
May 2015


NEWSLETTER Progress Through Sharing

Happy International Internal Audit Awareness Month!

As an internal audit professional, you play an important role in raising awareness and elevating the profession. Whether you are an active IIA member or new to internal auditing, there’s something you can do to raise awareness.

For example, you can customize your email signature and social media accounts with the International Internal Audit Awareness Month digital icon (depicted at right). You can hold a lunch-and-learn in your workplace to dispel myths about internal auditing and explain the value that a well-resourced, independent internal audit function can provide. You can also distribute sweet treats or tokens to coworkers with an educational flier about the profession.

Don’t let the opportunity pass to advocate the importance of internal auditing to your coworkers and other stakeholders. For additional ideas, sample programs, tips, and templates, download the free Building Awareness Toolkit from The IIA’s website.

As an important THANK YOU to all our local IIA members and others who have supported our chapter by attending an IIA Spokane Chapter event any time during the last 8 months, we are offering our How to Audit Information Security luncheon (3 CPEs), with included catered lunch, for FREE!!†

Watch your email for a special discount code coming soon!

† Non-IIA members or attendees that have not attended an event are $25.00 ($8.33/CPE credit). Attendance is limited to the first 50 registrants.


IT Audit Corner

Cybersecurity is broken

Ajay Arora, CEO, Veradocs

You don't have to read the news or keep up with latest tech trends to be fully aware that many parts of daily life - the way we work, shop, travel and communicate - have all massively improved thanks to technology. Look no further than services like Uber, Shyp, Slack and Airbnb as examples of services that have enriched our lives in ways we hadn't imagined possible, fixing things we didn't even know were broken. But user-driven technology has progressed so rapidly that it has significantly outpaced technology's own ability to keep data protected from misuse and guarded from cyber vulnerabilities. And trust me, data is being collected all the time (as witnessed in the Iggy Azalea leak). A lack of reliable security is the price we've paid for this eruption of amazing new cloud-based services and keeping vital data out of the wrong hands is an uphill battle.

Anyone who tells you that your data is secure today is lying to you. The state-of-the-art that is cybersecurity today is broken. There must be a better way. But don't lose hope, there is.

There's no reversing the cloud and mobile technology revolution, but businesses live and die by protecting the information those services produce. Simply put, yet often overlooked, we need a better way to secure our most valuable assets.

Your data will escape: The “corporate boundary” is dead.

CIOs today need to adopt an entirely new security philosophy – one that hinges on the fact that your files and information will be everywhere. This is an innate part of our modern operating system and the price we pay for the benefits of the cloud. If we come to terms with this concept of a disappearing boundary, the way we tackle security takes on a wholly different approach and is much easier to wrap our arms around. If we can build a new security approach from the ground up based on the premise that data will escape, and are then able to secure everything no matter where it is, we end up debunking the concept of the “leak” entirely.

That's why my biggest frustration coming out of the recent Sony and Anthem hacks is companies opting for reactive solutions to fortify firewalls and secure siloed tunnels of information. For example, there was a major uptick in company-wide email-deletion policies in the wake of the Sony attack. Now that's just dumb. Those are band-aid strategies that fail to address the heart of the problem.

Just because security is visible, doesn't mean it works.

When the boundary is no longer the determinant of what's secure and not, the focus shifts to the relationship between people and disparate pieces of data. Maintaining a level of security in a boundaryless world means security and policy follow exactly what you're trying to protect in the first place — the data. In fact, a recent article in Harvard Business Review nodded towards the need for this change and begged the question, “If data is money, why don't businesses keep it secure?” Sony has already sunk a whopping $15M in response to its breach, but the glaring business impact of security is not just seen in the aftermath.

Usable security, where users can choose how they want to access, store and share data, can only be made possible by providing a seamless user experience, so security is integrated into the daily work of everyone. A great user experience is one major obstacle security vendors (and arguably, all enterprise services) have yet to conquer. If we can do it, we will move away from panic-inducing scare tactics used to encourage adoption, and instead empower users with a solution they actually like to secure data.

Does your company have data? Then you need to become a security company.

In 2013, reporters, businesses and analysts all proclaimed that every company had become, or was quickly becoming, a technology company judged on its ability to make sense of data and intelligently respond. In the years to come, every company will become a security company – and will only be as great as the security infrastructure protecting its data. That's because today, as almost all nooks and crannies of our lives are digitally tracked and analyzed, data has become human.

In order to be a security company, enterprises need to rethink a few things. First, users have to be in control of their data at any given point in time and should be able to revoke access when they want by utilizing familiar technology. They should have complete peace of mind that their data truly stays theirs. Second, in a cloud and mobile world there are no real controlled end-points anymore, unless we want to take a step back into the stone ages. And third, the firewall model is broken and trying to extend the perimeter out simply doesn't work anymore. It's about protecting the information, wherever it is, and not about locking everything down where it's hard to access, use and share for your employees and partners.

Bringing this full circle, I am unapologetically optimistic about the turning point we've reached. We've entered a new stage in technology where information-sharing and collaboration are more ubiquitous than ever. If we're going to move forward with successfully securing information in today's mobile, cloud-driven world, we must embrace an entirely new approach – one that accepts that leaks will happen, one in which users rule and one where every company is a security company – and work from there. If you think about it, a porous perimeter can actually be an exciting thing.

Read the original article HERE.


Upcoming Training Opportunities

Chapter Luncheons

MAY 2015

CYBERSECURITY AND AUDITING INFORMATION SECURITY

Wednesday, May 20, 2015

12:30 PM to 4:00 PM

The Lincoln Center

CYBERSECURITY

Nicole Tutt

Cyberattacks have increased tremendously in terms of volume and impact. Analysis of data breach incidents has produced some interesting statistics in regards to attack methodology and an organization's ability to both defend and discover compromises. Recent regulatory emphasis is focused on 'Cyber' - what does that mean? What are some strategies that organizations can utilize to protect themselves?

Nicole Tutt

INFORMATION SECURITY OFFICER

Spokane Teacher’s Credit Union

Nicole Tutt is the Information Security Officer at STCU. She has been working in Information Technology for 23 years with a focus on Information Security for the last 15. She holds a Master’s Degree in Information Security and Assurance along with CISSP, CISA, GPEN and GIAC ISO 27000 Specialist certifications among others. She is actively involved in the local chapter of the Information Systems Security Association (ISSA) and is a member of Infragard.

AUDITING INFORMATION SECURITY

Steve Hunt

Today's information = POWER. And MONEY. What is the value of your institution's information? What lengths would someone who has access to it go through to steal your information resources? Has your organization done enough to protect its information? Is anyone safe? Join us for a discussion of audit-related information security best practices and some information picked up at recent MIS Institute and SANS conferences, and for some information on how to best perform an audit of your institution's Information Security. We will also discuss industry best practices and other standards surrounding information security and how to protect yourself and your family from the ever-changing cyber risks.

Stephen Hunt

INTERNAL AUDITOR

AmericanWest Bank

Stephen Hunt is an Internal Auditor at AmericanWest Bank. He is a graduate of Eastern Washington University (EWU), with a Bachelor of Arts in Management Information Systems (MIS) and Business Management. He holds the IIA’s Certified Internal Auditor (CIA) certification and is scheduled to sit for the Certified Information Systems Auditor (CISA) and GIAC Systems and Network Auditor (GSNA) certifications this summer. He serves on the IIA Spokane Chapter Board. Stephen has been a previous speaker at local Institute of Internal Auditors (IIA) and Association of Credit Union Internal Auditors (ACUIA) events. He believes that information technology skills, while often overlooked, are a must for all internal auditors.


Schedule of Events

Spokane Chapter - Institute of Internal Auditors

2014 – 2015 Chapter Year

SEPTEMBER: Tuesday, 23rd; Excel: Intro to Macros; 1 CPE

OCTOBER: Tuesday, 28th; IT Risk – Keeping Your Business Off the Front Page of the Newspaper; 1 CPE

NOVEMBER: CANCELLED in lieu of the Annual ACFE Fraud Conference

DECEMBER: Thursday, 18th; Joint Holiday Luncheon with the ACFE; 2 CPEs

JANUARY: Thursday, 22nd; Cancelled

FEBRUARY: Thursday, 19th; Managing Compliance Risk with Third-Party Vendors; 2 CPEs

MARCH: Wednesday, 11th; COSO 2013; 2 CPEs

APRIL: Tuesday, 21st; Professional Skepticism; 2 CPEs

MAY: Wednesday, 20th; Auditing Information Security; 3 CPEs

JUNE: No scheduled events

JULY: No scheduled events

AUGUST: No scheduled events


Member Spotlight

The IIA Spokane Chapter will be spotlighting various chapter members each month to find out why the member chose their profession, what they do for fun (besides audit), and what has made them successful.

Member: Arletta Miller

Position: Staff Auditor

Company: AmericanWest Bank

Certifications: CPA, CFE

Education: BS from Brigham Young University; MBA from the University of Utah

Q: How did you become an internal auditor?

After getting my MBA I worked for a few years as an accountant/cash manager at an insurance company, then became an auditor at an Accounting firm working with publicly traded companies.

Q: What do you enjoy the most in your current position?

I like learning how everything works and how all the moving parts work together microscopically and macroscopically.

Q: What are some of the challenges you face in your current position?

Wondering how my job is going to look six months from now.

Q: If you were not an auditor, what would you be doing?

I’d probably be working in the medical field.

Q: What are your passions or hobbies outside of internal audit?

I enjoy reading and spending time with my family.

Q: Any special skills or experiences you are proud of as an internal auditor?

I pride myself on having a good working relationship with partners both in and out of my department. So much of auditing is based on people working with auditors and trusting them so that if there is an issue, it can be accurately identified; then appropriately resolved. The people we work with need to feel like they are part of the team and, therefore, the solution, for them to buy into it. If they don’t, the problem is more likely to perpetuate itself and no progress is made, no value added.

Q: Any word of advice to fellow internal auditors?

Be sure to keep priorities in place. Identify what is most important, what your goal is and protect it, work for it and don’t give up.


Job Postings

Contact Stephen Hunt, VP Communications, to include job postings in the newsletter and on the IIA Spokane website.

Senior Internal Auditor

University of Idaho President's Office

The University of Idaho seeks applications for a senior staff internal auditor to perform various types of financial, compliance, and operational audits of University functional areas, departments, and activities in accordance with professional auditing standards. Qualified applicants will have a bachelor’s degree with a major in accounting, finance, information systems, or other similar business areas and three years of relevant audit experience. This is a permanent full-time benefit eligible position. To learn more and submit an application, please visit jobs.uidaho.edu. Position closes on May 29, 2015.

Internal Auditor/Senior Internal Auditor

Northwest Farm Credit Services Internal Audit

Northwest FCS is seeking an Internal Auditor to join our Spokane-based Internal Audit team. Reporting to the Director-Audit, this full-time position will help evaluate management's internal controls and identify, assess and report on risk areas in the organization's loan portfolio. Audit work will include the evaluation of controls and activity in all areas, with travel to branch locations required approximately one week per month. To learn more and submit an application, please click HERE.

Back to Basics

Sometimes it’s good to get back to the basics of something we do every day. In this section of the newsletter we will review some of the basic skills and practices that internal auditors use on a daily basis.

About Yourself (And How Others See You)

Ed Gelbstein, Ph.D.

Click HERE to access the Original Article in the ISACA Journal.

This article begins an exploration of some of the human factors that play a role in an auditor’s success.

How Well Do You Know Yourself and How Do You Perceive Others?

“Know thyself” was one of the aphorisms engraved in the Temple of Apollo in Delphi in ancient Greece. More recently, it has become integrated into the science of emotional intelligence. Answering the question, “How well do you know yourself?,” with, “I do not know,” and/or “I do not care,” is likely to result in many dysfunctional relationships and very likely to result in a failed career as an auditor.

But beware: We often rely on self-assessments that may not be entirely objective. William Shakespeare said, “Men’s faults do seldom to themselves appear.” To assist in self-assessment, there are several well-established tools, such as the Myers-Briggs Type Indicator, the Keirsey Temperament Sorter and the Enneagram Test, all of which are readily available online and supported by qualified testers. In itself, it is good to have an understanding of your personality profile, but this is not enough. What really counts is how others see you. Feedback from others—friends, family, colleagues, bosses and more—is important. This requires you to accept what may be interpreted as criticism; something that is not always easy. And, of course, perception works both ways. However rational, well-adjusted and careful we are, our brains judge others, ranging from the “I admire this person” to “#@&#*$!” and everything in between. All of this happens even before we get to know the person properly. And, others are doing the same to you.

Similarities and Diversity

While in nature all humans are 99.9 percent similar to other humans, no two are genetically identical. Diversity makes life interesting and complex at the same time. Figure 1 shows some of the factors that make every one of us a genuine “individual”. If you add to this nurture factors, such as education, the result is that interpersonal communications are neither self-evident nor easy. Getting them wrong is just too easy within a single culture and even easier in the multicultural environment that is increasingly found in the corporate world.

The Key to Success is Credibility

How others perceive you matters because it will influence all interactions. The first set of attributes that support credibility relate to professional matters such as experience, achievements, qualifications, certifications, engagement in continuous education and, on the softer side, an individual’s awareness of what they know they know and what they know they do not know. We must assume that the domain of “what we do not know, we do not know” is not only nearly infinite, but that it keeps growing. Sometimes, auditors with limited experience are handicapped by a belief that they already know everything they need to know, and they make this clear to everyone who is willing to listen. It is difficult to recover from a loss of credibility in the eyes of the auditees. Soft skills include personal attributes that make interactions with others work well, i.e., those things that reduce friction, anxiety and suspicion, and those that support effective communication and avoid misunderstandings. A minimum set of soft skills involves the art of listening, writing and presenting, working with others (including teamwork), time and stress management, negotiations, conflict resolution, conducting interviews, and problem solving. The art of listening is especially important. In fact, the etymology of the word “auditor” derives from the Latin word “auditor” meaning a hearer. A future column will explore a range of soft skills in more detail. Given that we have to work with the brain we have, there are likely to be obstacles to overcome and other limitations, particularly when these involve changing the way we are and how we operate.

Bad Signs

A sensitive person will be quickly aware of how others react to them, both socially and professionally. If, at the planning stage of an audit, the reaction from the target entity includes an explicit wish that a particular individual not be involved, the signs are clear: failure to be recognized as a professional.


Other bad signs include auditees challenging the auditors’ findings as irrelevant or erroneous and/or making recommendations that describe how the corrective actions should be implemented. It is entirely possible that either party may be in the wrong. The same is true when auditees express concerns—officially or through the informal grapevine—of a lack of confidence, lack of trust or a suspicion of bias. If this should be the case, there is something fundamentally wrong, and if this is escalated to senior management and/or the audit committee, the chief audit executive may be held accountable for such failures.

Good Signs

An auditor who finds the right balance can establish long-term relationships with the auditees, based on mutual respect, trust and a clear understanding of the need to maintain independence, objectivity and confidentiality. A best-case scenario would see IS/IT professionals feeling comfortable with seeking the advice of their auditors (e.g., on how to conduct an audit-style self-assessment, on how to best prepare for an audit, on what other auditees have done on comparable issues). Auditees can be encouraged to ask auditors for independent advice as well as to watch and learn and, subsequently, use the knowledge gained to conduct a self-assessment of IT systems, operations and controls prior to the next audit. This self-assessment should be brutally honest and be shared with the IS/IT team. Sharing this with auditors would help considerably in scoping and focusing future audits.

Conclusions

Technical expertise is necessary, but not sufficient to be or become a successful auditor. That is, a successful auditor is one who is credible, respected and personable enough to be considered a valuable source of information and advice.

Having a good knowledge of oneself and the soft skills that facilitate human interaction is just as important as professional knowledge and, probably, harder to acquire. Being sensitive to how others perceive us is at least as important. “O would some Power with vision teach us to see ourselves as others see us! It would from many a blunder free us, and foolish notions.”

2014 – 2015 IIA Spokane Chapter Officers

Spokane IIA Chapter Officers elected for the 2014-2015 Chapter Year:

Title | Officer | Organization

Chapter President | David Gifford | AmericanWest Bank

VP Membership & Programs | Melanie Shanks | Spokane Teacher’s Credit Union

VP Communications | Stephen Hunt | AmericanWest Bank

Treasurer | Terra Kile | DeCoria Maichel and Teague P.S.

Secretary | Vanessa Scarpelli | Umpqua Bank

2014 – 2015 IIA Spokane Chapter Board of Governors

Spokane IIA Chapter Board of Governors for the 2014-2015 Chapter Year:

Governor | Organization

Penny Brown | AmericanWest Bank

Debra Peterson | Washington Trust Bank

Cathy Cook | Washington Trust Bank

Colleen Warner | Global Credit Union
