Governance

 

 

Wells Fargo Further Empowers Internal Audit (https://iaonline.theiia.org/blogs/chambers/2019/Pages/Wells-Fargo-Further-Empowers-Internal-Audit.aspx)<p>I have often quoted Danish philosopher Soren Kierkegaard regarding what motivates change. He wrote, "All change is preceded by crisis." American economist and Nobel laureate Milton Friedman made a similar observation when he said, "Only crisis, actual or perceived, produces real change."</p><p>In this context, I was heartened to see Wells Fargo & Co.'s announcement of changes to its governance practices in response to several crises involving its consumer lending division. I won't dwell on the details of the mega-bank's missteps or the resulting regulatory fines. Suffice it to say the scandals that engulfed the world's second-largest bank (by market capitalization) shook it to its core.<br></p><p>A 103-page <a href="https://www08.wellsfargomedia.com/assets/pdf/about/corporate/business-standards-report.pdf"><span style="text-decoration:underline;">business standards report</span></a> released by Wells Fargo last week outlines changes the bank has undertaken as a result of its missteps, and they include important changes to its approach to internal audit.</p><p>One of the most important changes is the consolidation of its retail banking audit team into one centralized group. In the aftermath of the scandals, an internal report showed organizational silos had stymied efforts to report bad practices through established control processes and structures. Consolidation of the audit team is designed to break down those silos, a company spokesman told <em>The Wall Street Journal</em>.</p><p>The bank also created new management-level governance teams tasked with supporting leadership in carrying out risk management. 
Each team has a defined set of authorities and responsibilities. Of great significance are policies that create "clear escalation paths and risk-reporting expectations." From the Wells Fargo report:</p><p><span class="ms-rteStyle-BQ">"The governance committee structure is designed to enable understanding, consideration, and decision-making of significant risk and control matters at the appropriate level of the company and by the appropriate mix of executives."</span></p><p>This step reflects a strong commitment to risk management that the bank report says will be guided by four core principles: long-term relationship focus, accountability, risk philosophy, and an environment of inclusiveness and candor.</p><p>That philosophy is applied to Wells Fargo's use of its internal audit division. It described Wells Fargo Audit Services as "delivering independent and objective internal audit services such as assessments and credible challenge regarding the company's governance, risk management, and controls." It is significant that the description includes the words "credible challenge."</p><p>This concept has been part of bank regulation for several years, but it typically is applied to boards of directors, who are expected to challenge management actions, decisions, and recommendations. It is encouraging that internal audit at Wells Fargo is tasked with that same job. In addition to conducting tests and providing assessment and assurance of the bank's risk management, governance, and control structure, internal audit is tasked with proactively advising management on "risks, management practices, and controls in the design and implementation of new business products, service, and processes; systems development; operational changes; and strategic initiatives." 
</p><p>Other details of internal audit's operations — including explicitly requiring adherence to The IIA's <em>International Standards for the Professional Practice of Internal Auditing</em> and Code of Ethics — describe a textbook example of an empowered and respected component of Wells Fargo's risk management team. At least on paper, it appears that internal audit is invited, indeed expected, to act as a trusted advisor to the board and management.</p><p>Of course, only time will tell whether Wells Fargo's actions will remain true to its written policies, but there are signs the bank is committed to the changes. <em>The Wall Street Journal</em> reports the bank has increased its audit staff size by about a third to 1,350 employees over the past two years. The bank also added more experienced directors to its board-level risk committee.</p><p>I am convinced that the changes undertaken by Wells Fargo — if embraced by management and nurtured by the board — will strengthen the organization and improve its risk management, governance, and control. If this happens, it may ultimately serve as a model for others to emulate.</p><p>As always, I look forward to your comments.<br></p>Richard Chambers
Creating a Better Society (https://iaonline.theiia.org/2018/Pages/Creating-a-Better-Society.aspx)<p>The U.K. government’s recent launch of its Civil Society Strategy recognizes the social responsibility government and internal auditors have for creating the society we want to live in. Civil society in the U.K. today is not just about the well-being of the nation and everyone who lives there — it reflects the contributions we all make through our values to well-being in other civil societies across the globe. Those values are internal auditors’ greatest asset and resource. They also are what internal auditing is based on and should be all about.</p><p>The strategy’s aims are fourfold: Support people to play an active role in building a stronger society, unlock the full potential of the private and public sectors to support social good, help improve communities to make them better places to live and work in, and build stronger public services. I can think of no internal audit plan or program in any organization or sector that these aims and their achievement could not improve in terms of objectives, risk planning, engagement, results, findings, and follow-up. </p><p>Internal auditors all have a responsibility to make social auditing happen. Recent ventures into auditing culture and a new appreciation for culture’s role in establishing effective governance practices have touched on the importance of organizational stewardship and stakeholder engagement. Culture is not just about an organization’s values and how it performs. It also is about how the organization impacts the civil societies in which it operates. </p><p>Many institutional investors have signed on to the United Nations Principles of Responsible Investment with an environmental, social, and governance (ESG) duty: “To act in the best long-term interests of our beneficiaries. 
In this fiduciary role, we believe that [ESG] issues can affect the performance of investment portfolios.” ESG as a performance measure will continue to grow in importance for governments, investors, and organizations. It should also do so for all internal auditors in every country.</p><p>Good governance embraces environmental and social responsibilities in many ways. Achievement of the U.N. Sustainable Development Goals by its target of 2030 is just one aspect of this process. Today’s responses by organizations to the development and growth of integrated and strategic reporting will have a strong influence on the future of environmental and social responsibility declarations by organizations and the assurances they give and require. Internal auditors will always have a part to play to make this happen in their own organizations, across all sectors. The U.K.’s Chartered Institute of Internal Auditors has links into voluntary networks of internal auditors working in the charity, social housing, and higher education sectors. Their messages and progress are an excellent example of how professional internal auditing is already enhancing well-being in the U.K. and across the globe. </p><p><em>A version of this article first appeared on </em>Audit & Risk<em> magazine’s website, </em><a href="http://www.auditandrisk.org.uk/" rel="nofollow" style="background-color:#ffffff;"><em>www.auditandrisk.org.uk</em></a><em>. Reproduced with permission.</em><br></p>Jeffrey Ridley
A New Age of IT Governance Risk (https://iaonline.theiia.org/2018/Pages/A-New-Age-of-IT-Governance-Risk.aspx)<p>Effective governance of IT is critical to organizational success and can transform an organization. While IT-enabled transformation can bring many rewards, poor governance of those projects can cause disruption and unintended consequences. </p><p>As an organization evaluates different technology investments, management must ensure the technology is aligned and delivered in accordance with the organization’s strategies and objectives. Internal auditors can help by providing independent assurance on the appropriateness and effectiveness of the governance structure. </p><h2>Technology’s Challenge</h2><p>IT departments manage the technology supporting business applications, disaster recovery, cloud services, and other mission-critical functions. In many organizations, the IT infrastructure is the foundation for business operations. Yet, new technology often creates new risks ranging from specific control weaknesses to potentially enterprisewide disruptions. Helping the organization assess and address these risks is an opportunity for internal auditors to add value. </p><p>According to Standard 2110.A2 of the <em>International Standards for the Professional Practice of Internal Auditing</em>, internal audit must assess whether IT governance supports the organization’s strategies and objectives. Consequently, the challenge for internal auditors is to help assess numerous risks associated with governance of enterprise IT. </p><h2>Frameworks</h2><p>Audit programs will be more useful if they differentiate governance risks from risks related to the management of enterprise IT. Internal auditors can leverage a variety of frameworks to develop high-quality, tailored audit programs for IT governance. 
</p><p>Governance frameworks include The Committee of Sponsoring Organizations of the Treadway Commission’s <em>Internal Control–Integrated Framework</em>, ISACA’s COBIT, and the Balanced Scorecard Institute’s Balanced Scorecard. Organizations also can use management frameworks such as ITIL, the U.S. National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, and the International Organization for Standardization’s ISO/IEC 27001: Information Security Management, ISO/IEC 38500: Information Technology — Governance of IT, and ISO 9000: Quality Management. These frameworks explain risks, controls, and other details that can reduce the time required to develop an audit program. </p><h2>Audit Planning</h2><p>Internal auditors should become familiar with each of the governance frameworks so they can scope the audit engagement to focus on the appropriate risks. Audit programs should identify the impact of IT risk to the organization as well as the potential for compliance failure. During the risk assessment, auditors can determine the current state of risk management practices, assess design gaps, identify improvement opportunities, and recommend actions. They should consider several areas in their audit program. </p><p><strong>Strategic Alignment</strong> IT strategic alignment continues to be a top priority for most organizations, and aligning technology with business strategies can be challenging for management. One of the key governance controls auditors can review is the process and methodology for justifying and prioritizing IT investments. Auditors can verify that the organization has a formal and periodic process for identifying business needs. Audit procedures also should validate that the IT budget cycle is part of the business operations budgeting process. Additionally, auditors can validate corporate objectives and strategic goal alignment by reviewing the decision rights and accountability framework documentation. 
<br></p><p><strong>Roles and Responsibilities</strong> IT executives need to collaborate with business-unit executives to ensure technology helps shape business strategy. Without clearly defined roles and responsibilities for IT management, the organization risks misalignment between IT and enterprise operations. To identify the links between business and IT plans, internal auditors can evaluate the strategic plan for IT-enabled initiatives, policies, presentations to the board that highlight the outcomes of a successful implementation, and third-party agreements. Additionally, auditors should verify IT’s involvement and responsibilities in the sourcing process. Appropriate involvement by IT can ensure new technology fits the organization’s current environment. Auditors, IT, and the information security group also can collaborate to evaluate compliance requirements. <br></p><p><strong>Organizational Structure</strong> To enable better governance, the chief information officer should be part of an executive or senior management team and an active participant in setting business-unit-level strategy and goals. With the pace of change in today’s business environment, the IT organization must be agile and responsive, so auditors should review metrics associated with the length of projects as well as service satisfaction. <br></p><p>Auditors should try to identify unauthorized IT projects by business units — known as shadow IT — by reviewing technology acquisition processes, purchasing authority, application inventory, and sourcing processes. They should work with the IT support function to evaluate internet traffic (for example, web proxy and DNS logs) for external sites that may indicate unauthorized subscriptions to software-as-a-service (SaaS) applications, reconciling what is actually used against the approved application inventory. Based on a sample, auditors can review IT’s level of participation on the organization’s steering committees and internal advisory boards. 
</p><p><strong>Risk Management</strong> Auditors should evaluate whether IT risks are included in the enterprise risk management program. Auditors also can review internal processes that identify, communicate, and manage IT risks. Uncontrolled change is a significant risk in this area, so auditors should review risk management activities such as communications planning, change management, and committee oversight. If the organization has a security operations center, auditors should assess how it monitors the IT environment and responds to incidents. <br></p><p><strong>Project Management</strong> Organizations should have a project management office to provide governance to prioritize IT projects according to business need. Auditors should review program and project management methodology and ensure the organization complies with internal processes to request, evaluate, and approve IT projects. They should examine a sample of completed projects to determine whether those initiatives realized stated benefits. Moreover, auditors should review the process for evaluating and prioritizing projects at the business-unit and enterprisewide levels. Additionally, understanding and reviewing key performance metrics, such as planned vs. actual expenses and requirement backlog, would be invaluable. <br></p><p><strong>Management Activities</strong> Without an appropriate focus on technology, organizations could mismanage critical IT resources such as the application environment, data, infrastructure, and people. Auditors should evaluate IT’s involvement in key projects, the demand forecasting process, and resource management practices. IT’s involvement and assessment before engaging software providers and consultants will help mitigate the implementation risks associated with large projects. Robust demand and resource management practices can provide the bottom-up approach to gain insights into business requirements, alignment, and priorities. 
By understanding IT resource commitments, internal audit can assess the organization’s ability to deliver on key initiatives. <br></p><h2>Identifying Key Risks</h2><p>Every organization’s risk profile is unique and depends on the organization’s culture, structure, and mission. Governance and management teams should identify and prioritize key risks for mitigation and formalize risk acceptance. Organizations should leverage internal audit’s knowledge of the business’ environment, IT investments, and internal processes. <br></p>Ashok (Ash) Kannan
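<p>The shadow-IT check described under Organizational Structure above (reviewing internet traffic for unapproved software-as-a-service subscriptions) can be scripted against proxy logs. The following is an added example, not code from the article or its author. It assumes a simple space-separated proxy log (timestamp, user, method, URL, bytes) and an approved-application inventory keyed by domain; the log lines and the inventory in it are constructed sample data.</p>

```python
"""Flag candidate shadow-IT SaaS use from web proxy logs.

Added example (not the article's code). Assumes a space-separated proxy
log: timestamp user method url bytes. All log lines and the inventory
below are constructed sample data.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed inventory of formally approved application domains; in practice
# this comes from the application inventory / sourcing records.
APPROVED_DOMAINS = {
    "mail.example-corp.com",
    "crm.approved-vendor.com",
    "www.example-corp.com",
}

# Constructed proxy log sample (one malformed line included on purpose).
SAMPLE_LOG = """\
2018-06-01T09:01:12Z alice GET https://crm.approved-vendor.com/leads 2048
2018-06-01T09:02:30Z bob POST https://app.unlisted-notes.io/api/sync 8192
2018-06-01T09:03:05Z carol GET https://app.unlisted-notes.io/login 512
2018-06-01T09:04:44Z alice GET https://app.unlisted-notes.io/api/sync 4096
2018-06-01T09:05:10Z dave GET https://files.roguecloud.net/upload 65536
2018-06-01T09:06:00Z erin GET https://www.example-corp.com/ 1024
2018-06-01T09:07:00Z bob GET https://cdn.unlisted-notes.io/bundle.js 30000
this line is malformed and is skipped
"""


def parse_line(line):
    """Return (user, hostname) for one log line, or None if it does not parse."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _ts, user, _method, url, _bytes = parts
    host = urlsplit(url).hostname
    if not host:
        return None
    return user, host


def registrable(host):
    """Collapse a hostname to its last two labels (app.x.io -> x.io) so that
    app., cdn. and api. hosts of one vendor count as one application.
    Simplification: ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def find_shadow_saas(log_text, approved, min_users=2):
    """Return {domain: sorted users} for domains outside the approved inventory
    that were reached by at least min_users distinct users. One user hitting an
    unlisted site is noise; several users on one unlisted app looks like a
    subscription that bypassed sourcing."""
    approved_reg = {registrable(d) for d in approved}
    users_by_domain = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, host = parsed
        reg = registrable(host)
        if reg in approved_reg:
            continue
        users_by_domain[reg].add(user)
    return {d: sorted(u) for d, u in users_by_domain.items() if len(u) >= min_users}


if __name__ == "__main__":
    for domain, users in sorted(find_shadow_saas(SAMPLE_LOG, APPROVED_DOMAINS).items()):
        print(f"{domain}: {len(users)} distinct users ({', '.join(users)})")
```

<p>The threshold on distinct users is the useful part: one employee visiting an unlisted site is browsing, while several employees repeatedly reaching one unlisted application suggests a subscription that never went through the sourcing process and should be traced back to purchasing and expense records.</p>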
Will The IIA Redraw the Lines of Defense? (https://iaonline.theiia.org/blogs/chambers/2018/Pages/Will-The-IIA-Redraw-the-Lines-of-Defense.aspx)<p>Good governance is part art, part science, and probably a bit of luck and magic. But the payoff when it is achieved is an organization that consistently achieves goals, serves stakeholder interests, supports long-term value creation, and nurtures a healthy culture. <br></p><p>The problem is that there can be no one-size-fits-all approach. Each organization faces unique risks, challenges, and opportunities that add variability to the struggle. But the importance of finding the right combination of rules, practices, controls, structures, and processes that support good governance is worth the effort. Not surprisingly, many tools and models have been developed over the years to explain or promote best practices that position organizations to succeed.</p><p>One model that has gained widespread acceptance and popularity is the Three Lines of Defense. Over more than two decades, myriad organizations have embraced the model, attracted by its simplicity in describing risk-management and control responsibilities in three separate "lines" — one that owns and manages risks (first line), one that supports risk management (second line), and one that provides independent audit assurance and insight (third line).</p><p>Many believe that The IIA invented the Three Lines of Defense model. While the precise origins of the model are subject to debate, The IIA did not originate it. In 2013, The IIA did publish a position paper in support of the model, in part because of its strong recognition of internal audit's vital third-line role as an independent assurance provider. 
</p><p>However, in recent years, critics have charged that the model's fixed "lines" make it too inflexible for today's dynamic governance challenges and that its focus on defense limits its effectiveness. Today's complex risk landscapes continually evolve, and rapid advances in technology offer both disruptions and opportunities. What's more, as organizations have developed new approaches to address risks, the "lines" have become less distinct, with first-, second-, and third-line responsibilities often overlapping.</p><p>In addition to concerns about the blurring of the lines of defense, others have noted that the Three Lines of Defense model is all about "protecting value," and doesn't really address the importance of value enhancement. The IIA's new strategic plan stresses that internal audit "be recognized as critical to enhancing and protecting organizational value." For this to happen, internal audit must be portrayed as more than just a third line of protecting value. </p><p>The time has come to take a new look at the Three Lines of Defense and give this trusted instrument a 21<sup>st</sup>-century makeover. Buoyed by the support of governance experts in the public and private sectors, academia, regulators, and representatives of the Big Four accounting firms, The IIA has embarked on a project to refresh the model.<br></p><p>As IIA Chairman of the Board Naohiro Mouri said in the <a href="https://na.theiia.org/news/Pages/IIA-Launches-Global-Review-of-Three-Lines-of-Defense.aspx">press release announcing the ambitious project</a>:</p><p><span class="ms-rteStyle-BQ">"Our aim is not to replace Three Lines of Defense or invent a new model, but to ensure it can accommodate the nuances and dynamics we see across different organizations, so that they may leverage and learn from each other more effectively and strategically.</span></p><p><span class="ms-rteStyle-BQ">"We also must embrace the concept that risk goes beyond defense. 
Uncertainty creates risks and it creates opportunities. Consideration must be given to both sides in decision making and planning at all levels. Organizations must decide the most appropriate way to allocate and structure resources and responsibilities within their organizations, using the Three Lines of Defense to their advantage."</span></p><p>This yearlong project is headed by a core working group of governance experts who will tap into the vast experiences of an additional 30-member advisory group. The project includes a comprehensive review of governance approaches from around the world, and it will seek out and incorporate public comments through a formal exposure process. Ultimately, the project will result in a new IIA position paper on the subject, expected in the second half of 2019.</p><p>From the outset, The IIA's objective has been to explore how best to update the Three Lines of Defense model to reflect the changes in modern risk management and governance, while at the same time preserving its straightforward and clear approach. In keeping with its original intent, the refresh will focus on roles, not organizational structures. In response to critiques, the aim is to make the model more flexible, suitable to all sectors, and responsive to both the challenges and opportunities that risks offer. Like many of you, I eagerly await the result of the work from what is a world-class group of governance experts and a thorough and inclusive process.</p><p>My intent in sharing news of The IIA's Three Lines of Defense initiative is to inform you about this important project and to build momentum for a lively and productive consideration of the exposure draft, which is anticipated early next year.</p><p>The original model has served many organizations well for many years. My sincere hope is that the refreshed version will do so, as well.<br></p>Richard Chambers
Doing the Right Thing (https://iaonline.theiia.org/2018/Pages/Doing-the-Right-Thing.aspx)<h2>In light of recent, well-publicized corporate culture failings, what are boards doing to address culture?</h2><p> <strong>Christensen</strong> We definitely see the concept of culture gaining traction in the boardroom. More than ever, directors are acutely aware that culture plays a role in delivering outcomes — both good and bad — for the companies they serve. Because culture can break down anywhere in the company, it is important for directors to experience firsthand the real-world culture in the organization, rather than rely solely on boardroom discussions and management reports. One way to accomplish this is by engaging directly with operating personnel through site visits. Directors also should insist on observations regarding culture from the chief risk officer, chief compliance officer, chief information security officer, and human resources and environment, health, and safety personnel, as well as other independent second line-of-defense functions. Boards also expect internal audit to weigh in as the third-line assurance provider.</p><p> <strong>Keele</strong> Boards are asking more directed questions: What is the risk of this happening in our company? What steps have we taken to prevent/detect this type of misconduct? Do we apply our processes consistently? How does the organization respond to a finding of inappropriate or unethical behavior — is everyone held accountable, or are certain individuals given a pass? Do we have a crisis management plan to respond to an event? Boards also should be consistently asking the broader questions that get at the current state of the organization’s culture: Are expectations for what constitutes unacceptable behavior clear and understood? Is the workplace safe and respectful? Do individuals feel they can speak up without retaliation, expect they will be heard, and have their concerns investigated? 
</p><h2>What do boards need to understand about their role in overseeing culture?</h2><p> <strong>Keele</strong> Most boards now understand that culture is important, but determining what to do about it is another matter. Like management, boards are not entirely sure how to confirm whether the culture they want is the culture they have. Because measuring and overseeing culture isn’t easy, there is a risk of defaulting to seemingly simple, check-the-box solutions. Further, there is a risk of over-relying on hard controls — policies, training, and systems that only provide a partial view of risk management. Understanding the drivers of conduct — soft controls — and whether the “walk” matches the “talk” is fundamental to understanding culture and risk.</p><p>Boards also should guard against focusing on today’s expectations, without considering how they may differ tomorrow. Technological, social, economic, regulatory, and political changes are occurring faster than ever. How do organizations evolve quickly, focus on both the spirit and the letter of the law, and anticipate change to enhance resiliency, grow, and build trust with stakeholders? </p><p> <strong>Christensen</strong> Culture is a vital enterprise asset that must be cultivated, nurtured, and maintained. Directors need to be curious enough to probe on culture issues. First and foremost, the board must want to know whether there are any concerns pertaining to culture warranting its attention. Board members must address two fundamental questions: How do we know what we need to know regarding culture? Is our understanding representative of the entire organization or just certain areas? 
No director wants to be on a board that ends up asking itself: How did this happen and why didn’t we know?</p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>Cultural Misalignment</strong></p><p>Christensen and Keele say these red flags may indicate that the tone in the middle isn’t aligned with the tone at the top. </p><ul><li>Nobody is talking about culture.</li><li>Controversial deals and encouragement of risk taking to hit short-term targets.</li><li>Complex and unclear legal and reporting structures that obscure transparency. </li><li>Poorly executed takeovers that allow pockets of bad behavior to thrive.</li><li>Lack of financial discipline.</li><li>Employees constantly fear being fired.</li><li>Employees execute projects without a clear vision from company leaders.</li><li>Lack of knowledge sharing among employees.</li><li>A focus on blame or covering for each other rather than fixing the problem.</li><li>A perceived disconnect between words and action. </li><li>A focus on the letter rather than the spirit of the law and regulations.</li><li>Risk management and controls are regarded as an inconvenience. </li><li>Lack of prompt follow-through on commitments.</li><li>Failure to escalate identified issues and active concealment of problems.</li><li>Dress rehearsals for leadership visits that are focused on appearance.</li></ul></td></tr></tbody></table> <h2>What can internal audit do to inform the board about the organization’s culture?</h2><p> <strong>Christensen</strong> Internal audit, the third line of defense, is well-positioned to perform a culture audit, evaluating the processes used across the entity by first- and second-line personnel to assess culture. 
Ironically, it is internal audit — the objective eye of the organization — that is uniquely qualified to bring “a systematic, disciplined approach” to a potentially subjective process like measuring culture. Internal auditors should “connect the dots,” considering the findings and gratuitous observations from multiple audits to ascertain whether any meaningful patterns exist. With everyone having a stake in evaluating the enterprise’s culture, the board should be privy to the results of all evaluations — particularly from independent second-line functions and internal audit. </p><p> <strong>Keele</strong> Internal auditors can play a critical role in understanding and enhancing culture. Internal audit can act as “the eyes and ears” of the organization, helping the board deepen its understanding of culture to better fulfill its culture oversight responsibilities. Evaluating and evolving audit skills and capabilities, initiating and promoting dialogue within the organization, garnering organizational permissions and support, and understanding the organization’s culture expectations, initiatives, and current state are important first steps for establishing internal audit’s role in culture.</p><h2>What tools and techniques should internal audit use to audit culture?</h2><p> <strong>Keele</strong> The tools and techniques used in traditional audits also are relevant to culture audits — interviews, data review and analysis, and walk-throughs. Also, the use of surveys, facilitated workshops, focus groups, and advanced analytical techniques like sentiment analysis can be extremely valuable, deepening the understanding of employee experiences and perceptions. Internal audit should think expansively about data that exists within and outside the organization to support improved risk assessment and audit execution. Procedures should be tailored based on the organization’s culture maturity and appetite for improvement, and internal audit’s capability and ambition. 
</p><p> <strong>Christensen</strong> Survey results can validate themes from stakeholder interactions to gauge consistency of views regarding the company’s culture. Relevant data metrics should supplement insights from surveys and direct interactions with stakeholders. These include risk metrics, conduct-related compliance data, issue escalation and resolution data, human resources data and reports, whistleblower reports, turnover data, ethics hotline reports, unstructured social media data, and employee demographic data. These and other metrics should be used as supplements to performance measures linked to the strategy to drive the type of organizational culture that management and the board would like stakeholders to experience when they interact with it. </p>Staff
Don't Overlook Physical Access (https://iaonline.theiia.org/2018/Pages/Don't-Overlook-Physical-Access.aspx)<p>In the digital age, security risks have become a rising concern for boards, management, and chief audit executives. They have responded to technology advances and growing cyber threats by focusing on controlling access to data, networks, and systems — known as logical security. That focus on logical security often comes at the expense of attention to physical security around buildings, facilities, equipment, and other areas. </p><p>Physical and logical access are closely intertwined and combine to provide a higher level of security throughout the organization. Both types of access control are key to risk mitigation efforts to protect systems and data. Moreover, physical access can have a great impact on the effectiveness of logical access controls: an attacker with hands on a console, an open network port, or an unencrypted disk can bypass many of them. Internal auditors need to focus on the basics and include physical access in their audit plans to ensure that the organization is protected adequately.</p><h2>What’s at Risk?</h2><p>Physical security is one of the most critical components of the overall security landscape. Weak physical security controls expose organizations to greater risk of failure of other controls. Recent incidents have shown that even with the strongest controls around logical security and intrusion detection, organizations continue to be exposed to the risk of unauthorized access in the absence of strong physical access controls.</p><p>Physical security risks are unique to each organization and depend on the size, geographical spread, and type of assets that need to be protected. Internal auditors often consider enterprise systems and data to be the primary assets that are vulnerable to physical security risks. That list must be expanded to include property, office buildings, warehouses, utility rooms, machinery, equipment, and vehicles as well as employees, contractors, and visitors. 
</p><p>The broader risks resulting from the lack of effective physical access controls include inappropriate and unauthorized access to information, theft, vandalism, inappropriate actions from rogue employees or angry customers, accidents, and terrorism. While important for every organization, the consequences when physical security controls are compromised may be greater for data centers, defense-related organizations, educational institutions, hotels, hospitals, and retail businesses.</p><h2>The Audit Plan</h2><p>Including physical security audits in the annual audit plan can help ensure the organization is taking a more structured approach to mitigating security risks. Auditors also should provide assurance that management has performed a physical security threat assessment. Physical security audits should cover several areas.</p><p><strong>Governance and Oversight</strong> Auditors should start by evaluating policies and procedures, oversight, risk assessments, training, and other processes that are in place to facilitate strong physical controls. Effective governance typically indicates a solid foundation for oversight and controls. <br></p><p>Ownership and accountability of physical access can sometimes be murky. Roles and responsibilities of security personnel, property management, data management, and IT overlap and are interrelated. Generally, the IT team supports and helps manage identity and access management programs, but a different business unit may be responsible for physical access. The effectiveness of physical access controls depends on the collaboration among all the affected groups.</p><p><strong>Physical Access Control Layers</strong> The first step in protecting against physical access threats is developing the ability to keep unauthorized individuals off the organization’s property. 
In assessing physical access controls, internal auditors should test the effectiveness of perimeter barriers such as fences, walls, or gates; protective lighting; alarm systems; communications systems; vehicle identification and control systems; and guard systems. As auditors move beyond perimeter considerations to review specific buildings, they should test other key controls such as security alarm systems, cameras, motion detectors, turnstiles, door locks, and badging systems. </p><p>Despite the most sophisticated personnel identification and control processes, piggybacking is still a huge concern. Piggybacking refers to when an unauthorized person follows behind another person who is authorized to gain entry into a restricted area or past a checkpoint. Internal auditors must ensure that the organization is taking enough measures to restrict access by unauthorized individuals until their identity is confirmed by on-site security personnel. Auditors can review training and communication about piggybacking and even observe this process during busy entry times.</p><p>Within each building, internal auditors should inspect elevator and stairwell access, as well as evaluate whether individual and conference room doors have appropriate locking mechanisms. Rooms that contain valuable or sensitive information and other assets should be adequately protected to prevent access by unauthorized personnel.</p><p>Internal auditors should evaluate these multiple layers of controls carefully to ensure they are strong enough from both preventive and detective aspects. All these systems should be integrated with each other. For example, many organizations use a human resources database called Active Directory to validate an employee’s access credentials in real time.</p><p><strong>Monitoring</strong> Internal auditors should assess whether the organization has effective monitoring controls in place to review the logs created from various monitoring systems. 
This information can ensure that the organization investigates and remedies all relevant incidents in a timely manner. In case of a breach, facilities, IT, information security, human resources, and legal teams must collaborate as a formal committee to discuss the incidents, analyze the root cause from investigations, and take remedial action. Internal auditors can review minutes from these committee meetings to evaluate their content and the effectiveness of their remedies.<br></p><h2>Internal Audit’s Next Steps</h2><p>Going forward, internal audit should integrate physical security into the department’s risk assessment process to ensure it gets adequate overall coverage in the annual audit plan. It is important for auditors to evaluate whether the current plan integrates physical security audit steps into relevant audit programs. </p><p>As they develop the audit plan and perform the risk assessment, auditors should schedule meetings with facility and security personnel to learn about past incidents and get a sense of risk exposures in this area. From there, they should meet with the relevant stakeholders to discuss the current logical controls and determine how much logical and other controls depend on physical controls. By following these steps and recommending effective physical security controls, internal auditors also can help strengthen the organization’s overall security profile.</p>Manoj Satnaliwala1
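As an added example that is not part of the article, the following Python script shows the kind of cross-check an auditor can run over badge-reader and workstation logon exports to surface on-site logons that physical access records do not explain (piggybacking, badge sharing, or a reader that is not logging). The two log formats and every event in them are constructed for illustration; a real export will need its own parser.

```python
"""Cross-check physical badge entries against logical logon events.

Added illustration, not the article's own material. The log formats below
are constructed for this example; real badge and logon systems export
different fields, so parse_log() is the part to adapt.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed badge-reader export: timestamp, badge holder, door, result
BADGE_LOG = """\
2019-02-11T07:58:12 alice LOBBY-TURNSTILE GRANTED
2019-02-11T08:03:40 bob   LOBBY-TURNSTILE GRANTED
2019-02-11T08:05:02 carol LOBBY-TURNSTILE DENIED
2019-02-11T12:30:55 alice SERVER-ROOM     GRANTED
"""

# Constructed workstation logon export: timestamp, account, host, network
LOGON_LOG = """\
2019-02-11T08:01:30 bob   WS-0418 ONSITE
2019-02-11T08:10:05 alice WS-0412 ONSITE
2019-02-11T08:12:19 carol WS-0233 ONSITE
2019-02-11T08:14:44 dave  WS-0101 ONSITE
2019-02-11T09:01:00 erin  VPN-GW  REMOTE
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    person: str
    where: str    # door name for badge events, host name for logons
    detail: str   # GRANTED/DENIED for badges, ONSITE/REMOTE for logons


def parse_log(text):
    """Parse the whitespace-separated constructed format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, person, where, detail = line.split()
        events.append(Event(datetime.fromisoformat(ts), person, where, detail))
    return events


def find_exceptions(badge_events, logon_events):
    """Return (person, host, reason) tuples for on-site logons that the
    badge records do not explain.

    Two conditions are flagged: an on-site logon on a day with no GRANTED
    badge event for that person, and an on-site logon timestamped before the
    person's first GRANTED badge event of the day. Remote logons are skipped
    because no badge entry is expected for them.
    """
    first_entry = {}   # (person, date) -> earliest GRANTED badge time
    denied = set()     # (person, date) with at least one DENIED badge read
    for e in badge_events:
        key = (e.person, e.ts.date())
        if e.detail == "GRANTED":
            if key not in first_entry or e.ts < first_entry[key]:
                first_entry[key] = e.ts
        elif e.detail == "DENIED":
            denied.add(key)

    exceptions = []
    for logon in logon_events:
        if logon.detail != "ONSITE":
            continue
        key = (logon.person, logon.ts.date())
        entry = first_entry.get(key)
        if entry is None:
            reason = "onsite logon with no badge entry that day"
            if key in denied:
                reason += " (a badge read was DENIED earlier)"
            exceptions.append((logon.person, logon.where, reason))
        elif logon.ts < entry:
            exceptions.append((logon.person, logon.where,
                               "onsite logon before first badge entry"))
    return exceptions


def run():
    """Apply the cross-check to the constructed sample logs."""
    return find_exceptions(parse_log(BADGE_LOG), parse_log(LOGON_LOG))


if __name__ == "__main__":
    # With the sample data, bob, carol and dave are reported; alice and erin are not.
    for person, host, reason in run():
        print(f"{person:6} {host:8} {reason}")
```

Each reported line is an audit exception to follow up with facilities and IT, not a finding by itself: a reader outage or a visitor-escort process can explain some of them.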
Internal Auditors Must Live in a Shatterproof Househttps://iaonline.theiia.org/blogs/chambers/2018/Pages/Internal-Auditors-Must-Live-in-a-Shatterproof-House.aspxInternal Auditors Must Live in a Shatterproof House<p><img src="/2018/PublishingImages/Shattered%20Glass.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />I have long believed that internal auditors have a tougher challenge than many others in an organization. It's difficult to sustain a reputation for objectivity when we live and work in the same environment where we perform our audit responsibilities — sometimes for a few years, sometimes over an entire career. Everyone is watching internal audit to see if we are walking the talk. I have heard of us referred to as "example setters for an organization," and that we are "constantly assessed by those we audit." I call it having a target on our back. If internal audit is not following organizational policies, or even <em>appears</em> to not be following policies, the fallout will affect trust in the department and every internal auditor in it. </p><p>No one expects internal auditors to be flawless. We are human, after all. However, if the flaws cause others to question our ethics, we will lose a significant advantage that will likely undermine our ability to be perceived as trusted advisors. If management is aware of even minor ethical transgressions, their response when we offer advice or recommendations at the conclusion of our engagements is likely to be, "Why should I listen to him? He takes vacation days without charging them." Or, "She filed a faulty expense report and had to reimburse the company."</p><p>Internal auditors cannot afford the luxury of being vulnerable. Our behavior must be above reproach, if we are to provide counsel to others. 
And don't be surprised if, the first time you call out a senior manager for a serious ethical infraction, suddenly every minor infraction you ever committed is thrown back at you.</p><p>Neither can internal audit afford to fail living up to its commitments. A highly respected chief audit executive recently pointed out to me that internal auditors have to understand that they have a commitment both to the organization where they work and to a broad, diverse group of stakeholders. "We have to walk a fine line, understanding the firm's needs, the board's needs, management's needs, and investors' needs," he explained. "If we're not trustworthy, and if the people we work with aren't trustworthy, we leave the door open to fraud."</p><p>I believe most internal auditors do consistently act ethically. But occasional lapses happen, and when they do, they often make the news. Many of us recall all too well certain high-profile cases. For every highly publicized case of an internal auditor who gets in trouble for ethical transgressions, there are likely scores more whose transgressions were dealt with outside of public view. The actions of unethical internal auditors constitute a massive betrayal, not only of their employers and former colleagues, but also of their profession. Internal audit has many responsibilities, one of which is as ethical overseer. In that capacity, like Caesar's wife, it must be above suspicion.</p><p>To look at it another way, we have all heard the common wisdom that those who live in glass houses should not throw stones. But sometimes, as internal auditors, our job is to toss a rock or two. So, if we're going to throw stones — and, of course, we are — we'd better make sure our own house is shatterproof. 
A steadfast commitment to ethical behavior, coupled with a strong and effective quality assurance and improvement program, will help ensure that we avoid injury from flying glass.</p><p>One way to shatterproof the internal audit function is to make sure the right people are in it. We must carefully vet those who are brought on board to ensure there are no skeletons that could signal a moral compass that does not point true north. We should all hold each other accountable to live up to the highest levels of ethical conduct.</p><p>The IIA recognizes that ethical behavior is crucial to the fabric of our profession. Every IIA member around the world, along with those who hold an IIA certification, must conform to The IIA's <a href="https://na.theiia.org/standards-guidance/mandatory-guidance/pages/code-of-ethics.aspx"><span style="text-decoration:underline;">Code of Ethics</span></a>. In promulgating its code, The IIA states, "The purpose of the Institute's Code of Ethics is to promote an ethical culture in the profession of internal auditing." Recently, The IIA went a step further by specifying that "certified individuals are required to complete two CPE hours (each year) focused on the subject of ethics."</p><p>As I noted earlier, I do not believe that the internal audit profession has an "ethics problem." Let's all work hard to make sure it stays that way.</p>Richard Chambers0
In Compliancehttps://iaonline.theiia.org/2018/Pages/In-Compliance.aspxIn Compliance<p>One of the biggest challenges facing organizations today is keeping up with the ever-changing regulatory environment. Companies are dealing with complex compliance requirements in every area of the world in which they operate. Some new requirements, such as the European Union’s General Data Protection Regulation (GDPR), impact organizations regardless of whether they have a physical presence in the location where the law was enacted. Noncompliance with these regulatory requirements, whether it be involuntary or criminal, can create significant risks to an organization, including legal, reputation, and financial risks. Organizations must have strong governance around their compliance programs to ensure these risks are assessed and managed across the organization. </p><p>Internal audit can use its expertise in risk management and internal control to effectively offer assurance as to whether the risks associated with compliance are being managed to an acceptable level. The audit can be scoped to evaluate the governance process as a first step, and third parties can be used when additional assurance on specific regulations is necessary. </p><p>There are frameworks internal audit can leverage to help ensure it assesses all of the key components of a well-governed compliance program. For example, Chapter 8, Part B, of the U.S. Sentencing Commission Guidelines Manual presents guidelines for an effective ethics and compliance program (see “7 Elements of an Effective Compliance and Ethics Program” below). Although this framework is commonly used after an allegation of criminal misconduct has been made or adjudicated, it also can be used to ensure all of the elements of a robust compliance program are in place. 
</p><p>It can be overwhelming when internal audit begins analyzing a compliance program, given its overall complexity and the knowledge necessary to adequately audit all of the various regulations both in the home country and abroad, but this framework helps identify manageable components to be assessed. Management can begin by identifying all of the key compliance areas that affect the organization — environmental, data privacy, import/export, and anti-bribery/anti-corruption, just to name a few. Each key compliance area should have a designated individual with an appropriate level of authority and responsibility to oversee the compliance program. Using the framework, that person, or his or her delegates, can begin documenting how the organization would demonstrate a program that prevents or detects misconduct. A steering team of cross-functional leaders from legal, human resources, compliance, risk management, internal audit, and other key areas can help identify common program elements, such as an overall code of conduct, investigation processes, and hotline management. Internal audit can play a key role in monitoring the overall compliance program and auditing specific risk areas. </p><p>In early 2017, the U.S. Department of Justice issued supplementary guidance titled Evaluation of Corporate Programs (<a href="http://bit.ly/2Pec0fl" rel="nofollow" target="_blank">http://bit.ly/2Pec0fl</a>). This evaluation guide aligns with the federal sentencing guidelines and other referenced guidance and provides tactical questions that internal audit could use to evaluate the program. Two components, third-party and merger and acquisition risk, were added that should be considered when evaluating the effectiveness of the overall compliance program. </p><p>Third parties may be an integral part of organizational processes and considered part of the extended enterprise. 
The organization may have significant risk if those third parties, acting on behalf of the organization, commit an act of noncompliance. The third party may put the organization at a significant amount of reputation risk, and in certain instances, the organization may be liable for the actions of the third party. The evaluation guide indicates that certain actions must be taken such as due diligence, appropriate controls, management of the relationship, and appropriate consequences if noncompliance or misconduct is identified. </p><p>With mergers and acquisitions, management must ensure that a robust due diligence process is in place, and that the compliance function is integrated into the overall process to ensure that compliance risk is addressed. In the case of an acquisition, integration and transition of the compliance program to the new entity must be completed and any risks identified during due diligence addressed. </p><p>Overall, the framework and guide provide a solid base on which internal audit can ensure governance over compliance programs is effective. These documents should not be used as a checklist, as the elements may be present but a culture of compliance may not be developed, and the program becomes more form than substance. Internal audit should evaluate the adequacy of the evidence maintained in support of the program and ensure that the organization can demonstrate, both internally and externally, that the compliance program is robust. Both quantitative and qualitative factors should be evaluated. Soft controls evidence, such as how employees and leadership talk about the culture, also should be considered. 
</p><p>Although compliance can be a complex area to evaluate, these tools, along with third-party experts when needed, should enable internal audit to offer assurance around the effectiveness of the governance of compliance programs.</p><table class="ms-rteTable-4" width="100%" cellspacing="0" style="height:31px;"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><strong>7 Elements of an Effective Compliance and Ethics Program</strong><br><br>The U.S. Sentencing Commission’s seven elements of an effective program include:<br><ol><li>The organization will establish standards and procedures to prevent and detect criminal conduct. </li><li>The organization’s governing body should be knowledgeable of the ethics and compliance program. High-level employees within the organization should be responsible for program oversight, with day-to-day responsibility delegated to specific individuals. </li><li>The organization will exercise due diligence to ensure that delegation of authority is not granted to individuals who have previously engaged in illegal activity or other conduct inconsistent with an effective compliance and ethics program. </li><li>The organization will periodically communicate its ethics program, including standards and procedures, by conducting effective training programs, for employees and third parties, and otherwise disseminating information as appropriate.</li><li>The organization will take steps to ensure that the compliance program is followed, including monitoring. The program must be periodically evaluated to assess its effectiveness, considering both quantitative and qualitative evidence. 
In addition, a system must be established whereby employees, or third parties, may anonymously and confidentially voice concerns.</li><li>The program must be promoted and consistently enforced across all levels of the organization, including appropriate incentives to act in accordance with the program and disciplinary actions when noncompliance is identified. </li><li>When criminal conduct is identified, the organization must respond appropriately and take steps to prevent further similar misconduct, including adjusting the overall compliance program. </li></ol><br>Source: U.S. Sentencing Commission, §8B2.1: Effective Compliance and Ethics Program, <a class="vglnk" href="http://bit.ly/2Ped56T" rel="nofollow" target="_blank"><span class="ms-rteForeColor-8">http://bit.ly/2Ped56T</span></a>.</td></tr></tbody></table><p></p>Kayla Flanders1
The CEO's Brand: A Blessing or a Curse?https://iaonline.theiia.org/blogs/chambers/2018/Pages/The-CEOs-Brand-A-Blessing-or-a-Curse.aspxThe CEO's Brand: A Blessing or a Curse?<p><img src="/2018/PublishingImages/Execs%20With%20Up-Down%20Arrows_445x300.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />The actions of high-profile CEOs and board chairmen can create share volatility and investor uneasiness, and the troubles of Tesla CEO Elon Musk provide a perfect example. Controversial statements and actions by Musk have sent Tesla's stock price on a wild roller-coaster ride. </p><p>This got me to thinking about the risks associated with high-profile company leaders. When a CEO's brand becomes one and the same with the organization, his or her actions are more likely to be magnified, scrutinized, glorified, or vilified. And that poses a new level of risk that many organizations may not be prepared to handle.</p><p>In Musk's case, a single tweet stating he was considering taking Tesla private at $420 a share — "funding secured" — sent the electric-car company's stock skyrocketing to nearly $380 a share. It subsequently plummeted when the prospective financier — the Saudi Sovereign Wealth fund — announced there was no deal in place.</p><p>The fallout continued when the U.S. Securities and Exchange Commission filed a securities fraud charge against Musk for failing to have in place required disclosure controls and procedures relating to his decidedly "unofficial" communication. To his credit, Musk quickly settled the charge by agreeing to step down as chairman of Tesla's board and paying a hefty fine. That settlement boosted Tesla stock to its best trading day since May 2013, further reflecting how Musk's actions can significantly impact Tesla's value. </p><p>I'm not picking on Musk. There are plenty of other examples. 
The ongoing legal battles between Papa John's and its founder John Schnatter, the firing of GE CEO John Flannery, and Travis Kalanick's struggles at Uber each have arguably impacted their respective companies' value.</p><p>This raises the question: Is the CEO's brand a blessing or a curse? </p><p>There are pros and cons to bringing in a personality big enough to be viewed as the face of an organization. While some highly successful companies are built around the individual — Oprah Winfrey — others impose their brand on organizations when they join or return to them.</p><p>Michael Eisner, who made his name as CEO of Paramount Pictures, transformed The Walt Disney Co. by growing its brand in global theme parks, movies, TV, retail products, and a cruise line. Steve Jobs' return to Apple certainly sparked a return to greatness for a company that some believed was on the brink of failure. It is safe to assume that Jobs and Eisner were hired because of their proven skills as strategic risk takers accustomed to acting boldly and aggressively. But boards seeking to hire charismatic leaders should consider how the leaders' brands could impact the organization's risk appetite and culture.</p><p>There are potential downsides to consider. For example, some charismatic CEOs are known to have narcissistic personalities, and research suggests such leaders are more likely to cost the organization money. The authors of See You in Court: How CEO Narcissism Increases Firms' Vulnerability to Lawsuits argue that "narcissistic CEOs subject their organizations to undue legal risk because they are overconfident about their ability to win and less sensitive to the costs to their organizations of such litigation." 
Their research, published by <a href="https://www.sciencedirect.com/science/article/pii/S1048984317305271?via%3Dihub"><span lang="EN-US" style="text-decoration:underline;"><em>The Leadership Quarterly</em></span></a>, cites a growing body of evidence that suggests, "organizations led by narcissistic CEOs experience considerable downsides, including evidence of increased risk taking, overpaying for acquisitions, manipulating accounting data, and even fraud."</p><p>Leadership style and its potential impact on the organization's risk appetite and culture should always be on internal audit's radar. Organizations that have charismatic risk takers at their helms should incorporate this into their risk analyses. This should include audits of crisis management plans and candid discussions with the audit committee or board about risk scenarios involving the CEO.</p><p>Clearly, all CEOs impose their wills on organizations with varying degrees of guidance and oversight from their boards. The likelihood of their actions creating crises or significant reputational risks is typically pretty low. But just as no two organizations have identical risk appetites, not all CEOs create the same level of risk. </p><p>I'm interested in hearing about your experiences in dealing with CEO brands.</p>Richard Chambers0
Selling Enterprise Risk Managementhttps://iaonline.theiia.org/2018/Pages/Selling-Enterprise-Risk-Management.aspxSelling Enterprise Risk Management<p>Although enterprise risk management (ERM) has a compelling value proposition, it may not always be intuitive to key stakeholders. That often is because the benefits of ERM are not easily observable or clearly quantifiable in the near term. As risk management professionals, internal auditors are easily sold on ERM’s merits because of our role in the third line of defense. We live and breathe risk management governance daily. But internal auditors and other risk professionals engaged in ERM efforts, by nature, do not tend to have strong sales competencies. So, when we propose ways to advance ERM principles to organizational leadership, the message often misses the mark. </p><p>The ability to convince stakeholders of ERM’s value may be the difference between an ERM program that flounders as a check-the-box compliance activity and one that develops into a strategic governance asset. It is vital for internal auditors and other risk management professionals to have a compelling and polished value proposition pitch in their ERM toolbox — one that is intuitive and presentable in terms and language that first and second line of defense managers will embrace.</p><p>Risk management is not a new idea, and most business professionals understand its importance. However, some are skeptical, writing ERM off as unnecessary or an academic theory that is unproven in the real world. When this skepticism is not based on an informed position, it is a shortsighted and misguided viewpoint that creates a major cultural barrier when attempting to implement or mature an ERM program. This is when ERM professionals need to be at their best as salespeople.</p><p>Just as professional athletes strive for a competitive edge, business professionals also should pursue measures to enhance their success. 
ERM can provide the same type of competitive edge that athletes get from personal trainers, data analytics, and other measures. But ERM benefits are realized when organizations appreciate, understand, and embrace the ERM value proposition. For an organization to unlock the potential of ERM as a strategic asset, a key element is a concise value proposition that leaders and managers can easily buy into.</p><p> <strong>Step 1: Start at the top.</strong> ERM programs are most successful when executive leadership supports them. The ERM value proposition must be understood at the highest management levels. But beyond that, leadership must be compelled to embrace ERM. Only then will leaders develop a vision for pursuing implementation with the requisite energy. Leaders will only embrace ERM when there is a clear value proposition. </p><p> <strong>Step 2: Don’t oversell.</strong> Internal audit must be careful not to sabotage ERM momentum by overpromising what the ERM value proposition can deliver. ERM will not solve all strategic risk management challenges. This message must be communicated with stakeholders by setting realistic expectations about what the organization can achieve. ERM implementation will inevitably encounter failures along with successes.</p><p> <strong>Step 3: Make the case for ERM by appealing to its intuitive nature.</strong> Internal audit should start by making a simple and intuitive case to legitimize ERM. Various entities have given ERM credibility by embracing its virtues. These include regulators (e.g., board requirements for risk oversight), credit rating agencies (e.g., ERM used as rating criteria by S&P and Moody’s), and major universities (e.g., ERM academic programs at North Carolina State University and St. John’s University). 
Additionally, ERM’s qualitative value is intuitive, as outlined in the waterfall diagram below.</p><p> <strong>Step 4: Draw a distinction between traditional risk management and ERM.</strong> All business professionals manage risk. Managers oversee various business functions and manage the risk inherent in these functions. Human resources (HR) managers manage HR risk, finance managers manage finance risk, and so on. The problem with this risk management model is that it does not promote an enterprise view of risk. Risk managers in these siloed functions make risk management decisions that can have negative impacts in other functional areas.</p><p>ERM is not designed to replace the traditional risk management model, but rather to enhance it by bringing greater visibility to risk management activities and impacts across functional silos. This is done by implementing risk management processes to methodically and purposefully identify, respond to, and monitor risks at the enterprise level. <br></p><p> <strong> Step 5: Make ERM a tool for aspirational risk management excellence.</strong> Compliance benefits may be an acceptable outcome for some organizations, but the real value of ERM is realized when its focus is more strategic. 
There are three imperatives of a strategic ERM value proposition:</p><p></p><ol><li><strong>Make informed decisions.</strong> ERM should support organizational decision-making for strategic planning, tactical execution, budgeting, and risk oversight.</li><li><strong>Protect stakeholder value.</strong> ERM should protect key stakeholders from value erosion.</li><li><strong>Optimize risk outcomes.</strong> ERM should seek the best possible risk outcomes by improving the likelihood of achieving strategic and business objectives, reducing the impact of organizational threats and weaknesses, exploiting organizational strengths and opportunities, and lessening the duration and persistence of negative risk outcomes.</li></ol><p>Aspirational and strategically designed ERM programs help organizations compete more aggressively in the marketplace. With the three imperatives in place, an organization is positioned to compete with an edge. </p><p>When designed to be a strategic governance asset, ERM facilitates advanced risk-taking capabilities and empowers a thoughtful, safe, and aggressive risk-taking approach. This can result in enhanced competitive agility and ultimately lead to enhanced organizational value.</p><p><img src="/2018/PublishingImages/Governance_p.65_ERM-qualitative-value.jpg" alt="" style="margin:5px;" /><br></p>Rick Wright1