37WCARS-K 2 M Loeb - RAWraw.rutgers.edu/docs/wcars/37wcars/Presentations/...Security Matters to...

MattLoebISACACEO

September17,201637WCARS

Agenda

� ADisruptiveandChangingWorld� ImpactonAuditors� ImplicationsfortheFutureWorkforce

ADisruptedWorld

� Digitaldisruptionisalreadyhere� World’sbiggesttaxiservice…hasnotaxis(Uber)� Popular‘banks’…don’thavevaults(Venmo,M-Pesa)� Mostpopular‘hotelservice’…doesn’townahotel(AirBnB)

� Transitioningfrom‘valuechain’businessmodelstodigital‘ecosystems’

Source:PeterWeillandStephanieWoerner:ThrivinginanIncreasinglyDigitalEcosystem;MITSloanManagementReview,Summer2015

BusinessModelsfortheDigitalEconomy

Source:PeterWeillandStephanieWoerner:ThrivinginanIncreasinglyDigitalEcosystem;MITSloanManagementReview,Summer2015

Towards21,000,000,000+Devices

� Gartnerpredictsthatby2020,20.8billiondeviceswillbeinuseworldwide.Thisincludes:• Connectedvehicles

• IndustrialandconsumerIoT

• Mobiledevices

• Operationaltechnology(e.g.biomedicalandindustrialcontrolsystems)

Source:www.gartner.com/newsroom/id/3165317

IncreasingTechComplexity� Inadditiontothenumberofdevices,technologycomplexityisalsoincreasingwithintheinfrastructure

� Containers� Virtualization� Externalization(cloud)� Softwaredefinedinfrastructure

Source:Ruxit

ImpactonPractitioners� Relativetobusinessandtechnologypeers,auditorsneedtodomore toevaluaterisk…andtheyhavelesstime todoitin.

� Tworeasonsaredrivingtheseconstraints:• Differentialinriskvs.usagedecisionmaking

• Adoptiondynamics

Source:F.Schettini;KeyLessonsfromtheITAuditDirectorForums;June14,2016

DifferentialinRiskvs.UsageDecisionMaking

� Consideranautomobile…

Image:Source:commons.wikimedia.org/wiki/File:Citroen_concept_car_-_Flickr_-_Supermac1961.jpg

Answering“howdoIuseit?”:• Learnrulesoftheroad• Learntodrive• Understandvehiclemaintenancerequirements• Anythingelse?

Answering“isitsafe?”:• Learnrulesoftheroad• Learntodrive• Weather/trafficconditions• Seatbelts/safetyfeatures• Steeringanddrivecolumncondition• Route/stobetraveled• Tirecondition• Engineservicehistory• Roadmaintenance/condition

AdoptionDynamics

� Askyourself:whendoestheauditorlearnaboutusage?� Insomecases,itmayonlybeafterusageisalreadyprevalent:

• ShadowIT

• Auditcycleplanning(typicallyannually)

• “Discoverygap”fornewapplicationsandusage

•Individualuse•Usedinisolation•Limitedusescenarios

“Solo”phase

•Usagebroadens•Smallteams•Usageintegratesintobroaderworkflow

Smallteamphase •Smallteamsjoinforces

asusagegrows•Usageintegratesbetweenteamsandotherapps

Integration

•Usagebecomesenterprise-wide•Partofnormativeoperations

Standardization

TheImpact

• “…shorteneddeploymentlifecycle[s]willrequiremoreagileauditingtechniquessuchascontinuousauditingandauditautomation…Theprofessionmustbecometechnologicallyastute,notonlytounderstandit[technology]butalsothecapabilitytouseitinnovelmannerstosupporttheauditfunction aswellastheforesighttoproposenewtechnologyadvancementstosupporttheprofession.”

—ISACAFutureofITAuditReport

• Some“hardquestions”:� Isyourteam“technicallyastute”

enoughtofacewhat’scoming?

� Areyoustayingontopofthenewestadvancementsintechnology?

� Areyourauditingtechniquesagile,continuous,andautomated?

TopTechnologyChallenges:YoYTrends

Source:Protiviti andISACAjointITauditsurvey,“AGlobalLookatITAuditBestPractices”

TheRoadAhead

DigitalSolutionsBringDigitalConcerns

� Increasedsystemscomplexityandrisk� GreaterBoard-levelinvolvementinIToperations,strategy,etc.� Fastercyclesofinnovation� RobustROIontechnologyinvestmentsexpected

� IncreasedandmoreprominentrolesforITRisk,Audit,andGovernance,aswellasCyberSecurity

HolisticPerspective

• Rapidchangeisthenorm:organizationsmustevolvetheirpolicies,processes,people

• Agileandflexibleistheorderoftheday

• Technologyexpandingandmaturing• NewdevelopmentslikeIoT,mobile,cloud,changebusinessesandcanbenefitauditors

• What’syourplan toleveragethem?

• ChangesneedtobeassessedmorebroadlythanjustIT

• Doyouhaveaprocesstoidentifynewrisks?• Toupgradeagingtechnology?• Topreventsecurityandprivacybreakdowns?• Havingaplanmeansaddressingthesequestionsheadon.

BestPractices:Actions� Keepbusinessinformedaboutemergingriskandperspectivesinstrategy

� Auditmustalwaysaskandanswer:Arewemakingprogress?Arewedoingwhatweneedtodotogetwherewewanttogo?

� Answeringmeansbothan“elevatorpitch”andsystemicmetrics

� CommunicatewithmanagementandtheauditcommitteeregularlytoemphasizetheimportanceofconductinganITriskassessment

� ConsiderlinkingyourITauditriskassessmentwiththeERMcatalogtoshowtheintegrationbetweenthetwo

� EnsurethatITandcybersecurityrisksareunderstoodandmonitoredasstrategic-levelrisks,whenwarranted,andasamatterfortheboardofdirectorsandauditcommitteetomonitorregularly

BigData,Analytics,andVisualization:PotentialImpacttoITAudit� OrganizationalimpactIftheorganizationisusingbigdatatodrivedecisionmaking,ITAuditshouldaudithowbigdataismanaged.

� DataintegrityIftheorganizationreliesheavilyonbigdata,ITAuditshouldauditdataintegrity.

� ITauditexecutionITAuditcanusebigdatatoperforminternalauditsinnewways.

� VisualizationNewwaysoflookingatdatacanopenupopportunitiesforauditors

BigData,Analytics,andVisualization:ActionItems� “Checkingthebox”isnotDataAnalytics

� Theorganizationmusthaveastrategytomanagethedatalifecycle– creation,integrity,normalization,destruction,etc.

� It’saprocess,notaproject� Don’tstopexpandingthescopeofdataanalytics.Startsmallandbuild.

� Visualization=opportunity� Investigatefreeorlow-costdatavisualizationtoolstofindvalue,proveworth.

CloudandShadowIT:KeyCloudRisks

CloudandShadowIT:MainConcerns

� ShadowIT� CloudServiceProviderOperations� PoorDueDiligenceandDecisionMaking� PoorVendorManagement� MultipleJurisdictions=MultipleRegulations� PoorGovernanceoverCloud� LegacyApplicationsarenotCloudReady� ROIErodesbyUnexpectedExpenses

AuditingCyberSecurity:WhyCyberSecurityMatterstoAudit� Securityhasbecomeaboardandexecutivelevelissue.

� Mustensuretheenterprise’scybersecurityprogramisdefensibleincourt.

� ITandITSecurityhavetechnicalexperience,butauditunderstandsthatallriskisbusinessrisk.

� Thereisalotofinformationoncybersecurity.Butthereisnotanequivalentamountofinformationonhowauditshouldaddresseffortstodealwithcybersecurityrisk.

� Withinthenextfewyears,externalauditingfirmsmaycountcybersecuritycontrolsas“inscope”aspartoffinancialaudits.

� Theproblemisnotalackofexpertise;itisalackofdialogue.

AuditingCyberSecurity:ActionItems� Ensurecybersecurityriskisintegratedformallyintotheauditplan.

� Leverageapplicablenationalcybersecurityframeworks(suchasNISTintheU.S.)toincreasedefensibilityandefficiency.

� Identifyandactonopportunitiestoimprovetheorganization’sabilitytoidentify,assess,andmitigatecybersecurityrisktoacceptablelevels.

� Recognizethatcybersecurityriskisnotonlyexternal;assessandmitigatepotentialthreatsthatcouldresultfromtheactionsofanemployeeorbusinesspartner.

TalentAcquisitionandRetention:InternalAuditIncreasingExpectations

Source:PwC’s18thAnnualGlobalCEOSurvey(2015)

TalentAcquisitionandRetention:InternalAuditIncreasingExpectations

Source:PwC’s18thAnnualGlobalCEOSurvey(2015)

TalentAcquisitionandRetention:Modern-DayChallengesinRecruiting� Riseofthecontingentworkforce,growthoffreelanceeconomyAsmorepeopleseekflexibleworkopportunities,theyareturningtopart-timepositionsandfreelancework.

� TechnologicaladvancementsPeoplewanttowork,accessandshareinformationthewaytheylive—constantlyconnectedwithanybody,anytime,andanywhere.

� Multi-generationalworkforceFourgenerationscomprisetoday’sworkforce;eachonebringsuniqueperspectives,attitudesandcommunicationandworkingstyles.

Source:PwC’s18th AnnualGlobalCEOSurvey(2015)

TalentAcquisitionandRetention:ActionItems� Usethemostmoderntechniques.

Ifanorganizationisusingoutdatedtechniques,andnotbecomingautomated,itwilllosemillennialsanddigitalnativesquickly.

� Buildanexperiencethatmatchesthetypeoftalentyouaretryingtoattract.

� Speaktheirlanguage.

� Sellwhatthebusinesshasratherthanonlythejobitself.

� Givethemmorethanjust“gruntwork”;focusonwhatmotivatesthem.

� Givethemexperiencesoutsideoftheoffice.

� Giveunexpected,surpriserecognition

� Offerflexibleworkarrangements

FutureofWork� Thecoming“newnormal”:

• “On-demand”economyaschiefdriverofglobaleconomy

• “Mobile-first”workforcesutilizingSMACtechnologiestomaximizetheirorganizations’effortsasdigitalleaderswillbestandard,acrossallindustries,atalllevels

• Robustandcontinualupskillingandreskilling,withlearningdeliveredfromformal,informalsources

Source:2016,Volume2,McKinseyQuarterly:DigitalStrategy:TheEconomicsofDisruption;LearningattheSpeedofBusiness

DigitalNatives:TheDriversofTomorrow’sDigitalEcosystemsAreAlreadyArriving� Digitalcompaniesthrivingasdriversofdigitalecosystemsarealready hiringdigitalnativesandcreatingdigitalworkplaces

� Fordigitalnatives:� Theworldison-demand,flexible,andborderless� Personal/organizationalinterfacesareexpectedtobedigital—liketherestoftheirworld

Source:2016EMC2 WhitePaper:CompetingforDigitalCustomers:WhyCompaniesMustEmbraceDigitalTransformationNow

FutureofLearning� Corporatelearningexpectedtochangedramaticallyinfuture� Increasingpresenceofdigitalnativesintheworkforcewillbeaprimarydriverofthesechanges

� TheNewNormal:Contentinthecloud,accessedbymobiledevicesemployingmultiplelearningenvironments,andoftengenerated,sharedandcuratedbytheusercommunityitself

NextGen LearningEnvironments:LearningattheSpeedofBusiness

37WCARS-K 2 M Loeb - RAWraw.rutgers.edu/docs/wcars/37wcars/Presentations/...Security Matters to...

Documents

Use Cases for Text Mining in the Audit - RAWraw.rutgers.edu/docs/wcars/37wcars/Presentations/... · • Text (e.g. “Vendor is responsible for shipping and return cost”) – Proposed

O Tribunal de Contas da União e a Auditoria Contínua - 12th CONTECSI 34th WCARS

Problems of Defining and Reforming Auditor Liability - RAWraw.rutgers.edu/docs/wcars/24wcars/24 WCARS Abstract.pdf · Problems of Defining and Reforming Auditor Liability Timothy

Artificial Intelligence: Déjà vu all over - RAWraw.rutgers.edu/docs/wcars/47wcars/Presentations/10. 2019... · 2019-11-13 · Artificial Intelligence: Déjà vu all over again Miklos

PRESENTATIONS Alexander Koganaccounting.rutgers.edu/docs/wcars/37wcars/Presentations...Excel VBA application. We created a model on the fraudulent code detection process. Second, we

A Maturing Focus - RAWraw.rutgers.edu/docs/wcars/21wcars/presentations/simpsonCA.pdfA Maturing Focus Presented by: ... SOX/SAS automation, etc 6. ... • She enters and approves excessive

Continuous Auditing at Siemens - RAWraw.rutgers.edu/docs/wcars/8wcars/RodBrennan_presentation.pdf · environment for product ional model •Implement a limited Scope Productional

Anytime, Anywhere, .. 1 - RAWraw.rutgers.edu/docs/wcars/38wcars/Presentations/Presentation-See… · Anytime, Anywhere, .. Ive really appreciated working with SeekEdgar. The flexibility

SPED, XBRL and Continuos Auditing - 12th CONTECSI 34th WCARS

Automated Clustering Project - 12th CONTECSI 34th WCARS

Exceptional Exceptions - 12th CONTECSI 34th WCARS

Speaker Profiles - RAWraw.rutgers.edu/docs/wcars/28wcars/speaker bios.pdf · solutions using a variety of software applications and worked on a centralized risk and internal ... XBRL

Insights On Demand - RAWraw.rutgers.edu/docs/wcars/40wcars/Presentations/PatrickTaylor.pdfOracle SAP Corporate Card MC AMEX VISA ... Exception Rate: A measure of Behavior (change):

Insights On Demand - RAWraw.rutgers.edu/docs/wcars/38wcars/Presentations/Michael Cangemi... · –OK -----so one out of three isn’t bad Seriously he had an important Board meeting

25º. WCARS – World Continuous Auditing and Reporting Symposium

the PFGBest Fraud - Rutgers Accounting Web | RAWraw.rutgers.edu/docs/wcars/26wcars/26WCARS_Presentations/Brian Fo… · ... CPA, MBA • Founder and Chief Marketing Officer, Capital

Rutgers Accounting Web | RAW - Platinum Sponsorsraw.rutgers.edu/docs/wcars/47wcars/47 WCARS Preliminary... · 2019-10-25 · 47th World Continuous Auditing & Reporting Symposium Preliminary

Dr. Kishore Singh & Prof. Peter Best Department of Accounting, …raw.rutgers.edu/docs/wcars/37wcars/Presentations/37WCARS-1_6-K… · Griffith University. Introduction Modern ERP

Cybersecurity Myths & Fallacies - RAWraw.rutgers.edu/docs/wcars/38wcars/Presentations/Sensato... · Cybersecurity Myths & Fallacies. ... Cyber-Terrorism. Cyber levels the worldwide

25º. WCARS – World Continuous Auditing and Reporting …