Baptist Health South Florida IIA Miami Top Challenges Facing Internal Audit Departments 2016
Agenda
1. Cybersecurity
2. Culture
3. Timely Identification of Risk
4. Data Analysis
Cybersecurity
Cybersecurity
- 90% of all organizations (worldwide) have been breached in some way (whether they know it or not)*
- Healthcare information highly coveted by cyber criminals
- #1 for cyber attacks in 2015
- 5 of the 8 largest breaches in healthcare since 2010 happened in 1st half of 2015
- More than 111 million health records compromised (35% of U.S. population)
* Study published by Cryptozone
Ransomware
Ransomware is a form of malware that targets both human and technical weaknesses in organizations and individual networks in an effort to deny the availability of critical data and systems.
Ransomware
- From March to April 2016: >159% jump*
- Hollywood Presbyterian Medical Center paid $17,000 ransom "in the best interest of restoring normal operations"
- 50% of hospitals have been targeted by ransomware in the past year**
- Ransomware attacks expected to increase in 2016***
* Report by Enigma Software
** HIMSS Analytics 2015 Survey
*** 2015 Report by Intel
Ransomware
- Education
- Have a plan
- 46% of breaches come from negligent insiders*
- Fake phishing campaign
- What to do if you get phished
- Back up your data
- Limit system access
- Filter your email
- Whitelist of websites and apps
- Test recovery and remediation plan
* HIMSS Analytics 2015 Survey
Ransomware Audit Response
- Technical Vulnerability Assessment
  - Available through public internet
  - Accessible within our environment
- Cyber Security Incident Response
  - Simulation of significant incident
Culture
Culture
[Charts not reproduced: "Root Cause of Non-Compliance"* and "Areas of Compliance Focus"]
* Convercent
Culture
- Toxic culture is a common theme in corporate scandals
- Culture is a key element in the control environment and governance
- 58% of audit departments do not audit culture*
- More than 50% of auditors see organizational culture as high risk*
- But internal audit's focus is usually here
- Problems with the culture start here and affect the whole organization
* Source: The Pulse of Internal Audit survey: 2016 The IIA Audit Executive Center.
Culture
What is culture? (percentages listed as: ranked first, ranked second)
- Behavior modeled by executive management: 55%, 20%
- Direct communication from other employees: 21%, 33%
- Establishment of a code of conduct: 17%, 17%
- Behavior modeled by other employees: 13%, 3%
- Formal training on a code of conduct: 9%, 1%
- Enforcement of a code of conduct through disciplinary measures: 5%, 1%
Source: The Pulse of Internal Audit survey: 2016 The IIA Audit Executive Center.
World's Most Ethical Companies
Who are they?
- 131 Honorees
- Publicly Traded (74%)
- Fewer than 25,000 Employees (56%)
- Manufacturing (10%)
- Insurance (8%)
- Over $5B Revenue (80%)
- 21 Countries
World's Most Ethical
- Culture of Ethics: 20%
- Compliance & Ethics Program: 35%
- Citizenship, Sustainability & Corporate Responsibility: 20%
- Governance: 15%
- Leadership, Innovation & Reputation: 10%
A Measurable Difference 6X Honoree
Culture
Identifying Healthy Organizational Culture
- Strong governance with clear policy and procedures
- Communication of policy and procedures throughout the organization
- Clear and consistent "tone at the top" communication from senior management regarding their expectations around control and appropriate behavior
- Consistent application of policy and procedures to all levels of management without exception
- Alignment of rewards to the right behaviors
Source: The Pulse of Internal Audit survey: 2016 The IIA Audit Executive Center.
Culture
Sample audit techniques:
- Checklist (policies, code of conduct, leadership communication)
- Surveys
- Consider incentive programs (perverse incentives)
- Interviews
- Start small (department level)
- Review of social media
Culture
Barriers to Addressing Culture
- 24% do not believe internal audit has freedom to assess the entire organization and staff.
- 35% do not believe internal audit has full support of executive management to assess the entire organization and staff.
- 23% do not believe internal audit has full support of the board or audit committee to assess the entire organization and staff.
Among those who DO NOT audit organizational culture, 45% reported that they agree or strongly agree that internal audit is able to identify and assess measures of organizational culture.
Timely Risk Identification
Assessing Emerging and Evolving Risks
- 93% of CAEs use risk-based methodologies when planning
- But, emerging risks present a challenge
- Risks often materialize with little or no warning
- Decades of accumulated value can evaporate
- We must be able to audit at the speed of risk
Source: The Pulse of Internal Audit survey: 2015 The IIA Audit Executive Center.
Identifying Emerging Risks is Critical: But Confidence is Lacking
Organization's ability (percentages listed as: Identify, Respond)
- Extremely confident: 3%, 4%
- Very confident: 32%, 31%
- Moderately confident: 45%, 42%
- Slightly confident: 15%, 17%
- No confidence: 5%, 6%
52 percent of CAEs consider identifying emerging risks to be their biggest challenge.
Source: The North American Pulse of the Profession Survey: 2013 The IIA Audit Executive Center
Source: The Pulse of Internal Audit survey: 2015 The IIA Audit Executive Center. Total may not equal 100% due to rounding.
Continuous Risk Assessment is Still Aspirational for Many
- 41% of audit departments do periodic updates to their risk assessment
  - Interviews
  - Surveys
  - Headline checks
- 13% do Continuous Risk Assessment
  - Monitoring of KRIs (manually or automated)
  - Analytical Review
Source: The Pulse of Internal Audit Survey Conducted in collaboration with the 2015 Common Body of Knowledge Study, 2015 The IIA and The IIA Research Foundation. All rights reserved. No part of this data may be copied, reproduced or otherwise disseminated without explicit permission from The IIA.
Typical Internal Audit Plans Are Not Very Dynamic
How would you describe the development of the audit plan at your organization? (Frequency)
- Developed once each year and not changed during the year: 12%
- Developed once each year and updated 1 or 2 times per year: 40%
- Developed once each year and updated 3 or more times per year as risks change: 27%
- Highly flexible plan matched to the organization's changing risk profile: 19%
Source: The Pulse of Internal Audit Survey Conducted in collaboration with the 2015 Common Body of Knowledge Study, 2015 The IIA and The IIA Research Foundation. All rights reserved. No part of this data may be copied, reproduced or otherwise disseminated without explicit permission from The IIA.
Note: 1.3% indicated "other" as a response to this question.
Taking Action When Risks Emerge is Vital!
- 70 percent of CAEs viewed cyberattacks as a high or critical priority (AEC Pulse of Internal Auditing)
- But, only 53 percent say auditing cybersecurity risk is part of this year's plan (Protiviti 2015 IA Capabilities and Needs Survey Report)
Source: The Pulse of Internal Audit survey: 2015 The IIA Audit Executive Center.
Data Analysis
Data Analysis
- 90% of all data in the world was created in the past two years*
- Every day, 3 times per second, we produce the equivalent of the amount of data in the Library of Congress**
- Unstructured data will account for nearly 80% of all enterprise data by 2017***
* IBM
** Nate Silver, American Statistician
*** FDC
Data Analysis Really, Really. BIG Data
Data Analysis
Definition of Big Data: data sets with sizes beyond the ability of commonly-used software tools
Data Analysis
37% indicated that data mining and analytics skills are very or extremely essential to their internal audit function's ability to perform its responsibilities.
Source: The Pulse of Internal Audit survey: 2016 The IIA Audit Executive Center.
Data Reliance
Problems can arise from data collection, data analysis and decisions made based on data.
- Is collection and use of the data legal and ethical?
- Has the organization confirmed the data's appropriateness, accuracy, and completeness? Data often contains gaps and inaccuracies.
- Was the right expertise involved in evaluating the data to ensure the evaluation is not biased or flawed? The difference between correlation and causation is not always well understood.
Data Reliance
USE OF DATA IS GROWING. IS INTERNAL AUDIT SUFFICIENTLY INVOLVED?
- 17% reported that internal audit is very or extremely involved in evaluating the quality of data used in their organization.
- 36% reported that internal audit is moderately involved in evaluating the quality of data used in their organization.
- 47% reported that internal audit is slightly or not at all involved in evaluating the quality of data used in their organization.
Source: The Pulse of Internal Audit survey: 2015 The IIA Audit Executive Center.
Summary
- We must move out of our comfort zone
- We must stay current on risks
- Status quo doesn't work any more