
Page 1: Risk & Advisory Services: Quarterly Risk Advisor Feb. 2016

Invest in Specialty Skills and Other Tips for Internal Audit Planning

In today’s dynamic and high-risk business environment, the role of an organization’s internal audit department is more important than ever. Every day new risks emerge, and stakeholders require a comprehensive understanding of the complex risk landscape and the processes and procedures in place to mitigate your organization’s challenges. Chief audit executives (CAEs) understand that a well-constructed internal audit plan can protect their organization from threats, minimize their risk of loss and help maintain operational efficiency. However, it is also important when planning to consider how your strategy will navigate political and regulatory pressures, monitor risks on a continuous basis and sustain an effective reporting and response structure. As your team is putting the final touches on its internal audit plan, consider the following tips to ensure that you are protecting your data, customers and revenues and preparing your team to react and respond should any disruptions occur.

(Continued on page 2)

1-866-956-1983 | www.cbiz.com/ras | © Copyright 2016. CBIZ, Inc. NYSE Listed: CBZ. All rights reserved.

IN THIS ISSUE:

Invest in Specialty Skills and Other Tips for Internal Audit Planning (Page 1)

Cyber Risk - Now It IS the Daily News (Page 3)

How to Build an Actionable Incident Response Strategy (Page 4)

Risk & Advisory Services: Quarterly Risk Advisor, FEB. 2016 | 1ST QUARTER

With over 100 offices and 4,000 associates nationwide, CBIZ (NYSE: CBZ) delivers top-level financial and employee business services to organizations of all sizes, as well as individual clients, by providing national-caliber expertise combined with highly personalized service delivered at the local level.

Our national Risk & Advisory Services practice helps companies address unique risk factors through internal audit sourcing, SOX-404 and PCI DSS compliance programs, cybersecurity services, business continuity planning, and cost savings and recovery programs.

Page 2: Risk & Advisory Services: Quarterly Risk Advisor Feb. 2016

(Continued from page 1)

FRANK CAMPAGNA, Managing Director, CBIZ Risk & Advisory Services, Cleveland, Ohio & Denver, Colorado, 216.525.1989 | [email protected]

Plan with the End in Mind

Every organization has carefully created a strategy for how it will continue to grow and prosper year after year. These goals and objectives should form the building blocks for the foundation of your internal audit plan. With more threats surfacing, it can be difficult for professionals to pinpoint where to start their assessments and reviews. Understanding what your organization wants to achieve can help you prioritize projects to place emphasis on those that stakeholders truly value and support. Revisiting your end goals can keep your team focused throughout the year as potential new projects are proposed.

Invest in Specialty Skills

Your organization has worked hard to bring together an analytical internal audit team that produces quality results. However, regulatory compliance requirements, breach tactics and risk environments evolve and require teams to develop new capabilities to continue to work at peak performance. Identifying, selecting and onboarding qualified professionals to extend your internal audit capabilities can be a costly and time-consuming process. Many organizations rely on third parties through co-sourcing or outsourcing to supplement their existing functions. Third-party internal audit practices continuously train their practitioners on the latest industry standards and use state-of-the-art technology to conduct their assessments. Their teams are composed of individuals who possess a wide variety of specialty skills, from IT risk assessments and audit execution to anti-fraud and facility breach exercises. Co-sourcing and outsourcing relationships allow CAEs to deliver consistent results while continuing to recruit and train new staff members. Over time, these third-party engagements can be adjusted and scaled to accommodate your growing team.

Assess Risks on a Continuous Basis

Even if you are creating internal audit plans that align with your organization’s overall goals and objectives, you need to keep your plans flexible to account for rapidly changing or emerging risks. Natural disasters, cybercriminal activity, or political unrest can have an impact on your organization, perhaps even destroying valuable revenue streams or reputations built over years of success. These risks can emerge or evolve quickly, and many organizations are shifting their attention to the areas most susceptible to major risks like IT or corporate governance. However, just shifting focus may not be enough to protect an organization if that organization’s internal audit department is still only updating its risk assessments on an annual or semi-annual basis. It is imperative that CAEs maintain a flexible audit plan process and assess risk continuously throughout the year. Failure to do so may render your organization unable to avoid major risks and thus unprepared to respond quickly.

Benchmark Against Industry Leaders

As you begin to put the finishing touches on your flexible, strategic internal audit plan, you should compare your tactics and reporting structures against the best practices of the industry and other companies. Internal audit industry specialists continuously collect data on organizations of all sizes to compile national averages that can inform decision-making processes. The Institute of Internal Auditors has developed the Global Audit Information Network (GAIN) Benchmarking Tool, which allows you to compare your internal audit department’s structure, size, performance and planning against the averages of organizations similar to yours. If your organization engages a third party to conduct all or part of your internal audit assessments, you can draw on the third party’s experience and knowledge from working with a variety of clients across your industry. Communicating your strategies to your third-party provider allows the provider to assist in the planning process through best practice and improvement recommendations.

Stakeholders in your organization look to the internal audit department to be resourceful when managing a complex risk environment and responsive if disaster strikes. CAEs who understand organizational goals, create flexible plans that meet industry standards and monitor risks continuously position their departments for success. As the business world quickly changes and evolves, it is more important than ever for internal audit departments to be prepared to handle anything.

Protect Your Organization

If you have questions, comments or concerns about your internal audit plan, please contact CBIZ Risk & Advisory Services to evaluate your existing strategy.


Page 3: Risk & Advisory Services: Quarterly Risk Advisor Feb. 2016

Cyber Risk - Now It IS the Daily News

DAMIAN CARACCIOLO, Vice President, CBIZ Insurance Services, Columbia, Tennessee, 443.472.8096 | [email protected]

CHRISTOPHER ROACH, Managing Director, CBIZ Risk & Advisory Services, Houston, Texas, 281.844.4239 | [email protected]

Cyber intrusions are no longer one-off events. Cyber issues are a fact of doing business. Cyber risk should be top of mind for business owners and executives across all business sectors and industries – retailers, service providers, financial institutions, property managers – there is no safe haven.

According to Ryan Vela, Dallas-based regional director of North America reactive and proactive cybersecurity services at Fidelis Cybersecurity, “70% of security professionals think they have done enough with respect to security, but 40% still expect to be breached.”[1]

While the threat is acknowledged, directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue, according to the National Association of Corporate Directors.

How vulnerable are you? Well, let’s begin with email. Vela recalled an incident where a hacker who was already in a large oil company’s system noticed that one work group ordered takeout from a Chinese restaurant every Friday. The hacker created a PDF labeled as an updated menu. When workers clicked on the menu, the hacker was able to download code to user PCs, giving them access to business data.

But email is hardly the only way in. Printers, thermostats and video conference equipment – even VPN connections – can provide entrée to your system.

In his exclusive November 2015 interview with GlobeSt.com, Kelly discussed specifically how the commercial real estate community is at risk. He noted that while the growing trend of conducting operations through the internet offers clear cost and control advantages, there are also clear vulnerabilities. Important services like HVAC can be tampered with or shut down; contractors and vendors holding key data may be vulnerable.

While suggesting that employee training and clear security policies can close the door to nearly 80% of intrusions caused by employee carelessness, Kelly advocates establishing “multi-disciplined teams” with C-suite leadership that can respond to both online and onsite security events.

From “Best” Practice to “Essential” Practice

When cybersecurity is not part of the business process, it leaves a company vulnerable to a range of security issues. Prevention and protection measures are critical. These should include both risk analysis through assessment and risk mitigation through the growing pool of cyber-focused insurance products and internal operational safeguards.

Page 4: Risk & Advisory Services: Quarterly Risk Advisor Feb. 2016

Prepare for Anything: How to Build an Actionable Incident Response Strategy

Over the past few decades, the world’s economic and political infrastructures have been tested by physical and virtual terrorist attacks. If a business is targeted, transnational criminal organizations can destroy years of success and profitability in a matter of minutes. These criminal networks are expanding and continuously diversifying their activities, which increases the difficulty for businesses that are preparing response strategies that include potential terrorist threats.

In the wake of the recent terrorist attacks in Paris and San Bernardino, companies are reassessing their own disaster response and recovery plans to make sure they account for potential terrorist threats to day-to-day operations.

Preparing for internal and external risks can help protect your business, but it is impossible to predict exactly how or when disaster will strike. Focusing too narrowly on specific incidents when designing your incident response strategy could hinder your company’s ability to train your staff and react when faced with a threatening situation.

When creating your strategy, it is crucial to establish a framework that allows you to respond quickly in any situation. Regardless of the cause of the business disruption, the following four components will help you create a simple, yet holistic incident response and recovery strategy that is easy to implement.

Loss of Facilities

Immediately following the deadly shootings and explosions in Paris, French authorities closed major landmarks and cultural facilities, such as the Bataclan Theatre, the Eiffel Tower and the Louvre Museum. When an incident renders a facility unavailable for normal business operations, it can lead to devastating financial and functional consequences for the company. Regardless of what disaster caused the loss of facility, your strategy needs to include how your business will continue its operations without disruption. This might include allowing your employees to continue their work from home or identifying a temporary alternative location for your staff, such as a client facility or community collaborative workspace.

Loss of People

Even if your facility remains intact after an incident occurs, your staff could be scattered or attending to their own personal needs, and therefore unavailable to assist in the business recovery efforts. Personal tragedy, illness or injury can render key employees unavailable or incapable of making critical decisions necessary to get your business back on track. Part of your overall incident response and recovery strategy should include the cross-training of your staff so that each member is prepared to step in to perform critical functions should another employee be unavailable. Documenting your processes and procedures can ease the burden of training and provides employees with reference materials if necessary. It may also be valuable to identify an outside third party that could assist your team with critical functions in situations that would leave large numbers of your staff unavailable.

Loss of Technology

Not every incident you may encounter will be physical. In 2014, JP Morgan experienced a data breach that compromised an estimated 83 million customer records. As today’s business environment increases its dependency on information technology, companies need to have a plan in place that helps them recognize when a cyberattack is occurring, react quickly to stop the breach and recover in a way that addresses both the short- and long-term problems from unauthorized access. Identifying potential system workarounds can keep your operations functioning should you lose the use of a system during an attack. Knowing exactly how long your company can continue to deliver client service without a particular system can help you create a recovery timeline once an outage or breach is contained.

(Continued on page 5)

Page 5: Risk & Advisory Services: Quarterly Risk Advisor Feb. 2016


(Continued from page 4)

MARK MADAR, Director, CBIZ Risk & Advisory Services, Cleveland, Ohio, 216.525.1956 | [email protected]

Loss of Vendors

Even if you take loss of facility, people and technology into consideration, your incident response strategy is only as strong as the third-party vendors you rely on to deliver goods or services. Your vendors should be prepared to step in and assist should an incident happen to your company. Additionally, you should expect that a vendor’s disaster recovery plan offers protection for your company, as your clients expect that you are protected if disaster strikes on the vendor’s end. For example, in 2013 hackers were able to access 40 million Target customer debit and credit card accounts by intruding into Target’s systems through credentials stolen from a refrigeration, heating and air conditioning subcontractor. Identify a few alternative vendors that you could rely on should your primary vendor be compromised.

Your primary objective when designing an incident response strategy is to create something that is actionable. Writing a plan including recovery steps for every possible scenario will likely result in a complex document that isn’t practical when employees need to act quickly. The key to a strong plan is not to overcomplicate the context. Your strategy should account for places, people and procedures, and it should be able to work in multiple situations. Over time, you can and should adjust or build upon your strategy as your company grows and evolves.

Upcoming Industry Events

GENERAL AUDIT MANAGEMENT CONFERENCE, MARCH 7 - 9, 2016 | DALLAS

Hosted by the Institute of Internal Auditors, the General Audit Management (GAM) Conference is a thought leadership event for CAEs, audit management, and key stakeholders who want to drive change and deliver results.

INFOSEC WORLD CONFERENCE & EXPO, APRIL 4 - 6, 2016 | ORLANDO

Hosted by the MIS Training Institute, the InfoSec World Conference & Expo is a thought leadership event for security professionals to help them learn and test new information security ideas with their peers.

AUDIT WORLD CONFERENCE & EXPO HALL, JUNE 14 - 15, 2016 | BOSTON

Hosted by the MIS Training Institute, the Audit World Conference brings together auditors, thought leaders and experts from around the globe to collectively help improve the audit profession.