Audit Connection - Spring 2015 Issue 9


The Audit Connection Collaborating for Enterprise Excellence

Spring 2015, Issue No. 9

Inside this issue:

MEMO TO MANAGERS: Four ways you can help mitigate our rising cybersecurity risks (pages 1-2)
Documenting Standard Operating Procedures (pages 2-3)
Return of the Departmental Self-Assessment (pages 3-4)
The Benefits of Professional Associations (pages 5-6)
New Audit Team Member (page 6)

MEMO TO MANAGERS
Four ways you can help mitigate our rising cybersecurity risks
Clay Sprouse, Chief Audit Officer

As FBI Director James Comey recently stated, “There are only two types of companies when it comes to cybersecurity. Those that have been hacked and those that do not know they’ve been hacked.” With so many potential entry points to our company’s network (smart phones, tablets, laptops, etc.), the bottom line is that cybersecurity risks have increased for all organizations, including ours.

Understanding and Managing Our Cybersecurity Risk

As a manager, you have a responsibility to help protect our organization’s sensitive information, including personnel, financial, and strategic data, and to thwart potential risks. Consider taking the following steps to protect yourself, your employees, and our organization online:

1. Be sure your employees complete and understand the training provided by both our compliance department and IT/Information Security. Make sure your team is getting the information they need to effectively protect our organization from cybersecurity risks.

2. Teach employees how to spot phishing emails and report suspicious emails. When applicable, use case studies from real security breaches to highlight the importance of being vigilant when accessing websites, logging onto the network from other devices, and clicking on links embedded in emails.

3. Understand your role in protecting your employees’ personal information. Do not work on compensation or other sensitive employee information on an unsecured network or on a device that does not have the appropriate encryption technology.

4. As always, be there to answer their questions; this is crucial for fostering a culture of compliance. Support a speak-up culture by demonstrating that when your employees aren’t sure what to do, they know they can talk to you.

Compliance with our technical guidelines does not automatically equal security. Even the most compliant organizations have experienced or will experience a security breach at some point. But we should all be proactive about ways to deter, detect, and remediate should a breach occur in our organization, and your contributions are critical to that equation.

Internal Audit Staff
Clay Sprouse, CAO
Kathleen Boyd, Assoc. Director
Crystal Corey, Audit Manager
Will Barnes, Senior Auditor
Sheryl Brown, I.T. Auditor
Rufus Copeland, Auditor
Sarah Wilder, Auditor
Lisa Kedigh, Admin. Asst. III
Nilda Treska, Audit Intern
John Bourassa, Audit Intern

The Office of Internal Audit's purpose is to support the mission and vision of the Georgia Regents Enterprise by: providing independent and objective management evaluations; identifying actual and potential problems; providing corrective guidance; developing management recommendations; and providing consultative services in accordance with professional internal auditing standards and compliance review guidelines.

We are here to help you! 706-721-2661 gru.edu/admin/oia


Ask the Auditor! We invite you to send your questions to internal_audit@gru.edu, and we may feature them in future issues. 1120 15th Street, Augusta, GA 30912 | Phone: 706-721-2661 | Fax: 706-721-9094



Q&A: Questions of the Month

Q: I know one of my employees is transporting our intellectual property on an unsecured device. Our IT training says we shouldn’t do that. How should I address the situation with them?

A: You should direct your employee to the relevant IT Security/Compliance policy. The employee should be required to remove the content from the device as soon as possible.

Q: Doesn’t IT own cybersecurity risk? Why am I getting this message from the compliance office?

A: While this risk area is technical in nature, much of cybersecurity risk is related to human error. The compliance team works with you to help educate and train your employees to ensure that our organization is protected. We work hand-in-hand with our more technical colleagues to ensure you have the tools you need to assist the employees that report to you.

RESOURCE
Webcast: Cybersecurity for Ethics & Compliance Pros: The New E&C Frontier
Source: Compliance Communicator, Professional Content for your Ethics & Compliance Newsletter.

Documenting Standard Operating Procedures
Crystal Corey, Audit Manager

No one wants to actually spend time documenting what they do and how they do it! It's time consuming, and you could actually be “doing” it rather than writing it down, right? Well, consider if an employee in your department was going on vacation for two weeks and you were responsible for covering his/her job responsibilities. Would you even know what he/she is responsible for, much less how to execute? Standard Operating Procedures (SOPs) would be very helpful in this situation!

What are SOPs, and why are they important?

SOPs are written documents detailing processes that can be used as guidance for completing internal, repeatable, specific tasks and/or projects. The purpose of an SOP is to ensure services and/or products are delivered accurately and consistently, in effect playing a crucial role in business success.

Four important reasons for documenting SOPs:

- Holds employees accountable: expectations/responsibilities are documented; employees know how to execute them; and their actions can be measured against the SOP. This eliminates ambiguity in processes.


- Identifies inefficiencies/leans processes: “seeing” a process can help you evaluate how sensible and efficient the process is and how it can be streamlined.
- Serves as a great training tool: in times of employee turnover and process change, as we have all experienced at GRU, they ease training and assist new employees with understanding how to complete tasks.
- Facilitates business continuity: in the event an employee is absent, business can continue as normal without interruption.

You may ask yourself, how do I get started? 


1. Make an inventory listing of any repeatable tasks you/your department performs. Use self-evident names so the process can be easily identified by a new user.
2. Identify the steps to complete each task. Assume you are writing the process as a training guide for new hires; detail should be clear, useful, and kept at the level that would allow a new hire to follow the steps successfully.
3. Identify timetables of relevant deadlines and events. For example, if a task needs to be performed quarterly, then specify.
4. Test SOPs by swapping with other employees for understanding and execution. This will identify points needing clarification, errors, and omissions.
5. Establish an owner for each of the procedures, include dates and version numbers, and review them periodically for gaps, inconsistencies, and changes to your business.

On a final note, the Office of Internal Audit recently documented its SOPs and worked with GRU’s Office of Institutional Effectiveness (IE) to identify inefficiencies/lean its audit planning process. In our next edition, read about the improvements made to our process with the help of IE.

Return of the Departmental Self-Assessment
Will Barnes, Senior Auditor

No, it’s not a sequel to a movie. The Departmental Self-Assessment (DSA) is a tool that departments can use to help determine if their internal controls are strong, need improving, or are nonexistent. You may ask yourself, what are internal controls? How can I figure out if we have strong controls? Or where do I go for help if I have questions? Well, that’s where the DSA can help you!

The DSA is a compilation of best business practices, helpful tools, and contact information related to specific areas of risk. Additionally, each area of risk has a questionnaire designed to be completed by directors, department administrators, business managers, department chairs, and/or whoever is primarily responsible for day-to-day operations of a unit.



The original DSA was released in 2008. With the help of experts from various campus units, the original version has been updated and is intended primarily for university and shared services units (a DSA for the medical center is in development). With the new version, Internal Audit has revised the procedures for implementing the DSA. Beginning this spring, unit management will receive an email with a link to a DSA section, which will be an electronic questionnaire. Management should complete and return the questionnaire to Internal Audit by the due date stated.

There are (currently) 35 sections in the DSA. For those who did not just faint (or once you have recovered), please know that units will be asked to complete only a few sections at a time. The process is designed to take only a limited amount of time to complete. The DSA sections will be sent out over a period of several months.

As a prequel to the sequel, here are 10 suggestions for good internal controls (thanks to Kevin Robinson, Executive Director of Internal Auditing at Auburn University). See how your unit would rate:

1. Set a strong example for the expectations of ethical behavior and compliance with laws/policies, and communicate your expectations routinely to your unit’s personnel.
2. Never sign something you don’t understand.
3. Limit signature authority, and don’t let anyone sign your name (an employee should sign their own name). Never use a signature stamp.
4. If something doesn’t make sense, ask questions about it until it does. Pay attention to what your employees are doing.
5. Be familiar with state policies and procedures. Be willing to call and ask questions.
6. Consider unique risks your unit may have (i.e., cash collections, contracts & grants, etc.), and ensure additional oversight is provided.
7. Ensure accounts are reconciled monthly, and review the reconciliation for any unusual transactions (this should include a review of payroll and leave reports).
8. Don’t let one employee have complete control of any process.
9. Keep offices and labs locked to protect property, data, and other resources. (Remember to shred paper documents with identifying information.)
10. Ensure state assets are used for state business.

And here is a bonus control for data security: ensure passwords and access are adequately controlled, data on mobile devices is encrypted, and personally identifiable information is stored and transmitted securely.

If you want a sneak peek, the DSA sections are available on the GRU Office of Internal Audit webpage at gru.edu/admin/oia/.


The Benefits of Joining a Professional Association
Rufus Copeland, Auditor

Have you ever wondered why a professional association membership is so important? The staff within the Office of Internal Audit at GRU understand the importance and know the benefits first hand. We are active members of the international professional association Institute of Internal Auditors (IIA), serving through the local CSRA chapter. The IIA-CSRA strives to make a meaningful impact on the members and the organizations they serve by offering local meetings and events that are affordable, convenient, and cover a variety of training topics. Feel free to visit the website below to learn more about the IIA-CSRA.

chapters.theiia.org/central-savannah-riverarea/Pages/default.aspx

If you are interested in furthering your career, joining a professional association could be a great start! There are a number of associations for nearly every profession or area of interest, and many have national, state, regional, and local chapters available to join. Anyone who is thinking of a professional organization membership should consider the following benefits:

Enhance Your Network

For most people, creating professional relationships where individuals are able to support and help one another in reaching their professional goals is important. Associations sponsor a number of events such as conferences and seminars throughout the year that allow you to connect with peers. These events provide you with an opportunity to ask for advice, learn best practices or new ideas, hear about the most recent issues and advances in your profession, and also meet and brainstorm with others who are looking to share and learn. Another benefit of enhancing your network is that you may find a mentor to help with your professional needs, or you may be in a position to become a mentor to someone else. Giving back can be the greatest reward and benefit.

Participating in forums, chat groups, or discussion boards sponsored by the association is also a great way to grow your network. This allows you to use your peers as sounding boards and often make some great friends with the same interests.

Take Charge of Your Career

Career resources are another important reason to consider membership. Connecting with colleagues within an association can open the doors to inside job leads. This is a great way to find targeted job postings for your area of interest. Additionally, many associations have career resources available such as tips on effective resumes or cover letters, job searching strategies, and negotiating techniques. Other benefits include information about seminars, training, or certification classes that may be suitable for you. And don't forget, listing your association membership on your resume is impressive to current and future employers, as it shows involvement and dedication to staying connected in your profession.


Broaden Your Knowledge

Another reason to join an association is to learn more or stay informed within your profession. Most associations provide members with access to resource information such as case studies, articles, and books written by experts in the field or area of interest. Additionally, associations provide a source for scholarship information, links to publications, and recognition for persons achieving excellence in their field. No matter your field, staying on top of all of these issues is important.

Conclusion

Membership in a professional association is an excellent investment for your future. Whether you are looking to learn about job postings in your field, network in your professional community, gain access to current events, or just have some fun while meeting new people, joining a professional association is a step in the right direction!

New Audit Team Member

The Office of Internal Audit is pleased to welcome Sarah Wilder to our team of auditors. Sarah graduated from GRU's Hull College of Business in December 2014 with a degree in accounting. She is currently pursuing her MBA at GRU. She was an intern in the Internal Audit office and is a member of the CSRA Chapter of the Institute of Internal Auditors.

