IIA Miami Top Challenges Facing Internal Audit Departments Baptist Health South Florida 2016

Page 1

IIA Miami

Top Challenges Facing Internal Audit Departments

Baptist Health South Florida

2016

Page 2

Agenda

1. Cybersecurity

2. Culture

3. Timely Identification of Risk

4. Data Analysis

Page 3

Cybersecurity

Page 4

Cybersecurity

90% of all organizations (worldwide) have been breached in some way (whether they know it or not)*

Healthcare information highly coveted by cyber criminals

• #1 for cyber attacks in 2015

• 5 of the 8 largest breaches in healthcare since 2010 happened in 1st half of 2015 – more than 111 million health records compromised (35% of U.S. population)

* Study published by Cryptozone

Page 5

Ransomware

“Ransomware is a form of malware that targets both human and technical weaknesses in organizations and individual networks in an effort to deny the availability of critical data and systems”

Page 6

Ransomware

• From March to April 2016 >159% jump*

• Hollywood Presbyterian Medical Center paid $17,000 ransom in “the best interest of restoring normal operations”

• 50% of hospitals have been targeted by ransomware in the past year**

• Ransomware attacks expected to increase in 2016***

* Report by Enigma Software

** HIMSS Analytics 2015 Survey

*** 2015 Report by Intel

Page 7

Page 8

Ransomware

Have a plan

Education

• 46% of breaches come from negligent insiders*

• Fake phishing campaign

• What to do if you get phished

Backup your data

Limit system access

Filter your email

“Whitelist” of websites and apps

Test recovery and remediation plan

* HIMSS Analytics 2015 Survey

Page 9

Ransomware

Audit Response

• Technical Vulnerability Assessment
  ─ Available through public internet
  ─ Accessible within our environment

• Cyber Security Incident Response
  ─ Simulation of significant incident

Page 10

Culture

Page 11

Culture

Page 12

Culture

Root Cause of Non-Compliance*

Areas of Compliance Focus*

* Convercent

Page 13

Culture

• Toxic culture common theme in corporate scandals

• Culture is a key element in the control environment and governance

• 58% of audit departments do not audit culture*

• More than 50% of auditors see organizational culture as high risk*

But internal audit’s focus is usually here

Problems with the culture start here and affect the whole organization

Source: The Pulse of Internal Audit survey: © 2016 The IIA Audit Executive Center.

Page 14

Culture

What is culture?

[Chart legend: Ranked first, Ranked second. Percentage labels as extracted, not matched to the items below: 21%, 55%, 9%, 13%, 17%, 33%, 20%, 3%, 1%, 1%, 17%, 5%]

• Enforcement of a code of conduct through disciplinary measures

• Formal training on a code of conduct

• Behavior modeled by other employees

• Establishment of a code of conduct

• Direct communication from other employees

• Behavior modeled by executive management

Source: The Pulse of Internal Audit survey: © 2016 The IIA Audit Executive Center.

Page 15

World’s Most Ethical Companies

Who are they?

• 131 Honorees

• Publicly Traded (74%)

• Fewer than 25,000 Employees (56%)

• Manufacturing (10%)

• Insurance (8%)

• Over $5B Revenue (80%)

• 21 Countries

Page 16

World’s Most Ethical

• Compliance & Ethics Program: 35%

• Leadership, Innovation & Reputation: 10%

• Governance: 15%

• Citizenship, Sustainability & Corporate Responsibility: 20%

• Culture of Ethics: 20%

Page 17

A Measurable Difference

6X Honoree

Page 18

Culture

Identifying Healthy Organizational Culture

• Strong governance with clear policy and procedures

• Communication of policy and procedures throughout the organization

• Clear and consistent “tone at the top” communication from senior management regarding their expectations around control and appropriate behavior

• Consistent application of policy and procedures to all levels of management without exception

• Alignment of rewards to the right behaviors

Source: The Pulse of Internal Audit survey: © 2016 The IIA Audit Executive Center.

Page 19

Culture

Sample audit techniques:

• Checklist (policies, code of conduct, leadership communication)

• Surveys

• Consider incentive programs (perverse incentives)

• Interviews

• Start small – department level

• Review of social media

Page 20

Culture

Barriers to Addressing Culture

[Percentage labels as extracted, not matched to the three statements below: 35%, 23%, 24%]

• Do not believe internal audit has freedom to assess the entire organization and staff.

• Do not believe internal audit has full support of the board or audit committee to assess the entire organization and staff.

• Do not believe internal audit has full support of executive management to assess the entire organization and staff.

• 45%: Reported that they agree or strongly agree that internal audit is able to identify and assess measure of organizational culture.

Among those who DO NOT audit organizational culture

Page 21

Timely Risk Identification

Page 22

Assessing Emerging and Evolving Risks

• 93% of CAEs use risk-based methodologies when planning

• But, emerging risks present a challenge

• Risks often materialize with little or no warning

• Decades of accumulated value can evaporate

• We must be able to “audit at the speed of risk”

Source: The Pulse of Internal Audit survey: © 2015 The IIA Audit Executive Center.

Page 23

Identifying Emerging Risks is Critical: But Confidence is Lacking

52 percent of CAEs consider identifying emerging risks to be their biggest challenge.

Organization’s ability   Identify   Respond
Extremely confident      3%         4%
Very confident           32%        31%
Moderately confident     45%        42%
Slightly confident       15%        17%
No confidence            5%         6%

Source: The North American Pulse of the Profession Survey: © 2013 The IIA Audit Executive Center

Source: The Pulse of Internal Audit survey: © 2015 The IIA Audit Executive Center. Total may not equal 100% due to rounding.

Page 24

Continuous Risk Assessment is Still Aspirational for Many

41% of audit departments do periodic updates to their risk assessment

• Interviews

• Surveys

• Headline checks

13% do “Continuous Risk Assessment”

• Monitoring of KRIs (manually or automated)

• Analytical Review

Source: The Pulse of Internal Audit Survey Conducted in collaboration with the 2015 Common Body of Knowledge Study, © 2015 The IIA and The IIA Research Foundation. All rights reserved. No part of this data may be copied, reproduced or otherwise disseminated without explicit permission from The IIA.

Page 25

Typical Internal Audit Plans Are Not Very Dynamic

How would you describe the development of the audit plan at your organization? (Frequency)

• Developed once each year and not changed during the year: 12%

• Developed once each year and updated 1 or 2 times per year: 40%

• Developed once each year and updated 3 or more times per year as risks change: 27%

• Highly flexible plan matched to the organization’s changing risk profile: 19%

Source: The Pulse of Internal Audit Survey Conducted in collaboration with the 2015 Common Body of Knowledge Study, © 2015 The IIA and The IIA Research Foundation. All rights reserved. No part of this data may be copied, reproduced or otherwise disseminated without explicit permission from The IIA. Note: 1.3% indicated “other” as a response to this question.

Page 26

Taking Action When Risks Emerge is Vital!

70 percent of CAEs viewed cyberattacks as a high or critical priority – AEC Pulse of Internal Auditing

But,

Only 53 percent say auditing cybersecurity risk is part of this year’s plan – Protiviti 2015 IA Capabilities and Needs Survey Report

Source: The Pulse of Internal Audit survey: © 2015 The IIA Audit Executive Center.

Page 27

Data Analysis

Page 28

Data Analysis

90% of all data in the world was created in the past two years*

Every day, 3 times per second, we produce the equivalent of the amount of data in the Library of Congress**

Unstructured data will account for nearly 80% of all enterprise data by 2017***

* IBM

** Nate Silver, American Statistician

*** FDC

Page 29

Data Analysis

Really, Really…. BIG Data

Page 30

Data Analysis

Definition

Big Data:

“…data sets with sizes beyond the ability of commonly-used software tools…”

Page 31

Data Analysis

37% indicated that data mining and analytics skills are very or extremely essential to their internal audit function’s ability to perform its responsibilities.

Source: The Pulse of Internal Audit survey: © 2016 The IIA Audit Executive Center.

Page 32

Data Reliance

Problems can arise from data collection, data analysis and decisions made based on data

• Is collection and use of the data legal and ethical?

• Has the organization confirmed the data’s appropriateness, accuracy, and completeness? Data often contains gaps and inaccuracies.

• Was the right expertise involved in evaluating the data to ensure the evaluation is not biased or flawed? The difference between correlation and causation is not always well understood.

Page 33

Data Reliance

USE OF DATA IS GROWING. IS INTERNAL AUDIT SUFFICIENTLY INVOLVED?

[Percentage labels as extracted, not matched to the statements below: 17%, 47%, 36%]

• Reported that internal audit is very or extremely involved in evaluating the quality of data used in their organization.

• Reported that internal audit is moderately involved in evaluating the quality of data used in their organization.

• Reported that internal audit is slightly or not at all involved in evaluating the quality of data used in their organization.

Source: The Pulse of Internal Audit survey: © 2015 The IIA Audit Executive Center.

Page 34

Summary

We must move out of our comfort zone

We must stay current on risks

Status quo doesn’t work any more