RISK IN FOCUS - TheIIA

RISK IN FOCUS
HOT TOPICS FOR INTERNAL AUDIT 2018
A REPORT FROM EUROPEAN INSTITUTES OF INTERNAL AUDITORS

CONTENTS

3 INTRODUCTION
4 GDPR AND THE DATA PROTECTION CHALLENGE
8 CYBERSECURITY: A PATH TO MATURITY
12 REGULATORY COMPLEXITY AND UNCERTAINTY
16 PACE OF INNOVATION
20 POLITICAL UNCERTAINTY: BREXIT AND OTHER UNKNOWNS
24 VENDOR RISK AND THIRD PARTY ASSURANCE
28 THE CULTURE CONUNDRUM
32 WORKFORCES: PLANNING FOR THE FUTURE
36 EVOLVING THE INTERNAL AUDIT FUNCTION

HOT TOPICS FOR INTERNAL AUDIT 2018

In 2016, IFACI, IIA Italy and IIA Spain published ‘Hot Topics for Internal Audit 2017’. This year, a wider group of European Institutes of Internal Auditors have taken a more ambitious approach, interviewing Chief Audit Executives (CAEs) from major organisations in six European countries – France, Italy, the Netherlands, Spain, Switzerland and the UK – to home in on key themes requiring the attention of internal audit to mitigate risk and protect and add value in their organisations.

These Hot Topics were identified through in-depth, qualitative interviews with CAEs across a diverse range of critically important sectors – construction/infrastructure, financial services, IT, manufacturing, public sector, retail/consumer, telecoms and utilities/energy – and from organisations that truly lead these industries. To put this into perspective, these organisations have an aggregate market capitalisation in excess of 724bn, revenues of over 441bn, employ more than 1.86 million staff and are present in no less than 173 countries. In the financial services sector alone, the CAEs represent internal audit functions in firms collectively worth 325bn and turning over upwards of 207bn.

We are truly grateful to those who participated in our research. Their knowledge and insights provide an invaluable snapshot of the thinking of leading internal audit professionals across Europe.

The Hot Topics included in this report reflect risk areas that are being prioritised by CAEs as they prepare their audit plans for 2018 and make longer-term risk assessments. For some readers, these themes will already be fully reflected in their audit plans for the coming year. They may want to use our research to highlight to their audit committees that they are indeed on the right track. For others, this report may serve as a timely reminder, as they finalise their plans for 2018 and beyond, of issues that merit serious reflection. And for all, we hope that our publication will provide a fresh and relevant talking point, both for internal audit professionals and for audit committees and other stakeholders.

Contrasts and changes

Risks are not static and even the most fixed audit plans are subject to change as new risks emerge at the operational, strategic and wider environmental level. What constitutes a potential threat to one organisation may be deemed inconsequential by another. The most commonly identified risk area amongst CAEs of all nationalities and sectors is cybersecurity. This is no surprise given the scale of the threat and the extent to which all organisations have come to depend on technology. This is followed by the EU’s General Data Protection Regulation and the broader challenge of managing data, with the pace of innovation that businesses face being the third most widely cited risk concern.

There are some observable differences in the priorities of CAEs in different sectors and, to a lesser extent, countries. From the sample we selected, it was found that political uncertainty was cited far more frequently by CAEs of organisations based in the UK, prompted by the prospect of Brexit and the potential impacts this may have as negotiations get under way. Spanish CAEs too cited political uncertainty as an area that could expose their organisations to emerging risks but also opportunities. This is the result of multinationals from the country having expanded into Mexico and the implications of the Trump administration’s hostile position towards that country.

The financial services cohort were more concerned by regulatory complexity than any other sector. This is due to the passing of recent regulations and the impending introduction of new rules across the European Union. Notably, for CAEs at institutions in France, Italy, the Netherlands and Spain there is an added dimension in the expectations of the European Central Bank under the Single Supervisory Mechanism, which came into play three years ago and continues to develop.

The defining theme of this report, however, is the fundamental impact that technology has in shaping, enabling and disrupting organisations’ operations and strategies – a pressure that requires internal auditors to learn new skills and adopt innovative tools to bolster their capabilities in an increasingly digital world.

We hope you enjoy this report and we welcome your feedback and engagement.

GDPR AND THE DATA PROTECTION CHALLENGE

The General Data Protection Regulation (GDPR) could have been filed under the topic of compliance or even the wider cybersecurity umbrella. However, this incoming regulation deserves particular attention for a number of reasons.

First, personal data is so pervasive in today’s world that virtually every organisation of scale processes or holds such information in substantial quantities, in terms of both customers and employees, making the scope of GDPR unmatched. Secondly, the deadline for compliance is fast approaching (implementation is required by 25 May 2018). Finally, and perhaps most importantly, penalties for failing to comply are potentially huge: for the most damaging breaches, fines of up to 4% of annual turnover, or 20m, whichever is higher, may be imposed.

To put this into perspective, it is estimated that under GDPR the 400,000 fine issued by the UK’s Information Commissioner’s Office to broadband group TalkTalk for its publicised data security failings two years ago would have potentially risen to a massive 59m [1].

Further, a recent poll of 900 business decision makers around the world indicates that only 31% believe their organisations are compliant with GDPR, while analysis showed that only 2% of respondents actually appeared to be fully compliant [2].

The financial stakes for non-compliance are high and, with much work still to be done to reach full compliance, boards should have already prioritised GDPR. Whatever progress an organisation has made to date, internal audit has an important role to play in assessing compliance from 25 May 2018 onwards.

Beyond security

The regulation foresees a strengthened role for security measures such as robust firewalls and encryption, and obliges companies (data controllers) to report any personal data breach within 72 hours, even if it occurs at the third party (data processor) level. This will require enshrining data protection and governance measures into supplier contracts.

It is worth noting, however, that GDPR is not solely a cybersecurity issue. While it concerns the protection of personal data from hacks and leaks, the regulation is just as concerned with how organisations collect, store, use and disclose this data. (By contrast, the EU’s Security of Network and Information Systems (NIS) Directive, which applies only to “operators of essential services”, focuses exclusively on network security - see page 12.)

For instance, the new rules set higher standards for the “unambiguous” and “explicit” consent to collect data and in many cases will broaden the definition of personal data, encompassing potential online identifiers such as IP addresses.

Governance is another focus, with firms expected to show that they are implementing data protection by design when developing new products, and maintaining a register of personal data processing activities for companies with 250-plus employees. As well, under the regulation organisations whose core activity is monitoring data subjects and processing large volumes of sensitive data will be expected to appoint a data protection officer (DPO) who reports to the chief executive or other senior management, a responsibility that in practice can be shared amongst key people as long as the role can be identified.

Another major consideration is the geographic reach of GDPR, which not only applies to organisations located within the EU, but also to organisations located outside of the Union that offer goods or services to, or monitor the behaviour of, EU data subjects. Cross-border data transfers are possible if the destination countries’ own data protection rules are up to the same standard as GDPR. For example, US-based companies can use the EU-US Privacy Shield, a framework for personal data exchanges that has been assessed as compliant with the EU’s incoming regulation.

Is your organisation ready for GDPR?

31%: Only 31% of decision makers believe their organisations are compliant with GDPR (Source: Veritas)
2%: Only 2% of organisations actually appear to be fully compliant with GDPR (Source: Veritas)

“Data privacy is an area we are focused on, particularly in view of the GDPR coming into play next year. Data and data management is becoming more of an emerging theme because data governance and management of data is not only related to security and privacy - it’s also related to the internal processes to really optimise, to own data, to be aware of which data are available and the way they are utilised and managed for commercial purposes.”
Chief Audit Executive, multinational UK mobile network provider

“We’ve done some audit work on preparedness for GDPR this year, but as a topic data - the creation, protection, management of data - is partially driven by our maturity and our dependence on data as an organisation. For us it is an important area and the new legislation helps to bring focus and momentum. We’ve looked at it to some degree this year and we will have something on the plan next year, which will likely fall under the broader data umbrella given our dependence on data.”
Chief Audit Executive, multinational UK engineering and manufacturing company

China’s standard

It is not only the EU that is bearing down on data privacy. In June 2017, China introduced its own extensive law that bridges the gap between cybersecurity and data protection, in essence merging the provisions of the EU’s NIS Directive and GDPR. In many respects the Cybersecurity Law of the People’s Republic of China (CSL) accords with the GDPR, for example in requiring consent for data collection and protections against loss through encryption. However, there are other major considerations for multinationals, since “critical infrastructure” such as utilities companies and banks must store personal information collected in China inside the country, which may require repatriating data from overseas Cloud services. In addition, companies will have to submit to a review by regulators before transferring large amounts of personal data abroad. Any organisation concerned that it may be exposed to compliance risk in relation to CSL should seek expert legal advice.

An internal audit perspective

Legal and IT teams are already addressing GDPR compliance, and internal audit is well placed to provide assurance by conducting a top-down risk assessment of how likely the organisation is to comply, by using gap analysis techniques to review existing controls and identify key areas that require improvement, and by consulting on the practical implementation of new controls and processes.

Key questions:

- Has a risk assessment been conducted to understand whether the organisation is compliant and where further work is required?
- Has the organisation mapped out its personal data assets (as distinct from other data assets)?
- Is the organisation’s cyber perimeter secure and are personal data assets protected, e.g. encrypted?
- Does the organisation process personal data on a “large scale” and, if so, has an internal/external DPO been appointed?
- Do assurance providers have access to the DPO role, however it is provided?
- Has a reporting procedure to the relevant national authority been established for use in the event of a personal data breach?
- Has the organisation established a programme to raise awareness and train personnel on the management, security and disclosure of personal data?
- Have data protection principles been enshrined into contracts with relevant third parties/data processors?
- Are measures in place to ensure the organisation remains compliant after 25 May 2018, including adding a work programme to the audit plan for 2018/19?

US companies are prioritising GDPR

GDPR awareness

92% of US companies consider compliance with the EU’s GDPR a top priority on their data-privacy and security agenda in 2017 (Source: PwC)

51% of executives and IT security professionals believe GDPR will impact their companies, 33% don’t see it impacting them, 11% are unsure and 5% are not familiar with GDPR (Source: Imperva)

“GDPR and the implications of that are gaining prominence. The company has set up a multi-disciplinary team with external support to look at how we get from where we are today to where we need to get to at the point the legislation goes live, and beyond. From an assurance perspective, the audit committee will want us initially to assess the programme itself but then for us to develop our own programme on an ongoing basis to make sure the business has the right processes in place in order to continue complying.”
Chief Audit Executive, Euro Stoxx 50 multinational banking group

CYBERSECURITY: A PATH TO MATURITY

The global Wannacry attack, which was reported to have infected more than two million computers in over 150 countries, brought cyber resilience and information security into sharp focus in 2017.

Within 24 hours the cryptoworm, a type of self-propagating ransomware, had taken hostage the IT systems of major organisations from the UK’s National Health Service to Spain’s Telefónica, FedEx and Deutsche Bahn, to name just a few. If boards were already thinking about prioritising cyber assurance, then Wannacry, and later Petya, a global attack that followed shortly after, escalated this item to the top of audit committee agendas for 2017, and it will continue to be a high priority through 2018.

Of course, cybersecurity has by now already established itself as a key business risk. Digital information permeates practically all aspects of businesses’ operations, regardless of sector, from customer data to intellectual property to HR records. This trend is only set to increase as organisations exploit the Internet of Things, migrate more of their operations to the Cloud and transition to data-dependent, digital-led business models. This means that virtually all organisations are exposed, not only to external cyber criminals and hackers, but also to malicious employees and careless workers who fail to follow procedures.

Awareness versus preparedness

There is a persistent gap between organisations’ cyber risk awareness and their preparedness to withstand potential attacks, which must be closed. Notably, 62% of organisations expect cyber risk to cause disruption in the next three years, and yet 74% have low or no cyber risk maturity [3]. Clearly this is a cause for serious concern.

In recent years governments have responded to the rising threat by launching centres of expertise, such as the UK’s National Cyber Security Centre and Spain’s National Cryptologic Centre, to defend public administration systems and warn the private sector of emerging threats. Europe-wide bodies such as the European Cyber Security Organisation have also been established to promote cyber innovation and best practice.

Additionally, government guidance and certification programmes are a good place for organisations to start fortifying themselves against breaches, and give internal audit a foundation for providing fundamental assurance to the board. For example, by now every UK organisation should have undergone a Cyber Essentials Plus evaluation, and while this is only open to organisations based in the UK, all businesses should at the very least have adopted the scheme’s five key controls (see page 13).

Once the basics are covered, organisations have a choice of guides and frameworks to adopt, such as the NIST Framework for Improving Critical Infrastructure Cybersecurity, ISACA COBIT 5 and the Emerging Cyber Nexus, the SANS Institute and the Top 20 Critical Security Controls, and the PCI DSS Control Catalog. As well, internal audit functions should consult the Institute of Internal Auditors’ Global Technology Audit Guide ‘Assessing Cybersecurity Risk: Roles of the Three Lines of Defence’ for guidance on how they can add assurance value.

Installing basic controls, adopting a framework that suits the organisation and positioning internal audit to assess the effectiveness of these initial measures are essential to reaching at least a modest level of cyber risk maturity.

Cyber culture

Understandably, organisations tend to view cybersecurity through a technical lens, investing in the latest security tools and then seeking assurance that these are working and that controls and procedures are of a sufficiently high standard. However, while the behaviour of correctly configured and maintained software and technology is relatively predictable, the same cannot be said for user behaviour. Mission critical data can be compromised or lost through the carelessness of employees. It is therefore critical that - in addition to controls and technical defences such as firewalls - organisations embed a cyber culture that manifests itself in staff behaviour and is developed through company-wide training and awareness programmes.

“We have been doing audits regarding cyber threats, data loss, network security, mobile devices and so on for three or four years, and it’s an area where we need to increase our focus. Unlike the more traditional, operational risks, technology is constantly changing, so just being stable doesn’t help you for the future. We have to keep track of what is changing so that our situation doesn’t erode further.”
Chief Audit Executive, multinational Spanish construction and infrastructure group

The gap between cyber awareness and cyber preparedness persists

62%: 62% of organisations expect cyber risk to cause disruption in the next three years (Source: PwC)
74%: Yet 74% of organisations have low or no cyber risk maturity (Source: PwC)

“People talk about digital disruption and innovation and how that will impact upon them, but are they still doing what they should about their legacy systems? What happened earlier in the year with the global Wannacry attack shows what can happen when organisations forget about all of the open back doors. We’re setting up an IT audit specialism at the moment, bringing together our people with capabilities in that area and seeing how we can enhance our offering.”
Director, UK government agency

All employees, including contractors and remote workers, must understand exactly what is expected of them with regards to policies and behaviours. This organisational response is one of the most crucial steps in mitigating cyber/IT vulnerability risk. In this respect, internal audit can play a valuable role by providing assurance not only that cyber controls are in place and working, but that cyber risk awareness is high and best practice is reflected in employee behaviour.

Cyber compliance

In addition to the need to protect valuable information assets and the organisation’s reputation, there is a compliance component to consider. We have dedicated a topic to the EU’s incoming GDPR (see page 6) because it applies to all businesses and is distinct in that it concerns personal data only. What gets less attention is the Security of Network and Information Systems (NIS) Directive, which by 9 May 2018 will be implemented into national law. NIS, which applies to “operators of essential services” in both the private and public sectors, is more concerned with network security and the continuity of services. Unlike GDPR, NIS does not impose fines for data breaches, only for not reporting hacks. The first step for all organisations is to determine whether they fall under the scope of the directive, which covers energy, transport, banking and financial market infrastructures, health, water, elements of public administration, and certain digi
