March 19, 2021
COVERAGE FROM THE IIA'S GENERAL AUDIT MANAGEMENT CONFERENCE
The IIA's Incoming President Discusses His Vision
The IIA's incoming president and CEO, Anthony Pugliese, held a virtual town hall on Friday to discuss his vision for the organization and the future of the internal audit profession, with Nancy Haig, The Institute's North American Board chair. Pugliese comes to The IIA from the California Society of Certified Public Accountants, where he was president and CEO. He succeeds Richard Chambers, who will retire as president and CEO at the end of March.
In describing what he brings to his new position, Pugliese noted his 24 years of experience in the association industry, as well as his experience with internal audit and with leading an internal audit team. He said he understands the value proposition and that multiple value propositions are needed for The IIA's different members and their different interests. "The power of partnering with others also is something we have the opportunity to do," he said.
Pugliese said an important part of his vision is how the Certified Internal Auditor (CIA) designation is evolving and whether The IIA is keeping up with what is expected in the profession. For example, technology is becoming more and more pervasive as a component of the profession. "I don't think we've quite gotten to the point where we are thought of as the go-to group for technology decision-making or for assistance in decision-making."
In addition to an understanding of technology, Pugliese said he wants CIAs to be known for the human intelligence or emotional intelligence skills that are critical in business today.
Pugliese emphasized the importance of understanding and influencing the profession's career pipeline, not only at the university level, but in high school as well. In addition, Pugliese said too many newcomers from diverse backgrounds were not finding the profession welcoming and were leaving. He said more needs to be done to ensure people from these backgrounds are attracted to and remain in the profession.
Moreover, The IIA needs to consider new approaches to how it delivers learning, Pugliese noted. For adult education to be effective, it has to be engaging and fun. Also, this learning needs to be measured differently, by measuring competencies rather than simply continuing professional education credits, he said.
Cybercrime Has Become More Sophisticated Than Imagined
During the COVID-19 pandemic, organizations across the business landscape have been more susceptible to cybersecurity threats than ever before, said investigative journalist Geoff White, the closing keynote speaker Thursday at the 2021 General Audit Management (GAM) Conference. This rise in cybercrime is more than just opportune timing; these sophisticated and highly coordinated crimes are incredibly difficult to identify, let alone prevent. Some of these crimes have resulted in losses of tens or even hundreds of millions of dollars.
Cybercrime has moved up in the news agenda as people have become more dependent on phones and technology. "But there's something else that's happened away from the public gaze," White said. "Over the last five or ten years, there has been a coming together of three key groups, key motivators behind cybercrime."
These groups, he explained, are organized crime, nation-state crime, and "hacktivists" who use hacking to bring about political and social change. In fact, each of these groups has steadily been learning from the others, to the point where investigators are finding it difficult to tell the difference between them.
To illustrate how elaborate such attacks have become, White used the example of the hacking of Bangladesh Bank. After initially gaining access to the bank's servers through an infected email that resembled a resume, the group of hackers spent a year slowly planning their attack. At the end of the operation, the hackers managed to access a bank account worth $951 million over 36 separate transactions, a large portion of which they ultimately laundered by gambling at a casino over several weeks. Through their coordinated attacks, the hackers ultimately got away with $81 million.
One of the most concerning aspects of such stories is that situations like this often are unavoidable. "If your organization is thinking in terms of 'if' you get hacked, you're behind the times," White said. "It could be happening right now. It could have already happened."
According to White, companies need a "when team" that is well-prepared to deal with the fallout. "What kind of information will the hackers have?" he asked. "What damages will be in play? What are the reputational risks that may reach the headlines? How will you communicate when hackers strike? How do you communicate with regulators and clients? These are the kinds of questions a 'when' team can help answer."
Such teams require deft coordination between a variety of disciplines, including IT and tech security, public relations, legal, and compliance. "These groups need to get into the same room and speak the same language," White said. "You have to have commonality of spirit to know how to deal with something like this when it happens."
Board Experts Share Tips for Wowing the Board
"It's never been more important to have a great connection with the board than it is today," said KPMG LLP advisory partner Michael Smith, as he introduced the Thursday GAM Conference session, "Wow the Board: Lead the 2021 Audit Committee Agenda."
Primarily, chief audit executives (CAEs) should help the audit committee know which risks to prioritize, said Stephen Brown, a senior advisor at the KPMG Board Leadership Center and former CEO of the Society of Corporate Governance. CAEs should capitalize on the breadth and depth of their involvement in the organization to communicate risk priorities to audit committee members, he added.
Internal audit must focus on fundamentals such as strategic risks and priorities, noted panelist Debbie Messemer, a board member of Allogene Therapeutics, Carbon 3D, and PayPal. But it also must be an inclusive team that lives the organization's core values and collaborates with first- and second-line roles. Messemer said effective communication with various stakeholders is critical and acknowledged that audit committees expect more from internal auditors. "Things we thought were aspirational maybe five or 10 years ago are fundamental at this point," she added.
People's trust in companies now requires considering long-term shareholder value, authenticity, and transparency, according to Brown. "The legal or compliance answer may be absolutely correct, but may not be enough," he said. Internal auditors can help the board become more familiar with issues, such as environmental, social, and governance concepts, which are important to institutional investors, employees, and customers but may be new to board members. Brand trust and reputation are at risk if companies do not fulfill the promises they make to address such issues.
Internal audit typically represents the pinnacle of trust in companies. Messemer said building relationships across all aspects of the company enhances that reputation. "You'll know if you are a trusted advisor when you realize that people are seeking you out for advice and a point of view, because of your deep and holistic understanding of the company and its risks and controls," she said. She added that great CAEs gather insights from across the organization and from competitors and proactively share them with the audit committee chair to help drive the committee's agenda.
Brown pointed out that it is important to link insights to things that affect board members personally. Internal auditors and boards should review proxy season previews or round-ups, especially those of their peers or similar larger organizations, to see what is important to institutional investors in terms that are tied directly to specific risks.
The pandemic caused many organizations to send workers home, but among leaders, opinions differ on how and when to bring them back. While some CEOs see permanent changes to their offices, others are anxious for a return to the office and business as usual. According to Agenda (paywall), one-third of companies responding to a Conference Board survey said they expected 40% of their employees to remain working from home for at least 12 months after the pandemic. However, the survey, conducted in late 2020, found that about 40% of companies that had transitioned employees to remote work during the pandemic said they planned to bring their staff back to the office as early as March. Agenda cited a recent Wall Street Journal article in which CEOs of major companies shared their thoughts on the benefits and flaws of working from home. At one end of the spectrum, Citigroup CEO Jane Fraser said she expects to bring all employees back to the office, arguing that apprenticeship and belonging are essential to culture. On the other end, Margaret Keane, CEO of Synchrony Financial, said a flexible work shift was long overdue.
The early days of U.S. President Joe Biden's administration have seen continuing tension between the U.S. and China, which might have significant implications for the business community. According to The Washington Post, U.S. Secretary of State Antony Blinken criticized China for both its trade policies and ongoing cyberattacks against the U.S. in an interaction with Chinese diplomat Yang Jiechi. Jiechi criticized recent U.S. sanctions against Chinese officials. Both parties are expected to meet three more times in Anchorage, Alaska, over the next two days. Blinken will outline his concerns related to "increasingly aggressive activities across the Taiwan Strait" and other issues, while Jiechi will request that the U.S. reverse the Trump administration sanctions that limited U.S. technology sales to Chinese telecommunications companies and chipmakers.
Business Roundtable Immigration Committee Chair Tim Cook, CEO of Apple, issued a statement Thursday urging U.S. lawmakers to pass the American Dream and Promise Act. The immigration reform bill would create a path to citizenship for undocumented immigrants who arrived in the U.S. before the age of 18. In his statement, Cook noted that these individuals are "working in the disciplines and industries that will help America emerge stronger on the other side of COVID-19." Late Thursday, the House of Representatives passed the act, which now advances to the Senate, according to Business Insider. The Business Roundtable also called for additional immigration reform.
March 18, 2021
COVERAGE FROM THE IIA'S GENERAL AUDIT MANAGEMENT CONFERENCE
How Companies Can Work Toward a Sustainable Workforce
A shortage of skilled workers, competition from companies with "intellectual property-rich products and services," and shrinking markets resulting from protectionism are among the disruptive risks organizations face in 2021 and beyond, said author John Manzella. The nationally syndicated columnist on global business and economic trends spoke at Thursday's general session of the 2021 General Audit Management (GAM) Conference.
According to Manzella, one reason for a shortage of skilled workers in the U.S. is that participation in the labor force is declining. He cited statistics showing that one in five men ages 25-54 are long-term unemployed. For women, labor participation rates peaked in 1999.
"Many lower-skilled workers can't find rewarding jobs and sit on the sidelines," he pointed out. Other factors reducing participation include child care issues, the opioid crisis, incarceration, and disability.
"This is difficult for businesses because if companies can't find workers, they can't grow," Manzella said. The lack of growth reduces gross domestic product, which then lowers the overall standard of living.
COVID-19 has exacerbated the problem by disproportionately impacting lower-skilled workers and those with child care issues, Manzella said. Automation is another factor in job losses for these workers, as the pandemic and advances in artificial intelligence have sped up automation.
To thrive in the new economy, workers need to engage in life-long learning, and companies need to focus on intellectual property-rich products and services. Manzella suggested that companies can contribute to a sustainable workforce by:
- Allowing entry for more legal immigrants at all skill levels.
- Investing more in employee education and training.
- Considering European-style apprentice programs.
- Hiring older workers.
- Offering more generous day care options, a strategy that has boosted participation rates among women in Europe.
- Offering more flexibility — that is, greater employee input in work schedules and more time working from home.
- Implementing referral programs.
- Deploying automation.
Manzella also argued for moving away from protectionist policies, which he says shrink markets and hurt economies. He cited U.S. Chamber of Commerce statistics showing that markets outside the U.S. represent 80% of the world's purchasing power, 92% of economic growth, and 95% of consumers.
"When I talk to CEOs, they often tell me that more and more of their incremental earnings are generated from abroad," Manzella said. "They need access to these fast-growing markets."
Internal Audit Has a Major Role in Organizations' Diversity and Inclusion Efforts
The isolation enforced by the pandemic, the violent aftermath of George Floyd's death, and the controversies surrounding the presidential election focused attention on diversity and inclusion. For its part, Bank of America now has "its foot pressed to the gas" on issues of inclusion, said Rhonda Bethea, the company's senior vice president and general auditor, today at the 2021 GAM Conference.
Bethea joined Stacy Juncho, executive vice president and general auditor for PNC Financial Services, and Sarah Fedele, U.S. internal audit leader for Deloitte & Touche, for a discussion of "Internal Audit's Role in Fostering Diversity and Inclusion." Among their initiatives, both banks have announced four-year, $1 billion commitments to address inequality and support inclusion efforts.
What is internal audit's role in diversity and inclusion? At PNC, internal audit looks at compliance with affirmative action programs, as well as at diversity and inclusion in areas such as sourcing and human resources.
Bank of America has strong governance, policies, and procedures that are audited, Bethea said. In addition, human capital reporting — which draws elements from human resources and environmental, social, and governance — received a higher profile for 2020, she added.
At Deloitte, Fedele said clients want to know whether their programs are meeting their objectives. In addition, clients are concerned about the accuracy of diversity and inclusion data and whether the appropriate controls are in place.
While internal audit looks at its organization, it also needs to be self-aware, Juncho said. A first step is for internal audit to have its own diversity and inclusion council plugged into the corporate-level council. It's also important to look not just at diversity, but to work toward creating a culture of inclusion, she said.
Recruiting also needs to be looked at, Fedele said. Internal audit should push more at the college level to create a wider understanding of the profession to attract a more diverse pool of candidates.
As employees start returning to offices, Bethea noted an important point to keep in mind: "It's going to be a culture shock coming back into the workplace." It will be important not to lose the team-building carried out during the pandemic, and coaching and support will be necessary, she said.
In addition, it is important to get teams back in the office for in-person coaching and teaching, Juncho said. This mentoring also is part of the process of identifying future leaders. "I fear that we are going to miss out on our leaders of tomorrow until we can get back together," she said.
Getting a Handle on Non-GAAP and ESG Reporting
In Silicon Valley, companies are transforming business models through acquisitions and mergers, conversions to subscription services, and capital generation through initial public offerings and special purpose acquisition companies. In this innovative climate, companies often provide investors with nonfinancial metrics in addition to traditional financial reports, said Princy Jain, a PwC partner based in the San Francisco Bay area.
On Wednesday, Jain led a discussion with three Silicon Valley internal audit leaders on "Non-GAAP, Nonfinancial, ESG, and Operational Measures of Internal Audit" at the 2021 GAM Conference.
Jain said Silicon Valley companies frequently supplement financial statements based on generally accepted accounting principles (GAAP) with operational metrics such as monthly unique users and daily active users. They are reporting on their environmental, social, and governance (ESG) activities, too. However, because independent audits of such non-GAAP metrics are not required, there is great risk of inadequately defined and designed reporting controls and undetected errors, he cautioned.
The panelists recognized challenges in defining and standardizing these measures, as well as internal audit's role in educating those responsible for reporting such metrics about risks specific to the organization and developing a control mindset.
Scott Schulze, vice president and head of internal audit at Autodesk, explained how non-GAAP financial and operational metrics were key to the software company's reporting as it transformed its business model from licensed-based to subscription-based. He said internal audit was involved early in the business design process to advise on auditable controls and to develop standardized definitions and reporting frameworks.
Schulze said his department leveraged "the muscle we had from a Sarbanes–Oxley framework perspective, including things like Section 302 certifications." That experience enabled internal audit and management to develop a defined and repeatable methodology that ensured data integrity, completeness, and accuracy.
ESG measures are core to the business model of Sunrun Inc., a San Francisco-based solar panel and battery storage company, said Laurie Hanover, the company's chief audit executive (CAE). Sunrun periodically issues an impact report to highlight ESG achievements and uses operating metrics in its earnings report to represent the subscriber base of its residential solar-as-a-service model.
Working with data and process owners across the organization, from investor relations to technology and engineering, is important, Hanover explained. "Don't assume it's your usual suspects in accounting who are providing this data," she said.
Julie Wyckoff, CAE at Intuit Inc., said the company's compliance team anchors its corporate responsibility metrics in the globally recognized standards of the Sustainability Accounting Standards Board and the World Bank's Global Reporting Initiative Index. Internal audit assists through informal consultations, advisory engagements, and assurance by validating highly visible metrics.
Successful Implementation Begins With Collaboration and Transparency
How can internal audit help ensure that everyone in the organization collaborates to build the right capabilities into systems and processes at the beginning of the implementation process? Sandy Pundmann, senior partner, Global Internal Audit at Deloitte & Touche LLP, led a panel to discuss this topic Wednesday at the 2021 GAM Conference.
Implementation can be broadly defined as any major change such as a new system, product design, or business model, said panelists Stasi Brown and Sean Eirich of Google, Melissa Kandel of Peloton, and Charmaine Wilson of Deloitte. During such ventures, internal audit should make sure there is alignment on roles and responsibilities, what risks and controls are in play, and who is responsible for providing assurance on implementation activities.
Internal audit can provide significant organizational value beyond just identifying the scope of IT, data privacy, operational, strategic, and U.S. Sarbanes–Oxley Act of 2002 risks. As an advisor, internal audit can ensure stakeholders along the three lines are interacting with the right data and understand who has what capabilities within the organization.
The panelists elaborated on some of the unique challenges they faced during their various implementations. "When I joined Peloton, we were just finalizing the inventory of what our key systems were and doing Sarbanes–Oxley scoping," said Kandel, the fitness company's senior vice president of Internal Audit and Risk. "We had 35 systems. No one knew what Sarbanes–Oxley was, or a Sarbanes–Oxley report. There's no silver bullet with these projects. They take alignment, they take connecting the dots, and they take driving the business case and ensuring that controls are in place to address the risk upfront."
Eirich, Google's director of Internal Audit, said the company is going through a multiyear implementation of SAP's enterprise software — one of the largest such implementations ever. "One of the key elements we have found during this process is the importance of coordination across the three lines and an understanding of what the role of internal audit would be," Eirich explained. "Our focus is always on the key risks of the organization and covering them in the most efficient way possible, so we established the expectation that we would be conducting audits across the second line as well as the first line."
In establishing this understanding across the three lines, organizations must commit to transparency, panelists said. Not only can this insulate the implementation process from the need for pivoting beyond the point of no return, but it also can open the door for stakeholders to provide additional value that otherwise would be restricted by a narrow focus. The earlier such a culture is established, the greater the benefits the organization could see.
March 17, 2021
COVERAGE FROM THE IIA'S GENERAL AUDIT MANAGEMENT CONFERENCE
In a Culture of Inclusion, Everyone Wins
Diversity and inclusion (D&I) are not just about "doing the right thing" in the workplace — they are also about propelling an organization's talent and productivity forward, said corporate coach Shirley Davis. Davis discussed the business benefits of creating an inclusive culture during Wednesday's general session at the 2021 General Audit Management (GAM) Conference.
"Visibility matters to top talent," said Davis, president and CEO of SDS Global Enterprises. "They're going to be looking for people who look like them and [asking], 'Is the organization set up in such a way that I'll be able to be successful?'"
Diversity within an organization encourages diversity of thought, creativity, and innovation, Davis said. Inclusivity helps people feel esteemed and gives them a sense of belonging. Inclusivity also impacts employee engagement overall.
"When you have an inclusive culture, employees are more engaged," she explained. This is especially crucial considering that studies show roughly 60% of employees worldwide describe themselves as "disengaged" at work, she added.
According to Davis, both diversity and inclusion are important. "Can you have diversity and not have inclusion? Yes," Davis said. "Many organizations have done just that. They have focused on representation only. It's a start. This work is a journey."
Leaders are the key to building inclusive cultures, Davis said. "At the core of all of this, we've got to have top leaders — leaders who know how to bring out the best in the talent." She cited what she called Deloitte's 6 C's of inclusive leadership (PDF): commitment to D&I, courage to speak up, cognizance of bias, curiosity to understand others, cultural intelligence, and a collaborative spirit.
Davis suggested that leaders take stock of their competencies and even ask teams what competencies they need to improve on. She also suggested that leaders begin getting comfortable with uncomfortable conversations by practicing with a trusted advisor, "someone who doesn't look like you," to see where blind spots exist. "Ask questions to learn and understand, not to debate and judge," Davis said.
Trusting the Team Is an Important Part of Agile Adoption
"Step back and trust your team" was among the thoughts offered about internal audit's implementation of the Agile methodology in Wednesday's presentation "Better, Faster, Happier … Kicking and Screaming" at the 2021 GAM Conference. For one, Agile teams are self-organizing. That meant Sarah Adams, a managing director at Deloitte & Touche and the firm's global Agile audit leader, needed to learn not to look at the scrum master as leader of the team, but as one member of a team of equals. In Agile, the scrum master is a "servant-leader" who facilitates quick meetings called scrums.
Another session participant, Ranjani Narayanan, a senior manager at Deloitte, said she needed to become a different kind of leader when her team embraced Agile. Before, she expected the team to run on her calendar, but with Agile, she needed to change her thinking to connect, empower, and energize in order to foster a good team.
Stephanie D'Elia, a managing director at Goldman Sachs, said one of her fears in implementing Agile was that quality and documentation were no longer going to be important — Agile would mean that teams would be "writing on neon Post-its." However, she learned that use of Agile actually promotes the right documentation for the files.
In addition, D'Elia said the teams liked the input they received from the frequent interaction with stakeholders. They found that more meetings were a positive — the teams felt empowered, and managing directors felt they gained a better understanding of what was going on.
Goldman developed an implementation plan to ensure adoption of consistent Agile practices across the globe. As part of the adoption, Goldman learned the importance of leadership and of the tone at the top, D'Elia said. Forming a center of excellence also was critical to success, she said.
Even small audit departments can adopt Agile principles, Adams said, noting that an Agile scrum can be implemented with a team of three people. However, she suggested that departments of fewer than 25 people look at adopting the Kanban methodology, which applies Agile principles.
Chambers on Agents of Change in an Era of Disruption
Disruptive events such as those the world has faced this past year accelerate the need for internal auditors to become agents of change, according to Richard Chambers, The IIA's outgoing president and CEO. Such change agents are "catalysts for transformation who not only protect value but also create it," he said during Tuesday's afternoon keynote session at the 2021 GAM Conference.
Chambers' session was based on his latest book, Agents of Change: Internal Auditors in an Era of Disruption. Chambers said the book's purpose is to explore the attributes internal auditors need to become powerful change agents, including having business acumen, being relationship-centric, and having a strategic and innovative mindset.
Business acumen should include financial, marketplace, operational, technology, and strategic areas, as well as understanding the business intricacies unique to the auditor's organization, Chambers said.
Being relationship-centric means generating trust by sustaining collaborative relationships. This requires networking, team building, emotional intelligence, and diplomatic verbal and nonverbal communication and listening skills, he noted.
Having a strategic and innovative mindset requires developing an internal audit strategy that is integrated with the organization's strategy and embracing the opportunities presented by continuous, rapid change, Chambers said. This mindset also requires agility, driven by an urgency for efficiency and effectiveness and a focus on meeting stakeholder needs.
Chief audit executives must become more adept at telling internal audit's story, as well, Chambers said. That story should recast the view of internal audit from simply what it has done in the past to what it has the potential to do and should speak about change in a way that inspires others to action. "We have to be seen in our organizations as indispensable to protecting and creating value," Chambers said.
Agents of change go beyond their roles as trusted advisors, Chambers explained. Rather than waiting to be called upon or limiting themselves to communicating observations and advice, they work tirelessly to generate positive change within the organization. "The true agent of change is the pinnacle to which we should aspire," he said.
Audit Function Size Shouldn't Hinder Standards Conformance
Small audit functions often feel that completing a quality assessment review (QAR) to conform to the International Standards for the Professional Practice of Internal Auditing can be particularly challenging. Difficulties include cost, lack of time and resources, and a fear of being designated as nonconforming.
Despite these reservations, internal audit department size should not hinder conformance, said Monica Moyer-Kessel, director of Internal Audit for Saint Leo University, during her GAM presentation, "Small Audit Functions: Conforming With the Standards."
The leader of an audit function of two, Moyer-Kessel has experienced many of these challenges firsthand. "I had such a fear about pursuing my generally conforms designation that I procrastinated for an entire year," she said. "Once I started, though, I was surprised it only took me 80 to 100 hours to go through it."
The first step toward overcoming these fears is thoroughly evaluating the department's current level of conformance, Moyer-Kessel said. This assessment can be done by using page F-18 of The IIA's Quality Assessment Manual for the Internal Audit Activity to identify any gaps or barriers to conformance. For the areas that do not conform, auditors should consider what they might need to change to overcome or work around it.
For example, Moyer-Kessel noted that many small audit functions can't afford a full-time IT auditor. Her solution was to convince the audit committee to allocate money for an annual IT audit and to hire an outside firm to work with her team, which helped it gain more IT knowledge. "Steps like this allowed me to move from nonconforming to partially conforming to generally conforming," she explained.
It is critical for small audit functions to understand that not everything is going to be optimized, Moyer-Kessel pointed out. To generally conform, a function does not have to conform to every standard. What is more important is the intent of the Standards and showing processes and documentation that internal audit is working to continually improve to meet these intentions.
"Generally conforms does not mean absolutely conforms," Moyer-Kessel said. "If you have a few standards that you partially conform to or do not conform to, and you have documentation showing rationale why, it does not stop your independent validator from writing an opinion that you generally conform. I wish someone had explained this to me when I did my first QAR."
The IIA's 2021 North American Pulse of Internal Audit shows the disparities in opportunities produced by the COVID-19 pandemic, as well as the costs it has extracted. According to the new report, Many Sides of Crisis, the pandemic's effects have varied by industry, but the effects have been less severe on internal audit than on organizations. "The pandemic created an open audition for internal audit to showcase its value," the report said. In addition, the report uses insights gathered by The IIA's Audit Executive Center to look at a broad spectrum of metrics, including internal audit budgets, staffing, risk assessments, and audit plans.
A new U.S. Government Accountability Office (GAO) report examines the cybersecurity administration of private sector defined contribution (DC) retirement plans and how federal guidance can mitigate cybersecurity risks, according to Plansponsor magazine. Even with existing federal requirements that attempt to minimize risk in DC plans, the report explained (PDF) that more guidance is needed at the federal level. DC plans, plan sponsors, and their service providers face an increased risk of being hacked because they share personally identifiable information (PII) and plan asset data among themselves. Moreover, the shift to remote work during the past year has raised questions about whose responsibility it is to protect participant and plan data. The GAO said that even as more participants enroll in employer-sponsored retirement plans, the Department of Labor has failed to clarify fiduciary responsibility for mitigating cybersecurity risk or to establish minimum expectations for protecting PII and plan assets.
An HP Inc. report (PDF) found that 29% of malware captured in the fourth quarter of 2020 was previously unknown — a wake-up call for organizations that struggle to routinely update their cybersecurity infrastructure. "This report highlights the deficiencies in traditional defenses that rely on detection to block malware," said Ian Pratt, global head of Security for Personal Systems at HP Inc. "Attackers have repeatedly found new ways to bypass traditional detection-based tools, making it more important than ever for organizations to build zero-trust design principles into their security architecture." The report also provides insight into what forms of malware are most commonly seen today. According to the data, 88% of malware detected was delivered by email (usually with fake invoice attachments), while 12% was delivered by web downloads. Documents were the most common types of malicious attachments (31%), followed by archive files (28%), spreadsheets (19%), and executable files (17%).
March 16, 2021
COVERAGE FROM THE IIA'S GENERAL AUDIT MANAGEMENT CONFERENCE
2021 GAM Keynote: Lack of Skepticism, Oversight, Helped Fuel Rise of Theranos
The rise of biomedical startup Theranos and its founder, Elizabeth Holmes, was boosted by Holmes' charisma and enabled by a lack of skepticism about her company as well as failures of due diligence and governance. Pulitzer Prize-winning journalist John Carreyrou authored the bestseller, Bad Blood: Secrets and Lies in a Silicon Valley Startup and was the first to break the scandals surrounding the company for The Wall Street Journal.
In the opening keynote session of The IIA's 2021 General Audit Management (GAM) Conference, Carreyrou said journalists bought into Holmes' narrative of a woman entrepreneur propelling herself to the top of male-dominated Silicon Valley. In turn, Holmes used the favorable media coverage to raise funds for the company, which she founded in 2003 to develop an innovative blood-testing device.
Carreyrou also noted the failure of Theranos' board — which included public figures such as former U.S. Secretaries of State Henry Kissinger and George Shultz — to exercise due diligence over the company. This was in part because the board members did not have expertise in science or health care, and because Holmes had voting control of the company. "The board did not do its job," Carreyrou said.
Holmes and businessman Sunny Balwani, who became president and chief operating officer of Theranos, were quick to take legal action against critics. The two were obsessed with secrecy to the extent of monitoring employees' keystrokes on their computers. The obsession with secrecy was a red flag about the company, Carreyrou said, and the secrecy as well as its litigious attitude made it difficult to find sources. "The whistleblowers are the heroes of this story," he said.
Carreyrou also faulted the drug store chain Walgreens Boots Alliance for not exercising due diligence when it signed a deal with Theranos in 2012 to put the company's testing machines in its stores, ignoring concerns about their reliability.
Carreyrou's article about Theranos ran in The Journal in October 2015. The following April, the U.S. Securities and Exchange Commission started an investigation of Theranos, and in March 2018, it charged Holmes and Balwani with fraud. Holmes lost control of the company as part of a settlement.
In June 2018, a federal grand jury in California charged Holmes and Balwani with wire fraud and conspiracy; Theranos went out of business three months later. Holmes' trial is scheduled to begin in July; Balwani's trial is set for 2022.
Kraft Heinz Auditor Shares the Recipe for Its Data Analytics Program
Many internal audit functions are eager to leverage technology to better perceive both risks and opportunities. This was the case for Fernando Garcia, vice president of Internal Audit at the Kraft Heinz Co., who headed up a data analytics initiative at the global food company in 2017. Garcia shared insights from his data analytics journey today at the 2021 GAM Conference session "Using Real-time Data to Mine Better Insights."
Garcia described how his department moved from a manual-based data analytics model to one that involves continuous monitoring, a dashboard of more than 100 key risk indicators, and the beginning of a predictive analysis program — in a few short years. The team did this by working with Kraft Heinz's IT department and partnering with EY and IBM to develop a data analytics platform called Risk Navigator. This platform allows internal audit to monitor real-time key risk indicators for each core business process.
Garcia discussed some of the challenges, benefits, and best practices involved in launching a successful data analytics program. For instance, the team opted to "scale up quickly," monitoring as many as 75 key risk indicators at once to generate insights and demonstrate the impact of the data analytics tool.
Change management also has been a big part of the data analytics initiative. "You have your supporters and influencers, and those who are more resistant to change," Garcia explained.
The team developed a risk monitoring center of excellence and helped educate other business units on the benefits of Risk Navigator, including offering workshops and demos, training materials, and access to the platform. These efforts generated enthusiasm over time. "We see that momentum, with many business leaders coming to us and asking us to build key indicators," Garcia said.
As for its benefits, Garcia said the data analytics tool is helping the company improve on existing controls and implement new ones, identify process inconsistencies, and get ahead of risk and control gaps by leveraging real-time data. It also helps the team better understand the business it works for and build business acumen.
Co-presenter Milene Carvalho, a partner at EY's Americas Enterprise Risk Practice, said part of internal audit's journey in launching a data analytics program is understanding that not everything is going to work perfectly at first. "You're going to have bumps in the road," Carvalho said. "If you don't fail, it's a sign that you didn't try hard enough." She advised that the initiative is about "being gutsy and having a vision."
The IIA Inducts Four Into American Hall of Distinguished Audit Practitioners
Angelina Chin, Mike Fucilli, Sandra Pundmann, and Shannon Urban are the 2021 inductees to The IIA's American Hall of Distinguished Audit Practitioners. The honor, announced during Tuesday's opening session of the GAM Conference, recognizes internal audit practitioners who have made extraordinary contributions to the internal audit profession in the U.S.
Chin's internal audit career included leadership positions at both the General Motors Co. and the Federal Reserve Bank of Chicago. Fucilli recently retired as auditor general at the Metropolitan Transportation Authority in New York and now teaches at St. John's University while owning an audit and advisory company.
Pundmann has advised the boards and C-suite executives of more than one-fourth of Fortune 100 companies during her nearly 40-year career. Urban is currently the chief audit executive at Hasbro Inc., and has 25 years of experience in internal audit, enterprise risk assessment, control design, and controls assessment in multiple industries.
Each of the 2021 inductees has made significant contributions to The IIA as a volunteer and has become widely respected for the breadth of his or her knowledge and insight about the profession. "The 2021 inductees are truly representative of the scope of internal audit's service, value, and impact," said Nancy Haig, chair of The IIA's North American Board, at the induction ceremony. "They set the standard for others to emulate."
Inclusion into this distinguished group represents one of the highest honors in the internal audit profession and is only given to those who exemplify high ethical conduct, integrity, moral character, service, and leadership within the internal audit community. To be considered, the person must be nominated by at least two individuals who are actively engaged in the profession.
March 15, 2021
One year after the World Health Organization's declaration of the COVID-19 global pandemic, 76% of CEOs said global economic growth will improve over the next 12 months, according to PwC's 24th Annual Global CEO Survey. "That's nearly 20 percentage points greater than the previous record high for optimism, over all the years we have been asking this question," said the report, which is based on 5,050 survey responses gathered in January and February. "Based on this year's responses, we estimate that global growth could rise as much as 5%." Yet, the respondents expressed anxiety, with most rating pandemics and other health crises as the top threats that could affect their organization's growth prospects. Cybersecurity took second place, and the percentage of CEOs concerned about how "the spread of misinformation" could affect growth nearly doubled. While 43% said they should report on environmental impact, only 30% of respondents said they were "extremely concerned" about climate change, and 60% have not yet factored climate change into their strategic risk management activities. CEOs of companies in countries with the highest exposure to natural hazards were among the least prepared for climate change risk, the report notes.
Publicly listed companies in the United Arab Emirates (UAE) must have at least one woman board member as a result of a recent amendment by the country's Securities and Commodities Authority (SCA), Reuters reports. Currently, women sit on the boards of 28 of the 110 listed companies. The SCA says the move was made to "empower Emirati women" and to encourage them to participate on boards. The UAE's decision is part of a trend among countries and organizations worldwide to ramp up their diversity and inclusion efforts. In the U.S., executive search firms have reported a large upswing in requests to find chief diversity officers, Agenda reports (paywall). According to Agenda, companies also are searching for chief human resource officers and looking at increasing their investments in the human resources function.
The White House is contemplating the use of cybersecurity ratings and standards for U.S. software, a move akin to how New York City grades restaurants on sanitation or Singapore labels internet of things devices, CyberScoop reports. The Biden administration is considering the ratings as the government and organizations respond to two major security incidents — the SolarWinds supply chain attack and the exploitation of vulnerabilities in Microsoft Exchange servers. The concept of government labeling and grading in cybersecurity is not new. Some experts have long supported an Energy Star-style rating system resembling the program that the U.S. Environmental Protection Agency and Energy Department use to promote energy-efficient devices.
Now that the historic $1.9 trillion American Rescue Plan Act has been signed into law, many U.S. businesses — particularly small businesses that have seen significant tribulations during the pandemic — are investigating how the law will affect their expenses and policies. The Guardian lists some of the tax incentives in the bill that could enable small businesses to both save on taxes and obtain additional funding. These include the extension of an employee retention tax credit of $7,500 per employee per quarter, and an extension of the Families First Coronavirus Response Act (FFCRA) tax credit, which allows businesses to claim money back on their federal payroll tax returns for the wages they were required to pay to employees who needed to take time off for COVID-19-related reasons. The law also extends the COBRA tax credit, which can be claimed by employers who continue to pay health insurance premiums on behalf of laid-off employees, and the work opportunity tax credit, which can be claimed by any employer that hires a veteran, someone coming off welfare, or a worker who has been unemployed for more than six months. Finally, it includes a "carryback of losses" provision that allows businesses that lost money between 2018 and 2020 to carry back those losses for up to five years.