The rise of emerging markets, rapid shifts in information technology, privacy, cybersecurity, changing consumer and market demands, rapid shifts in global laws and regulations and heightened investor pressures have produced a new environment of uncertainty, complexity and risk.
Faced with those new realities, management, audit committees, boards, and other stakeholders have begun asking internal audit (IA) to provide them with comfort as well as insight into these risks. However, it is becoming increasingly difficult for IA departments to staff the requisite skills to effectively meet stakeholder demands.
The need for IA to embrace an expanded advisory role is acute, because the risk landscape keeps shifting, and IA functions are expected to keep pace. While top executives surveyed for the PricewaterhouseCoopers 2013 Risk in Review study cited potential economic shocks and increased political and regulatory pressures as top risks, those executives’ attention had shifted significantly by the time we conducted our 2014 study. Today, our executive respondents’ most oft-cited concern is technological change and information technology (IT) risk.
In December 2013, hackers stole 40 million credit card numbers from the records of a retail giant. A month earlier, data from some 152 million user accounts had been stolen from a major technology company, along with source code to several of the company’s software products.
Many organizations have been scrutinized by regulators for privacy concerns. For example, regulators closely monitor how companies collect, store, use, share, and destroy data, and whether or not they are complying with their own privacy notices.
Meanwhile, other news stories are showing that threats arise not only from beyond company walls but also from within the corporate sphere. Recent massive leaks of classified documents provide a prime case in point, exposing the dangers of giving third-party contractors access to sensitive information or failing to properly control employee access to confidential or sensitive information.
Beyond the potential for catastrophic data breaches and privacy incidents, businesses are also concerned about the broader disruptive effects of technological change, including the potential for system failures, exposures stemming from cloud storage or mobile device usage, third-party data risks, reputational risks from social media, and the tendency of rapid innovation to drive customer demand and thereby shorten the shelf life of new products and services.
Consumers’ expectations also continue to evolve. For example, the TRUSTe 2014 U.S. Consumer Confidence Index (registration required) showed that 89% of consumers say they avoid doing business with companies they think do not protect their privacy online.
At least 50 countries have enacted data privacy laws, and more are expected to follow. While some countries (including the United States) lack general data-privacy laws covering all industries, they often have regulations that apply to certain sectors.
Regardless of industry, all companies that collect consumer data must comply with the privacy and security commitments made to their customers in their privacy policies/notices or face potential regulatory action from agencies such as the Federal Trade Commission.
So, where does IA come in?
With the confluence of cyberthreats, rapid technology and process change, and evolving consumer and regulatory privacy and security expectations, IT isn’t just about keeping the lights on anymore.
Today, IT, privacy and information security can be either value enhancers or brand killers—depending on an organization’s skills and focus. But where do those skills live and how robust are they?
With so many businesses moving to solutions involving the cloud, managed hosting or outsourced services, the need for in-house IT capabilities has been reduced, potentially leading to a collateral reduction in the company’s level of control over its IT environment.
As that environment continues to evolve, businesses need IA to take the initiative and be more involved in the entire lifecycle of data. For example, IA should be strengthening processes and controls before a security or privacy problem emerges.
Post-breach, IA can provide objective assessments of IT systems, privacy notices, processes, and procedures, offer assurance around controls, and recommend improvements in IT and privacy control structures and governance.
Even at companies whose in-house IT and privacy resources remain robust, IA can add value by performing regular, managed assessments of controls and providing an assertive voice on upping the company’s game in IT, privacy and cybersecurity.
The name of that game? Guarding against security and privacy weaknesses, ensuring the uptime of operations, protecting the brand and increasing shareholder value through innovation.
At a high level, IA needs to ask such questions as: Are we as a company thinking about IT, security and privacy strategically—the way we think about the business?
Are our IT, privacy, and information security strategies aligned with our business strategy?
And are we managing our IT portfolio and setting our resource allocations in ways that align with our IT and business strategies? For example, if we have an IT strategy that involves implementing a new enterprise-resource-planning (ERP) system and a new data warehouse during the current fiscal year, do we have sufficient personnel with ERP specialization and data-warehouse experience? If not, what is the strategy to fill this critical gap?
If the gap is to be filled with third parties, how does that affect the company’s risk profile? If we make a change to an IT system or process, have the privacy and security implications been considered?
At a granular level, IA can provide assessments of:
In the face of persistent IT privacy and security threats, accelerating IT infrastructure demands and market pressures for constant technical evolution, businesses’ need for security assurance is profound.
Even if an organization has strong IT and data- security policies and controls, it shouldn’t be satisfied with the adequacy of those defenses if it doesn’t continually verify that they’re sound, uncompromised, and applied consistently. Making those assessments, providing that assurance, and offering recommendations for improvement is where IA comes in.
Clearly, IA has a significant role to play in helping their company understand, monitor and mitigate IT related risks of all kinds. The question then becomes, does your IA department have the capabilities to make a difference?
Frequently, IA functions do not have the technical capabilities to complete thorough security and privacy assessments. Assigned a wider mandate over data and systems, some IA functions take a can-do stance that belies their limited skill sets.
For instance, an internal auditor might perform a perfunctory, one-off website security audit that tests only against known threats and leave unaddressed certain risks from emerging threats and zero-day system or application vulnerabilities.
With so much at stake, such low-level audits fail to fulfill even IA’s basic mandate of value protection, much less an expanded mandate of value creation and innovation. They also run the added risk of giving companies a false sense of comfort.
With both the present and the future so clearly dominated by technology, it’s no wonder executivesexpressed deep concern about capability gaps around risk data and analysis, deficient cybersecurity and a lack of technology skills to support new digital strategies in PwC’s 2014 Risk in Review study .
To correct those gaps and meet stakeholders’ expanded expectations, IA leaders must reevaluate their talent models and bring in resources with specific skills around such critical business risk areas as cybersecurity, data privacy, specific IT platforms, and business continuity.
Dave Roath is the IT risk and security leader at PricewaterhouseCoopers (PwC), and a partner in the firm’s risk assurance practice. Carolyn Holcomb is the data protection and privacy practice leader at PwC and a partner in the firm’s risk assurance practice.