Top ten emerging IT audit issues
Deloitte & Touche LLP
Copyright 2013 Deloitte Development LLC. All rights reserved.
IT controls continue to increase in importance to organizations:
Corporate reliance on technology increases.
Compliance requirements increase.
Deficiencies in IT controls can have a significant impact on the organization.
Where we have been
Where we need to be
IT Internal Audit Overview

Level 1
Repetitive services. Compliance focused. Comprises most of current audit universes. Commoditized audits.
Examples: ITGCs, SOX Testing, DRP, Other Compliance, SoD

Level 2
Maturing technologies that haven't been a focus. Some compliance aspects. Opportunities to add value.
Examples: IT Governance, Attack and Pen, IAM, End User Computing, Software Asset Mgmt, GRC

Level 3
New technologies. High visibility/risk. Highly strategic. Significant opportunities to provide additional value.
Examples: Mobile Endpoint, Cyber Terrorism, Privacy, IT Risk Mgmt, Enterprise Record Mgmt, Social Media

IT Internal Audit Universe Allocation
(Chart in the original: share of the audit universe allocated to Level 1, Level 2 and Level 3.)
Top 10 IT audit issues
By no means a comprehensive list; it will vary by environment. Each issue may carry greater or lesser risk depending on industry, technology, business processes, etc. The list is based on what we see in the marketplace and is designed to get you thinking about your environments and whether currently scheduled IT audit procedures will evaluate these risks. The list is in no particular order.
1. Mobile only

Issue: Businesses are migrating from the use of mobile devices to enhance processes to mobile-only businesses. This dramatically shifts the risks and key control points.

Risk: Failure to manage mobile risk could have a significant impact on operations. Solutions are still rapidly evolving. Requires architecture changes, impacting controls in other areas of IT.

Recommendation: Inventory and assess current mobile initiatives. Specifically detail the mobile initiatives that impact operational and/or customer-facing processes. Evaluate security policies and procedures, which may not have evolved to address mobile issues. Assess mobile device management (MDM) processes and controls, e.g., distribution of patches, wipe-cleans, and security requirements. Assess use of mobile middleware applications and processes for identifying and escalating issues.
Mobile payments are fast reaching a tipping point of growth in North America, driven by rapid smart-phone growth, shifts in consumer preferences and significant capability build-out.
Source: Deloitte Research & Analysis, eMarketer, Gartner Report

(Three charts in the original, summarised below.)

Increased penetration of smart-phones in the U.S.
Current smart-phone growth forecast: 13% CAGR over the next 5 years. Smart-phone adoption represents convergence in
Source: Deloitte Research & Analysis

Changing consumer behavior
Increasing consumer interest in mobile payments functionalities. Growth opportunities for services not available online, such as remote check deposit services and Person to Person. Chart legend: Currently Use / Would Use; Acquisition / New Products.
Source: Gartner Report (2011)

Projected exponential growth
Mobile payment users, transaction volume, and transaction value all projected to grow exponentially. Chart: Growth of Mobile Payment Users in North America (series: % of Mobile Phone Users; % of Population; Transactions in thousands), with data labels 73; 492; 3,434; 8,995; 17,29
Mobile payment channels: remote payments (SMS, Mobile Web, App-based, QR Code) and proximity payments (NFC - Hardware Based, NFC - SIM Based, NFC MicroSD)

SMS (remote)
  Channel: Customers send payments using simple text messaging.
  Risks: Messages can be hacked and PINs can be captured. Malware can send messages without
  Marketplace examples: M-PESA in Kenya

Mobile Web (remote)
  Channel: Customers use online payments with the browser on their mobile.
  Risks: Java-based security protocols may not be safe enough; mobile malware can hack into customer
  Marketplace examples: PayPal, Amazon Payments, Google

App-based (remote)
  Channel: Customers use apps built out by the FI to make payment, or use payment capabilities built into merchants' apps.
  Risks: Keylogger software can crack a user's PIN used to access the app.
  Marketplace examples: Chase, Dwolla, LevelUp, Square, Google in-app payments

QR Code (remote)
  Channel: A QR code specific to the customer is scanned at the POS to make
  Risks: A hacker can get access to the customer's QR code, or a merchant can mismanage data.
  Marketplace examples: Starbucks, Paycent

NFC - Hardware Based (proximity)
  Channel: Customers use their phones as touchless payment devices based on built-in
  Risks: OTA traffic between device and reader can be intercepted. Financial information on the secure element can be compromised in
  Marketplace examples: Google Wallet

NFC - SIM Based (proximity)
  Channel: Customers use their phones as contactless payment devices based on the SIM.
  Risks: Financial information on the secure element can be compromised if the SIM is stolen.
  Marketplace examples: ISIS, Turkcell, Smart and Globe Telecom

NFC MicroSD (proximity)
  Channel: Customers use their phones as contactless payment devices based on microSD cards that can be inserted into most
  Risks: Financial information on the secure element can be compromised if the SD card is stolen.
  Marketplace examples: Moneto

Risks associated with mobile payments are enhanced by evolving standards and technologies used in proximity and remote payment environments.
Maturity labels across the chart, left to right: Mature / More control to banks; Emerging / More control to banks; Emerging / Shared infrastructure and less control.
Source: Deloitte Research & Analysis
Mobile payments have seen significant interest over the years, with a significant number of trials, pilots and niche commercial successes.
However, banks have not yet built out significant mobile payments capabilities, and adoption rates in North America remained low among customers and merchants until recently.
Less than 20% of banks have deployed mobile payments, and most are still in a position to assess the risks prior to going to market.
Survey-level data indicates that the primary cause of lower adoption rates has been security concerns among customers.
Financial institutions that do not focus on limiting risk in mobile payments will be left behind, with lower adoption rates and possible customer defections.
(Survey chart in the original; labels as they appear: "What is the most important factor to you when making mobile"; "Choice of Payment".)
Source: Deloitte Future of Mobile Payment Survey; Mobio, "Mobile Commerce Handcuffs"
Mobile payment deployments pose a serious risk to FSIs due to the complexity of the architecture and technology and the number of partners involved. While the legacy threats and vulnerabilities inherent to banks, payment service providers (PSPs) and mobile network operators (MNOs) still hold, some threats and vulnerabilities are more prevalent throughout the mobile payment lifecycle because of the complexity of the architecture and the high number of providers involved in the transaction.
* The architecture above is illustrative and does not include all of the components in the Mobile Payment Architecture.

Common threats and attacks: identity theft; malware / intrusion; man-in-the-middle attacks; unauthorized access; privacy infringement; data disclosure; message interception; replay attacks; coercion.

Platform and protocol related
Design flaws in the mobile standards / protocols (e.g., GSM encryption vulnerabilities, data protocols, OTA transmission vulnerabilities).
Design flaws / lack of standards / protocols for mobile payments (e.g., absence of two-factor authentication, auto-storage of cookies on server request, auto-disclosure of cookies).

Device related
Hardware vulnerabilities (e.g., side channel attack, SIM card cloning).
Operating system vulnerabilities (e.g., Zitmo.C (simple SMS forwarder for Blackberry, Symbian, iOS), HT4803 (buffer overflow, issues with type conversion for Apple iOS), Tcent.A, Crusewin.A).
Software vulnerabilities (e.g., vulnerable APIs in the development platform (e.g., J2ME)).
Sophisticated sensory malware (e.g., Soundminer, the first sensory malware trojan on the Android platform, identifies when the user is calling a bank IVR and captures only the spoken or typed credit card number).

User and process related
Lost / stolen phones; smart-phone Internet and relocation capabilities.
Issues in authentication of the user (lack of authentication, capture of authenticators (man-in-the-middle attack), weak authentication protocols, password issues, weak passwords).
User misuse / lack of awareness (e.g., downloading malware, susceptibility to masquerade, social engineering (phishing), initiation by an unauthorized user, auto-initiation).

POS / PSP / FSP vulnerabilities (e.g., infrastructure / network vulnerabilities
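The threat list above names message interception, man-in-the-middle, replay and unauthorized access against the payment message itself. As an added illustration (not from the Deloitte deck and not any provider's actual protocol), the Python below shows the server-side checks a payment service would apply to a remote payment message to address tampering and replay: an HMAC-SHA256 over a canonical serialisation of the payload, a freshness window on the timestamp, and single-use nonces. The message fields, the shared key and the four scenarios are constructed for the example.

```python
"""
Added example (not from the Deloitte deck): a server-side verifier for
remote mobile-payment messages that rejects tampered and replayed
messages. Message format, field names and the shared secret are
constructed for the illustration and are not any real provider's protocol.
"""
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment keeps this in an HSM or KMS, never in source.
SHARED_SECRET = b"constructed-demo-key-not-for-production"
# Messages whose timestamp differs from the server clock by more than this are stale.
MAX_CLOCK_SKEW_SECONDS = 120


def canonical_bytes(payload: dict) -> bytes:
    """Serialise the signed fields deterministically so client and server agree."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_message(payload: dict, secret: bytes = SHARED_SECRET) -> dict:
    """Client side: attach an HMAC-SHA256 tag computed over the canonical payload."""
    tag = hmac.new(secret, canonical_bytes(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": tag}


class PaymentMessageVerifier:
    """Server side: check the MAC first, then freshness, then single use of the nonce."""

    def __init__(self, secret: bytes = SHARED_SECRET, now=time.time):
        self._secret = secret
        self._now = now            # injectable clock so the checks are testable
        self._seen_nonces = {}     # nonce -> time first accepted

    def _purge_old_nonces(self, now: float) -> None:
        # Nonces older than the freshness window can never be accepted again anyway.
        cutoff = now - MAX_CLOCK_SKEW_SECONDS
        self._seen_nonces = {n: t for n, t in self._seen_nonces.items() if t >= cutoff}

    def verify(self, message: dict) -> tuple:
        payload = message.get("payload", {})
        mac = message.get("mac", "")
        expected = hmac.new(self._secret, canonical_bytes(payload), hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking the tag through timing differences.
        if not hmac.compare_digest(mac, expected):
            return False, "bad_mac"
        for field in ("nonce", "timestamp", "account", "amount"):
            if field not in payload:
                return False, f"missing_{field}"
        now = self._now()
        if abs(now - payload["timestamp"]) > MAX_CLOCK_SKEW_SECONDS:
            return False, "stale_timestamp"
        self._purge_old_nonces(now)
        if payload["nonce"] in self._seen_nonces:
            return False, "replay"
        self._seen_nonces[payload["nonce"]] = now
        return True, "ok"


def demo() -> dict:
    """Run the scenarios a reviewer would ask about and return the verdict for each."""
    fixed_now = 1_700_000_000.0
    verifier = PaymentMessageVerifier(now=lambda: fixed_now)
    original = sign_message(
        {"nonce": "n-0001", "timestamp": fixed_now, "account": "ACCT-DEMO", "amount": "25.00"}
    )
    results = {}
    results["first_delivery"] = verifier.verify(original)[1]
    # Same bytes delivered twice: the nonce has already been accepted.
    results["replayed_copy"] = verifier.verify(original)[1]
    # Amount altered in transit while the original tag is kept: MAC no longer matches.
    tampered = {"payload": dict(original["payload"], amount="2500.00"), "mac": original["mac"]}
    results["tampered_amount"] = verifier.verify(tampered)[1]
    # Correctly signed but captured an hour ago: outside the freshness window.
    old = sign_message(
        {"nonce": "n-0002", "timestamp": fixed_now - 3600, "account": "ACCT-DEMO", "amount": "25.00"}
    )
    results["hour_old_message"] = verifier.verify(old)[1]
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:18} -> {verdict}")
```

The ordering of the checks matters: the MAC is verified before any field is trusted, so a forged message cannot steer the verifier into the nonce store, and the nonce store is bounded by the same window that defines staleness.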
2. Cyber security

Issue: Significant emerging regulatory requirements and disclosures related to cyber security, intersecting with increased cyber threat.

Risk: Failure to meet regulatory requirements. Brand exposure. Loss of data, denial of service.

Recommendation: Historically, cyber threat IT audit activities have been limited to point-specific issues (e.g., attack and penetration audits). Detailed cyber security audits are needed that encompass the defend, detect, recover and respond components of cyber threat management.
The true cost of cybercrime is not easy to tabulate. While many have experienced its wrath first hand, even more have suffered from cybercrime unknowingly through higher costs, operational issues, brand erosion and lower-quality products. Moreover, consider the lost benefit from products that never even made it to the market as a result of intellectual property theft.
As a result, boards of directors have a responsibility to take a more active role; in fact, they have a duty to ensure that management protects and maximizes the value of their digital assets both within and outside the company walls, and to position the organization for the opportunities and disruptions that arise through digital technology. These risks and opportunities may even warrant board-level leadership: a Cyber Chair.

Further reading referenced on this slide:
Cyber in the Boardroom: Now is the time for directors to ensure senior management focus.
Cyber crime fighting: DU Press article by Vikram Mahidhar and David Schatsky.
2013 TMT global security study: Deloitte's sixth annual worldwide study report of information security practices.
Read the full USA Today articles on this topic: Cyber in the boardroom; The true cost of cybercrime.
Issue: The current Internet protocol has been in place since the 1970s. Proliferation of devices has exhausted IP address availability. Telecommunication utilities and the Internet Engineering Task Force (IETF) have been pushing for change, which is now upon us. This will impact network architecture and devices.

Risk: Loss of network communication. Network appliances rendered unusable. Risk assessment has been de-prioritized historically.

Recommendation: Determine organizational readiness for IPv6 deployment. At a minimum, the organization should have begun a risk assessment process to assess its readiness to implement IPv6 and identify potential areas that require remediation. Assess the current organization structure and plan for dealing with these issues, and determine how this thinking is being incorporated into current and planned IT initiatives.
Issue: Everyone is talking about Big Data, which by itself is meaningless without the ability to analyze and interpret data. Analytic technologies and methods have evolved significantly in the last 18 months.

Risk: Struggling to produce relevant operational reports while driving business decision-making off unstructured analyses (e.g., web statistics). Investment in big data does not produce results. Increased data life cycle risk (e.g., personally identifiable information).

Recommendation: Effective analytics are based on foundational data layers. Understand what analytics are planned, then assess risk based on usage. Perform a detailed audit which evaluates foundational data layers, data governance, statistical methodology used, and use of technologies (e.g., visualization).
Defining Internal Audit Analytics: from sourcing facts to driving understanding to generating knowledge
The use of analytics can enhance your ability to manage the risks associated with your audits.
It will help identify the facts that provide a clear understanding of risks and the knowledge required to manage these risks across the group.
The ultimate objective is to develop and implement an analytics capability that gives you greater confidence in, and insight into, each of your audits.
What is happening in each of the audits?
Once data is sourced and reliable, the process should maintain the integrity of the data.
Some of the tests that can be performed to better address the risks and controls are:
Bespoke test creation based on risks identified in audit planning
Finding correlation between the multiple data sources to learn more about the behavior and patterns of processes
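As an added worked example of the two test types just listed (not from the deck), the Python below correlates a constructed HR termination extract with a constructed application access log, flags logins dated after a user's termination and accounts with no HR record at all, and fingerprints each extract with SHA-256 so the sourced data can later be shown unchanged. All file contents, identifiers and dates are constructed for the illustration.

```python
"""
Added example (not from the Deloitte deck): a small internal-audit analytics
test correlating two constructed data sources, an HR roster and an application
access log. Every record, name and field below is constructed.
"""
import csv
import hashlib
import io
from datetime import date

# Constructed HR extract: employee id, name, status, termination date (blank if active).
HR_EXTRACT = """\
emp_id,name,status,term_date
E100,Alice Example,active,
E101,Bob Example,terminated,2013-02-15
E102,Carol Example,terminated,2013-03-31
E103,Dan Example,active,
"""

# Constructed application access log: employee id, login date, system.
ACCESS_LOG = """\
emp_id,login_date,system
E100,2013-03-01,GL
E101,2013-03-02,GL
E101,2013-03-20,AP
E102,2013-03-30,AP
E102,2013-04-02,AP
E104,2013-04-03,GL
"""


def fingerprint(extract: str) -> str:
    """SHA-256 of the raw extract, recorded with the workpapers as an integrity check."""
    return hashlib.sha256(extract.encode()).hexdigest()


def load_rows(extract: str) -> list:
    """Parse a CSV extract into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(extract)))


def logins_after_termination(hr_extract: str, access_log: str) -> list:
    """Bespoke test: a login dated after the user's HR termination date is an exception."""
    term_dates = {
        row["emp_id"]: date.fromisoformat(row["term_date"])
        for row in load_rows(hr_extract)
        if row["status"] == "terminated" and row["term_date"]
    }
    exceptions = []
    for event in load_rows(access_log):
        term = term_dates.get(event["emp_id"])
        login = date.fromisoformat(event["login_date"])
        # A login on the termination date itself is not flagged; only later activity is.
        if term is not None and login > term:
            exceptions.append(
                {**event, "term_date": term.isoformat(), "days_after": (login - term).days}
            )
    return exceptions


def logins_without_hr_record(hr_extract: str, access_log: str) -> list:
    """Correlation test: accounts active in the system that have no HR record at all."""
    known = {row["emp_id"] for row in load_rows(hr_extract)}
    return sorted({e["emp_id"] for e in load_rows(access_log) if e["emp_id"] not in known})


if __name__ == "__main__":
    print("HR extract fingerprint:   ", fingerprint(HR_EXTRACT))
    print("Access log fingerprint:   ", fingerprint(ACCESS_LOG))
    for exc in logins_after_termination(HR_EXTRACT, ACCESS_LOG):
        print(f"{exc['emp_id']} logged into {exc['system']} on {exc['login_date']}, "
              f"{exc['days_after']} days after termination on {exc['term_date']}")
    print("Accounts with no HR record:", logins_without_hr_record(HR_EXTRACT, ACCESS_LOG))
```

On the constructed data this flags two post-termination logins for E101 and one for E102, and E104 as an account the HR roster does not know about; the fingerprints are what lets the auditor show later that the extracts behind those findings were not altered.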
Why is it happening?
Once a control failure has been identified and quantified, the focus moves t...