Displaying items by tag: IIA

Additional information

  • Country: Global
  • Event type: Free
  • Event start: Thursday, 19 August 2021
  • Event end: Thursday, 19 August 2021
  • Specialty: Internal audit
  • Event location: Online

Additional information

  • Country: Global
  • Event type: Paid
  • Event start: Monday, 20 September 2021
  • Event end: Thursday, 23 September 2021
  • Specialty: Accounting and auditing
  • Event location: Online

Additional information

  • Country: Global
  • Event type: Paid
  • Event start: Tuesday, 24 August 2021
  • Event end: Thursday, 26 August 2021
  • Specialty: Accounting and auditing
  • Event location: Online

The Internal Audit Foundation is conducting a global research study on internal audit practices.

Additional information

  • Content in English: Assessing Internal Audit Practices Globally
    Thank you for your interest and willingness to participate in this survey. It will take approximately 20 minutes to complete.

    The purpose of this research is to establish a global snapshot of the practices of the internal audit profession, which will help The IIA review the current usage of the International Standards for the Professional Practice of Internal Auditing and plan for future development.

    Please note that your responses are anonymous. In addition, information will only be reported in aggregate and we will only disclose general information about respondents. The outcome of this research will be shared with practitioners, academics, and stakeholders.

Year after year, cybersecurity has held a prominent place on organizations' risk registers. The reasons are simple enough: cyber risks are constantly evolving, while the level of harm they can cause has grown to the point that they can pose an existential threat to companies.

Additional information

  • Content in English: Year on year, cybersecurity has featured prominently on organizations' risk registers. The reasons why are simple enough: Cyber risks are constantly evolving, while the level of harm they are capable of has grown to such an extent that they can pose an existential threat to businesses.

    Unfortunately, rapid changes in technological risks are not necessarily being matched with increased IT awareness among executives, potentially fueling an unrealistic (and unjustified) belief that organizations are adequately prepared to meet emerging cyber and IT threats. During The IIA's General Audit Management conference held in March, Nathan Anderson, senior director of internal audit at fast food chain McDonald's, warned that more times than not, management will have an overly confident take on the company's coverage of cybersecurity risks. "That's the kind of reassuring message you often want to give to a board, but in many cases … the level of confidence might be above what is justified," Anderson said.

    Now more than ever, internal auditors need to understand and continually stay abreast of cyber threats. They must also understand what those charged with cybersecurity are doing to manage risks, what measures business unit leaders are taking, how well employees are complying with established procedures, and where vulnerabilities may lie in the extended enterprise.

    Securing the Supply Chain
    The recent hack on U.S. tech firm SolarWinds has shown just how vulnerable companies and their supply chains can be. The cyberattack — believed to have been conducted by Russian hackers and which went undetected for months — spread to the company's clients and allowed the attackers to spy on their activities: a serious problem when the client list includes the elite cybersecurity firm FireEye and the upper echelons of the U.S. government, including the Department of Homeland Security and Treasury Department. The high-profile hack prompted U.S. President Biden to issue an executive order for federal agencies to address supply chain security throughout the life cycle of software procured and used by the government. The message is clear: Software security vulnerabilities in one organization can open doors to others if preventive measures aren't taken.

    Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center in Mountain View, Calif., says over the past year software supply chain attacks have become "one of the most significant cyberthreats" organizations face. As such, he says, internal auditors should be pushing for the risk to be part of their cybersecurity reviews, if it isn't already included. In particular, internal auditors should check how much of an IT application or program is based on open-source software, he says. These are freely downloadable software components that account for the majority of code in commercial applications because they don't cost any money. Unfortunately, Mackey says, these components can easily bypass the normal vetting processes that an IT vendor would use if it were developing its own software, which means vulnerabilities are likely.

    The best way to gain assurance, he says, is to attain a full inventory of software assets "to identify if there are any unpatched open source vulnerabilities, but more importantly to also identify if there are missing updates or patches" to keep the organization's IT infrastructure and data safe. Indeed, ineffective patch management policies are often cited as one of the key IT threats to organizations as IT departments either forget to check for patches, or employees ignore calls to download and install them.

    Experts agree that third-party IT security flaws pose serious risks to organizations and therefore require a robust preventive response — with internal audit providing strong input. Shawn Chaput, strategy consultant at cybersecurity management and strategy consulting business Privity in Vancouver, British Columbia, says there are several key risks that should be on internal audit's radar, particularly around the use of cloud services and other third-party IT service providers.

    Identity and Access Management
    Chaput says organizations' increasing reliance on identity and access management programs has become the most important risk since cloud computing came to prominence. "As everyone moved to the cloud or started working from home, organizations had to adapt to this new 'zero trust' architecture where identity is the new perimeter," Chaput says. Though unfortunately, he says, these measures often fall short. "Even with authenticating individuals and hardware, phishing and spear-phishing appears to be highly effective in exploiting this decentralization of cybersecurity and granting nefarious actors unauthorized access to company funds or administrative access to cloud infrastructure," Chaput says.

    Supplier Management
    Supplier or third-party management program deficiencies are another key risk area. According to Chaput, with the transition to cloud services, organizations are more reliant on third parties to do the tasks they're supposed to, including handling data security. However, auditors should read the small print first. "The fact that clients may expect a cloud service provider (CSP) to do something and they don't is where due diligence prior to contract signing is important," he says. "The other relevant part of supplier management is the portability of the data you send to the CSP and whether you can actually get it back in some reasonable and useful format. Additionally, there is an increasing possibility that your CSP will be subject to a data breach of some sort — how you handle that needs to be determined well before it happens. The importance of this risk has increased, specifically since the SolarWinds hack."

    Chaput says the risk of a service provider having a breach — and what the organization should do if that happens — should also be on every internal auditor's cybersecurity risk agenda. "If you're not expecting to have a breach or for one of your major service providers to have a breach, you haven't been paying attention," Chaput explains. To mitigate the risk, he says, organizations need to consider how they should respond to the incident, how they should communicate the news internally and externally, and whether they need to switch providers immediately.

    Data Classification
    Internal auditors also should question the levels of security their organizations give to certain kinds of data they store in the cloud, Chaput says. "Many of our clients who use cloud service providers say 'we protect all of our data as though it is the highest sensitivity' instead of classifying and labeling the data to allow it to have different levels of security controls," he says. "If you don't classify your data, you're either underprotecting some of your data or overprotecting most of your data — and paying significantly more to the CSP than you need to."

    Talent Deficiencies
    Ultimately, Chaput says, the fact that the cloud encompasses so many different technologies and services lends itself to another difficult risk for organizations to manage — finding and retaining IT staff familiar with constantly evolving technology. "It used to be that you'd hire an individual based on their experience with a specific enterprise resource planning package, like SAP, or with some deep technical knowledge in a vendor platform like Cisco routing and switching," he says. "Now, it's different: You're hiring someone today to use something that may not actually exist yet but will become a dominant feature of your environment in less than a year." Chaput adds that the impact of such skills shortages "has been increasing substantially over the last few years as technology changes accelerate."

    Get to Know the Technology Team
    The ever-changing nature of cybersecurity threats means that internal audit needs to understand not only technology, but also the people in charge of implementing, overseeing, and using it. "If internal audit is to understand technological risks, it has to understand technology," says Kamal Dua, senior vice president and chief audit executive at U.S. defense, aviation, IT, and biomedical research company Leidos in Reston, Va. Likewise, he says, if the profession is to help mitigate cybersecurity risks, it needs to know how the chief information officer (CIO) and the chief information security officer (CISO) identify and mitigate these challenges and the approach they take to cyber risk management.

    "Internal audit needs to talk with and get to know the CIO and the CISO," Dua says. "Internal auditors need to understand how these functions work, and they need to form a deep and trusting relationship with them to provide the appropriate level of assurance to the company that cybersecurity risks are being properly identified, prioritized, and mitigated."

    He also says internal audit has a strong role to play in establishing a solid response to cybersecurity risks. Working alongside other assurance functions such as enterprise risk management (ERM) and, in his organization, the cyber counsel, Dua says organizations should establish — and regularly review and update — a cybersecurity risk framework, as well as examine the governance around the organization's IT architecture and cybersecurity risks. Moreover, he says, internal audit should review the cybersecurity policies and standards in place to see if they are appropriately aligned to the corporation's risk tolerance and whether they are understood and circulated internally. After reviewing the organization's risk registers, internal audit also should develop a heat map to see where critical cyber risks may appear, what impact they could have on operations, and how the risks are being mitigated.

    "It is important for internal audit to understand the company's ERM program, as well as understand where cybersecurity appears in the organization's risk heat map," Dua says. "You also need to develop a cyber risk assessment plan to assess what actions management is taking to mitigate cybersecurity risks and whether these need to be improved. At times internal audit functions can struggle to do this because they don't have the necessary level of in-house talent."

    Dua adds that audit functions often presume IT auditors have the knowledge and skills required to audit cybersecurity, even when those skills are lacking. "It is important for IT auditors to continuously upgrade their skills by obtaining academic qualifications or professional certifications that are focused on identifying and managing cybersecurity risks," he says.

    Some believe organizations should adopt a mix of low-tech and high-tech approaches to combat cybersecurity risks. In terms of low-tech, Jane Loginova, CEO of Radar Payments in London, says internal auditors should first focus on the "basics" — namely, ensuring that security policies are enforced internally and across channels and distributed networks, including core and cloud networks. "A lot of risk can be minimized by conducting regular checks and plugging security holes, settling on a unified security framework based on interoperability, centralizing visibility and control, segmenting the network to restrict the fluidity of malware, and deep integration," she says.

    In terms of high-tech, she advises organizations to invest in artificial intelligence (AI) capabilities. "Investing in AI-based security systems can significantly reduce digital attacks and spot suspicious activity," she says. "The best ones are integrated with artificial neural networks, which combined with deep-learning models can speed up data analysis and decision-making. The technology also enables the network to nimbly adapt to new information it encounters in the network."

    Faults on the Front Line
    Still, not all cybersecurity risks are technologically complicated. Indeed, the most often cited cybersecurity threat is from people — usually employees — ignoring protocols or using the technology incorrectly.

    Mark Guntrip, senior director, cybersecurity strategy, at cloud security firm Menlo Security in Mountain View, Calif., says one of the biggest cybersecurity challenges is end users circumventing security. "Companies put in place the security policies that they consider necessary to manage risk," he says. "However, if end users perceive policies as impacting their ability to get their job done, it's highly likely that they will attempt to work around the controls — not in a way to try and steal data or with any bad intention, but in fact to help the company, which puts security teams at a disadvantage." To address this problem, Guntrip says organizations should look to implement solutions that are "invisible" to end users. "Security that cannot be seen or felt cannot be circumvented," he says.

    Simon Hodgkinson, senior development director at IT security management specialist Reliance acsn in London, says internal audit must push for effective leadership from the top. "It should be clear everyone is accountable for cybersecurity, much like safety, and this should not be viewed as a problem the security team owns alone," he says. "The leadership team should sponsor behavioral awareness campaigns, and the board and executive team should regularly undertake crisis exercising for a cyber event."

    Hodgkinson adds that CAEs should work more closely with CISOs to jointly develop the internal audit plan and target resources to areas of the most concern and risk to the company. "Having the CAE and the CISO articulating a consistent and coherent view of the risk to the executive team and audit committee is a powerful way of balancing cyber and operational risk," he says.



    Other experts agree that effective cybersecurity requires a strong "human touch." George Finney, chief security officer at Southern Methodist University in Dallas, says forming strong relationships more widely is vital if internal audit is going to play a key role in improving cybersecurity risk management and resilience. "Relationships are our most important currency when it comes to effective change," he says. "Employees are the biggest threat surface in an organization — but they are also the ones on the front lines that are in the best position to understand the business and what controls will work in the real world."

    Partnering With Business Units
    Finney says it is also important for internal audit to develop relationships with department heads. "While talking to the IT department is obviously a good start, it is also important to talk to other department heads," he says. "What IT risks have they identified and prioritized? What methodologies were used to assess these risks? And are they the same as those that the IT department has identified? If other department heads invite internal audit in to help with project reviews and to test risk controls, it sends a signal throughout the rest of the organization that the audit function is one to call in a crisis — and that is a huge win."

    In fact, Finney says one of the cornerstones to any successful cybersecurity risk management policy is to get enterprisewide buy-in. "I don't go out with a checklist and tell people where they are going wrong — I see every meeting/review as an opportunity to plan more effectively and to improve," he says. "It is more important to understand the thinking behind why people have taken the actions and decisions they have. If you approach audits from a positive perspective — rather than from the 'internal policeman' approach — you get fuller engagement."

    Finney says that since cybersecurity is such a key risk to every organization, it "should be used as an opportunity by internal audit to push for executive support for initiatives that you know need to happen." And he adds that when internal audit assesses cybersecurity policies and controls in different areas of the organization, it presents an opportunity to build relationships with clients. "We don't want people to be afraid of internal audit: We want them to partner with us and collaborate to improve."

    An Ongoing Threat
    Cybersecurity risks are here to stay — and they will continue to evolve, constantly calling into question controls and procedures put in place to minimize and mitigate the dangers. Recent high-profile hacks and other IT security disasters should remind internal audit to widen its focus away from just the technology to other equally dangerous aspects of cybersecurity risk, such as policy noncompliance among employees or lack of third-party cyber-resiliency. They should also be a reminder of vulnerabilities that could appear anywhere in the organization and the importance of collaborative effort. Internal audit can help bind together different parts of the enterprise to form a unified front against cyber threats and help keep the organization protected from would-be attackers.

The Institute of Internal Auditors (IIA) is waiving the application fee (up to US$210) for the Certification in Risk Management Assurance (CRMA) credential through 31 December 2021!

Additional information

  • Content in English: Follow the Road to CRMA Savings & Risk Readiness
    The IIA is waiving the application fee (up to a $210 value) for the CRMA credential* through 31 December 2021!

    Certification in Risk Management Assurance® (CRMA®)

    If you’re already a CIA and your goal is to become a trusted advisor to the audit committee and executive management in the critical areas of risk assurance, governance processes, or quality assurance, the CRMA credential is for you.

    Earning a certification is the best way to articulate your expertise in this essential area without saying a word. You can apply and register now then sit for the exam starting in October.

    Get Started.

    Risk Resources
    Risk-focused Training and Development

    Books & Research
    These new releases provide the latest risk assessment and management tools:

    NEW! CRMA Exam Study Guide and Practice Questions, 2nd Edition
    Managing Risk in Uncertain Times: Leveraging COSO’S New ERM Framework
    OnRisk 2021: A Guide to Understanding, Aligning, and Optimizing Risk- FREE DOWNLOAD
    The Internal Auditor's Guide to Risk Assessment, 2nd Edition
    The Speed of Risk: Lessons Learned on the Audit Trail, 2nd Edition
    Online Training
    Sharpen skills and prove competencies through online courses.

    Assessing Fraud Risks
    COSO Enterprise Risk Management Certificate Program (Self-study & Seminar/eSeminar)
    COSO Internal Control Certificate Program (Self-study and Seminar/eSeminar)
    Developing a Risk-based Audit Plan
Wednesday, 21 September 2022 13:58

Internal Audit Scholarship Program Expansion

Announcing the expansion of the Elevate scholarship program to include new merit-based CIA scholarships that cover application, training, and exam costs! If you or someone you know could benefit, apply today!

Additional information

  • Content in English: Elevate Internal Audit Scholarship Program
    The IIA and AuditBoard are proud to support the internal audit community through the Elevate Internal Audit Scholarship.

    Supporting The Internal Audit Community
    Elevate is a scholarship program that provides access to training for internal auditors through need-based and merit-based application criteria.

A call for dynamic presenters to share their ideas, tools, and resources with internal auditors from around the world at The IIA's 2022 International Conference, to be held 17-20 July in Chicago. Submit by 22 August 2021.

Additional information

  • Content in English: Call for Speakers
    2022 International Conference
    July 17–20
    McCormick Place Convention Center, Chicago
    Submission Deadline: August 22, 2021, 11:59 p.m. ET

    Overview
    This document has been developed as a guide for proposal submissions for the 2022 International Conference. We encourage all potential speakers to review this document prior to submitting a proposal for consideration.

    The theme for The IIA’s 2022 International Conference sets the stage to share new and forward-looking information and leading practices in the pursuit of excellence in internal audit. As internal auditors are increasingly becoming trusted advisors and an integral part of their organizations, they are compelled to broaden their arsenal of skills. This conference will prepare industry professionals to embrace and learn new technologies, and implement new tools and techniques to effectively respond to shifting business and risk landscapes. The goal is to equip the profession with the resources it needs to stay current with the latest developments and advancements to bring significant value to businesses around the world.

    We seek dynamic presenters who can engage their audience and conduct thought-provoking discussions. You are encouraged to participate by submitting a proposal to speak, noting the topic on which you would like to present within the education formats noted below.

    Topics of interest for the conference include:

If you are seeking to demonstrate your professional competence in internal auditing and want to gain a professional edge as an internal auditor, then you are looking for the Certified Internal Auditor certification.
