Governance
A Question of Audit Prerogatives (https://iaonline.theiia.org/2019/Pages/A-Question-of-Audit-Prerogatives.aspx)<p style="text-align:justify;">Call it the Battle of Bismarck — a political turf battle unfolding in the state capital of North Dakota, which actually turns on a question audit executives everywhere can appreciate. <br></p><p style="text-align:justify;">How does an audit function work when the chief audit executive and audit committee disagree over what the function should do?<br></p><p style="text-align:justify;">On one side of the issue is Josh Gallion, elected state auditor in 2016. On the other is the Legislative Audit and Fiscal Review Committee, the state's version of an audit committee. Earlier this year lawmakers quietly adopted a provision requiring Gallion to get approval from the audit committee before he conducts "performance audits" of government offices. <br></p><p style="text-align:justify;">Gallion politely but firmly told the Legislature in July that he doesn't believe the law is constitutional, since it impedes his autonomy as a duly elected executive officer of the state. The state attorney general agrees with him. The top budget analyst for the Legislature does not.<br></p><p style="text-align:justify;">"We will not be seeking approval of performance audits, but what I will tell you is communication is key," Gallion <a href="https://bismarcktribune.com/news/local/govt-and-politics/north-dakota-state-auditor-lawmakers-remain-at-odds-over-new/article_fad595f7-ad1e-541b-abdd-a8b49469f31f.html">told North Dakota lawmakers during a recent hearing</a>.<br></p><p style="text-align:justify;">That wasn't what state Rep. Gary Kreidt, chair of the legislative audit committee, wanted to hear. He was unhappy that Gallion has been announcing the results of performance audits to the public, without first letting audit committee members review the findings. 
<br></p><p style="text-align:justify;">"I don't like to read in the newspaper an audit that's been completed and not have been notified that this audit was done," Kreidt said in that same legislative hearing. <br></p><p style="text-align:justify;">The backstory here is interesting reading for political junkies and audit professionals alike. First, "performance audits" are defined as examinations of specific agencies or offices, to assess whether the agency achieves its stated goals <em>and </em>whether it does so in an economical manner.<br></p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p style="text-align:justify;"><strong>Putting Differences Aside</strong></p><p style="text-align:justify;">In the corporate world, best practices to avoid these situations abound. Among them: <br></p><ul style="list-style-type:disc;"><li>The chief audit executive should meet with the audit committee chair regularly <em>and</em> informally, between committee meetings, just to build rapport and trust. </li><li>The CAE, management, and the audit committee should collaborate while drawing up the risk assessment and preparing the audit plan. That at least prevents anyone from being caught by surprise, which is one criticism North Dakota lawmakers had about Gallion.</li><li>Allow management sufficient time to review the audit findings and prepare a rebuttal that is included in the report, again to prevent anyone from being caught by surprise.</li><li>Incorporate the IIA's model charter language as much as possible, spelling out roles and responsibilities clearly. "A flawed charter will certainly trigger challenges to the authority of any internal audit function," says Peter Hughes, assistant auditor-controller and chief audit executive for Los Angeles County.<br></li></ul><br></td></tr></tbody></table><p style="text-align:justify;">Gallion undertook such an audit last year, to examine Gov. Doug Burgum's use of state aircraft. 
That audit came after reports that Minnesota energy company <a href="https://www.minotdailynews.com/opinion/community-columnists/2019/05/nd-no-longer-has-an-independent-auditor-thanks-to-burgum-legislature/">Xcel Energy flew Burgum and his wife to Super Bowl LII</a> in 2018. Gallion also <a href="https://www.inforum.com/news/education/1005685-Audit-ND-college-VP-whos-a-Fargo-commissioner-didn%E2%80%99t-disclose-conflict-of-interest-with-wife%E2%80%99s-firm">released an audit earlier this year that raised questions about a powerful state senator</a>, who didn't disclose a conflict of interest while working at a North Dakota state college. <br></p><p style="text-align:justify;">In April, just before the end of North Dakota's legislative session, lawmakers tucked that provision about seeking the audit committee's permission for performance audits into the state's must-pass budget bill. <br></p><p style="text-align:justify;">Cynics say the provision <a href="https://www.minotdailynews.com/opinion/community-columnists/2019/05/nd-no-longer-has-an-independent-auditor-thanks-to-burgum-legislature/">was retribution for an auditor unapologetic about doing his job</a>. That may be so. For the rest of us, the tensions here set up an important lesson in best practices — how can organizations avoid this sort of a standoff? <br></p><p style="text-align:justify;"><strong>Lines of Authority</strong></p><p style="text-align:justify;">In the corporate world, an audit committee telling the audit executive <em>not</em> to examine certain issues without the committee's permission would be a big red flag. ("I'd certainly look for the exit," one IT audit executive told me.) But as daft as that idea might be, a corporation's audit committee theoretically could do it. <br></p><p style="text-align:justify;">Public sector audits are different, because they're more susceptible to criticism that an audit was driven by political motives. 
Audit committees overseeing public sector audit functions are likewise susceptible to accusations of undermining the independence or objectivity of the function for political purposes. <br></p><p style="text-align:justify;">"There's a huge risk of [those arguments] happening," says Kip Memmott, director of audits for the Oregon secretary of state. "Actually, it's not a risk — it happens quite frequently." <br></p><p style="text-align:justify;">Memmott sees the challenge as one of strained relationships and communications. Not everyone might see the value in a performance audit, or understand the risk that audit is trying to assess. The employees in question might also feel vulnerable as targets of the audit. <br></p><p style="text-align:justify;">That means the audit executive really needs to work on communication with those stakeholder groups if he or she wants to succeed. So one fair but pointed question: does the audit function have leadership in place to handle those human challenges? Or is it run by skilled technical auditors who have been promoted into a role that needs different skills? <br></p><p style="text-align:justify;">"Audit is about relationships and communications," Memmott says — and "as a field, we have not done as well as we could have."<br></p><p style="text-align:justify;"><a href="https://www.gao.gov/yellowbook/overview">Generally Accepted Government Auditing Standards</a>, maintained by the U.S. Government Accountability Office and commonly known as "The Yellow Book," spell out exacting standards for independence. If a public auditor doesn't meet them, the auditor should disclose that in the performance audit itself, along with whatever mitigating steps the auditor has taken. 
Even then, the auditor is still open to accusations of pursuing certain audits for political reasons.<br></p><p style="text-align:justify;">"Given that the public has long been 'sold' on the integrity and objectivity associated with unqualified or unmodified opinions, any qualifiers tend to trigger concerns regarding the objectivity of an audit," says Peter Hughes, assistant auditor-controller and chief audit executive for Los Angeles County. "Thus the reason that state and legislative auditors may challenge the benefit of such qualified audits."<br></p><p style="text-align:justify;">The wrinkle in North Dakota is that nobody can fire anybody else for flouting any of these practices; the auditor, the lawmakers, and the governor are all elected by voters. They must work together. <br></p><p style="text-align:justify;">Which brings us back to Memmott's point that communication to foster strong, working relationships is paramount. Yes, that can be painstaking, and in some instances political motivations will be entrenched. Audit leaders still need to try.<br></p><p style="text-align:justify;">"I don't know if chief auditors can control it, but certainly if they can't, they better be aware of it," Memmott says. <br></p><p style="text-align:justify;">We don't know how North Dakota's impasse over performance audits will end. A proposed <a href="https://www.grandforksherald.com/news/government-and-politics/3828217-North-Dakota-group-falls-short-on-all-three-referral-petitions-wont-challenge-auditor-restrictions-at-the-polls">voter referendum to repeal the restrictions failed to gather enough signatures</a>. Some lawmakers say they will try to repeal the restrictions in the 2021 legislative session. And despite Gallion and the legislative audit committee being at odds on that issue, both sides also say they will continue to work together on other issues. <br></p><p style="text-align:justify;">The rest of us can watch and wonder what we might do.<br></p>Matt Kelly
Auditing Culture: Observation and Data (https://iaonline.theiia.org/2019/Pages/Auditing-Culture-Observation-and-Data.aspx)<p>There are many ways to audit an organization's culture. With strong support from the top and sufficient resources, some internal audit functions adopt a comprehensive, resource-intensive method. For others — I suspect most — it is best to start with a fairly simple approach and build from there. One such approach combines auditors' observations with data metrics. And because this strategy is not dramatically different from traditional audit techniques, clients shouldn't find it jarring or outside the norm. When implemented correctly, it can be a powerful means of gauging the cultural environment. <br></p><h2>Auditors' Observations<br></h2><p>In "<a href="/2018/Pages/Beneath-the-Surface.aspx">Beneath the Surface</a>" (<em>Internal Auditor</em>, June 2018) author Doug Anderson compared culture to a volcano that can look calm on the outside while churning internally with lava and gases that could make it erupt without warning. Hard evidence of a culture — such as policies, programs, and even employee surveys in many cases — focuses on the surface. To really understand the culture, employees have to get inside it. 
<br></p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>Signs of a Healthy Culture </strong></p><ul style="color:#222222;background-color:#6eabba;"><li>Strong tone at the top, in words and deeds.</li><li>Open communication, an atmosphere of mutual trust.</li><li>Accountability is enforced and accepted, without unrealistic expectations or unfair repercussions.</li><li>A "just culture," which distinguishes among:</li><ul><li>honest mistakes (no one is blamed).</li><li>risky behavior (addressed with coaching and education).</li><li>reckless behavior (intentionally excessively risky or unethical, which is punished).</li></ul><li>Effective challenge is encouraged and valued.</li><li>Incentives that encourage healthy risk taking.<br></li></ul></td></tr></tbody></table><p>I've heard some audit practitioners say that an experienced internal auditor can almost predict an audit rating on the second or third day of an engagement just by sheer presence in the work environment. Talking with people, reading body language, sensing employees' attitudes, observing the physical environment — all contribute to a typically accurate understanding of an area's culture. <br></p><p>Auditors must, of course, keep an open mind and remain objective. Accordingly, many put their perceptions to the side and focus only on the objective, hard evidence. I'm reminded of an audit director who once told me about an instance where he became extremely frustrated with his team. The auditors returned to the office talking about the negative atmosphere of the client's area, citing lack of employee motivation and a hostile manager, among other problems. But when the team submitted a draft of the audit report, it indicated the area was well-run. When he asked about the discrepancy, his team said, "The area is a total disaster, but the controls are fine." Wrong answer! 
<br></p><p>Internal auditors should not ignore their perceptions — they can lead to the most significant issue of an audit. Observation can be a key tool for gauging culture, as reflected in "Signs of a Healthy Culture" (above), "Red Flags of a Toxic Culture" (below) and "Examples of Toxic Leadership Styles" (below). <br></p><h2>Combined With Metrics<br></h2><p>For most internal auditors, reporting a cultural issue based only on observations results in a fight they can never win. The good news is that there is usually objective data to support those observations, such as those listed in "Metrics That Might Support Auditors' Observations" below. <br></p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>Red Flags of a Toxic Culture </strong></p><ul><li>Excessive focus on short-term results.</li><li>Unrealistic performance targets.</li><li>"My way or the highway" management, inhibiting input and healthy debate.</li><li>Lack of open communication (caused by fear, lack of trust, or information hoarding).</li><li>Competition to get ahead rather than cooperation.</li><li>Favoritism.</li><li>Lack of work-life balance.</li><li>Chronic grumbling by employees.</li><li>Cliquishness, gossip, rumors.</li><li>Chronic stress.</li><li>Lack of employee development.</li><li>Lack of accountability (in general or for top performers).</li><li>Lack of motivation in a work group (could be caused by any of the above).<br></li></ul></td></tr></tbody></table><p>Metrics like these can be a powerful tool when combined with observations. For example, if auditors spot red flags of a toxic workplace, employee survey results might corroborate those observations. Turnover and sick leave statistics might reflect the culture's negative impact on the business. Discussing these links with audit clients won't always succeed, but it is far more robust than the auditors' observations alone. 
<br></p><p>A growing number of audit functions are using metrics that support observations in a variety of other ways, including:</p><ul><li> <strong>To plan and scope an audit project.</strong> An audit function might gather a standard set of metrics for risk assessment on every audit. When some of these metrics appear to be negative, the auditors can seek to determine why. For example, if turnover and sick leave are unusually high and the company has received an excessive number of customer complaints or hotline reports, or if projects regularly fail, the root cause may well be a cultural issue. If auditors suspect this is the case, they can conduct confidential interviews with employees and gather evidence to support and explain the link between the cause and effect. </li><li><p> <strong>To populate a dashboard that executives and the audit committee review regularly for indications of entitywide issues or trends</strong>. This in fact seems to be a growing trend. In "The Board Needs Culture Dashboards" (FEI Daily, March 2018), Dennis Whalen, leader of KPMG's Board Leadership Center, said, "I'd be shocked if, by the end of 2018, most companies didn't have some kind of culture dashboard that somebody monitors and presents for the board on a regular basis so they can see outside the C-suite and the corporate office."<br></p></li></ul><p>If an internal audit function developed a set of metrics meaningful to the organization and got buy-in from executives and the audit committee, it could use them for both of these purposes, in addition to leveraging them for support of audit observations.<br></p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>Examples of Toxic Leadership Styles </strong></p><ul><li>Narcissistic (egotistic, power hungry, care more about themselves than the organization).</li><li>Autocratic ("my way or the highway," intolerant of ideas contrary to their 
own).</li><li>Manipulative (charming to superiors, "kiss up, kick down").</li><li>Secretive (hoards information to appear superior or use it to get ahead unfairly).</li><li>Deflecting (blames others for problems or talks around issues to avoid being found out).</li><li>Hypocritical ("Do what I say, not what I do").</li><li>Disorganized, lacking focus (followers don't feel a real sense of direction).</li></ul></td></tr></tbody></table><p>A particularly interesting use of metrics occurred in 2002 when the Office of the City Auditor in Austin, Texas, performed a citywide ethics audit. The audit team gathered indicators of a positive or negative ethical climate in each of the city's departments from a citywide employee survey and a series of management interviews. Using statistical software, the auditors correlated these indicators with metrics like turnover and sick leave usage, complaints and successful claims by citizens, injuries to employees, and employee intentions to continue working for the city. They found that departments with strong ethical climates had significantly less turnover and sick leave, fewer complaints and claims, etc. The city responded by centralizing and strengthening oversight of ethics, drawing on the best practices of high-performing departments documented in the audit report.<br></p><h2> A Powerful Combination</h2><p>Internal auditors' perceptions of a work environment are usually sound but rarely stand by themselves. By combining their observations with data that management trusts, and by discussing the linkage tactfully with their audit clients, auditors can make a real difference in the organization. 
For auditors struggling with how to begin a culture audit, this could be a useful starting point.<br></p><p></p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p> <strong>Metrics That Might Support Auditors' Observations </strong></p><ul><li>Employee survey results.</li><li>Structured interview results.</li><li>Customer survey results.</li><li>Customer complaints.</li><li>Hotline statistics, including evidence of whistleblower protection.</li><li>Statistics for hotline open to suppliers.</li><li>Frequency of legal problems.</li><li>Frequency of audit issues with the same or similar culture-related root cause.</li><li>Frequency of repeat audit findings.</li><li>Timeliness and effectiveness of corrective actions.</li><li>Turnover statistics.</li><li>Sick time statistics.</li><li>Exit interview results.</li><li>IT surveillance results.</li><li>Performance review timeliness.</li><li>Frequency of negative media coverage, including social media.</li><li>Warranty claims.</li><li>Diversity statistics.</li><li>Level of community engagement.</li><li>Environmental impact data, with effective monitoring and continuous improvement.</li><li>Frequency of performance targets being missed (suggesting unrealistic targets that pressure managers to meet them "whatever it takes").</li><li>Frequency of large projects failing.<br></li></ul> </td></tr></tbody></table>James Roth
Wrangling the Internet of Things (https://iaonline.theiia.org/2019/Pages/Wrangling-the-Internet-of-Things.aspx)<p>The Internet of Things (IoT) allows businesses to connect everything from the office printer to factory production lines via Wi-Fi, making it a tool organizations are keen to exploit and employees find easy to use. And there appears to be no limit to what IoT technology is capable of delivering. </p><p>Because the associated software and applications are so simple to install and use on people’s smartphones and tablets, technology heavyweights like Cisco Systems and IT analysts such as Juniper Research estimate that the number of connected IoT devices will reach 50 billion worldwide in 2020. According to research by Forrester, businesses will lead the surge in IoT adoption this year, with 85% of large companies implementing IoT or planning deployments. </p><p>But such connectivity comes at a price. As IoT usage increases, so too do the associated risks. Simple devices rely on simple security, and simple protocols can be simply ignored. </p><p>A common problem is employees adding devices to the network without informing the IT department — or without the IT team noticing. For example, Raef Meeuwisse, a UK-based cybersecurity consultant and information systems auditor, says that one security technology company revealed that when installing network security detection in new customer networks, it found that up to 40% of devices logged on to the network were IoT. “That was a surprise to those organizations’ executives and their IT departments,” he says.</p><p>Such anecdotes mean internal audit has a real job at hand to ensure that IoT deployments go smoothly and that the associated benefits are delivered. 
And the task is fraught with danger: The technology is still evolving, new risks are emerging, and controls to mitigate these risks often seem to be a step behind what is actually happening in the workplace.</p><h2>Warning Signs<br></h2><p>Information security experts and standards-setters such as ISACA point out that because IoT has no universally accepted definition, there aren’t any universally accepted standards for quality, safety, or durability, nor any universally accepted audit or assurance programs. Indeed, IoT comes with warning notices writ large. According to ISACA’s State of Cybersecurity 2019 report, only one-third of respondents are highly confident in their cybersecurity team’s ability to detect and respond to current cyberthreats, including IoT usage — a worrying statistic given the proliferation of IoT devices. Industry experts and hackers have demonstrated how easy it is to target IoT-enabled office security surveillance systems and turn them into spy cameras to access passwords and confidential and sensitive information on employees’ computer screens (see “Targeting the IoT Within” below for examples of other IoT vulnerabilities). </p><p>Distributed denial of service (DDoS) attacks launched from hijacked IoT devices — which analysts and IT experts deem the most likely type of threat — are the clearest example of IoT device security and governance flaws. In 2016, the Mirai botnet’s attack on Dyn, a managed DNS provider that resolves domain names for many major websites, temporarily took down several high-profile websites and online services, including CNN, Netflix, Reddit, and Twitter. What set that case apart was that the attack traffic came largely from a huge number of small IoT devices such as IP cameras, digital video recorders, and home routers, rather than from infected PCs. These devices shared a common weakness: They shipped with factory-default usernames and passwords, which Mirai used to log in, install itself, and re-task each device as a member of the botnet. 
It was one of the largest DDoS attacks recorded at the time and involved hundreds of thousands of hijacked devices. </p><p>“As is often the case with new innovations, the use of IoT technology has moved more quickly than the mechanisms available to safeguard devices and their users,” says Amit Sinha, executive vice president of engineering and cloud operations at cloud security firm Zscaler in San Jose, Calif. “Enterprises need to take steps to safeguard these devices from malware attacks and other outside threats.”</p><h2>Begin With Security</h2><p>Events like the Mirai attack make security a priority for internal auditors to review. Among the top IoT security concerns that experts identify are weak or unchanged default passwords, failure to install readily available security patches, loss of devices, and failure to wipe data from a device before it is retired or replaced. The steps to rectify such problems are relatively simple, but they are “usually ignored or forgotten about,” says Colin Robbins, managing security consultant at Nottingham, U.K.-based cybersecurity specialist Nexor. </p><p>As a starter, he says, internal auditors should check that the business has a process to ensure that all IoT device passwords are unique and cannot be reset to any universal factory default value, to minimize the risk of hacking. The organization should apply software updates and vulnerability patches regularly, and devices that cannot be updated — because of age, model, or operating system — should be isolated once personal and work data has been removed from them.</p><p>“Organizations need to have conversations at the highest level of management about what IoT means to the business,” says Deral Heiland, IoT research lead at Boston-based cybersecurity firm Rapid7. Once they have done this, Heiland suggests they focus on detailed processes around security and ask key questions such as: What IoT has the organization currently deployed? Who owns it? 
How does the organization manage patches for these technologies, and how does it monitor for intrusions? What processes does the organization need for deploying new technologies?</p><h2>Technical Hygiene Standards</h2><p>Effective IoT security requires organizations to develop their own protocols and security specifications up front, Meeuwisse says. This ensures that “devices can either be integrated into particular security zones or quarantined and excluded from the possibility of getting close to anything of potential value,” he explains. </p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>Targeting the IoT Within</strong><br></p><p>In January 2017, the U.S. Food and Drug Administration issued a statement warning that certain kinds of implantable cardiac devices, such as pacemakers and defibrillators, could be accessed by malicious hackers. Designed to send patient information to physicians working remotely, the devices connect wirelessly to a hub in the patient’s home, which in turn connects to the internet over standard landline or wireless connections. Unfortunately, researchers found that certain transmitters in the hub device were open to intrusions and exploits. In a worst-case scenario, hackers could manipulate the virtual controls and trigger incorrect shocks and pulses, or even just deplete the device’s battery. Manufacturers quickly developed and deployed a software patch. 
</p><p>The case demonstrates the need for internal audit to check that Wi-Fi networks are secure, that default factory settings on any connected devices are not used, and that the organization, through the IT department, has patch management processes in place to check whether any devices have security updates that need to be installed.<br></p></td></tr></tbody></table><p>Meeuwisse adds that whether a business is manufacturing or simply installing IoT devices, having security architecture standards to ensure information security throughout the organization is aligned with business goals is a crucial first step. “Buying or designing technology before having a clear understanding of the security specification required is a dangerous path,” he says. “For any new type of IoT device, there should always be a risk assessment process in place to understand whether the device meets security requirements, needs more intensive scrutiny, or poses a significant potential risk.”</p><p>More widely, organizations need to examine “the basics” to ensure that they maintain their IT system’s “technical hygiene,” says Corbin Del Carlo, director, internal audit IT and infrastructure at financial services firm Discover Financial Services in Riverwoods, Ill. For example, Wi-Fi access should be restricted so that only authorized and certified devices can join, and there should be an inventory of devices that are connected to the network so the IT department knows who is using them. For additional security, IT should scan the network routinely — even daily — to check whether new devices have been added to the network and whether they have been approved. </p><p>Del Carlo also says internal auditors need to check that the organization’s IT architecture can support a potentially massive scale-up of devices wanting to access its systems and network quickly. “We’re talking about millions more devices all coming online within a year or two,” he says. 
“Can your IT system cope with that kind of increase in demand? What assurance do you have that the system won’t fail?”</p><p>Del Carlo recommends organizations draw up a shortlist of device manufacturers that are deemed secure enough and compatible with their IT architecture. “If you allow devices from any manufacturer to access the network, then you need the in-house capability to monitor the security of potentially hundreds of different makes and find security patches for them all, which can be very time-consuming,” he points out.<br></p><p>A list of approved manufacturers also can make it easier to audit whether the devices have the latest security updates installed. “Even if a particular manufacturer’s product proves to have vulnerabilities, it is much easier to fix the problem for all those devices than try to constantly monitor whether there are security updates for many different products made by dozens of manufacturers,” he says.</p><h2>Intrusive Monitoring</h2><p>It’s not only the organization’s security that internal auditors should consider. Auditors also should make management aware of potential privacy issues that some applications may present — especially those that feature GPS tracking, cameras, and voice recorders. “Tracking where employees are can be useful for delivery drivers, but is it necessary to track employees who are office-based?” Del Carlo asks. </p><p>An example is an IoT app that monitors how much time people spend at their desks and prompts them to take a break if they are there too long. Organizations could use that technology to monitor how frequently people are not at their desks, Del Carlo notes. “While this may catch out those who take extended lunch breaks, it may also highlight those who have to take frequent trips to the bathroom for medical conditions that they may wish to keep private,” he explains. 
“As a result, auditors should query such device usage.”</p><h2>Business Risks</h2><p>Yet while there is a vital need to make IoT security a priority, Robbins says organizations should not overlook whether management has appropriately scoped the business case for an IoT deployment, and how success or failure can be judged. “As with any other project, particularly around IT, managers can throw money at something they do not understand just because they think they need it, or because everyone else is using it,” he says. </p><p>Robbins cautions that poorly implemented IoT solutions create new vulnerabilities for businesses. “With IoT, it’s not data that is at risk, but business processes at the heart of a company,” he points out. “If these processes fail, it could lead to a direct impact on cost or revenue.”</p><p>According to Robbins, the success of IoT means a heavy — and “almost blind” — reliance on the rest of the “things” that support the technology working effectively within the supply chain. Take for example an IoT device that monitors bakery products made in an oven. That device may tell the operator that the oven temperature is 200 degrees and the baked goods have another 20 minutes of cooking time, he explains. </p><p>“But the problem is that you have no physical way of checking, or even being alerted, that the technology might be wrong or has been hacked, and that the settings and readings are incorrect,” Robbins says. “Everyone is relying on all the different parts of the supply chain — the app vendor, the cloud provider, and so on — maintaining security in a world where there are no agreed-upon standards or best practice. Talk about ‘blind faith.’” </p><p>IoT also increases the need for additional third-party and vendor risk monitoring, Del Carlo warns. This is because app developers may be collecting data from users not only to help inform design improvements but also to generate sales leads. 
</p><p>“Internal auditors need to think about the data that these vendors might be getting and how they may be using it,” Del Carlo explains. For example, developers may be exploiting user data to approach the organization’s competitors with products tailored to the competitor’s needs. “Internal auditors need to check what data developers may be collecting and why,” he advises.</p><h2>Early Best Practices</h2><p>Despite the absence of universally agreed-upon guidance for aligning IoT usage with business needs, some industry bodies have tried to promote what they consider to be either basic steps or best practice. For instance, in a series of blog posts, ISACA recommends that organizations perform pre-audit planning when considering investing in IoT solutions. It advises organizations to think about how the devices will be used from a business perspective, what business processes will be supported, and what business value is expected to be generated. ISACA also suggests that internal auditors question whether the organization has evaluated all risk scenarios and compared them to anticipated business value.</p><p>Eric Lovell, practice director for internal audit technology solutions at PwC in Charlotte, N.C., says internal audit should have a strong role in ensuring that IoT risks are understood and controlled, and that the technology is aligned to help achieve the organization’s business strategy. “Internal audit should ask a lot of questions about how the organization uses IoT, and whether it has a clear strategic vision about how it can use the technology and leverage the benefits from it,” he says.</p><p>As IoT is part of the business strategy, Lovell says internal auditors need to assess the business case for it. 
“Internal auditors need to ask management about the business benefits it sees from using IoT, such as improving worker safety, better managing assets, or generating customer insights, and how these benefits are going to be measured and assessed to ensure that they have been realized,” he advises.</p><p>Questions to ask include: What metrics does the organization have in place to gauge success or failure? Are these metrics in line with industry best practice? Are there stage gates in place that would allow the organization to check progress at various points and make changes to the scope or needs of the project? “Equally importantly, does the organization have the right people with the necessary skills, experience, and expertise to check that the technology is delivering its stated aims and is being used securely?” Lovell notes.</p><p>Lovell also says internal auditors need a seat at the table from the beginning when the organization embarks on an IoT strategy. “Like with any other project, internal audit will have less influence and input if the function joins the discussion after the project has already been planned, scoped, and started,” he explains. “Internal auditors need to make sure that they are part of those early discussions to gauge management’s strategic thinking and their level of awareness of the possible risks and necessary controls and procedures.”</p><h2>IoT’s Dynamic Risks</h2><p>Risks shift over time as technology innovations and the business and regulatory environment evolve. “It is pointless to think that the risks that you have identified with IoT technologies at the start of the implementation process will remain the same a couple of years down the line,” Lovell says. “Internal auditors need to constantly review how IoT is being used — and under what circumstances and by whom — and assess whether the technology is still fit for purpose to meet the needs of the business.” <br></p>Neil Hodge
<p><a href="https://iaonline.theiia.org/2019/Pages/GRC-Conference-2019-Transformative-Technology.aspx">GRC Conference 2019: Transformative Technology</a></p><p>Pamela Nigro, senior director of Information Security at Health Care Service Corp., opened the final day of the Governance, Risk, and Control (GRC) Conference with her general session, "The Future of IT Audit and Industry 4.0." Nigro shared with audience members her thoughts on emerging technologies affecting today's organizations and those that will transform the businesses of tomorrow.</p><p>"Organizations are shifting from traditional ways of engaging and interacting with customers, prioritizing digital ones," she says. Citing health care as an example, Nigro pointed to the common practice of sharing patient test results via a portal rather than a phone call. She also cited Tesla as operating not so much as a car company but as a software company that collects and leverages data to serve its customers. <br></p><p>"Now every business is a digital business with software at the core," she says. "There used to be a focus on running IT like a business. Now IT is the business — there is not a business that is not run by IT."</p><p>Data, Nigro adds, has become the world's most valuable resource — much more so than oil. And it's not just about collecting and storing data, it's about transforming that data into useful and consumable information.</p><p>"Digital transformation is the foundation on how organizations deliver value to their customers," she says. "It's more than simply remaining competitive. There's a radical rethinking of how organizations use technology and processes to fundamentally achieve business performance."</p><p>Nigro cited artificial intelligence and Internet of Things interconnectivity as examples of transformative technologies that are driving business ecosystems and changing the way business is done. 
But this interconnectedness, she points out, creates a host of risks. Among them, she pointed to cyberthreats recently identified by <em>Security</em> magazine, including cryptojacking, software subversion, and cryptocurrency ecosystem attacks.</p><p>She also referenced the threat of breaking encryption using quantum computers. "As auditors, encryption is an important part of our structure," she says. "It is important that we feel confident that we can rely on that encryption for our security, for our privacy, for our protection. What happens if that is easily breached?" The thinking has shifted, she says, from considering <em>if</em> a company will get hacked to <em>when</em> it will get hacked.</p><p>In response to these threats, Nigro challenged auditors to not just keep up, but to "set the pace." "Why can't we and our development partners get sandboxes to start to play and understand and learn this technology so that we can help be a value-added partner to our organizations as they move into these new technologies?" she asked.<br></p><p>Nigro says auditors need to become leaders in the digital transformation space and help organizations move into this technology. She encourages auditors to adapt and think about how to "get ahead of the digital curve."</p><p>Toward that end, she advised attendees to make sure they have the necessary competencies and understanding to tackle digital challenges. "Think about how you are maintaining, or even leading, in your skill set," she says. "Understand how the technology really supports strategic objectives. Focus on those risks that can delay or derail business objectives, and identify how the algorithms are being used."</p><p>Nigro also encouraged auditors to get involved early in technology projects and to partner with the first and second lines of defense to help manage the risks appropriately. 
"We have to stop being the 'department of no,'" she says, "and find a way to bake compliance and build controls into these new technologies and processes."<br></p>David Salierno
<p><a href="https://iaonline.theiia.org/2019/Pages/GRC-Conference-2019-Technology-Trends-and-Disruptive-Innovation.aspx">GRC Conference 2019: Technology Trends and Disruptive Innovation</a></p><p>Business futurist Patrick Schwerdtfeger closed the Governance, Risk, and Control Conference with his keynote address, "Embracing Disruptive Innovation." Schwerdtfeger, whose technology expertise includes artificial intelligence, fintech, and blockchain, dissected the topic of business disruption and explained how attendees could spot potential threats and opportunities in their organizations.</p><p>Schwerdtfeger began with an illustration of the rapid growth of data, pointing to research from Amazon showing that, in 2000, the cost of storing one terabyte of data was $17,000 — by 2020, Amazon says, that price will have dropped to $3. In tandem, data processing and data bandwidth also have accelerated by leaps and bounds. And with Big Data, all of this information is being put to use by businesses, municipalities, and other entities — and it is continuing to scale rapidly. Schwerdtfeger terms this "exponential development" and says it is key to understanding future business trends.</p><p>"Human beings are hard-wired to think in linear terms," he says. "But what could you do if your business system, such as ERP, were 10 times as powerful as it is now? We need to learn to think this way."</p><p>As an example, Schwerdtfeger pointed to the exponential development of the Human Genome Project, which began in 1990. By 1997, it was just 1% complete — but that actually represented the project's halfway point because it scaled at 100% per year. At that rate, it took just 6.5 years to get from 1% to 100%. The Human Genome Project finished by 2003, and costs were lower than expected.</p><p>With this rapid propagation of technologies, Schwerdtfeger says, changes to organizations are going to be dramatic. 
As evidence, he cited a recent study from Washington University that says 40% of today's S&P 500 companies will no longer exist by 2026. </p><p>"Hearing this," he says, "people instinctively get into a defensive posture — they ask themselves, 'Who's going to eat our lunch?' But the question should be, 'Who else's lunch can we eat?'" In other words, those companies will be replaced, creating opportunity in the marketplace. Schwerdtfeger told audience members that they are well-positioned to spearhead these conversations and to find a way to stay on offense.</p><p>"There's more and more leverage in the system all the time," he says. "Technology is a form of leverage. You're either on one side of the leverage equation or on the other side of the leverage equation."</p><p>As technology evolves along an exponential curve, Schwerdtfeger says that, over time, repetitive manual jobs will be replaced by robotics. Moreover, repetitive cognitive jobs are likely to be replaced by algorithms. How do we plan for this? Schwerdtfeger says it boils down to two things: creativity and relationships.</p><p>"We need to focus on our ability to be creative and to work with other human beings," he says.</p><p>In his closing remarks, Schwerdtfeger encouraged attendees to think not only about what's happening in the world, but what they can do in response to it. His main message: think bigger. "When you think bigger, you inspire others around you," he says. "If you truly think big, you're going to outdo the competition."<br></p>David Salierno
<p><a href="https://iaonline.theiia.org/2019/Pages/GRC-Conference-2019-Building-Your-Brand.aspx">GRC Conference 2019: Building Your Brand</a></p><p>Day two of the IIA/ISACA Governance, Risk, and Control Conference (GRC) opened with a keynote address from internal audit executive Nancy Haig on creating "Your Personal Brand." Haig shared her advice on building a brand identity, and then maintaining that brand once it's established.</p><p>To begin, she explained, professionals must understand what does not fall within the scope of their brand. "Your personal brand is not about stuff, it has nothing to do with your stuff," Haig told the GRC audience. "It doesn't matter — your house, your car, your clothes, any possessions at all. It doesn't factor into your personal brand." She adds that brands are not about bragging, self-promotion, attention-seeking, disingenuous behavior, or self-centered connections.</p><p>Instead, Haig says, personal brands comprise a genuine, meaningful representation of ourselves. She says one's brand should present an authentic personal image — one that is both unique and professional, and speaks to reputation. Perhaps most importantly, Haig adds, a personal brand needs to be promoted on social media — if done correctly, it will help create an expanded presence in one's industry, enhance engagement with other professionals, and facilitate career advancement.</p><p>As a first step toward developing a personal brand, Haig recommended audience members ask themselves a question: "If someone heard your name, what would they associate it with?" She suggests approaching friends, colleagues, and family members to determine their perceptions. What strengths and weaknesses do they see?</p><p>Next, Haig advised determining which social media platforms to target. She pointed to LinkedIn as a logical venue for most professionals, though other platforms with a mix of social and professional content may be useful as well. 
"You're going to have to assess which are the best places for you to be," she says.</p><p>Once online, Haig says, a personal brand needs to establish trust from its audience. She recommends accomplishing this through consistency and repetition. "You don't want to be one way to some people and someone else to other people," she says. Moreover, the brand needs to be monitored regularly to make sure information online represents the brand accurately and that someone hasn't hijacked it.</p><p>Haig also offered numerous practical tips for personal brand enhancement, such as searching for oneself online to look for brand inconsistencies and setting up automated news alerts for references to one's name. She also suggested participating in a local professional association chapter, contributing an article to an industry magazine, and creating a personal website as ways of expanding a personal brand and solidifying it with professional connections.</p><p>For more information on personal branding, read Nancy Haig's article, "<a href="/2018/Pages/Your-Personal-Brand.aspx" style="background-color:#ffffff;">Your Personal Brand</a>" — winner of this year's <em>Internal Auditor</em> John B. Thurston award for literary excellence.<br></p>David Salierno
<p><a href="https://iaonline.theiia.org/2019/Pages/GRC-Conference-2019-Owning-the-Moment.aspx">GRC Conference 2019: Owning the Moment</a></p><p>Keynote speaker Simon T. Bailey kicked off the ISACA/IIA Governance, Risk, and Control (GRC) Conference in Ft. Lauderdale, Fla., today with his session, "Shift Your Brilliance — Leading Amidst Change and Uncertainty." Bailey, a business strategist and entrepreneur, advised leaders on how to accept change and embrace uncertainty as their businesses face unprecedented technological, cultural, and other tectonic shifts.</p><p>"We have an opportunity to own the moment," Bailey told the sold-out GRC audience. "The question we have to ask ourselves is how am I showing up in this moment to be my best self — to lead my organization, to lead my team, especially in the midst of uncertainty?"</p><p>That process, Bailey emphasizes, begins internally. To lead effectively, he says, every leader needs to introspect and seek to improve himself or herself. Toward that end, he advises applying what he calls the "15-7-30-90" method. The process begins with taking <em>15</em> minutes a day to focus on what you want to accomplish — this is practiced <em>7</em> days per week, checking in every <em>30</em> days to review progress, and then taking a deeper dive every <em>90</em> days to assess progress from a broader perspective.</p><p>To further self-improvement efforts, Bailey encouraged audience members to surround themselves with a "personal board of directors." The board would comprise individuals "with different competencies, different skill sets, and a different understanding that challenges you to rise to the occasion," he says. It should be a group of people who inspire you, motivate you, and challenge you — whose advice you seek on important personal and professional matters.</p><p>Turning toward how leaders influence and inspire others, Bailey emphasized the importance of establishing good relationships. 
"One of the goals every leader needs to be thinking about is how do we move from command and control to collaboration and connection," he says. Relationship-building, he explains, is key to a leader's ability to motivate and inspire. And creating those relationships depends largely on one's ability to empathize, he says, adding that empathy is the No. 1 skill taught in Silicon Valley. "People don't care what you know until they know how much you care," he says.</p><p>To effectively lead through change, Bailey says leaders must embrace what he calls the "vuja de moment." This is the opposite of déjà vu, and it reflects the ability to look at what you have been doing with a fresh set of eyes as if you've never seen it before. "It's asking yourself a different set of questions that will challenge you on the way you've done things, as well as on what <em>can</em> be done and what needs to be undone," he says.</p><p>After sharing numerous tips and strategies for leading through change and uncertainty, Bailey concluded with a quote from philosopher Eric Hoffer: "In times of change, the learners will inherit the earth, while the learned find themselves beautifully equipped to live in a world that no longer exists."<br></p>David Salierno
<p><a href="https://iaonline.theiia.org/2019/Pages/The-Control-Culture-Connection.aspx">The Control-Culture Connection</a></p><p>All audit committees want strong internal controls over financial reporting, and a strong ethical culture where employees who suspect impropriety feel unafraid to speak about what they see. What is sometimes less understood are the connections between those two things — how corporate culture and internal controls should complement each other, to further the goal of strong, reliable financial reporting. Design them well, and the organization has a powerful buttress against executive misconduct. Don’t, and the opposite is just as true.</p><p>A fascinating example of this point comes from <a href="http://bankrate.com/" rel="nofollow">Bankrate.com</a>, which paid $28.5 million to the U.S. Justice Department earlier this year to settle long-running financial fraud charges. Back in 2011, Bankrate’s then-Chief Financial Officer Ed DiMaria concocted a cushion-accounting scheme to manipulate quarterly earnings. He and others fabricated expenses on a bogus spreadsheet, while hiding the true numbers from Bankrate’s audit firm. When the U.S. Securities and Exchange Commission (SEC) began inquiring about the company’s finances, DiMaria directed others to reply with material not responsive to the SEC’s document requests. </p><p>Of course this all unraveled eventually. Bankrate announced a restatement in 2014. DiMaria was dismissed, indicted, and sentenced to 10 years in prison. The company hired new outside counsel, and its audit committee cooperated fully with the SEC. </p><p>Think about what happened here. First, the company used technology and business processes that gave DiMaria the ability to fabricate financial data while concealing true information. Second, nobody raised alarms about DiMaria’s misconduct — not when he lied to the audit firm, not when he misled the audit committee, and not when he had others mislead the SEC. 
</p><p>The issue, really, is about transparency and freedom. Internal audit needs to be able to roam freely through the enterprise to assess risks, and it needs to be able to see real data, rather than whatever report management provides. Or, as Debi Roth, chair of the Audit Advisory Committee for Orange County Public Schools in Florida, puts it: “Can the audit department get it, and pull it themselves?” </p><p>That might seem like a straightforward part of governance. In the real world, however, Bankrate is by no means alone. For example, when Polycom Corp. agreed last year to pay $16 million to settle U.S. Foreign Corrupt Practices Act charges, the misconduct was fundamentally similar. Executives in China recorded false information on bogus spreadsheets to hide bribery violations from Polycom’s global managers, while masterminding a payoff scheme to Chinese government officials. </p><p>Technology and business processes that allow executives to create a false narrative; plus a corporate culture that allows them to spread the false narrative — if those are the ingredients for an audit committee’s nightmare, what’s the antidote? It comes in two parts: strong control activities over financial reporting, and strong corporate culture that encourages everyone to sound the alarms about misconduct. </p><h2>Ingredient 1: Control Activities</h2><p>The first ingredient is unimpeded access to the company’s transactional data. Access should include not just whatever reports someone might provide to internal audit or the audit committee, but also the actual data about payments, due diligence checks, beneficial ownership, contracts, or whatever else the audit team might want to see. </p><p>That’s partly a question of technology. Accounting systems should rely on a single data source to make frauds like bogus spreadsheets and false transaction entries harder to accomplish. 
In an ideal world, auditors should be able to drill down from balance sheet, to line-item accounts, to transactions within those accounts, to supporting documentation for those transactions. </p><p>As an audit committee chair, Roth wants to hear the chief audit executive (CAE) explain how the process for gathering data works, and whether there are any concerns about potential interference. For example, does the audit team depend on the IT department to generate reports? That’s a risk, no matter how well-intentioned the IT department might be. “I’m looking for the internal audit function to have a good process in place that addresses internal controls, and that they’re able to go out and do their job and do it well,” she says.</p><p>Once upon a time, when companies used data warehouses, the audit team could have access to them, too, and pull whatever information it needed. Today’s systems are more complicated, as many firms rely on cloud-based applications that might store data in different locations, or employees might use cloud-based applications but not tell IT about it. </p><p>Audit and accounting teams need to think about the design of financial reporting systems and transparency into the data, so that suspicious transactions stick out like a sore thumb. <br></p><h2>Ingredient 2: The Control Environment</h2><p>Even when suspicious transactions are more visible, someone still needs to point them out. After all, at organizations of any appreciable size, many fraudulent activities won’t be spotted by the audit team — especially if more than one person is involved in the misconduct, as happened at Bankrate, Polycom, and many others. The organization needs to foster an environment where employees feel comfortable raising concerns about misconduct. “That’s always top of mind as an audit committee member,” says Raoul Ménès, who serves on the audit committee of the Salt River Pima-Maricopa Indian Community in suburban Phoenix. 
</p><p>“The bad perception to have is, ‘Don’t worry, internal audit will get it,’” Ménès says. “Well, internal audit cannot see everything. They’ll show up for two weeks to do an audit, and then they’re gone.” </p><p>Ménès encourages audit committee members to spend more time at their organizations, getting to know employees casually. Show up early for a committee meeting, for example, and chat with the employees. (That’s in addition to any executive sessions at the committee meeting, or any conversations the committee chair has with the CAE between meetings.)</p><p>“Meet the audit team, or talk to the controller. Just see how things are going,” Ménès says. “When you’re able to connect with folks, to work with them and talk with them, they’ll open up.” </p><p>Fair enough, but how else can the audit function identify warning signs about corporate culture? “Auditing culture” is a lofty idea, but a bit vague. Instead, audit teams need to design tests for traits or behaviors that suggest the culture is wrong. Ménès, for example, once worked with a firm where employees received a three-question quiz about the code of conduct shortly after they had certified that they’d read it. The goal wasn’t to see how well they memorized the answers; it was to see whether the enterprise had high failure rates as a whole — which would suggest that employees weren’t taking the code seriously, a big culture risk. </p><p>Roth, meanwhile, wants to hear about managers who try to interfere with auditors’ ability to talk to other employees. “If someone is telling the auditor, ‘You can’t work with anyone else, you have to go through me’ — that’s an automatic red flag,” she says.  
</p><h2>Shutting Down Abuse</h2><p>The truth is, an organization can’t achieve strong financial reporting without both elements present: systems that provide clear visibility into transactions and a corporate culture that encourages internal audit — or other parts of the enterprise — to put that visibility to good use. </p><p>That’s the buttress organizations need to thwart executives who might abuse their power to override controls or lie to the board. It can be tough to build in the modern enterprise, with complex IT systems and a globalized workforce. Build it right, however, and that buttress can be pretty powerful. <br></p>Matt Kelly
<p><a href="https://iaonline.theiia.org/2019/Pages/The-Winds-of-Trade-Wars.aspx">The Winds of Trade Wars</a></p><h2>How can a global company determine how to comply with volatile trade regulation shifts? </h2><p>In a changing global landscape, organizations need to be aligned, agile, and prepared. Specific to tariffs, the compliance office, supply chain, and public affairs/regulatory teams need to work together to develop a comprehensive response plan. In an escalating trade war, all functions need to understand their roles within the plan and be agile enough to ensure timely implementation. Items to prioritize are reviewing third-party contracts, updating costing models, investigating alternative supply options and coordinating with logistics, and ensuring controlled processes are in place to comply with changing duty rates and classifications. </p><p>As a risk leader within the organization, internal audit first should vocalize and elevate the potential impact of geopolitical risks, including trade wars and tariffs, to the audit committee, senior leadership, and others within the business. Second, internal audit should work with the appropriate teams to ensure response plans are in place if trade wars escalate or continue for an extended period. Third, internal audit should review the customs compliance process, paying particular attention to classification procedures and documentation to minimize the risk of transshipment [through intermediate sites] and payment noncompliance.</p><h2>What are some of the risks to a company with a global supply chain? </h2><p>The most immediate implications of tariffs are higher costs, limited alternative sourcing options, more complex logistics, and greater compliance risks. Businesses may look to adjust their manufacturing and sourcing strategies, but these cannot be changed overnight. The reality is that most companies have spent years planning and building their global supply chains. 
</p><p>Although New Balance has been focused on preparedness and agility within our supply chain — including running internal scenarios for a trade war escalation — sourcing shifts are still capital-, resource-, and time-intensive challenges. All departments, from development through transportation, need to be in alignment and coordinating fully to achieve the overall strategic objectives. </p>Staff
<p><a href="https://iaonline.theiia.org/2019/Pages/In-Line-With-Risk.aspx">In Line With Risk</a></p><p>Risk management has evolved and grown since its inception in the mid-20th century, as evidenced by the introduction of methodologies such as The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) <em>Enterprise Risk Management – Integrating With Strategy and Performance</em>, the International Organization for Standardization’s ISO 31000, and the Basel Accords. Yet, only 23% of respondents describe their risk management program as mature in the American Institute of Certified Professional Accountants’ 2019 <em>The State of Risk Oversight</em> report, conducted jointly with North Carolina State’s ERM Initiative. Additionally, the perceived level of maturity has declined over the past two years, and most organizations struggle to integrate their enterprise risk management (ERM) program with the strategy and objective-setting process. </p><p>Understanding and managing risk has tremendous benefits, as it helps organizations better prepare for the future. So why aren’t ERM programs more mature and better accepted? Most likely it is because organizations do not know how to develop a program or because they do not embrace risk management.</p><p>The current way of thinking about this practice can be challenged to discover new ways of evolving it to more effectively manage strategic risk. My former organization developed and successfully implemented an ERM function, and I am currently using the same strategic program to build a function at Covetrus, an animal-health technology and services company. Building a systematic and strategic program at my former company was educational and rewarding, as it allowed my team and me to familiarize ourselves with many aspects of the organization. 
</p><h2>Where to Begin</h2><p>Before establishing the program, my team and I identified key points of concern that needed to be addressed during implementation: </p><ul><li>Risks were too generic to create measurable plans.</li><li>Issues and controls were not systematically mapped to risks. </li><li>It was difficult to quantify and qualify the impact to the organization.</li><li>Progress tracking of risk remediation plans was not well-documented.</li></ul><p>The program implementation was then divided into three phases spanning several years.</p><h2>Phase 1: Pilot</h2><p>During this phase, the team developed a detailed risk library and hierarchy that aligned with the organization’s life cycle, mapped issues and controls to risks, providing a real-time picture of the organization’s risk profile, developed measurable remediation plans for the top risks, and implemented centralized reporting.</p><p>Participation in the risk program initially was limited to the internal audit, vendor due diligence, and compliance teams. Some of the key steps taken to complete this phase included: </p><ul><li>Selecting an ERM standard. We decided on COSO’s updated ERM framework. </li><li>Defining purpose, scope, roles, and responsibilities. </li><li>Formalizing a risk-rating methodology. </li><li>Developing a master risk library.</li><li>Documenting a process for identifying risks, assessing severity, implementing responses, tracking, and reporting. </li><li>Conducting initial risk assessments with critical areas.</li></ul><img src="/2019/PublishingImages/Hamzo-Enterprise-Risk-Areas.jpg" class="ms-rtePosition-2" alt="Enterprise Risk Areas" style="margin:5px;width:640px;height:570px;" /><p>The development of the risk library was vital, as it defined the program foundation and provided common terminology for all of the program participants. Over time, the team updated the library based on management feedback to customize it to the type of risks inherent to the organization. 
The team organized risks into a three-tiered hierarchy. At the top were the key enterprise risk areas, which follow the organization’s life cycle (see “Enterprise Risk Areas," right).</p><p>Underneath each enterprise risk area, there are intermediate risks that represent the subfunctions of that risk area. Within each intermediate risk, there are individual risks that are potential events that can impact that business area. The individual risks are linked to processes, objectives, key risk indicators, financial losses, mitigating controls, incidents, and findings (see “Risks, Controls, Issues, and Remediation Mapping” below). </p><p>Mapping the more than 900 internal controls and issues to each individual risk took the most time, but it was the most important step. Mapping processes provided further insight into the ratings, which often are subjective. More specifically, the occurrence of an issue increased the likelihood, while the presence of compliant internal controls decreased the likelihood, of one or more risks occurring. </p><p>After the completion of this phase, we realized that we tried to accomplish too much in too short a time. For example, we defined the end-to-end risk process while simultaneously automating it via our risk management system. Looking back, we should have operationalized the process before introducing a tool. <br></p><h2>Phase 2: Implement the Program </h2><p>During phase 2, my team and I developed a formal risk management policy, fine-tuned the process, expanded risk assessments across all divisions, and established a governance committee. The team also incorporated other key risk management functions under the umbrella of the ERM program to include business continuity, information security, legal, and patient safety teams. </p><p>The individual teams had their own governance committees, which were consolidated into a single governance, risk, and compliance team comprising executive leadership. 
This team met several times a year to discuss top risks and the status of remediation plans, and to escalate critical issues, as necessary. </p><p>Issue tracking from these key functions was consolidated into one consistent process and tool. This effort took one year, and we followed the same process for each team: </p><ul><li>Conduct current state analysis of processes, people, and tools. </li><li>Normalize rating methodologies.  </li><li>Migrate all open issues and implement a process for identifying and tracking issues and remediation plans in the ERM system. </li></ul><p> <br>To ensure accurate risk tagging for these issues, we configured the tool to route any new issues to the risk management team for approval. We used the review as a learning opportunity for both our team and the business where once a month we reviewed issues, related root causes, remediation plans, and impacted risks. </p><h2>Phase 3: Integrate ERM With the Strategy </h2><p><img src="/2019/PublishingImages/Hamzo-Risk-Controls-Issues-Remediation-Mapping.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:640px;height:634px;" />Early in our process, we learned that a successful integration is dependent on the organization having a strategic approach for identifying, managing, and reporting on the strategy and objectives. Integration with the ERM program becomes just one of the steps in that process. </p><p>The integration process started with the definition of our risk appetite statements for each of the company objectives. For example: </p><ul><li>Objective: Develop new products and attract new customers. </li><li>Risk Appetite: An organization will not make decisions that compromise its reputation by using defective new products that introduce security vulnerabilities and cause customer data breach. 
</li></ul><p> <br>Next, the leadership team identified projects or initiatives that supported the organization’s objectives and strategy and included information such as opportunities, dependencies, resources, budget, and timeline. Coordination with the general and administration functions to discuss resource and budget needs, as well as any regulatory and compliance implications as a result of these projects, was necessary, as these dependencies could become risks to the objectives. This included human resources, legal, audit, and finance planning and forecasting teams.</p><p>The ERM team, partnering with leaders, identified additional risks at the project level. These risks were rated using the rating methodology and rolled up to the enterprise level. The prioritization and responses to the risks were aligned to the risk appetite statements. These statements also will guide the organization’s response to emerging risks that surface throughout the year. </p><h2>Organizational Alignment</h2><p>Throughout this program, the team learned to work more productively with the organization in order to be met with less resistance. From the start, we learned that discussions about risk without the right approach can be perceived as an attack and critical of the business. </p><p>As a result of this project, the team embraced a teaching and learning approach where we spend more time educating the organization about risk principles, which helped us better understand business and risks from the organization’s perspective. Collectively, the organization became more aligned with its risk profile. </p><p>Internal auditors can make a difference if organizations overcome their giving-up point. By giving risk management a try and not waiting for a big event to happen that forces internal auditors to adopt risk management haphazardly, they are doing right by their organizations. Progress cannot be made through fear. <br></p>Dorina Hamzo1
