<h1>The More You Say</h1><p>Audit committees of U.S. publicly listed companies have had greater disclosure responsibilities since the U.S. Sarbanes–Oxley Act of 2002 took effect. Both the U.S. Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) have established and enforced audit and disclosure guidelines, including rules for what audit committees must disclose to the public. But those required disclosures are limited in scope.</p><p>Recently, some audit committees have begun providing voluntary disclosure to improve transparency and give further insight into the committee’s composition, activities, and decision-making processes. Voluntary disclosure provides additional context to mandatory SEC disclosures. Some audit committees may be disclosing more in hopes that it will discourage the SEC from expanding disclosure requirements. Moreover, shareholders and other stakeholders can benefit from more information about how audit firms are selected, compensated, and evaluated.</p><p>In light of this development, internal auditors need to understand which audit committee disclosures are required and become familiar with the voluntary disclosure trend. By engaging with the board and audit committee, internal audit can help shape opinions around which voluntary disclosures may benefit the organization and key stakeholders. Moreover, it can give the board a better understanding of disclosure trends.</p><h2>Required Disclosures</h2><p>The SEC has largely defined audit committee disclosure requirements since 1999. Historically, these requirements have been limited to descriptive information and select process assertions, which continued after the passage of Sarbanes–Oxley. 
Currently, SEC Regulation S-K, Item 407, requires the audit committee to:</p><ul><li>State whether the audit committee has a charter, and if so, provide appropriate disclosure.</li><li>If the board deems an audit committee member is not independent, disclose the nature of the relationship that makes that individual not independent and the reasons for the board’s determination.</li><li>Disclose whether the audit committee has reviewed and discussed the audited financial statements with management.</li><li>Indicate whether the audit committee has discussed with independent auditors matters required in AU section 380 of the PCAOB’s “Communication With Audit Committees.”</li><li>State that the audit committee has received a letter from the independent accountant, including written disclosures pertaining to accountant independence (per PCAOB regulations).</li><li>Based on the appropriate review and discussions, provide a statement recommending that the audited financial statements be placed in the company’s 10-K or annual report.</li><li>Disclose member independence, including proof that at least one member is a financial expert.</li><li>Provide the names of each audit committee member or those acting in the role of the audit committee.</li></ul><p>In 2015, the SEC issued a concept release on possible revisions to audit committee disclosures, but the SEC has yet to change its requirements. In a July 2017 address at the Economic Club of New York, current SEC Chairman Jay Clayton stated that several SEC initiatives are underway to improve disclosures to investors.</p><p>Internal auditors should evaluate whether management has adequate governance to ensure required audit committee disclosures are appropriately identified and made. Creating a disclosure matrix that contains categories of SEC required disclosures can ensure all SEC mandatory items are included in the audit committee’s proxy disclosures. 
</p><h2>Voluntary Benefits</h2><p>In addition to adhering to the required disclosures, audit committees often voluntarily communicate additional information to their stakeholders. A variety of organizations have advocated for greater disclosure in recent years. In his response to the SEC’s Audit Committee Disclosure concept release in 2015, IIA President and CEO Richard Chambers noted that increased disclosure could support internal audit’s stature, independence, and resources. It also could build trust with investors and other external users of financial information.</p><p>Deloitte’s July 2018 On the Board’s Agenda report notes that Standard & Poor’s (S&P) 100 proxies “help to provide transparency into audit committee oversight activities.” Also, a 2017 Deloitte report stated that “transparency into the audit committee’s oversight activities and performance can provide investors with a better understanding of both the audit committee’s performance and the audit process.” </p><p>In addition to transparency, EY’s 2018 Report to Shareholders notes that although investors say they are confident in publicly listed companies’ financial reporting, some are evaluating company-auditor relationships. 
Earlier, the firm’s Audit Committee Reporting to Shareholders 2017 pointed out that stakeholders are looking closely at the board and audit committee’s role in “supporting high-quality financial reporting.”</p><p>Two separate publications from EY and the Center for Audit Quality (CAQ) highlight many potential benefits to a company in providing voluntary disclosure:</p><ul><li>Increased transparency with key stakeholders.</li><li>Alignment of all stakeholder expectations, resulting in reduced conflict.</li><li>Trusting relationships among stakeholders.</li><li>Increased investor confidence in the board.</li><li>Increased investor confidence in financial earnings quality.</li><li>Increased investor confidence in the presence of corporate policies.</li><li>Ability to assess top management’s decisions and behaviors.</li><li>Improved insight and assessment of the audit committee’s decision-making process.</li></ul><p>Internal auditors can educate the audit committee on voluntary disclosure trends — both overall and within their industry — and the potential benefits to the organization. They can add a voluntary category to their disclosure matrix to list potential voluntary disclosures for their organization to consider. To compile that list, they should consult current disclosure studies and research what S&P 500 companies and other organizations in their industry are reporting. Based on such findings, internal auditors can assist management and the board with recommendations on the extent and type of voluntary audit committee disclosures that their organization should make.</p><h2>Disclosure Types</h2><p>The CAQ’s 2018 Audit Committee Transparency Barometer report provides insight into what companies are voluntarily disclosing beyond the SEC requirements. The barometer provides five-year trend data for four categories of “enhanced disclosure” for each S&P 500, mid-cap, and small-cap company:</p><ul><li>Audit firm selection/ratification. 
</li><li>Audit firm compensation.</li><li>Audit firm evaluation and supervision.</li><li>Audit engagement partner selection.</li></ul><p>The sampling frame used in the CAQ’s report was the S&P Composite 1,500 proxy statements of companies in these indices at the end of the filing period. “Voluntary Disclosures Rising” below reveals an upward trend in nearly all analyzed voluntary disclosures between 2014 and 2018. This increase may be driven by two factors.</p><p><img src="/2019/PublishingImages/Gallagher_sidebar_voluntary-disclosures-rising.jpg" alt="Voluntary Disclosures Rising (chart)" style="margin:5px;width:750px;" /></p><p>First, these areas provide insight into how diligently an audit committee is assessing the audit firm’s independence. The SEC cites this responsibility as one of the most important duties of an audit committee.</p><p>A second factor may be a response to recent PCAOB Staff Inspection Briefs that have expressed ongoing concerns with audit firm independence. In December 2018, the PCAOB’s Inspections Outlook for 2019 listed independence among its key areas of focus for inspections in 2019 and beyond. The board’s August 2017 Staff Inspection Brief noted that some firms’ systems of quality control did not provide enough assurance that their personnel understood and complied with independence requirements. Among the deficiencies were impermissible nonaudit services and instances where external auditors performed such services without the audit committee’s preapproval.</p><p>Similarly, a 2018 proxy review by the Deloitte Center for Board Effectiveness found disclosures related to auditor independence increased 10 percent across a sample of S&P 100 companies that reported by May 31, 2018. Given these two factors, audit committees may be increasing voluntary disclosure to provide further assurance that they are taking appropriate action to ensure audit firm independence. 
</p><h2>Practical Implications</h2><p>With more audit committees opting to provide voluntary disclosures, internal auditors can provide valuable insights on the topic to their audit committee. Practitioners should periodically monitor the audit committee disclosures among the organization’s competitors and any further action that the SEC may take on its 2015 concept release. Additionally, internal auditors should monitor annual publications from the CAQ, PCAOB Staff Inspection Briefs, and related applicable documents to both understand disclosure trends and provide necessary attention to them. Finally, internal auditors should inform clients that investors are evaluating the relationship between companies and audit firms. One way to communicate about this topic to investors is through voluntary disclosure.</p><p>Craig G. Gallagher</p>
<h1>Auditing Culture: Bumps in the Road</h1><p>Internal auditors new to auditing culture should be aware of the challenges they might encounter during this type of assessment. In this latest installment of my "Auditing Culture" series, I present some of these challenges, together with potential ways of addressing them. Although the list is by no means exhaustive, it should give practitioners a few insights into what to expect.</p><h3>Culture is multifaceted and complex.</h3><p>There are many models of culture available today. Those I have seen include anywhere from four to 30 cultural drivers. Moreover, each driver interacts with the others in complex ways. To foster the desired culture, each of these drivers should be well-designed, aligned with the other drivers, and operating effectively.</p><p>It is impossible to deal with all the nuances of this complex web, but we don't have to. Internal audit's goal, as I said in my <a href="/2019/Pages/Auditing-Culture-History-and-Principles.aspx">previous installment</a>, is to provide stakeholders insight about the culture and to continually enrich their understanding of it. We do need to be aware of the complexity of culture to avoid jumping to conclusions on limited evidence.</p><h3>There are no agreed-upon criteria for what constitutes a good culture.</h3><p>The first researchers who studied organizational cultures tried to identify the characteristics of a good culture. Today, the general consensus is that there is no universally "right" or best culture. For example, a venture capital firm takes big risks for potentially big rewards, whereas a commercial bank should have a more balanced approach. Likewise, an internet startup may be almost completely focused on innovation, while an established internet service provider might be more conservative.</p><p>Cultural variations will even exist within the organization. 
Finance could have a more conservative culture, while the sales team's culture may be considerably more aggressive — both within limits, of course. That said, there is probably a "right" culture for each organization — the culture that will best help achieve its strategy and business objectives. The organization's strategy can be the starting point for internal auditors in dealing with this challenge.<br></p><h3>Managers create subcultures within their spheres of influence.</h3><p>These subcultures will often be appropriate, as in the example of finance vs. sales. But if they fail to align with the culture adopted by the organization at large, subcultures may be problematic. <br></p><p>While the multiplicity of subcultures can be challenging, it also presents an opportunity for internal auditors. Inconsistency between a subculture and the desired culture often creates risk, and business leaders need to be aware of it.<br></p><p>Before reporting these inconsistencies to higher levels, internal auditors should work with local managers to help resolve them. To help prevent managers from becoming defensive, auditors could try showing them evidence of the problem rather than just stating that a problem exists. That way, managers learn about the problem by seeing the inconsistencies for themselves. Although not always successful, this approach often works with well-intentioned managers who want to improve. When it does work and the risk is not severe, internal audit can monitor the resolution informally in a positive, collegial manner and may not have to embarrass the manager by reporting it to higher levels.<br></p><h3>Management and the board rarely define expectations for the culture.</h3><p>Ideally, expectations should be defined across each part of the business and include observable behaviors that illustrate consistency with, or variance from, the desired culture. 
Internal audit would then have specific criteria to audit against.</p><p>To deal with undefined cultural expectations, some internal audit functions use a published culture model, tailor the cultural drivers to their organization, and agree on it with management and the board. The effectiveness of each driver in helping the organization achieve its objectives then serves as the audit criteria.</p><p>Many, if not most, organizations have at least four or five stated values. Although general, these values can sometimes serve as criteria to audit against. One telecom company, for example, had a value of achieving work-life balance for its employees. While auditing a large project, the internal auditors observed people working 60 to 80 hours a week due to unrealistic targets and poor project leadership. After internal audit reported this finding to management, the CEO took prompt action to rectify the situation because it violated a value he believed in.</p><h3>Cultural inconsistency exists within the extended organization.</h3><p>Few organizations today are self-contained. They have outsourced functions, suppliers, joint ventures, global operations, and so on. These third parties create risks for the organization, and cultural inconsistencies can magnify those risks.</p><p>Internal auditors can help the organization come to grips with this challenge by finding out what, if anything, the organization is doing to address it and assessing whether those measures are sufficient. For example, I know of two organizations that require third parties to give them a report each year explaining how they conform with the organization's values. 
One of them meets with each third party to discuss the report, and those meetings are considered the most meaningful part of the assessment process.</p><h3>Employees are the best source, with a few caveats.</h3><p>In my <a href="/2019/Pages/Auditing-Culture-History-and-Principles.aspx">first installment</a>, I proposed three principles for auditing culture, one of which is that an organization's culture exists in the perception of its employees. But finding out what employees really think of the culture can be difficult. Here are a few of the challenges.</p><p><strong>They might not be fully candid.</strong> Employees may hesitate to say negative things about their work environment to an auditor, fearing retribution if it gets back to their superiors. Dealing with this challenge depends on the situation.</p><p>In a small organization in which auditors are trusted, a personal guarantee of confidentiality might be enough. At the other extreme is an anonymous employee survey, administered in a way that makes it physically impossible for anyone in the organization to know who said what.</p><p>Internal auditors may not always be able to fully convince employees that an online survey is anonymous. One public sector audit function that contends with this issue devised an in-person, group method of collecting information, tailored for its unique circumstances. The department reviews other agencies believed to have serious problems, heightening the potential for mistrust. To help maximize candor, the auditors gather employees in an auditorium with no managers present and ask them to complete hard copy surveys. The employees then pass their completed surveys to the end of the seating rows, and the auditors collect them with no way to know who completed each one.</p><p>Most audit departments fall somewhere between these extremes. 
They have to find the right balance, keeping in mind that the more they know about where information comes from, the better they can follow up, but at the cost of less actual or perceived confidentiality.</p><p><strong>They may have cultural "blind spots."</strong> A common definition of <em>culture</em> is "How we do things around here." When people join an organization, they want to fit in. They tend to accept the way things are done, assuming there must be a good reason for it — even if it doesn't seem quite right to them at first.</p><p>To deal with this challenge, internal auditors can apply their fresh perspective and broad knowledge of the organization to each audit. They are well-positioned to identify cultural inconsistencies that employees might not be aware of.</p><p><strong>They may be subject to cognitive bias and groupthink.</strong> By one count, behavioral economists have identified 188 cognitive biases that hinder effective decision-making. Knowledge of cognitive biases will help internal auditors address them. Jeff Desjardins, founder and editor of Canadian media and news firm Visual Capitalist, identifies a sampling of biases relevant to the business world in his article, "<a href="">18 Cognitive Bias Examples Show Why Mental Mistakes Get Made</a>."</p><p>Groupthink can also obscure organizational culture. It can infect workshops, focus groups, or similar assessment forums. Facilitation skills should include the ability to recognize and counter groupthink. Also, auditors can use interviews or surveys instead of, or in addition to, group-oriented techniques.</p><p><strong>Internal auditors may have their own blind spots and biases.</strong> When auditors conduct surveys, interviews, and workshops, they bring their own baggage to the table. Auditors should be mindful of their potential to influence the assessment process or misinterpret results. 
One technique that might help is to have one or more "challenge sessions" during an audit, in which a more experienced auditor, independent of the audit team, meets with team members to challenge their thinking.</p><p><strong>Clients' response to the results will be influenced by the culture.</strong> This may be true of the overall culture or the subculture created by a manager. Whether preparing to deliver initial verbal reporting on an issue or the final written report, internal auditors should consider how culture might affect the client's response and plan accordingly.</p><p>For example, in a company with an aggressive sales culture, managers might be successful in the short term by driving employees to meet unrealistic targets. In doing so, they create a highly stressful, even toxic environment. Neither local nor senior management in such an organization is likely to welcome a recommendation to lower the targets and, in turn, the pressure. Providing concrete examples of the long-term harm this environment has caused in some parts of the organization or in other organizations (like Wells Fargo) would not guarantee success but would make acceptance more likely.</p><h3>Overcoming Roadblocks</h3><p>Internal auditors experienced in culture audits have likely encountered at least some of these challenges, as well as many others. But for those just starting, or about to start, being alert to culture-related challenges can be critical to success. As daunting as auditing culture may seem, internal auditors who have the courage to meet these challenges usually find the assurance value gained is well worth the effort.</p><p>James Roth</p>
<h1>The Velocity of Risk</h1><p>Only a few decades ago, the onset of problematic risk events often was slow, and organizations handled the corresponding aftermath over a manageable time frame. Organizations armed with extensive public relations resources responded to most post-event crises after planning and analyzing thoughtful responses. Additionally, organizations carefully calculated their transparency with stakeholders regarding the event to manage its impact on the organization.</p><p>Fast forward to today, and the pace of information is almost instantaneous. For example, when a popular U.S. fast food restaurant chain experienced an outbreak of E. coli-infected lettuce, its stock price decreased 44 percent within 90 days amid intensive social media and news exposure. Recent privacy concerns directed at various social media companies caused stock valuations to drop within minutes and led to immediate calls for government investigations. Disclosure of inappropriate sales arrangements by a large U.S. financial institution caused a significant upheaval, including important personnel changes.</p><p>In today's environment, the timing between a catastrophic risk-driven crisis and the financial and reputational decline for an organization can be practically simultaneous. This new reality has forced senior executives and internal auditors to consider a new aspect of risk management — the velocity of risk.</p><p>The velocity of risk is the speed or ferocity with which events occur in today's business environment. Auditing within this "new normal" means changing, adapting, and understanding the imperative to respond to the speed of change with a strong sense of urgency. Supplemented by awareness of the velocity of risk, internal auditors can identify and address areas where organizations must take preemptive actions to reduce the possibility of a crisis caused by a catastrophic risk event. 
</p><h2>Velocity and ERM</h2><p>The <em>International Standards for the Professional Practice of Internal Auditing</em> frames the execution, conduct, principles, and practices that also serve as "guardrails" for the profession. The standards relevant to the velocity of risk logically connect with internal audit competencies such as demonstrating competence and due professional care; aligning with the organization's strategies, objectives, and risks; providing risk-based assurance; being insightful, proactive, and future-focused; and promoting organizational improvement.</p><p>Internal auditors contribute in myriad ways to enterprise risk management (ERM) goals by:</p><ul><li>Helping management manage risk.</li><li>Assessing and auditing risk assessment methods and approaches.</li><li>Creating a responsive, nimble, and agile audit plan.</li><li>Evaluating whether ERM programs are using the right metrics.</li><li>Assessing whether management is prioritizing risk appropriately.</li><li>Supporting and educating the board and senior management on recent advances in risk management thinking.</li></ul><p>Often, internal audit will review how the organization is addressing the chief risk officer's enterprisewide risk assessment, providing assurance about the prioritization and adequacy of response strategies. These assessments will include internal audit's perspective of all the organization's operations directed toward risk considerations. That perspective should include risk areas that potentially are detrimental to the organization, as anticipated by assessments of probability, size, and speed of impact. Internal audit should target the corresponding areas within the scope of its work program.</p><p>In performing these duties, internal auditors should ensure the organization's ERM program matrix highlights how velocity of risk can impact the organization. Auditors should recommend making it one of the risk program's key metrics. 
</p><p>Auditing the velocity of risk can ensure risks are more appropriately prioritized and management is able to more effectively prevent, manage, and respond to risks. Internal auditors can help management and the board measure and address catastrophic risk by understanding the specific risks that could impact the business, measuring risk in an organized and systematic way, and documenting and communicating those quantitatively and qualitatively assessed risk perspectives.</p><h2>Planning and Execution</h2><p>Internal auditors must consider the velocity of risk when prioritizing and creating their annual audit plans. The audit plan should include a risk velocity measure that reflects the magnitude and speed of reaction internally and externally should a catastrophic risk event occur. The department should adjust its perspective on risk management by recognizing and addressing velocity's influence on likely events and impacts. Internal auditors must be aware of risk's current and ongoing impacts on the business in designing and executing audits, compiling results, documenting historical trends, and communicating how management, business processes, and embedded technology are addressing risk. Moreover, auditors should assist and influence management teams to better calibrate, anticipate needs, and frame the impact of velocity on risk-event preventive actions.</p><p>In performing their work, internal auditors must become familiar with the phrase "auditing at the speed of risk." Post-catastrophic risk event reactions tend to be much costlier and more detrimental to an organization. Auditors should anticipate risk-related events by using continuous monitoring tools and auditing through the systems via queries, specialized exception reporting, and similar techniques. These methods, teamed with including "velocity of risk" as a parameter in risk-matrix discussions, can highlight at-risk business processes and transactions, increase coverage, and add speed. 
For example, internal auditors can equip themselves with tools and techniques such as trended historical transaction reviews within supply chain operations.</p><p>These methods — supplemented by vendor-by-vendor analytics, internal control reviews, and interviewing techniques — can lead to earlier detection of fraudulent transactions, timing discrepancies, wasteful or nonoptimal spending, and product defects. Integrating velocity of risk into internal audit's environment, along with a sense of urgency, can add to overall effectiveness, improve organizational agility and resilience, and contribute value to management.</p><h2>The Third Dimension of Risk</h2><p>The velocity of risk is pushing the internal audit profession to grow and support its own and management's awareness of risk's speed of impact by accelerating and enhancing risk-based auditing. Connectedness to business risks and strategies now is even more imperative for internal audit to maintain its relevance. To keep pace, businesses need to embrace a three-dimensional risk management approach: probability, impact size, but most importantly, velocity — that sense of timing, speed, and mean-time-to-event mentality.</p><p>By adding the dimension of velocity, internal audit can facilitate deep-dive assessments of certain risk areas that could become catastrophic risk events. Identifying these areas can inspire a more robust dialogue with management and the board about how to remedy potential issues. Moreover, addressing the velocity of risk can enable internal audit to help management and the board anticipate and prevent these crisis events from occurring.</p><p>Sridhar Ramamoorti</p>
<h1>A Matter of Privacy</h1><h2>How do regulations like GDPR address issues with protecting personal data?</h2><p><strong>Maali</strong> Europe’s General Data Protection Regulation [GDPR] pushes companies doing business with Europeans’ data to do three things well: give people control over their data, respond quickly to breaches, and embed privacy controls throughout their business. The law has changed the privacy function from a paper-based exercise of policies and contracts to a business-transformation program affecting every product and service that uses European data.</p><p><strong>Hrubey</strong> GDPR and regulations like the California Consumer Privacy Act, Brazil’s new General Data Protection Law, and new and revised regulations in Australia, China, and Japan highlight the need for companies to get their data protection practices in order. Organizations tend to have common challenges relating to data protection, including difficulty maintaining a current inventory of personal data, failing to connect privacy notices and privacy consents to personal data, and keeping personal data longer than is necessary to complete the business purpose described. Companies also are challenged with maintaining the accuracy of personal data and responding timely to data subject access requests.</p><h2>What are the consequences of failing to comply with data privacy regulations?</h2><p><strong><img src="/2019/PublishingImages/EOB-Hrubey-Pam.jpg" class="ms-rtePosition-1" alt="Pam Hrubey" style="margin:5px;" />Hrubey</strong> Under GDPR, fines for a failure to comply — particularly with data subject consent-related requirements — can be up to €20 million ($22.5 million), or 4 percent of the organization’s global annual turnover, whichever is larger. Organizations that have a data breach-related violation can be fined up to €10 million ($11.2 million), or 2 percent of the organization’s global annual turnover, whichever is larger. 
Operationally, regulators also can elect to stop the flow of personal data out of the European Union (EU), unless data is going to a country deemed to have adequate data protection provisions under EU regulations — the U.S., for example, does not have that designation. Regulators also can restrict an organization’s ability to use the personal data of EU residents until remediation is made of the underlying compliance problems. And perhaps more problematic is the damage to the organization’s reputation. In a highly digitized economy, customers must be able to trust organizations with their personal data.</p><p><strong>Maali</strong> A lot has been said about the maximum fine for an egregious violation of GDPR. But GDPR also gives European citizens a private right of action to bring lawsuits against companies for privacy violations, and courts have no limit to the penalties and awards they approve. Perhaps the biggest risk is if a regulator imposes an injunction to prevent a company from continuing to process EU personal data. This could stop a product or service overnight.</p><h2>How can organizations demonstrate that they are safeguarding information?<br></h2><p><strong><img src="/2019/PublishingImages/EOB-Mike-Maali.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Maali</strong> The most visible way for companies to demonstrate a high level of data-privacy maturity is to offer employees and consumers a portal where they can view, correct, and delete their data and express opt-in and opt-out privacy consents. In addition, a well-documented process for assessing, monitoring, and mitigating risk can provide confidence to key stakeholders.</p><p><strong>Hrubey</strong> Regulators expect organizations to be able to defend the risk-based decisions they have made regarding implementation of GDPR’s requirements. On the customer side, organizations should be transparent about the safeguards they are using to protect personal data. 
Privacy notices should, using plain language, include a description of how the organization protects the personal data under its care and be updated when the organization adjusts the safeguards used. Organizations should take a similar approach to privacy consent language, and take care to not process personal data before obtaining the data subject’s consent. Organizations also should consider including information about their privacy program on their website. </p><h2>What is audit’s role in assessing privacy governance?</h2><p><strong>Hrubey</strong> GDPR requires organizations to periodically assess compliance against the requirements. Internal audit generally is in an excellent position to make this assessment on behalf of the organization. The key to a successful privacy audit is to understand the organization’s privacy landscape and the potential risks it faces. Mindful of those risks, internal audit can leverage existing audit methodologies and follow standard internal audit methodology to understand the organization’s performance in those potential risk areas. Privacy is ever-changing, so being agile regarding the risk landscape is the best approach to the privacy audit. Privacy team members along with their legal support colleagues are responsible for determining how regulations like GDPR apply to the organization, and then ensuring that appropriate program materials are prepared. Internal audit can assess whether the organization has pulled through the policies and procedures as expected.</p><p><strong>Maali</strong> Internal audit can play a range of roles helping a company accelerate its privacy journey. The first is to consider data privacy as a material risk for the organization to monitor. Internal audit also can advise management on the selection of a privacy control framework that is most applicable to the company’s industry. 
It can assess and report the company’s status against that framework, and make recommendations on which stakeholders in each line of defense are best positioned to own the remediation of the control gaps. Internal audit also is positioned to test these controls on an ongoing basis, including reporting progress to senior management and the board.</p><h2>What should internal audit assess regarding third-party data privacy compliance?</h2><p><strong>Maali</strong> Internal audit can help the organization reduce third-party privacy risk in several ways. First, internal audit can ensure that management has sufficient processes to identify high-risk suppliers and perform ongoing monitoring. In addition, internal audit can ensure that sufficient protections exist within third-party contracts, including right to audit provisions. Finally, internal audit can play an important role in assessing the data privacy controls for high-risk suppliers.</p><p><strong>Hrubey</strong> Under GDPR, third parties who are processing personal data on behalf of an organization are accountable for complying with the related regulatory requirements. This does not mean that the organization hiring a third party is off the hook. Because the hiring organization is usually operating as a controller under GDPR — the entity that determines the purposes, conditions, and means of the processing of personal data — the controller may still have liability if the instructions provided to the third party regarding processing personal data were inappropriate. Organizations should have contracts that address expectations associated with privacy and data protection. Internal audit can evaluate contract compliance.</p><h2>What controls are most needed to ensure the organization complies with data privacy regulations?</h2><p><strong>Hrubey</strong> The answer depends, at least in part, on the organization’s work, its industry, and the specific personal data it processes. 
Generally, organizations need data privacy-related controls, including an individual responsible for determining what regulations apply and what the organization must do to comply; risk assessment processes that can pinpoint privacy and data protection-related risks; clear policies and procedures for employees to follow; periodic training; and investigations into noncompliance that identify associated root causes. Strong information security-related processes should include, for example, access controls by role and, where appropriate, by individual; encryption of electronic equipment, including laptops and mobile devices; physical security; and logical security.</p><p><strong>Maali</strong> The most difficult, but foundational and important privacy control, is to maintain a current inventory of all personal data, both within the organization and among relevant third parties. All lines of defense will have a role in meeting that objective. With a sustainable and accurate data inventory, companies can deploy other controls around information security and data-subject rights.</p>Staff
A Board's Eye View of Digital Disruption<p>At the end of every year, North Carolina State University and Protiviti publish a survey report on the enterprise risks occupying the minds of board directors and corporate executives for the following year. The Executive Perspectives on Top Risks report is always worth reading, and the 2019 edition does not disappoint.</p><p>What’s topping the charts for this year’s risks? Fear that the organization’s existing operations and technology won’t match performance expectations, especially against “born digital” competitors. That’s no surprise. Taxis vs. Uber, hotels vs. Airbnb, broker dealers vs. robo-advisors — even the record industry vs. iTunes, a bit further back in history. Fear of more nimble, next-generation competitors, while your own organization is too hidebound to get out of its own way, is not new. </p><p>So how should boards approach digital transformation? “It’s something we talk about all the time,” says Tom Richlovsky, audit committee chair of United Community Banks (UCB), a regional bank based in Georgia. A generation ago, UCB would never find itself squeezed by fintech startups or global banks courting everyone with a mobile phone. Today, UCB does. As Richlovsky says: “We have a front-row seat to how digital disruption operates.” </p><h2>The Strategic Threat</h2><p>First, let’s appreciate what happens with digital disruption. Born-digital firms can be so disruptive because they build business models for existing problems with dramatically less commitment to physical assets. That’s the economics of it. </p><p>What happens operationally is a bit more nuanced. Digital firms can be more nimble because they are less bound to specific ways of doing things. 
Code is code, after all; if you don’t like how it works, you can change it.</p><p>So digital firms are less committed to physical assets, and they can pick off specific problems in a business, introducing whatever new solution they want. That’s how they disrupt the business models of established companies. They provide new choices to customers, who often depart the organization’s model for the upstart’s. </p><p>A big part of success at digital transformation, then, involves close observation of the organization’s customers, plus a big dollop of imagination about what new relationships the organization can forge with them. “You have to understand what’s happening with your customers so that you can get a step ahead of them, and get them to adopt technologies and become a better customer who stays with you,” says Glenn Gow, a former board director at data analytics firm acuteIQ, who now advises boards on digital strategy. </p><p>Gow uses the example of ordering pizza. In the last decade, consumers have moved from placing orders by phone to placing them by app. Online ordering eases the transaction for the customer and generates more customer data for the pizza company — a great example, Gow says, of digital disruption benefiting all parties involved.</p><p>Too many boards fear the threats of digital disruption more than they embrace its opportunities. The truth is digital disruption will drive both threats and opportunities. “The ways in which disruption can occur are multiplying,” Richlovsky says, so the board needs to educate itself on all those ways. 
</p><h2>Governance of Digital Disruption</h2><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>Top Risks for 2019</strong></p><ol><li>Existing operations meeting performance expectations, competing against “born-digital” firms.</li><li>Succession challenges and ability to attract and retain top talent.</li><li>Regulatory changes and regulatory scrutiny.</li><li>Cyber threats.</li><li>Resistance to change operations.</li><li>Rapid speed of disruptive innovations and new technologies.</li><li>Privacy/identity management and information security.</li><li>Inability to use analytics and big data.</li><li>Organization’s culture may not sufficiently encourage timely identification and escalation of risk issues.</li><li>Sustaining customer loyalty and retention.</li></ol><p><em>Source: Executive Perspectives on Top Risks 2019, Protiviti and North Carolina State University Poole College of Management’s ERM Initiative</em></p></td></tr></tbody></table><p>In theory, if the board wants to gain more knowledge about the risks a certain issue might pose, step 1 is to ask the internal audit function. Digital disruption, however, poses so many strategic questions that it doesn’t lend itself to such straightforward analysis. 
It’s an open question whether most audit functions could understand and assess the challenges at hand.</p><p>“The concept is a good idea,” says Alan Siegfried, who is on a bank’s audit committee now and has served on the audit committees of UNICEF and Bon Secours Health System, “but realistically, probably 90 percent of the audit functions out there don’t have the qualifications or skill sets to do that well.” </p><p>Boards can take a few steps to improve that picture. First, they can identify strategic priorities for digital transformation more clearly, so the business units can determine which operations and business processes should be digitally transformed, and how. For example, should the business focus more on the “offense” of developing new products or services, or the “defense” of developing improvements to existing ones? Should it cut fixed costs by moving to cloud-based services, even if that drives up security, privacy, and litigation risks? </p><p>Gow suggests that boards work closely with the CEO and the chief information officer (CIO) on those points. After all, if success at digital disruption depends on astute data analytics and bold imagination on how to serve the customer in new ways — the CIO handles the former, the CEO the latter. </p><p>Then the board and management can develop a technology strategy that supports digital transformation, including the critical step of what new controls will be necessary to implement the strategy. For example, moving business processes to the cloud and taking advantage of mobile devices, so the organization can launch an international sales force with more in-the-field agents, is a reasonable digital transformation goal. </p><p>The technology strategy, however, will raise questions such as: How can the company harness all its operational data, if the data is stored within different apps? How does the company secure its data on employees’ personal devices? 
At that point, internal audit or compliance functions can return to the conversation, because the digital transformation goal is already laid out. The questions are more about risk management to ensure the transformation doesn’t go awry.</p><h2>Oversight of Digital Transformation</h2><p>So, which board committee should have digital transformation as part of its remit? A strong argument exists that no specific committee should own it. The only logical candidates would be the audit committee or a risk committee, and they are, to use Richlovsky’s phrase, “reactive committees.” That is, they seek to ensure that safeguards are in place for whatever strategies the organization pursues. How an organization moves into the digital world, however, is a strategic choice unto itself. Thus, the whole board should be responsible for infusing digital awareness into every organizational strategy and objective. </p><p>“When it’s a strategic journey the company is going through, it needs to be a full board topic,” says Eric Allegakoen, head of internal audit at Adobe and chair of The IIA’s Audit Committee. “Once the strategy becomes clear in how it’s getting executed, there would be responsibilities at the audit committee or risk committee level to monitor progress.”</p><p>Indeed. And if the risks listed by Protiviti, above, are any indicator, digital transformation will likely permeate boardroom conversations for some time.</p>Matt Kelly
The Single Point of Failure<p>When Canadian cryptocurrency exchange CEO Gerald Cotten died unexpectedly in December, he took key corporate passwords to his grave. Those passwords could unlock $137 million in customer funds that were trapped on Cotten’s encrypted notebook computer. Without the recovery key to access those funds, his company, QuadrigaCX, filed for bankruptcy, according to Nova Scotia’s Supreme Court records. </p><p>In March, court-appointed monitor Ernst & Young (EY) cracked Cotten’s code and found the funds had been transferred out of customers’ crypto wallets in April 2018. Moreover, EY says QuadrigaCX kept limited records and never reported its financials.</p><p>This incident takes the meaning of a single point of failure to a higher level. It also suggests some considerations for internal auditors now and in the future.</p><p>At QuadrigaCX, basic governance, risk management, and controls failed to prevent this unexpected and disastrous event or allow for a timely recovery. Clearly, access controls stopped the company from running the key cryptocurrency exchange process and transacting with its customers normally. </p><p>All organizations need to think about single-point-of-failure risks such as one person knowing all the key passwords to a critical process. This risk occurs when failure of one part of a system stops the entire system from working. This condition is undesirable in any system with a goal of high availability or reliability. This is what happened at QuadrigaCX, which raises important questions and lessons in three key areas.</p><h2>Technology Governance, Risks, and Controls</h2><p>Internal auditors should identify critical business technology governance, risks, processes, and systems to determine whether single points of failure exist. 
IIA Standard 1210.A3: Proficiency calls on auditors to know the business and technology they review, which they can accomplish by learning, documenting, and mapping key processes and systems. As part of that process, the auditor may analyze the process flow and identify whether certain devices or processes could become a single point of failure. For example, in some network configurations, a single router or device may serve as a key gateway. But if the one device fails, the gateway may become unavailable to users. </p><p>Likewise, a single software failure can have a calamitous impact on a business. In 2012, a failed software test at Knight Capital caused the company’s new trading system to start trading repeatedly, resulting in a $440 million loss within 45 minutes.</p><p>Information security tools or systems can become a single point of failure, too. For example, a retail company requested that all of its customers update their sign-on passwords, telling them it would give them promotional discounts and improve account security. However, the password security system became a single point of failure when suddenly too many customers logged on to update their passwords, which crashed the system. The system was not designed to handle the volume. </p><p>In addressing single points of failure, internal auditors should focus on the highest business process and technology risks. For example, Deloitte’s An Eye on the Future 2019: Hot Topics for IT Internal Audit in Financial Services report lists cybersecurity, technology transformation and change, technology resilience, and extended enterprise risks among its hot risk topics. Several of these topics apply to all organizations.</p><p>Knowing the top risks represents a start, but finding single points of failure in those areas can be challenging. Internal auditors cover program changes by testing governance and controls, but at best, auditors can only sample certain testing procedures and processes. 
</p><h2>Disaster Recovery Backup Testing</h2><p>Internal auditors should determine what recovery or backup plans are in place for the organization’s critical systems. Disaster recovery plans serve as a high-level control process to restore critical systems that were lost or disrupted. Reviewing the governance, risks, and controls over backup or disaster recovery tests allows the auditor to determine how rapidly a critical system can be recovered. The objective of recovery testing should include looking at any single points of failure such as testing for missing documents, devices, or key individuals. </p><p>Use of cloud technology and software as a service adds different factors that the auditor needs to review. For example, how frequent and how realistic are the testing plans? What mistakes or setbacks are uncovered, and more importantly, are there any single points of failure? If a critical system recovery was performed but needed a single person to provide the only passwords to transact or start the system, then the auditor or recovery team should consider this a single point of failure.</p><p>Some technology recovery plans are not completely tested or exercised because they are too complex, no resources are budgeted, or the governance is too weak. Sometimes limited recovery is considered successful. </p><p>Several years ago, during a large payroll processor’s data center disaster recovery test, an IT audit team observed that a critical system failed to restore several times. The culprit: One backup medium failed and could not be read. The disaster recovery team was able to get a new backup made but from the existing data center. This backup took more than two days to create. What would have happened if the existing data center had been unavailable or if it took weeks to restore? Would the payroll processor’s customers accept this critical service disruption? 
</p><h2>Key Personnel</h2><p>Auditors should look for key personnel or executives as a single point of failure in their audit universe or audit program. If a privileged account user, system administrator, or CEO is the person who knows the key password, and no other person or recovery process is in place, then the risk of a single point of failure increases.</p><p>To begin, internal auditors should identify who the key stakeholders — customers, vendors, or users — are for the critical systems. They should inquire and document whether any single individual performs a critical task or function and consider the single-point-of-failure risk. </p><p>Key personnel do not need to be a CEO to become a single point of failure. During a review of a large retailer’s critical key management system, an IT auditor discovered that one of the two individuals who had half of the primary encryption key had left the company. The company noticed this situation because it had not needed to generate a new key since the employee departed. If it had needed to generate a new key, a serious delay or security incident may have occurred.</p><h2>Prepare for the Future</h2><p>Preparing for the future, internal auditors need to continue assessing complex IT processes based on risk. The QuadrigaCX incident demonstrates that auditors need to assess possible technology single points of failure. When a single point of failure can disrupt an organization’s business or technology process, auditors need to carefully assess this threat. Ignoring it could be hazardous to the organization’s health.</p>Steve Mar
Editor's Note: GDPR Is Just the Beginning<p>It is no surprise that cybersecurity and data protection remain top worries among chief audit executives (CAEs) responding to this year’s IIA North American Pulse of Internal Audit report. Seventy percent are highly concerned about the potential for reputational harm stemming from an inappropriate disclosure of private data. What is surprising is that CAEs are far less concerned about compliance with new data protection rules. Nearly 50 percent of respondents say their organizations have minimal or no concern. </p><p>Almost a year after the European Union’s General Data Protection Regulation (GDPR) went into effect, organizations are feeling “<a href="/2019/Pages/GDPRs-Global-Reach.aspx">GDPR’s Global Reach</a>.” And, it’s just the beginning. China has introduced regulations on cybersecurity, data protection, and cross-border data transfer that are reflective of GDPR. Brazil has a new General Data Protection Law that will go into effect in early 2020, and new and revised regulations are coming out of Australia and Japan, among many others. And, in the U.S., the California Consumer Privacy Act will take effect next year. </p><p>“Compliance requirements like GDPR are forcing changes in the way data is handled in many organizations,” Jan Hertzberg, a privacy consultant, tells author Arthur Piper. “For CAEs, it is not just about data privacy, but data integrity throughout the business.”</p><p>The many new data privacy regulations “highlight the need for organizations to get their data protection practices in order,” says Pam Hrubey of Crowe in this issue’s “<a href="/2019/Pages/A-Matter-of-Privacy.aspx">Eye on Business</a>.” Hrubey says organizations tend to have common challenges relating to data protection. She and Mike Maali of PwC consider those challenges and how organizations can safeguard information, as well as internal audit’s role in privacy governance. 
</p><p>In the Pulse report, concern about GDPR compliance escalates in line with the size of the respondent’s organization. In organizations with more than 50,000 employees, 62 percent rated compliance as a high concern compared to 29 percent who rated it that way overall. This suggests that larger organizations are more likely to have international operations. However, for others with international operations, there also could be some misunderstanding of when these new rules apply, as they are based not on the location of the organization, but on the location of the customer whose data is being gathered. To read the full 2019 Pulse report, visit <a href="" rel="nofollow"></a>.</p><p>On another note, it’s time once again to recognize high achievers in the profession. Nominations for <em>Internal Auditor</em>’s 2019 Emerging Leaders are now open. See the opposite page to learn how to nominate. Tell us who are the best and brightest in your internal audit functions and look for the article featuring this year’s leaders in October.</p>Anne Millage
GDPR's Global Reach<p>If U.S. businesses believed the broad waters of the Atlantic would save them from the European Union’s new General Data Protection Regulation (GDPR), that illusion was dispelled on Jan. 21. That was the day on which the French privacy regulator Commission Nationale de l’informatique et des Libertés (CNIL) fined Google about €50 million ($57 million) “for lack of transparency, inadequate information, and lack of valid consent regarding the [sic] ads personalization.”</p><p>NOYB–European Center for Digital Rights and La Quadrature du Net — two privacy activist groups — brought the case almost as soon as GDPR came into effect on May 25, 2018. They claimed that users could not give specific consent for Google to process private data because its terms and conditions were too ambiguous.</p><p>The regulator agreed. In the first big case to be decided under the new regulations, CNIL ruled that Google had breached the requirement for transparency. If customers wanted to find out how their data was used — especially for the business’ geo-tracking service — they would have to click through five or six different pages on the company’s site. Even then, some of that information was “not always clear nor comprehensive.” In addition, CNIL said that because the company used the data for an array of services, Google’s legal basis for processing it for each individual service was too opaque to the customer.</p><p>The regulator also found fault with Google’s consent procedures for targeting customers with personalized ads. It complained that users had to go into the “more options” menu to modify how their data would be used — the consent box there was already pre-ticked. More importantly, CNIL noted that in creating an account, the user was effectively agreeing to a range of data processing by the company — involving ads personalization, speech recognition, and more — which were all covered by a single agreement. 
“GDPR provides that the consent is ‘specific’ only if it is given distinctly for each purpose,” CNIL concluded. </p><h2>GDPR Is Just the Start</h2><p>While Google has appealed the case to France’s top administrative body, the Council of State, CNIL’s train of logic provides an indication of how regulators are interpreting key aspects of GDPR for organizations based anywhere in the world and how they are applying fines. More than that, GDPR is likely to change the way organizations handle private data globally. No wonder internal auditors who felt they had crossed the finish line when GDPR went live are realizing they have just begun the race.</p><p>“Many U.S.-based organizations wish that they would have started their GDPR compliance efforts earlier,” says Jan Hertzberg, independent privacy consultant and adjunct professor at DePaul University in Chicago. Last year, many of them focused on updating their privacy policies and notices just before GDPR requirements went into effect. In the year to come, they plan to prioritize enterprisewide, GDPR risk assessments “to identify their greatest risks” and perform GDPR governance audits, he notes. </p><p>This new focus on data privacy is timely because GDPR’s underlying philosophy is finding its way into new regulations around the world: Customers have to specifically opt into services, their consent over data processing has to be explicit, they have a right to know what data organizations hold and how they use it, and organizations must have rapid response processes to notify regulators and customers of serious data breaches. In the EU, for instance, the provisions of GDPR will be extended to electronic communications by a new e-Privacy Regulation, which is expected to come into effect later this year. 
These rules will govern how organizations can send out unsolicited marketing emails and text messages, will enable web users to set their cookie preferences on their browsers, and will stiffen up confidentiality rules for internet businesses. </p><p>Further afield, China last year introduced a slew of regulations on cybersecurity, data protection, and cross-border data transfer with distinctive GDPR-type features. And in the U.S., the California Consumer Privacy Act of 2018, which takes effect in 2020, features opt-out clauses, transparency rules, and rights for customers to be forgotten similar to those contained in GDPR.</p><p>Internal auditors are working to better understand the regulators’ approach in balancing advice and punishment. And some are busy building networks within and outside of their organizations to help them understand the rules and what they mean to their enterprises. And while increasing their IT competencies is likely to be important, getting to grips with strategic issues is key.</p><h2>Regulators’ Approach</h2><p>GDPR applies to all businesses that hold the personal data of citizens of the EU, making businesses outside of Europe potentially subject to European rules. In this year’s Google case, CNIL made an important distinction that is likely to carry weight for complaints involving U.S. companies and others based outside of Europe. Despite the fact that Google’s European headquarters are in Dublin, Ireland, CNIL brought the case against the U.S. parent Google LLC. It ruled that because the U.S. office had the final say on how data collected through its Android app was used, the U.S. parent was legally responsible for complying with GDPR. Any fine is calculated, therefore, on the parent company’s turnover. In 2017, Google LLC had turnover of $110 billion, so the company could have been fined $4.4 billion, rather than the $57 million imposed by CNIL.</p><p>The U.K. 
regulator, the Information Commissioner’s Office (ICO), says fines do not represent the biggest threat to organizations from GDPR. It says the idea that there will be massive fines is “myth No. 1” when it comes to understanding how regulators are implementing and interpreting their new powers. “In terms of powers and sanctions, the ICO aims to educate and support organizations in fulfilling their responsibilities in relation to data protection,” says Debora Biasutti, lead communications officer for the ICO. “Issuing fines has always been, and will continue to be, a last resort.”</p><p>At the time of publication, the U.K. could potentially leave the EU without a formal set of agreements to govern how data on citizens is used between the two territories. If that happens, the U.K. will be covered by the 2018 Data Protection Act, which enshrines most of the provisions of GDPR into U.K. law.</p><p>Early indications are that regulators are working with businesses to help them comply but are prepared to fine them “proportionately” for perceived noncompliance. How regulators are seeking to help organizations can be seen by a series of cases involving much smaller businesses than Google. </p><p>In December 2018, for example, CNIL closed a GDPR consent case with a small French ad tech firm called Fidzup. According to the online magazine <em>TechCrunch</em>, Fidzup worked with CNIL to create a longer consent form so that customers could opt into, or out of, every service it offered individually, which echoes CNIL’s approach to Google. </p><p>“Now, okay, we have something between the initial asking for the CNIL — which was like a big book — and our consent collection before the warning, which was too short with not the right information,” Fidzup CEO Oliver Magnan-Saurin told <em>TechCrunch</em>. The amended consent form is still a long read, he concedes. 
The company also had to alter the way its technology worked so that, for example, the app and its geolocation features worked even if the data did not go to advertisers when the user opted out. </p><h2>Slow Burn</h2><p>It is not clear whether internal auditors have fully grasped the extra-territorial reach of GDPR, according to recent IIA research. The 2019 North American Pulse of Internal Audit found that while 70 percent of chief audit executives (CAEs) surveyed were highly concerned about suffering reputational damage from privacy issues, only 29 percent expressed high concern about compliance with GDPR — although that concern grew to 62 percent among large organizations. “This could reflect some misunderstanding of how and when these new data protection and privacy rules apply,” the report says. The fact that the rules are not based on the location of the organization, but on the location of the customer whose data is being gathered, could have led some CAEs to believe their businesses are not affected, the report suggests.</p><p>Hertzberg says organizations’ apparent slowness to respond to GDPR requirements may be attributed in part to a lack of knowledge of GDPR requirements along with lack of clarity as to how to comply. He is somewhat critical of what he sees as the shortage of attention the EU has paid to educating businesses outside Europe. “Since this is so obviously a worldwide phenomenon, European regulators would do well to consider the foreign players more,” he says.</p><p>“Lack of awareness of GDPR requirements is a critical issue for organizations’ management, staff, and board,” Hertzberg adds. Internal auditors and compliance professionals often struggle to get those stakeholders to pay attention to what seems to be a European issue. 
“Now that the newness of GDPR has worn off, there is a concern that these requirements will get even less attention in the future,” he explains.</p><p>Hertzberg notes that some internal audit management — for example, CAEs and directors of internal audit — may be reluctant to hire cybersecurity and privacy specialists for their departments. Instead, they have chosen to collaborate with their own general counsels, chief information security officers, and chief privacy officers to help them come to grips with what the regulations mean in practice. They also have enlisted assistance from third-party consultants.</p><p>Overall, CAEs have focused on cybersecurity and privacy awareness so that those with operational responsibilities clearly understand that they must “own” the data they collect and use. In doing so, they will better understand the need for, and the issues around, the retention and protection of personal data. More problematically, he says, businesses have been less clear about which named person is ultimately responsible for the data that the organization owns.</p><p>“Compliance requirements, like GDPR, are forcing changes in the way that data is handled in many organizations,” Hertzberg says. “For CAEs, it is not just about data privacy, but data integrity throughout the business. That will mean internal auditors pay more attention than ever to data and become more data-centric in their approach to providing assurance.”</p><h2>Business Issues</h2><p>Dominique Vincenti, CAE at Uber and former vice president of internal audit at Seattle-based Nordstrom, says the initial risk for the department store business, compared to larger online retailers, was thought to be minimal because the proportion of shoppers based in Europe that use its online services is relatively small. “We used the opportunity to energize management around the topic because we felt that if it is not specifically GDPR, it is going to be something else that is GDPR-like,” she says.
</p><p>Sure enough, a few months after GDPR took effect, California passed its own consumer protection laws. Vincenti says she would not be surprised if similar federal laws were in the pipeline. “California is significant to all U.S. businesses,” she explains. “If you are going to comply with its GDPR-like provisions, you are not just going to adapt your systems to only do so for your customers in California because it would be too difficult to segregate your customers. You just go with the highest common denominator.”</p><p>Vincenti says she expects most internal auditors will be ahead of the game when it comes to understanding the significance of such regulations. First, most will understand that the majority of organizations have poor data governance processes in place, so GDPR provides an opportunity to start addressing how businesses manage and govern data effectively. Second, those data governance weaknesses make GDPR a business issue, rather than a technology issue. “Internal audit needs to help the business understand whether it is leveraging and protecting this crucial asset as well as it should,” she says.</p><h2>Models and Strategy</h2><p>As GDPR-style regulations become more prevalent, businesses may need to rethink their strategic plans, says James Reinhard, audit director at Simon Property Group in Greenwood, Ind. For example, instead of modeling an online initiative to contain data in a centralized server, a company may need to devise a more dispersed, decentralized model in which it retains data in various countries, because some of its target jurisdictions may prohibit cross-border data transfers. This, in turn, could affect the cost, reach, and viability of such projects.</p><p>“If internal audit has a good seat at the table, it can be a sounding board for both executive management and the audit committee, and it can assess how well the changing environment is being monitored by management,” he says.
“If such alignment with management is not there, this is going to be an increasing problem for internal audit.”</p><p>Reinhard says CAEs may strengthen their IT competencies to enable them to conduct more sophisticated data privacy reviews, tracking and protecting such data as it flows through increasingly digitalized businesses.</p><p>“Internal audit will need to rely on the company’s legal counsel to provide guidance on interpreting what is the use of a specific set of data and the manner in which it must be secured,” Reinhard says. “Naturally, if the company’s legal interpretation is incorrect, then internal audit’s opinion on attesting to compliance could be incorrect, too.” Expanding internal audit’s professional network can enable it to benchmark and find ideas that can be brought back into the organization, he adds.</p><h2>Finding Meaning</h2><p>Regardless of where they are based, many businesses are struggling to understand what GDPR means in practice, says James Castro-Edwards, a partner at the London law firm Wedlake Bell. “We’ve heard of organizations issuing hundreds of pages of information in response to subject access requests when that is not what the law required them to do,” he explains. There is a similar trend in reporting minor data breaches where the affected information is either low risk — people’s names and addresses — or where it has been suitably encrypted and protected. </p><p>“Internal auditors are going to have to focus a lot more sharply on data protection compliance,” Castro-Edwards says. That could include providing assurance on the business’ understanding of materiality so that management is not wasting time over-reporting. The ICO has commented on the widespread over-reporting of personal data breaches since GDPR took effect. 
Many incidents have been reported on a cautionary basis, while the mandatory obligation to maintain a record of incidents — including an explanation of any decisions not to report incidents — may have been overlooked.</p><p>Castro-Edwards says regulatory enforcement action will gradually help businesses understand GDPR better. But fresh legal risks are still emerging. </p><p>Last year, the U.K. supermarket Morrisons found itself on the end of group litigation — or class action as it is known in the U.S. — brought on behalf of just over 5,500 employees. The plaintiffs were among 100,000 Morrisons workers whose personal details were released on the internet by a disgruntled former employee. In what could be the first of many such cases, a U.K. lawyer brought the action following a relatively recent development in the common law that established the principle that people affected by a personal data breach may be able to claim compensation for pure distress. </p><p>“It is early days, but this could become as big a risk for businesses as ICO enforcement activity, because of the number of individuals typically affected by a high-profile data breach,” Castro-Edwards says. “Each affected individual need only claim a small sum for distress for the potential damages to mount up to a significant sum.” </p><p>That could mean that a U.S. company holding data relating to U.K. customers could find itself caught up in a class action. “The fact of the matter is that the ICO and other regulators have limited resources,” he says, “but any lawyer with the time and energy could bring this type of claim on behalf of a large number of individuals following a personal data breach.”</p><p>Perhaps the key lesson of GDPR for internal auditors is that the new regulations not only changed the rules on data privacy and processing, they changed the game. It is a game where the winners will have good data governance and pay close attention to how the rules are developing globally. 
Internal auditors who have strong networks across the business and beyond will be able to support the board on how GDPR may impact both operations and strategy. They will, in short, be a key player on the team.</p>Arthur Piper
Banks and Bitcoin<p>Some 10 years ago Bitcoin became the world’s first cryptocurrency, but mass adoption of it and other digital currencies has been hampered by price volatility and a general reluctance by investors, financial institutions, and regulators to get behind the technology. Barriers include lack of understanding about how the cryptocurrency works, as well as a trading process that can be opaque and subject to abuse — namely through hacking, market manipulation, and potential fraud.</p><p>That may be changing, however. In February JPMorgan Chase launched “JPM Coin,” the first cryptocurrency created by a major U.S. bank. It will be used to settle payments between clients, and the lender will then work to transfer cross-border payments or corporate debt issuance services to the blockchain. The technology will facilitate near-instantaneous settlement of these money transfers and will, according to the bank, mitigate counterparty risk.</p><p>The move represents a dramatic change of attitude: Just a few years ago JPMorgan CEO Jamie Dimon called bitcoin a “fraud” and even threatened to fire employees who traded in it. Other banks, including HSBC, State Street, Credit Suisse, and Barclays, have either used blockchain and cryptocurrencies (albeit tentatively) or are planning to do so.</p><p>Yet within a month of JPMorgan’s announcement, the Basel Committee on Banking Supervision, comprising the governors of 10 key central banks, released a warning about cryptocurrencies. In a statement it said that “while the crypto-asset market remains small relative to that of the global financial system … the continued growth of crypto-asset trading platforms and new financial products related to crypto-assets has the potential to raise financial stability concerns and increase risks faced by banks.”</p><p>The committee said that crypto-assets “do not reliably provide the standard functions of money and are unsafe to rely on as a medium of exchange or store of value,” adding that crypto-assets are not legal tender and are not backed by any government or public authority. Furthermore, the Basel Committee cited crypto-assets’ history of volatility and lack of standardization and pointed to numerous risks they present to banks, including liquidity risk, credit risk, market risk, operational risk, money laundering and terrorist financing risk, and legal and reputation risks.</p><p>Nonetheless, the committee accepts that banks may still want to participate in the crypto-market. As such, if a bank decides to acquire crypto-asset exposures or provide related services, it should adopt certain measures as a minimum — and internal auditors may want to take note.</p><h2>Crypto-risks</h2><p>First, adequate due diligence is a must, the committee says. A bank “should ensure that it has the relevant and requisite technical expertise to adequately assess the risks stemming from crypto-assets.”</p><p>Second, a bank’s risk management framework for crypto-assets should be fully integrated into the overall risk management processes, including those related to anti-money laundering, combating the financing of terrorism and the evasion of sanctions, and heightened fraud monitoring. Furthermore, boards and senior management should be provided with timely and relevant information related to the bank’s crypto-asset risk profile.</p><p>Third, a bank should publicly disclose any material crypto-asset exposures or related services as part of its regular financial disclosures. It should also specify the accounting treatment for such exposures, consistent with domestic laws and regulations.</p><p>Finally, the bank should inform its supervisory authority of actual and planned crypto-asset exposure or activity in a timely manner. Moreover, it should provide assurance that it has fully assessed the permissibility of the activity and the risks associated with the intended exposures and services, and explain how it has mitigated these risks.</p><p>Daniel Wolfe, managing director at specialized research and investment group Simoleon Long-Term Value in London, says there are four key areas of risk that internal auditors should be aware of. The first is secure storage. “Crypto assets are secured by a private access key, but it is important that this key — essentially, a long list of letters and numbers — is kept safe, and that it is not just known to one person and held on one laptop.”</p><p>In February QuadrigaCX gained worldwide media attention due to the unique circumstances surrounding its failure. After the death of its CEO Gerald Cotten, the collapsed exchange no longer had access to his laptop, which contained the keys for over US$100 million worth of customers’ funds. And while the company’s external auditor has since cracked the code, it found the funds had been transferred out of customers’ crypto wallets in April 2018. The company’s directors are still in the process of trying to pay off creditors, and many have accused QuadrigaCX of suspicious activity or at least extreme negligence. “It is safer to separate the assets across several private keys so that if a hack does occur or if a laptop goes missing, not all of the cryptocurrencies will be stolen or lost,” says Wolfe.</p><p>Another key risk that internal auditors need to be aware of, Wolfe says, is the poor governance and lack of adequate controls around cryptocurrency exchanges. “The people behind the technology are more intent on making the trading a possibility rather than focusing on whether the exchange meets the same regulatory standards and levels of assurance as you’d find in a normal exchange,” he explains. “Some don’t even have basic ‘know your customer’ controls, for example, raising concerns about money-laundering. As such, the levels of governance, monitoring, and internal control are much poorer in a lot of crypto-currency exchanges.”</p><p>Wolfe also warns that internal auditors should pay close attention to how crypto-assets are handled on the balance sheet. He points to the lack of standardization on cryptocurrency profit and loss treatment as a potential area of concern when reporting organizational value for tax purposes, particularly in light of current volatility.</p><p>Indeed, the volatility around cryptocurrencies is a major risk in itself, Wolfe says. In the space of a year, the total worth of the cryptocurrency market fell to $139.7 billion by December last year — a drop of more than 80 percent compared to an $819 billion market cap in January 2018. “Cryptocurrencies will remain volatile for some years yet, so banks need to question how much of these types of assets they want to hold and for how long,” Wolfe says. “Catastrophic losses may seem a remote possibility, but they remain a possibility nonetheless. For example, if Bitcoin was hacked, confidence in the cryptocurrency could collapse overnight.”</p><h2>Lack of Harmony</h2><p>Jay Gomez, senior associate in the financial services team at Gibraltar-based law firm Triay & Triay, says that internal auditors need to be aware that there is no agreed international standard regarding cryptocurrency regulation, oversight, or risk. “Some jurisdictions take a very tough line on cryptocurrencies, such as the U.S., while others might be more pragmatic,” he says. “Regulatory approaches and views differ from one market to the next, so this may impact how banks might want to provide cryptocurrency services in those jurisdictions.”</p><p>Gomez also warns that the technology and the development of the cryptocurrency market are outpacing the development of effective regulation. Regulators struggle to keep up with rapid changes, he notes, potentially resulting in cryptocurrency risks that either might not be identified or may be underestimated and not controlled adequately by regulators or industry participants. As a result, Gomez suggests that “banks that want to dip their toes into the cryptocurrency market should keep an open dialogue with regulators about what the banks are doing, and how the regulator may react to developments.”</p>Neil Hodge
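<p>Wolfe’s secure-storage point above is that a private key should be neither known to only one person nor held on only one laptop, so that a single death, departure, theft, or lost device cannot lock up or drain the funds. The article describes the control only in words; the following is an added example, not code from the article or from any firm it names, showing one standard way to implement that control for a single key: Shamir’s threshold secret sharing, under which a key is split into several shares, any <em>k</em> of which reconstruct it and fewer than <em>k</em> reveal nothing. The 32-byte key, the 3-of-5 policy, and the “lost laptop” scenario are constructed for illustration; the prime field (the Mersenne prime 2<sup>521</sup> − 1) is an implementation choice, not something the article specifies.</p>

```python
"""Threshold custody for a private key via Shamir's secret sharing.

Added example: any `threshold` of the `shares` reconstruct the key, so a lost
or seized laptop (one share) does not lose access, and a single compromised
share on its own does not reveal the key. Uses only the standard library.
"""
import secrets
from typing import Dict, List

# Arithmetic is done modulo the Mersenne prime 2^521 - 1 (an implementation
# choice for this example): it is larger than any 256-bit key, so every such
# key is a valid field element.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate a polynomial (constant term first) at x, modulo PRIME (Horner)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret: bytes, threshold: int, shares: int) -> Dict[int, int]:
    """Split `secret` into `shares` shares; any `threshold` of them reconstruct it.

    Returns a mapping share_index -> share_value. Each share would be handed to
    a different custodian / stored on a different device.
    """
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    # The random coefficients are what make fewer-than-threshold shares useless.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return {x: _eval_poly(coeffs, x) for x in range(1, shares + 1)}


def recover_secret(shares: Dict[int, int]) -> int:
    """Lagrange-interpolate the polynomial at x = 0 from the supplied shares.

    Correct only when at least `threshold` shares are supplied; with fewer, the
    result is a uniformly random-looking field element, not the key.
    """
    xs = list(shares)
    total = 0
    for i, xi in enumerate(xs):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        lagrange = num * pow(den, -1, PRIME) % PRIME
        total = (total + shares[xi] * lagrange) % PRIME
    return total


def recover_key(shares: Dict[int, int], length: int) -> bytes:
    """Recover a `length`-byte key, refusing values that cannot be such a key
    (the usual symptom of having fewer than `threshold` or mismatched shares)."""
    value = recover_secret(shares)
    if value >= 1 << (8 * length):
        raise ValueError("shares do not reconstruct a key of that length")
    return value.to_bytes(length, "big")


def lost_laptop_demo(threshold: int = 3, shares: int = 5) -> bool:
    """Constructed scenario: key split 3-of-5; the custodian holding share 2
    loses their laptop; the remaining custodians 1, 3 and 4 still recover it."""
    key = bytes(range(32))                       # constructed sample key, not a real one
    all_shares = split_secret(key, threshold, shares)
    survivors = {i: all_shares[i] for i in (1, 3, 4)}
    return recover_key(survivors, 32) == key


if __name__ == "__main__":
    print("recovered after losing one share:", lost_laptop_demo())
```

<p>The policy choice is the pair (threshold, shares): 3-of-5 tolerates two lost shares while still requiring three custodians to collude to move funds. This complements, rather than replaces, Wolfe’s suggestion of spreading holdings across several independent keys, which bounds the loss from any one key’s compromise.</p>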
It's All About Trust<p>Audit committees and chief audit executives (CAEs) talk constantly about how to foster more engagement with each other, and rightly so. Their relationship is one of the most important for an organization to get right, if it wants effective corporate governance.</p><p>A good place to begin, then, is to consider the origin of the word <em>engagement</em>. It descends from the French verb <em>engager</em>. Today that word means “to hire” or “to employ” — but 400 years ago, when <em>engagement</em> first crept into the English language, <em>engager</em> actually meant “to pledge.”</p><p>That’s a useful point to remember when contemplating how to improve the relationship between audit committee and audit executive. It’s about pledging to be there for each other: I will help you, and you will help me, <em>and we both know that</em>. In other words, it’s about trust. Audit committees and audit executives have to trust that the other is thoughtful, competent, and looking out for the best interests of the organization.</p><p>That’s all the more true today in an immensely complex modern business world. Audit committees have a fiduciary (and for publicly traded companies, statutory) responsibility to oversee risk management at their organizations. Audit executives are watching their profession transform from an older era of financial statement audits to a newer one of monitoring risk and working with other parts of the organization to manage risk (see <a href="/2019/Pages/The-Audit-Committee-Connection.aspx">“The Audit Committee Connection”</a>).</p><p>In other words, both parties now have more to do, and more to worry about. That’s why cultivating a strong working relationship is important. That’s why <em>fostering trust</em> is important.
Each needs the other to succeed.</p><p>“It’s a whole new world,” says Theresa Grafenstine, a managing partner at Deloitte, audit committee chair of the Pentagon Federal Credit Union, former audit committee chair of ISACA, and former inspector general of the U.S. House of Representatives. “We need to see this as a partnership.” </p><h2>Trust Begins With Communication</h2> <p>For starters, audit committees and audit executives can simply talk more often. There should be executive sessions at the end of audit committee meetings without management present. The audit committee chair should schedule informal chats with the CAE between formal meetings, even without anything specific in mind. Talk.</p><p>Marty Coyne, audit committee chair at Ocugen and a past audit committee member at numerous other technology companies, swears by both practices. “It’s almost mandatory in my mind,” he says. “If the audit committee isn’t doing that, shame on them.” (In the most recent North American Pulse of Internal Audit survey, nearly one-third of audit executives say they do <em>not</em> meet in private session with the audit committee.) </p><p>What questions should audit committees put to CAEs in those sessions? Unless some specific issue demands attention, they should pose open-ended questions without any right or wrong answers. What’s been happening in the last quarter? Are there any challenges where they can help? Coyne’s go-to question in such meetings: “What <em>didn’t</em> you say?” </p><p>Those questions give the CAE a chance to speak his or her mind, and to lead the discussion where the CAE believes it should go. “It’s so you can draw that person out,” says Brenda Gaines, audit committee chair for Tenet Healthcare. That, in turn, can foster the CAE’s trust in the audit committee.</p><p>Audit committee chairs should take the extra step of regular communication with the audit executive beyond the standard audit committee meetings. 
Gaines schedules a monthly phone call; Coyne has met CAEs for coffee. However the chair does it, that casual, unstructured line of communication can be invaluable.</p><p>“It would help me frame out the agenda for the audit committee meeting,” Coyne says. After all, audit committees have plenty of risks they can discuss in a formal meeting, and time is limited. So Coyne would chat with the audit executive to pinpoint which risks (aside from any standard matters about financials, investigations, and so forth) truly warranted the audit committee’s attention. </p><p>“There’s always room for a topic,” Coyne says, “and I want to make sure that the topic we talk about, beyond the normal topics, is germane and important, and going to move the needle.”</p><h2>Trust Endures Difficulty </h2><p>All that communication and trust spadework can pay off in several ways. First, the very act of creating an open culture among senior executives and the audit committee reduces the chance that difficult matters will arise where the audit committee needs to “take sides” in an impasse between internal audit and management. Second, when those impasses <em>do</em> arise (spoiler alert: sooner or later, they will), the audit committee can resolve it with the least amount of acrimony. </p><p>That also means the audit committee needs a healthy relationship with management, and needs to ensure management and the CAE have a healthy, respectful relationship, too. Grafenstine calls it the “triangle of success” — each side having equal power, where they each understand the other’s roles and responsibilities.</p><p>Coyne’s approach is, whenever possible, to bring all sides together in open communication at a committee meeting. After all, the CAE may be disappointed with the pace of improvement in a business process, but management might have a good reason for the delay: product launches, sudden departure of key personnel, or some other operational issue. 
</p><p>The audit committee’s job is to ensure such differences of opinion are aired openly and respectfully. The best way to do that is to foster trust long before that conversation happens.</p><p>“What you don’t want is all sorts of back-door conversations going on,” Coyne says, like the CEO and CAE speaking to the audit committee members separately, but not to each other. “That’s a disaster when that happens.”</p><h2>An Environment of Trust</h2><p>That need for collegial relations with management raises another point. From today into the future, success as a CAE will be more about exercising leadership and working with other parts of the organization to manage risk than about technical mastery of audit techniques.</p><p>Good audit executives “are not only a valuable resource to help the audit committee discharge its duties,” Gaines says. “They provide management with valuable insight as well on whether risk mitigation is effective.”</p><p>Those risk issues can range from IT controls for cybersecurity, to successful integration of an acquisition, to the rapidly rising concern of “culture risk.” Business processes might need improvement. Data analytics might provide valuable insights that someone needs to translate into updated controls and practices.</p><p>A good audit executive can do all of that, even while balancing the need for independent analysis of risk issues — <em>if</em> the audit committee fosters an environment of trust and open dialogue, and assures that the CAE has the resources he or she needs (financial, technological, personnel) to do the job.</p><p>It’s a lot to ask of the audit committee and CAE alike. One might almost say the French had it right 400 years ago: Engagement really is about pledging yourselves to each other.</p>Matt Kelly