Will The IIA Redraw the Lines of Defense?<p><img src="/2018/PublishingImages/Businessman%20Standing%20at%20Entrance.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Good governance is part art, part science, and probably a bit of luck and magic. But the payoff when it is achieved is an organization that consistently achieves goals, serves stakeholder interests, supports long-term value creation, and nurtures a healthy culture. <br></p><p>The problem is that there can be no one-size-fits-all approach. Each organization faces unique risks, challenges, and opportunities that add variability to the struggle. But finding the right combination of rules, practices, controls, structures, and processes that support good governance is worth the effort. Not surprisingly, many tools and models have been developed over the years to explain or promote best practices that position organizations to succeed.</p><p>One model that has gained widespread acceptance and popularity is the Three Lines of Defense. Over more than two decades, myriad organizations have embraced the model, attracted by its simplicity in describing risk-management and control responsibilities in three separate "lines" — one that owns and manages risks (first line), one that supports risk management (second line), and one that provides independent audit assurance and insight (third line).</p><p>Many believe that The IIA invented the Three Lines of Defense model. While the precise origins of the model are subject to debate, The IIA did not originate it. In 2013, The IIA did publish a position paper in support of the model, in part because of its strong recognition of internal audit's vital third-line role as an independent assurance provider. </p><p>However, in recent years, critics have charged that the model's fixed "lines" make it too inflexible for today's dynamic governance challenges and that its focus on defense limits its effectiveness. 
Today's complex risk landscapes continually evolve, and rapid advances in technology offer both disruptions and opportunities. What's more, as organizations have developed new approaches to address risks, the "lines" have become less distinct with first-, second- and third-line responsibilities often overlapping.</p><p>In addition to concerns about the blurring of the lines of defense, others have noted that the Three Lines of Defense model is all about "protecting value," and doesn't really address the importance of value enhancement. The IIA's new strategic plan stresses that internal audit "be recognized as critical to enhancing and protecting organizational value." For this to happen, internal audit must be portrayed as more than just a third line of protecting value. </p><p>The time has come to take a new look at the Three Lines of Defense and give this trusted instrument a 21<sup>st</sup> century makeover. Buoyed by the support of governance experts in the public and private sectors, academia, regulators, and representatives of the Big Four accounting firms, The IIA has embarked on a project to refresh the model.<br></p><p>As IIA Chairman of the Board Naohiro Mouri said in the <a href="">press release announcing the ambitious project</a>:</p><p><span class="ms-rteStyle-BQ">"Our aim is not to replace Three Lines of Defense or invent a new model, but to ensure it can accommodate the nuances and dynamics we see across different organizations, so that they may leverage and learn from each other more effectively and strategically.</span></p><p><span class="ms-rteStyle-BQ">"We also must embrace the concept that risk goes beyond defense. Uncertainty creates risks and it creates opportunities. Consideration must be given to both sides in decision making and planning at all levels. 
Organizations must decide the most appropriate way to allocate and structure resources and responsibilities within their organizations, using the Three Lines of Defense to their advantage."</span></p><p>This yearlong project is headed by a core working group of governance experts who will tap into the vast experiences of an additional 30-member advisory group. The project includes a comprehensive review of governance approaches from around the world, and it will seek out and incorporate public comments through a formal exposure process. Ultimately, the project will result in a new IIA position paper on the subject, expected in the second half of 2019.</p><p>From the outset, The IIA's objective has been to explore how best to update the Three Lines of Defense model to reflect the changes in modern risk management and governance, while at the same time preserving its straightforward and clear approach. In keeping with its original intent, the refresh will focus on roles, not organizational structures. In response to critiques, the aim is to make the model more flexible, suitable to all sectors, and responsive to both the challenges and opportunities that risks offer. Like many of you, I eagerly await the result of the work from what is a world-class group of governance experts and a thorough and inclusive process.</p><p>My intent in sharing news of The IIA's Three Lines of Defense initiative is to inform you about this important project and to build momentum for a lively and productive consideration of the exposure draft, which is anticipated early next year.</p><p>The original model has served many organizations well for many years. My sincere hope is that the refreshed version will do so, as well.<br></p>Richard Chambers
Doing the Right Thing<h2>In light of recent, well-publicized corporate culture failings, what are boards doing to address culture?</h2><p> <strong>Christensen</strong> We definitely see the concept of culture gaining traction in the boardroom. More than ever, directors are acutely aware that culture plays a role in delivering outcomes — both good and bad — for the companies they serve. Because culture can break down anywhere in the company, it is important for directors to experience firsthand the real-world culture in the organization, rather than rely solely on boardroom discussions and management reports. One way to accomplish this is by engaging directly with operating personnel through site visits. Directors also should insist on observations regarding culture from the chief risk officer, chief compliance officer, chief information security officer, and human resources and environment, health, and safety personnel, as well as other independent second line-of-defense functions. Boards also expect internal audit to weigh in as the third-line assurance provider.</p><p> <strong>Keele</strong> Boards are asking more directed questions: What is the risk of this happening in our company? What steps have we taken to prevent/detect this type of misconduct? Do we apply our processes consistently? How does the organization respond to a finding of inappropriate or unethical behavior — is everyone held accountable, or are certain individuals given a pass? Do we have a crisis management plan to respond to an event? Boards also should be consistently asking the broader questions that get at the current state of the organization’s culture: Are expectations for what constitutes unacceptable behavior clear and understood? Is the workplace safe and respectful? Do individuals feel they can speak up without retaliation, expect they will be heard, and have their concerns investigated? 
</p><h2>What do boards need to understand about their role in overseeing culture?</h2><p> <strong><img src="/2018/PublishingImages/EOB-Tracey-Keele.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Keele</strong> Most boards now understand that culture is important, but determining what to do about it is another matter. Like management, boards are not entirely sure how to confirm whether the culture they want is the culture they have. Because measuring and overseeing culture isn’t easy, there is a risk of defaulting to seemingly simple, check-the-box solutions. Further, there is a risk of over-relying on hard controls — policies, training, and systems that only provide a partial view of risk management. Understanding the drivers of conduct — soft controls — and whether the “walk” matches the “talk” is fundamental to understanding culture and risk.</p><p>Boards also should guard against focusing on today’s expectations, without considering how they may differ tomorrow. Technological, social, economic, regulatory, and political changes are occurring faster than ever. How do organizations evolve quickly, focus on both the spirit and the letter of the law, and anticipate change to enhance resiliency, grow, and build trust with stakeholders? </p><p> <strong>Christensen</strong> Culture is a vital enterprise asset that must be cultivated, nurtured, and maintained. Directors need to be curious enough to probe on culture issues. First and foremost, the board must want to know whether there are any concerns pertaining to culture warranting its attention. Board members must address two fundamental questions: How do we know what we need to know regarding culture? Is our understanding representative of the entire organization or just certain areas? 
No director wants to be on a board that ends up asking itself: How did this happen and why didn’t we know?</p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>Cultural Misalignment</strong></p><p>Christensen and Keele say these red flags may indicate that the tone in the middle isn’t aligned with the tone at the top. </p><ul><li>Nobody is talking about culture.</li><li>Controversial deals and encouragement of risk taking to hit short-term targets.</li><li>Complex and unclear legal and reporting structures that obscure transparency. </li><li>Poorly executed takeovers that allow pockets of bad behavior to thrive.</li><li>Lack of financial discipline.</li><li>Employees constantly fear being fired.</li><li>Employees execute projects without a clear vision from company leaders.</li><li>Lack of knowledge sharing among employees.</li><li>A focus on blame or covering for each other rather than fixing the problem.</li><li>A perceived disconnect between words and action. </li><li>A focus on the letter rather than the spirit of the law and regulations.</li><li>Risk management and controls are regarded as an inconvenience. </li><li>Lack of prompt follow through on commitments.</li><li>Failure to escalate identified issues and active concealment of problems.</li><li>Dress rehearsals for leadership visits that are focused on appearance.</li></ul></td></tr></tbody></table> <h2>What can internal audit do to inform the board about the organization’s culture?</h2><p> <strong><img src="/2018/PublishingImages/EOB-Brian-Christensen.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Christensen</strong> Internal audit, the third line of defense, is well-positioned to perform a culture audit, evaluating the processes used across the entity by first- and second-line personnel to assess culture. 
Ironically, it is internal audit — the objective eye of the organization — that is uniquely qualified to bring “a systematic, disciplined approach” to a potentially subjective process like measuring culture. Internal auditors should “connect the dots,” considering the findings and gratuitous observations from multiple audits to ascertain whether any meaningful patterns exist. With everyone having a stake in evaluating the enterprise’s culture, the board should be privy to the results of all evaluations — particularly from independent second-line functions and internal audit. </p><p> <strong>Keele</strong> Internal auditors can play a critical role in understanding and enhancing culture. Internal audit can act as “the eyes and ears” of the organization, helping the board deepen its understanding of culture to better fulfill its culture oversight responsibilities. Evaluating and evolving audit skills and capabilities, initiating and promoting dialogue within the organization, garnering organizational permissions and support, and understanding the organization’s culture expectations, initiatives, and current state are important first steps for establishing internal audit’s role in culture.</p><h2>What tools and techniques should internal audit use to audit culture?</h2><p> <strong>Keele</strong> The tools and techniques used in traditional audits also are relevant to culture audits — interviews, data review and analysis, and walk-throughs. Also, the use of surveys, facilitated workshops, focus groups, and advanced analytical techniques like sentiment analysis can be extremely valuable, deepening the understanding of employee experiences and perceptions. Internal audit should think expansively about data that exists within and outside the organization to support improved risk assessment and audit execution. Procedures should be tailored based on the organization’s culture maturity and appetite for improvement, and internal audit’s capability and ambition. 
</p><p> <strong>Christensen</strong> Survey results can validate themes from stakeholder interactions to gauge consistency of views regarding the company’s culture. Relevant data metrics should supplement insights from surveys and direct interactions with stakeholders. These include risk metrics, conduct-related compliance data, issue escalation and resolution data, human resources data and reports, whistleblower reports, turnover data, ethics hotline reports, unstructured social media data, and employee demographic data. These and other metrics should be used as supplements to performance measures linked to the strategy to drive the type of organizational culture that management and the board would like stakeholders to experience when they interact with it. </p>Staff
Don't Overlook Physical Access<p>In the digital age, security risks have become a rising concern for boards, management, and chief audit executives. They have responded to technology advances and growing cyber threats by focusing on controlling access to data, networks, and systems — known as logical security. That focus on logical security often comes at the expense of attention to physical security around buildings, facilities, equipment, and other areas. </p><p>Physical and logical access are closely intertwined and combine to provide a higher level of security throughout the organization. Both types of access control are key to risk mitigation efforts to protect systems and data. Moreover, physical access can have a great impact on the effectiveness of logical access controls. Internal auditors need to focus on the basics and include physical access in their audit plans to ensure that the organization is protected adequately.</p><h2>What’s at Risk?</h2><p>Physical security is one of the most critical components of the overall security landscape. Weak physical security controls expose organizations to greater risk of failure of other controls. Recent incidents have shown that even with the strongest controls around logical security and intrusion detection, organizations continue to be exposed to the risk of unauthorized access in the absence of strong physical access controls.</p><p>Physical security risks are unique to each organization and depend on the size, geographical spread, and type of assets that need to be protected. Internal auditors often consider enterprise systems and data to be the primary assets that are vulnerable to physical security risks. That list must be expanded to include property, office buildings, warehouses, utility rooms, machinery, equipment, and vehicles as well as employees, contractors, and visitors. 
</p><p>The broader risks resulting from the lack of effective physical access controls include inappropriate and unauthorized access to information, theft, vandalism, inappropriate actions from rogue employees or angry customers, accidents, and terrorism. While important for every organization, the consequences when physical security controls are compromised may be greater for data centers, defense-related organizations, educational institutions, hotels, hospitals, and retail businesses.</p><h2>The Audit Plan</h2><p>Including physical security audits in the annual audit plan can help ensure the organization is taking a more structured approach to mitigating security risks. Auditors also should provide assurance that management has performed a physical security threat assessment. Physical security audits should cover several areas.</p><p><strong>Governance and Oversight</strong> Auditors should start by evaluating policies and procedures, oversight, risk assessments, training, and other processes that are in place to facilitate strong physical controls. Effective governance typically indicates a solid foundation for oversight and controls. <br></p><p>Ownership and accountability of physical access can sometimes be murky. Roles and responsibilities of security personnel, property management, data management, and IT overlap and are interrelated. Generally, the IT team supports and helps manage identity and access management programs, but a different business unit may be responsible for physical access. The effectiveness of physical access controls depends on the collaboration among all the affected groups.</p><p><strong>Physical Access Control Layers</strong> The first step in protecting against physical access threats is developing the ability to keep unauthorized individuals off the organization’s property. 
In assessing physical access controls, internal auditors should test the effectiveness of perimeter barriers such as fences, walls, or gates; protective lighting; alarm systems; communications systems; vehicle identification and control systems; and guard systems. As auditors move beyond perimeter considerations to review specific buildings, they should test other key controls such as security alarm systems, cameras, motion detectors, turnstiles, door locks, and badging systems. </p><p>Despite the most sophisticated personnel identification and control processes, piggybacking (also called tailgating) is still a huge concern. Piggybacking refers to an unauthorized person following an authorized person through a door or checkpoint into a restricted area, so that a single badge read admits two people. Internal auditors must ensure that the organization is taking enough measures to restrict access by unauthorized individuals until their identity is confirmed by on-site security personnel. Auditors can review training and communication about piggybacking and even observe entry points during busy entry times. Where the badging system supports anti-passback rules, which refuse a second entry on a badge that has not been read out, auditors should confirm the rules are actually enabled on the doors that protect sensitive areas.</p><p>Within each building, internal auditors should inspect elevator and stairwell access, as well as evaluate whether individual and conference room doors have appropriate locking mechanisms. Rooms that contain valuable or sensitive information and other assets should be adequately protected to prevent access by unauthorized personnel.</p><p>Internal auditors should evaluate these multiple layers of controls carefully to ensure they are strong enough from both preventive and detective aspects. All these systems should be integrated with each other and with the organization’s identity and access management process. For example, many organizations integrate the badging system with a central identity directory such as Microsoft Active Directory, so that a badge is validated in real time against the same account status that governs logical access. A simple test of that integration is to select a sample of employees whose directory accounts were disabled during the review period and confirm that each one’s badge was deactivated on the same day; a badge that still opens doors weeks after the account was disabled is a common finding.</p><p><strong>Monitoring</strong> Internal auditors should assess whether the organization has effective monitoring controls in place to review the logs created from various monitoring systems. 
This information can ensure that the organization investigates and remedies all relevant incidents in a timely manner. In case of a breach, facilities, IT, information security, human resources, and legal teams must collaborate as a formal committee to discuss the incidents, analyze the root cause from investigations, and take remedial action. Internal auditors can review minutes from these committee meetings to evaluate their content and the effectiveness of their remedies.<br></p><h2>Internal Audit’s Next Steps</h2><p>Going forward, internal audit should integrate physical security into the department’s risk assessment process to ensure it gets adequate overall coverage in the annual audit plan. It is important for auditors to evaluate whether the current plan integrates physical security audit steps into relevant audit programs. </p><p>As they develop the audit plan and perform the risk assessment, auditors should schedule meetings with facility and security personnel to learn about past incidents and get a sense of risk exposures in this area. From there, they should meet with the relevant stakeholders to discuss the current logical controls and determine how much logical and other controls depend on physical controls. By following these steps and recommending effective physical security controls, internal auditors also can help strengthen the organization’s overall security profile.</p>Manoj Satnaliwala
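The Monitoring section of the physical access article above describes reviewing badge-system logs but does not show what the review looks like. The script below is an added example written for this page, not code from the article or from any badging or directory product. It cross-checks a badge-reader export against an identity-directory snapshot for two classic findings: granted entries on a badge whose account is disabled, and repeated entries with no exit in between (the anti-passback signal). The CSV layout, the field names, and every record in it are assumptions constructed for the example; a real export from an access control system will need its own parser.

```python
"""Cross-check badge-access events against an identity-directory snapshot.

Added example for the physical access "Monitoring" discussion; not code from
the article or from any badging or directory product. The export format, the
field names, and every record below are assumptions constructed for the
example, so adapt parse_badge_log() to the real system's export.
"""
from datetime import datetime

# Constructed directory snapshot (not real people). The attribute an access
# control system would normally read from a directory such as Active
# Directory is whether the account is enabled.
DIRECTORY = {
    "E1001": {"name": "A. Rivera", "enabled": True},
    "E1002": {"name": "B. Okafor", "enabled": False},  # terminated, account disabled
    "E1003": {"name": "C. Zhang", "enabled": True},
}

# Constructed badge-reader export: timestamp,badge,door,direction,result
BADGE_LOG = """\
2018-10-01T07:58:12,E1001,DC-EAST-DOOR,IN,GRANTED
2018-10-01T08:03:40,E1002,LOBBY-TURNSTILE,IN,GRANTED
2018-10-01T08:05:02,E1003,DC-EAST-DOOR,IN,GRANTED
2018-10-01T08:05:09,E1003,DC-EAST-DOOR,IN,GRANTED
2018-10-01T12:10:33,E1001,DC-EAST-DOOR,OUT,GRANTED
2018-10-01T12:12:01,E9999,DC-EAST-DOOR,IN,DENIED
"""


def parse_badge_log(text):
    """Parse the CSV-style export into a list of event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, direction, result = line.strip().split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "badge": badge,
            "door": door,
            "direction": direction,
            "result": result,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_disabled_account_entries(events, directory):
    """Granted reads for badges whose directory account is disabled or missing.

    A badge that still opens doors after the account was disabled means the
    leaver process never reached the physical access system.
    """
    findings = []
    for e in events:
        if e["result"] != "GRANTED":
            continue
        record = directory.get(e["badge"])
        if record is None or not record["enabled"]:
            findings.append((e["badge"], e["door"], e["ts"].isoformat()))
    return findings


def find_passback_anomalies(events):
    """Two granted INs on one badge at one door with no OUT read between them.

    Either the holder tailgated out and badged back in (anti-passback is not
    enforced on that door) or the card was passed back or cloned; the gap in
    seconds helps tell the two apart during the investigation.
    """
    last_in = {}
    findings = []
    for e in events:
        if e["result"] != "GRANTED":
            continue
        key = (e["badge"], e["door"])
        if e["direction"] == "OUT":
            last_in.pop(key, None)
            continue
        previous = last_in.get(key)
        if previous is not None:
            gap = (e["ts"] - previous).total_seconds()
            findings.append((e["badge"], e["door"], previous.isoformat(),
                             e["ts"].isoformat(), gap))
        last_in[key] = e["ts"]
    return findings


def audit_badge_log(text, directory):
    """Run both checks over an export and return findings keyed by type."""
    events = parse_badge_log(text)
    return {
        "disabled_account_entries": find_disabled_account_entries(events, directory),
        "passback_anomalies": find_passback_anomalies(events),
    }


if __name__ == "__main__":
    for kind, rows in audit_badge_log(BADGE_LOG, DIRECTORY).items():
        print(kind)
        for row in rows:
            print("  ", row)
```

On the constructed data the first check flags badge E1002, whose account is disabled but which still opened the lobby turnstile, and the second flags E1003 entering the data center door twice seven seconds apart with no exit read. The denied attempt by the unknown badge E9999 is deliberately left out of both lists; repeated denials are worth a separate count, but a denied read is the control working, not failing.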
Internal Auditors Must Live in a Shatterproof House<p><img src="/2018/PublishingImages/Shattered%20Glass.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />I have long believed that internal auditors have a tougher challenge than many others in an organization. It's difficult to sustain a reputation for objectivity when we live and work in the same environment where we perform our audit responsibilities — sometimes for a few years, sometimes over an entire career. Everyone is watching internal audit to see if we are walking the talk. I have heard of us referred to as "example setters for an organization," and that we are "constantly assessed by those we audit." I call it having a target on our back. If internal audit is not following organizational policies, or even <em>appears</em> to not be following policies, the fallout will affect trust in the department and every internal auditor in it. </p><p>No one expects internal auditors to be flawless. We are human, after all. However, if the flaws cause others to question our ethics, we will lose a significant advantage that will likely undermine our ability to be perceived as trusted advisors. If management is aware of even minor ethical transgressions, their response when we offer advice or recommendations at the conclusion of our engagements is likely to be, "Why should I listen to him? He takes vacation days without charging them." Or, "She filed a faulty expense report and had to reimburse the company."</p><p>Internal auditors cannot afford the luxury of being vulnerable. Our behavior must be above reproach, if we are to provide counsel to others. And don't be surprised if, the first time you call out a senior manager for a serious ethical infraction, suddenly every minor infraction you ever committed is thrown back at you.</p><p>Neither can internal audit afford to fail living up to its commitments. 
A highly respected chief audit executive recently pointed out to me that internal auditors have to understand that they have a commitment both to the organization where they work and to a broad, diverse group of stakeholders. "We have to walk a fine line, understanding the firm's needs, the board's needs, management's needs, and investors' needs," he explained. "If we're not trustworthy, and if the people we work with aren't trustworthy, we leave the door open to fraud."</p><p>I believe most internal auditors do consistently act ethically. But occasional lapses happen, and when they do, they often make the news. Many of us recall all too well certain high-profile cases. For every highly publicized case of an internal auditor who gets in trouble for ethical transgressions, there are likely scores more whose transgressions were dealt with outside of public view. The actions of unethical internal auditors constitute a massive betrayal, not only of their employers and former colleagues, but also of their profession. Internal audit has many responsibilities, one of which is as ethical overseer. In that capacity, like Caesar's wife, it must be above suspicion.</p><p>To look at it another way, we have all heard the common wisdom that those who live in glass houses should not throw stones. But sometimes, as internal auditors, our job is to toss a rock or two. So, if we're going to throw stones — and, of course, we are — we'd better make sure our own house is shatterproof. A steadfast commitment to ethical behavior, coupled with a strong and effective quality assurance and improvement program, will help ensure that we avoid injury from flying glass.</p><p>One way to shatterproof the internal audit function is to make sure the right people are in it. We must carefully vet those who are brought on board to ensure there are no skeletons that could signal a moral compass that does not point true north. 
We should all hold each other accountable to live up to the highest levels of ethical conduct.</p><p>The IIA recognizes that ethical behavior is crucial to the fabric of our profession. Every IIA member around the world, along with those who hold an IIA certification, must conform to The IIA's <a href=""><span style="text-decoration:underline;">Code of Ethics</span></a>. In promulgating its code, The IIA states, "The purpose of the Institute's Code of Ethics is to promote an ethical culture in the profession of internal auditing." Recently, The IIA went a step further by specifying that "certified individuals are required to complete two CPE hours (each year) focused on the subject of ethics."</p><p>As I noted earlier, I do not believe that the internal audit profession has an "ethics problem." Let's all work hard to make sure it stays that way.</p>Richard Chambers
In Compliance<p>One of the biggest challenges facing organizations today is keeping up with the ever-changing regulatory environment. Companies are dealing with complex compliance requirements in every area of the world in which they operate. Some new requirements, such as the European Union’s General Data Protection Regulation (GDPR), impact organizations regardless of whether they have a physical presence in the location where the law was enacted. Noncompliance with these regulatory requirements, whether it be involuntary or criminal, can create significant risks to an organization, including legal, reputation, and financial risks. Organizations must have strong governance around their compliance programs to ensure these risks are assessed and managed across the organization. </p><p>Internal audit can use its expertise in risk management and internal control to effectively offer assurance as to whether the risks associated with compliance are being managed to an acceptable level. The audit can be scoped to evaluate the governance process as a first step, and third parties can be used when additional assurance on specific regulations is necessary. </p><p>There are frameworks internal audit can leverage to help ensure it assesses all of the key components of a well-governed compliance program. For example, Chapter 8, Part B, of the U.S. Sentencing Commission Guidelines Manual presents guidelines for an effective ethics and compliance program (see “7 Elements of an Effective Compliance and Ethics Program” below). Although this framework is commonly used after an allegation of criminal misconduct has been made or adjudicated, it also can be used to ensure all of the elements of a robust compliance program are in place. 
</p><p>It can be overwhelming when internal audit begins analyzing a compliance program, given its overall complexity and the knowledge necessary to adequately audit all of the various regulations both in the home country and abroad, but this framework helps identify manageable components to be assessed. Management can begin by identifying all of the key compliance areas that affect the organization — environmental, data privacy, import/export, and anti-bribery/anti-corruption, just to name a few. Each key compliance area should have a designated individual with an appropriate level of authority and responsibility to oversee the compliance program. Using the framework, that person, or his or her delegates, can begin documenting how the organization would demonstrate a program that prevents or detects misconduct. A steering team of cross-functional leaders from legal, human resources, compliance, risk management, internal audit, and other key areas can help identify common program elements, such as an overall code of conduct, investigation processes, and hotline management. Internal audit can play a key role in monitoring the overall compliance program and auditing specific risk areas. </p><p>In early 2017, the U.S. Department of Justice issued supplementary guidance titled Evaluation of Corporate Compliance Programs (<a href="" rel="nofollow" target="_blank"></a>). This evaluation guide aligns with the federal sentencing guidelines and other referenced guidance and provides tactical questions that internal audit could use to evaluate the program. Two components, third-party and merger and acquisition risk, were added that should be considered when evaluating the effectiveness of the overall compliance program. </p><p>Third parties may be an integral part of organizational processes and considered part of the extended enterprise. The organization may have significant risk if those third parties, acting on behalf of the organization, commit an act of noncompliance. 
The third party may put the organization at a significant amount of reputation risk, and in certain instances, the organization may be liable for the actions of the third party. The evaluation guide indicates that certain actions must be taken such as due diligence, appropriate controls, management of the relationship, and appropriate consequences if noncompliance or misconduct is identified. </p><p>With mergers and acquisitions, management must ensure that a robust due diligence process is in place, and that the compliance function is integrated into the overall process to ensure that compliance risk is addressed. In the case of an acquisition, integration and transition of the compliance program to the new entity must be completed and any risks identified during due diligence addressed. </p><p>Overall, the framework and guide provide a solid base on which internal audit can ensure governance over compliance programs is effective. These documents should not be used as a checklist, as the elements may be present but a culture of compliance may not be developed, and the program becomes more form than substance. Internal audit should evaluate the adequacy of the evidence maintained in support of the program and ensure that the organization can demonstrate, both internally and externally, that the compliance program is robust. Both quantitative and qualitative factors should be evaluated. Soft controls evidence, such as how employees and leadership talk about the culture, also should be considered. 
</p><p>Although compliance can be a complex area to evaluate, these tools, along with third-party experts when needed, should enable internal audit to offer assurance around the effectiveness of the governance of compliance programs.</p><table class="ms-rteTable-4" width="100%" cellspacing="0" style="height:31px;"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><strong>7 Elements of an Effective Compliance and Ethics Program</strong><br><br>The U.S. Sentencing Commission’s seven elements of an effective program include:<br><ol><li>The organization will establish standards and procedures to prevent and detect criminal conduct. </li><li>The organization’s governing body should be knowledgeable about the ethics and compliance program. High-level employees within the organization should be responsible for program oversight, with day-to-day responsibility delegated to specific individuals. </li><li>The organization will exercise due diligence to ensure that delegation of authority is not granted to individuals who have previously engaged in illegal activity or other conduct inconsistent with an effective compliance and ethics program. </li><li>The organization will periodically communicate its ethics program, including standards and procedures, by conducting effective training programs for employees and third parties, and otherwise disseminating information as appropriate.</li><li>The organization will take steps to ensure that the compliance program is followed, including monitoring. The program must be periodically evaluated to assess its effectiveness, considering both quantitative and qualitative evidence. 
In addition, a system must be established whereby employees, or third parties, may anonymously and confidentially voice concerns.</li><li>The program must be promoted and consistently enforced across all levels of the organization, including appropriate incentives to act in accordance with the program and disciplinary actions when noncompliance is identified. </li><li>When criminal conduct is identified, the organization must respond appropriately and take steps to prevent further similar misconduct, including adjusting the overall compliance program. </li></ol><br>Source: U.S. Sentencing Commission, §8B2.1: Effective Compliance and Ethics Program, <a class="vglnk" href="" rel="nofollow" target="_blank"><span class="ms-rteForeColor-8"></span></a>.</td></tr></tbody></table>Kayla Flanders
The CEO's Brand: A Blessing or a Curse?<p><img src="/2018/PublishingImages/Execs%20With%20Up-Down%20Arrows_445x300.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />The actions of high-profile CEOs and board chairmen can create share volatility and investor uneasiness, and the troubles of Tesla CEO Elon Musk provide a perfect example. Controversial statements and actions by Musk have sent Tesla's stock price on a wild roller-coaster ride. </p><p>This got me to thinking about the risks associated with high-profile company leaders. When a CEO's brand becomes one and the same with the organization, his or her actions are more likely to be magnified, scrutinized, glorified, or vilified. And that poses a new level of risk that many organizations may not be prepared to handle.</p><p>In Musk's case, a single tweet stating he was considering taking Tesla private at $420 a share — "funding secured" — sent the electric-car company's stock skyrocketing to nearly $380 a share. It subsequently plummeted when the prospective financier — the Saudi Sovereign Wealth fund — announced there was no deal in place.</p><p>The fallout continued when the U.S. Securities and Exchange Commission filed a securities fraud charge against Musk for failing to have in place required disclosure controls and procedures relating to his decidedly "unofficial" communication. To his credit, Musk quickly settled the charge by agreeing to step down as chairman of Tesla's board and paying a hefty fine. That settlement boosted Tesla stock to its best trading day since May 2013, further reflecting how Musk's actions can significantly impact Tesla's value. </p><p>I'm not picking on Musk. There are plenty of other examples. 
The ongoing legal battles between Papa John's and its founder John Schnatter, the firing of GE CEO John Flannery, and Travis Kalanick's struggles at Uber each have arguably impacted their respective companies' value.</p><p>This raises the question: Is the CEO's brand a blessing or a curse? </p><p>There are pros and cons to bringing in a personality big enough to be viewed as the face of an organization. While some highly successful companies are built around the individual — Oprah Winfrey — others impose their brand on organizations when they join or return to them.</p><p>Michael Eisner, who made his name as CEO of Paramount Pictures, transformed The Walt Disney Co. by growing its brand in global theme parks, movies, TV, retail products, and a cruise line. Steve Jobs' return to Apple certainly sparked a return to greatness for a company that some believed was on the brink of failure. It is safe to assume that Jobs and Eisner were hired because of their proven skills as strategic risk takers accustomed to acting boldly and aggressively. But boards seeking to hire charismatic leaders should consider how the leaders' brands could impact the organization's risk appetite and culture.</p><p>There are potential downsides to consider. For example, some charismatic CEOs are known to have narcissistic personalities, and research suggests such leaders are more likely to cost the organization money. The authors of See You in Court: How CEO Narcissism Increases Firms' Vulnerability to Lawsuits argue that "narcissistic CEOs subject their organizations to undue legal risk because they are overconfident about their ability to win and less sensitive to the costs to their organizations of such litigation." 
Their research, published by <a href=""><span style="text-decoration:underline;"><em>The Leadership Quarterly</em></span></a>, cites a growing body of evidence that suggests, "organizations led by narcissistic CEOs experience considerable downsides, including evidence of increased risk taking, overpaying for acquisitions, manipulating accounting data, and even fraud."</p><p>Leadership style and its potential impact on the organization's risk appetite and culture should always be on internal audit's radar. Organizations that have charismatic risk takers at their helms should incorporate this into their risk analyses. This should include audits of crisis management plans and candid discussions with the audit committee or board about risk scenarios involving the CEO.</p><p>Clearly, all CEOs impose their wills on organizations with varying degrees of guidance and oversight from their boards. The likelihood of their actions creating crises or significant reputational risks is typically pretty low. But just as no two organizations have identical risk appetites, not all CEOs create the same level of risk. </p><p>I'm interested in hearing about your experiences in dealing with CEO brands.</p>Richard Chambers
Selling Enterprise Risk Management<p>Although enterprise risk management (ERM) has a compelling value proposition, it may not always be intuitive to key stakeholders. That often is because the benefits of ERM are not easily observable or clearly quantifiable in the near term. As risk management professionals, internal auditors are easily sold on ERM’s merits because of our role in the third line of defense. We live and breathe risk management governance daily. But internal auditors and other risk professionals engaged in ERM efforts, by nature, do not tend to have strong sales competencies. So, when we propose ways to advance ERM principles to organizational leadership, the message often misses the mark. </p><p>The ability to convince stakeholders of ERM’s value may be the difference between an ERM program that flounders as a check-the-box compliance activity and one that develops into a strategic governance asset. It is vital for internal auditors and other risk management professionals to have a compelling and polished value proposition pitch in their ERM toolbox — one that is intuitive and presentable in terms and language that first and second line of defense managers will embrace.</p><p>Risk management is not a new idea, and most business professionals understand its importance. However, some are skeptical, writing ERM off as unnecessary or an academic theory that is unproven in the real world. When this skepticism is not based on an informed position, it is a shortsighted and misguided viewpoint that creates a major cultural barrier when attempting to implement or mature an ERM program. This is when ERM professionals need to be at their best as salespeople.</p><p>Just as professional athletes strive for a competitive edge, business professionals also should pursue measures to enhance their success. ERM can provide the same type of competitive edge that athletes get from personal trainers, data analytics, and other measures. 
But ERM benefits are realized when organizations appreciate, understand, and embrace the ERM value proposition. For an organization to unlock the potential of ERM as a strategic asset, a key element is a concise value proposition that leaders and managers can easily buy into.</p><p> <strong>Step 1: Start at the top.</strong> ERM programs are most successful when executive leadership supports them. The ERM value proposition must be understood at the highest management levels. But beyond that, leadership must be compelled to embrace ERM. Only then will leaders develop a vision for pursuing implementation with the requisite energy. Leaders will only embrace ERM when there is a clear value proposition. </p><p> <strong>Step 2: Don’t oversell.</strong> Internal audit must be careful not to sabotage ERM momentum by overpromising what the ERM value proposition can deliver. ERM will not solve all strategic risk management challenges. This message must be communicated with stakeholders by setting realistic expectations about what the organization can achieve. ERM implementation will inevitably encounter failures along with successes.</p><p> <strong>Step 3: Make the case for ERM by appealing to its intuitive nature.</strong> Internal audit should start by making a simple and intuitive case to legitimize ERM. Various entities have given ERM credibility by embracing its virtues. These include regulators (e.g., board requirements for risk oversight), credit rating agencies (e.g., ERM used as rating criteria by S&P and Moody’s), and major universities (e.g., ERM academic programs at North Carolina State University and St. John’s University). Additionally, ERM’s qualitative value is intuitive, as outlined in the waterfall diagram below.</p><p> <strong>Step 4: Draw a distinction between traditional risk management and ERM.</strong> All business professionals manage risk. Managers oversee various business functions and manage the risk inherent in these functions. 
Human resources (HR) managers manage HR risk, finance managers manage finance risk, and so on. The problem with this risk management model is that it does not promote an enterprise view of risk. Risk managers in these siloed functions make risk management decisions that can have negative impacts in other functional areas.</p><p>ERM is not designed to replace the traditional risk management model, but rather to enhance it by bringing greater visibility to risk management activities and impacts across functional silos. This is done by implementing risk management processes to methodically and purposefully identify, respond to, and monitor risks at the enterprise level. <br></p><p> <strong> Step 5: Make ERM a tool for aspirational risk management excellence.</strong> Compliance benefits may be an acceptable outcome for some organizations, but the real value of ERM is realized when its focus is more strategic. There are three imperatives of a strategic ERM value proposition:</p><p></p><ol><li><strong>Make informed decisions.</strong> ERM should support organizational decision-making for strategic planning, tactical execution, budgeting, and risk oversight.</li><li><strong>Protect stakeholder value.</strong> ERM should protect key stakeholders from value erosion.</li><li><strong>Optimize risk outcomes.</strong> ERM should seek the best possible risk outcomes by improving the likelihood of achieving strategic and business objectives, reducing the impact of organizational threats and weaknesses, exploiting organizational strengths and opportunities, and lessening the duration and persistence of negative risk outcomes.</li></ol><p>Aspirational and strategically designed ERM programs help organizations compete more aggressively in the marketplace. With the three imperatives in place, an organization is positioned to compete with an edge. 
</p><p>When designed to be a strategic governance asset, ERM facilitates advanced risk-taking capabilities and empowers a thoughtful, safe, and aggressive risk-taking approach. This can result in enhanced competitive agility and ultimately lead to enhanced organizational value.</p><p><img src="/2018/PublishingImages/Governance_p.65_ERM-qualitative-value.jpg" alt="ERM qualitative value waterfall diagram" style="margin:5px;" /><br></p>Rick Wright
Is There Too Much Civility in the Boardroom?<p><img src="/2018/PublishingImages/Businesspeople%20at%20meeting%20table.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Let's face it, civility is in short supply in the 21<sup>st</sup> century. Whether in politics, social media, on the highway, or in line at a fast-food restaurant, common courtesy and respect are scarce commodities. One place that civility seems to be alive and well is in the boardroom. However, one has to ask: Is there too much civility in a place where members should bring a healthy dose of skepticism?</p><p>Common wisdom is that inspirational leadership is synonymous with great success. Many of the world's most successful companies are associated with iconic leaders such as Bill Gates, Mark Zuckerberg, Steve Jobs, Jack Ma, and others.</p><p>However, the list of well-known organizations that suffered scandal in recent years because of management missteps is just as long, including Uber, Wells Fargo, Papa John's, and Tesla. Certainly, the #MeToo movement has shown that successful organizations can suffer rapid and significant reputational damage when the human failings of their leaders are exposed.</p><p>My examination of high-profile governance failures in recent years has convinced me that, far too often, ineffective board oversight is at the root of corporate scandals. Too many boards are reluctant to question management. Too often, boards are content to say, "We hired a great CEO. We're going to step back and let him or her do their job."</p><p>I often wonder if there may simply be too much civility in the boardroom. I am not suggesting the boardroom equivalent of a "food fight," but board members have an obligation to bring professional skepticism to their roles. 
They must be willing to ask probing questions, challenge management assumptions, rock the boat if necessary, and frankly, risk their future on the board.</p><p>One of the key topics in The IIA Audit Executive Center's <a href=""><span style="text-decoration:underline;">2018 North American Pulse of Internal Audit</span></a> report is board engagement. In the report, chief audit executives are encouraged to strengthen their relationship with audit committee members to help this important stakeholder group understand that they are the true drivers and enablers of effective assurance over internal control.</p><p>While vital to the interests of internal audit, internal auditors must do more than just persuade boards and audit committees to support us. We must help boards renew their commitment to understanding and supporting basic risk management. It is amazing to me that some 21<sup>st</sup> century corporations still don't get it.</p><p>I have often advised my readers to "audit at the speed of risk," but the reality is, no matter how agile and effective an internal audit function becomes, it cannot go it alone. Effective governance, by definition, will always demand enterprisewide effort.</p><p>Effective governance requires constant monitoring and the willingness to question whether management's actions will strain or otherwise impair the governance process. For example, companies often fail to anticipate the possibility of an ends-justify-the-means culture developing in response to pressure to meet earnings expectations or other metrics that drive business. I made this point in a recent <span style="text-decoration:underline;"><a href="">interview</a></span> with CNBC Asia's "Squawk Box," where I also noted that board independence is critical to governance success.</p><p>Board members must be willing to question management's actions and not be reluctant to speak out because of potential conflicts. 
This is why I and others have encouraged organizations to separate the joint role of CEO/chairman. From an internal audit perspective, having a CEO who also serves as board chairman effectively negates the dual reporting line that supports an objective and independent internal audit function. The role can have an equally detrimental effect on board independence.</p><p>There has been increasing focus on the composition of boards, especially regarding the need to have members who have IT experience, as cybersecurity is a leading risk area. This kind of self-examination is healthy and may lead to improved board performance. But no level of experience or diversity will ensure board effectiveness if the fundamental trait of professional skepticism is missing.</p><p>Asking the extra question, requesting additional information, and turning to internal audit to help provide assurance on what the board is hearing from management are all legitimate actions for a board that is independent and committed to maintaining healthy risk management and internal control. </p><p>Let me be clear about one thing: I'm not advocating for an adversarial or conflict-driven relationship between the board and senior management. The board–management relationship should never devolve into a food fight, but it shouldn't always be a picnic, either.</p><p>As always, I look forward to your comments.</p>Richard Chambers
GDPR and Internal Audit<p>Now that the May 25 deadline has passed to comply with the European Union’s (EU’s) General Data Protection Regulation (GDPR), compliance executives may be breathing a sigh of relief. Yet the real compliance work is only beginning. </p><p>GDPR consolidates the EU’s personal data privacy protection laws and redirects the way organizations approach data privacy. It greatly expands the privacy rights of EU citizens and residents, and it applies to any organization that does business with those individuals, regardless of its location. Organizations that don’t comply with GDPR face penalties of up to €20 million or 4 percent of annual worldwide turnover, whichever is greater. </p><p>Compliance will require continued focus and effort. Internal audit can help the organization mitigate GDPR compliance risks by identifying ways to improve controls, raising risk awareness, and assuring compliance.</p><h2>Improving Controls</h2><p>Internal audit can help the organization shift from the preparation phase to the implementation phase of GDPR. The regulation specifically requires organizations to focus on these control-oriented topics:</p><ul><li><em>Accuracy and quality</em> requires organizations to ensure data is accurate and up-to-date and that individuals can correct their records. <br></li><li><em>Security and privacy by design</em> requires organizations to document decisions taken to inform EU residents about how their data will be used and restricted. They also must implement technical, administrative, and physical security/privacy controls to mitigate potential harm. <br></li><li><em>Security safeguards</em> ensure that technical and organizational measures are implemented for privacy and security. 
<br></li></ul><p><br>Internal audit should work with management to identify relevant controls over data entry, assess the accuracy of information and recommend improvements, and strengthen controls that prevent and detect data errors.</p><h2>Raising Risk Awareness </h2><p>The direct risks associated with GDPR relate to potential fines and reputational impact. However, by digging into the regulation’s purpose, internal auditors can see other data protection risks.</p><p><strong>Monitoring, Measuring, and Reporting</strong> Organizations must have a data protection officer (DPO) to lead privacy and compliance efforts. Among the DPO’s tasks are reporting on compliance monitoring, training staff, and ensuring privacy compliance audits take place. The organization must perform data privacy impact assessments when new technologies and systems are used, provide timely data breach notifications, and report on the use of third-party processors.</p><p><strong>Prevent Harm</strong> GDPR imposes sanctions and penalties on organizations that process data unlawfully or fail to deploy safeguards. In addition, individuals may request that the organization remove their personal data from automated processing and profiling.</p><p><strong>Breach Management</strong> Organizations must put processes in place to notify persons no later than 72 hours after they discover a data breach, if it is determined that the breach will result in a high risk of privacy harm to those individuals.<br></p><p><strong>Openness, Transparency, and Notice</strong> Organizations must keep data for specific and legitimate purposes and notify persons about how the organization will use their data. 
Organizations also must inform individuals of safeguards applied when personal data is transferred to a third country.<br></p><p><strong>Individual Participation</strong> EU residents may request access to data, obtain a copy of the data held, and withdraw consent to use personal data as long as withdrawal does not result in legal violations. Individuals may object to the use of their data for direct marketing and profiling, and they may contact the DPO for any issue related to processing their personal data.<br></p><p>Internal audit can educate management about potential risks and ways to manage risks in each area. Auditors can communicate relevant information about these risks via informal emails, a departmental newsletter, or meeting with management. <br></p><h2>Assuring Compliance</h2><p>As new policies and procedures become more mature, internal audit will need to perform regular compliance audits to determine the extent to which the organization is complying with GDPR. Auditors should focus on how the organization manages data to help strengthen privacy and security controls and ensure they are designed appropriately and operating effectively. Auditors will need to assure compliance with key aspects of the regulation and provide early warnings about problems.</p><p><strong>Choice and Consent</strong> Under GDPR, organizations must allow users to choose how their personal data is used. Also, organizations must document and maintain consents and request parental authorization before collecting a child’s data. </p><p><strong>Legitimate Purpose</strong> To ensure data collection is lawful and necessary, organizations can collect only personal data that is needed to achieve the intended purpose. Reviewing and handling requests for further processing, restricting requests for data related to criminal convictions, and documenting situations where the right to object does not apply are all important. 
Internal auditors can help reduce risk by sampling data collection mechanisms for compliance.<br></p><p><strong>Limitations</strong> Organizations may keep data no longer than the period required to support the purposes for which it was collected, and they must erase an individual’s personal data upon his or her request. GDPR permits organizations to retain data meant for archiving purposes in the public interest or for reasons of scientific or historical research. <br></p><p><strong>Free Flow of Information and Legitimate Restriction</strong> This principle includes protections for data transfers using legally binding agreements between public authorities, binding corporate rules, model clauses, and other mechanisms. <br></p><p><strong>Third-party Vendor Management</strong> This principle ensures that organizations gather third-party/vendor guarantees of GDPR compliance along with proof that third parties have the required technical and organizational safeguards. The DPOs of the data controller — organizations or individuals that determine the purposes and means of processing data — must provide written authorizations to use a given processor.<br></p><p><strong>Accountability</strong> GDPR’s accountability principle provides a legal basis for processing personal data, establishes the DPO role, and informs citizens and residents of existing privacy rights and safeguards. In addition to overseeing the data protection strategy, the DPO must maintain contact with the supervisory authority and demonstrate compliance.<br></p><p>Internal auditors will need to periodically assess processes and controls for each of these principles to ensure they are designed and operating effectively. Auditors can review a sample of data transfer documentation to look for data that should not be transferred to another organization. 
They can run reports to look for data that is being kept longer than necessary and review available documentation for any exceptions.<br></p><h2>A GDPR Audit Plan</h2><p>To help the organization maintain compliance, internal audit should include independent GDPR assessments and compliance testing in the audit plan. It can raise executive and board awareness of GDPR noncompliance by highlighting poorly designed or missing controls. Finally, it can identify opportunities to audit common processes across departments.</p>Jan Hertzberg
Crisis Overconfidence<p>Companies are overconfident about their ability to cope in a crisis, and executive leadership on the issue may also be sorely lacking in some organizations, according to a new report. Research by professional services firm Deloitte has found that nearly 60 percent of crisis management and other executives surveyed believe organizations face more crises today than they did 10 years ago.</p><p>They are not wrong. In the past two years, 80 percent of organizations worldwide have had to mobilize their crisis management teams at least once, with cyber and safety incidents topping the list of crises requiring management intervention. And the impact of a crisis on organizations is immediate: nearly three-fifths experienced a leap in customer complaints, usually on social media.</p><p>More than four in five respondents say their organizations have a crisis management plan in place. However, Deloitte's study, <em>Stronger, Fitter, Better: Crisis Management for the Resilient Enterprise</em>, has uncovered dramatic gaps between a company's confidence that it can respond to crises and its level of preparedness. It found that while nearly 90 percent of respondents are confident in their organization's ability to deal with a corporate scandal, only 17 percent have tested that assumption through a simulation exercise. Similarly, 70 percent of organizations are confident in their ability to manage a product recall, though only 22 percent have carried out a simulation exercise.</p><p>The survey, which included participation from more than 500 crisis management, business continuity, and risk senior executives across 20 countries, also found that organizations feel more confident in confronting some types of risks rather than others — particularly IT risks because they feature so prominently on risk agendas. 
For example, nine out of 10 respondents have fairly or very high levels of confidence in their organization's ability to tackle system failures, with similar numbers confident in their organization's ability to respond to regulatory and policy changes (89 percent), corporate scandals (88 percent), and cyberattacks (87 percent). </p><p>Deloitte's research found that experiencing a crisis teaches organizations to avoid them. For example, nearly 90 percent of organizations surveyed have conducted (largely internal) reviews following a crisis, and while these crises were not always foreseen, companies recognized that they might have been averted. As a result, organizations are now more likely to take action to forestall future crises.</p><p>Indeed, a crisis management response plan is critical. Deloitte found that nearly half of respondent organizations that did not have a plan in place saw their finances negatively impacted when a crisis struck. For those organizations with a plan, it was less than a third. </p><p>"Crisis management shouldn't start with a crisis — at this point it may already be too late," says Peter Dent, Deloitte Global crisis management leader. "With the rapid pace of change facing companies worldwide, and with crises on the rise, it is critical for organizations to be ready to respond with skilled leadership and plans that have been tested and rehearsed." </p><p>Crisis plans work best when the board and senior management are involved in shaping them and sponsoring them. And to secure their participation, the study's authors say that it is important to keep the plan relevant to them so that it addresses the issues that "keep management awake at night," such as the impact on reputation and the bottom line.  </p><p>Organizations should also ensure that they set up a crisis management plan specifically for the board, because when a crisis hits executives may need to play a very different — and more interventionist — role from normal. 
For example, if the crisis is causing significant damage to reputation, affecting share price, or resulting in regulatory sanctions or litigation, it may be up to the board to plan the company's continuity and survival. And in terms of succession planning, it may be appropriate to recruit board members with prior crisis management experience, Deloitte says.</p><p>Leadership commitment to crisis management is critical. But nearly a quarter of respondents cite the effectiveness of leadership and decision-making as one of the greatest crisis management challenges their organizations face. In fact, leadership commitment — or lack of it — was deemed to be the primary challenge for respondents, followed by effectiveness of teamwork, familiarity with the crisis structure/response process, and clarity of roles and responsibilities.</p><p>Part of the problem, Deloitte says, is that leaders are unprepared for crisis management. Therefore, organizations should establish a leadership structure for a crisis to help define roles and responsibilities, and training should be provided, particularly around communicating with stakeholders. Organizations should also identify the leadership styles of particular executives and managers, and work out who would be best placed to deal with certain aspects of the crisis response: in a high-pressure environment, leaders will tend to rely heavily on their most natural leadership style — which may not be suitable. </p><p>Deloitte's research found that crises often emanate from the actions of third parties such as suppliers and alliance partners, but at the same time, these third parties often play an important role in helping to manage and mitigate the problem. Recognizing this, 59 percent of respondents say that they participate in crisis exercises with third parties, examine third parties' crisis plans, or both. 
In Europe, the proportion is 80 percent.</p><p>As a result, the researchers say that companies should determine which outside organizations need to be in the fold when managing a crisis. These could include advisors such as lawyers, public relations firms, or specialist cyber defense organizations, as well as crisis advisors. In addition, they say, critical service providers, joint venture partners, resellers, distributors, and any other entity that could trigger a crisis (or be affected by it) should be involved in crisis preparations too. </p><p>The report adds that — depending on the scenario — these outside parties should also be included in simulations and exercises where appropriate, and should also share their contingency plans and provide regular updates on response readiness. Companies should stress the benefits of such collaboration, and even consider stipulating in contracts and agreements that such information should be shared.</p><p>"Crises aren't inevitable," Dent says. "Many of them are avoidable, which is why smart business leaders invest in crisis management capabilities. These strengths can help their organizations avoid costly, and sometimes irreparable, damage to finances, employee morale, brand, and reputation."</p>Neil Hodge
