Governance
In Compliance (https://iaonline.theiia.org/2018/Pages/In-Compliance.aspx)
<p>One of the biggest challenges facing organizations today is keeping up with the ever-changing regulatory environment. Companies are dealing with complex compliance requirements in every area of the world in which they operate. Some new requirements, such as the European Union’s General Data Protection Regulation (GDPR), impact organizations regardless of whether they have a physical presence in the location where the law was enacted. Noncompliance with these regulatory requirements, whether it be involuntary or criminal, can create significant risks to an organization, including legal, reputation, and financial risks. Organizations must have strong governance around their compliance programs to ensure these risks are assessed and managed across the organization. </p><p>Internal audit can use its expertise in risk management and internal control to effectively offer assurance as to whether the risks associated with compliance are being managed to an acceptable level. The audit can be scoped to evaluate the governance process as a first step, and third parties can be used when additional assurance on specific regulations is necessary. </p><p>There are frameworks internal audit can leverage to help ensure it assesses all of the key components of a well-governed compliance program. For example, Chapter 8, Part B, of the U.S. Sentencing Commission Guidelines Manual presents guidelines for an effective ethics and compliance program (see “7 Elements of an Effective Compliance and Ethics Program” below). Although this framework is commonly used after an allegation of criminal misconduct has been made or adjudicated, it also can be used to ensure all of the elements of a robust compliance program are in place. 
</p><p>It can be overwhelming when internal audit begins analyzing a compliance program, given its overall complexity and the knowledge necessary to adequately audit all of the various regulations both in the home country and abroad, but this framework helps identify manageable components to be assessed. Management can begin by identifying all of the key compliance areas that affect the organization — environmental, data privacy, import/export, and anti-bribery/anti-corruption, just to name a few. Each key compliance area should have a designated individual with an appropriate level of authority and responsibility to oversee the compliance program. Using the framework, that person, or his or her delegates, can begin documenting how the organization would demonstrate a program that prevents or detects misconduct. A steering team of cross-functional leaders from legal, human resources, compliance, risk management, internal audit, and other key areas can help identify common program elements, such as an overall code of conduct, investigation processes, and hotline management. Internal audit can play a key role in monitoring the overall compliance program and auditing specific risk areas. </p><p>In early 2017, the U.S. Department of Justice issued supplementary guidance titled Evaluation of Corporate Programs (<a href="http://bit.ly/2Pec0fl" rel="nofollow" target="_blank">http://bit.ly/2Pec0fl</a>). This evaluation guide aligns with the federal sentencing guidelines and other referenced guidance and provides tactical questions that internal audit could use to evaluate the program. Two components, third-party and merger and acquisition risk, were added that should be considered when evaluating the effectiveness of the overall compliance program. </p><p>Third parties may be an integral part of organizational processes and considered part of the extended enterprise. 
The organization may have significant risk if those third parties, acting on behalf of the organization, commit an act of noncompliance. The third party may put the organization at a significant amount of reputation risk, and in certain instances, the organization may be liable for the actions of the third party. The evaluation guide indicates that certain actions must be taken such as due diligence, appropriate controls, management of the relationship, and appropriate consequences if noncompliance or misconduct is identified. </p><p>With mergers and acquisitions, management must ensure that a robust due diligence process is in place, and that the compliance function is integrated into the overall process to ensure that compliance risk is addressed. In the case of an acquisition, integration and transition of the compliance program to the new entity must be completed and any risks identified during due diligence addressed. </p><p>Overall, the framework and guide provide a solid base on which internal audit can ensure governance over compliance programs is effective. These documents should not be used as a checklist, as the elements may be present but a culture of compliance may not be developed, and the program becomes more form than substance. Internal audit should evaluate the adequacy of the evidence maintained in support of the program and ensure that the organization can demonstrate, both internally and externally, that the compliance program is robust. Both quantitative and qualitative factors should be evaluated. Soft controls evidence, such as how employees and leadership talk about the culture, also should be considered. 
</p><p>Although compliance can be a complex area to evaluate, these tools, along with third-party experts when needed, should enable internal audit to offer assurance around the effectiveness of the governance of compliance programs.</p><table class="ms-rteTable-4" width="100%" cellspacing="0" style="height:31px;"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><strong>7 Elements of an Effective Compliance and Ethics Program</strong><br><br>The U.S. Sentencing Commission’s seven elements of an effective program include:<br><ol><li>The organization will establish standards and procedures to prevent and detect criminal conduct.</li><li>The organization’s governing body should be knowledgeable of the ethics and compliance program. High-level employees within the organization should be responsible for program oversight, with day-to-day responsibility delegated to specific individuals.</li><li>The organization will exercise due diligence to ensure that delegation of authority is not granted to individuals who have previously engaged in illegal activity or other conduct inconsistent with an effective compliance and ethics program.</li><li>The organization will periodically communicate its ethics program, including standards and procedures, by conducting effective training programs, for employees and third parties, and otherwise disseminating information as appropriate.</li><li>The organization will take steps to ensure that the compliance program is followed, including monitoring. The program must be periodically evaluated to assess its effectiveness, considering both quantitative and qualitative evidence. 
In addition, a system must be established whereby employees, or third parties, may anonymously and confidentially voice concerns.</li><li>The program must be promoted and consistently enforced across all levels of the organization, including appropriate incentives to act in accordance with the program and disciplinary actions when noncompliance is identified.</li><li>When criminal conduct is identified, the organization must respond appropriately and take steps to prevent further similar misconduct, including adjusting the overall compliance program.</li></ol><br>Source: U.S. Sentencing Commission, §8B2.1: Effective Compliance and Ethics Program, <a class="vglnk" href="http://bit.ly/2Ped56T" rel="nofollow" target="_blank"><span class="ms-rteForeColor-8">http://bit.ly/2Ped56T</span></a>.</td></tr></tbody></table>
Kayla Flanders
The CEO's Brand: A Blessing or a Curse? (https://iaonline.theiia.org/blogs/chambers/2018/Pages/The-CEOs-Brand-A-Blessing-or-a-Curse.aspx)
<p><img src="/2018/PublishingImages/Execs%20With%20Up-Down%20Arrows_445x300.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />The actions of high-profile CEOs and board chairmen can create share volatility and investor uneasiness, and the troubles of Tesla CEO Elon Musk provide a perfect example. Controversial statements and actions by Musk have sent Tesla's stock price on a wild roller-coaster ride. </p><p>This got me to thinking about the risks associated with high-profile company leaders. When a CEO's brand becomes one and the same with the organization, his or her actions are more likely to be magnified, scrutinized, glorified, or vilified. And that poses a new level of risk that many organizations may not be prepared to handle.</p><p>In Musk's case, a single tweet stating he was considering taking Tesla private at $420 a share — "funding secured" — sent the electric-car company's stock skyrocketing to nearly $380 a share. It subsequently plummeted when the prospective financier — the Saudi Sovereign Wealth fund — announced there was no deal in place.</p><p>The fallout continued when the U.S. Securities and Exchange Commission filed a securities fraud charge against Musk for failing to have in place required disclosure controls and procedures relating to his decidedly "unofficial" communication. To his credit, Musk quickly settled the charge by agreeing to step down as chairman of Tesla's board and paying a hefty fine. That settlement boosted Tesla stock to its best trading day since May 2013, further reflecting how Musk's actions can significantly impact Tesla's value. </p><p>I'm not picking on Musk. There are plenty of other examples. 
The ongoing legal battles between Papa John's and its founder John Schnatter, the firing of GE CEO John Flannery, and Travis Kalanick's struggles at Uber each have arguably impacted their respective companies' value.</p><p>This raises the question: Is the CEO's brand a blessing or a curse? </p><p>There are pros and cons to bringing in a personality big enough to be viewed as the face of an organization. While some highly successful companies are built around the individual — Oprah Winfrey — others impose their brand on organizations when they join or return to them.</p><p>Michael Eisner, who made his name as CEO of Paramount Pictures, transformed The Walt Disney Co. by growing its brand in global theme parks, movies, TV, retail products, and a cruise line. Steve Jobs' return to Apple certainly sparked a return to greatness for a company that some believed was on the brink of failure. It is safe to assume that Jobs and Eisner were hired because of their proven skills as strategic risk takers accustomed to acting boldly and aggressively. But boards seeking to hire charismatic leaders should consider how the leaders' brands could impact the organization's risk appetite and culture.</p><p>There are potential downsides to consider. For example, some charismatic CEOs are known to have narcissistic personalities, and research suggests such leaders are more likely to cost the organization money. The authors of See You in Court: How CEO Narcissism Increases Firms' Vulnerability to Lawsuits argue that "narcissistic CEOs subject their organizations to undue legal risk because they are overconfident about their ability to win and less sensitive to the costs to their organizations of such litigation." 
Their research, published by <a href="https://www.sciencedirect.com/science/article/pii/S1048984317305271?via%3Dihub"><span lang="EN-US" style="text-decoration:underline;"><em>The Leadership Quarterly</em></span></a>, cites a growing body of evidence that suggests, "organizations led by narcissistic CEOs experience considerable downsides, including evidence of increased risk taking, overpaying for acquisitions, manipulating accounting data, and even fraud."</p><p>Leadership style and its potential impact on the organization's risk appetite and culture should always be on internal audit's radar. Organizations that have charismatic risk takers at their helms should incorporate this into their risk analyses. This should include audits of crisis management plans and candid discussions with the audit committee or board about risk scenarios involving the CEO.</p><p>Clearly, all CEOs impose their wills on organizations with varying degrees of guidance and oversight from their boards. The likelihood of their actions creating crises or significant reputational risks is typically pretty low. But just as no two organizations have identical risk appetites, not all CEOs create the same level of risk. </p><p>I'm interested in hearing about your experiences in dealing with CEO brands.</p>
Richard Chambers
Selling Enterprise Risk Management (https://iaonline.theiia.org/2018/Pages/Selling-Enterprise-Risk-Management.aspx)
<p>Although enterprise risk management (ERM) has a compelling value proposition, it may not always be intuitive to key stakeholders. That often is because the benefits of ERM are not easily observable or clearly quantifiable in the near term. As risk management professionals, internal auditors are easily sold on ERM’s merits because of our role in the third line of defense. We live and breathe risk management governance daily. But internal auditors and other risk professionals engaged in ERM efforts, by nature, do not tend to have strong sales competencies. So, when we propose ways to advance ERM principles to organizational leadership, the message often misses the mark. </p><p>The ability to convince stakeholders of ERM’s value may be the difference between an ERM program that flounders as a check-the-box compliance activity and one that develops into a strategic governance asset. It is vital for internal auditors and other risk management professionals to have a compelling and polished value proposition pitch in their ERM toolbox — one that is intuitive and presentable in terms and language that first and second line of defense managers will embrace.</p><p>Risk management is not a new idea, and most business professionals understand its importance. However, some are skeptical, writing ERM off as unnecessary or an academic theory that is unproven in the real world. When this skepticism is not based on an informed position, it is a shortsighted and misguided viewpoint that creates a major cultural barrier when attempting to implement or mature an ERM program. This is when ERM professionals need to be at their best as salespeople.</p><p>Just as professional athletes strive for a competitive edge, business professionals also should pursue measures to enhance their success. 
ERM can provide the same type of competitive edge that athletes get from personal trainers, data analytics, and other measures. But ERM benefits are realized when organizations appreciate, understand, and embrace the ERM value proposition. For an organization to unlock the potential of ERM as a strategic asset, a key element is a concise value proposition that leaders and managers can easily buy into.</p><p> <strong>Step 1: Start at the top.</strong> ERM programs are most successful when executive leadership supports them. The ERM value proposition must be understood at the highest management levels. But beyond that, leadership must be compelled to embrace ERM. Only then will leaders develop a vision for pursuing implementation with the requisite energy. Leaders will only embrace ERM when there is a clear value proposition. </p><p> <strong>Step 2: Don’t oversell.</strong> Internal audit must be careful not to sabotage ERM momentum by overpromising what the ERM value proposition can deliver. ERM will not solve all strategic risk management challenges. This message must be communicated with stakeholders by setting realistic expectations about what the organization can achieve. ERM implementation will inevitably encounter failures along with successes.</p><p> <strong>Step 3: Make the case for ERM by appealing to its intuitive nature.</strong> Internal audit should start by making a simple and intuitive case to legitimize ERM. Various entities have given ERM credibility by embracing its virtues. These include regulators (e.g., board requirements for risk oversight), credit rating agencies (e.g., ERM used as rating criteria by S&P and Moody’s), and major universities (e.g., ERM academic programs at North Carolina State University and St. John’s University). 
Additionally, ERM’s qualitative value is intuitive, as outlined in the waterfall diagram below.</p><p> <strong>Step 4: Draw a distinction between traditional risk management and ERM.</strong> All business professionals manage risk. Managers oversee various business functions and manage the risk inherent in these functions. Human resources (HR) managers manage HR risk, finance managers manage finance risk, and so on. The problem with this risk management model is that it does not promote an enterprise view of risk. Risk managers in these siloed functions make risk management decisions that can have negative impacts in other functional areas.</p><p>ERM is not designed to replace the traditional risk management model, but rather to enhance it by bringing greater visibility to risk management activities and impacts across functional silos. This is done by implementing risk management processes to methodically and purposefully identify, respond to, and monitor risks at the enterprise level. <br></p><p> <strong> Step 5: Make ERM a tool for aspirational risk management excellence.</strong> Compliance benefits may be an acceptable outcome for some organizations, but the real value of ERM is realized when its focus is more strategic. 
There are three imperatives of a strategic ERM value proposition:</p><ol><li><strong>Make informed decisions.</strong> ERM should support organizational decision-making for strategic planning, tactical execution, budgeting, and risk oversight.</li><li><strong>Protect stakeholder value.</strong> ERM should protect key stakeholders from value erosion.</li><li><strong>Optimize risk outcomes.</strong> ERM should seek the best possible risk outcomes by improving the likelihood of achieving strategic and business objectives, reducing the impact of organizational threats and weaknesses, exploiting organizational strengths and opportunities, and lessening the duration and persistence of negative risk outcomes.</li></ol><p>Aspirational and strategically designed ERM programs help organizations compete more aggressively in the marketplace. With the three imperatives in place, an organization is positioned to compete with an edge. </p><p>When designed to be a strategic governance asset, ERM facilitates advanced risk-taking capabilities and empowers a thoughtful, safe, and aggressive risk-taking approach. This can result in enhanced competitive agility and ultimately lead to enhanced organizational value.</p><p><img src="/2018/PublishingImages/Governance_p.65_ERM-qualitative-value.jpg" alt="ERM qualitative value waterfall diagram" style="margin:5px;" /></p>
Rick Wright
Is There Too Much Civility in the Boardroom? (https://iaonline.theiia.org/blogs/chambers/2018/Pages/Is-There-Too-Much-Civility-in-the-Boardroom.aspx)
<p><img src="/2018/PublishingImages/Businesspeople%20at%20meeting%20table.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Let's face it, civility is in short supply in the 21<sup>st</sup> century. Whether in politics, social media, on the highway, or in line at a fast-food restaurant, common courtesy and respect are scarce commodities. One place that civility seems to be alive and well is in the boardroom. However, one has to ask: Is there too much civility in a place where members should bring a healthy dose of skepticism?</p><p>Common wisdom is that inspirational leadership is synonymous with great success. Many of the world's most successful companies are associated with iconic leaders such as Bill Gates, Mark Zuckerberg, Steve Jobs, Jack Ma, and others.</p><p>However, the list of well-known organizations that suffered scandal in recent years because of management missteps is just as long, including Uber, Wells Fargo, Papa John's, and Tesla. Certainly, the #MeToo movement has shown that successful organizations can suffer rapid and significant reputational damage when the human failings of their leaders are exposed.</p><p>My examination of high-profile governance failures in recent years has convinced me that, far too often, ineffective board oversight is at the root of corporate scandals. Too many boards are reluctant to question management. Too often, boards are content to say, "We hired a great CEO. We're going to step back and let him or her do their job."</p><p>I often wonder if there may simply be too much civility in the boardroom. I am not suggesting the boardroom equivalent of a "food fight," but board members have an obligation to bring professional skepticism to their roles. 
They must be willing to ask probing questions, challenge management assumptions, rock the boat if necessary, and frankly, risk their future on the board.</p><p>One of the key topics in The IIA Audit Executive Center's <a href="http://theiia.mkt5790.com/2018_Pulse_of_Internal_Audit/"><span style="text-decoration:underline;">2018 North American Pulse of Internal Audit</span></a> report is board engagement. In the report, chief audit executives are encouraged to strengthen their relationship with audit committee members to help this important stakeholder group understand that they are the true drivers and enablers of effective assurance over internal control.</p><p>While vital to the interests of internal audit, internal auditors must do more than just persuade boards and audit committees to support us. We must help boards renew their commitment to understanding and supporting basic risk management. It is amazing to me that some 21<sup>st</sup> century corporations still don't get it.</p><p>I have often advised my readers to "audit at the speed of risk," but the reality is, no matter how agile and effective an internal audit function becomes, it cannot go it alone. Effective governance, by definition, will always demand enterprisewide effort.</p><p>Effective governance requires constant monitoring and the willingness to question whether management's actions will strain or otherwise impair the governance process. For example, companies often fail to anticipate the possibility of an ends-justify-the-means culture developing in response to pressure to meet earnings expectations or other metrics that drive business. 
I made this point in a recent <span style="text-decoration:underline;"><a href="https://www.theiia.org/sites/auditchannel/Pages/video.aspx?v=k5ZTMwZzE6EzCZJpLhlFSdxFdu8gXgEl">interview</a></span> with CNBC Asia's "Squawk Box," where I also noted that board independence is critical to governance success.</p><p>Board members must be willing to question management's actions and not be reluctant to speak out because of potential conflicts. This is why I and others have encouraged organizations to separate the joint role of CEO/chairman. From an internal audit perspective, having a CEO who also serves as board chairman effectively negates the dual reporting line that supports an objective and independent internal audit function. The role can have an equally detrimental effect on board independence.</p><p>There has been increasing focus on the composition of boards, especially regarding the need to have members who have IT experience, as cybersecurity is a leading risk area. This kind of self-examination is healthy and may lead to improved board performance. But no level of experience or diversity will ensure board effectiveness if the fundamental trait of professional skepticism is missing.</p><p>Asking the extra question, requesting additional information, and turning to internal audit to help provide assurance on what the board is hearing from management are all legitimate actions for a board that is independent and committed to maintaining healthy risk management and internal control. </p><p>Let me be clear about one thing: I'm not advocating for an adversarial or conflict-driven relationship between the board and senior management. The board–management relationship should never devolve into a food fight, but it also shouldn't always be a picnic, either.</p><p>As always, I look forward to your comments.</p>
Richard Chambers
GDPR and Internal Audit (https://iaonline.theiia.org/2018/Pages/GDPR-and-Internal-Audit.aspx)
<p>Now that the May 25 deadline has passed to comply with the European Union’s (EU’s) General Data Protection Regulation (GDPR), compliance executives may be breathing a sigh of relief. Yet the real compliance work is only beginning. </p><p>GDPR consolidates the EU’s personal data privacy protection laws and redirects the way organizations approach data privacy. It greatly expands the privacy rights of EU citizens and residents, and it applies to any organization that does business with those individuals, regardless of its location. Organizations that don’t comply with GDPR face penalties of up to €20 million or 4 percent of annual worldwide turnover, whichever is greater. </p><p>Compliance will require continued focus and effort. Internal audit can help the organization mitigate GDPR compliance risks by identifying ways to improve controls, raising risk awareness, and assuring compliance.</p><h2>Improving Controls</h2><p>Internal audit can help the organization shift from the preparation phase to the implementation phase of GDPR. The regulation specifically requires organizations to focus on these control-oriented topics:</p><ul><li><em>Accuracy and quality</em> requires organizations to ensure data is accurate and up-to-date and that individuals can correct their records.</li><li><em>Security and privacy</em> by design requires organizations to document decisions taken to inform EU residents about how their data will be used and restricted. They also must implement technical, administrative, and physical security/privacy controls to mitigate potential harm.</li><li><em>Security safeguards</em> ensure that technical and organizational measures are implemented for privacy and security. 
</li></ul><p>Internal audit should work with management to identify relevant controls over data entry, assess the accuracy of information and recommend improvements, and strengthen controls that prevent and detect data errors.</p><h2>Raising Risk Awareness</h2><p>The direct risks associated with GDPR relate to potential fines and reputational impact. However, by digging into the regulation’s purpose, internal auditors can see other data protection risks.</p><p><strong>Monitoring, Measuring, and Reporting</strong> Organizations must have a data protection officer (DPO) to lead privacy and compliance efforts. Among the DPO’s tasks are reporting on compliance monitoring, training staff, and ensuring privacy compliance audits take place. The organization must perform data privacy impact assessments when new technologies and systems are used, provide timely data breach notifications, and report on the use of third-party processors.</p><p><strong>Prevent Harm</strong> GDPR imposes sanctions and penalties on organizations that process data unlawfully or fail to deploy safeguards. In addition, individuals may request that the organization remove their personal data from automated processing and profiling.</p><p><strong>Breach Management</strong> Organizations must put processes in place to notify persons no later than 72 hours after they discover a data breach, if it is determined that the breach will result in a high risk of privacy harm to those individuals.</p><p><strong>Openness, Transparency, and Notice</strong> Organizations must keep data for specific and legitimate purposes and notify persons about how the organization will use their data. 
Organizations also must inform individuals of safeguards applied when personal data is transferred to a third country.</p><p><strong>Individual Participation</strong> EU residents may request access to data, obtain a copy of the data held, and withdraw consent to use personal data as long as withdrawal does not result in legal violations. Individuals may object to the use of their data for direct marketing and profiling, and they may contact the DPO for any issue related to processing their personal data.</p><p>Internal audit can educate management about potential risks and ways to manage risks in each area. Auditors can communicate relevant information about these risks via informal emails, a departmental newsletter, or meeting with management.</p><h2>Assuring Compliance</h2><p>As new policies and procedures become more mature, internal audit will need to perform regular compliance audits to determine the extent to which the organization is complying with GDPR. Auditors should focus on how the organization manages data to help strengthen privacy and security controls and ensure they are designed appropriately and operating effectively. Auditors will need to assure compliance with key aspects of the regulation and provide early warnings about problems.</p><p><strong>Choice and Consent</strong> Under GDPR, organizations must allow users to choose how their personal data is used. Also, organizations must document and maintain consents and request parental authorization before collecting a child’s data. </p><p><strong>Legitimate Purpose</strong> To ensure data collection is lawful and necessary, organizations can collect only personal data that is needed to achieve the intended purpose. Reviewing and handling requests for further processing, restricting requests for data related to criminal convictions, and documenting situations where the right to object does not apply are all important. 
Internal auditors can help reduce risk by sampling data collection mechanisms for compliance.</p><p><strong>Limitations</strong> Organizations may keep data no longer than the period required to support the purposes for which it was collected, and they must erase an individual’s personal data upon his or her request. GDPR permits organizations to retain data meant for archiving purposes in the public interest or for reasons of scientific or historical research.</p><p><strong>Free Flow of Information and Legitimate Restriction</strong> This principle includes protections for data transfers using legally binding agreements between public authorities, binding corporate rules, model clauses, and other mechanisms.</p><p><strong>Third-party Vendor Management</strong> This principle ensures that organizations gather third-party/vendor guarantees of GDPR compliance along with proof that third parties have the required technical and organizational safeguards. The DPOs of the data controller — organizations or individuals that determine the purposes and means of processing data — must provide written authorizations to use a given processor.</p><p><strong>Accountability</strong> GDPR’s accountability principle provides a legal basis for processing personal data, establishes the DPO role, and informs citizens and residents of existing privacy rights and safeguards. In addition to overseeing the data protection strategy, the DPO must maintain contact with the supervisory authority and demonstrate compliance.</p><p>Internal auditors will need to periodically assess processes and controls for each of these principles to ensure they are designed and operating effectively. Auditors can review a sample of data transfer documentation to look for data that should not be transferred to another organization. 
They can run reports to look for data that is being kept longer than necessary and review available documentation for any exceptions.<br></p><h2>A GDPR Audit Plan</h2><p>To help the organization maintain compliance, internal audit should include independent GDPR assessments and compliance testing in the audit plan. It can raise executive and board awareness of GDPR noncompliance by highlighting poorly designed or missing controls. Finally, it can identify opportunities to audit common processes across departments.</p>Jan Hertzberg
Crisis Overconfidence (https://iaonline.theiia.org/2018/Pages/Crisis-Overconfidence.aspx)<p>Companies are overconfident about their ability to cope in a crisis, and executive leadership on the issue may also be sorely lacking in some organizations, according to a new report. Research by professional services firm Deloitte has found that nearly 60 percent of crisis management and other executives surveyed believe organizations face more crises today than they did 10 years ago.</p><p>They are not wrong. In the past two years, 80 percent of organizations worldwide have had to mobilize their crisis management teams at least once, with cyber and safety incidents topping the list of crises requiring management intervention. And the impact of a crisis on organizations is immediate: nearly three-fifths experienced a leap in customer complaints, usually on social media.</p><p>More than four in five respondents say their organizations have a crisis management plan in place. However, Deloitte's study, <em>Stronger, Fitter, Better: Crisis Management for the Resilient Enterprise</em>, has uncovered dramatic gaps between a company's confidence that it can respond to crises and its level of preparedness. It found that while nearly 90 percent of respondents are confident in their organization's ability to deal with a corporate scandal, only 17 percent have tested that assumption through a simulation exercise. Similarly, 70 percent of organizations are confident in their ability to manage a product recall, though only 22 percent have carried out a simulation exercise.</p><p>The survey, which included participation from more than 500 crisis management, business continuity, and risk senior executives across 20 countries, also found that organizations feel more confident in confronting some types of risks than others — particularly IT risks, because they feature so prominently on risk agendas. 
For example, nine out of 10 respondents have fairly or very high levels of confidence in their organization's ability to tackle system failures, with similar numbers confident in their organization's ability to respond to regulatory and policy changes (89 percent), corporate scandals (88 percent), and cyberattacks (87 percent). </p><p>Deloitte's research found that experiencing a crisis teaches organizations to avoid them. For example, nearly 90 percent of organizations surveyed have conducted (largely internal) reviews following a crisis, and while these crises were not always foreseen, companies recognized that they might have been averted. As a result, organizations are now more likely to take action to forestall future crises.</p><p>Indeed, a crisis management response plan is critical. Deloitte found that nearly half of respondent organizations that did not have a plan in place saw their finances negatively impacted when a crisis struck. For those organizations with a plan, it was less than a third. </p><p>"Crisis management shouldn't start with a crisis — at this point it may already be too late," says Peter Dent, Deloitte Global crisis management leader. "With the rapid pace of change facing companies worldwide, and with crises on the rise, it is critical for organizations to be ready to respond with skilled leadership and plans that have been tested and rehearsed." </p><p>Crisis plans work best when the board and senior management are involved in shaping them and sponsoring them. And to secure their participation, the study's authors say that it is important to keep the plan relevant to them so that it addresses the issues that "keep management awake at night," such as the impact on reputation and the bottom line.  </p><p>Organizations should also ensure that they set up a crisis management plan specifically for the board, because when a crisis hits executives may need to play a very different — and more interventionist — role from normal. 
For example, if the crisis is causing significant damage to reputation, affecting share price, or resulting in regulatory sanctions or litigation, it may be up to the board to plan the company's continuity and survival. And in terms of succession planning, it may be appropriate to recruit board members with prior crisis management experience, Deloitte says.</p><p>Leadership commitment to crisis management is critical. But nearly a quarter of respondents cite the effectiveness of leadership and decision-making as one of the greatest crisis management challenges their organizations face. In fact, leadership commitment — or lack of it — was deemed to be the primary challenge for respondents, followed by effectiveness of teamwork, familiarity with the crisis structure/response process, and clarity of roles and responsibilities.</p><p>Part of the problem, Deloitte says, is that leaders are unprepared for crisis management. Therefore, organizations should establish a leadership structure for a crisis to help define roles and responsibilities, and training should be provided, particularly around communicating with stakeholders. Organizations should also identify the leadership styles of particular executives and managers, and work out who would be best placed to deal with certain aspects of the crisis response: in a high-pressure environment, leaders will tend to rely heavily on their most natural leadership style — which may not be suitable. </p><p>Deloitte's research found that crises often emanate from the actions of third parties such as suppliers and alliance partners, but at the same time, these third parties often play an important role in helping to manage and mitigate the problem. Recognizing this, 59 percent of respondents say that they participate in crisis exercises with third parties, examine third parties' crisis plans, or both. 
In Europe, the proportion is 80 percent.</p><p>As a result, the researchers say that companies should determine which outside organizations need to be in the fold when managing a crisis. These could include advisors such as lawyers, public relations firms, or specialist cyber defense organizations, as well as crisis advisors. In addition, they say, critical service providers, joint venture partners, resellers, distributors, and any other entity that could trigger a crisis (or be affected by it) should be involved in crisis preparations too. </p><p>The report adds that — depending on the scenario — these outside parties should also be included in simulations and exercises where appropriate, and should also share their contingency plans and provide regular updates on response readiness. Companies should stress the benefits of such collaboration, and even consider stipulating in contracts and agreements that such information should be shared.</p><p>"Crises aren't inevitable," Dent says. "Many of them are avoidable, which is why smart business leaders invest in crisis management capabilities. These strengths can help their organizations avoid costly, and sometimes irreparable, damage to finances, employee morale, brand, and reputation."</p>Neil Hodge
Model Governance, Where to Begin? (https://iaonline.theiia.org/2018/Pages/Model-Governance,-Where-to-Begin.aspx)<p>Models serve many purposes and support various decisions across an organization. A model is a mathematical representation of an entity or system under certain operational, financial, compliance, and/or economic conditions that aims to quantify past, present, or future outcomes to provide decision-making information. Models typically are used to predict future results or to allow an entity to perform analysis within the mathematical model to determine the impacts of different drivers or variables on model output. Models can be simple calculations in an Excel spreadsheet with a small table of variable inputs, or they can be highly complex mathematical and statistical computations with a web of interrelated models using sophisticated software on a dedicated server. </p><p>Model governance provides oversight and control to minimize model risk, establishes policy to protect the integrity of the model output used in decision-making, prioritizes and authorizes changes to models used by the organization, and facilitates the sharing of information across the organization regarding the use and limitations of the models to improve transparency.</p><p>Before internal audit can evaluate the model governance structure and effectiveness, it needs to gain an understanding of the models that are used within the organization. This can be time-consuming. Documentation is valuable to any process, but it is difficult to find in practice. Internal audit may have to work with management to develop an initial listing that can be used to identify and assess risks and determine the audit scope. 
The list of models should include: </p><ul><li>Name for the model.<br></li><li>A brief description of the model’s purpose and use.<br></li><li>Key model personnel: model owner, developer, tester/validator, production operator, and users.<br></li><li>Frequency of model output reporting.<br></li><li>The software and platform used for the model.<br></li><li>The latest version of the model being used.<br></li><li>The model risk rating. <br></li></ul><p><br>The model owner should maintain more detailed information for each model regarding inputs, assumptions, methodologies, process documentation with risks and controls identified, data flow diagrams, items excluded from the model, approximations or assumptions used in the model, model limitations, manual outside adjustments to the model, and software and hardware used by the model.</p><p>The model risk rating should be based on probability and impact and be consistent with other risk rating structures used within the organization. When determining the model risk rating, internal audit should consider several risk drivers (along with other relevant criteria based on the industry or business), including: financial statement impact of results, level of model dependency in making business decisions, regulatory requirements, complexity of calculations and the extraction/transferring/loading of inputs, degree of interdependencies among models, subjectivity of assumptions or inputs, experience level of the personnel involved, historical experience of issues, effectiveness of controls, and degree of incentive compensation that may be tied to performance or output.</p><p>Once the listing of models is compiled, risk rated, and agreed upon by key stakeholders, internal audit can perform an assessment of model governance focusing on the high-risk models as a starting point. 
All high-risk rated models should be within the purview of a model governance committee.</p><p>The scope of responsibilities of a model governance committee is subject to debate and tends to be the victim of scope creep given the volume of risks associated with models. “Model Governance Committee Responsibilities,” below, provides a comprehensive listing of items to be considered in determining the scope of a committee. There may be other responsibilities specific to an organization or evolving risks.</p><p>The structure and oversight of the model governance committee should be tailored to the specific needs and level of maturity of the organization: </p><ul><li>The committee should report to the board directly, or indirectly via another committee. <br></li><li>Membership should include a variety of senior-level model stakeholders.<br></li><li>Responsibilities should be clearly defined for committee members and those involved in the modeling process. <br></li><li>Committee decisions should be clearly documented with supporting rationale in committee minutes.<br></li><li>A communication process should be in place to notify those who are responsible for any follow-up actions, noting anyone who should be consulted or informed.<br></li></ul><p><br>Having a model governance committee centralizes the identification of, and response to, model risks, which typically improves communication across stakeholders, builds consensus around decisions, establishes controls, and enables management action given the diversity of committee membership. The focus on model risks by regulators and external auditors has been increasing. Having a committee that receives and generates appropriate documentation makes it much easier to address those concerns. 
</p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><br><p><strong>Model Governance Committee Responsibilities</strong></p><p>Potential responsibilities may be completed by the committee, management or a project team with committee oversight, or some combination thereof. Responsibilities will vary but could include: </p><ul><li>Develop, approve, and communicate model policy, standards, and procedures.<br></li><li>Plan resources and prioritize tasks when there are competing priorities or dependencies.<br></li><li>Review and approve technical papers from subject-matter experts regarding gray areas or where there is disagreement on model approaches.<br></li><li>Prioritize and approve model changes, including tolerance and materiality levels for approvals needed for model changes.<br></li><li>Review and approve risk control matrices for material models. Also, have insight into control issues that impact the model, including general IT and application controls over inputs, processes, and outputs.<br></li><li>Monitor compliance issues that impact the model and approve management actions to remediate issues.<br></li><li>Oversee model data quality — integrity; outliers; timeliness and availability; security; and extraction, transfer, and loading.<br></li><li>Oversee model validation — static and dynamic testing, sensitivity analysis, analytics, user acceptance testing, analysis and quantification of changes, and identification of risk-based deep dives into current models on an ad hoc, periodic, or rotational basis.<br></li><li>Provide an objective, robust check and challenge process on model results.<br></li><li>Approve outside-the-model adjustments and rationale for use.<br></li><li>Maintain a list of known model limitations and implications for use.<br></li><li>Approve the timing of model releases to production.<br></li><li>Coordinate the reporting calendar and use of 
model results.<br></li><li>Identify stress and scenario testing for the models and determine management actions.<br></li><li>Provide a consistent, common communication point to address questions and drive improvement.<br></li></ul></td></tr></tbody></table>Kelley Ellis
The Integrity Office (https://iaonline.theiia.org/2018/Pages/The-Integrity-Office.aspx)<p>While the mission statements of internal audit and corporate compliance functions are similar — focused on operational integrity, efficiency, and effectiveness — organizational structures often put them in separate worlds. In most organizations, the two departments have separate leadership, perform separate risk assessments, develop separate audit and monitoring plans, individually identify and investigate issues and concerns, and recommend appropriate solutions. Rarely does one know what the other is doing. It is unfortunate, because organizations can leverage the work of these two departments, so that working together they can bring value that is greater than the sum of the separate parts. </p><p>Twelve years ago, Cleveland Clinic's senior management and the audit committee decided to leverage the work of the offices of Internal Audit and Corporate Compliance by putting them under one umbrella, and calling it the Integrity Office. As the chief audit executive (CAE), I was promoted to a new C-suite position called chief integrity officer to lead the office, and continued to report directly to the audit committee.</p><h2>Structuring the Office</h2><p>The first organizational decision was whether to combine the two departments into one staff, or keep them as separate departments under one overall leader. Though their mission statements were similar, there was a key difference in their interpretation and application of the word <em>independent</em>. Consistent with the U.S. Federal Sentencing Guidelines, formal guidance issued by the Office of the Inspector General at the U.S. Department of Health and Human Services (DHHS), and requirements imposed in numerous corporate integrity agreements, corporate compliance must maintain an independent reporting structure to the governing body of the organization. 
It also must maintain independence and objectivity in all aspects of the organization's compliance and ethics programs. That said, the program cannot effectively be administered or maintained without at least some degree of coordination and collaboration with operational areas. For example, corporate compliance often participates in the development of policies and procedures, internal controls, and systems to mitigate risks. Independence is likewise a necessity for internal audit, but in a different way. The work of internal audit is much more defined than that of corporate compliance and must conform to stringent professional standards of independence. Internal audit must demonstrate independence of mind as well as appearance. Considering that independence and objectivity are core tenets of both professions, we felt it was necessary to preserve a certain degree of independence between them. We accomplished this by organizing them as separate departments within the Integrity Office.  </p><h2>Independence From General Counsel</h2><p>In many organizations, the compliance function reports to the office of general counsel. Board of director guidance from the DHHS Office of Inspector General has provided that the compliance officer should not be the general counsel, or the subordinate to that position. Corporate compliance independence from the legal department is critical, and the integrity office model provides that independence. Also, while many companies view the compliance department as a legal function, compliance programs should be focused on implementing regulations in the organization's operations and preventing noncompliance, or aiding early identification of issues. Therefore, having a compliance staff that understands the organization's operations and how the regulations can be implemented is most effective. </p><h2>Similar Skills</h2><p>Just as the missions of internal audit and corporate compliance are similar, so are the skills necessary for their work. 
Internal auditors need to understand an organization's operations to audit its processes effectively. Due to the complexity of an academic medical center's varied operations, Cleveland Clinic's internal audit staff consists of professionals with different backgrounds in finance, billing, coding, nursing, medical research, IT, and forensics. Similarly, the corporate compliance staff includes professionals with experience in nursing, billing, coding, medical research, and law. Both staffs need excellent investigation skills, and the diversity of professional experience provides a depth of knowledge necessary to audit across the risk population effectively and make appropriate recommendations. A major difference is that while both staffs can identify and report issues and make recommendations, corporate compliance also can be involved in the issue remediation process. Internal audit can subsequently complete a follow-up audit to determine if the recommendations were implemented correctly.</p><h2>Risk Assessment Benefits</h2><p>Cleveland Clinic is a complex, $8 billion academic medical center, with multistate regional hospitals and international operations. Like many organizations, it has an enterprise risk management (ERM) process that is focused on monitoring significant risks to the organization and what we are doing to address or mitigate those risks. While ERM focuses on the major enterprise risks, internal audit and corporate compliance have to focus on the related sub-risks at ground level.</p><p>Internal audit completes an extensive annual risk assessment as the basis of developing its annual audit plan. The risk assessment is a three-pronged process. First, it incorporates input from approximately 100 interviews each year from people throughout the enterprise. In addition to interviews of senior management and board members, we include mid-level managers, administrators, doctors, and nurses. 
Internal audit learns a lot about the risks they perceive, which can differ depending on their operation. This information is critical to our risk assessment, and we probably would not be aware of many of these perceived risks if we did not listen to such a broad group of people. </p><p>Second, we evaluate if we may be affected by national health-care issues or concerns currently impacting other organizations. We frequently read or hear about significant issues at peer organizations, and we want to determine if we may have the same exposures. Evaluating the issues during this process helps mitigate the exposure by either determining that it is not an issue for us, or that we have identified it and will resolve it in a more timely manner. </p><p>The third part of our risk assessment process is evaluating known risks from prior years. Have they adequately been resolved? Is a follow-up audit warranted? All three parts of the risk assessment process are important to capture and understand the risk population. </p><p>One element of an effective compliance program is to include the auditing and monitoring of compliance risks. Corporate compliance functions also have to perform a risk assessment to determine the risks to be included in their audit and monitoring programs. Risk assessments are much more effective when internal audit and compliance staff can work together to determine the risk population, evaluate the level of risk, and decide the risks to be audited and monitored. It is more effective to have the minds of both departments involved in evaluating risks. It is also more efficient, as it can eliminate the duplicate steps of both departments auditing the same areas or processes, as well as prevent certain risks from falling through the cracks and not being audited at all. 
Management also appreciates when employees are interviewed once during the assessment process instead of internal audit interviewing employees the week after corporate compliance asked them the same questions. </p><p>A significant part of any U.S.-based health-care organization's compliance program is complying with the U.S. Health Insurance Portability and Accountability Act (HIPAA). HIPAA security regulations require an organization to have a current assessment of information security risks. At Cleveland Clinic, the chief information security officer reports functionally to the chief information officer, but also has an indirect, or dotted line, reporting to the chief integrity officer. This reporting line provides the chief integrity officer the ability to effectively monitor information security control activities, and the opportunity for internal audit and corporate compliance to make recommendations related to information security risks. </p><h2>Realizing Synergies </h2><p>While our formal risk assessment process happens annually, the benefits of internal audit and corporate compliance being under the same umbrella are reaped throughout the year. The findings from one of the department's activities may result in a change in plans for the other department. While internal audit and corporate compliance are separate departments, their offices are on the same floor and they can easily talk with each other about questions or concerns. </p><p>We continue to have separate monthly department staff meetings. Because I am familiar with the activities and results in both departments, my attendance at both staff meetings provides the opportunity for immediate transfer of helpful information during discussions. There also is a better understanding of and appreciation for the work performed by members of the other department. 
</p><p>Our internal audit staff has a forensic audit group that is charged with looking for financial, privacy, and information security-related anomalies. They also use their talents to provide corporate compliance support during complex compliance investigations. Our IT audit staff and operations audit staff provide support to compliance investigations when their talents are required to add value. </p><p>That support goes in both directions. Our compliance staff members consist of professionals from many disciplines, so they can provide internal audit with invaluable objective insight into areas being audited. Having everyone under the same organizational umbrella also eliminates resource politics. As the chief integrity officer, I can decide the best use of resources and not have to work through another executive's agenda. This is a significant benefit for both departments. </p><h2>Ensuring Independence </h2><p>The Three Lines of Defense model of internal controls puts corporate compliance in the second line of defense, and internal audit in the third line of defense. The main concern with putting corporate compliance and internal audit under common independent leadership is that internal audit cannot then independently audit the compliance function activities. If internal audit cannot independently audit compliance under one umbrella, then it is an internal audit performance issue rather than an inherent limitation with the structure. In addition to the internal reports we provide management and the audit committee, our external auditors review our compliance activities and results. They attend every audit committee meeting, and the audit committee asks for their opinions about the internal audit and corporate compliance functions during multiple executive sessions throughout the year. If our compliance function were underperforming compared to our peers, our external auditors would inform the audit committee. 
</p><p>Apart from that, management and the board receive other third-party evidence to determine whether internal audit is being above board in its assessment of compliance activities. For example, as a health-care provider to Medicare Advantage programs, insurance plans that provide supplemental coverage to people with government-provided Medicare coverage, our compliance program is subject to annual audits by the Medicare Advantage insurance companies. Numerous insurance companies have completed detailed audits of our compliance program, requiring documentation and audit testing support for compliance program requirements. Each of the external auditors issued audit reports showing no findings or recommendations. These reports are provided to senior management and the audit committee as independent third-party support.</p><p>We also have a senior-level enterprisewide corporate compliance committee, chaired by a physician leader. The committee meets twice a month to review compliance program activities and results. The organization's ERM program also has identified regulatory compliance as an area of risk. Compliance risks and current mitigation activities are under the oversight of our ERM Steering Committee. The corporate compliance function has to demonstrate to the steering committee how the organization is addressing and mitigating these risks.</p><p>Management and the board also may request to have an external peer review of the compliance program performed. Similar to the process included in The IIA's <em>International Standards for the Professional Practice of Internal Auditing</em>, an external peer review of the compliance program would provide an independent evaluation of compliance program effectiveness. </p><h2>Umbrella of Benefits</h2><p>The integrity office model was not a common organizational structure at the time Cleveland Clinic implemented it 12 years ago. 
Given the success we have experienced and benefits we have realized from having internal audit and corporate compliance under the leadership of an integrity office umbrella, it is easy to see why an increasing number of health-care entities have subsequently adopted it. </p><p>In addition to the internal benefits realized, we are pleased that our integrity office model has been an integral part of Cleveland Clinic being recognized as one of the World's Most Ethical Companies by Ethisphere for eight years. It is a recognition that the organization is proud to have received and maintained.</p>Donald A. Sinko
Governance in View (https://iaonline.theiia.org/2018/Pages/Governance-in-View.aspx)<p>Today's business landscape creates some tricky terrain for organizations to navigate. Heightened scrutiny of boards and management, and transformational internal and market forces are the rule, rather than the exception. In this environment, a corporate governance assessment can yield significant value for organizations. Moreover, it enables internal audit to satisfy the requirements of Standard 2110: Governance.</p><p>Corporate governance is the system of rules, practices, and processes by which an organization is controlled and directed. It sets the foundation not only for business protection and strategic performance, but also for the confidence of the markets, investors, regulators, and other key stakeholders. Effective corporate governance is a powerful driver for achieving strategic objectives in dynamic environments while supporting a strong risk culture (see "The Value of Corporate Governance" below right).</p><h2>Laying the Groundwork</h2><p>Determining whether strong corporate governance practices are in place entails taking a hard look at big-ticket issues such as the board's and the executives' roles and practices, how leadership sets and agrees on strategy, how that strategy translates into overall action plans, how those plans are managed, and how progress is measured against goals. Performing this analysis has enormous advantages, but there is a potential catch. This is an assessment of the top of the organization — its board, management, business strategy, and risk management and compliance functions. The return is high, but so are the risks to internal audit. Planning, execution, and reporting must be aligned to the broad-based stakeholder group so internal audit's findings and recommendations are fully supported and acted upon. That makes it imperative that corporate governance audits are well planned and skillfully executed. 
Internal audit must obtain the necessary buy-in at the highest levels, provide excellent communication and project management throughout the audit, and ensure it has the right expertise focused on the review from the start through the final deliverable. </p><p>As chief audit executives consider these issues, they should keep in mind the expectations of key stakeholders such as the board, C-suite, and business unit management. Without stakeholder commitment — including making time for interviews, reviewing results, and implementing improvements — the audit can't succeed. By seeking high-level input and perspective early on, internal audit can respond to stakeholder concerns, incorporate their priorities, and ensure the audit goes forward with the appropriate backing from senior management.</p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>The Value of Corporate Governance</strong></p><p>Corporate governance has several tangible benefits:</p><ul><li> <strong>Meeting heightened expectations of regulators and stakeholders.</strong> Faced with unprecedented scrutiny, many boards are challenged to move their organizations forward while meeting the ever-increasing demands of stakeholders and regulators. <br></li><li> <strong>Managing the organization's shifting risk profile because of internal and market forces.</strong> Organizations in many industries are striving to transform themselves. Changing business models and expansion into new businesses, services, and products continually reshape an organization's risk profile. 
Adapting corporate governance to these new realities is an important component of a successful business transformation.<br></li><li> <strong>Identifying blind spots that could impede achievement of the organization's strategy.</strong> Without strong corporate governance, organizations may struggle with conflicting objectives or a competing strategy that is diverting resources from a priority project.<br></li><li> <strong>Addressing concerns about risk culture.</strong> Without a business strategy, it's difficult — if not impossible — to determine whether the organization is taking appropriate risks. Robust corporate governance can maintain focus on the organization's strategy and how it aligns with its risk culture.<br></li><li> <strong>Surveying the organization's lines of defense.</strong> There's a great deal to be gained from looking carefully at the organization's 1) revenue-generating business units and their accountability for the risks they create, 2) risk management teams and the framework they have created for business units, and 3) internal audit function, including internal and board reporting objectives. <br></li></ul></td></tr></tbody></table><p>It's also important to focus on the organization's external stakeholders such as regulators, shareholders, and external auditors. Once announced, internal audit's decision to undertake a corporate governance audit will generate intense interest. Auditors should prepare for regulator requests to look at their approach and findings. </p><div><p>Delving into governance audits without the right expertise, timeline, and scope can hurt the internal audit function. Depending on its depth of expertise, internal audit may want to bring in third-party subject-matter specialists to provide additional credibility, experience, and an industry sector perspective that is benchmarked against leading practices. 
Working closely with outside subject-matter experts also provides an excellent knowledge transfer opportunity that can assist internal audit in future reviews. </p><div><h2>Governance and Risk</h2><p>A look at the corporate governance risk framework is a helpful way to understand the structure for an audit (see "The Corporate Governance Risk Framework" below right). Internal auditors should ask several questions about the organization's corporate governance framework. Auditors at highly regulated organizations already may be hearing these questions from regulators. However, any organization would benefit from exploring whether its governance model:</p><ul><li>Guides strategic direction and day-to-day control.<br></li><li>Outlines the rules and procedures for making decisions.<br></li><li>Specifies and distributes rights and responsibilities, including decision-making authority, among the organization's various stakeholders.<br></li><li>Provides structure and accountability through which the organization can achieve its objectives and monitor how it performs.<br></li><li>Maintains the integrity of the organization's structure and accountability.<br></li><li>Influences the appropriate tone and risk culture.<br></li></ul><p>Risk culture merits special emphasis because it is at the heart of corporate governance. If internal auditors fail to consider the organization's risk culture, they may miss the subtle indicators of ineffective governance. For example, a company may have a well-designed governance structure but ineffective governance because its risk culture discourages managers from escalating risk issues for fear of the consequences. </p><p>Finally, the organization needs to decide where it wants to be in the corporate governance maturity model. Does it want to be a leader in one or more areas, or is average sufficient? 
A corporate governance audit can benchmark where the organization stands on categories ranging from board governance to strategic planning to tone at the top to risk management and corporate compliance. For each of these areas (and more), auditors can chart whether the organization is lagging, average, or leading against peers. </p><h2>Structuring the Audit</h2><p>There is not one ideal way to assess the state of corporate governance. An example of an approach that is well-suited to an organization embarking on this process for the first time is to execute a two-phase assessment comprising an initial advisory phase and an audit phase.</p><p> <strong>Advisory Phase </strong>In the first phase, the goal is to establish a baseline by focusing on the entire governance framework. The assessment relies heavily on interviews with a selection of board members, senior executives, and others in the organization. The questions should focus on a broad range of governance topics, including corporate strategy, board oversight and committee structure, management committee structure, tone at the top and culture, the state of the compliance program, and the state of the risk management program. At the highest level, these interviews should provide a view of their understanding of the organization's governance processes and how those processes are aligned with corporate objectives. </p><p> Auditors also should review supporting documentation, such as bylaws, board committee charters, policies, and organizational charts, to create a holistic picture of the organization's culture and processes. They then should analyze information developed through the interviews and document review processes and assess it against a maturity scale. Audit recommendations should assist the organization to ultimately move farther along that scale.</p><p>A corporate governance assessment will require the audit team to make qualitative judgments about the design of the governance structure. 
Internal audit will need to determine how formal the corporate governance elements should be compared to leading practices in the industry and at peer companies. Performing the initial work as an advisory review allows for a freer two-way exchange of ideas and observations ahead of the formal audit.</p><p>During the advisory phase, internal audit should communicate the results of its interviews and assessment to management as recommendations instead of formal issues. The absence of an opinion positions the internal auditor as a business advisor, which promotes candid discussions and more informed recommendations. </p><p>At the end of the advisory phase, suitable time is needed to allow the organization to implement corrective actions in response to recommendations resulting from the first phase. The amount of time depends on the extent of remediation required and often will be more than a year to allow for policies to be developed or enhanced and implemented.</p><p> <img src="/2018/PublishingImages/Schwartz-the-corporate-governance-risk-framework.jpg" class="ms-rtePosition-2" alt="The Corporate Governance Risk Framework" style="margin:5px;" /> <strong>Audit Phase </strong>With an established framework in place, the company can conduct a formal audit to assess the effectiveness of governance processes. Here, the scope is narrower and builds on the previous review work. As during the first phase, interviewing board members and executives is a key component. In-depth testing of key risk areas also is important. Examples of key risk areas include delegation of authority, board and management committee charters, risk appetite, and the compliance testing program. The outcome is an analysis of targeted issues, leading practice recommendations for improvements, and a formal audit opinion. </p><p>Internal auditors should keep in mind that they are auditing the leadership of the organization. Presenting corporate governance audit findings to the CEO or board members is the ultimate "seat at the table" for CAEs. 
They must ensure their facts are thoroughly vetted and benchmarking against leading practices is well supported. Anything short of that could damage internal audit's credibility.</p><p>This two-phase method is just one approach to auditing corporate governance. Organizations with a well-honed governance structure may prefer to start directly with the audit phase. The key is to tailor an approach for the organization, considering issues such as the maturity of its structures, availability of resources, and leadership and regulatory expectations.</p><h2>Driving Change</h2><p>The value proposition for a corporate governance assessment is significant. Working closely with the board and senior management, internal auditors have an opportunity to drive change. This is a high-risk, high-reward effort, though. A thoughtful, measured approach and stakeholder buy-in are critical at every stage — from planning through report issuance. </p></div></div>Doug Watt
Taking the Lead on Blockchainhttps://iaonline.theiia.org/2018/Pages/Taking-the-Lead-on-Blockchain.aspxTaking the Lead on Blockchain<p>Internal auditors are no strangers to change, and change continues to transform even the most traditional of processes. The latest revolutionary innovation is blockchain. Initially the technology underlying digital currencies such as Bitcoin, blockchain is beginning to change processes across many industries. </p><p>Like all new technologies, blockchain may produce innumerable new risks. Yet ultimately, it has the potential to help manage and mitigate many traditional audit risks. Internal auditors need to understand how blockchain may change business processes, determine the risks to the organization, and revisit audit processes and procedures to leverage the technology in their work. </p><h2>How It Works</h2><p>A blockchain is effectively a type of decentralized database known as a distributed ledger. Unlike traditional databases, blockchains have no sole administrator. As each transaction is recorded, it is time-stamped in real time onto the "block." Each block is linked to the previous block, and each user has a copy of that block on his or her own device. That process effectively creates an audit trail. </p><p>Blockchain is most notably used for transactions involving the buying or selling of digital currencies. Although the electronic encrypted audit trail is one by-product of the underlying technology of interest to internal auditors, another interesting side effect of the process is an accounting methodology called triple-entry accounting. Modern financial accounting is based on double-entry bookkeeping dating back to the 1400s. With triple-entry accounting, all entries for a given transaction are made to the blockchain to verify and document receipt of the transaction. Thus, triple-entry accounting blends traditional double-entry accounting with third-party validation. 
As such, this methodology potentially could vastly alter traditional accounting processes and the subsequent control activities, risk assessment, and monitoring activities.</p><h2>Impact on Audit Process</h2><p>Often, internal auditors must catch up with technologies that are already in place, making modifications to the existing audit plan arduous and further emphasizing the need for a dynamic and adaptable audit plan. The complexity and incremental cost associated with blockchain implementation creates additional risk to the organization, making it vital that auditors are involved from inception and not just after implementation when a final process must be audited. Other risks associated with blockchain include scalability constraints, new privacy and security risks, and the need to consider new regulatory requirements, many of which have not yet been promulgated.</p><p>Historically, auditors have been tasked with verifying the management assertions of existence, valuation, rights and obligations, completeness, and presentation and disclosure. The use of a distributed general ledger virtually eliminates the possibility of altering transactional data or inputting fictitious data, as the encrypted signatures of both parties involved in a given transaction are required. </p><p>Even with recent media coverage of digital currency hacks, the supporting technology underlying blockchain continues to be touted as "tamper-proof," "validated," "secure," and "private." Hacks are possible on applications that use blockchain, just as on an organization's intranet. However, for a hack or data leak to occur, an attacker not only has to concurrently hack each user on the network, but also bypass encryption. 
Such an intrusion would be highly visible to those on the network. Internal auditors must perform comprehensive risk assessments to determine the likelihood, magnitude, and nature of potential threats as well as the appropriate preventive, detective, and corrective controls. </p><p>In addition to the data being more secure and valid, using a distributed public ledger gives auditors access to transactional data needed for the audit in real time, thus allowing for more continuous auditing. While continuous auditing has the potential to enable auditors to be more efficient, proactive, adaptive, and forward-looking, internal audit departments must explore the impact continuous auditing may have on existing audit programs and the potential disruption to the traditional audit cycle. Specifically, auditors must consider how it could impact scheduling, planning, and the actual collection of audit evidence. </p><p>While blockchain would in no way be a substitute for U.S. Sarbanes-Oxley Act of 2002 control testing, it could greatly increase the efficiency of traditional audits, creating a more uniform and highly verified audit trail from which to work. The improved quality of data and fewer reconciliations can potentially reduce the amount of work necessary throughout the year. Auditors may be able to conduct more work remotely, because less fieldwork will have to occur at the client's site. Moreover, efficiency gains from blockchain may enable internal auditors to focus on other high-risk areas such as internal control, compliance, or operational audits. </p><h2>Audit Implications</h2><p>With the advent of blockchain, the nature of audit work may change pervasively. 
Potential changes to consider include: </p><ul><li> <em>Systematically less reliance on paper documentation that can be altered or falsified easily.</em> Matching and vouching to test for existence and appropriate valuation may largely be outdated, as auditors will have easy access to transactional data that already has been mutually agreed upon and verified by an independent third party.<br></li><li> <em>Differing cybersecurity risks and controls.</em> As the use of blockchain makes data available to everyone on the network, both physical and logical access controls will be more important than ever. In addition, use of a distributed public ledger can decrease the risk of successful computer attacks and may increase the visibility of attacks. The increased visibility elevates the importance of an organization's incident response plan.<br></li><li> <em>More involvement in creating new processes based on blockchain technology.</em> As recent publications from the Big 4 firms note, the reliance on blockchain technology may require auditors to collaborate with IT professionals and raise the demand for auditors with IT expertise. Subsequent documentation of new processes and changes to old processes are key controls that auditors should not overlook. Over time, the use of blockchain may lead to increased standardization in both business processes and audit processes across industries as best practices emerge. <br></li></ul><h2>Risks and Rewards</h2><p>To prevent or lessen the risk of crisis that often precedes imminent change, internal auditors must stay abreast of emerging technologies such as blockchain. Yet, as with many new technologies and processes, blockchain may present a steep learning curve for auditors. Understanding the underlying technology of a distributed public ledger can enable auditors to assess the new control environment and new risks to the organization. 
In this way, internal auditors can be change agents who help mitigate the negative risks that all too often accompany the rewards associated with any new technology.</p>Jamie L. Hoelscher
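To make the linking described in "How It Works" concrete, and to show why the "Impact on Audit Process" section says an altered record would be visible on the network, here is an added example (written for this page, not code from the article or any product it mentions) of a hash-chained ledger: each block carries a timestamp, a business record and the hash of the previous block, a verifier walks the links, and comparing two users' copies pinpoints where they disagree. The block layout, field names and sample invoices are constructed assumptions; a real blockchain adds consensus and participant signatures that this minimal chain omits.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Optional

GENESIS_HASH = "0" * 64  # link value carried by the very first block

@dataclass(frozen=True)
class Block:
    index: int
    timestamp: int     # seconds since the epoch (constructed values below)
    transaction: dict  # the business record being logged
    prev_hash: str     # hash of the preceding block: the "link"
    hash: str          # hash over this block's own contents

def compute_hash(index: int, timestamp: int, transaction: dict, prev_hash: str) -> str:
    # Canonical JSON so identical content always yields an identical hash.
    payload = {"index": index, "timestamp": timestamp,
               "transaction": transaction, "prev_hash": prev_hash}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

def append_block(chain: List[Block], timestamp: int, transaction: dict) -> Block:
    prev_hash = chain[-1].hash if chain else GENESIS_HASH
    digest = compute_hash(len(chain), timestamp, transaction, prev_hash)
    chain.append(Block(len(chain), timestamp, transaction, prev_hash, digest))
    return chain[-1]

def first_broken_block(chain: List[Block]) -> Optional[int]:
    # Walk the chain; report the first block whose link or content hash fails.
    expected_prev = GENESIS_HASH
    for b in chain:
        if b.prev_hash != expected_prev or compute_hash(
                b.index, b.timestamp, b.transaction, b.prev_hash) != b.hash:
            return b.index
        expected_prev = b.hash
    return None

def divergence(copy_a: List[Block], copy_b: List[Block]) -> Optional[int]:
    # Compare two users' copies; report the first index where they disagree.
    for a, b in zip(copy_a, copy_b):
        if a.hash != b.hash:
            return a.index
    return None if len(copy_a) == len(copy_b) else min(len(copy_a), len(copy_b))

def build_sample_ledger() -> List[Block]:
    # Constructed sample transactions, not real data.
    chain: List[Block] = []
    append_block(chain, 1538352000, {"id": "INV-1001", "payer": "A", "payee": "B", "amount": 250})
    append_block(chain, 1538352060, {"id": "INV-1002", "payer": "B", "payee": "C", "amount": 75})
    append_block(chain, 1538352120, {"id": "INV-1003", "payer": "C", "payee": "A", "amount": 40})
    return chain

def tamper_with(chain: List[Block], index: int, amount: int, rehash: bool) -> List[Block]:
    # Alter a past record in one copy; optionally recompute only that block's hash.
    b = chain[index]
    tx = dict(b.transaction, amount=amount)
    new_hash = compute_hash(b.index, b.timestamp, tx, b.prev_hash) if rehash else b.hash
    altered = list(chain)
    altered[index] = replace(b, transaction=tx, hash=new_hash)
    return altered
```

Editing a past record without re-hashing fails at that block; re-hashing it breaks the next block's link instead, and comparing against any other user's copy still locates the change.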
