Top ten emerging IT audit issues - ISACA

  • Published on 10-Apr-2018


  • Top ten emerging IT audit issues

    Deloitte & Touche LLP

    Copyright 2013 Deloitte Development LLC. All rights reserved.

  • Overview

    IT controls continue to increase in importance to organizations: corporate reliance on technology increases, and compliance requirements increase.

    Deficiencies in IT controls can have a significant impact on the organization.

  • IT audits (chart: value plotted against risk, showing where we have been and where we need to be)

  • IT Internal Audit Overview

    Three levels of the IT internal audit universe:

    Core (Level 1): repetitive services; compliance focused; comprises most of current audit universes; commoditized audits. Areas: ITGCs, SOX Testing, DRP, Other Compliance, SoD.

    Advanced (Level 2): maturing technologies that haven't been a focus; some compliance aspects; opportunities to add value. Areas: IT Governance, Attack and Pen, IAM, End User Computing, Software Asset Mgmt, GRC.

    Emerging (Level 3): new technologies; high visibility/risk; highly strategic; significant opportunities to provide additional value. Areas: Mobile Endpoint, Cyber Terrorism, Privacy, IT Risk Mgmt, Enterprise Record Mgmt, Social Media.

  • IT Internal Audit Universe Allocation (charts: current state versus future state, split across Level 1, Level 2 and Level 3)

  • Top 10 IT audit issues

    By no means a comprehensive list; it will vary by environment. Risk may be greater or lesser depending on industry, technology, business processes, etc. This list is based on what we see in the marketplace. It is designed to get you thinking about your environments and whether currently scheduled IT audit procedures will evaluate these risks. The list is in no particular order.

  • 1. Mobile only

    Issue: Businesses are migrating from the use of mobile devices to enhance processes to mobile only businesses. This dramatically shifts the risks and key control points.

    Risk: Failure to manage mobile risk could have significant impact on operations. Solutions are still rapidly evolving. Requires architecture changes, impacting controls in other areas of IT.

    Recommendation: Inventory and assess current mobile initiatives. Specifically detail out mobile initiatives that impact operational and/or customer facing processes. Evaluate security policies and procedures which may not have evolved to address mobile issues. Assess mobile device management (MDM) processes and controls, e.g., distribution of patches, wipe-cleans, and security requirements. Assess use of mobile middleware applications and processes for identifying and escalating issues.

  • Mobile payments are fast reaching a tipping point of growth in North America, driven by rapid smart-phone growth, shifts in consumer preferences and significant capability build-out

    Increased penetration of smart-phones in the U.S. (chart: U.S. smart-phone sales in MM units, % of mobile phone users and % of population, by year 2008 to 2015). Current smart-phone growth forecast: 13% CAGR over the next 5 years. Smart-phone adoption represents convergence in technologies.

    Changing consumer behavior (chart: "currently use" versus "would use" for account maintenance, transactions, mobile payments, and acquisition / new products). Increasing consumer interest in mobile payments functionalities and capabilities. Growth opportunities for services not available online, such as remote check deposit services and Person to Person (P2P) Payments.

    Projected exponential growth (chart: growth of mobile payment users in North America, with users in MM, transactions in thousands and transaction value). Mobile Payment users, transaction volume, and transaction value all projected to grow exponentially.

    Sources: Deloitte Research & Analysis, eMarketer, Gartner Report (2011)

  • Mobile Payments: remote payments (SMS, Mobile Web, App-based) and proximity payments (QR Code, NFC - Hardware, NFC - SIM Based, NFC MicroSD)

    Channel, use case and key risks:

    SMS. Use case: customers send payments using simple text messaging commands. Key risks: messages can be hacked and PINs can be captured; malware can send messages without customers' consent.

    Mobile Web. Use case: customers use online payments with the browser on their mobile phones. Key risks: Java-based security protocols may not be safe enough; mobile malware can hack into customer data.

    App-based. Use case: customers use apps built out by the FI to make payment, or use payment functionalities built into merchants' apps. Key risk: keylogger software can crack a user's PIN used to access the app.

    QR Code. Use case: a QR code specific to the customer is scanned at the POS to make payment. Key risks: a hacker can get access to the customer's QR code, or the merchant can mismanage data.

    NFC - Hardware. Use case: customers use their phones as touchless payment devices based on built-in chips. Key risks: OTA traffic between device and reader can be intercepted; financial information on the secure element can be compromised in stolen phones.

    NFC - SIM Based. Use case: customers use their phones as contactless payment devices based on the SIM. Key risk: financial information on the secure element can be compromised if the SIM is stolen.

    NFC MicroSD. Use case: customers use their phones as contactless payment devices based on microSD cards that can be inserted into most phones. Key risk: financial information on the secure element can be compromised if the SD card is stolen.

    Marketplace examples (in channel order): M-PESA in Kenya; PayPal, Amazon Payments, Google, Chase, Dwolla, LevelUp, Square, Google in-app payments; Starbucks, Paycent; Google Wallet, ISIS; Turkcell, Smart and Globe Telecom; Moneto.

    Risks associated with mobile payments are enhanced by evolving standards and technologies used in proximity and remote payment environments.

    Maturity legend: Mature / More control to Banks; Emerging / More control to Banks; Emerging / Shared Infrastructure and less control. Source: Deloitte Research & Analysis

  • Mobile payments have seen significant interest over the years, with a significant number of trials, pilots and niche commercial successes

    However, banks have not yet built out significant mobile payments capabilities, and adoption rates have remained low in North America among customers and merchants until recently.

    Less than 20% of banks have deployed mobile payments, and most are still in a position to assess the risks prior to going to market.

    Survey-level data indicates that the primary cause of lower adoption rates has been security concerns among customers.

    Financial institutions that do not focus on limiting risk in mobile payments will be left behind, with lower adoption rates and possible customer defections.

    What is the most important factor to you when making mobile payments? Security 73%; Speed 9%; Simplicity 12%; Choice of Payment Type 3%; Other 3%.

    Source: Deloitte Future of Mobile Payment Survey, Mobio, "Mobile Commerce Handcuffs"

  • Mobile Payment deployments pose a serious risk to FSIs due to the complexity of the architecture, technology and number of partners involved

    While the legacy threats and vulnerabilities inherent to the banks, the payment service providers (PSPs) and Mobile Network Operators (MNOs) still hold valid, there are some threats and vulnerabilities that are more prevalent throughout the mobile payment lifecycle due to the complexity of the architecture and the high number of providers involved in the transaction.

    * The architecture above is illustrative and does not include all of the components in the Mobile Payment Architecture.

    Common Threats and Attacks: identity theft; malware / intrusion; man-in-the-middle attacks; unauthorized access; privacy infringement; data disclosure; message interception; replay attacks; coercion.

    Common Vulnerabilities

    Platform and protocol related: design flaws in the mobile standards / protocols (e.g., GSM encryption vulnerabilities, data protocols, OTA transmission vulnerabilities); design flaws / lack of standards / protocols for mobile payments (e.g., absence of two-factor authentication, auto-storage of cookies on server request, auto-disclosure of cookies).

    Device related: hardware vulnerabilities (e.g., side channel attack, SIM card cloning); operating system vulnerabilities (e.g., Zitmo.C (simple SMS forwarder for Blackberry, Symbian, iOS), HT4803 (buffer overflow, issues with type conversion for Apple iOS), Tcent.A, Crusewin.A); software vulnerabilities (e.g., vulnerable APIs in the development platform (e.g., J2ME)); sophisticated sensory malware (e.g., Soundminer, the first sensory malware trojan on the Android platform, which identifies when the user is calling a bank IVR and captures only the spoken or typed credit card number).

    User and process related: lost / stolen phones; smart-phone Internet and relocation capabilities; issues in authentication of user (lack of authentication, capture of authenticators (man-in-the-middle attack), weak authentication protocols, password issues, weak passwords); user misuse / lack of awareness (e.g., downloading malware, susceptibility to masquerade, social engineering (phishing), initiation by an unauthorized user, auto-initiation).

    POS / PSP / FSP vulnerabilities (e.g., Infrastructure / Network vulnerabilities

  • 2. Cyber security

    Issue: Significant emerging regulatory requirements and disclosures related to cyber security, intersecting with increased cyber threat.

    Risk: Failure to meet regulatory requirements. Brand exposure. Loss of data, denial of service.

    Recommendation: Historic cyber threat IT audit activities have been limited to point-specific issues (e.g., attack and penetration audits). Need to perform detailed cyber security audits encompassing the defend, detect, recover and respond components of cyber threat management.

  • Cyber in the Boardroom: now is the time for directors to ensure senior management focus

    The true cost of cybercrime is not easy to tabulate. While many have experienced its wrath first hand, even more have suffered from cybercrime unknowingly through higher cost, operational issues, brand erosion and lower quality products. Moreover, consider the lost benefit from products that never even made it to the market as a result of Intellectual Property theft.

    As a result, Boards of Directors have a responsibility to take a more active role; in fact, they have a duty to ensure that management protects and maximizes the value of their digital assets both within and outside the company walls, and to position the organization for the opportunities and disruptions that arise through digital technology. These risks and opportunities may even warrant board-level leadership: a Cyber Chair.

    Related content:

    Cyber crime fighting: read the DU Press article by Vikram Mahidhar and David Schatsky.

    2013 TMT global security study: explore Deloitte's sixth annual worldwide study report of information security practices.

    Read the full USA Today article on this topic, "Cyber in the boardroom: The true cost of cybercrime": http://www.usatoday.com/story/cybertruth/2013/11/08/cybercrimes-bottom-line-500-billion/3478235/?id=us:el:pd:cybercrime:awa:tmt:111213

  • 3. IPv6

    Issue: The current internet protocol has been in place since the 1970s. Proliferation of devices has exhausted IP address availability. Telecommunication utilities and the Internet Engineering Task Force (IETF) have been pushing for change, which is now upon us. This will impact network architecture and devices.

    Risk: Loss of network communication. Network appliances rendered unusable. Risk assessment has been de-prioritized historically.

    Recommendation: Determine organizational readiness for IPv6 deployment. At a minimum, the organization should have begun a risk assessment process to assess its readiness to implement IPv6 and identify potential areas that require remediation. Assess the current organization structure and plan to deal with these issues, and determine how this thinking is being incorporated into current and planned IT initiatives.

  • 4. Analytics

    Issue: Everyone is talking about Big Data, which by itself is meaningless without the ability to analyze and interpret data. Analytic technologies and methods have evolved significantly in the last 18 months.

    Risk: Struggling to produce relevant operational reports, yet driving business decision making off unstructured analyses (e.g., web statistics). Investment in big data does not produce results. Increased data life cycle risk (e.g., personally identifiable information).

    Recommendation: Effective analytics are based on foundational data layers. Need to understand what analytics are planned and then assess risk based on usage. Perform a detailed audit which evaluates foundational data layers, data governance, the statistical methodology used, and the use of technologies (e.g., visualization).

  • Defining Internal Audit Analytics: from sourcing facts to driving understanding to generating knowledge

    The use of analytics can enhance your ability to better manage risks associated with your audits.

    It will help identify the facts that will provide clear understanding of risks and provide the knowledge required to manage these risks across the group.

    The ultimate objective is to develop and implement an analytics capability that provides greater ability, confidence and insight into each of your audits.

    (Diagram: Facts, Understanding, Knowledge)

    What is happening in each of the audits?

    Once data is sourced and reliable, the process should maintain the integrity of the data.

    Some of the tests that can be performed to better address the risks and controls are:

    Bespoke test creation based on risks identified in audit planning

    Finding correlation between the multiple data sources to learn more about the behavior and patterns of processes

    Why is it happening?

    Once a control failure has been identified and quantified, the focus moves t...
