GDPR and Internal Audit and Internal Audit<p></p> <p>Now that the May 25 deadline has passed to comply with the European Union’s (EU’s) General Data Protection Regulation (GDPR), compliance executives may be breathing a sigh of relief. Yet the real compliance work is only beginning. </p><p>GDPR consolidates the EU’s personal data privacy protection laws and redirects the way organizations approach data privacy. It greatly expands the privacy rights of E.U. citizens and residents, and it applies to any organization that does business with those individuals, regardless of its location. Organizations that don’t comply with GDPR face penalties of up to €20 million or 4 percent of annual worldwide turnover, whichever is greater. </p><p>Compliance will require continued focus and effort. Internal audit can help the organization mitigate GDPR compliance risks by identifying ways to improve controls, raising risk awareness, and assuring compliance.</p><h2>Improving Controls​</h2><p>Internal audit can help the organization shift from the preparation phase to the implementation phase of GDPR. The regulation specifically requires organizations to focus on these control-oriented topics:</p><ul><li><em>Accuracy and quality</em> requires organizations to ensure data is accurate and up-to-date and that individuals can correct their records. <br></li><li><em>Security and privacy</em> by design requires organizations to document decisions taken to inform EU residents about how their data will be used and restricted. They also must implement technical, administrative, and physical security/privacy controls to mitigate potential harm. <br></li><li><em>Security safeguards</em> ensure that technical and organizational measures are implemented for privacy and security. <br></li></ul><p><br>Internal audit should work with management to identify relevant controls over data entry, assess the accuracy of information and recommend improvements, and strengthen controls that prevent and detect data errors.</p><h2>Raising Risk Awareness </h2><p>The direct risks associated with GDPR relate to potential fines and reputational impact. However, by digging into the regulation’s purpose, internal auditors can see other data protection risks.</p><p><strong>Monitoring, Measuring, and Reporting</strong> Organizations must have a data protection officer (DPO) to lead privacy and compliance efforts. Among the DPO’s tasks are reporting on compliance monitoring, training staff, and ensuring privacy compliance audits take place. The organization must perform data privacy impact assessments when new technologies and systems are used, provide timely data breach notifications, and report on the use of third-party processors.</p><p><strong>Prevent Harm</strong> GDPR imposes sanctions and penalties on organizations that process data unlawfully or fail to deploy safeguards. In addition, individuals may request that the organization remove their personal data from automated processing and profiling.</p><p><strong>Breach Management</strong> Organizations must put processes in place to notify persons no later than 72 hours after they discover a data breach, if it is determined that the breach will result in a high risk of privacy harm to those individuals.<br></p><p><strong>Openness, Transparency, and Notice</strong> Organizations must keep data for specific and legitimate purposes and notify persons about how the organization will use their data. Organizations also must inform individuals of safeguards applied when personal data is transferred to a third country.<br></p><p><strong>Individual Participation</strong> EU residents may request access to data, obtain a copy of the data held, and withdraw consent to use personal data as long as withdrawal does not result in legal violations. Individuals may object to the use of their data for direct marketing and profiling, and they may contact the DPO for any issue related to processing their personal data.<br></p><p>Internal audit can educate management about potential risks and ways to manage risks in each area. Auditors can communicate relevant information about these risks via informal emails, a departmental newsletter, or meeting with management. <br></p><h2>Assuring Compliance</h2><p>As new policies and procedures become more mature, internal audit will need to perform regular compliance audits to determine the extent to which the organization is complying with GDPR. Auditors should focus on how the organization manages data to help strengthen privacy and security controls and ensure they are designed appropriately and operating effectively. Auditors will need to assure compliance with key aspects of the regulation and provide early warnings about problems.</p><p><strong>Choice and Consent</strong> Under GDPR, organizations must allow users to choose how their personal data is used. Also, organizations must document and maintain consents and request parental authorization before collecting a child’s data. </p><p><strong>Legitimate Purpose</strong> To ensure data collection is lawful and necessary, organizations can collect only personal data that is needed to achieve the intended purpose. Reviewing and handling requests for further processing, restricting requests for data related to criminal convictions, and documenting situations where the right to object does not apply are all important. Internal auditors can help reduce risk by sampling data collection mechanisms for compliance.<br></p><p><strong>Limitations</strong> Organizations may keep data no longer than the period required to support the purposes for which it was collected, and they must erase an individual’s personal data upon his or her request. GDPR permits organizations to retain data meant for archiving purposes in the public interest or for reasons of scientific or historical research. <br></p><p><strong>Free Flow of Information and Legitimate Restriction</strong> This principle includes protections for data transfers using legally binding agreements between public authorities, binding corporate rules, model clauses, and other mechanisms. <br></p><p><strong>Third-party Vendor Management</strong> This principle ensures that organizations gather third-party/vendor guarantees of GDPR compliance along with proof that third parties have the required technical and organizational safeguards. The DPOs of the data controller — organizations or individuals that determine the purposes and means of processing data — must provide written authorizations to use a given processor.<br></p><p><strong>Accountability</strong> GDPR’s accountability principle provides a legal basis for processing personal data, establishes the DPO role, and informs citizens and residents of existing privacy rights and safeguards. In addition to overseeing the data protection strategy, the DPO must maintain contact with the supervisory authority and demonstrate compliance.<br></p><p>Internal auditors will need to periodically assess processes and controls for each of these principles to ensure they are designed and operating effectively. Auditors can review a sample of data transfer documentation to look for data that should not be transferred to another organization. They can run reports to look for data that is being kept longer than necessary and review available documentation for any exceptions.<br></p><h2>A GDPR Audit Plan</h2><p>To help the organization maintain compliance, internal audit should include independent GDPR assessments and compliance testing in the audit plan. It can raise executive and board awareness of GDPR noncompliance by highlighting poorly designed or missing controls. Finally, it can identify opportunities to audit common processes across departments. ​</p>Jan Hertzberg1
Crisis Overconfidence Overconfidence<p>​Companies are overconfident about their ability to cope in a crisis, and executive leadership on the issue may also be sorely lacking in some organizations, according to a new report. Research by professional services firm Deloitte has found that nearly 60 percent of crisis management and other executives surveyed believe organizations face more crises today than they did 10 years ago.</p><p>They are not wrong. In the past two years, 80 percent of organizations worldwide have had to mobilize their crisis management teams at least once, with cyber and safety incidents topping the list of crises requiring management intervention. And the impact of a crisis on organizations is immediate: nearly three-fifths experienced a leap in customer complaints, usually on social media.</p><p>More than four in five respondents say their organizations have a crisis management plan in place. However, Deloitte's study, Stronger, Fitter, Better: Crisis Management for the Resilient Enterprise,<em> </em>has<em> </em>uncovered dramatic gaps between a company's confidence that it can respond to crises and its level of preparedness. It found that while nearly 90 percent of respondents are confident in their organization's ability to deal with a corporate scandal, only 17 percent have tested that assumption through a simulation exercise. Similarly, 70 percent of organizations are confident in their ability to manage a product recall, though only 22 percent have carried out a simulation exercise.</p><p>The survey, which included participation from more than 500 crisis management, business continuity, and risk senior executives across 20 countries, also found that organizations feel more confident in confronting some types of risks rather than others — particularly IT risks because they feature so prominently on risk agendas. For example, nine out of 10 respondents have fairly or very high levels of confidence in their organization's ability to tackle system failures, with similar numbers confident in their organization's ability to respond to regulatory and policy changes (89 percent), corporate scandals (88 percent), and cyberattacks (87 percent). </p><p>Deloitte's research found that experiencing a crisis teaches organizations to avoid them. For example, nearly 90 percent of organizations surveyed have conducted (largely internal) reviews following a crisis, and while these crises were not always foreseen, companies recognized that they might have been averted. As a result, organizations are now more likely to take action to forestall future crises.</p><p>Indeed, a crisis management response plan is critical. Deloitte found that nearly half of respondent organizations that did not have a plan in place saw their finances negatively impacted when a crisis struck. For those organizations with a plan, it was less than a third. </p><p>"Crisis management shouldn't start with a crisis — at this point it may already be too late," says Peter Dent, Deloitte Global crisis management leader. "With the rapid pace of change facing companies worldwide, and with crises on the rise, it is critical for organizations to be ready to respond with skilled leadership and plans that have been tested and rehearsed." </p><p>Crisis plans work best when the board and senior management are involved in shaping them and sponsoring them. And to secure their participation, the study's authors say that it is important to keep the plan relevant to them so that it addresses the issues that "keep management awake at night," such as the impact on reputation and the bottom line.  </p><p>Organizations should also ensure that they set up a crisis management plan specifically for the board, because when a crisis hits executives may need to play a very different — and more interventionist — role from normal. For example, if the crisis is causing significant damage to reputation, affecting share price, or resulting in regulatory sanctions or litigation, it may be up to the board to plan the company's continuity and survival. And in terms of succession planning, it may be appropriate to recruit board members with prior crisis management experience, Deloitte says.</p><p>Leadership commitment to crisis management is critical. But nearly a quarter of respondents cite the effectiveness of leadership and decision-making as one of the greatest crisis management challenges their organizations face. In fact, leadership commitment — or lack of it — was deemed to be the primary challenge for respondents, followed by effectiveness of teamwork, familiarity with the crisis structure/response process, and clarity of roles and responsibilities.</p><p>Part of the problem, Deloitte says, is that leaders are unprepared for crisis management. Therefore, organizations should establish a leadership structure for a crisis to help define roles and responsibilities, and training should be provided, particularly around communicating with stakeholders. Organizations should also identify the leadership styles of particular executives and managers, and work out who would be best placed to deal with certain aspects of the crisis response: in a high-pressure environment, leaders will tend to rely heavily on their most natural leadership style — which may not be suitable. </p><p>Deloitte's research found that crises often emanate from the actions of third parties such as suppliers and alliance partners, but at the same time, these third parties often play an important role in helping to manage and mitigate the problem. Recognizing this, 59 percent of respondents say that they participate in crisis exercises with third parties, examine third parties' crisis plans, or both. In Europe, the proportion is 80 percent.</p><p>As a result, the researchers say that companies should determine which outside organizations need to be in the fold when managing a crisis. These could include advisors such as lawyers, public relations firms, or specialist cyber defense organizations, as well as crisis advisors. In addition, they say, critical service providers, joint venture partners, resellers, distributors, and any other entity that could trigger a crisis (or be affected by it) should be involved in crisis preparations too. </p><p>The report adds that — depending on the scenario — these outside parties should also be included in simulations and exercises where appropriate, and should also share their contingency plans and provide regular updates on response readiness. Companies should stress the benefits of such collaboration, and even consider stipulating in contracts and agreements that such information should be shared.</p><p>"Crises aren't inevitable," Dent says. "Many of them are avoidable, which is why smart business leaders invest in crisis management capabilities. These strengths can help their organizations avoid costly, and sometimes irreparable, damage to finances, employee morale, brand, and reputation."</p>Neil Hodge0
Model Governance, Where to Begin?,-Where-to-Begin.aspxModel Governance, Where to Begin?<p></p> <p>Models serve many purposes and support various decisions across an organization. A model is a mathematical representation of an entity system given certain operational, financial, compliance, and/or economic conditions that aims to quantify past, present, or future outcomes to provide decision-making information. Models typically are used to predict future results or to allow an entity to perform analysis within the mathematical model to determine the impacts of different drivers or variables on model output. Models can be simple calculations in an Excel spreadsheet with a small table of variable inputs, or they can be highly complex mathematical and statistical computations with a web of interrelated models using sophisticated software on a dedicated server. </p><p>Model governance provides oversight and control to minimize model risk, establishes policy to protect the integrity of the model output used in decision-making, prioritizes and authorizes changes to models used by the organization, and facilitates the sharing of information across the organization regarding the use and limitations of the models to improve transparency.</p><p>Before internal audit can evaluate the model governance structure and effectiveness, it needs to gain an understanding of the models that are used within the organization. This can be time-consuming. Documentation is valuable to any process, but it is difficult to find in practice. Internal audit may have to work with management to develop an initial listing that can be used to identify and assess risks and determine the audit scope. The list of models should include: </p><ul><li>Name for the model.<br></li><li>A brief description of the model’s purpose and use.<br></li><li>Key model personnel: model owner, developer, tester/validator, production operator, and users.<br></li><li>Frequency of model output reporting.<br></li><li>The software and platform used for the model.<br></li><li>The latest version of the model being used.<br></li><li>The model risk rating. <br></li></ul><p><br>The model owner should maintain more detailed information for each model regarding inputs, assumptions, methodologies, process documentation with risks and controls identified, data flow diagrams, items excluded from the model, approximations or assumptions used in the model, model limitations, manual outside adjustments to the model, and software and hardware used by the model.</p><p>The model risk rating should be based on probability and impact and be consistent with other risk rating structures used within the organization. When determining the model risk rating, internal audit should consider several risk drivers (along with other relevant criteria based on the industry or business), including: financial statement impact of results, level of model dependency in making business decisions, regulatory requirements, complexity of calculations and the extraction/transferring/loading of inputs, degree of interdependencies among models, subjectivity of assumptions or inputs, experience level of the personnel involved, historical experience of issues, effectiveness of controls, and degree of incentive compensation that may be tied to performance or output.</p><p>Once the listing of models is compiled, risk rated, and agreed upon by key stakeholders, internal audit can perform an assessment of model governance focusing on the high-risk models as a starting point. All high-risk rated models should be within the purview of a model governance committee.</p><p>The scope of responsibilities of a model governance committee is subject to debate and tends to be the victim of scope creep given the volume of risks associated with models. “Model Governance Committee Responsibilities,” below, provides a comprehensive listing of items to be considered in determining the scope of a committee. There may be other responsibilities specific to an organization or evolving risks.</p><p>The structure and oversight of the model governance committee should be tailored to the specific needs and level of maturity of the organization: </p><ul><li>The committee should report to the board directly, or indirectly via another committee. <br></li><li>Membership should include a variety of senior-level model stakeholders.<br></li><li>Responsibilities should be clearly defined for committee members and those involved in the modeling process. <br></li><li>Committee decisions should be clearly documented with supporting rationale in committee minutes.<br></li><li>A communication process should be in place to notify those who are responsible for any follow-up actions, noting anyone who should be consulted or informed.<br></li></ul><p><br>Having a model governance committee centralizes the identification of, and response to, model risks, which typically improves communication across stakeholders, builds consensus around decisions, establishes controls, and enables management action given the diversity of committee membership. The focus on model risks by regulators and external auditors has been increasing. Having a committee that receives and generates appropriate documentation makes it much easier to address those concerns. </p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><br><p><strong>Model Governance Committee Responsibilities</strong></p><p>Potential responsibilities may be completed by the committee, management or a project team with committee oversight, or some combination thereof. Responsibilities will vary but could include: </p><ul><li>Develop, approve, and communicate model policy, standards, and procedures.<br></li><li>Plan resources and prioritize tasks when there are competing priorities or dependencies.<br></li><li>Review and approve technical papers from subject-matter experts regarding gray areas or where there is disagreement on model approaches.<br></li><li>Prioritize and approve model changes, including tolerance and materiality levels for approvals needed for model changes.<br></li><li>Review and approve risk control matrices for material mo​dels. Also, have insight into control issues that impact the model, including general IT and application controls over inputs, processes, and outputs.<br></li><li>Monitor compliance issues that impact the model  and approve management actions to remediate issues.<br></li><li>Oversee model data quality — integrity; outliers; timeliness and availability; security; and extraction, transfer, and loading.<br></li><li>Oversee model validation — static and dynamic testing, sensitivity analysis, analytics, user acceptance testing, analysis and quantification of changes, and identification of risk-based deep dives into current models on an ad hoc, periodic, or rotational basis.<br></li><li>Provide an objective, robust check and challenge process on model results.<br></li><li>Approve outside-the-model adjustments and rationale for use.<br></li><li>Maintain a list of known model limitations and implications for use.<br></li><li>Approve the timing of model releases to production.<br></li><li>Coordinate the reporting calendar and use of model results.<br></li><li>Identify stress and scenario testing for the models and determine management actions.<br></li><li>Provide a consistent, common communication point to address questions and drive improvement.<br></li></ul></td></tr></tbody></table><p></p>Kelley Ellis1
The Integrity Office Integrity Office<p>​While the mission statements of internal audit and corporate compliance functions are similar — focused on operational integrity, efficiency, and effectiveness — organizational structures often put them in separate worlds. In most organizations, the two departments have separate leadership, perform separate risk assessments, develop separate audit and monitoring plans, individually identify and investigate issues and concerns, and recommend appropriate solutions. Rarely does one know what the other is doing. It is unfortunate, because organizations can leverage the work of these two departments, so that working together they can bring value that is greater than the sum of the separate parts. </p><p>Twelve years ago, Cleveland Clinic's senior management and the audit committee decided to leverage the work of the offices of Internal Audit and Corporate Compliance by putting them under one umbrella, and calling it the Integrity Office. As the chief audit executive (CAE), I was promoted to a new C-suite position called chief integrity officer to lead the office, and continued to report directly to the audit committee.</p><h2>Structuring the Office</h2><p>The first organizational decision was whether to combine the two departments into one staff, or keep them as separate departments under one overall leader. Though their mission statements were similar, there was a key difference in their interpretation and application of the word <em>independent</em>. Consistent with the U.S. Federal Sentencing Guidelines, formal guidance issued by the Office of the Inspector General at the U.S. Department of Health and Human Services (DHHS), and requirements imposed in numerous corporate integrity agreements, corporate compliance must maintain an independent reporting structure to the governing body of the organization. It also must maintain independence and objectivity in all aspects of the organization's compliance and ethics programs. That said, the program cannot effectively be administered or maintained without at least some degree of coordination and collaboration with operational areas. For example, corporate compliance often participates in the development of policies and procedures, internal controls, and systems to mitigate risks. Independence is likewise a necessity for internal audit, but in a different way. The work of internal audit is much more defined than that of corporate compliance and must conform to stringent professional standards of independence. Internal audit must demonstrate independence of mind as well as appearance. Considering that independence and objectivity are core tenets of both professions, we felt it was necessary to preserve a certain degree of independence between them. We accomplished this by organizing them as separate departments within the Integrity Office.  </p><h2>Independence From General Counsel</h2><p>In many organizations, the compliance function reports to the office of general counsel. Board of director guidance from the DHHS Office of Inspector General has provided that the compliance officer should not be the general counsel, or the subordinate to that position. Corporate compliance independence from the legal department is critical, and the integrity office model provides that independence. Also, while many companies view the compliance department as a legal function, compliance programs should be focused on implementing regulations in the organization's operations and preventing noncompliance, or aiding early identification of issues. Therefore, having a compliance staff that understands the organization's operations and how the regulations can be implemented is most effective. </p><h2>Similar Skills</h2><p>Just as the missions of internal audit and corporate compliance are similar, so are the skills necessary for their work. Internal auditors need to understand an organization's operations to audit its processes effectively. Due to the complexity of an academic medical center's varied operations, Cleveland Clinic's internal audit staff consists of professionals with different backgrounds in finance, billing, coding, nursing, medical research, IT, and forensics. Similarly, the corporate compliance staff includes professionals with experience in nursing, billing, coding, medical research, and law. Both staffs need excellent investigation skills, and the diversity of professional experience provides a depth of knowledge necessary to audit across the risk population effectively and make appropriate recommendations. A major difference is that while both staffs can identify and report issues and make recommendations, corporate compliance also can be involved in the issue remediation process. Internal audit can subsequently complete a follow-up audit to determine if the recommendations were implemented correctly.</p><h2>Risk Assessment Benefits</h2><p>Cleveland Clinic is a complex, $8 billion academic medical center, with multistate regional hospitals and international operations. Like many organizations, it has an enterprise risk management (ERM) process that is focused on monitoring significant risks to the organization and what we are doing to address or mitigate those risks. While ERM focuses on the major enterprise risks, internal audit and corporate compliance have to focus on the related sub-risks at ground level.</p><p>Internal audit completes an extensive annual risk assessment as the basis of developing its annual audit plan. The risk assessment is a three-pronged process. First, it incorporates input from approximately 100 interviews each year from people throughout the enterprise. In addition to interviews of senior management and board members, we include mid-level managers, administrators, doctors, and nurses. Internal audit learns a lot about the risks they perceive, which can differ depending on their operation. This information is critical to our risk assessment, and we probably would not be aware of many of these perceived risks if we did not listen to such a broad group of people. </p><p>Second, we evaluate if we may be affected by national health-care issues or concerns currently impacting other organizations. We frequently read or hear about significant issues at peer organizations, and we want to determine if we may have the same exposures. Evaluating the issues during this process helps mitigate the exposure by either determining that it is not an issue for us, or that we have identified it and will resolve it more timely. </p><p>The third part of our risk assessment process is evaluating known risks from prior years. Have they adequately been resolved? Is a follow-up audit warranted? All three parts of the risk assessment process are important to capture and understand the risk population. </p><p>One element of an effective compliance program is to include the auditing and monitoring of compliance risks. Corporate compliance functions also have to perform a risk assessment to determine the risks to be included in their audit and monitoring programs. Risk assessments are much more effective when internal audit and compliance staff can work together to determine the risk population, evaluate the level of risk, and decide the risks to be audited and monitored. It is more effective to have the minds of both departments involved in evaluating risks. It is also more efficient, as it can eliminate the duplicate steps of both departments auditing the same areas or processes, as well as eliminate certain risks from falling through the cracks and not being audited at all. Management also appreciates when employees are interviewed once during the assessment process instead of internal audit interviewing employees the week after corporate compliance asked them the same questions. </p><p>A significant part of any U.S.-based health-care organization's compliance program is complying with the U.S. Health Information Portability and Accountability Act (HIPAA). HIPAA security regulations require an organization to have a current assessment of information security risks. At Cleveland Clinic, the chief information security officer reports functionally to the chief information officer, but also has an indirect, or dotted line, reporting to the chief integrity officer. This reporting line provides the chief integrity officer the ability to effectively monitor information security control activities, and the opportunity for internal audit and corporate compliance to make recommendations related to information security-related risks. </p><h2>Realizing Synergies </h2><p>While our formal risk assessment process happens annually, the benefits of internal audit and corporate compliance being under the same umbrella are reaped throughout the year. The findings from one of the department's activities may result in a change in plans for the other department. While internal audit and corporate compliance are separate departments, their offices are on the same floor and they can easily talk with each other about questions or concerns. </p><p>We continue to have separate monthly department staff meetings. Because I am familiar with the activities and results in both departments, my attendance at both staff meetings provides the opportunity for immediate transfer of helpful information during discussions. There also is a better understanding of and appreciation for the work performed by members of the other department. </p><p>Our internal audit staff has a forensic audit group that is charged with looking for financial, privacy, and information security-related anomalies. They also use their talents to provide corporate compliance support during complex compliance investigations. Our IT audit staff and operations audit staff provide support to compliance investigations when their talents are required to add value. </p><p>That support goes in both directions. Our compliance staff members consist of professionals from many disciplines, so they can provide internal audit with invaluable objective insight into areas being audited. Having everyone under the same organizational umbrella also eliminates resource politics. As the chief integrity officer, I can decide the best use of resources and not have to work through another executive's agenda. This is a significant benefit for both departments. </p><h2>Ensuring Independence </h2><p>The Three Lines of Defense model of internal controls puts corporate compliance in the second line of defense, and internal audit in the third line of defense. The main concern with putting corporate compliance and internal audit under common independent leadership is that internal audit cannot then independently audit the compliance function activities. If internal audit cannot independently audit compliance under one umbrella, then it is an internal audit performance issue rather than an inherent limitation with the structure. In addition to the internal reports we provide management and the audit committee, our external auditors review our compliance activities and results. They attend every audit committee meeting, and the audit committee asks for their opinions about the internal audit and corporate compliance functions during multiple executive sessions throughout the year. If our compliance function were underperforming compared to our peers, our external auditors would inform the audit committee. </p><p>Apart from that, management and the board receive other third-party evidence to determine if internal audit is not being above board with its assessment of compliance activities. For example, as a health-care provider to Medicare Advantage programs, insurance plans that provide supplemental coverage to people with government provided Medicare coverage, our compliance program is subject to annual audits by the Medicare Advantage insurance companies. Numerous insurance companies have completed detailed audits of our compliance program, requiring documentation and audit testing support for compliance program requirements. Each of the external auditors issued audit reports showing no findings or recommendations. These reports are provided to senior management and the audit committee as independent third-party support.</p><p>We also have a senior-level enterprisewide corporate compliance committee, chaired by a physician leader. The committee meets twice a month to review compliance program activities and results. The organization's ERM program also has identified regulatory compliance as an area of risk. Compliance risks and current mitigation activities are under the oversight of our ERM Steering Committee. The corporate compliance function has to demonstrate to the steering committee how the organization is addressing and mitigating these risks.</p><p>Management and the board also may request to have an external peer review of the compliance program performed. Similar to the process included in The IIA's <em>International Standards for the Professional Practice of Internal Auditing</em>, an external peer review of the compliance program would provide an independent evaluation of compliance program effectiveness. </p><h2>Umbrella of Benefits</h2><p>The integrity office model was not a common organizational structure at the time Cleveland Clinic implemented it 12 years ago. Given the success we have experienced and benefits we have realized from having internal audit and corporate compliance under the leadership of an integrity office umbrella, it is easy to see why an increasing number of health-care entities have subsequently adopted it. </p><p>In addition to the internal benefits realized, we are pleased that our integrity office model has been an integral part of Cleveland Clinic being recognized as one of the World's Most Ethical Companies by Ethisphere for eight years. It is a recognition that the organization is proud to have received and maintained.</p>Donald A. Sinko1
Governance in View in View<p>​Today's business landscape creates some tricky terrain for organizations to navigate. Heightened scrutiny of boards and management, and transformational internal and market forces are the rule, rather than the exception. In this environment, a corporate governance assessment can yield significant value for organizations. Moreover, it enables internal audit to satisfy the requirements of Standard 2110: Governance.</p><p>Corporate governance is the system of rules, practices, and processes by which an organization is controlled and directed. It sets the foundation not only for business protection and strategic performance, but also for the confidence of the markets, investors, regulators, and other key stakeholders. Effective corporate governance is a powerful driver for achieving strategic objectives in dynamic environments while supporting a strong risk culture (see "The Value of Corporate Governance" below right).</p><h2>Laying the Groundwork</h2><p>Determining whether strong corporate governance practices are in place entails taking a hard look at big-ticket issues such as the board's and the executives' roles and practices, how leadership sets and agrees on strategy, how that strategy translates into overall action plans, how those plans are managed, and how progress is measured against goals. Performing this analysis has enormous advantages, but there is a potential catch. This is an assessment of the top of the organization — its board, management, business strategy, and risk management and compliance functions. The return is high, but so are the risks to internal audit. Planning, execution, and reporting must be aligned to the broad based stakeholder group so internal audit's findings and recommendations are fully supported and acted upon. That makes it imperative that corporate governance audits are well planned and skillfully executed. Internal audit must obtain the necessary buy-in at the highest levels, provide excellent communication and project management throughout the audit, and ensure it has the right expertise focused on the review from the start through the final deliverable. </p><p>​As chief audit executives consider these issues, they should keep in mind the expectations of key stakeholders such as the board, C-suite, and business unit management. Without stakeholder commitment — including making time for interviews, reviewing results, and implementing improvements — the audit can't succeed. By seeking high-level input and perspective early on, internal audit can respond to stakeholder concerns, incorporate their priorities, and ensure the audit goes forward with the appropriate backing from senior management.</p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​ <p> <strong>The Value of Corporate Governance</strong></p><p>Corporate governance has several tangible benefits:</p><ul><li> <strong>Meeting heightened expectations of regulators and stakeholders.</strong> Faced with unprecedented scrutiny, many boards are challenged to move their organizations forward while meeting the ever-increasing demands of stakeholders and regulators. <br></li><li> <strong>Managing the organization's shifting risk profile because of internal and market forces.</strong> Organizations in many industries are striving to transform themselves. Changing business models and expansion into new businesses, services, and products continually reshape an organization's risk profile. Adapting corporate governance to these new realities is an important component of a successful business transformation.<br></li><li> <strong>Identifying blind spots that could impede achievement of the organization's strategy.</strong> Without strong corporate governance, organizations may struggle with conflicting objectives or a competing strategy that is diverting resources from a priority project.<br></li><li> <strong>Addressing concerns about risk culture.</strong><em> </em>Without a business strategy, it's difficult — if not impossible — to determine whether the organization is taking appropriate risks. Robust corporate governance can maintain focus on the organization's strategy and how it aligns with its risk culture.<br></li><li> <strong>Surveying the organization's lines of defense.</strong> There's a great deal to be gained from looking carefully at the organization's 1) revenue-generating business units and their accountability for the risks they create, 2) risk management teams and the framework they have created for business units, and 3) internal audit function, including internal and board reporting objectives. ​<br></li></ul></td></tr></tbody></table><p>​It's also important to focus on the organization's external stakeholders such as regulators, shareholders, and external auditors. Once announced, internal audit's decision to undertake a corporate governance audit will generate intense interest. Auditors should prepare for regulator requests to look at their approach and findings. </p><div><p>Delving into governance audits without the right expertise, timeline, and scope can hurt the internal audit function. Depending on its depth of expertise, internal audit may want to bring in third-party subject-matter specialists to provide additional credibility, experience, and an industry sector perspective that is benchmarked against leading practices. Working closely with outside subject-matter experts also provides an excellent knowledge transfer opportunity that can assist internal audit in future reviews. </p><div><h2>Governance and Risk</h2><p>A look at the corporate governance risk framework is a helpful way to understand the structure for an audit (see "The Corporate Governance Risk Framework" below right). Internal auditors should ask several questions about the organization's corporate governance framework. Auditors at highly regulated organizations already may be hearing these questions from regulators. However, any organization would benefit from exploring whether its governance model:</p><ul><li>Guides strategic direction and day-to-day control.<br></li><li>Outlines the rules and procedures for making decisions.<br></li><li>Specifies and distributes rights and responsibilities, including decision-making authority, among the organization's various stakeholders.<br></li><li>Provides structure and accountability through which the organization can achieve its objectives and monitor how it performs.<br></li><li>Maintains the integrity of the organization's structure and accountability.<br></li><li>Influences the appropriate tone and risk culture.<br></li></ul><p> <br> </p><p>Risk culture merits special emphasis because it is at the heart of corporate governance. If internal auditors fail to consider the organization's risk culture, they may miss the subtle indicators of ineffective governance.​ For example, a company may have a well-designed governance structure but ineffective governance because its risk culture discourages managers from escalating risk issues for fear of the consequences. </p><p>Finally, the organization needs to decide where it wants to be in the corporate governance maturity model. Does it want to be a leader in one or more areas, or is average sufficient? A corporate governance audit can benchmark where the organization stands on categories ranging from board governance to strategic planning to tone at the top to risk management and corporate compliance. For each of these areas (and more), auditors can chart whether the organization is lagging, average, or leading against peers. </p><h2>Structuring the Audit</h2><p>There is not one ideal way to assess the state of corporate governance. An example of an approach that is well-suited to an organization embarking on this process for the first time is to execute a two-phase assessment comprising an initial advisory phase and an audit phase.​</p><p> <strong>Advisory Phase </strong>In the first phase, the goal is to establish a baseline by focusing on the entire governance framework. The assessment relies heavily on interviews with a selection of board members, senior executives, and others in the organization. The questions should focus on a broad range of governance topics, including corporate strategy, board oversight and committee structure, management committee structure, tone at the top and culture, the state of the compliance program, and the state of the risk management program. At the highest level, these interviews should provide a view of their understanding of the organization's governance processes and how those processes are aligned with corporate objectives. </p><p> Auditors also should review supporting documentation, such as bylaws, board committee charters, policies, and organizational charts, to create a holistic picture of the organization's culture and processes. They then should analyze information developed through the interviews and document review processes and assess it against a maturity scale. Audit recommendations should assist the organization to ultimately move farther along that scale.</p><p>A corporate governance assessment will require the audit team to make qualitative judgments about the design of the governance structure. Internal audit will need to determine how formal the corporate governance elements should be compared to leading practices in the industry and at peer companies. Performing the initial work as an advisory review allows for a freer two-way exchange of ideas and observations ahead of the formal audit.</p><p>During the advisory phase, internal audit should communicate the results of its interviews and assessment to management as recommendations instead of formal issues. The absence of an opinion positions the internal auditor as a business advisor, which promotes candid discussions and more informed recommendations. </p><p>At the end of the advisory phase, suitable time is needed to allow the organization to implement corrective actions in response to recommendations resulting from the first phase. The amount of time depends on the extent of remediation required and often will be more than a year to allow for policies to be developed or enhanced and implemented.​</p><p> <img src="/2018/PublishingImages/Schwartz-the-corporate-governance-risk-framework.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" /> <strong>Audit Phase </strong>With an established framework in place, the company can conduct a formal audit to assess the effectiveness of governance processes. Here, the scope is narrower and builds on the previous review work. As during the first phase, interviewing board members and executives is a key component. In-depth testing of key risk areas also is important. Examples of key risk areas include delegation of authority, board and management committee charters, risk appetite, and the compliance testing program. The outcome is an analysis of targeted issues, leading practice recommendations for improvements, and a formal audit opinion. </p><p>Internal auditors should keep in mind that they are auditing the leadership of the organization. Presenting corporate governance audit findings to the CEO or board members is the ultimate "seat at the table" for CAEs. They must ensure their facts are thoroughly vetted and benchmarking against leading practices is well supported. Anything short of that could damage internal audit's credibility.</p><p>This two-phase method is just one approach to auditing corporate governance. Organizations with a well-honed governance structure may prefer to start directly with the audit phase. The key is to tailor an approach for the organization, considering issues such as the maturity of its structures, availability of resources, and leadership and regulatory expectations.</p><h2>Driving Change</h2><p>The value proposition for a corporate governance assessment is significant. Working closely with the board and senior management, internal auditors have an opportunity to drive change. This is a high-risk, high-reward effort, though. A thoughtful, measured approach and stakeholder buy-in are critical at every stage — from planning through report issuance. </p></div></div>Doug Watt1
Taking the Lead on Blockchain the Lead on Blockchain<p>​Internal auditors are no strangers to change, and change continues to transform even the most traditional of processes. The latest revolutionary innovation is blockchain. Initially the technology underlying digital currencies such as Bitcoin, blockchain is beginning to change processes across many industries. </p><p>Like all new technologies, blockchain may produce innumerable new risks. Yet ultimately, it has the potential to help manage and mitigate many traditional audit risks. Internal auditors need to understand how blockchain may change business processes, determine the risks to the organization, and revisit audit processes and procedures to leverage the technology in their work. </p><h2>How It Works</h2><p>A blockchain is effectively a type of decentralized database known as a distributed ledger. Unlike traditional databases, blockchains have no sole administrator. As each transaction is recorded, it is time-stamped in real time onto the "block." Each block is linked to the previous block, and each user has a copy of that block on his or her own device. That process effectively creates an audit trail. </p><p>Blockchain is most notably used for transactions involving the buying or selling of digital currencies. Although the electronic encrypted audit trail is one by-product of the underlying technology of interest to internal auditors, another interesting side effect of the process is an accounting methodology called triple-entry accounting. Modern financial accounting is based on double-entry bookkeeping dating back to the 1400s. With triple-entry accounting, all entries for a given transaction are made to the blockchain to verify and document receipt of the transaction.Thus, triple-entry accounting blends traditional double-entry accounting with third-party validation. As such, this methodology potentially could vastly alter traditional accounting processes and the subsequent control activities, risk assessment, and monitoring activities.</p><h2>Impact on Audit Process</h2><p>Often, internal auditors must catch up with technologies that are already in place, making modifications to the existing audit plan arduous and further emphasizing the need for a dynamic and adaptable audit plan. The complexity and incremental cost associated with blockchain implementation creates additional risk to the organization, making it vital that auditors are involved from inception and not just after implementation when a final process must be audited. Other risks associated with blockchain include scalability constraints, new privacy and security risks, and the need to consider new regulatory requirements, many of which have not yet been promulgated.</p><p>Historically, auditors have been tasked with verifying the management assertions of existence, valuation, rights and obligations, completeness, and presentation and disclosure. The use of a distributed general ledger virtually eliminates the possibility of altering transactional data or inputting fictitious data, as the encrypted signatures of both parties involved in a given transaction are required. </p><p>Even with recent media coverage of digital currency hacks, the supporting technology underlying blockchain continues to be touted as "tamper-proof," "validated," "secure," and "private." Hacks are possible on applications that use blockchain, just as on an organization's intranet. However, for a hack or data leak to occur, an attacker not only has to concurrently hack each user on the network, but also bypass encryption. Such an intrusion would be highly visible to those on the network.<strong><em> </em></strong>Internal auditors must perform comprehensive risk assessments to determine the likelihood, magnitude, and nature of potential threats as well as the appropriate preventive, detective, and corrective controls. </p><p>In addition to the data being more secure and valid, using a distributed public ledger gives auditors access to transactional data needed for the audit in real time, thus allowing for more continuous auditing. While continuous auditing has the potential to enable auditors to be more efficient, proactive, adaptive, and forward-looking, internal audit departments must explore the impact continuous auditing may have on existing audit programs and the potential disruption to the traditional audit cycle. Specifically, auditors must consider how it could impact scheduling, planning, and the actual collection of audit evidence.  </p><p>While blockchain would in no way be a substitute for U.S. Sarbanes-Oxley Act of 2002 control testing, it could greatly increase the efficiency of traditional audits, creating a more uniform and highly verified audit trail from which to work. The improved quality of data and fewer reconciliations can potentially reduce the amount of work necessary throughout the year. Auditors may be able to conduct more work remotely, because less fieldwork will have to occur at the client's site.<strong><em> </em></strong>Moreover, efficiency gains from blockchain may enable internal auditors to focus on other high-risk areas such as internal control, compliance, or operational audits. </p><h2>Audit Implications</h2><p>With the advent of blockchain, the nature of audit work may change pervasively. Potential changes to consider include: </p><ul><li> <em>Systematically less reliance on paper documentation that can be altered or falsified easily.</em> Matching and vouching to test for existence and appropriate valuation may largely be outdated, as auditors will have easy access to transactional data that already has been mutually agreed upon and verified by an independent third party.<br></li><li> <em>Differing cybersecurity risks and controls.</em><strong> </strong>As the use of blockchain makes data available to everyone on the network, both physical and logical access controls will be more important than ever. In addition, use of a distributed public ledger can decrease the risk of successful computer attacks and may increase the visibility of attacks. The increased visibility elevates the importance of an organization's incident response plan.   <br></li><li> <em>More involvement in creating new processes based on blockchain technology.</em><strong> </strong>As recent publications from the Big 4 firms note, the reliance on blockchain technology may require auditors to collaborate with IT professionals and raise the demand for auditors with IT expertise. Subsequent documentation of new processes and changes to old processes are key controls that auditors should not overlook. Over time, the use of blockchain may lead to increased standardization in both business processes and audit processes across industries as best practices emerge. <br></li></ul><h2>Risks and Rewards</h2><p>To prevent or lessen the risk of crisis that often precedes imminent change, internal auditors must stay abreast of emerging technologies such as blockchain. Yet, as with many new technologies and processes, blockchain may present a steep learning curve for auditors. Understanding the underlying technology of a distributed public ledger can enable auditors to assess the new control environment and new risks to the organization. In this way, internal auditors can be change agents who help mitigate the negative risks that all too often accompany the rewards associated with any new technology.​</p>Jamie L. Hoelscher1
Internal Auditors: More Than Cybersecurity Police Auditors: More Than Cybersecurity Police<p>​​New guidance announced by the U.S. Securities and Exchange Commission last week is raising the bar on how publicly traded companies report on their handling of one of the top challenges facing every organization — cybersecurity.</p><p>The new cyber-risk guidance, an evolution of guidance first released by the regulator in 2011, boosts reporting requirements in various ways, from disclosures about board involvement in cyber-risk oversight to enhancing internal reporting procedures that more effectively determine when cyber issues rise to the level of materiality and, therefore, should be reported publicly. The new guidelines inevitably will create new compliance challenges and, with that, additional need for internal audit to provide assurance on those compliance efforts.</p><p>The new U.S. rules, along with the upcoming deadline to meet strict European Union guidelines on data protection, are high-profile examples of where internal audit can provide important assurance on information technology (IT). </p><p>But it is important, indeed crucial, for organizations to understand that management of cyber risks and data protection are only part of the overall IT governance picture and that internal audit can and should play a larger role than simply acting as the cybersecurity police.</p><p>A recently published IIA <a href="">Global Technology Audit Guide (GTAG)</a> provides direction and insight on internal audit's approach to auditing IT governance. The GTAG's executive summary captures the benefits of strong IT governance and describes how proper IT governance can help organizations achieve their goals.</p><p>From the GTAG executive summary:</p><p><span class="ms-rteStyle-BQ">"Effective IT governance contributes to control efficiency and effectiveness​​​​​, and allows the organization's investment in IT to realize both financial and nonfinancial benefits. Often when controls are poorly designed or deficient, a root cause is weak or ineffective IT governance." </span></p><p>The benefits of effective IT governance are significant. In addition to aligning IT strategies with organizational objectives, it helps identify and properly manage risks; optimizes IT investments to deliver value; defines, measures, and reports on IT performance using meaningful metrics; and helps manage IT resources.</p><p>Sound IT governance helps organizations address IT challenges, such as the growing complexity of IT environments, growing use of data to make business decisions, and, as previously discussed, the growing number of laws and regulations associated with the threat of cyberattacks.</p><p>As with all governance issues, internal audit is uniquely positioned to give management and the board a clear-eyed assessment on the effectiveness and efficiency of the processes and structures that make up IT governance.</p><p>The GTAG provides valuable insights on how responsibilities of multiple governance structures within the organization can overlap. For example, corporate governance oversees conformance processes and is involved in compliance and business governance oversees performance processes.</p><p>The key is for internal audit to examine — and to help management and the board understand — the interplay among all three governance structures and not view IT governance as somehow separate and apart. A key message from the GTAG captures this well:</p><p><span class="ms-rteStyle-BQ">"Alignment of organizational objectives and IT is more about governance and less about technology. Governance assures alternatives are evaluated, execution is appropriately directed, and risk and performance are monitored."</span></p><p>The GTAG provides internal auditors the tools and techniques to build work programs and perform engagements involving IT governance. These include a step-by-step description of engagement planning, from understanding the context and purpose of the engagement to reporting results. Additionally, five appendices provide related IIA standards and guidance, a glossary of key terms, a sample internal controls questionnaire, a risk and controls matrix, and a list of additional resources.</p><p>It is important to emphasize that having a well-developed IT governance audit program in place will help integrate IT into the overall governance strategy and take the mystery out of IT, which often contributes to poor IT controls. It also will help position organizations to respond quickly and efficiently to changes in regulations or IT-related risks.</p><p>The current scramble to meet upcoming European Union rules on data protection suggest that not enough organizations are taking a comprehensive approach to IT governance. Indeed, those troubles were clearly reflected in an August survey by DocsCorp, reported in <a href="">The Current State of GDPR Readiness</a>. The survey found 43 percent of respondents from Europe and the United Kingdom identified financial penalties for noncompliance as their biggest concern with the new rules. In Canada and the United States, the survey found 73 percent of respondents had yet to start preparing for the new rules and 54 percent were unaware of the May 25 compliance deadline.</p><p>I encourage every chief audit executive to download and review the new GTAG and discuss IT governance with their management and boards. Providing an accurate and unbiased assessment of how IT operates within the organization is another example of where internal audit can add value and help organizations achieve their goals.</p><p>As always, I look forward to your comments.​</p>Richard Chambers0
The Extended Enterprise Extended Enterprise<p></p> <p>Whether it is referred to as third-party risk, vendor management, supply chain management, or something else, organizations must recognize the risk implications of operating as an extended enterprise. Today’s interconnected business models enable companies to leverage partnerships to manage costs and increase competitive advantage. In the extended enterprise, company data and, in many cases, its client or associate data are shared, transferred, processed, or stored by external entities. Very often, this data is among the organization’s key information assets. The risk to the entity unknowingly increases when management has not assessed or addressed the potential threats being posed to key assets in this sharing process. These risks may include security protections and associated breach risk, availability standards and associated operational risk, ownership rights and associated strategic risk, and other key risk points across financial, operational, reputational, and legal areas. Considering these risks and evolving business operations — alongside an increasingly complex regulatory landscape — third-party governance and oversight models are a must-have for organizations. </p><p>Gone are the days when an organization’s simple inquiry into a new vendor’s policies, data security practices, and control structure during the vendor procurement process was considered sufficient. Over time, simple inquiry evolved into a brief, often narrowly focused, evidence or documentation gathering exercise with limited actual review or scrutiny. Fast forward to today when organizations are expected, by stakeholders and regulators, alike, to know, assess, and actively monitor external providers’ adherence to defined practices. Internal audit — and its first and second line counterparts — must determine whether appropriate measures are in place to address third-party risk. This process begins by identifying and understanding two key data points: 1) Who are the organization’s vendors and external partners (and their subcontractors or providers)? and 2) What information is being shared with them? Once the landscape and risk profiles are understood, appropriate governance and monitoring also can be established. </p><p>Identifying key vendors is the initial step — keeping in mind individual relationships and vendor services structures must be fully understood. Does the organization use an external data center provider? Are there software as a service (SaaS)-based applications used within the organization? Is application development performed by an external provider? Where do external business partners exist within key operational business processes? What external entities do the finance, human resources, legal, security, and other corporate teams use to support their functions?</p><p>Certain functional areas and systems within the organization can assist in beginning the identification process. Procurement and legal are two functions that should have an understanding of the external partners and associated contracts in place. Review of payables data and vendor master data also can help identify external entities providing services. Discussion with divisional or functional management teams will help validate understanding of the entire third-party landscape, including process dependencies and integration points, as well as the scope of services the vendors provide.</p><p>During the identification process a “follow the data” approach should be applied. Internal data governance processes often aid in identifying data components and associated risk. This is the foundation for understanding which data elements to follow in this process. Data that is identified in categories such as “high risk” or with specific regulatory requirements must be traced through its life cycle to all sources. This includes anyone in the vendor process who may handle the data. </p><p>During the data tracing process, the consideration of “fourth-party providers” also must be included. Fourth parties (or fifth or beyond) are vendors or subservice providers used by an organization’s direct vendors — extending the risk and governance requirements even further into the supply chain. These can be identified through review of vendor contracts (as they often will specifically state whether services can be subcontracted), but in many cases only are identified during inquiry and discussion with the vendor directly. They all must be assessed as any exposure to risk must be identified and appropriately mitigated.</p><p>Along with developing a comprehensive inventory of the vendors providing services across the organization, organizations are well-served by establishing a standard rating or assessment criteria structure to consistently assign a risk classification or other rating to each external business partner. Internal audit can help build or enhance this classification framework based on its understanding of risk assessment principles, as well as its knowledge of business operations and key risk points. </p><p>Often, the vendor risk rating or classification structure will include assessment of data being shared, vendor operations, potential customer impact, regulatory considerations, and level of dependency on the vendor for ongoing operations (e.g., system availability or other operational requirements). These categories should be assigned quantifiable metrics where possible, based on risk thresholds established by the organization. Leveraging this standard classification structure, critical vendors can be identified and the assessment process structured in a prioritized fashion, aligning risk with associated review frequency and depth.</p><p>While this article focuses specifically on recommendations to be included in the vendor assessment process, a full vendor management program includes the entire life-cycle process for managing vendor relationships — from planning and selection to ongoing monitoring. Specific design of the vendor assessment process and approach must be aligned with organizational requirements; however, certain focus areas are appropriate for most companies. Common elements may include:</p><ul><li>Information Security — technical configurations, security architecture, access management, monitoring, and incident response.<br></li><li>Physical Security — facility access, security monitoring, and document control measures.<br></li><li>Policies and Programs — program and governance models, policies and standards, and reporting structures.<br></li><li>Human Resources — background checks/verifications and associate training programs.<br></li><li>Availability — system maintenance and monitoring process, support and operational oversight, and system change processes.<br></li><li>Business Continuity — disaster recovery and business resumption plans.<br></li><li>Regulatory Compliance — key requirements may apply to specific data types or industries; the Health Insurance Portability and Accountability Act and General Data Protection Regulation are examples of regulations including specific requirements in regard to third parties.<br></li><li>Vendor Management — extension of requirements to subservice providers and associated monitoring. <br></li></ul><p><br></p><p>​During the vendor review process, it is likely that gaps will be noted between expectations or obligations and actual practices. Effective risk management for third parties also includes ongoing monitoring of vendor response to concerns to ensure they are appropriately addressed.</p><p>Implementation and operation of a third-party risk management program is not a small undertaking. However, when considering the business risk associated with vendors and operating with an extended enterprise model, the opportunity for reducing risk and potentially better leveraging vendor partnerships clearly demonstrates the necessity and value of the effort. A measured and phased approach will address the most significant risks as the program matures over time. ​</p>Melissa Ryan1
Board Matters Matters<p>​Having a sound relationship with the board is crucial if internal audit functions are to serve their organizations well and provide effective assurance. ​Whether chief audit executives (CAEs) report directly to the board or, more likely, to an audit committee, it is vital that the two sides share an informed understanding of internal audit and its role and purpose within the organization. That is why educating the board about the level and nature of assurance internal audit provides is an important part of any CAE’s role. </p><p>While that is an easy principle to grasp, achieving it in practice can be a difficult and prolonged journey for both sides. Explaining what internal audit can do and how the function should be positioned in the business is likely to be unhelpful, unless it is done in the context of the board’s real-life needs. “CAEs should be thinking about putting themselves in the shoes of the board members, and understanding what is on their agenda and why,” says Ninette Caruso, CAE at Discover Financial Services in Riverwoods, Ill. Boards are more likely to be concerned with business issues such as profitable growth, dealing with competitors, net profits, and complying with pressing regulatory issues. If internal audit is not engaged in those areas, trying to educate the board about assurance is likely to feel too abstract and disconnected from the business. </p><h2>Board Perspective</h2><p>As internal audit begins to provide specific value and advice to the board in those parts of the business where it has genuine concerns, Caruso says it will be effectively educating the board about what true risk-based internal audit means to the organization by demonstrating the type and level of assurance it can provide. In doing so, internal audit will be greatly appreciated and recognized for it. </p><p>“Let’s try to understand where the board is coming from and not waste time trying to add value to, say, a compliance audit if the board is not really interested in that area,” Caruso says. “Instead, the internal audit function needs to focus on perhaps two main issues on the board’s agenda at that particular point in time and to put all of its efforts into those areas.”</p><p>Getting issues onto the board’s agenda that internal audit feels are important, but the board does not, can be more challenging. Caruso says it demands a level of storytelling that auditors are not often used to about what they have found and why that matters to the organization.</p><p>“Even if the board only wants internal audit to check the controls put in place by management and risk functions, internal audit can still play an educating role by standing back and looking at themes that emerge from the interaction between different parts of the business,” Caruso says. “Nobody may want that from internal audit until we bring it to them and they can see the value of it firsthand.”</p><h2>A Clear Understanding</h2><p>Louis Cooper, chief executive of the U.K.’s Non-Executive Directors’ Association, a professional training and education membership organization based in London, understands how CAEs and nonexecutives think about each other. He agrees with Caruso when she says that CAEs often dive in, providing services that they believe the board will want without stepping back and asking some simple questions first — and listening to the responses. </p><p>As Caruso says, boards generally want to know what the key issues are and what the organization needs to do to respond to them. But building a picture of what the board wants can take time. “Internal audit often has a disjointed view of the board because of the limited contact it has with its members through various committees and because of the brevity of that contact,” Cooper says. “Quite often, internal auditors only get pulled into the audit committee to present their report, so they often don’t have ongoing dialogue with key board members, especially the audit committee chair.” </p><p>In addition, internal auditors are busy people, he says, concerned with delivering their audit plans. That is why it is important for CAEs to schedule time within the audit plan, itself, for relationship building. Internal auditors can use those meetings to both strengthen their understanding of the board and explain how the function can serve the organization’s broader needs.</p><p>“Having a clear understanding of the corporate governance framework within the organization enables people to connect the dots on the risks that have been identified in the organization,” Cooper says. “Internal audit’s knowledge of the organization and its related feedback on the effectiveness of the corporate governance framework is an element often missing from such conversations.”</p><p>If the CAE can help the board come to grips with the control environment and help ensure management takes more ownership over some of the control processes, it can promote a better balance of activity based on management fulfilling its role in the Three Lines of Defense model. That helps move internal audit away from low-level controls testing and into a more strategic risk-based auditing, the internal auditor’s “holy grail,” which can, in turn, free time in the audit plan for big-picture audits or consultancy-style projects.</p><h2>Manage Expectations</h2><p>Kristiina Lagerstedt, vice president, Audit and Assurance, at Sanoma in Helsinki, and a board member at Uutechnic Group, says internal audit departments can educate boards on the progress of big change projects. She has been working on information security and privacy readiness and maturity in preparation for the European Union’s stringent new General Data Privacy Regulation (GDPR), set to come into force this year. Because Sanoma is operating in the media and learning sector, getting the rules right is crucial.</p><p>“When GDPR was introduced, I noticed there wasn’t a common approach to privacy and information security within my company,” she said. She raised the issue, and the company decided to establish a steering group to oversee preparations for the changes with the CEO as chair. </p><p>“I took care of the agenda for the first year and a half, and we met twice a quarter,” she explains. Six months ago, when the steering committee agreed that the privacy and information security programs were up and running appropriately, it decided to meet quarterly and the agenda moved over to the chief information security officer. Lagerstedt is still involved, but with a smaller role.</p><p>“For a CAE, it is important to get involved in group-level change programs to ensure a common approach across businesses and countries,” she says. Lagerstedt’s main contribution was to keep the project moving and keep top management and the board up to speed on the progress made, the main risks faced and how they were being dealt with, and the maturity levels the business units had achieved on a quarterly basis.</p><p>“When you are pushing things forward and operating as a change agent (or consultant), it is sometimes confusing for people in the business to understand what the role of internal audit is and should be,” she says. While internal audit took a front-line role in the GDPR project in some respects, she aims to involve the business’ external auditors in the next audit to help reassert internal audit’s independence.</p><p>“Be brave in the tasks you take on,” she says. “Think about the company doing the right thing, but also keep in mind your and your team’s limitations to successfully manage expectations and not give promises you cannot keep.” She says continual education about what internal audit does and can do is key to success. “Remember to keep top management and the audit committee informed about where you are, and what the next steps and most critical risks are,” she advises.</p><h2>Explain the Standards</h2><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​ <style> p.p1 { line-height:12.0px; font:14.0px 'Interstate Light'; } p.p2 { line-height:12.0px; font:42.5px 'Interstate Light'; } p.p3 { line-height:12.0px; font:9.0px 'Interstate Light'; } p.p4 { text-indent:12.0px; line-height:12.0px; font:9.0px 'Interstate Light'; } span.s1 { vertical-align:1.5px; } span.s2 { } </style> <p><strong>IIA Standards</strong></p><p>Although The IIA’s <em>International Standards for the Professional Practice of Internal Auditing</em> does not explicitly say that the internal audit function should educate the board, it can be inferred from the many ways in which auditors communicate and work with directors and management across the business. While there is obvious value in providing education as to the effectiveness of the governance processes within the organization, and the type of major risks change projects can bring about, does it make sense to try to educate the board about the <em>Standards</em>? After all, the <em>Standards</em> are meant to be the benchmark of audit quality.</p><p>“Effective communications enable the audit committee to work with internal audit leaders to better understand the internal audit process,” Jim DeLoach and Charlotta Hjelm wrote in their 2016 CBOK Stakeholder Report, Six Audit Committee Imperatives: Enabling Internal Audit to Make a Difference. “To this end, directors should become more familiar with The IIA’s International Standards.”</p><p>Given the time constraints that both internal auditors and board members experience, is such a suggestion realistic or even desirable? According to evidence included in the report, the answer is yes. The quality and frequency of communication between CAEs and board members is greater among stakeholders familiar with the <em>Standards</em>, according to the report. Specifically, two out of three board members are familiar with the <em>Standards</em> to some degree and almost all — 98 percent — see value in internal audit conformance.</p><p>“If audit committee members do not have adequate knowledge of the <em>Standards</em>, they should ask the CAE for more information about them and how internal audit is ensuring their conformance,” DeLoach and Hjelm conclude.​</p></td></tr></tbody></table><p>For David MacCabe, a longtime CAE and an internal audit consultant based in Austin, Texas, informing the board that the internal audit function is conducting engagements in line with the <em>International Standards for the Professional Practice of Internal Auditing</em> is on his list of the critical assurances the CAE should provide to the board. </p><p>“Some members of the board may have minimal experience in business operations, such as those in nonprofit organizations, and they may just be interested in the programs and the people they serve,” he says. “But even in corporate America, there are some members of the board who may not be sure what their full duties and responsibilities are — and what the appropriate questions to ask as a responsible board member are.” </p><p>Internal audit can help educate them about those duties and, in doing so, underline its own credibility and integrity by explicitly saying it adheres to these international standards, he says. “Even for experienced boards, it can be useful to demonstrate that you are committed to external quality reviews by independent practitioners so they will know you are a step ab​ove what they may have experienced elsewhere,” he adds.</p><h2>Build Relationships</h2><p>Effective communication and other interpersonal skills are crucial to achieving that goal and, while MacCabe says today’s auditors are generally more personable than in the past, there is room for improvement. In addition, The IIA’s many useful tools and publications can help CAEs inform and educate the board about leading practices for internal audit teams and audit committees.</p><p>He agrees with other CAEs that progress can be slow, and trust and respect need to be earned both by word and deed. Being proactive and available to management and staff in formal and informal settings can be a winning approach, MacCabe says. “It makes a world of difference to be open-minded, available, accessible, and approachable in the hallway, in the cafeteria, and wherever in the organization,” he says. People are much more likely to share their concerns when you are friendly, and people get to know you.</p><p>He recalls one time when he brought a story he had heard through conversations with staff to a line manager. “The manager was worried I’d pass it on to his section head, but I gave him the option to act on it or not, and emphasized that it was not a complaint or concern, but an observation about something that may or may not be true,” he says. Situations like this can help form great relationships because the auditor is then viewed as being available to discuss issues and provide informal advice for control improvements or remedial actions. </p><p>“Building those relationships throughout the organization from the board to the frontline of the business is crucial,” MacCabe says. “Management often asked me to pass things onto the board, and that can be done either in confidence, or openly as they choose. Everyone benefits.” </p><h2>Commit to Improvement</h2><p>MacCabe says internal audit also must be committed to continuous improvement through internal and external quality assessments (refer to Standard 1300 series) and by continually updating its knowledge of leading internal audit and management practices, as well as business and industry trends. For that, quality assurance reviews are particularly important — especially because they form a key part of conforming with professional standards. He says he worries that only 39 percent of survey respondents worldwide said they had such an external review, according to the Common Body of Knowledge (CBOK) 2015 Global Internal Audit Practitioner Survey.</p><p>“It’s no use saying that we are professionals and then only being partly in conformance with our own <em>Standards</em> — that erodes our credibility,” he says. He urges CAEs and all internal auditors to be committed to achieving and demonstrating the highest professional standards. In striving to do so, auditors will become a more respected and vital source of knowledge and education on assurance for everyone in the business — especially the board. </p><style> p.p1 { line-height:12.0px; } p.p2 { text-indent:18.0px; line-height:12.0px; } p.p3 { line-height:12.0px; font:10.0px Amplitude; color:#b65b38; } p.p4 { text-indent:9.0px; line-height:12.0px; } p.p5 { line-height:9.0px; font:8.0px 'Interstate Light'; } span.s1 { } span.s2 { vertical-align:1.0px; } span.s3 { font:8.0px Interstate; } </style>Arthur Piper1
Are You Prepared? You Prepared?<h2>​What is internal audit's role in ensuring the organization has a disaster recovery plan? </h2><p>As we've recently seen, disasters — whether natural or from human activity — have shown the need for sound disaster recovery plans. Internal auditors play an assurance and consulting role in this arena, so they need to understand attitudes toward disaster recovery risk within their organizations. Disaster recovery should be part of the overall business continuity management process. For organizations that are ad hoc or reactive in their level of disaster recovery maturity, internal audit may need to assist in making the case to senior management for better preparedness.</p><p>As part of its risk assessment process, internal audit should examine the plan to determine if operations have been prioritized appropriately, and risk assessments and responses are sufficient and cost effective. Internal audit should note whether the plan is a working document that is updated timely as important changes take place, including acquired businesses and new software and technologies. Based on the level of risk, internal audit should schedule audits of the disaster recovery processes to provide assurance there are no significant gaps. ​Another opportunity for internal audit is educating senior management and the board on their responsibilities for ensuring effective risk management practices are in place for any outsourcing arrangements.​<br></p><h2>What should internal audit look for in a disaster recovery audit?</h2><p>The areas to cover in a disaster recovery audit can depend to some extent on the size, number of locations, and complexity of the organization. The most common areas to review are which functions and systems are covered or excluded in the plan and why, testing multiple scenarios to identify vulnerabilities and gaps in the plan, inventory of equipment and software, and documentation of backup and recovery processes (IT and non-IT). Auditors should consider critical data back-up storage and frequency — including data stored on computers, smartphones, and devices, which employees may use for work and personal use. Other items to review include testing of back-up systems to be sure data can be restored; insurance coverage; legal involvement and review; disaster recovery contract provisions, including service-level agreements with outsourcers and suppliers; and whether responsibilities are clearly defined.​​</p>Staff0

  • SCCE2018_August2018_Premium 1
  • IIA FSACACGABookstore_August2018_Premium 2
  • IIA EHS2018_August 2018_Premium 3