Information Technology Risks in Today s Environment

Similar documents
Data Standards in Oil & Gas

Managing FTI Data Compliance. Addressing Publication 1075

Implementing Analytics in Internal Audit. Jordan Lloyd Senior Manager Ravindra Singh Manager

Deloitte Governance Framework and Maturity Model

Mid-market technology trends: Leveraging disruption to drive value The Dbriefs Private Companies series Anthony Stephan, Principal, Deloitte

Software asset management: Where is the market headed?

Are Containers the New Golden Hammer? Tracy Bannon Lori Olson

Securing Enterprise Social Media and Mobility Apps

Budgetary Resource Risk Management Unliquidated Obligations (ULOs) - Recovery and Prevention September 2014

Internal Audit and Technology Sustainable Analytics

Appointing, Assessing, and Compensating the Independent Auditor The Role of the Audit Committee

Courageous Principals From Insight to Action. Deloitte University, The Leadership Center

Internal Audit (IA) for Social Media

Legacy System Modernization. Imperatives. Challenges. Approach. Case Studies. PA TechCon. May 4, Considerations

Creating a Risk Intelligent Enterprise: Risk governance

Four faces of the CFO

Extended Enterprise Risk Management

SATURN th Annual SEI Architecture Technology User Network Conference

Creating a Cyber Competencies Model Tool for Workforce Development

COSO Updates and Expectations. IIA San Diego Chapter January 8, 2014

ISACA San Francisco Chapter

Securing Capabilities in the Cloud: Security and Privacy in the Evolution of Cloud Computing

DevSecOps Embedded Security Within the Hyper Agile Speed of DevOps

Modernizing compliance: Moving from value protection to value creation

Federal CFO Insights Real solutions to win the fight against improper payments and fraud, waste and abuse

Capability-led Transformation in Banking. A robust approach for today s banking challenges

An intelligent approach to unlocking value in service delivery transformation Focus on risk from the start

It s time to revisit your anti-corruption compliance program How to design an effective and defensible compliance program in response to global trends

A View from the C-Suite: The Value Proposition of Shared and Global Business Services The Conference Board 20th Annual Global Business and Shared

Enterprise Risk Management in Health Care

Enterprise Risk Management Discussion American Gas Association Risk Management Committee Meeting

Ensuring Organizational & Enterprise Resiliency with Third Parties

Audit quality Independent Audit

Partnering with the business to create a successful self-service analytics framework

Welcome to the postmodern era for public sector ERP

Unlock your digital marketing potential

Outsourcing Transparency Evolution: Creating Value Across the Third-Party Extended Enterprise

2017 NASC Annual Conference SESSION G: Postmodern ERP: Back to The Future

Online Risk and Digital Reputation Management For private circulation only. Risk Advisory

Proposed Attestation Requirements for FR Y-14A/Q/M reports. Overview and Implications for Banking Institutions

Extended Enterprise Risk Management

CFOs and CIOs: How do you know when to reach for the clouds?

GAIT FOR BUSINESS AND IT RISK

Internal audit insights High impact areas of focus

International Finance Corporation

Federal Reserve Guidance on Supervisory Assessment of Capital Planning and Positions for Large Financial Institutions.

Strategic Considerations of Major Capital Projects

Securing Intel s External Online Presence

Why Is Third Party Risk Management Important?

Creating a Risk Intelligent Enterprise: Risk sensing

Achieve Continuous Compliance via Business Service Management (BSM)

A guide to assessing your risk data aggregation strategies. How effectively are you complying with BCBS 239?

On the board s agenda US Board oversight of algorithmic risk. Board Effectiveness. Center for. Summary. November 2017

Gross-to-Net Estimates and Accruals - Master Class

Rich Mobile Content. by DigitalMIX. Dynamically publish content without changing a single line of code

ORACLE ADVANCED ACCESS CONTROLS CLOUD SERVICE

Taking labs to the next level with cloud and IoT VELP Scientifica tightens the customer connection

Oracle Cloud ERP - Oil and Gas Industry Enabler for Digital Finance Transformation

Managing Fraud Risk: New Professional Guidance

Four Things That Matter When Choosing Technology for Career Management

Integrate, Optimize, Orchestrate, and Unify One Digital Ecosystem Throughout the Enterprise

Navigating the PCAOB s and SEC s internal control expectations A discussion. June 2015

Integrating Oracle EBS R12 and Maximo EAM Using the Maximo Enterprise Adapter Michigan Oracle Users Summit (MOUS) November 8th, 2017

ERM 101. Casualty Loss Reserve Seminar, Fall /5/ Practical Enterprise Risk Management (ERM) Agenda ERM 101 2

Value-added governance and controls: The need and application of strategic risk Paul Campbell, Katie Pavlovsky and Jeff Suchadoll

Online Risk and Digital Reputation Management. September Risk Advisory

Internal audit insights High impact areas of focus

Risk Management For and By the BOT. Secured BOT Series

Modernizing Compliance: Evolving From a Foundational Program to a Value-Creating Strategic Partner

Deloitte Accelerated Value: SaaS innovation for the digital core. Extending the potential of core systems, addressing tomorrow s needs

Indirect Tax Conference Developing your Customs Function

Audit Committee Performance Evaluation Form

How and Where Organizations are Investing to Help Close Employee Skills Gaps. Corporate Learning Benchmarks & Trends

Where digital HR and the cloud meet Transform engagement, transform work, transform the enterprise

Board Bio Leading Practices. Building your Board Bio Pre-Work for Deloitte Workshop

Risk Analysis (Project Impact Analysis)

Accelerating application management services automation Time to break out the bots?

Enterprise compliance Acting on today s risks to avoid tomorrow s crises

TOP 6 SECURITY USE CASES

The Role of the Board in Strategy & Risk. NACD National Conference Power Breakfast October 15, 2012

Beyond EDI Unlocking new value with transactions enabled by SAP Ariba and the Ariba Network

Take Control. Eliminate Random Acts of Marketing.

ERP IMPLEMENTATION RISK

Sarbanes-Oxley Act of 2002 Can private businesses benefit from it?

Effective implementation of COSO s new anti-fraud guidance

Third Party Risk Management ( TPRM ) Transformation

Becoming Digital May 2017

Enabling a Digital India. Rajarshi Sengupta Senior Director, Deloitte 26 June 2015

High-Impact Succession Management The Performance Model: Key Drivers and Talent Outcomes Andrea Derler, Ph.D., Research Manager, Leadership &

Quality Assessments what you need to know

Modernize Your Device Management Practices Using The Cloud

Building A Holistic and Risk Based Insider Threat Program. An Approach to Preventing, Detecting and Responding to Insider Threats

Solve for now. Build for next. The Deloitte Audit

Deloitte s Third Party Monitor

Beyond Compliance. Leveraging Internal Control to Build a Better Business: A Response to Sarbanes-Oxley Sections 302 and 404

WARRANTY WASTE ANALYTICS

Agenda. Enterprise Risk Management Defined. The Intersection of Enterprise-wide Risk Management (ERM) and Business Continuity Management (BCM)

HR and Business Collaboration for Leadership Development Why It Is Important and How to Make It Happen Andrea Derler, Ph.D.

EFFICIENT USE OF AUDIT COMMITTEES

Transcription:

Information Technology s in Today s Environment - Traci Mizoguchi Enterprise Services Senior Manager, Deloitte & Touche LLP

Agenda Overview Top 10 Emerging IT s Summary Q&A 1

Overview Technology continues to increase in strategic importance and risk to organizations Rapid deployment of emerging technologies creates risk Regulatory requirements and scrutiny is ever increasing Deficiencies in IT controls can have a significant impact on the organization 2

Top 10 Emerging IT s By no means a comprehensive list Will vary by environment May be greater/lesser risk depending on industry, technology, business processes, etc. This list is based on what we see in the marketplace Designed to get you thinking about your IT environments and risk assessment process List is in no particular order 3

1. Social Networking Use of social media technologies is expanding into new areas. Examples include user communities, business collaboration, and commerce. Regulatory requirements are catching up (e.g. financial services organizations). Brand protection Unauthorized access to confidential data Regulatory or legal violations Current company policies may not readily apply Historical audits are insufficient as risks are rapidly evolving. Need to complete an inventory of social media usage, and existing policies, procedures and controls. Draft and execute new audit plan based on emerging risks and current usage within the organization may need to include the HR, IT, and Legal departments. Determine whether a training course should be delivered to employees. 4

2. Mobile Devices Rapid expansion of number of devices, and functionality (e.g., 15+ million ipads in current circulation). mcommerce enabling technologies within companies introduces new risks as well. Loss / release of critical business data Security and identity management Application development challenges ERP integration issues Historical audit procedures are insufficient. Need an inventory of all current allowable devices and corresponding policies & procedures. Evaluate effectiveness of push controls. Understand mcommerce activities and processes/technology. Ensure that controls are in place for lost devices. 5

3. Malware Malware continues to increase in sophistication, and has more avenues for execution (e.g. mobile devices and traditional computing). Most PCs still provide local admin access. Work-at-home flexibility increases issues. Loss or theft of critical information Hardware impacts Cash impact Lost productivity Understand organizational approach to malware identification, isolation, and remediation. Consider impacts beyond traditional spamware/firewalls (e.g., remote users, mobile devices). Consider update schedules and monitoring (beyond responsiveness to patch updates). Control contractor / consultant access to the corporate network. 6

4. End User Computing End User Computing (EUC) applications continue to evolve given resource constraints of economic downturn. Increased scrutiny is being applied by auditors and regulators, particularly to financial models. False sense of security provided by current efforts. Misstated financial statements Unsupported decision making Regulatory concerns Loss or corruption of data Understand current approach to managing and controlling EUCs. Policy-based approaches are typically insufficient. Evaluate use of technology and critical technical settings. Evaluate other program aspects including governance, security, management processes, and training/awareness. 7

5. Corporate Espionage More specific targeted efforts (often for gain), assisted by increase in mobile computing technologies. Increased access to government defense toolkits. Specific verticals hardest hit e.g. oil firms, gaming platform networks, defense contractors. Loss or release of corporate data Denial of service Intellectual Property loss This should be a component of information security audits. SOX monitoring controls generally insufficient. Need to understand specific threats, user awareness, hardening of critical devices and access points (via firewalls and network traffic monitoring devices / software), vulnerability assessments, and detection/escalation procedures. 8

6. Project Backlog Economic downturn caused decrease in IT investment and deferral of critical projects resulting in large project backlogs. Recent increase in resumption of large corporate IT projects, now being performed with reduced staff levels and/or weak project management oversight. Project delays or failure Completed projects shortchanging security and controls Failure to achieve business objectives Poor or inadequate vendor management Current projects should be included in enterprise risk assessments and IT audit universe. Ensure that controls are built into projects; deferral until after project goes live creates substantial risk and remediation can be expensive. 9

7. IT Governance Reduced enterprise IT support / budgets and increased ease of technology deployments has led to multiple shadow IT organizations within enterprises. Shadow groups tend to not follow established control procedures. Failure to comply with corporate IT policies and controls Operational impacts Information security risks Regulatory violations Duplication of efforts, increased costs and inefficiencies Determine extent of shadow IT deployment. Identify applications and environments deployed outside of usual channels, and assess compliance with corporate policies. Evaluate and assess duplicative systems, licensing, and support issues. 10

8. Electronic Records Management (ERM) Increased deployment of ERM solutions, with corresponding data conversions and process changes. Specific verticals more highly impacted (e.g., health care and financial services). Loss of data in conversion process Regulatory violations if inadequate controls exist Storage, retention, and forensic issues Determine extent of ERM deployment. Identify impacted data and processes. Ensure data is mapped against existing data management strategies, policies and legal requirements. Evaluate storage controls and monitoring. 11

9. Data Management Increased regulatory requirement for management and security of types of data. Lack of ability to identify types/location of enterprise data. Lack of robust data stratification schema to categorize sensitive data. Exacerbated by cloud deployments, shadow IT organizations, mobile computing, and electronic records management. Regulatory penalties Brand damage Increased cost of compliance Evaluate current data management program. Assess level of adequacy to current business requirements and emerging regulations. Identify specific data management controls and perform focused audit procedures. 12

10. Cloud Computing Proliferation of external cloud computing solutions, corporate- and user-based. Different deployments available; data, applications, services. Administrative access Data management location/compliance/recovery/security Dependent upon availability of cloud provider and internet connection Investigative support Long-term viability Identify cloud computing strategies deployed or planned. Determine applications and data impacted. Perform a risk assessment for the items impacted and determine the organization s risk tolerance. Identify controls that mitigate risks identified above. 13

Summary Need to understand which items may be relevant in your business and technical environment Ensure that risk assessments (and internal audit s universe) address relevant items Investigate / audit and prove that risks are adequately addressed to comply with regulatory requirements, company policies, and/or best practices 14

Contact Traci Mizoguchi trmizoguchi@deloitte.com Office: (619) 237-6904 Cell: (617) 605-4752 15

Questions?

About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting. Copyright 2011 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback