Displaying items by tag: Cloud

Nearly a quarter of internal audit teams intend to implement cloud-based audit management or governance, risk and compliance software this year, according to a new survey.

Additional information

  • Content in English: Nearly a quarter of internal audit teams intend to implement cloud-based audit management or governance, risk and compliance software this year, according to a new survey.

    The report, by the Institute of Internal Auditors’ Internal Audit Foundation and the audit, risk and compliance software developer AuditBoard, surveyed 134 internal audit leaders and found that 22 percent of the respondents indicated they intend to implement cloud-based technology this year, resulting in a majority of internal audit teams using a cloud-based audit management or GRC software for the first time.

    The findings come as more auditors implement cloud-based technology, especially during the pandemic when many organizations have shifted much of their workforce to remote work from home arrangements. Hesitancy over adoption of cloud technology is giving way to practical necessity.


    “While automation of administrative functions offers clear and immediate benefits, internal audit is discovering the technology’s potential to drive departmental and business value,” said IIA COO William Michalisin in a statement last month. “This survey shows a positive step forward, with 22 percent of respondents saying they plan to implement cloud-based technology this year. As this report suggests, technology doesn’t merely complement the internal audit function, it’s crucial to more effective practices, allowing us to focus where it matters most and to elevate our value to stakeholders.”

    Plans for greater use of cloud technology indicate that internal audit departments are moving nearer to the cloud technology adoption rates of other business functions like the IT department. Internal auditors cited a number of challenges they encountered last year. A 52 percent majority of the respondents said identifying and evaluating new and emerging risks was their top challenge in 2020, while 43 percent cited the need to collaborate remotely with internal and external audit stakeholders. Communication and follow-up with business owners was considered a top concern by 38 percent of the internal auditors who responded to the survey.

    The top uses for audit management software cited by the survey respondents were document management, issue and action plan management, and testing and work reviews. One respondent indicated that internal auditors have more time for strategic activities when their administrative activities are automated.

    “Many internal audit teams that have not yet shifted to a cloud approach are now set to reap the benefits of modernization — including gaining greater bandwidth for strategic, value-add activities — and will be better positioned to protect their organizations from new and emerging risks,” said AuditBoard chief marketing officer John Reese in a statement. “They'll also get to equal footing with other functions within their organization who have already made the move to cloud-based solutions.”

    The report points to some of the advantages of cloud-based solutions compared to other technologies in that they are often more secure than manual solutions and are easier to implement and administer than on-premise systems. Cloud-based systems are typically offered as a service, reducing the cost of maintenance and offering increasing value over time, as new features and improvements are added to benefit older and newer customers. Cloud-based investments are considered operational expenses, which are often favored by CFOs and may have a streamlined purchase process compared to on-premise investments, which are considered capital expenses, often subject to extra scrutiny. When choosing which approach to take, chief audit executives should familiarize themselves with the organization’s operational expense and capital expense approval processes, the report advises.

    Separately, former IIA president and CEO Richard Chambers, who recently left the IIA after running the organization for 12 years, has joined the board of SWAP Internal Audit Services, a company in the U.K., as its first independent non-executive director, starting April 1. He also recently formed his own firm, Richard F. Chambers and Associates LLC, with the mission of informing and inspiring internal auditors and illuminating the potential of the profession globally.

Year after year, cybersecurity has held a prominent place in organizations' risk registers. The reasons are simple enough: cyber risks are constantly evolving, while the level of harm they can cause has grown to the point that they can pose an existential threat to companies.

Additional information

  • Content in English: Year on year, cybersecurity has featured prominently on organizations' risk registers. The reasons why are simple enough: Cyber risks are constantly evolving, while the level of harm they are capable of has grown to such an extent that they can pose an existential threat to businesses.

    Unfortunately, rapid changes in technological risks are not necessarily being matched with increased IT awareness among executives, potentially fueling an unrealistic (and unjustified) belief that organizations are adequately prepared to meet emerging cyber and IT threats. During The IIA's General Audit Management conference held in March, Nathan Anderson, senior director of internal audit at fast food chain McDonald's, warned that more times than not, management will have an overly confident take on the company's coverage of cybersecurity risks. "That's the kind of reassuring message you often want to give to a board, but in many cases … the level of confidence might be above what is justified," Anderson said.

    Now more than ever, internal auditors need to understand and continually stay abreast of cyber threats. They must also understand what those charged with cybersecurity are doing to manage risks, what measures business unit leaders are taking, how well employees are complying with established procedures, and where vulnerabilities may lie in the extended enterprise.

    Securing the Supply Chain
    The recent hack on U.S. tech firm SolarWinds has shown just how vulnerable companies and their supply chains can be. The cyberattack — believed to have been conducted by Russian hackers and which went undetected for months — spread to the company's clients and allowed the attackers to spy on their activities: a serious problem when the client list includes the elite cybersecurity firm FireEye and the upper echelons of the U.S. government, including the Department of Homeland Security and Treasury Department. The high-profile hack prompted U.S. President Biden to issue an executive order for federal agencies to address supply chain security throughout the life cycle of software procured and used by the government. The message is clear: Software security vulnerabilities in one organization can open doors to others if preventive measures aren't taken.

    Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center in Mountain View, Calif., says over the past year software supply chain attacks have become "one of the most significant cyberthreats" organizations face. As such, he says, internal auditors should be pushing for the risk to be part of their cybersecurity reviews, if it isn't already included. In particular, internal auditors should check how much of an IT application or program is based on open-source software, he says. These are freely downloadable software components that account for the majority of code in commercial applications because they don't cost any money. Unfortunately, Mackey says, these components can easily bypass the normal vetting processes that an IT vendor would use if it were developing its own software, which means vulnerabilities are likely.

    The best way to gain assurance, he says, is to attain a full inventory of software assets "to identify if there are any unpatched open source vulnerabilities, but more importantly to also identify if there are missing updates or patches" to keep the organization's IT infrastructure and data safe. Indeed, ineffective patch management policies are often cited as one of the key IT threats to organizations as IT departments either forget to check for patches, or employees ignore calls to download and install them.

    Experts agree that third-party IT security flaws pose serious risks to organizations and therefore require a robust preventive response — with internal audit providing strong input. Shawn Chaput, strategy consultant at cybersecurity management and strategy consulting business Privity in Vancouver, British Columbia, says there are several key risks that should be on internal audit's radar, particularly around the use of cloud services and other third-party IT service providers.

    Identity and Access Management
    Chaput says organizations' increasing reliance on identity and access management programs has become the most important risk since cloud computing came to prominence. "As everyone moved to the cloud or started working from home, organizations had to adapt to this new 'zero trust' architecture where identity is the new perimeter," Chaput says. Though unfortunately, he says, these measures often fall short. "Even with authenticating individuals and hardware, phishing and spear-phishing appears to be highly effective in exploiting this decentralization of cybersecurity and granting nefarious actors unauthorized access to company funds or administrative access to cloud infrastructure," Chaput says.

    Supplier Management
    Supplier or third-party management program deficiencies are another key risk area. According to Chaput, with the transition to cloud services, organizations are more reliant on third parties to do the tasks they're supposed to, including handling data security. However, auditors should read the small print first. "The fact that clients may expect a cloud service provider (CSP) to do something and they don't is where due diligence prior to contract signing is important," he says. "The other relevant part of supplier management is the portability of the data you send to the CSP and whether you can actually get it back in some reasonable and useful format. Additionally, there is an increasing possibility that your CSP will be subject to a data breach of some sort — how you handle that needs to be determined well before it happens. The importance of this risk has increased, specifically since the SolarWinds hack."

    Chaput says the risk of a service provider having a breach — and what the organization should do if that happens — should also be on every internal auditor's cybersecurity risk agenda. "If you're not expecting to have a breach or for one of your major service providers to have a breach, you haven't been paying attention," Chaput explains. To mitigate the risk, he says, organizations need to consider how they should respond to the incident, how they should communicate the news internally and externally, and whether they need to switch providers immediately.

    Data Classification
    Internal auditors also should question the levels of security their organizations give to certain kinds of data they store in the cloud, Chaput says. "Many of our clients who use cloud service providers say 'we protect all of our data as though it is the highest sensitivity' instead of classifying and labeling the data to allow it to have different levels of security controls," he says. "If you don't classify your data, you're either underprotecting some of your data or overprotecting most of your data — and paying significantly more to the CSP than you need to."

    Talent Deficiencies
    Ultimately, Chaput says, the fact that the cloud encompasses so many different technologies and services lends itself to another difficult risk for organizations to manage — finding and retaining IT staff familiar with constantly evolving technology. "It used to be that you'd hire an individual based on their experience with a specific enterprise resource planning package, like SAP, or with some deep technical knowledge in a vendor platform like Cisco routing and switching," he says. "Now, it's different: You're hiring someone today to use something that may not actually exist yet but will become a dominant feature of your environment in less than a year." Chaput adds that the impact of such skills shortages "has been increasing substantially over the last few years as technology changes accelerate."

    Get to Know the Technology Team
    The ever-changing nature of cybersecurity threats means that internal audit needs to understand not only technology, but also the people in charge of implementing, overseeing, and using it. "If internal audit is to understand technological risks, it has to understand technology," says Kamal Dua, senior vice president and chief audit executive at U.S. defense, aviation, IT, and biomedical research company Leidos in Reston, Va. Likewise, he says, if the profession is to help mitigate cybersecurity risks, it needs to know how the chief information officer (CIO) and the chief information security officer (CISO) identify and mitigate these challenges and the approach they take to cyber risk management.

    "Internal audit needs to talk with and get to know the CIO and the CISO," Dua says. "Internal auditors need to understand how these functions work, and they need to form a deep and trusting relationship with them to provide the appropriate level of assurance to the company that cybersecurity risks are being properly identified, prioritized, and mitigated."

    He also says internal audit has a strong role to play in establishing a solid response to cybersecurity risks. Working alongside other assurance functions such as enterprise risk management (ERM) and, in his organization, the cyber counsel, Dua says organizations should establish — and regularly review and update — a cybersecurity risk framework, as well as examine the governance around the organization's IT architecture and cybersecurity risks. Moreover, he says, internal audit should review the cybersecurity policies and standards in place to see if they are appropriately aligned to the corporation's risk tolerance and whether they are understood and circulated internally. After reviewing the organization's risk registers, internal audit also should develop a heat map to see where critical cyber risks may appear, what impact they could have on operations, and how the risks are being mitigated.

    "It is important for internal audit to understand the company's ERM program, as well as understand where cybersecurity appears in the organization's risk heat map," Dua says. "You also need to develop a cyber risk assessment plan to assess what actions management is taking to mitigate cybersecurity risks and whether these need to be improved. At times internal audit functions can struggle to do this because they don't have the necessary level of in-house talent."

    Dua adds that audit functions often presume IT auditors have the knowledge and skills required to audit cybersecurity, even when those skills are lacking. "It is important for IT auditors to continuously upgrade their skills by obtaining academic qualifications or professional certifications that are focused on identifying and managing cybersecurity risks," he says.

    Some believe organizations should adopt a mix of low-tech and high-tech approaches to combat cybersecurity risks. In terms of low-tech, Jane Loginova, CEO of Radar Payments in London, says internal auditors should first focus on the "basics" — namely, ensuring that security policies are enforced internally and across channels and distributed networks, including core and cloud networks. "A lot of risk can be minimized by conducting regular checks and plugging security holes, settling on a unified security framework based on interoperability, centralizing visibility and control, segmenting the network to restrict the fluidity of malware, and deep integration," she says.

    In terms of high-tech, she advises organizations to invest in artificial intelligence (AI) capabilities. "Investing in AI-based security systems can significantly reduce digital attacks and spot suspicious activity," she says. "The best ones are integrated with artificial neural networks, which combined with deep-learning models can speed up data analysis and decision-making. The technology also enables the network to nimbly adapt to new information it encounters in the network."

    Faults on the Front Line
    Still, not all cybersecurity risks are technologically complicated. Indeed, the most often cited cybersecurity threat is from people — usually employees — ignoring protocols or using the technology incorrectly.

    Mark Guntrip, senior director, cybersecurity strategy, at cloud security firm Menlo Security in Mountain View, Calif., says one of the biggest cybersecurity challenges is end users circumventing security. "Companies put in place the security policies that they consider necessary to manage risk," he says. "However, if end users perceive policies as impacting their ability to get their job done, it's highly likely that they will attempt to work around the controls — not in a way to try and steal data or with any bad intention, but in fact to help the company, which puts security teams at a disadvantage." To address this problem, Guntrip says organizations should look to implement solutions that are "invisible" to end users. "Security that cannot be seen or felt cannot be circumvented," he says.

    Simon Hodgkinson, senior development director at IT security management specialist Reliance acsn in London, says internal audit must push for effective leadership from the top. "It should be clear everyone is accountable for cybersecurity, much like safety, and this should not be viewed as a problem the security team owns alone," he says. "The leadership team should sponsor behavioral awareness campaigns, and the board and executive team should regularly undertake crisis exercising for a cyber event."

    Hodgkinson adds that CAEs should work more closely with CISOs to jointly develop the internal audit plan and target resources to areas of the most concern and risk to the company. "Having the CAE and the CISO articulating a consistent and coherent view of the risk to the executive team and audit committee is a powerful way of balancing cyber and operational risk," he says.



    Other experts agree that effective cybersecurity requires a strong "human touch." George Finney, chief security officer at Southern Methodist University in Dallas, says forming strong relationships more widely is vital if internal audit is going to play a key role in improving cybersecurity risk management and resilience. "Relationships are our most important currency when it comes to effective change," he says. "Employees are the biggest threat surface in an organization — but they are also the ones on the front lines that are in the best position to understand the business and what controls will work in the real world."

    Partnering With Business Units
    Finney says it is also important for internal audit to develop relationships with department heads. "While talking to the IT department is obviously a good start, it is also important to talk to other department heads," he says. "What IT risks have they identified and prioritized? What methodologies were used to assess these risks? And are they the same as those that the IT department has identified? If other department heads invite internal audit in to help with project reviews and to test risk controls, it sends a signal throughout the rest of the organization that the audit function is one to call in a crisis — and that is a huge win."

    In fact, Finney says one of the cornerstones to any successful cybersecurity risk management policy is to get enterprisewide buy-in. "I don't go out with a checklist and tell people where they are going wrong — I see every meeting/review as an opportunity to plan more effectively and to improve," he says. "It is more important to understand the thinking behind why people have taken the actions and decisions they have. If you approach audits from a positive perspective — rather than from the 'internal policeman' approach — you get fuller engagement."

    Finney says that since cybersecurity is such a key risk to every organization, it "should be used as an opportunity by internal audit to push for executive support for initiatives that you know need to happen." And he adds that when internal audit assesses cybersecurity policies and controls in different areas of the organization, it presents an opportunity to build relationships with clients. "We don't want people to be afraid of internal audit: We want them to partner with us and collaborate to improve."

    An Ongoing Threat
    Cybersecurity risks are here to stay — and they will continue to evolve, constantly calling into question controls and procedures put in place to minimize and mitigate the dangers. Recent high-profile hacks and other IT security disasters should remind internal audit to widen its focus away from just the technology to other equally dangerous aspects of cybersecurity risk, such as policy noncompliance among employees or lack of third-party cyber-resiliency. They should also be a reminder of vulnerabilities that could appear anywhere in the organization and the importance of collaborative effort. Internal audit can help bind together different parts of the enterprise to form a unified front against cyber threats and help keep the organization protected from would-be attackers.

With so many of us working from home because of the coronavirus, working with clients as efficiently as possible has become more important than ever.

Additional information

  • Content in English: How to collect documents from clients while working remotely
    PRACTICE MANAGEMENT, WORKFLOW TOOLS
    April 23, 2020 / Mariette Martinez, EA
    With the tax deadline postponed and many of us working from home due to the coronavirus, being as efficient as possible with the way we work with clients is more important than ever. To be successful, we need to move more clients online. This starts with operating a 100 percent cloud-based practice and implementing an effective process for document collection.

    Since my clients’ technical skills varied from highly tech savvy to new online app users, it was essential that the technology and client implementation would be seamless and user friendly for my multiple client types. I also wanted to keep our workflow as simple as possible, so using the fewest number of applications would create the best-case scenario. I wanted to synchronize what I had already implemented in my current operational workflow, while partnering that with serving my clients’ needs to stay connected. Ultimately, these processes provide me the necessary documents to keep our work flowing seamlessly.

    I know that making these kinds of changes in your practice isn’t easy – and it takes time, especially now that we’re sheltering in place. According to an Intuit® Accountant Panel survey in March 2020 that asked about the most pressing issues due to the coronavirus, 42 percent of the 247 respondents said that getting documents from their clients was by far their biggest struggle when working virtually.

    Whether you’re very experienced in collecting documents from your clients without seeing them in person – or if this is new for you because of the coronavirus, here are several best practices I can share to make the process easier.

    The essence of a strong document collection platform, also referred to as a document portal, is a centralized, secure location to share documents and collaborate with clients and staff.

    We chose Citrix ShareFile for our preferred solution, but several other options include Box, Dropbox, Google Drive, SmartVault and Intuit Link.

    Several platforms allow firms to personalize the document portal experience with their firm branding to provide a more trusted and professional client experience. These document platforms also commonly enable:

    • Collaborating on documents and editing in real time.
    • Encrypted client requests with notifications and reminders.
    • Encrypted email for those times when email is the best way.
    • Sending and receiving of large files.

    Most importantly, the document collection solution you choose should include a high level of encryption for your files, large space storage capabilities that can scale with your firm, and online and desktop automated syncing of all stored files. You definitely don’t want to encourage clients to send you their documents over email. The bottom line is that you and your clients should be able to securely share, collect, and collaborate on documents no matter where you are.

    In addition, several platforms integrate with other helpful tools. One of my favorite integrations is Slack with Google Drive. What are some of your favorite integrations? Leave a comment below to share your recommendations.

    One other concern: What do you do if your clients don’t want to send you their documents through the cloud? These “shoebox” clients may not be tech savvy and prefer physically dropping off their information to you, but if you’re working remotely and cannot see them in person, what do you do? You don’t want to lose a long-term client, so here are several recommendations:

    • Sit down with them over a phone conversation, or if they can figure it out, a web call, to explain how your portal works. Walk them slowly through the process and perhaps have them practice or test uploading something to you.
    • Record a quick video that also explains the process and send this to your clients who may need help using the platform. You can also include a link to the video in your email signature. Here’s an example of this type of video.
    • If a client absolutely insists on dropping off or mailing their documents, the best advice I can give is to go with the flow, and ensure your clients have a secure, private place to leave their documents with you outside your place of work to avoid contact during drop off. Most likely, this will be a very small slice of your client base.

    When you find and implement the winning platform, you not only stay safe during this time of social distancing, but you will save time on document collection in your practice and witness the magic of productive collaboration. Good luck!

The worst passwords of 2020, and tech stories you may have missed!
Wednesday, 30 December 2020 18:26

Five technology predictions for 2021

There is no doubt that 2020 was a turbulent year, and I think we all felt we were in stormy seas for a while.

Additional information

  • Content in English: 5 enterprise technology predictions for 2021
    By Stephen Boals
    December 28, 2020 12:06 PM

    There is no doubt that 2020 was a turbulent year, and I think we all felt we were out to stormy seas for a bit. But winter has arrived and, with it, another cold breath of uncertainty. Where do we go from here when examining our strategic imperatives? Do we have a crystal ball to predict what will happen in the coming year? Well, I whipped out my crystal ball (actually, I had really long conversations with industry experts, customers and partners, and scrutinized a lot of research) to make some predictions for 2021.

    Remote work until fall
    Optimistic people believe we will be back and lounging in the corporate offices by spring. If you are in sync with Bill Gates, we are just over halfway through the pandemic. I think we are somewhere in between, with most agreeing on a fall timeline for returning to the office. But will we really ever get “back” to the office? 2021 will be the year of the hybrid work mode, with over half of our workforce on a permanent WFH plan.
    Hackers will target remote workers
    Long gone are the days of the corporate firewall, accompanied by all assets locked down virtually behind this protective measure. I cannot imagine dealing with hundreds or thousands of remote access employees, giving them office-like access to private company resources and ensuring the security for those assets. Outside of the corporate domain, end-user home networks and computer assets are now vulnerable to hackers as a path to the center of the corporate domain — at higher levels than ever before. I compare the vulnerability of COVID-19 and the ICU bed count: IT can handle remote access at lower rates but now that everyone is working remotely, this surge of activity can overwhelm both small and large organizations looking to protect their realm.

    Cloud revenue will skyrocket
    You can no longer kick the can down the road. The cloud is here and the migration of resources is inevitable. We are seeing cloud interest from verticals that never before would have considered it an option. Financial services, healthcare and other industries are realizing they have to be prepared for unplanned and uncertain events. Holding out in their on-premise bastions is hampering their agility and flexibility. I was on a panel last week about the rise of the cloud and leveraging multiple cloud providers. One of the participants likened the cloud to the invention of electricity and the pervasive electrical grid. If you are one of the holdouts using candles and all the competition has electrical lights, machinery and heat, you will lose.
    On-premise ERP will die
    ERP systems have always been an on-premise ball-and-chain for the enterprise, preventing movement to the cloud. Their disorganized, tangled web of customizations, satellite apps, reports and sunk costs was the bane of the accounting world, as well as a blockade on the high road to “cloudness.” I have seen a noticeable shift in the desire to recreate the ERP app web through SaaS offerings and a strategy of public and private cloud offerings. The rise of integration platforms (iPaaS) has also made data transport and migration a seamless, affordable exercise. In the past, this was either not possible or prohibitively expensive.
    Businesses will reinvent themselves — again
    The only certainty is uncertainty as we breach the wall to exit 2020 and arrive in the new year. Flexible and agile digital organizations will be able to weather challenges and storms that the upcoming year will bring. Businesses that can reorganize and reinvent will be the winners.

    How will your organization fare in 2021?

    https://www.accountingtoday.com/list/5-enterprise-technology-predictions-for-2021
Thursday, 03 December 2020 14:20

Accountants in an Age of Permanent Uncertainty

When you look at all the ways the coronavirus has disrupted our lives, it is natural to dream of a time after the pandemic.

With the emergence of the coronavirus crisis, companies of all sizes are figuring out how to operate in a work-from-home environment.

Thursday, 22 October 2020 12:47

The Future of Financial Services

What is the future of financial services?