation. While some of the nation state saber- rattling may be just that, the ease with which cybercriminals compromised a significant footprint of the retail and digital advertising sector—and the aggressive and calculated manner in which they compromised and then meted out damage on Sony and other very mature organizations—is a major milestone and also an unsettling indicator of things to come.

It is critical that we begin to disrupt the cyber adversaries and their economic and political incentives. This disruption requires a concerted effort , and the government either can play a modern and effective leadership role or be a passive bystander commenting on the state of affairs. In the State of the Union speech President Barack Obama will provide a clear indicator of which direction the US government is heading on this issue.

ISACA is seeking to address cybersecurity challenges, including the global skills gap and need for guidance, in 2015 and beyond. With the critical skills gap in cybersecurity and the need for greater industry engagement and peer conversations around security governance, cyber career progression, standards, training curricula and professional certification, ISACA’s Cybersecurity Nexus(CSX) plays a pivotal role in bringing practitioners together worldwide and creating a launchpad for cybersecurity experts and solutions of the future.

Eddie Schwartz, CISA, CISM, president of WhiteOps and chair of ISACA’s Cybersecurity Task Force

[ISACA]

Enterprise IT Governance: What? Why? How?

2014 has been called the year of the breach, with organizations from Home Depot to Sony experiencing attacks.

Information technology failures are serious—to the point that companies can lose customers and market share.

Now the question is: what measures should be taken to encounter severe threats? After having a lot of experience through years of working with diverse people from multinational financial institutes, I conclude that only having effective and efficient IT governance in place can fulfill the expectations of stakeholders.
Why do we need governance?
Stakeholders expect:

  • Business is secure and creates value
  • The organization is responsive to changing business paragons.

What do we get from governing?
The board and executives have a better understanding of IT and have a clear picture of its performance as every opportunity and mishap are totally based on decision making. This enables them to make effective decisions regarding the investment and also assures the required IT objectives. “Effective governance” leads management toward better execution of strategies to achieve a desired behavior. “Transparency in governance” develops stakeholder confidence in responsibility and accountability, provides a competitive edge to the enterprise, and is helpful in improving the customer satisfaction level.
Enterprise IT governance provides balanced operations, which means IT can respond to the business needs and at the same time maintain and improve the stability and quality of services in a cost-effective manner. Outsourced services can be directed and controlled clearly as this approach enables effective, efficient and adaptable relationships.

Effective governance (improved return on investment and value on investment) helps to minimize failures, optimize productivity, enhance efficiency, and provide a compliance with rules and regulations by eliminating redundancy, overlap and lack of clarity.

How do we implement enterprise governance of IT?
Companies based on matured IT strategic plans that enable the business tend to be the most successful, having an established and fully integrated operating environment. With these best practices they are securing their information assets in terms of their confidentiality (reveal to authorized individuals only), integrity (confidence in data and assets) and availability (accessible when required).

So, taking all these benefits into account, how do we get started in generating, transforming and sustaining IT governance? First and foremost, one thing we must keep in mind is that we cannot adopt IT governance using a one-size-fits-all approach. Each organization is distinctive, with unique needs and priorities, so it should adapt or form its own governance model based on the nature of its business. Organizations that have no IT governance at all should take a slow start (perhaps with an advisory body, external consultant with strategic planning, standards making, and project prioritization) and add more functions to the governing body as the organization matures. Those organizations that are employing some variety of IT governance may wish to widen their body further into decision-making and performance management.

Best practices for information system governance can be evaluated within the perspective of industry-wide accepted standards, such as processes like information workflow, application and infrastructure development and maintenance, and support services (both operational in-house and external). These need to be gauged and then should be benchmarked with similar industry leaders and peer organizations of a similar size and IT infrastructure. After benchmarking, performance advancement activities can be started using industry standards and/or frameworks such as ITIL. I personally prefer and recommend ISACA’s COBIT 5 as a framework for effective governance and management of enterprise IT.

COBIT 5 has integrated all industry best practices into one framework, and this single integrated framework makes the point that to achieve alignment of best practices to business requirements COBIT 5 can be used at the highest as well as lowest level. This provides a framework for overall control based on a model of IT processes that should generically suit most organizations regardless of industry and whether private or public.

Security breaches? Their proactive/reactive defensive approaches? Strategic alignment? Value delivery? Risk and resource management? Performance measurement? The only answer to all these questions is to have effective and efficient enterprise governance of IT in place.

Organizations with highly effective IT governance prioritize and communicate the structure and essential changes across the organization. Involving both IT and business leaders and bringing them together at the upper management level is vital for ensuring how closely IT is related to business performance. Effective IT governance is a journey, but success can be realized by those who understand the path and the best IT governance practices that keep them on course.

Ali Nouman, CISA
Information Security at The Bank of Punjab, Pakistan

COBIT 5 and related documents are available for free download at www.isaca.org/cobit and http://cobitonline.isaca.org.

[ISACA]

Insider Threat, Shadow IT Concerns Spur Cloud Security

Surveys show cloud tops 2015 priorities.

As security professional prioritize for 2015, cloud security initiatives once again sit on top of their to-do lists. According to two surveys out in the past week, insider threat and shadow IT concerns continue to thrust cloud security to the forefront, with cloud identity and access management and cloud governance among those controls needing the most help.

“As companies move data to the cloud, they are looking to put in place policies and processes so that employees can take advantage of cloud services that drive business growth without compromising the security, compliance, and governance of corporate data,” said Jim Reavis, CEO of the Cloud Security Alliance, which together with vendor Skyhigh released a reportthat showed cloud security as the top security priority for IT organizations in 2015.

The highlights from the survey detailed in that report showed that only about 8 percent of organizations today believe they truly know the scope of unauthorized cloud purchasing—so-called shadow IT.  This jibes with findings in another report released last week from Netskope, which showed that IT professionals constantly underestimate the extent of shadow IT in their organization—with organizations estimating one-tenth of the actual number of apps found by cloud app audits.

This poses scary consequences as organizational data exits corporate boundaries within unsanctioned apps. For example, 17 percent of organizations last year experienced an insider incident, according to the CSA report, and 15 percent of corporate cloud users have had their credentials compromised, according to the Netskope report.

Part of the reason this situation has arisen is that security organizations are ill-equipped help their businesses move quickly toward the cloud through well-crafted and balanced cloud governance policies. According to the CSA survey, about a third of organizations today are full-steam ahead with cloud adoption and 51 percent of respondents feel pressured to approve services that don’t meet security or compliance requirements. But just 16 percent of organizations have a fully enforced cloud governance policy.

What’s more, even among organizations with policies or in the middle of creating a policy through a cloud governance committee, just 43 percent of them include line-of-business representation.

“Employees today have shifted from thinking of apps as a nice-to-have to a must-have, and CISOs must continue to adapt to that trend to secure their sensitive corporate and customer data across all cloud apps, including those unsanctioned by IT,” says Sanjay Beri, CEO and founder of Netskope.

As the CSA concludes in its report, IT in 2015 must find better ways to govern data in the cloud similar to data on premises. Not only will that take investment in enforcement technology, but also collaboration with the very stakeholders who are driving cloud adoption in the first place.

“IT will also need to work more collaboratively with busiess users to understand the motivations behind shadow IT and enable the cloud services that drive employee productivity and growth in the business without sacrificing security,” the report concludes.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. 

[DarkReading]

Cloud Services Adoption: Rates, Reasons & Security Fears

Concern over data breaches and privacy are two reasons enterprises in the European Union didn’t increase their use of cloud services in 2014, according to the EU’s recent Eurostat report.

“Heaven’s not beyond the clouds, it’s just beyond the fear.” – Garth Brooks

A lot of Europeans believe that the European Union is really an employment scheme for bureaucrats who want to live in Brussels — which is, admittedly, a nice place to live. But for those of us in the analyst business, the EU is one of our best sources of the data we need to advise people on their technology needs.

I firmly believe that cloud services are no longer optional. Any business, large or small, needs cloud services to both remain competitive as well as to get better control over its bottom line. So I eagerly looked forward to the release last month of the EU’s Eurostat report on “Cloud computing – statistics on the use by enterprises,” which was broken out by country.

It wasn’t really a surprise that Finland led the way, nor that Hungary, Bulgaria, Greece, Poland, Latvia, and Romania were the trailers among the 28 member states. What was surprising, though, was the low percentages of adoption. Finland, the leader, barely passed 50% when counting those enterprises that used at least some cloud services. Those listed above as “trailers” were all under 10%. And the seemingly “advanced” countries of France, Austria, and Germany barely reached above the trailers, coming in at 11 to 12%.

When broken out by sector, information and communication were, not surprisingly, the leaders at 45%, followed by professional, scientific, and technical activities at 27%. Enterprises reported that they relied on the cloud mainly for their email services (66%) and, in second place, for file storage (53%).

Those organizations already using cloud services viewed the fear of security breaches as the main reason they hadn’t increased their use. In light of the spectacular breaches (such as Sony’s) revealed recently, that’s not an unwarranted fear. Well, until you realize that it was datacenter — and not cloud — resources that were stolen in the Sony incident.

Another fear is the proliferation of data privacy issues among the various member countries of the EU. That, and the various spying revelations that have come from the Snowden incident, have made a number of enterprises wary of putting personal and privileged information into the cloud. It was hoped that a new EU Data Protection Regulation would clear up the privacy issues when it was promulgated this year, but there are now fears that serious differences remaining between the European Parliament and the 28 member states will push the regulation into 2016, further clouding (pun intended) the issue for commercial organizations.

But by far the biggest surprise, to me, in the Eurostat survey was the reason given by those enterprises that have yet to use any cloud services as to why that is so; for the 81% of European enterprises not using the cloud, the main stumbling block was insufficient knowledge of cloud computing! In fact, though, while there are many good reasons for adopting cloud services, there is little guidance for planning it. The first step is for companies to take a strategic approach to cloud migration rather than a tactical response to business unit demands.

Once the strategy is in place, a clear definition of the business objectives of cloud-based services can be developed, the attendant risks can be quantified, the necessary policies for operating in the cloud can be documented, and board-level direction of cloud adoption can occur. Then the pitfalls can be avoided.

You need to know that with cloud services, as with most things in your corporate life, ignorance can be fatal.

Dave Kearns is a senior analyst for Kuppinger-Cole, Europe’s leading analyst company for identity-focused information security and networking. His columns and books have provided a thorough grounding in the basic philosophies of directory technology, networking, and identity management to a generation of technologists.

[DarkReading]

English
Exit mobile version