October 2016 Issue 07/16

Transcription

1 IPPF: NEW IMPLEMENTATION GUIDES - IG 1100, IG 1110, IG 1111, IG 1120 and IG 1130 The IIA has released new Implementation Guides (IG) addressing the following standards: Standard 1100: Independence and Objectivity Standard 1110: Organisational Independence Standard 1111: Direct Interaction With the Board Standard 1120: Individual Objectivity Standard 1130: Impairment to Independence and Objectivity IG 1100 Independence and Objectivity (NEW) CAE often has a direct functional reporting line to the board and an administrative reporting line to a member of senior management. This provides the CAE with direct board access for sensitive matters and enables sufficient organisational status. However, CAE should be aware of any requirements from regulators or other governing bodies that require certain reporting relationships. CAE should not have operational responsibilities beyond internal audit (IA). Where this is not the case, CAE typically discusses the independence concerns and the potential objectivity impairment with the board and senior management, who will implement safeguards to limit the impairment. To manage IA objectivity effectively, CAEs have an internal audit policy manual or handbook that describes expectations and requirements for an unbiased mindset. When assigning internal auditors to specific engagements, CAE will consider potential objectivity impairments and avoid assigning team members who may have a conflict. CAE needs to be thoughtful in designing the IA performance evaluation and compensation system and consider if the measurements used could impair an internal auditor s objectivity. IA charter itself Organisational chart with reporting responsibilities IA policy manual that includes policies on independence, objectivity, addressing conflicts and performance evaluation Training records Conflict-of-interest disclosure forms IG 1110 Organisational Independence (Supersedes: PA Organisational Independence) Organisational independence is effectively achieved when the CAE reports functionally to the board. A functional reporting line to the board ensures that the CAE has unrestricted access to the board. Functional oversight requires the board to create the right working conditions to permit the operation of an independent and effective IA activity. The board also monitors the ability of IA to operate independently. The CAE facilitates the board oversight by routinely providing performance updates on a quarterly basis. These updates cover IA s performance relative to its plan, key findings or emerging risks that require the board s attention. To ensure that organisational independence is discussed annually, as required by Standard 1110, the CAE will often create a standing board agenda item for a specific board meeting each year. In terms of administrative reporting line, the IIA recommends that the CAE report administratively to the CEO so that the CAE is in a clearly senior position, giving internal audit the requisite stature and authority to fulfil its responsibilities. IA charter and audit committee (AC) charter which describes the AC s oversight duties CAE s job description and performance evaluation would note reporting relationship and supervisory oversight CAE hiring documentation to indicate person responsible for hiring decision IA policy manual that addresses policies like independence and board communication requirements Organisation chart with reporting responsibilities Board reports, meeting minutes and agendas demonstrating the communication between the IA and the Board. 1

2 IG 1111 Direct Interaction with the Board (Supersedes: PA Board Interaction) With a direct functional reporting relationship with the board, the CAE will have many opportunities to communicate and interact directly with the board. This also gives CAE the ability to contact the chair or any member of the board to communicate sensitive matters or issues facing internal audit or the organisation. At least annually, a private meeting with the board or AC and the CAE (without senior management present) is formally conducted to discuss such matters or issues. To ensure direct and open communication, it is also helpful for the CAE to participate in one-on-one meetings or phone calls periodically with the board or AC chair, either before scheduled meetings or routinely during the year. Board meeting agendas and minutes to demonstrate the CAE s communication and interaction directly with the board. CAE s calendar (scheduled meetings with the board) A policy that requires the CAE to meet privately with the board periodically may be documented in board or AC charters IG 1120 Individual Objectivity (Supersedes: PA Individual Objectivity) Objectivity refers to an internal auditor s impartial and unbiased mindset, which is facilitated by avoiding conflicts of interest. An IA manual or handbook may be used to enable the CAE to manage the internal audit objectivity effectively. Workshops or training can be conducted on these fundamental concepts. This allows internal auditors to better understand objectivity by considering objectivity-impairing scenarios and how to address them. When assigning internal auditors to specific engagements, the CAE considers potential objectivity impairments and avoid assigning team members who may have a conflict (example, where internal auditors are transferred from other departments). Encouraging internal auditors to share any concerns they may have helps IA management determine whether the internal auditor may participate on the engagement. In designing the IA performance evaluation and compensation system, CAE needs to consider whether the measurements used could impair an internal auditor s objectivity. Ideally, the evaluation process will balance auditor performance, audit results, and client feedback measurements. IA policy manual which contains performance evaluation and compensation processes; and a clear policy on objectivity and avoiding and reporting conflicts of interest Training records or materials to demonstrate that internal auditors are made aware of the importance of objectivity, the nature of threats to objectivity and examples of conflicts of interest Signed acknowledgement forms to disclose the existence (or non-existence) of conflicts, where such policy exists Engagement workpapers documenting the team assigned (this could be compared to employment records or acknowledgement forms to confirm that known conflicts were avoided) IG 1130 Impairment to Independence or Objectivity (Supersedes: PA Independence or Objectivity) Consideration for Implementation An IA manual or handbook can be used to describe the expectations and requirements of independence and objectivity. It can include the types of situations that could create, or appear to create, impairments; and the expected actions the internal auditor should take if faced with a potential impairment. The IA policy manual often describes the appropriate actions for an internal auditor to take should he/she become aware of, or concerned about, such impairments. 2

3 Both the nature of the impairment and board/senior management expectations will determine the appropriate parties to be notified of the impairment and the ideal communication approach (several scenarios are provided as examples). The CAE is usually personally involved in determining the best disclosure approach. Examples of organisational independence impairments which can undermine internal auditor objectivity: CAE has broader functional responsibility than IA and executes an audit of a functional area that is also under his/her oversight. CAE s supervisor has broader responsibility than IA, and the CAE executes an audit within his/her supervisor s functional responsibility. CAE does not have direct communication or interaction with the board. The budget for the IA activity is reduced to the point that IA cannot fulfil its responsibilities as stated in the charter. Examples of objectivity impairments: where an internal auditor: audits an area in which he/she recently worked. audits an area where a relative or close friend is employed. assumes, without evidence, that an area being audited has effectively mitigated risks based solely on a prior positive audit or personal experiences. modifies the planned approach or results based on the undue influence of another person, without appropriate justification. IA policy manual which includes policies on independence, objectivity, addressing conflicts and the nature of impairments, and how to communicate them Board meeting minutes, if impairments to independence or objectivity were discussed Memos to file or reports that contain such disclosures. guidance/recommended-guidance/pages/newly- Released-IPPF-Guidance.aspx Global Technology Audit Guide (GTAG): An Internal Auditor s Guide to Understanding and Auditing Smart Devices (NEW) This supplemental guidance on Auditing Smart Devices provides guidance to internal auditors on how to better understand smart device technology and the associated risks and controls. This GTAG covers the following: Introduction on smart devices Risks related to the use of smart devices Controls to mitigate those risks to an acceptable level Engagement work program to effectively assess the organisation s governance, risk management and controls related to smart devices What are smart devices? Smart devices provide organisational users with portable computing power, internet connectivity wherever there is Wi-Fi or cellular service, and the possibility of having one convenient device for personal and business use. Examples include: smartphones, tablets, portable digital assistants (PDAs), wearable devices (e.g. watches and glasses) and handheld gaming devices. The characteristics associated with smart devices are also included in this guide. In some organisations, employees may be required to use their own devices to conduct business, or they may request to do so, a circumstance known as bring your own device (BYOD). Risks related to smart devices Compliance Risks In BYOD situations, organisations may rely heavily on users to comply with applicable policies and procedures, such as guidelines for updating software or operating systems. Users who consider updates overly intrusive or degrading to the performance of the device might bypass controls or not install the updates. Privacy Risks BYOD practices may raise privacy concerns from the perspectives of the organisation and the employee. Organisation: It may be difficult to protect a stakeholder s privacy when personally identifiable information is accessed or stored on a smart device. 3

4 Employee: Privacy concerns that their smart device enables intrusive monitoring by the organisation. Additional risk is introduced when third parties (e.g. vendors, guests) access organisational networks and systems using their own smart devices. Security Risks 1. Physical Security Risks - due to their mobile nature, smart devices are used in multiple locations and are susceptible to being lost or stolen. Sensitive data may be at risk if the device is used to store or access such information. 2. Information Security Risks Data storage and backup - data recovery from device or system failure also may be a concern if devices are not backed up properly. Operating systems (OSs) - Each of the various smart device OSs presents unique security features and risks that may need to be managed, configured, and secured differently. Network connections - untrusted networks (e.g. unsecure wireless networks or Bluetooth) are susceptible to various security risks that could compromise data in transit. Applications - Viruses, Trojan horses, and other malware may infect the smart device if mobile device platforms and app stores do not place security restrictions or other limitations on third-party app publishing. Location - A GPS, which enables location services, could be used to track smart devices, monitor user behaviour and plan cyberattacks. Related Controls Smart Device Security Controls Smart devices offer a number of security features that organisations can use to reduce risks. Authentication It prevents unauthorised users from accessing the smart device s apps and data. Typically, 1 or more of the following authentication methods are employed: passcode, swipe pattern, biometrics, security questions, or a personal identification number (PIN). Remote Wipe Remote wipe is the ability of the user or an IT administrator to wipe data and applications via the network, without having physical possession of the device. Remote wipe can also restore default settings and lock encrypted data from further access. Hardware or Device Encryption This is a key control for protecting data on smart devices. When enabled, the data and apps remain encrypted until a passcode is entered. Software Encryption This is a must for all organisational apps, especially . For devices that do not support hardware encryption, software encryption, which requires a second passcode to access an app, can be used to protect the organisation s apps and data. Encryption of Data in Transit Many smart devices support Transport Layer Security for encrypting , web traffic and virtual private networks (VPN). IT Policy Control Considerations In addition to instituting controls at the device level, the guide lists security features that management may put in place at the policy and procedural levels. Anti-malware Software This software detects and removes malicious software that negatively impacts smart devices and may allow access to private data. To protect against malware, smart device policy should require users to: a. Install anti-malware software, and ensure that all smart devices remain currently protected. b. Keep operating systems (OSs) updated. c. Download apps only from reputable mobile app stores. d. Update apps timely as app developers enhance security features often. e. Refrain from jailbreaking/rooting BYOD Policy If employees are permitted to use personal smart devices for business purposes, then a comprehensive BYOD policy should be implemented. The policy should cover, among other things: a. Approved devices and possibly OSs and responsibilities for maintenance. 4

5 b. Expectations and responsibilities related to organisational and personal information stored on the smart device. c. Minimum security requirements (e.g. strong passwords and up-to-date OSs) d. Timely reporting of a security breach and lost or stolen devices. e. Access to the organisation s data, apps, and network resources, including who can access what apps and by what means f. Backups and transfers g. Remote wiping. Users should enable the remote wipe option and identify specific applications to be remotely wiped. h. Process for retiring smart devices i. Employee acknowledgement and sign-off of all appropriate policies and procedures. Data/Attachment Download Downloading sensitive data to a smart device should be discouraged. Similarly, it is important to consider controlling the ability to take screenshots. Data Backup Secure backup for data on smart devices enables data from a lost, damaged, or remotely wiped device to be restored to a new device. Organisational data and apps should be backed up at the organisation s data center (controlled by IT administrator), instead of the device s native backup storage, which is usercontrolled. Mobile Application Management (MAM) This software aims to manage and protect data on specific applications. Mobile Device Management (MDM) This software is more effective when MDM software solutions are implemented. It can protect critical data by interfacing with security controls embedded in the smart device OS. Wi-Fi Restrictions These restrict the use of Wi-Fi networks, which are secured according to industry best practices. VPN solutions are preferred when accessing an organisation s applications and data on smart devices. Internal-Auditor%27s-Guide-to-Understanding-and- Auditing-Smart-Devices.aspx TONE AT THE TOP Regulation Roulette: Best Bets for Managing Compliance Risk With regulation on the rise, how can boards and audit committees ensure their organisations are properly managing compliance risk? In this October 2016 issue, learn how clearly defined roles, together with coordination and cooperation among departments, can promote good outcomes for the organisation. 5