Internal Audit Analysis: PaySF Security Breach – Potential Causes And Recommendations

Role of internal audit in preventing security breaches in PaySF

Hello Sir,

Thank you for agreeing to meet with me. It will be a pleasure to be part of your organization, and I am looking forward to this great opportunity.

Internal audit will play an important role in these crucial initiatives by helping management understand the risk profile associated with the breach of the PaySF application. Internal audit will also assist by suggesting appropriate risk-reduction policies and by assessing and reporting on risk mitigation activities during the significant phases of the initiative. It can be a crucial partner to the business in helping to make sure that the implementation of cloud-based technologies is a success. While the company updates or moves its applications or IT infrastructure to address the security issues of the PaySF application, internal audit will enable it to manage budget and programme overruns, completeness of requirements or designs, and project resourcing in an appropriate manner.

Internal audit will assist the company in ascertaining an appropriate resolution for the PaySF security breach through the following activities:

  • Executing a top-down risk evaluation of the organisation's cyber security procedures, using industry principles as a guideline, and giving suggestions for improving those procedures.
  • Assessing existing procedures and controls, for example Data Loss Prevention (DLP) solutions or Identity and Access Management (IAM) systems, to help make sure that the risks posed by a constantly evolving environment are considered.
  • Evaluating the application of revised technology security models, for instance multilayered defences, improved detection methods and encryption of data leaving the network.
  • Assessing the company's incident response and communications plans.
  • Evaluating third-party security providers, for example cloud service suppliers, to assess the extent to which they are addressing current and emerging risks completely and adequately.

Supervising significant procedures and controls

Senior executives often concentrate on the daily operations of the company, yet they should also place adequate emphasis on supervising significant procedures and controls. Internal audit can help by supervising these and mitigating errors as well as fraud. With adequate focus on important processes, the company can reduce the risk involved in app security.

Concentrating on likely IT security concerns

Internal auditors bring an organized, disciplined approach to managing the security breach issues relating to the PaySF application by recognising, reducing and paying attention to threats that can affect the long-term objectives of the corporation.

Separation of Responsibilities 

The main problem generally seen in organizations is the segregation of responsibilities among workers. Compared with big companies, the risk of fraud is high in small companies, wherein incompatible functions are controlled by diverse individuals. This risk can be minimised by segregating duties between personnel. Further, internal auditors can recognise where fraud risks occur and make suggestions to minimise them.

Legal risk arises from breach of, or non-conformance with, regulations, laws or prescribed practices, or when the legal rights and responsibilities of the parties to a transaction are not well established. Legal risk in electronic money arises from ambiguity about the validity of some agreements formed through electronic media. Thus, the financial impact of the assessed security breach is that the company might be liable for heavy penalties due to non-compliance with laws and provisions.

Operational risk arises with regard to the controls over access to an application or software and to risk management systems, the information it communicates to other parties and, at the time of electronic funds transfer, the measures the bank uses to deter and detect counterfeiting. Controlling access to an application or software is affected by expanded computer capabilities, the geographical dispersion of access points and the use of various communication paths, including public networks such as the internet. In addition, it is significant that with electronic transfer of funds, a security breach can lead to fraudulently created liabilities of the bank. In other types of electronic banking, unauthorised access can result in direct losses, added liabilities to consumers or other inconveniences.

Role of internal audit in the resolution of the issue

Different kinds of authentication issues can arise; for instance, inadequate controls can lead to a successful attack by hackers, through which they can access, retrieve and use private consumer information. As Pratt and Peters (2017) state, when controls are inadequate, an external third party can access an organization's computer system and insert a virus into it.

Shareholders and investors are important to the company. If they learn that data has been lost or security breached at the company, the trust they have in the company will be lost. Further, in such cases it is very difficult for organisations to regain the trust of consumers. An organization will need to put in additional effort to regain the trust of its customers by satisfying them with appropriate service.

Along with external attacks on applications and software, as in the present case, PaySF is exposed to operational threats from employee fraud: personnel can secretly acquire authentication information to access consumers' accounts or to steal value cards. Further, unintentional errors by workers might also compromise the organization's systems. Of direct concern to supervisory authorities is the threat of criminals counterfeiting electronic money, which is heightened if the organization fails to integrate appropriate measures to detect and deter counterfeiting.

Table 1: Sanction fines in the four countries in which PaySF is available

Sanction Fines | Amount
Italy          | £4.0m
Sweden         | Kr 2m/£234600
UK             | £2.1m
Germany        | £2.5m
Total          | £10.5m

The sanction fines in Italy, at £4.0 million, are too high in comparison to the other countries, or just double those of the UK. Thus, the company is required to reassess the network security updates for Italy in order to reduce the fines to the extent possible. Even though the average number of transactions in Italy is lower than in the other three countries, the sanction fines are too high. The potential causes of the cyber security breaches might be as follows:

  • Malicious, international or criminal activity: scams, hacking, deception, cyber crime against data and systems, and diversion of funds. Viruses and system infections are the usual cause of security breaches. Attempts should therefore be made to prevent data theft by applying more sophisticated systems, as the perpetrators work extremely hard to always remain one step ahead.
  • Default passwords: It is possible that the company did not change the default passwords that devices ship with out of the box. Moreover, some users select bad passwords, for instance "password" or "welcome", which can easily be cracked by a hacker. Organisations that evaluated about three million passwords for complexity discovered that the most commonly used password was "password1".
  • Firewall: It is possible that the PaySF application did not have a good firewall in place to guard against security violations. A firewall filters the information arriving over an Internet connection, and any malicious information it flags is blocked before any damage is caused.

Table 2: Relationship between cost and profit of PaySF

                          | Germany (€) | Italy (€) | UK (€)   | Sweden (€)
Revenue                   | 5340000     | 6256730   | 8550000  | 4122500
Cost of Sales             | (500000)    | (450000)  | (456000) | (630500)
Gross Profit              | 4840000     | 5806730   | 8094100  | 3492000
Profit/ Loss for the year | 2172852     | 2631182   | 3999760  | 1477710

Notes

1.14€ = 1£

1 Kr = 0.097£

It can be seen from the above figures that the cost of sales of the UK is higher than that of the other countries. At the same time, the expenses of Sweden are also higher than those of the other countries. The reason behind this could be the ineffectiveness of cyber security relating to the application. Thus, the expenditure of Sweden and Germany is higher in comparison to the others, and the reason for this could be ascertained through the internal audit procedure. In order to control the specified risks in future, the following measures could be applied:

Open remote access vulnerability: Remote access is used to provide security services and protocols to third parties. It can also be used to enable somebody to log in to a system remotely. IT executives should be mindful that any connection, even one meant for a productive purpose such as enabling a POS system to be administered remotely, can result in vulnerable networks.

Create a cyber breach response strategy: Creating a comprehensive breach preparedness plan allows workers as well as managers to understand the likely damage that can occur. Furthermore, managers should be transparent regarding the scope of the breach. With an efficient response strategy, the company can limit lost productivity and prevent negative publicity.

The response plan must start with an accurate assessment of what was lost and when. Subsequently, determine who is accountable whenever possible. By taking fast, decisive action, the company can limit damage and restore the trust of employees and consumers.

Encryption of data and procuring a cyber insurance policy: To secure information, companies should make sure that the data stored in databases and on networks is encrypted. This is considered an efficient means of protecting data against hackers gaining access to sensitive information. If a company faces a cyber breach, an efficient cyber insurance policy will compensate the losses and the expenses of repairing the damage.

Country | Average no. transactions per month per consumer (pre-incident) | Average transaction value (pre-incident) | Average no. transactions per month per consumer (post-incident) | Average transaction value (post-incident) | Transaction fees (% of value)
Italy   | 60  | €43.12   | 35 | €15.75   | 0.8%
UK      | 100 | £31.45   | 60 | £24.99   | 1.2%
Sweden  | 120 | Kr371.38 | 75 | Kr150.27 | 1%
Germany | 78  | €34.56   | 42 | €28.85   | 0.5%

The transaction fees of the UK, at 1.2%, are higher than those of the other countries, while its number of transactions is lower than that of Sweden. Therefore there is a need to implement cyber security in an efficient manner. The role of internal audit is to provide assurance to the business in the following manner:

With the assistance of internal audit, the organization will be able to review and test its cyber security, business continuity and disaster-recovery plans. Moreover, since the potential for reputational damage created by poorly managed organisational disruptions is significant, it is more efficient to find faults through mock exercises than in reality. By having conversations with the board members and senior executives, the level of risk can be reduced and efforts to resolve such threats can be made.

Further, working collaboratively with IT and other parties to create efficient defences and responses: Cyber risk is considered a business risk, not just an IT risk. It is amplified, altered and obscured by being supported exclusively by IT systems. Creating a strong, mutual relationship between internal audit and IT helps ensure that mitigation efforts and responses are effective.

  • Recommend enhancements in controls.
  • Verify the existence of assets and suggest appropriate measures for their protection.
  • Review operations to determine whether results are consistent with established goals and whether the operations are being carried out as planned.
  • Assess the sufficiency of the system of internal controls.
  • Investigate reported occurrences of fraud, misappropriation, theft, waste and so on.
  • Evaluate compliance with state and federal regulations and contractual requirements.

Executives and management need to assess the effectiveness of the applied changes on the organization. Further, they need assurance as to whether the risk of a security breach has been reduced or not. The modified environment of the IT department must be monitored on a continuous basis in order to assess how it is affecting the other functions of the organization. Further, the effectiveness will be rated on the following basis:

The ways to rate the administration department's skills:

  • Administration is able to respond to and cope productively with existing and likely issues. When issues arise, they should be tackled and corrected.
  • Administration is not always receptive to problems as they occur but usually has an adequate record of performance.
  • Ability to overrule controls without exposure.
  • Ability to overrule the majority or all of the controls without exposure.

A security breach can affect much more than short-term income, so management needs to focus on it on a continuous basis. Significant revenue loss as a result of a security breach is very common. Research shows that 29% of businesses that face a data breach end up losing income. Of those that lost income, 38% experienced a loss of 20% or more. This shows that the company should assess app security breach issues on a continuous basis.
