Governance

 

 

The Integrity Office
https://iaonline.theiia.org/2018/Pages/The-Integrity-Office.aspx
<p>While the mission statements of internal audit and corporate compliance functions are similar — focused on operational integrity, efficiency, and effectiveness — organizational structures often put them in separate worlds. In most organizations, the two departments have separate leadership, perform separate risk assessments, develop separate audit and monitoring plans, individually identify and investigate issues and concerns, and recommend appropriate solutions. Rarely does one know what the other is doing. It is unfortunate, because organizations can leverage the work of these two departments, so that working together they can bring value that is greater than the sum of the separate parts. </p><p>Twelve years ago, Cleveland Clinic's senior management and the audit committee decided to leverage the work of the offices of Internal Audit and Corporate Compliance by putting them under one umbrella, and calling it the Integrity Office. As the chief audit executive (CAE), I was promoted to a new C-suite position called chief integrity officer to lead the office, and continued to report directly to the audit committee.</p><h2>Structuring the Office</h2><p>The first organizational decision was whether to combine the two departments into one staff, or keep them as separate departments under one overall leader. Though their mission statements were similar, there was a key difference in their interpretation and application of the word <em>independent</em>. Consistent with the U.S. Federal Sentencing Guidelines, formal guidance issued by the Office of the Inspector General at the U.S. Department of Health and Human Services (DHHS), and requirements imposed in numerous corporate integrity agreements, corporate compliance must maintain an independent reporting structure to the governing body of the organization. 
It also must maintain independence and objectivity in all aspects of the organization's compliance and ethics programs. That said, the program cannot effectively be administered or maintained without at least some degree of coordination and collaboration with operational areas. For example, corporate compliance often participates in the development of policies and procedures, internal controls, and systems to mitigate risks. Independence is likewise a necessity for internal audit, but in a different way. The work of internal audit is much more defined than that of corporate compliance and must conform to stringent professional standards of independence. Internal audit must demonstrate independence of mind as well as appearance. Considering that independence and objectivity are core tenets of both professions, we felt it was necessary to preserve a certain degree of independence between them. We accomplished this by organizing them as separate departments within the Integrity Office.  </p><h2>Independence From General Counsel</h2><p>In many organizations, the compliance function reports to the office of general counsel. Board of director guidance from the DHHS Office of Inspector General has provided that the compliance officer should not be the general counsel, or the subordinate to that position. Corporate compliance independence from the legal department is critical, and the integrity office model provides that independence. Also, while many companies view the compliance department as a legal function, compliance programs should be focused on implementing regulations in the organization's operations and preventing noncompliance, or aiding early identification of issues. Therefore, having a compliance staff that understands the organization's operations and how the regulations can be implemented is most effective. </p><h2>Similar Skills</h2><p>Just as the missions of internal audit and corporate compliance are similar, so are the skills necessary for their work. 
Internal auditors need to understand an organization's operations to audit its processes effectively. Due to the complexity of an academic medical center's varied operations, Cleveland Clinic's internal audit staff consists of professionals with different backgrounds in finance, billing, coding, nursing, medical research, IT, and forensics. Similarly, the corporate compliance staff includes professionals with experience in nursing, billing, coding, medical research, and law. Both staffs need excellent investigation skills, and the diversity of professional experience provides a depth of knowledge necessary to audit across the risk population effectively and make appropriate recommendations. A major difference is that while both staffs can identify and report issues and make recommendations, corporate compliance also can be involved in the issue remediation process. Internal audit can subsequently complete a follow-up audit to determine if the recommendations were implemented correctly.</p><h2>Risk Assessment Benefits</h2><p>Cleveland Clinic is a complex, $8 billion academic medical center, with multistate regional hospitals and international operations. Like many organizations, it has an enterprise risk management (ERM) process that is focused on monitoring significant risks to the organization and what we are doing to address or mitigate those risks. While ERM focuses on the major enterprise risks, internal audit and corporate compliance have to focus on the related sub-risks at ground level.</p><p>Internal audit completes an extensive annual risk assessment as the basis of developing its annual audit plan. The risk assessment is a three-pronged process. First, it incorporates input from approximately 100 interviews each year from people throughout the enterprise. In addition to interviews of senior management and board members, we include mid-level managers, administrators, doctors, and nurses. 
Internal audit learns a lot about the risks they perceive, which can differ depending on their operation. This information is critical to our risk assessment, and we probably would not be aware of many of these perceived risks if we did not listen to such a broad group of people. </p><p>Second, we evaluate if we may be affected by national health-care issues or concerns currently impacting other organizations. We frequently read or hear about significant issues at peer organizations, and we want to determine if we may have the same exposures. Evaluating the issues during this process helps mitigate the exposure by either determining that it is not an issue for us, or that we have identified it and will resolve it more timely. </p><p>The third part of our risk assessment process is evaluating known risks from prior years. Have they adequately been resolved? Is a follow-up audit warranted? All three parts of the risk assessment process are important to capture and understand the risk population. </p><p>One element of an effective compliance program is to include the auditing and monitoring of compliance risks. Corporate compliance functions also have to perform a risk assessment to determine the risks to be included in their audit and monitoring programs. Risk assessments are much more effective when internal audit and compliance staff can work together to determine the risk population, evaluate the level of risk, and decide the risks to be audited and monitored. It is more effective to have the minds of both departments involved in evaluating risks. It is also more efficient, as it can eliminate the duplicate steps of both departments auditing the same areas or processes, as well as eliminate certain risks from falling through the cracks and not being audited at all. 
Management also appreciates when employees are interviewed once during the assessment process instead of internal audit interviewing employees the week after corporate compliance asked them the same questions. </p><p>A significant part of any U.S.-based health-care organization's compliance program is complying with the U.S. Health Information Portability and Accountability Act (HIPAA). HIPAA security regulations require an organization to have a current assessment of information security risks. At Cleveland Clinic, the chief information security officer reports functionally to the chief information officer, but also has an indirect, or dotted line, reporting to the chief integrity officer. This reporting line provides the chief integrity officer the ability to effectively monitor information security control activities, and the opportunity for internal audit and corporate compliance to make recommendations related to information security-related risks. </p><h2>Realizing Synergies </h2><p>While our formal risk assessment process happens annually, the benefits of internal audit and corporate compliance being under the same umbrella are reaped throughout the year. The findings from one of the department's activities may result in a change in plans for the other department. While internal audit and corporate compliance are separate departments, their offices are on the same floor and they can easily talk with each other about questions or concerns. </p><p>We continue to have separate monthly department staff meetings. Because I am familiar with the activities and results in both departments, my attendance at both staff meetings provides the opportunity for immediate transfer of helpful information during discussions. There also is a better understanding of and appreciation for the work performed by members of the other department. 
</p><p>Our internal audit staff has a forensic audit group that is charged with looking for financial, privacy, and information security-related anomalies. They also use their talents to provide corporate compliance support during complex compliance investigations. Our IT audit staff and operations audit staff provide support to compliance investigations when their talents are required to add value. </p><p>That support goes in both directions. Our compliance staff members consist of professionals from many disciplines, so they can provide internal audit with invaluable objective insight into areas being audited. Having everyone under the same organizational umbrella also eliminates resource politics. As the chief integrity officer, I can decide the best use of resources and not have to work through another executive's agenda. This is a significant benefit for both departments. </p><h2>Ensuring Independence </h2><p>The Three Lines of Defense model of internal controls puts corporate compliance in the second line of defense, and internal audit in the third line of defense. The main concern with putting corporate compliance and internal audit under common independent leadership is that internal audit cannot then independently audit the compliance function activities. If internal audit cannot independently audit compliance under one umbrella, then it is an internal audit performance issue rather than an inherent limitation with the structure. In addition to the internal reports we provide management and the audit committee, our external auditors review our compliance activities and results. They attend every audit committee meeting, and the audit committee asks for their opinions about the internal audit and corporate compliance functions during multiple executive sessions throughout the year. If our compliance function were underperforming compared to our peers, our external auditors would inform the audit committee. 
</p><p>Apart from that, management and the board receive other third-party evidence to determine if internal audit is not being above board with its assessment of compliance activities. For example, as a health-care provider to Medicare Advantage programs, insurance plans that provide supplemental coverage to people with government provided Medicare coverage, our compliance program is subject to annual audits by the Medicare Advantage insurance companies. Numerous insurance companies have completed detailed audits of our compliance program, requiring documentation and audit testing support for compliance program requirements. Each of the external auditors issued audit reports showing no findings or recommendations. These reports are provided to senior management and the audit committee as independent third-party support.</p><p>We also have a senior-level enterprisewide corporate compliance committee, chaired by a physician leader. The committee meets twice a month to review compliance program activities and results. The organization's ERM program also has identified regulatory compliance as an area of risk. Compliance risks and current mitigation activities are under the oversight of our ERM Steering Committee. The corporate compliance function has to demonstrate to the steering committee how the organization is addressing and mitigating these risks.</p><p>Management and the board also may request to have an external peer review of the compliance program performed. Similar to the process included in The IIA's <em>International Standards for the Professional Practice of Internal Auditing</em>, an external peer review of the compliance program would provide an independent evaluation of compliance program effectiveness. </p><h2>Umbrella of Benefits</h2><p>The integrity office model was not a common organizational structure at the time Cleveland Clinic implemented it 12 years ago. 
Given the success we have experienced and benefits we have realized from having internal audit and corporate compliance under the leadership of an integrity office umbrella, it is easy to see why an increasing number of health-care entities have subsequently adopted it. </p><p>In addition to the internal benefits realized, we are pleased that our integrity office model has been an integral part of Cleveland Clinic being recognized as one of the World's Most Ethical Companies by Ethisphere for eight years. It is a recognition that the organization is proud to have received and maintained.</p>Donald A. Sinko
Governance in View
https://iaonline.theiia.org/2018/Pages/Governance-in-View.aspx
<p>Today's business landscape creates some tricky terrain for organizations to navigate. Heightened scrutiny of boards and management, and transformational internal and market forces are the rule, rather than the exception. In this environment, a corporate governance assessment can yield significant value for organizations. Moreover, it enables internal audit to satisfy the requirements of Standard 2110: Governance.</p><p>Corporate governance is the system of rules, practices, and processes by which an organization is controlled and directed. It sets the foundation not only for business protection and strategic performance, but also for the confidence of the markets, investors, regulators, and other key stakeholders. Effective corporate governance is a powerful driver for achieving strategic objectives in dynamic environments while supporting a strong risk culture (see "The Value of Corporate Governance" below right).</p><h2>Laying the Groundwork</h2><p>Determining whether strong corporate governance practices are in place entails taking a hard look at big-ticket issues such as the board's and the executives' roles and practices, how leadership sets and agrees on strategy, how that strategy translates into overall action plans, how those plans are managed, and how progress is measured against goals. Performing this analysis has enormous advantages, but there is a potential catch. This is an assessment of the top of the organization — its board, management, business strategy, and risk management and compliance functions. The return is high, but so are the risks to internal audit. Planning, execution, and reporting must be aligned to the broad-based stakeholder group so internal audit's findings and recommendations are fully supported and acted upon. That makes it imperative that corporate governance audits are well planned and skillfully executed. 
Internal audit must obtain the necessary buy-in at the highest levels, provide excellent communication and project management throughout the audit, and ensure it has the right expertise focused on the review from the start through the final deliverable. </p><p>​As chief audit executives consider these issues, they should keep in mind the expectations of key stakeholders such as the board, C-suite, and business unit management. Without stakeholder commitment — including making time for interviews, reviewing results, and implementing improvements — the audit can't succeed. By seeking high-level input and perspective early on, internal audit can respond to stakeholder concerns, incorporate their priorities, and ensure the audit goes forward with the appropriate backing from senior management.</p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​ <p> <strong>The Value of Corporate Governance</strong></p><p>Corporate governance has several tangible benefits:</p><ul><li> <strong>Meeting heightened expectations of regulators and stakeholders.</strong> Faced with unprecedented scrutiny, many boards are challenged to move their organizations forward while meeting the ever-increasing demands of stakeholders and regulators. <br></li><li> <strong>Managing the organization's shifting risk profile because of internal and market forces.</strong> Organizations in many industries are striving to transform themselves. Changing business models and expansion into new businesses, services, and products continually reshape an organization's risk profile. 
Adapting corporate governance to these new realities is an important component of a successful business transformation.<br></li><li> <strong>Identifying blind spots that could impede achievement of the organization's strategy.</strong> Without strong corporate governance, organizations may struggle with conflicting objectives or a competing strategy that is diverting resources from a priority project.<br></li><li> <strong>Addressing concerns about risk culture.</strong><em> </em>Without a business strategy, it's difficult — if not impossible — to determine whether the organization is taking appropriate risks. Robust corporate governance can maintain focus on the organization's strategy and how it aligns with its risk culture.<br></li><li> <strong>Surveying the organization's lines of defense.</strong> There's a great deal to be gained from looking carefully at the organization's 1) revenue-generating business units and their accountability for the risks they create, 2) risk management teams and the framework they have created for business units, and 3) internal audit function, including internal and board reporting objectives. ​<br></li></ul></td></tr></tbody></table><p>​It's also important to focus on the organization's external stakeholders such as regulators, shareholders, and external auditors. Once announced, internal audit's decision to undertake a corporate governance audit will generate intense interest. Auditors should prepare for regulator requests to look at their approach and findings. </p><div><p>Delving into governance audits without the right expertise, timeline, and scope can hurt the internal audit function. Depending on its depth of expertise, internal audit may want to bring in third-party subject-matter specialists to provide additional credibility, experience, and an industry sector perspective that is benchmarked against leading practices. 
Working closely with outside subject-matter experts also provides an excellent knowledge transfer opportunity that can assist internal audit in future reviews. </p><div><h2>Governance and Risk</h2><p>A look at the corporate governance risk framework is a helpful way to understand the structure for an audit (see "The Corporate Governance Risk Framework" below right). Internal auditors should ask several questions about the organization's corporate governance framework. Auditors at highly regulated organizations already may be hearing these questions from regulators. However, any organization would benefit from exploring whether its governance model:</p><ul><li>Guides strategic direction and day-to-day control.<br></li><li>Outlines the rules and procedures for making decisions.<br></li><li>Specifies and distributes rights and responsibilities, including decision-making authority, among the organization's various stakeholders.<br></li><li>Provides structure and accountability through which the organization can achieve its objectives and monitor how it performs.<br></li><li>Maintains the integrity of the organization's structure and accountability.<br></li><li>Influences the appropriate tone and risk culture.<br></li></ul><p> <br> </p><p>Risk culture merits special emphasis because it is at the heart of corporate governance. If internal auditors fail to consider the organization's risk culture, they may miss the subtle indicators of ineffective governance.​ For example, a company may have a well-designed governance structure but ineffective governance because its risk culture discourages managers from escalating risk issues for fear of the consequences. </p><p>Finally, the organization needs to decide where it wants to be in the corporate governance maturity model. Does it want to be a leader in one or more areas, or is average sufficient? 
A corporate governance audit can benchmark where the organization stands on categories ranging from board governance to strategic planning to tone at the top to risk management and corporate compliance. For each of these areas (and more), auditors can chart whether the organization is lagging, average, or leading against peers. </p><h2>Structuring the Audit</h2><p>There is not one ideal way to assess the state of corporate governance. An example of an approach that is well-suited to an organization embarking on this process for the first time is to execute a two-phase assessment comprising an initial advisory phase and an audit phase.​</p><p> <strong>Advisory Phase </strong>In the first phase, the goal is to establish a baseline by focusing on the entire governance framework. The assessment relies heavily on interviews with a selection of board members, senior executives, and others in the organization. The questions should focus on a broad range of governance topics, including corporate strategy, board oversight and committee structure, management committee structure, tone at the top and culture, the state of the compliance program, and the state of the risk management program. At the highest level, these interviews should provide a view of their understanding of the organization's governance processes and how those processes are aligned with corporate objectives. </p><p> Auditors also should review supporting documentation, such as bylaws, board committee charters, policies, and organizational charts, to create a holistic picture of the organization's culture and processes. They then should analyze information developed through the interviews and document review processes and assess it against a maturity scale. Audit recommendations should assist the organization to ultimately move farther along that scale.</p><p>A corporate governance assessment will require the audit team to make qualitative judgments about the design of the governance structure. 
Internal audit will need to determine how formal the corporate governance elements should be compared to leading practices in the industry and at peer companies. Performing the initial work as an advisory review allows for a freer two-way exchange of ideas and observations ahead of the formal audit.</p><p>During the advisory phase, internal audit should communicate the results of its interviews and assessment to management as recommendations instead of formal issues. The absence of an opinion positions the internal auditor as a business advisor, which promotes candid discussions and more informed recommendations. </p><p>At the end of the advisory phase, suitable time is needed to allow the organization to implement corrective actions in response to recommendations resulting from the first phase. The amount of time depends on the extent of remediation required and often will be more than a year to allow for policies to be developed or enhanced and implemented.​</p><p> <img src="/2018/PublishingImages/Schwartz-the-corporate-governance-risk-framework.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" /> <strong>Audit Phase </strong>With an established framework in place, the company can conduct a formal audit to assess the effectiveness of governance processes. Here, the scope is narrower and builds on the previous review work. As during the first phase, interviewing board members and executives is a key component. In-depth testing of key risk areas also is important. Examples of key risk areas include delegation of authority, board and management committee charters, risk appetite, and the compliance testing program. The outcome is an analysis of targeted issues, leading practice recommendations for improvements, and a formal audit opinion. </p><p>Internal auditors should keep in mind that they are auditing the leadership of the organization. Presenting corporate governance audit findings to the CEO or board members is the ultimate "seat at the table" for CAEs. 
They must ensure their facts are thoroughly vetted and benchmarking against leading practices is well supported. Anything short of that could damage internal audit's credibility.</p><p>This two-phase method is just one approach to auditing corporate governance. Organizations with a well-honed governance structure may prefer to start directly with the audit phase. The key is to tailor an approach for the organization, considering issues such as the maturity of its structures, availability of resources, and leadership and regulatory expectations.</p><h2>Driving Change</h2><p>The value proposition for a corporate governance assessment is significant. Working closely with the board and senior management, internal auditors have an opportunity to drive change. This is a high-risk, high-reward effort, though. A thoughtful, measured approach and stakeholder buy-in are critical at every stage — from planning through report issuance. </p></div></div>Doug Watt
Taking the Lead on Blockchain
https://iaonline.theiia.org/2018/Pages/Taking-the-Lead-on-Blockchain.aspx
<p>Internal auditors are no strangers to change, and change continues to transform even the most traditional of processes. The latest revolutionary innovation is blockchain. Initially the technology underlying digital currencies such as Bitcoin, blockchain is beginning to change processes across many industries. </p><p>Like all new technologies, blockchain may produce innumerable new risks. Yet ultimately, it has the potential to help manage and mitigate many traditional audit risks. Internal auditors need to understand how blockchain may change business processes, determine the risks to the organization, and revisit audit processes and procedures to leverage the technology in their work. </p><h2>How It Works</h2><p>A blockchain is effectively a type of decentralized database known as a distributed ledger. Unlike traditional databases, blockchains have no sole administrator. As each transaction is recorded, it is time-stamped in real time onto the "block." Each block is linked to the previous block, and each user has a copy of that block on his or her own device. That process effectively creates an audit trail. </p><p>Blockchain is most notably used for transactions involving the buying or selling of digital currencies. Although the electronic encrypted audit trail is one by-product of the underlying technology of interest to internal auditors, another interesting side effect of the process is an accounting methodology called triple-entry accounting. Modern financial accounting is based on double-entry bookkeeping dating back to the 1400s. With triple-entry accounting, all entries for a given transaction are made to the blockchain to verify and document receipt of the transaction. Thus, triple-entry accounting blends traditional double-entry accounting with third-party validation. 
As such, this methodology potentially could vastly alter traditional accounting processes and the subsequent control activities, risk assessment, and monitoring activities.</p><h2>Impact on Audit Process</h2><p>Often, internal auditors must catch up with technologies that are already in place, making modifications to the existing audit plan arduous and further emphasizing the need for a dynamic and adaptable audit plan. The complexity and incremental cost associated with blockchain implementation creates additional risk to the organization, making it vital that auditors are involved from inception and not just after implementation when a final process must be audited. Other risks associated with blockchain include scalability constraints, new privacy and security risks, and the need to consider new regulatory requirements, many of which have not yet been promulgated.</p><p>Historically, auditors have been tasked with verifying the management assertions of existence, valuation, rights and obligations, completeness, and presentation and disclosure. The use of a distributed general ledger virtually eliminates the possibility of altering transactional data or inputting fictitious data, as the encrypted signatures of both parties involved in a given transaction are required. </p><p>Even with recent media coverage of digital currency hacks, the supporting technology underlying blockchain continues to be touted as "tamper-proof," "validated," "secure," and "private." Hacks are possible on applications that use blockchain, just as on an organization's intranet. However, for a hack or data leak to occur, an attacker not only has to concurrently hack each user on the network, but also bypass encryption. 
Such an intrusion would be highly visible to those on the network.<strong><em> </em></strong>Internal auditors must perform comprehensive risk assessments to determine the likelihood, magnitude, and nature of potential threats as well as the appropriate preventive, detective, and corrective controls. </p><p>In addition to the data being more secure and valid, using a distributed public ledger gives auditors access to transactional data needed for the audit in real time, thus allowing for more continuous auditing. While continuous auditing has the potential to enable auditors to be more efficient, proactive, adaptive, and forward-looking, internal audit departments must explore the impact continuous auditing may have on existing audit programs and the potential disruption to the traditional audit cycle. Specifically, auditors must consider how it could impact scheduling, planning, and the actual collection of audit evidence.  </p><p>While blockchain would in no way be a substitute for U.S. Sarbanes-Oxley Act of 2002 control testing, it could greatly increase the efficiency of traditional audits, creating a more uniform and highly verified audit trail from which to work. The improved quality of data and fewer reconciliations can potentially reduce the amount of work necessary throughout the year. Auditors may be able to conduct more work remotely, because less fieldwork will have to occur at the client's site.<strong><em> </em></strong>Moreover, efficiency gains from blockchain may enable internal auditors to focus on other high-risk areas such as internal control, compliance, or operational audits. </p><h2>Audit Implications</h2><p>With the advent of blockchain, the nature of audit work may change pervasively. 
Potential changes to consider include: </p><ul><li> <em>Systematically less reliance on paper documentation that can be altered or falsified easily.</em> Matching and vouching to test for existence and appropriate valuation may largely be outdated, as auditors will have easy access to transactional data that already has been mutually agreed upon and verified by an independent third party.<br></li><li> <em>Differing cybersecurity risks and controls.</em><strong> </strong>As the use of blockchain makes data available to everyone on the network, both physical and logical access controls will be more important than ever. In addition, use of a distributed public ledger can decrease the risk of successful computer attacks and may increase the visibility of attacks. The increased visibility elevates the importance of an organization's incident response plan.   <br></li><li> <em>More involvement in creating new processes based on blockchain technology.</em><strong> </strong>As recent publications from the Big 4 firms note, the reliance on blockchain technology may require auditors to collaborate with IT professionals and raise the demand for auditors with IT expertise. Subsequent documentation of new processes and changes to old processes are key controls that auditors should not overlook. Over time, the use of blockchain may lead to increased standardization in both business processes and audit processes across industries as best practices emerge. <br></li></ul><h2>Risks and Rewards</h2><p>To prevent or lessen the risk of crisis that often precedes imminent change, internal auditors must stay abreast of emerging technologies such as blockchain. Yet, as with many new technologies and processes, blockchain may present a steep learning curve for auditors. Understanding the underlying technology of a distributed public ledger can enable auditors to assess the new control environment and new risks to the organization. 
In this way, internal auditors can be change agents who help mitigate the negative risks that all too often accompany the rewards associated with any new technology.</p>Jamie L. Hoelscher
Internal Auditors: More Than Cybersecurity Police
https://iaonline.theiia.org/blogs/chambers/2018/Pages/Internal-Auditors-More-Than-Cybersecurity-Police.aspx
<p>New guidance announced by the U.S. Securities and Exchange Commission last week is raising the bar on how publicly traded companies report on their handling of one of the top challenges facing every organization — cybersecurity.</p><p>The new cyber-risk guidance, an evolution of guidance first released by the regulator in 2011, boosts reporting requirements in various ways, from disclosures about board involvement in cyber-risk oversight to enhancing internal reporting procedures that more effectively determine when cyber issues rise to the level of materiality and, therefore, should be reported publicly. The new guidelines inevitably will create new compliance challenges and, with that, additional need for internal audit to provide assurance on those compliance efforts.</p><p>The new U.S. rules, along with the upcoming deadline to meet strict European Union guidelines on data protection, are high-profile examples of where internal audit can provide important assurance on information technology (IT). </p><p>But it is important, indeed crucial, for organizations to understand that management of cyber risks and data protection are only part of the overall IT governance picture and that internal audit can and should play a larger role than simply acting as the cybersecurity police.</p><p>A recently published IIA <a href="https://global.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG17.aspx">Global Technology Audit Guide (GTAG)</a> provides direction and insight on internal audit's approach to auditing IT governance. 
The GTAG's executive summary captures the benefits of strong IT governance and describes how proper IT governance can help organizations achieve their goals.</p><p>From the GTAG executive summary:</p><p><span class="ms-rteStyle-BQ">"Effective IT governance contributes to control efficiency and effectiveness, and allows the organization's investment in IT to realize both financial and nonfinancial benefits. Often when controls are poorly designed or deficient, a root cause is weak or ineffective IT governance." </span></p><p>The benefits of effective IT governance are significant. In addition to aligning IT strategies with organizational objectives, it helps identify and properly manage risks; optimizes IT investments to deliver value; defines, measures, and reports on IT performance using meaningful metrics; and helps manage IT resources.</p><p>Sound IT governance helps organizations address IT challenges, such as the growing complexity of IT environments, growing use of data to make business decisions, and, as previously discussed, the growing number of laws and regulations associated with the threat of cyberattacks.</p><p>As with all governance issues, internal audit is uniquely positioned to give management and the board a clear-eyed assessment on the effectiveness and efficiency of the processes and structures that make up IT governance.</p><p>The GTAG provides valuable insights on how responsibilities of multiple governance structures within the organization can overlap. For example, corporate governance oversees conformance processes and is involved in compliance, and business governance oversees performance processes.</p><p>The key is for internal audit to examine — and to help management and the board understand — the interplay among all three governance structures and not view IT governance as somehow separate and apart. 
A key message from the GTAG captures this well:</p><p><span class="ms-rteStyle-BQ">"Alignment of organizational objectives and IT is more about governance and less about technology. Governance assures alternatives are evaluated, execution is appropriately directed, and risk and performance are monitored."</span></p><p>The GTAG provides internal auditors the tools and techniques to build work programs and perform engagements involving IT governance. These include a step-by-step description of engagement planning, from understanding the context and purpose of the engagement to reporting results. Additionally, five appendices provide related IIA standards and guidance, a glossary of key terms, a sample internal controls questionnaire, a risk and controls matrix, and a list of additional resources.</p><p>It is important to emphasize that having a well-developed IT governance audit program in place will help integrate IT into the overall governance strategy and take the mystery out of IT, which often contributes to poor IT controls. It also will help position organizations to respond quickly and efficiently to changes in regulations or IT-related risks.</p><p>The current scramble to meet upcoming European Union rules on data protection suggests that not enough organizations are taking a comprehensive approach to IT governance. Indeed, those troubles were clearly reflected in an August survey by DocsCorp, reported in <a href="https://www.docscorp.com/media/multimedia/infographics/gdpr-survey-results-emea/">The Current State of GDPR Readiness</a>. The survey found 43 percent of respondents from Europe and the United Kingdom identified financial penalties for noncompliance as their biggest concern with the new rules. 
In Canada and the United States, the survey found 73 percent of respondents had yet to start preparing for the new rules and 54 percent were unaware of the May 25 compliance deadline.</p><p>I encourage every chief audit executive to download and review the new GTAG and discuss IT governance with their management and boards. Providing an accurate and unbiased assessment of how IT operates within the organization is another example of where internal audit can add value and help organizations achieve their goals.</p><p>As always, I look forward to your comments.</p>Richard Chambers
The Extended Enterprise
https://iaonline.theiia.org/2018/Pages/The-Extended-Enterprise.aspx
<p>Whether it is referred to as third-party risk, vendor management, supply chain management, or something else, organizations must recognize the risk implications of operating as an extended enterprise. Today’s interconnected business models enable companies to leverage partnerships to manage costs and increase competitive advantage. In the extended enterprise, company data and, in many cases, its client or associate data are shared, transferred, processed, or stored by external entities. Very often, this data is among the organization’s key information assets. The risk to the entity unknowingly increases when management has not assessed or addressed the potential threats being posed to key assets in this sharing process. These risks may include security protections and associated breach risk, availability standards and associated operational risk, ownership rights and associated strategic risk, and other key risk points across financial, operational, reputational, and legal areas. Considering these risks and evolving business operations — alongside an increasingly complex regulatory landscape — third-party governance and oversight models are a must-have for organizations. </p><p>Gone are the days when an organization’s simple inquiry into a new vendor’s policies, data security practices, and control structure during the vendor procurement process was considered sufficient. Over time, simple inquiry evolved into a brief, often narrowly focused, evidence or documentation gathering exercise with limited actual review or scrutiny. Fast forward to today when organizations are expected, by stakeholders and regulators, alike, to know, assess, and actively monitor external providers’ adherence to defined practices. 
Internal audit — and its first and second line counterparts — must determine whether appropriate measures are in place to address third-party risk. This process begins by identifying and understanding two key data points: 1) Who are the organization’s vendors and external partners (and their subcontractors or providers)? and 2) What information is being shared with them? Once the landscape and risk profiles are understood, appropriate governance and monitoring also can be established. </p><p>Identifying key vendors is the initial step — keeping in mind individual relationships and vendor services structures must be fully understood. Does the organization use an external data center provider? Are there software as a service (SaaS)-based applications used within the organization? Is application development performed by an external provider? Where do external business partners exist within key operational business processes? What external entities do the finance, human resources, legal, security, and other corporate teams use to support their functions?</p><p>Certain functional areas and systems within the organization can assist in beginning the identification process. Procurement and legal are two functions that should have an understanding of the external partners and associated contracts in place. Review of payables data and vendor master data also can help identify external entities providing services. Discussion with divisional or functional management teams will help validate understanding of the entire third-party landscape, including process dependencies and integration points, as well as the scope of services the vendors provide.</p><p>During the identification process a “follow the data” approach should be applied. Internal data governance processes often aid in identifying data components and associated risk. This is the foundation for understanding which data elements to follow in this process. 
Data that is identified in categories such as “high risk” or with specific regulatory requirements must be traced through its life cycle to all sources. This includes anyone in the vendor process who may handle the data. </p><p>During the data tracing process, the consideration of “fourth-party providers” also must be included. Fourth parties (or fifth or beyond) are vendors or subservice providers used by an organization’s direct vendors — extending the risk and governance requirements even further into the supply chain. These can be identified through review of vendor contracts (as they often will specifically state whether services can be subcontracted), but in many cases only are identified during inquiry and discussion with the vendor directly. They all must be assessed as any exposure to risk must be identified and appropriately mitigated.</p><p>Along with developing a comprehensive inventory of the vendors providing services across the organization, organizations are well-served by establishing a standard rating or assessment criteria structure to consistently assign a risk classification or other rating to each external business partner. Internal audit can help build or enhance this classification framework based on its understanding of risk assessment principles, as well as its knowledge of business operations and key risk points. </p><p>Often, the vendor risk rating or classification structure will include assessment of data being shared, vendor operations, potential customer impact, regulatory considerations, and level of dependency on the vendor for ongoing operations (e.g., system availability or other operational requirements). These categories should be assigned quantifiable metrics where possible, based on risk thresholds established by the organization. 
Leveraging this standard classification structure, critical vendors can be identified and the assessment process structured in a prioritized fashion, aligning risk with associated review frequency and depth.</p><p>While this article focuses specifically on recommendations to be included in the vendor assessment process, a full vendor management program includes the entire life-cycle process for managing vendor relationships — from planning and selection to ongoing monitoring. Specific design of the vendor assessment process and approach must be aligned with organizational requirements; however, certain focus areas are appropriate for most companies. Common elements may include:</p><ul><li>Information Security — technical configurations, security architecture, access management, monitoring, and incident response.<br></li><li>Physical Security — facility access, security monitoring, and document control measures.<br></li><li>Policies and Programs — program and governance models, policies and standards, and reporting structures.<br></li><li>Human Resources — background checks/verifications and associate training programs.<br></li><li>Availability — system maintenance and monitoring process, support and operational oversight, and system change processes.<br></li><li>Business Continuity — disaster recovery and business resumption plans.<br></li><li>Regulatory Compliance — key requirements may apply to specific data types or industries; the Health Insurance Portability and Accountability Act and General Data Protection Regulation are examples of regulations including specific requirements in regard to third parties.<br></li><li>Vendor Management — extension of requirements to subservice providers and associated monitoring. <br></li></ul><p>During the vendor review process, it is likely that gaps will be noted between expectations or obligations and actual practices. 
Effective risk management for third parties also includes ongoing monitoring of vendor response to concerns to ensure they are appropriately addressed.</p><p>Implementation and operation of a third-party risk management program is not a small undertaking. However, when considering the business risk associated with vendors and operating with an extended enterprise model, the opportunity for reducing risk and potentially better leveraging vendor partnerships clearly demonstrates the necessity and value of the effort. A measured and phased approach will address the most significant risks as the program matures over time.</p>Melissa Ryan
Board Matters
https://iaonline.theiia.org/2018/Pages/Board-Matters.aspx
<p>Having a sound relationship with the board is crucial if internal audit functions are to serve their organizations well and provide effective assurance. Whether chief audit executives (CAEs) report directly to the board or, more likely, to an audit committee, it is vital that the two sides share an informed understanding of internal audit and its role and purpose within the organization. That is why educating the board about the level and nature of assurance internal audit provides is an important part of any CAE’s role. </p><p>While that is an easy principle to grasp, achieving it in practice can be a difficult and prolonged journey for both sides. Explaining what internal audit can do and how the function should be positioned in the business is likely to be unhelpful, unless it is done in the context of the board’s real-life needs. “CAEs should be thinking about putting themselves in the shoes of the board members, and understanding what is on their agenda and why,” says Ninette Caruso, CAE at Discover Financial Services in Riverwoods, Ill. Boards are more likely to be concerned with business issues such as profitable growth, dealing with competitors, net profits, and complying with pressing regulatory issues. If internal audit is not engaged in those areas, trying to educate the board about assurance is likely to feel too abstract and disconnected from the business. </p><h2>Board Perspective</h2><p>As internal audit begins to provide specific value and advice to the board in those parts of the business where it has genuine concerns, Caruso says it will be effectively educating the board about what true risk-based internal audit means to the organization by demonstrating the type and level of assurance it can provide. In doing so, internal audit will be greatly appreciated and recognized for it. 
</p><p>“Let’s try to understand where the board is coming from and not waste time trying to add value to, say, a compliance audit if the board is not really interested in that area,” Caruso says. “Instead, the internal audit function needs to focus on perhaps two main issues on the board’s agenda at that particular point in time and to put all of its efforts into those areas.”</p><p>Getting issues onto the board’s agenda that internal audit feels are important, but the board does not, can be more challenging. Caruso says it demands a level of storytelling that auditors are not often used to about what they have found and why that matters to the organization.</p><p>“Even if the board only wants internal audit to check the controls put in place by management and risk functions, internal audit can still play an educating role by standing back and looking at themes that emerge from the interaction between different parts of the business,” Caruso says. “Nobody may want that from internal audit until we bring it to them and they can see the value of it firsthand.”</p><h2>A Clear Understanding</h2><p>Louis Cooper, chief executive of the U.K.’s Non-Executive Directors’ Association, a professional training and education membership organization based in London, understands how CAEs and nonexecutives think about each other. He agrees with Caruso when she says that CAEs often dive in, providing services that they believe the board will want without stepping back and asking some simple questions first — and listening to the responses. </p><p>As Caruso says, boards generally want to know what the key issues are and what the organization needs to do to respond to them. But building a picture of what the board wants can take time. “Internal audit often has a disjointed view of the board because of the limited contact it has with its members through various committees and because of the brevity of that contact,” Cooper says. 
“Quite often, internal auditors only get pulled into the audit committee to present their report, so they often don’t have ongoing dialogue with key board members, especially the audit committee chair.” </p><p>In addition, internal auditors are busy people, he says, concerned with delivering their audit plans. That is why it is important for CAEs to schedule time within the audit plan, itself, for relationship building. Internal auditors can use those meetings to both strengthen their understanding of the board and explain how the function can serve the organization’s broader needs.</p><p>“Having a clear understanding of the corporate governance framework within the organization enables people to connect the dots on the risks that have been identified in the organization,” Cooper says. “Internal audit’s knowledge of the organization and its related feedback on the effectiveness of the corporate governance framework is an element often missing from such conversations.”</p><p>If the CAE can help the board come to grips with the control environment and help ensure management takes more ownership over some of the control processes, it can promote a better balance of activity based on management fulfilling its role in the Three Lines of Defense model. That helps move internal audit away from low-level controls testing and into a more strategic risk-based auditing, the internal auditor’s “holy grail,” which can, in turn, free time in the audit plan for big-picture audits or consultancy-style projects.</p><h2>Manage Expectations</h2><p>Kristiina Lagerstedt, vice president, Audit and Assurance, at Sanoma in Helsinki, and a board member at Uutechnic Group, says internal audit departments can educate boards on the progress of big change projects. She has been working on information security and privacy readiness and maturity in preparation for the European Union’s stringent new General Data Privacy Regulation (GDPR), set to come into force this year. 
Because Sanoma is operating in the media and learning sector, getting the rules right is crucial.</p><p>“When GDPR was introduced, I noticed there wasn’t a common approach to privacy and information security within my company,” she said. She raised the issue, and the company decided to establish a steering group to oversee preparations for the changes with the CEO as chair. </p><p>“I took care of the agenda for the first year and a half, and we met twice a quarter,” she explains. Six months ago, when the steering committee agreed that the privacy and information security programs were up and running appropriately, it decided to meet quarterly and the agenda moved over to the chief information security officer. Lagerstedt is still involved, but with a smaller role.</p><p>“For a CAE, it is important to get involved in group-level change programs to ensure a common approach across businesses and countries,” she says. Lagerstedt’s main contribution was to keep the project moving and keep top management and the board up to speed on the progress made, the main risks faced and how they were being dealt with, and the maturity levels the business units had achieved on a quarterly basis.</p><p>“When you are pushing things forward and operating as a change agent (or consultant), it is sometimes confusing for people in the business to understand what the role of internal audit is and should be,” she says. While internal audit took a front-line role in the GDPR project in some respects, she aims to involve the business’ external auditors in the next audit to help reassert internal audit’s independence.</p><p>“Be brave in the tasks you take on,” she says. “Think about the company doing the right thing, but also keep in mind your and your team’s limitations to successfully manage expectations and not give promises you cannot keep.” She says continual education about what internal audit does and can do is key to success. 
“Remember to keep top management and the audit committee informed about where you are, and what the next steps and most critical risks are,” she advises.</p><h2>Explain the Standards</h2><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>IIA Standards</strong></p><p>Although The IIA’s <em>International Standards for the Professional Practice of Internal Auditing</em> does not explicitly say that the internal audit function should educate the board, it can be inferred from the many ways in which auditors communicate and work with directors and management across the business. While there is obvious value in providing education as to the effectiveness of the governance processes within the organization, and the type of major risks change projects can bring about, does it make sense to try to educate the board about the <em>Standards</em>? After all, the <em>Standards</em> are meant to be the benchmark of audit quality.</p><p>“Effective communications enable the audit committee to work with internal audit leaders to better understand the internal audit process,” Jim DeLoach and Charlotta Hjelm wrote in their 2016 CBOK Stakeholder Report, Six Audit Committee Imperatives: Enabling Internal Audit to Make a Difference. “To this end, directors should become more familiar with The IIA’s International Standards.”</p><p>Given the time constraints that both internal auditors and board members experience, is such a suggestion realistic or even desirable? According to evidence included in the report, the answer is yes. 
The quality and frequency of communication between CAEs and board members is greater among stakeholders familiar with the <em>Standards</em>, according to the report. Specifically, two out of three board members are familiar with the <em>Standards</em> to some degree and almost all — 98 percent — see value in internal audit conformance.</p><p>“If audit committee members do not have adequate knowledge of the <em>Standards</em>, they should ask the CAE for more information about them and how internal audit is ensuring their conformance,” DeLoach and Hjelm conclude.​</p></td></tr></tbody></table><p>For David MacCabe, a longtime CAE and an internal audit consultant based in Austin, Texas, informing the board that the internal audit function is conducting engagements in line with the <em>International Standards for the Professional Practice of Internal Auditing</em> is on his list of the critical assurances the CAE should provide to the board. </p><p>“Some members of the board may have minimal experience in business operations, such as those in nonprofit organizations, and they may just be interested in the programs and the people they serve,” he says. “But even in corporate America, there are some members of the board who may not be sure what their full duties and responsibilities are — and what the appropriate questions to ask as a responsible board member are.” </p><p>Internal audit can help educate them about those duties and, in doing so, underline its own credibility and integrity by explicitly saying it adheres to these international standards, he says. 
“Even for experienced boards, it can be useful to demonstrate that you are committed to external quality reviews by independent practitioners so they will know you are a step above what they may have experienced elsewhere,” he adds.</p><h2>Build Relationships</h2><p>Effective communication and other interpersonal skills are crucial to achieving that goal and, while MacCabe says today’s auditors are generally more personable than in the past, there is room for improvement. In addition, The IIA’s many useful tools and publications can help CAEs inform and educate the board about leading practices for internal audit teams and audit committees.</p><p>He agrees with other CAEs that progress can be slow, and trust and respect need to be earned both by word and deed. Being proactive and available to management and staff in formal and informal settings can be a winning approach, MacCabe says. “It makes a world of difference to be open-minded, available, accessible, and approachable in the hallway, in the cafeteria, and wherever in the organization,” he says. People are much more likely to share their concerns when you are friendly, and people get to know you.</p><p>He recalls one time when he brought a story he had heard through conversations with staff to a line manager. “The manager was worried I’d pass it on to his section head, but I gave him the option to act on it or not, and emphasized that it was not a complaint or concern, but an observation about something that may or may not be true,” he says. Situations like this can help form great relationships because the auditor is then viewed as being available to discuss issues and provide informal advice for control improvements or remedial actions. </p><p>“Building those relationships throughout the organization from the board to the frontline of the business is crucial,” MacCabe says. “Management often asked me to pass things onto the board, and that can be done either in confidence, or openly as they choose. 
Everyone benefits.” </p><h2>Commit to Improvement</h2><p>MacCabe says internal audit also must be committed to continuous improvement through internal and external quality assessments (refer to Standard 1300 series) and by continually updating its knowledge of leading internal audit and management practices, as well as business and industry trends. For that, quality assurance reviews are particularly important — especially because they form a key part of conforming with professional standards. He says he worries that only 39 percent of survey respondents worldwide said they had such an external review, according to the Common Body of Knowledge (CBOK) 2015 Global Internal Audit Practitioner Survey.</p><p>“It’s no use saying that we are professionals and then only being partly in conformance with our own <em>Standards</em> — that erodes our credibility,” he says. He urges CAEs and all internal auditors to be committed to achieving and demonstrating the highest professional standards. In striving to do so, auditors will become a more respected and vital source of knowledge and education on assurance for everyone in the business — especially the board. </p>Arthur Piper
Are You Prepared?
https://iaonline.theiia.org/2017/Pages/Are-You-Prepared.aspx
<h2>What is internal audit's role in ensuring the organization has a disaster recovery plan? </h2><p>As we've recently seen, disasters — whether natural or from human activity — have shown the need for sound disaster recovery plans. Internal auditors play an assurance and consulting role in this arena, so they need to understand attitudes toward disaster recovery risk within their organizations. Disaster recovery should be part of the overall business continuity management process. For organizations that are ad hoc or reactive in their level of disaster recovery maturity, internal audit may need to assist in making the case to senior management for better preparedness.</p><p>As part of its risk assessment process, internal audit should examine the plan to determine if operations have been prioritized appropriately, and risk assessments and responses are sufficient and cost effective. Internal audit should note whether the plan is a working document that is updated timely as important changes take place, including acquired businesses and new software and technologies. Based on the level of risk, internal audit should schedule audits of the disaster recovery processes to provide assurance there are no significant gaps. Another opportunity for internal audit is educating senior management and the board on their responsibilities for ensuring effective risk management practices are in place for any outsourcing arrangements.</p><h2>What should internal audit look for in a disaster recovery audit?</h2><p>The areas to cover in a disaster recovery audit can depend to some extent on the size, number of locations, and complexity of the organization. 
The most common areas to review are which functions and systems are covered or excluded in the plan and why, testing multiple scenarios to identify vulnerabilities and gaps in the plan, inventory of equipment and software, and documentation of backup and recovery processes (IT and non-IT). Auditors should consider critical data back-up storage and frequency — including data stored on computers, smartphones, and devices, which employees may use for work and personal use. Other items to review include testing of back-up systems to be sure data can be restored; insurance coverage; legal involvement and review; disaster recovery contract provisions, including service-level agreements with outsourcers and suppliers; and whether responsibilities are clearly defined.</p>Staff
Beyond the Numbers
https://iaonline.theiia.org/2017/Pages/Beyond-the-Numbers.aspx
<p>“Internal auditing should be about tomorrow,” Charlotta Hjelm, chief internal auditor at the Swedish insurance co-operative Länsförsäkringar, Stockholm, says. “If the function focuses mainly on financial audits, it is mostly looking at what happened yesterday and today.”</p><p>Hjelm says boards and audit clients are looking to their chief audit executives (CAEs) to provide assurance over their forward-looking operations and strategies — no more so than in areas of rapid change, such as product launches or IT initiatives. As a result, functions that have historically concentrated on auditing controls over financial information have been pushed out of their comfort zones and into the fuzzier world of nonfinancial auditing.</p><p>“If you are conducting financial audits, things are black and white,” Hjelm says. “The controls are right or wrong.” So-called nonfinancial audits, on the other hand, may be concerned with improving the efficiency of business processes, or the quality of services. Auditors working in those areas need adequate knowledge of the business and its functions — from human resources and sales, to supply chains and customers. “If a business wants to be the best, most efficient, and offer the highest quality of goods or services, that can be hard to define,” she says. </p><p>This lack of clarity has an impact on internal audit. If an organization’s goal setting is not precise, auditors can struggle to grasp what separates the most important audit area, for example, from the slightly less important. Moreover, risks in dynamic areas of the business can change rapidly, impact business processes in other parts of the business and prove difficult to cover comprehensively. Internal audit teams working in nonfinancial areas of the business need a wider range of technical skills, broader soft skills, and deeper business knowledge. 
But the rewards of engaging in these areas include providing better insight to the business on the quality of its operations and the risks it faces tomorrow.</p><h2>Aligning With the Business  </h2><p>The shift in emphasis from static, backward-looking audits has come from boards and from the profession itself as it has sought to win that coveted seat at the top table. In fact, over the past 15 years internal auditors in most sectors have been aligning themselves more closely with their organizations’ strategies. According to Driving Success in a Changing World: 10 Imperatives for Internal Audit, a 2015 report from The IIA containing the most recent figures, globally 57 percent of audit departments say they are aligned fully or mostly to their business’ goals and objectives. As that percentage continues to grow, increasing numbers of auditors will be  moving into those dynamic areas of the business that need assurance most — whether they are primarily financial in nature or not.</p><p>This realignment to auditing nonfinancial areas has led to a shift in approach that places greater value on what audit findings mean to the business than whether or not the organization is compliant with regulations. In regulated areas such as finance, for example, boards still want to know whether they are compliant with Solvency II — a European Union directive that focuses primarily on capital obligations for insurance firms — where there is a clear role for traditional internal audit, Hjelm says. 
“But they also want to know how much it will cost, whether we have the resources to do what is necessary, how it will affect the strategic plan, and whether I have audited the right areas.” Communicating on such a wide range of issues clearly has become an important dimension of Hjelm’s work.</p><p>Malcolm Zack, who has led audit teams in the consumer, payments, foodservice, mail, entertainment and travel sectors and now heads Zack Associates, an internal audit consultancy based in London, says he has been auditing nonfinancial areas of the businesses in which he has worked for more than 20 years. Over that time, he has worked across a range of areas including IT audit, contingency planning, health and safety, codes of conduct, supplier risk, buying and merchandising, and social media, to name just a few. But he agrees with Hjelm that more recently boards have been encouraging internal auditors to move into areas where the business is changing rapidly because that is where the big risks can be. </p><p>“In recent years, I’ve been working more and more on business change projects, and project and program assurance,” he says. “New products and systems are where the higher risks are, and the ongoing auditing of those has become very important.” </p><p>He sees that trend intensifying in the coming years with auditors becoming more focused on the commercial and operational significance of their findings in such dynamic areas, rather than just on the financial data itself. Because finance is only one element the board needs assurance on, Zack says, that has changed the composition of many audit teams away from accountants and pure audit specialists. Experts in project management, IT, or human resources, for example, could be needed as much as technical auditing ability. 
An audit team in one financial institution Zack was familiar with, for instance, employed psychologists on its team during an audit of its culture.</p><p>“This has been a shift for the profession,” he says. “We are being asked to give a view of risk and controls across the entire organization potentially.” That requires the audit team to be staffed by a core of experienced auditors supported by a more fluid mix of people from different specialist areas and cultures to provide depth of knowledge in the area being audited, he says. </p><h2>Shift in Focus </h2><p>The difference between a financial audit and a nonfinancial audit can be one of focus, explains Phil Tarling, an internal audit consultant based in South East England, U.K., and former vice president, Internal Audit Capability, and head of the Internal Audit Centre of Excellence at global telecommunications firm Huawei Technologies. In one supply chain audit he was involved in, for example, when goods did not ship in time by sea, they were sent at greater cost by air. The financial findings were significant, but the nonfinancial part of the audit also showed that the supply chain was poorly structured and included recommendations on how to fix the problem.</p><p>“In nonfinancial auditing, you need people to understand that the business exists to make a profit and that cost has a negative impact on its ability to do so,” he says. “Not all auditors think that way, and not all people working in the business do either.”</p><p>That is why Tarling is cautious about bringing people with business acumen, or with subject-area expertise, into the audit function. “When you say ‘business acumen,’ do you mean that people understand the way things are done, or the way they should be done?” he asks. 
He warns that external staff from the business can bring with them negative baggage and may be too caught up in the minutiae of their role to see the bigger picture, or to imagine different ways of working.</p><p>“It means you have to work a lot harder to get the right people on the audit team,” he says. Going back to his supply chain example, he would recommend hiring someone who possesses high-level experience with establishing a supply chain and training him or her in audit and risk. Smaller audit functions would need to cosource such staff with an internal audit provider and transfer knowledge to the core team during the project, he says.</p><h2>Integrated Thinking </h2><p>Trends in auditing nonfinancial areas are coming under the spotlight from regulators, standard setters, and business groups mulling over the causes of the financial and economic crash of 2007 — the effects of which are still felt today in the form of historically low interest rates and slow growth in many countries. The consensus among groups such as the International Integrated Reporting Council (IIRC) is that many businesses did not understand how the risks within their businesses are related to each other and to the wider business world. Providing some form of coordinated assurance over all nonfinancial aspects of corporate activity can be achieved by integrated reporting (<IR>). </p><p>The IIRC’s International <IR> Framework argues that, too often, companies have disjointed reporting practices that are driven more by regulation than by business need. That has led to a fragmented approach to what is reported. What is needed, the framework says, is <IR> delivered to shareholders and stakeholders that provides a complete picture of the business and its risks, which is underpinned by integrated thinking. 
</p><p>“Integrated thinking is the active consideration by an organization of the relationships between its various operating and functional units and the capitals that the organization uses or affects,” the framework says. “Integrated thinking leads to integrated decision-making and actions that consider the creation of value over the short, medium, and long term.” </p><p>The IIA recently articulated internal audit’s potential role in the integrated thinking arena. Its project concluded that internal audit’s holistic purview of the organization uniquely positions it to support integrated thinking’s goals of strategic decision-making, planning, and delivery in a way that considers the perspectives of the business, its various stakeholders, and the resources needed to create wealth.</p><p>“Internal auditing is focused on the same central concerns that prompt the move toward integrated thinking and enhanced external reporting,” says Anton van Wyk, a former IIA board chairman who led the organization’s integrated reporting task force. “By providing well-informed insight, advice, and assurance, consistent with The IIA’s Core Principles for the Professional Practice of Internal Auditing, internal auditors can have a significant contribution to make in supporting their clients in their journey to integrated thinking.”</p><h2>Connecting the Dots</h2><p>Some practitioners agree. Karem Obeid, CAE, Tawazun Economic Council in Abu Dhabi, United Arab Emirates, says boards have become more sophisticated in their understanding of what internal audit can offer — especially the function’s ability to create value by driving business improvement and advising on risk in dynamic areas of the organization. 
“If as an auditor you get involved in benchmarking integrated thinking and reporting at an early stage,” Obeid says, “you can be the facilitator that helps join the dots across the whole organization and beyond.”</p><p>He sees taking on the role of driving the integrated thinking project as a great way of demonstrating the value that internal audit can add to the business. It can also help the audit team better direct its work and resources to where they are most needed, and enable internal audit to serve the organization as a trusted advisor.</p><p>Auditors can do this by building on their experience of auditing nonfinancial areas of the business, says Obeid — who contributed to the IIA white paper, Global Perspectives and Insights: Beyond the Numbers — Internal Audit’s Role in Nonfinancial Reporting. But, he adds, integrated thinking is a project that has challenges. The CAE and his or her team, for example, must understand the business both from a technical and practical point of view. Those with many years of nonfinancial audit experience will be better placed to see how the risks in different areas — often called silos — are related and how they may be audited across the business. Others would require a steep learning curve.</p><p>Second, integrated thinking and the reporting it produces need to serve a wider range of stakeholders — both within and outside the business. Although most internal auditors are effective at dealing with the board, management, and some other functions — such as risk and compliance — few have experience in dealing directly with external stakeholders, such as customers and external pressure groups. </p><p>“Internal auditors need to communicate more with stakeholders, not just through business meetings, but through social media, socializing in person, and getting to know the culture and mind-sets of these groups,” Obeid says. 
“Also, the audit team has to increase among those groups an awareness and understanding of audit’s role — and the importance of following The IIA’s Standards.”</p><h2>Sustainability </h2><p>One area of rapid change in the integrated reporting world is that of climate-related financial disclosures. Although a paper published in June by the U.S. Financial Stability Board (FSB) relates to financial services businesses, it is a good example of how important governments now view the environmental impact of investor decisions on society. The paper, Task Force on Climate-related Financial Disclosures: Overview of Recommendations, proposes enhanced, voluntary disclosures on how each organization’s governance, strategy, risk management, and metrics help it report accurately and effectively on climate-related risks.</p><p>For Richard Goode, an executive director in the Americas Climate Change and Sustainability Services practice at EY, the paper is a clear indication of how government agencies and investors are increasingly asking to see proof of an organization’s “social license to operate.” According to the EY Center for Board Matters, more than half of the shareholder proposals during the 2017 proxy season related to environmental and social issues — in other words, pressure is growing for companies to demonstrate their social, ethical, and environmental credentials.</p><p>“This is a key area for internal audit to act as a trusted business advisor,” he says. “Business managers are asking internal auditors to help them articulate what their nonfinancial risks are and how well their sustainability programs are being put in place and run.” </p><p>Goode adds that while internal auditors can take a leading role, they should avoid an emotional plea to senior leadership and the board. 
“Speak the language of risk, collate and analyze the data, benchmark within your industry and among standout performers in other industries, and prove what is important and why.”</p><h2>Trusted Nonfinancial Advisor</h2><p>Goode stresses the importance of having the right expertise to help tackle the more technical aspects of such nonfinancial areas. On the other hand, the lack of such expertise should not be used as an excuse for inaction.</p><p>“Make sure you get the topic on the risk register and talk to the business about what risks they are facing in that area,” he says. “Talk to managers, institutional investors, and stakeholders and put together an honest materiality assessment.” If the risk is real and material, the resources are likely to follow, he adds. </p><p>Hjelm agrees. “The more success you have in these nonfinancial areas, the more trusted you will be to do less testing,” she says. “You will be providing true insight for the company about their potential future risks and helping the company make money tomorrow. Besides, as an internal auditor it’s much more rewarding to help people and have fun while doing it.”</p>
Arthur Piper
The Time Has Come for Marks on Governance
https://iaonline.theiia.org/blogs/marks/2017/Pages/The-time-has-come-for-Marks-on-Governance.aspx
<p>In <em>The Walrus and the Carpenter</em>, Lewis Carroll wrote:</p><blockquote style="margin:0px 0px 0px 40px;border:medium none;padding:0px;"><p>"The time has come," the Walrus said,</p><p>      "To talk of many things:</p><p>Of shoes — and ships — and sealing-wax —</p><p>      Of cabbages — and kings —</p><p>And why the sea is boiling hot —</p><p>      And whether pigs have wings."</p></blockquote><p>[I will let my friend and fellow blogger, <a href="/blogs/jacka" target="_blank">Mike Jacka</a>, talk about flying pigs.]</p><p>Yes, the time has come — to talk about concluding this blog. After all, I have been retired for five years and it is time to start slowing down.</p><p>The blog was born in 2008 with "<a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=607cd1df-2cc8-490e-bac2-ba8391dee68f" target="_blank">A Broken Relationship</a>." Since then, I have written hundreds of articles on governance, risk management, internal auditing (of course), and technology. Not a single reference, I am afraid, to flying pigs.</p><p>While this blog will come to an end, the world and its challenges will not. I will continue to write and speak about them. I hope to see you at IIA and other conferences, and I will continue to share my thoughts in <em>Internal Auditor</em> magazine and on my personal site.</p><p>Perhaps my last blog post should be about how the future of internal auditing is in auditing and then communicating what matters. 
I was recently honored to make a keynote presentation on that topic at IIA–Brasil's annual conference in Rio de Janeiro.</p><p>I asked the attendees whether they wanted, as internal auditors, to have a seat at the top table alongside senior executives from finance, operations, legal, marketing, and so on. They all said internal audit should have a seat at the top table. As Richard Chambers says in his latest book, they want internal audit to be seen as <a href="https://bookstore.theiia.org/trusted-advisors-key-attributes-of-outstanding-internal-auditors" target="_blank">trusted advisors</a>.</p><p>Then I asked who they would invite to sit at <em>their</em> table. I suggested that they would welcome people who had something interesting and valuable to offer. They wouldn't invite people (except family members) simply because of their title or position.</p><p>Similarly, internal audit heads (chief internal auditors, CAEs) will be welcomed at the top table when they have something interesting and valuable to offer on the topics typically discussed at that table: the enterprise's objectives and strategies, major projects, performance, and risks to success.</p><p>If we do what I suggested in <a href="https://www.amazon.com/Auditing-that-matters-Norman-Marks/dp/1537662023/ref=asap_bc?ie=UTF8" target="_blank"><em>Auditing That Matters</em></a>, we would be considered trusted advisors that provide assurance, insight, and advice that helps the organization succeed. 
I said:</p><blockquote style="margin:0px 0px 0px 40px;border:medium none;padding:0px;"><p>For internal audit to "matter," it needs to:</p><ol><li>Focus on the risks that matter to the board and top management — risks to the successful delivery of value to stakeholders, the achievement of objectives set by the board.</li><li>Provide assurance on those risks that is readily consumable, relevant, actionable, and timely — helping board members and executives make informed decisions that lead the organization to success; where action is necessary, it can be taken promptly and effectively.</li><li>Provide a formal opinion by the CAE on whether the systems of internal control and risk management provide reasonable assurance that the more significant risks are managed at desired levels.</li><li>Provide, in addition to formal assurance, its objective insight on any area critical to the achievement of success. For example, internal audit cannot be fearful of sharing its opinion on the performance of key personnel, the structure of the organization, and so on.</li><li>Communicate <em>what</em> its stakeholders need to know, <em>when</em> they need to know, and <em>in a form</em> that is easily consumed, relevant, and actionable.</li><li>Work effectively with management to help upgrade its processes, systems, organizational structure, controls, and people as needed.</li></ol></blockquote><p>These principles are consistent with The IIA's four results-oriented <a href="https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Core-Principles-for-the-Professional-Practice-of-Internal-Auditing.aspx" target="_blank">Core Principles for the Effective Practice of Internal Auditing</a>. 
They state that an effective internal audit function:</p><ul><li>Communicates effectively.</li><li>Provides risk-based assurance.</li><li>Is insightful, proactive, and future-focused.</li><li>Promotes organizational improvement.</li></ul> <br> <p>Internal audit should focus on the more significant risks to the enterprise, not just those that may be important to a process, business unit, or middle manager. If you focus on risks to individual processes, business units, and so on you merit a seat at the <em>middle</em> management table — because those are the people interested in what you have to say. But if you have an eye on the future, on the risks that could either derail or represent opportunities to succeed today and in the next year or so, your insights are valuable to senior leadership.</p><p>We simply cannot continue to perform audits of history and write reports that stakeholders read out of duty. We need to provide forward-looking assurance and advice on what matters and will matter in the days ahead: communications that matter to our stakeholders because they help them succeed.</p><p>We need to discard the outdated concept of an audit universe and focus instead on a risk universe. We audit and provide assurance on the management of risks, not the management of business units.</p><p>One of the challenges is going to be to understand what risk and risk management are all about. Frankly, I don't think enough people (and especially internal auditors) understand that it is not about the periodic review of a list of risks.</p><p>No, risk management is about ensuring that people are able to make informed and intelligent decisions, taking the desired amount of risk. 
It's about making sure they think things through, considering all the things that might happen, both good and bad, before making a decision — and every decision creates or modifies risk.</p><p>Internal audit should audit the management of risk within and across the enterprise, not simply compliance with risk policies and standards.</p><p>Think about this. <a href="https://www.mckinsey.com/business-functions/organization/our-insights/five-fifty-better-decision" target="_blank">According to McKinsey</a>, "60% of senior executives say that bad decisions were about as frequent as good ones"! This is an opportunity for internal audit — but we have to know what is possible and desirable, and that is beyond putting together a risk inventory. We need to be brave and talk about the elephants in the room.</p><p>Almost always, the root cause of risk and control problems is <em>people</em>. Maybe it's an ineffective manager or an individual who does not have the training or experience to do the job. Maybe a control is not being performed reliably because the function is understaffed.</p><p>Our goal is not popularity. Our goal has to be to provide our stakeholders with <em>actionable</em> information that will enable them to correct what needs to be corrected.</p><p>Our goal has to be to help the organization succeed! Providing a list of problems is not nearly enough.</p><p>As I look back on nine years of blogging here, I can see progress. For example, perhaps half of internal audit functions have moved from a rigid annual audit plan to a flexible one that makes sure you are auditing what matters now, rather than what used to matter. That progress needs to continue.</p><p>The path to success lies in our ability to challenge <em>everything</em> we have done because it is what we have always done. We wouldn't accept that from process owners. 
Why accept it in our own profession?</p><p>Challenge:</p><ul><li>What we are auditing.</li><li>How we are auditing.</li><li>How we communicate the results of our work.</li><li>How we provide stakeholders with what they need — actionable information.</li><li>How we can help the organization succeed.</li></ul><p>We need to be <a href="https://www.youtube.com/watch?v=QUQsqBqxoR4" target="_blank">brave</a> (watch the video). Not everybody in our world, from board members to staff members, is going to be happy with change.</p><p>But if we move forward and show them the value <strong><em>to them</em></strong> of addressing and then communicating what matters, it is not only possible to get their enthusiastic support but will earn you a seat at the top table.</p><p>What do you think?</p><p>Are we there yet?</p>
Norman Marks
How to Improve Your SOX Compliance Program
https://iaonline.theiia.org/blogs/marks/2017/Pages/How-to-Improve-Your-SOX-Compliance-Program.aspx
<p>If you have been following either of my blogs (hopefully both, here and at <a rel="nofollow" href="http://normanmarks.wordpress.com/">normanmarks.wordpress.com</a>), you know that I frequently call out so-called expert guidance that is anything but expert.</p><p>Recently, a software vendor teamed up with a mid-size accounting firm to publish a white paper, with guidance for companies on optimizing their Sarbanes-Oxley program that should never have seen the light of day. Frankly, I am not going to waste time and space criticizing it.</p><p>Instead, I will share some suggestions of my own:</p><ol><li>Make sure you are focused on financial reporting risk! The scope should include controls required to provide <em>reasonable assurance</em> that <em>material errors or omissions</em> will be either prevented or detected. That means that the likelihood is more than a <em>reasonable possibility</em>. That means more than simply a theoretical possibility, and the error or omission has to be <em>material</em> to the consolidated financial statements.</li><li>Question why you have controls included in scope where, should they fail, there is less than a reasonable possibility of a material error or omission.</li><li>Apply the risk-based, top-down approach to the whole program, including IT general controls (ITGC) and how you address the COSO Principles. The ITGC scoping should be a continuation of the scoping, not a separate evaluation. Identify the controls that provide reasonable assurance that the COSO Principles are <em>present and functioning</em> (as defined by COSO, a defect would not be a <em>major</em> deficiency).</li><li>Be experts not only in the U.S. 
Public Company Accounting Oversight Board (PCAOB) standards (including AS10 and so on) but also in the U.S. Securities and Exchange Commission's (SEC's) <a href="https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwiztpXW5vrXAhUJ8GMKHXpgBkwQFggpMAA&url=https://www.sec.gov/rules/interp/2007/33-8810.pdf&usg=AOvVaw2N8inpeXRkZw96h-p_Q7qh">Interpretive Guidance</a> and SEC/PCAOB staff guidance.</li><li>Re-evaluate the program every year! The business changes every year and the scope should be reviewed and refined every year.</li><li>Read The IIA's updated guidance (my book): <a href="https://bookstore.theiia.org/managements-guide-to-sarbanes-oxley-section-404-4th-edition">Management's Guide to Sarbanes-Oxley Section 404, 4th Edition</a>. (FYI, I receive no income from sales of this book: It all goes to the Internal Audit Foundation.)</li></ol><p>I welcome your thoughts.</p>
Norman Marks
