Interesting discussion on IT Audit findings, worth reading!
I have news; Audit Monkey has been doing some IT Audit work and has come across the following weaknesses. However, I’m unsure whether these are weaknesses and the implications. So, to assist me, I’m going to let you, the reader, decide. In no particular order:

Top IT Challenges & Audit: Protiviti Survey 2012

Information Security (including data privacy, storage and management) ranked #1 among the top technology challenges faced by organisations, according to 2012 IT Audit Benchmarking Survey conducted by Protiviti, a global consulting firm operating in over 20 countries. Protiviti conducted the survey at the end of September 2012 with 1,000 people from companies with 100+ employees.

Cloud computing, social media, risk management & governance and regulatory compliance followed the list of top technology challenges.

IT Audit

The survey hints that a large of number of organizations may be understaffed in terms of IT Audit capabilities in their internal audit functions. Organizations are meeting this gap with guest auditors, co-source providers and outsource IT audit function. 

While the survey indicates a significant gap in the IT audit capabilities of many organizations, 48% of small companies are  not using any outside resources, clearly indicating  that these organizations lack necessary skills and resources to manage IT risk. 

In-house internal audit department lacking the specific skill sets seems to be the major reason for organizations using external resources to meet the IT audit requirements. 67% of the participants expressed this opinion, which stood at 62%  in 2011. This clearly indicates, the organizations are increasingly looking forward to avail the services of experienced and qualified IT auditors, while keeping the costs low.
Considering the fact that a significant number of companies have limited or no resources devoted to IT Audit,   the survey concludes that a number of  organizations are not in compliance with Standard 1210.A3 stipulated by the IIA. 

IIA Standard 1210.A3  Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.

 IT Audit Risk Assessment

Considering the pace of technology proliferation in organizations IT implementation and business models as well as the changing threat scope in general, IT audit risk assessment needs to be carried out on an ongoing process and at least in a quarter. Interestingly, only 13% of the organizations are conducting the risk assessment at this frequency and as many as 65% of the organizations conduct at annual intervals !! This clearly indicates,  majority of organizations are NOT keeping pace with the rate of technology change, emerging new threats and innovations in the organizations.


On a positive note, 86% of the organizations adopted a framework to based their IT Audit Risk Assessments with COBIT (63%) and COSO (43%) leading the list.

IT Governance

The survey tested the organizations’ IT Governance processes as against the IIA standard to ensure the internal audit function assesses whether the IT Governance sustains and supports organization’s business strategy and objectives.

IIA Standard 2110.A2 – The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives.

Unfortunately, responses from about three fourths of the organizations indicate that IT Governance process is NOT a priority.

The survey also covered other aspects like training, gaps in audit plan and can be accessed  from http://www.protiviti.com/en-US/Documents/Surveys/2012-IT-Audit-Benchmarking-Survey-Protiviti.pdf

Data Protection & Privacy: Data Breach in Greece

Greek Man Accused of Stealing Data of 9 Million Citizens

Greece is in news again, for all wrong reasons. This time it is not the ever failing economy or bailout plans from one more country or authority. A Greek man has been arrested on suspicion of having stolen 9 million personal data filesin what is believed to be the biggest breach of private information the country has ever seen. The 35-year-old accused was found in possession of the data files that included identity card details, tax numbers, vehicle license plate numbers and home addresses.

General legal framework  in Greece

Personal data processing and protection in Greece is mainly regulated by Law 2472/1997 known as the Data Protection Act (DPA), implementing Directive 95/46/EC. The DPA regulates the automatic or manual processing of data relating to living identifiable individuals in connection with the provision of electronic communications, which are not publicly available. The DPA sets forth the basic terms and conditions relating to data collection and processing, imposes fundamental obligations on data controllers regarding all categories of data-related activities. The DP Authority receives complaints and have been levying penalties on data breach complaints received.

What abets the crime?

Interestingly, data breaches were observed in increased  proportion across the Globe during the years of recession and economic slowdown few years ago. Security experts warn that incidents of crime  are likely to increase during challenging economic times. There is  evidence from the large security monitoring networks showing that cyber crime attacks like phishing have already risen. With rising levels of uncertainty of employment &  negative growths in income, disgruntled employees might take sensitive data when they leave an organisation. Even for the honest worker, there is no guarantee, that he would return all assets like USB token and remember to erase entire company data from his personal devices. Further, with falling incomes, companies would try to cut all expenses, perhaps those on information security administration as well, in order to save few more pennies.

 What can be done?

Organisations should not see this as a case of ‘data loss’ alone,  and what they should remember is that the company’s reputation itself is at stake. In addition, don’t forget the penalties imposed due to Data Protection & Privacy Laws in force.  Organisations handling potentially sensitive data should not routinely invest in some data protection tools and gain false assurance, as these tools, despite having a positive role, suffer from many of the limitations of early intrusion detection and intrusion prevention systems like potentially high numbers of false positives and associated inconvenience to legitimate business users. In addition, these organisations should  invest sufficient time and effort in creating policies and practises – like access controls to key & critical applications, log management –  aimed at preventing data loss.

Educating the end-users  about their responsibilities to organisation and customer data, would be more effective than locking down USB ports or disallowing devices. The problem of data breaches is NOT just with the technology, as popularly perceived, and the solution lies more in focusing at the policies, processes and education. The returns on investment on these are more rewarding than on investments in technology.