6 minute read 18 Feb 2019
Six ways internal audit can help mitigate digital risk

By Esi Akinosho

Houston Office Managing Partner, Ernst & Young LLP

Global Leader in value-driven Internal Audit innovation. Passionate about diversity in business. Travel enthusiast. Avid mystery fiction reader. Wife. Mother.

Internal audit can help assess tomorrow’s risks today – and one key area is in the organization’s use of technology.

Management is aggressively embracing new technologies to transform their business models, drive growth and improve efficiency. They are leveraging big data to drive competitive insights. And, they are entering into strategic transactions (e.g., mergers, acquisitions, divestitures, alliances and joint ventures) to enhance their competitive advantage. Management is also looking at their existing operating model to identify ways to become more agile and efficient so they can deliver results and still be able to respond quickly when a new challenge arises.

All of these pressures, whether from internal or external sources, create both an opportunity and a challenge for the internal audit (IA) function. IA must maintain a focus on basic and core activities, but also be ready to take on more of an advisory role and be able to “look around the corner” to see tomorrow’s risks today. The risk assessment should be enterprise-wide and include all categories of risk —including technology.

“With any technological advancement, an organization must first identify and address the risks and then monitor the environment.”

Amy Brachio, Global and Americas Consulting Risk Leader

1. Blockchain

Blockchain is a type of database known as a distributed ledger that does not have a central administrator and operates on a consensus basis. It enables decentralized groups to work together, from anywhere in the world, in a secure, trusted and verifiable way. Because blockchain-based systems enable secure, distributed work processes, they also enable tasks to be executed by distributed teams operating together in a much looser way — but with as much security as if they were working side-by-side.
Because blockchain blurs the boundaries of organizations and requires data and processes to be shared outside the organization, companies must fully understand how the technology is implemented to establish appropriate risk management strategies.

One risk associated with blockchain is its reliance on a private digital key for identity verification. If that private key were compromised, outside agents could act on the blockchain as the legitimate key holder. Another blockchain risk exists with smart contracts, which contain self-executing code designed to apply specific rules when defined conditions are met. As these smart contracts become more complex, they become more prone to errors that could give external agents an opportunity to compromise the system. Companies should implement risk and control strategies to safeguard the integrity of these smart contracts.

Example audits could include:

  • Blockchain implementation governance: evaluate the organization’s strategy for governing the implementation of blockchain usage
  • Blockchain security and risk assessment: evaluate the organization’s controls and strategy in place to manage and mitigate risks surrounding blockchain

2. Cloud computing

Cloud computing enables organizations to shed their complex internal IT structure, allowing them to focus on strategy rather than operations and respond quickly to changing marketplace conditions. Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Cloud computing is evolving rapidly, giving companies a variety of choices; however, like most technology changes, the cloud presents its share of risks and challenges that are often overlooked or not fully understood.

Example audits could include:

  • Cloud strategy and governance: evaluate whether the organization’s cloud strategy is aligned to overall business objectives
  • Cloud security and privacy: assess the information security practices and procedures of the cloud provider
  • Cloud provider services: assess the ability of the cloud provider to meet or exceed the agreed-upon SLAs in the contract and the contingency plans in case of failure, liability agreements, extended support, and the inclusion of other terms and conditions as part of the service contracts, as well as availability, incident and capacity management, and scalability

3. Cybersecurity

Cybersecurity threats continue to evolve and grow, with no predictable limit on who may be targeted. Attackers no longer need to gain physical access to a facility to cause harm to an organization. They can now gain access through malware or phishing attacks, connections with third parties, new technologies, and other new and evolving paths.
Organizations must focus on IT security and information security to avoid falling victim to cyber threats by developing a cyber audit program that addresses areas such as:

  • Security awareness: evaluate the processes and controls over the training of users to heighten their awareness and sensitivity to attempts to gain unauthorized physical or logical access to the entity’s information and systems
  • Asset management: evaluate the processes and controls over the retention of a comprehensive inventory of technology assets that have the ability to connect to the entity’s network
  • Vendor risk management: evaluate the processes and controls over third-party service and supply chain vendors
  • Incident response: evaluate the processes and controls over the response procedures management employs when unusual activity is detected

4. Mobile computing

The modern mobile device sits at the crossroads of personal use and highly sensitive business information. As the old saying goes, a chain is only as strong as its weakest link, and business data residing on mobile devices is no exception.

This technology allows employees to access and distribute organizational information anytime, anywhere, increasing their efficiency and productivity. However, this same access and distribution capability also introduces significant risks. For example, increased use of public Wi-Fi networks by business users exposes sensitive information to complete strangers if it is not properly encrypted.

As with any technological advancement, an organization must first identify and address the risks and then monitor the environment to better understand the impact mobility has on the corporate risk profile.

Potential audits could include:

  • Device configuration: identify risks in mobile device settings and vulnerabilities
  • Mobile application black box: use front-end and black box testing techniques in an attempt to exploit the vulnerabilities identified in mobile applications
  • Mobile application gray box: prioritize high-risk areas of the code, maximize code coverage and identify root cause of identified vulnerabilities

5. Robotic process automation

Robotic process automation (RPA) promises to transform the cost, efficiency and quality of executing many of the back-office and customer-facing processes that businesses rely on people to perform. However, this automation does not come without its own set of risks. IA should be involved from the beginning and must be able to identify and advise management on how to mitigate risks quickly as technology continues to rapidly change.

It is vital for an organization to establish an RPA strategy that includes comprehensive governance, risk and control practices, and IA can bring business, risk and internal control insights to that strategy.

RPA audits could include:

  • Governance: assess whether a robotics governance framework has been designed to address key organization risks and if it provides a definition of the oversight required to determine if support is aligned to business objectives
  • Investments: assess whether the organization has defined key performance indicators with the ability to deploy suitable monitoring related to robotics process governance
  • User access: evaluate the organization’s strategy to determine if it defines 1) how access is provisioned to robotics capabilities, 2) how the organization protects its robotics assets, and 3) the method the organization uses to determine its security risks related to the use of robotics

6. Social media

Lack of a robust and comprehensive social media strategy gives rise to potentially significant and unforeseen business risk. Companies should consider the organizational and cultural aspects of their social media usage, along with the technology platforms and infrastructure involved, as they seek to mitigate their risks.
Without a social media strategy in place, the following risks may arise:

  • Inadvertent leakage of confidential information by company employees
  • Intentional transmission and distribution of confidential information by an external party
  • Brand and reputational damage
  • Greater risk of hacking or fake executive accounts across social media platforms
  • Greater risk of viruses, malware and phishing
  • Employee improper use or misuse of social media platforms
  • Employee payments to external parties via social media platforms

Risk assessments should include management participation and a direct link to the organization’s overall strategy and enterprise risk management program.
Additionally, in light of the fast pace of change in the marketplace, IA should embrace technology (e.g., advanced data analytics and predictive and behavioral modeling) to enable timely identification of changes to an organization’s risk profile.
While this is a journey, not something that can be done overnight, leading IA functions are implementing these tools today to prepare for tomorrow. Conducting a risk assessment more frequently, ideally on a continuous basis, will go a long way to help IA and the business focus on the risks that matter.

Summary

Organizations are aggressively embracing new technologies to transform their business models, drive growth and improve efficiency. This presents an opportunity for internal audit to assess the risk of these new technologies and effectively “see around the corner” to anticipate and mitigate tomorrow’s risks today.
