Governance

Monitoring Laws and Regulations and Their Effect on Your Organization
https://iaonline.theiia.org/blogs/marks/2017/Pages/Monitoring-laws-and-regulations-and-their-effect-on-your-organization.aspx
<p>This is an important topic for every organization, whether public or private, local or global.</p>
<p>It's especially true when you add interpretations by the regulators and courts of existing laws and regulations.</p>
<p>Something that you thought you understood to mean A now appears to mean B.</p>
<p>If you are not up to date on the laws and regulations with which you need to comply, there is a significant potential for harm.</p>
<p>OCEG recently shared an infographic on the topic of <a href="http://www.oceg.org/resources/regulatory-change-management/" target="_blank">Regulatory Change Management</a>. Sponsored and developed by Thomson Reuters, the accompanying article points out that there are technology assists that can help monitor changes in the regulatory environment that might affect the organization, its risks, and its ability to remain in compliance.</p>
<p>I agree that technology like this can be very useful. But I am not 100 percent convinced that it is sufficient.</p>
<p>If it were up to me, I would develop a map that shows all the areas where laws, regulations, and societal expectations might apply to the enterprise. I add societal expectations because failing to live up to them can be damaging, directly to the organization's reputation and indirectly to its revenue and more.</p>
<p>I would then, for each area, identify how we could ensure we remain up to date, and who is responsible. I would not ignore sources like:</p>
<ul>
<li>The external law firms.</li>
<li>The external auditors.</li>
<li>Government affairs consultants.</li>
<li>The management team and other advisors.</li>
</ul>
<p>But it's not enough for designated individuals to receive notification of changes that might affect the organization.</p>
<p>It's not enough, as implied in the piece, for analysis to be performed at HQ.</p>
<p>The changes and their implications need to be communicated to all potentially affected individuals across the extended enterprise. That population includes not only employees but partners, service providers, and others in the supply chain.</p>
<p>Training may be needed; policies and procedures may need to be updated. As noted by the authors, controls may need to be changed or adapted to the new environment.</p>
<p>It is quite possible that regulatory change may mean that current strategies and objectives need to be changed as well.</p>
<p>This is an important area, one that deserves the attention of both risk practitioners and internal auditors. From time to time, the board might consider asking management to report on its ability to both identify and then respond to regulatory change.</p>
<p>Perhaps you can share sources of information about regulatory change that I have missed, as well as measures that organizations should take to address them.</p>
<p>OCEG is a great source of <a href="http://www.oceg.org/resource_topic/free/?utm_source=OCEG+Members&utm_campaign=aa0204db3e-Reg+Change&utm_medium=email&utm_term=0_2afb06e6d3-aa0204db3e-122229369" target="_blank">materials</a> and <a href="http://www.oceg.org/education/grc-fundamentals/?utm_source=OCEG+Members&utm_campaign=aa0204db3e-Reg+Change&utm_medium=email&utm_term=0_2afb06e6d3-aa0204db3e-122229369" target="_blank">training</a>. Membership is free!</p>
Norman Marks

New Leadership, New Risks
https://iaonline.theiia.org/2017/Pages/New-Leadership-New-Risks.aspx
<p>When a momentous event happens — and without question, the election of Donald Trump to the Oval Office was momentous — people tend to overestimate the consequences for the short term, and underestimate them for the long term. That point is worth remembering as the internal audit community tries to decipher what the Trump administration means for business risk.</p>
<p>After all, the Trump team has talked a great deal about sweeping change: tax reform, health-care reform, infrastructure spending, trade policy, and regulatory reform. The immediate impulse to brace for impact is natural.</p>
<p>A better metaphor, however, might be that audit leaders should acclimate to a new environment — one that will arrive more subtly than people expect, but in the fullness of time, bring about potentially dramatic change. Fundamentally, the business risks themselves will not change. Regulatory enforcement, financial reporting, cybersecurity, supply chain, liquidity — all the risks that organizations faced in previous years will still exist in 2017 and beyond. What will change is the underlying forces and conditions that shape those risks.</p>
<p>Identifying those changing conditions, and deducing their implications for the organization's own enterprise risk assessment, will be a key challenge for chief audit executives in the Trump Era. What are some of those tectonic shifts likely to happen in 2017 and beyond? Let's look at a few examples.</p>
<h3>The Rise of Political Risk</h3>
<p>Political risk — that is, dramatic, unpredictable political decisions that can carry far-reaching consequences for a business or industry — has not been a phenomenon in the United States for many years. Now it will be, owing to the new president's willingness to confront corporate decisions head-on.</p>
<p>One example is his recent admonishments against Ford Motor Co. for its plans to locate a US$1.6 billion manufacturing plant in Mexico, and Ford's subsequent announcement on Jan. 3 that <a href="http://www.reuters.com/article/us-ford-mexico-idUSKBN14N1EO">it would scrap those plans and build a US$700 million plant in Michigan instead</a>. Another is Trump's comments during his Jan. 11 press conference, where he announced that <a href="http://www.wsj.com/articles/trump-attacks-drugmakers-on-pricing-1484167641">he wants to require pharmaceutical companies to bid on contracts for Medicare and Medicaid</a>. That would be a major shift in government health-care spending; the Nasdaq Biotech Index fell 3 percent within hours of his statement.</p>
<p>Businesses will need to explore strategies that can withstand greater political risk. Manufacturers, for example, may invest more in work automation technologies. Services businesses might develop more customer self-help mechanisms to avoid the political risk of outsourcing call centers. Investment strategies might need to be shorter-term, so companies can tack into political winds more easily.</p>
<p>More broadly, industries might see international sanctions reversed — removing them from Russia, re-imposing them on Iran — or well-understood markets up-ended in light of new political priorities (e.g., health care). For example, a 2017 political analysis published by the law firm Squire Patton Boggs identified several legislative events likely to happen this year:</p>
<ul>
<li>The end of free-trade efforts such as the Trans-Pacific Partnership or the Transatlantic Trade and Investment Partnership.</li>
<li>Significant changes to (or even full abolition of) the Consumer Financial Protection Bureau and the Financial Stability Oversight Council, two oversight bodies created by the Dodd-Frank Wall Street Reform and Consumer Protection Act.</li>
<li>The repeal and replacement of the Patient Protection and Affordable Care Act.</li>
</ul>
<p>Each of these potential changes could significantly impact the immediate industries to which they pertain, as well as the broader economy.</p>
<h3>The Shift in Enforcement Risk</h3>
<p>Businesses may also see a regulatory enforcement climate of smaller penalties against corporations, especially when companies cooperate with regulators to identify individual wrongdoers at their companies. A precursor to this idea emerged in 2016, in the Justice Department's Foreign Corrupt Practices Act Pilot Program: discounts in monetary penalties for companies that disclosed violations of anti-bribery law and then remediated control weaknesses.</p>
<p>So what would the implications be if the Trump Administration applies that concept on a wider scale? Foremost, companies would want to revisit their compliance programs to ensure they can cooperate with regulators effectively. For example, if a company wants to win cooperation credit for helping regulators prosecute individuals, it must be able to identify (and gather evidence against) those individuals within its ranks. So the importance of e-discovery processes and investigation protocols goes up.</p>
<h3>From Cheap Money to Easy Money</h3>
<p>The Trump Administration wants to ease oversight of bank lending and new capital formation. At the same time, we're likely to see more infrastructure spending <em>and</em> higher interest rates as the Federal Reserve keeps nudging rates higher amid stronger economic growth.</p>
<p>String all those variables together: a world of stronger growth, where companies can get loans more easily but at higher interest rates. What risks emerge from a scenario like that?</p>
<p>Companies could, for example, face greater liquidity risk if their finances are based on instruments that can't withstand higher interest rates. Or the demand for skilled labor will grow so fierce that companies might face workforce shortages. Merger targets could become unaffordable. Inflation might erode expected profits.</p>
<p>An over-stimulated economy would be quite different from the past decade of low economic growth, low interest rates, and a tightly constrained financial sector. It would reverse many long-held assumptions businesses have used, with corresponding change to risks, policies, and controls.</p>
<p>By the same token, the new lending climate could offer significant potential for growth without some of these downsides – and organizational leadership will want to consider whether they're positioned to leverage that opportunity. Chief audit executives could help ensure the organization has adequately examined the upside potential of economic growth.</p>
<p>Every company would experience bank lending changes in its own way, but more than anything else, this new economic climate could be the most tangible change that a Trump Administration might bring about.</p>
<h3>Remember the Limits</h3>
<p>For all the potential transformations that the Trump Era might bring, internal audit professionals should also remember another truth: political power is often fragile. For <em>any</em> policy change to move forward, <em>all</em> Republicans in Congress and Trump must agree on the policy. Any crack in party resolve could fracture the whole plan.</p>
<p>That could translate into delays and disputes on any number of legislative efforts. In fact, those delays have already emerged over health-care reform. Tax reform might see similar treatment, as special interests lobby to preserve their favorite corners of the tax code. (This also means that we're more likely to see change that the executive branch can enact itself, much like we saw in the later Obama years.)</p>
<p>A recent analysis by the law firm Arnold & Porter demonstrates the challenge. For tax reform, the analysis says, Trump's main thrust will be to increase the benefits of manufacturing in the U.S., to stimulate job growth. The early proposals also mean, however, that <a href="http://www.wsj.com/articles/toy-makers-gird-for-tax-code-change-1484143201">retailers that import cheaper goods from overseas could see painful tax increases</a>.</p>
<p>That will likely lead to fierce battles in Washington, with some powerful corporate voices fighting to preserve their interests. When will those questions get resolved? Nobody knows.</p>
<p>In other words, internal auditors shouldn't ask, "How will the Trump administration change my world?" A far better question is to ask, "How will the Trump administration change the broader world — and what is the organization doing to prepare for it?"</p>
Matt Kelly

An Important Cyberrisk Framework
https://iaonline.theiia.org/blogs/marks/2017/Pages/An-important-cyber-risk-framework.aspx
<p>Perhaps the most important cyberrisk framework is that published by the U.S. National Institute of Standards and Technology (NIST). Recently, NIST shared for comment a proposed update to their framework.</p>
<p>You can <a href="https://www.nist.gov/cyberframework" target="_blank">download the document and view related videos here</a>.</p>
<p>Here are some key excerpts from the executive summary:</p>
<ul>
<li>Similar to financial and reputational risk, cybersecurity risk affects a company's bottom line. It can drive up costs and impact revenue. It can harm an organization's ability to innovate and to gain and maintain customers.</li>
<li>The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization's risk management processes.</li>
<li>The Framework enables organizations — regardless of size, degree of cybersecurity risk, or cybersecurity sophistication — to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.</li>
<li>The Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure. Organizations will continue to have unique risks — different threats, different vulnerabilities, different risk tolerances — and how they implement the practices in the Framework will vary. Organizations can determine activities that are important to critical service delivery and can prioritize investments to maximize the impact of each dollar spent. Ultimately, the Framework is aimed at reducing and better managing cybersecurity risks.</li>
</ul>
<p>Later, the authors say this:</p>
<p><span class="ms-rteStyle-BQ">"Enterprise risk management is the consideration of all risks to achieving a given business objective. Ensuring cybersecurity is factored into enterprise risk consideration is integral to achieving business objectives. This includes the positive effects of cybersecurity as well as the negative effects should cybersecurity be subverted."</span></p>
<p>There's a good amount of material to like.</p>
<ul>
<li>The framework is risk-based and talks about, in my words, investing in cybersecurity commensurate with the level of risk.</li>
<li>When it talks about risk, it is to the achievement of business objectives. They don't talk about protecting information assets, but rather drive to what is important to the success of the business.</li>
<li>It uses a maturity model (although it doesn't describe it as such) as a useful way to assess the effectiveness of the cyber program.</li>
<li>It makes the point that those responsible for the cyber program need to be at an appropriate level within the organization.</li>
<li>It emphasizes that the management of cyberrisk needs to be integrated within the broader enterprise risk management activity.</li>
</ul>
<p>However, there are a few areas where I would have liked to have seen more discussion.</p>
<ul>
<li>Appendix B is a list of objectives for the cyber program. However, in my opinion it is over-simplified and probably incomplete. For example, I do not see anything about protecting the organization from the effects of social engineering.</li>
<li>While detection is emphasized, the need for <em>timely</em> detection is not mentioned.</li>
<li>The framework mentions the need for continuous improvement and that cyberrisk is dynamic. However, the sea is constantly rising and defenses have to adapt at least as fast as the risk changes. Investment needs to be in resources that enable threats to be monitored and defenses upgraded continuously.</li>
<li>The task of assessing the likelihood of a breach is hardly covered at all. There is general acceptance of the fact that a breach is almost inevitable, so the emphasis perhaps should be on the likelihood of different degrees of impact. Past experience may not be a good indicator, as prior breaches may not have been detected — leaving management with the unjustified belief that the incidence of breach is lower than it really is.</li>
<li>The framework suggests that the organization should have an inventory of all assets or points on the network. However, with the extended supply chain plus the Internet of Things plus the fact that employees and other individuals are hacked as entry points, the problem is far more severe than is presented. I am not persuaded that an inventory can ever be considered complete.</li>
<li>While the framework talks about integration with the enterprise risk management program, it is important to note that cyber may be one of several risks that might affect the achievement of one or more business objectives. Decisions about acceptable levels of risk to an objective should consider all these risks, not just one. In other words, cyber and other risks to an objective may appear to be at an acceptable level individually, but the aggregate effect may be intolerable and require action.</li>
<li>The framework references the ISO 31000:2009 global risk management standard (curiously not the COSO ERM Integrated Framework) but defines "risk" in its own way. It also uses the term "risk tolerance" in its own way, inconsistent with that of COSO or ISO. (It is essentially the same as COSO's risk appetite.)</li>
</ul>
<p>A framework is simply that, a framework that any organization can build out to suit its situation and needs.</p>
<p>I encourage everybody to consider the document, respond with suggestions for improvement, and perhaps use it to assess and then upgrade your organization's cyber program.</p>
<p>Your comments?</p>
Norman Marks

Deloitte Shares a List of "Risk" Trends to Watch in 2017 and Beyond
https://iaonline.theiia.org/blogs/marks/2017/Pages/Deloitte-shares-a-list-of-“risk”-trends-to-watch-in-2017-and-beyond.aspx
<p>Rather than the list of top risks, the people at Deloitte suggest that there are a number of trends "that have the potential to significantly alter the risk landscape for companies around the world and change how they respond to and manage risk."</p>
<p>They share 10 in <a href="https://www2.deloitte.com/us/en/pages/risk/articles/future-of-risk-ten-trends.html" target="_blank">The Future of Risk: New Game, New Rules</a>.</p>
<p>I like the way they start:</p>
<p><span class="ms-rteStyle-BQ">The risk landscape is changing fast. Every day's headlines bring new reminders that the future is on its way, and sometimes it feels like new risks and response strategies are around every corner. The outlines of new opportunities and new challenges for risk leaders — indeed, all organizational leaders — are already visible.</span></p>
<p><span class="ms-rteStyle-BQ">What you'll see is that risk's onset and consequences, and the entire nature of the risk discipline, are evolving. The good news? The strategic conversation around risk is changing too. For leaders today, risk can be used as a tool to create value and achieve higher levels of performance. It's no longer something to only fear, minimize, and avoid.</span></p>
<p>For the moment, let's put aside our differences about the meaning of words such as "risk" and "risk source."</p>
<p>The 10 trends they have listed merit consideration. As Deloitte suggests, we should all consider these trends. Do we agree with the facts as presented? Will they affect us and, if so, how? How should we respond?</p>
<p>Please read the report, which is fairly short, before coming back to this discussion.</p>
<p>The first trend is <span style="text-decoration:underline;">cognitive technologies</span>, which is a fancy term that includes big data analytics, predictive analytics, AI, machine learning, and so on. Deloitte says it is about "using smart machines to detect, predict, and prevent risks in high-risk situations."</p>
<p>Broadly speaking, every organization should be watching and exploring ways to use new technologies, or advances in existing ones, for this purpose.</p>
<p>But more might be done.</p>
<p>Machine learning and similar technologies may not only detect and analyze patterns, but actually make decisions and initiate action. Smart software, as well as machines, is starting to replace humans who perform repetitive analysis and response.</p>
<p>The second is "<span style="text-decoration:underline;">Controls become pervasive</span>." Deloitte is not talking about internal controls here. They are talking about controls automation. They could have easily rolled this into the first trend, since it's really about the use of technology for risk monitoring.</p>
<p>The third is quite different: It's about advances in <span style="text-decoration:underline;">behavioral science</span>. I'm not sure what they expect to be different in 2017 and beyond, because the study of human behavior is not new at all. The key is whether the science will be <span style="text-decoration:underline;">used</span>.</p>
<p>Deloitte then uses the term "<span style="text-decoration:underline;">vigilance</span>" for its next trend. This is another fancy word; <strong>detection</strong> would have worked just as well, perhaps more accurately, but vigilance is more exciting and appealing to the consumer of Deloitte services.</p>
<p>Yes, more attention needs to be placed on risk monitoring and detection controls, especially with respect to cyber.</p>
<p>The next one is "<span style="text-decoration:underline;">risk transfer</span>." Arguably, risk is never transferred. It can only be shared or mitigated. Also, preventive controls do not eliminate risk; they just reduce the level to hopefully acceptable levels, because there is always the possibility that the controls will fail. The only change in this area I am aware of is the emergence of (limited) cyber insurance.</p>
<p>Deloitte thinks that the fact that <span style="text-decoration:underline;">innovation outpaces regulation</span> is a trend. I am not persuaded. However, the relaxation of regulation under President Trump would be a change — but may not be in effect long-term if he is not re-elected in four years.</p>
<p>Using <span style="text-decoration:underline;">risk management to drive performance</span> is not a new thought. I have been pressing for it for a while myself. If it becomes a reality, that would certainly be an important trend.</p>
<p>"<span style="text-decoration:underline;">Collective risk management</span>" is an interesting concept. However, laws and regulations can limit the sharing of information.</p>
<p>"<span style="text-decoration:underline;">Disruption</span> dominates the executive agenda" is not new. I agree with Deloitte that it should be expected to increase this year and into the future.</p>
<p>Then Deloitte picks <span style="text-decoration:underline;">reputation</span> risk — again, not really new. The change is that new technologies can help us address it.</p>
<p>Overall, a couple of points that should stimulate some thinking. But most of this should be ho-hum for most of us.</p>
<p>What do you think?</p>
Norman Marks

Healthy Compliance
https://iaonline.theiia.org/2016/Pages/Healthy-Compliance.aspx
<h2>What are health care’s top compliance risks for 2017?</h2>
<p>Cybersecurity is on every industry’s top 10 list, but health care is particularly susceptible because its data is worth 10 times the price of credit data on the black market. And, health-care organizations are increasingly becoming the target of ransomware attacks. The second risk is government’s recent focus on the quality of care provided to patients. Physicians, hospitals, and other providers that did not comply with Medicare’s regulations regarding the medical necessity of services provided have had to pay settlements to the U.S. government. Health-care providers need to ensure compliance with these requirements.</p>
<h2>How can compliance officers best ensure they do not face personal liability in compliance failures?</h2>
<p>This is the $64,000 question! Having asked myself that question on many occasions, I have only one response: Be diligent. We must thoroughly investigate and respond to every compliance complaint and report. Gone are the days where we disregard a report solely because the source is a disgruntled employee. We must take every report very seriously. We must ensure our investigation and remediation are well-documented. In this litigious environment, “dotting the i’s and crossing the t’s” can truly make all the difference.</p>
<h2>How can internal audit and compliance best collaborate to address regulatory burdens?</h2>
<p>In our organization, audit and compliance staff work together to ensure regulatory compliance. For instance, in the course of a compliance audit, an IT auditor may mine the data looking for anomalies, and then the clinical compliance auditor would review the medical records selected in the data mining process for compliance with a given regulation. Likewise, in a compliance investigation, our audit staff will conduct interviews and perform data analytics. The compliance staff will do the research on applicable regulatory guidance and then audit selected records for compliance.</p>
Staff

The Decision-maker's View of Risk
https://iaonline.theiia.org/blogs/marks/2016/Pages/The-decision-maker’s-view-of-risk.aspx
<p>I recently had the privilege of speaking after and then moderating a panel that included <a href="http://www.fairinstitute.org/chairmans-welcome" target="_blank">Jack Jones</a>. Jack is the creator and evangelist for the FAIR methodology, about which he wrote <a href="https://www.amazon.com/Measuring-Managing-Information-Risk-Approach/dp/0124202314" target="_blank"><em>Measuring and Managing Information Risk: A FAIR Approach</em></a>. A number of people have found this very useful and have recommended it to me. I think it is worth considering.</p>
<p><a href="http://www.fairinstitute.org/blog/a-different-definition-of-risk-management" target="_blank">Jack has written a blog post about our meeting</a> with his reflections on the 95 percent agreement we have on risk management and his perspective on the other 5 percent.</p>
<p>Please read his post as my comments will be in response.</p>
<p>I enjoyed the MISTI conference where this meeting took place, but I have to admit meeting Jack was very much the highlight. It's always great to have a constructive conversation with somebody who has spent at least as much time thinking about a topic as you yet has different ideas. It's a learning opportunity.</p>
<p>I respect Jack's view. It is difficult for an individual who has grown up with the idea that "risk" is something bad, and the role of the risk practitioner is to help decision-makers assess and respond to "What could go wrong," to believe they should use the same analytical process to assess what would go well. Several who have commented on my posts on this topic make that valid point.</p>
<p>Recognition is given to the facts that a) decisions have multiple potential consequences (more often than not there is a <strong><em>combination</em></strong> of positive and negative) and b) people need to make intelligent decisions based on the best available information considering <strong><em>all</em></strong> the potential effects. The question is whether it is the responsibility of the risk practitioner to help with all sides of the coin.</p>
<p>I would like to shift our perspective from the risk practitioner to the decision-maker: the individual we are trying to help.</p>
<p>Let's put ourselves in their shoes.</p>
<p>As he or she works towards his or her objective, decisions will have to be made.</p>
<p>The decision-maker needs to weigh all the potential effects, everything that might happen, if he or she goes ahead. All options need to be assessed.</p>
<p>For example, imagine you are a senior vice president and you have to decide whether and when to go ahead with a new product launch.</p>
<p>The risk officer is there to help. With her assistance, you have an assessment of the potential harms that might result from going to market too early. These include the possibility that the product needs additional testing to ensure it functions reliably as desired; the effect on the launch could be catastrophic, resulting in lost sales and customers, reputation damage, and additional costs to repair or replace units sold and then re-launch at a later time. In addition, the marketing, sales, and the product help desk teams might not be ready, such that the launch fails to meet desired sales targets. So going to market early is rated by her as "high risk."</p>
<p>One alternative is to delay the launch by a month. The risk officer has worked with you to assess this scenario as well. The potential for each of the harms rated high for the early launch is lower, and the two of you have agreed to rate a delayed launch as "moderate risk."</p>
<p>The third and final option you are considering is to delay for two months. This will allow for thorough testing of the new product and preparation by all the support teams. This option is rated as "low risk."</p>
<p>But there are advantages to an early product launch. They could be significant.</p>
<p>Releasing the product quickly is being urged by the marketing and sales team as desirable because of the potential to be first to market the new generation of product. They say that an early launch is far more likely to seize a considerable market share and pricing can be optimized when there is little competition.</p>
<p>The support teams are pushing hard. They have told you and senior management that any delay, even for a month, is likely to give your competitors time to bring their comparable products to market. They are predicting that sales will be as much as 20 percent less if there is a one month delay and 35 percent less if the delay is two months.</p>
<p>Which is the best decision for the company?</p>
<p>The potential harms have been subject to a disciplined assessment process, but the potential rewards are based on the "experience" of the marketing and sales staff.</p>
<p>Even if a disciplined process was followed, are the results comparable to the assessment of harms?</p>
<p>Would a comparison of the harm assessment and the reward assessment be like comparing apples and oranges? Are they equally objective and credible?</p>
<p>My point is that the optimum situation is where all the potential consequences of each option are assessed the same way. How else can the senior vice president be comfortable that she is making an informed, intelligent decision — selecting the option that is best for the company?</p>
<p>Maybe, as Jack says, as risk practitioners we have boxed ourselves in by calling ourselves "risk" officers. Maybe we should try another term that doesn't limit our own image as well as that of our stakeholders to assessing the downside.</p>
<p>Isn't it all about helping the company and its decision-makers succeed?</p>
<p>I welcome your thoughts.</p>
Norman Marks

A Holistic Approach to IT Risk (https://iaonline.theiia.org/2016/Pages/A-Holistic-Approach-to-IT-Risk.aspx)
<p>With IT ingrained in most business processes, IT risk management has become a critical part of enterprise risk management. The rise of cybersecurity incidents in recent years has heightened the need for directors and executive management to understand, evaluate, and respond to IT risks. Yet, managing these risks can be daunting because of the technical complexity and far-reaching outcomes of an IT risk event.</p><p>Although it is tempting for the board and management to focus on cyberrisks, internal audit must consider the full range of IT risks and take a more holistic view of the business. Gaining such a view is one of the advantages of using ISACA’s COBIT framework to address risk management challenges.</p><p>The latest version, COBIT 5, released in 2012, can help internal auditors develop an audit plan to address IT risks, set IT audit objectives, and define the scope for IT audits. It can help simplify complex issues by giving auditors best practices and conceptual guidance on how to categorize risks, identify risk events, and understand the relationship between risk events and value creation.</p><p>Moreover, COBIT emphasizes the value of assessing a process from end to end, instead of auditing components of that process. In addition, the separation of governance from management highlights the need to audit IT risks related to IT governance and management, which organizations tend to overlook.</p><h2>COBIT Explained</h2><p>COBIT is an enterprisewide IT governance and management framework designed to enable organizations to maintain a balance between realizing benefits from IT and optimizing risk levels and resource use. It is based on five principles: meeting stakeholder needs, covering the enterprise end-to-end, applying a single integrated framework, enabling a holistic approach, and separating governance from management.</p><p>COBIT 5’s basic premise is that goals cascade in an organization — that is, stakeholder needs are translated into enterprise goals, which set the direction for IT goals and enabler goals. Further, the framework provides guidance on IT risk management from a functional perspective (i.e., what is needed to build and sustain core risk governance and management activities), and a risk management perspective (i.e., how the COBIT enablers can assist the core risk management processes of identifying, analyzing, and responding to risk).</p><p>COBIT 5 describes enablers as factors that “individually and collectively influence whether something will work.” They can be used in both IT risk management and IT audit planning.</p><h2>Enabling Audit Planning</h2><p>Whether developing an audit plan or planning for an individual audit, internal auditors need to determine the audit objectives, scope, timing, resource requirements, and process. COBIT suggests auditors take a holistic view of the business when planning an audit.</p><p>Auditors can use the seven COBIT enablers as the foundation for identifying IT audit objectives and defining the audit’s scope. These enablers are:</p><ul><li>Principles, policies, and frameworks that translate the desired behavior into practical guidance that can be managed.</li><li>Processes that support achievement of a set objective.</li><li>Organizational structures that are important for decision-making.</li><li>Culture, ethics, and behavior of individuals, which explain the human interactions that influence governance and management.</li><li>Information, including all information produced and used in the business.</li><li>Services, infrastructure, and applications, including the IT used by the organization.</li><li>People, skills, and competencies, including the people required for successful completion of all activities.</li></ul><p>Because COBIT provides 36 generic risk scenarios, internal auditors should begin by working with management to prioritize risk scenarios for their organization. COBIT uses primary and secondary ranking to show the impact of each risk scenario on the type of risk. COBIT categorizes the risk types based on whether the risk is strategic (IT benefit/value enablement), operations-related (IT operations/service delivery), or project-related (IT program/project delivery).</p><p>Second, internal auditors can identify activities pertaining to each of the enablers for the prioritized risk scenarios. For example, organizations face IT risk when selecting IT programs (risk scenario), which primarily affects the organization’s strategy and secondarily its operations. To manage this risk, management can implement a policy that indicates the types of IT investments that are a priority (policy), have a formal process to select IT projects (process), have an IT steering committee (organizational structure), communicate the importance of technology throughout the organization (culture), define IT investment selection criteria (information), have a program management application (application), and involve appropriate managers in the decision-making process (people).</p><p>Third, internal auditors can rank activities based on an approach that best fits the organization. For example, auditors may use a high/medium/low priority, primary/secondary, or a rank order based on weights to identify the areas that need attention. Finally, once the activities are ranked, auditors can plan the audit by first focusing on the primary/high priority activities before turning attention to secondary activities, given resource, time, and personnel constraints.</p><h2>An Eye on the Big Picture</h2><p>COBIT’s recommended best practices can establish a foundation for providing assurance on the adequacy, reliability, and integrity of an organization’s information systems, regardless of its industry, technology infrastructure, or geographic location. This foundation can help internal auditors understand how the organization operates and where it wants to go.</p><p>Moreover, the COBIT guidance recognizes that IT risk exposure differs among organizations based on management’s risk appetite, involvement, and risk response. Internal auditors can use the framework to understand the nature of IT risks that are unique to their organization and develop an intuition that helps them recognize red flags, internal control weaknesses, and fraud.</p><p>Further, COBIT can help internal auditors identify and organize audit findings that can be instrumental in establishing and monitoring the organization’s IT risk management practices. The framework enables auditors to work at a detailed level while also keeping the big picture in mind.</p>
Nishani Edirisinghe Vincent
How Much Cyberrisk Should We Take? (https://iaonline.theiia.org/blogs/marks/2016/Pages/How-much-cyber-risk-should-we-take.aspx)
<p>I recently presented on this topic at an MISTI conference for IT auditors.</p><p>My theme started with the fact that it is impossible to eliminate cyberrisk — the potential for a breach of our corporate network to harm us in some way. (I should say that we should be talking about "cyber-related business risk.")</p><p>While spending money to shore up our defenses will hopefully reduce the number and frequency of intrusions, the hackers' tools and techniques continue to develop, and we are constantly adding potential points of weakness as our use of technology grows. A recent survey said that the great majority of organizations don't have a good handle on how many addressable devices (Internet of Things) are now attached to their corporate network.</p><p>We can mitigate the effect of an intrusion with a combination of timely detection (the average time to detect is an appalling 9 months or so), incident response, encryption and other safeguards, and contingency planning.</p><p>But investments in cyber will not eliminate the risk.</p><p>So how much should we invest?</p><p>How much cyberrisk should we be willing to take?</p><p>I suggested that we need to understand and assess the risk.</p><p>But it is the risk to the objectives of the enterprise we should be assessing, not some measure of threat to IT assets or services. In other words, what is the cyber-related business risk?</p><p>How could a breach affect our business and the achievement of corporate goals?</p><p>How could it affect revenue, market share, earnings, and reputation?</p><p>What is the level of risk — to the enterprise?</p><p>If we can assess the level of risk, we can start to consider alternative ways to address the risk.</p><p>If we invest x dollars (whether in people, tools, or services), will that reduce the risk by more than the investment?</p><p>Can we tolerate the risk? Can we tolerate the cost of a breach?</p><p>According to one survey I read, the average cost of a breach is "only" US$208,432. <a href="http://www-03.ibm.com/security/data-breach/" target="_blank">IBM and the Ponemon Institute</a> disagreed, saying it was US$4 million. Rand pointedly said that was incorrect, that the cost is less than US$200,000.</p><p>Whichever number is correct, the average cost of a breach is not as alarming as many if not most might believe.</p><p>According to <a href="http://www.darkreading.com/attacks-breaches/rand-study-average-data-breach-costs-$200k-not-millions/d/d-id/1326962" target="_blank">Rand</a>, "cyber incidents cost firms a mere 0.4% of annual revenues on average. By comparison, overall rates of corruption, financial misstatements, and billing fraud account for 5% of annual revenues, followed by retail shrinkage (1.3%), followed by online fraud (0.9%)."</p><p>I am not saying that we should accept cyberrisk as a cost of doing business.</p><p>I am saying that we should invest in cyber defense, detection, and response commensurate with the risk.</p><p>We have other uses for the funds and resources!</p><p>I am also saying that if we are to adopt the new and disruptive technology that will drive the business forward, we should be willing to accept some reasonable level of cyberrisk.</p><p>Some in the audience vocally and loudly disagreed. They said that reducing security weakness and other IT-related risks to dollars and cents, allowing management to say remediation costs were more than the risk justified, would send the wrong message. It would say that some IT-related risks should be accepted.</p><p>Sorry, but that is the right message.</p><p>Every organization's assessment of cyber-related business risk (or any risk, for that matter) will be different. It will vary depending on their business and how they conduct it, their public image, how they value their reputation, and so on. It will also be affected by regulatory guidance and oversight.</p><p>Every organization's investment in addressing cyberrisk should be tailored to its level of risk — recognizing that the level of risk is likely to change.</p><p>Where does that leave me?</p><p>That there are greater risks than cyber.</p><p>The risk of being left behind by our competitors when it comes to leveraging new and disruptive technology is typically far greater.</p><p>The cost of a delay in or even the failure of a major enterprise resource planning system implementation will probably be several times the cost of a breach.</p><p>So let's make intelligent decisions about investing in the management of cyberrisk.</p><p>Let's not cry out that the cyber sky is falling.</p><p>I welcome your thoughts.</p><p>PS – <a href="http://corporatecomplianceinsights.com/bank-regulators-issue-proposed-rules-cybersecurity-controls/?utm_campaign=2016+Newslettters&utm_source=hs_email&utm_medium=email&utm_content=38923203&_hsenc=p2ANqtz--xWl4DIJp8oVy1GfMf_LpSbfTzl3K-9vwJyPQbXPnibLjSbSM_G21leAzUcmQALI7O6ljevbRSzSooHhQZ_pxcElZ5wg&_hsmi=38923203" target="_blank">see here for an article on cyberrisk regulations</a> proposed for U.S. banks. Note that they are also risk-based.</p>
Norman Marks
Do We Know How to Audit Technology-related Risks? (https://iaonline.theiia.org/blogs/marks/2016/Pages/Do-we-know-how-to-audit-technology-related-risks.aspx)
<p>I just read through the latest ISACA/Protiviti survey, <a href="https://www.protiviti.com/US-en/insights/it-audit-benchmarking-survey" target="_blank">A Global Look at IT Audit Best Practices</a>.</p><p>It has a wealth of generally useful information and I recommend it to all internal audit leaders but not to board members — the level of detail is too much for their use. The executive summary is the most I would have a director read. But it would be better to have the CAE summarize the report for them, focusing on what lessons should be learned for their particular organization.</p><p>Some things surprised and others disappointed me.</p><p>My most important issue is that we need to stop talking about IT audit.</p><p>We should be talking about auditing risks relating to technology!</p><p>In the days of yore, the IT department owned and ran all the technology — with the exception of minor pieces of so-called user-managed software.</p><p>But not in 2016.</p><p>A good friend of mine, Gene Kim, is co-author of <a href="http://itrevolution.com/books/phoenix-project-devops-book/" target="_blank"><em>The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win</em></a>. I recommend it to anybody interested in technology and today's approach to running the IT function.</p><p>Recently, I read <a href="https://www.linkedin.com/pulse/5-aha-moments-while-reading-phoenix-project-sara-hruska" target="_blank">a review of <em>The Phoenix Project</em> by Sara Hruska</a>. She makes a few pertinent points:</p><ul><li>Pretty much every business is so dependent on technology that the distinction between leading the IT function and the CEO/chief operating officer role is diminishing.</li><li>The success of any organization can be dependent on the ability of the IT function to deliver at speed technology solutions that will drive the business.</li></ul><p>So, my first point is that the topic should no longer be the IT function, but the development, maintenance, and use of technology across the extended enterprise.</p><p>Let's talk about <em>technology</em> auditing.</p><p>Then there's my constant drumbeat comment that there is no such thing as IT risk.</p><p>It's technology-related <em>business</em> risk.</p><p>What could go wrong when it comes to the development, maintenance, or use of technology that would significantly affect the achievement of <em>business</em> objectives?</p><p>For that reason, there should not be a separate IT audit plan. It should, as Protiviti reports is more often than not the case, be part of an integrated audit plan that is updated as often as risks change.</p><p>According to Protiviti, about half the respondents only update their (IT) audit plan annually.</p><p>That simply won't do in an era of dynamic change, especially around technology and its use.</p><p>I find it curious that despite the point made by Sara Hruska, the ability to identify the potential for disruptive technology to drive the organization forward is not among the top technology challenges in the Protiviti report. Perhaps it is because that was not an option Protiviti allowed respondents to select. More likely, though, it is because practitioners simply don't pay enough attention to the problem.</p><p>Is that correct?</p><p>Maybe Protiviti thought that their question about auditing IT governance would cover it. But, IMHO, a single audit of IT governance is not recommended. The topic is broad and practitioners should assess only those aspects of IT governance that are more critical to their business.</p><p>Other points of interest in the survey results:</p><ul><li>Nearly half believe their IT department is not aware of all of their organization's connected devices (e.g., connected thermostats, TVs, fire alarms, cars).</li><li>83 percent of respondents say cyberattacks are among the top three threats facing organizations today, and only 38 percent say they are prepared to experience one. — Comment: I wonder if they have assessed the <em>business</em> risk of a breach.</li><li>The study also found that only 29 percent of the respondents are very confident in their enterprise's ability to ensure the privacy of its sensitive data.</li><li>Only 65 percent said their CAE has sufficient knowledge to discuss IT audit matters with the audit committee. — Comment: that is dreadful.</li><li>Half or less than half of companies have their CAE or IT audit lead meet regularly with the chief information officer!</li><li>Where there is a corporate ERM framework, less than half the IT audit work is integrated with it.</li><li>Only about half are doing a significant or even a moderate amount of work on new technology initiatives.</li></ul><p>This is a disappointing state of affairs. I was an IT auditor for many years before becoming a CAE and always made sure my team was involved in every major technology initiative. The IT audit staff was generally about a third of the team — and I am talking about from 1990 to 2012!</p><p>Today, technology-related risk is huge and merits a lot more attention than it appears, from the study, it is getting.</p><p>What do you think?</p><p>What jumps out at you from the survey?</p>
Norman Marks
The State of Information or Cybersecurity (https://iaonline.theiia.org/blogs/marks/2016/Pages/The-state-of-information-or-cyber-security.aspx)
<p>PwC has shared the results of their <a href="http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey/assets/gsiss-report-cybersecurity-privacy-possibilities.pdf" target="_blank">Global Information Security Survey 2017</a>. This particular paper discusses the state of threat intelligence and information sharing.</p><p>It's an interesting paper, but how meaningful and relevant is this topic to most organizations?</p><p>Certainly, if you want to have a reasonable set of cyber defenses, you need to understand how the enemy (both within and without) will attack – on which fronts and with which weapons.</p><p>But, the enemy's tools and techniques are not only growing constantly in strength, but are also diverse.</p><p>What kind of organization can believe that it has the resources (or, should I say, can afford the resources) not only to have reliable and timely threat intelligence but the ability to turn that intelligence into enhanced defenses?</p><p>I am not persuaded that any but the largest organizations, who can afford both to hire a multitude of experts and to purchase all the tools they need both for reconnaissance and defense maintenance, should even think of placing reliance on internal resources.</p><p>If I were on the board or in the executive suite, I would be asking the tough questions about why this is not outsourced to an organization that can spread the costs of threat intelligence and defense maintenance across multiple organizations.</p><p>Being satisfied with what you can afford is not acceptable.</p><p>It is pretty much inevitable that any organization will be breached.</p><p>So, let's do what we can about defense through intelligent outsourcing, supplemented with in-house personnel who can focus on ensuring more vulnerabilities are not created by new initiatives and products.</p><p>The other "problem" with the PwC paper is that because breaches are certain (and there will be multiple breaches per year), it is crucial to be able to detect them rapidly – and I mean within hours and not days or longer.</p><p>Reports show that it may take 6 or 9 months (or longer) to detect a breach.</p><p>How can you expect to minimize damage, let alone expel the enemy, if you don't know that you have been breached, where it occurred, what has been damaged, and what the enemy is doing right now?</p><p>Again, if I were on the board or in the C-suite, I would ask how management knows whether they have been breached today, yesterday, or even in the last month. How would they ensure that any damage is kept to within acceptable levels – and what do you think an acceptable level of damage is?</p><p>I would certainly ask how a breach could affect the organization achieving its goals.</p><p>Do you ask these questions?</p><p>Does your CEO or the board?</p><p>If not, why not?</p><p>I welcome your comments.</p>
Norman Marks
