Research Foundation Report - The Institute Of Internal Auditors  


October 2008
printPrint Article
printPrint Entire Issue

Internal Auditing Confronts Global Security Risks
An Interview with MacDonnell Ulsch

The world has changed dramatically and continues to do so. The impact of such sweeping change can be devastating. In Threat! Managing Risk in a Hostile World, published by The IIARF, MacDonnell Ulsch offers a unifying message and methodology that brings IT and executive management together. The goal of joining forces is to protect and defend the enterprise against a growing number of threats such as terrorism, identity theft, hacking, malicious computer code, corporate espionage, and more.

This book explains why the time for positive change is now, and why we cannot afford to wait. The IIARF asked Ulsch to provide insights on how the book evolved, and its implications for internal auditors, the general public, and organizations worldwide.

Ulsch’s background in governmental work, security, and defense played key roles in the decision to write Threat! Having served on the United States Secrecy Commission and as a consultant to agencies of the U.S. and British governments, among other assignments, he has attained knowledge of terrorism both for those involved in providing security and intelligence against it, and those directly impacted by it. He has witnessed the role technology and communications infrastructures play as an antidote to terrorist actions.

Ulsch indicates that technology has introduced risks applicable to both our personal and professional lives. “Our information is mobile,” says Ulsch. “The communications devices we use intertwine our lives both personally and in the workplace, making us vulnerable to identity theft. Issues that have not been effectively addressed at work will impact the employee at home.”

There is a clear linkage between the global risks of terrorism and the risks of corporate espionage, Ulsch states. “The issue is economic. Information has value.”  Organized crime, narcotics traffickers, and terrorists are linked. When they steal intellectual property, for example, the property can be sold with the proceeds used to finance terrorist operations of interest to that terrorist group. The ties among organized crime, drug cartels, and terrorists are also economic --these entities cooperate for their own interests and with drug profits totaling more than U.S. $1.5 trillion each year, they are bound to attract a lot of attention.

The Enterprise Threat Index: Defensive Enterprise Mapping included with the book is a high-level risk assessment tool intended to provide executive management and the board of directors with a general indication of the enterprise’s risk profile and potential risk flash points. According to Ulsch, it takes a more holistic approach than do many other methods. He started out by thinking like one of the “bad guys,” asking how to defeat a company’s security. He then considered how to defend against that threat and its business impact. He identified 79 Causal Threat and Risk Factors broken down into 28 Emerging Threats, 23 Existing Vulnerabilities, and 28 Enabling Conditions, providing risk and security officers with a broad range of risk data points.

Internal auditing plays a critical role in confronting the risks presented in the book. Ulsch indicates, “Not only is there an increase in hostility around the world, there is increased complexity in operations.”  He points out that internal auditors touch virtually every facet of the enterprise, and possess knowledge about vulnerabilities across the enterprise -- they see an enterprise mosaic that few others can see. They see enterprise defenses, work with those responsible for defending the integrity of the enterprise, and understand the regulatory requirements. "This provides a level of insight and awareness that positions internal audit to advise management and the board against increasingly hostile threats," says Ulsch.


MacDonnell Ulsch

Ulsch specializes in the defense of privacy and intellectual property. He has served on the United States Secrecy Commission, has advised the British Ministry of Defense, the Industrial Development Board of Belfast, Northern Ireland, and the U.S. Army; and has worked with the National Security Institute.

.1038 cover

To find out how to obtain a copy of Threat! Managing Risk in a Hostile World, visit The IIARF Bookstore.