Governance

It's All About Trust
https://iaonline.theiia.org/2019/Pages/Its-All-About-Trust.aspx
<p>Audit committees and chief audit executives (CAEs) talk constantly about how to foster more engagement with each other, and rightly so. Their relationship is one of the most important for an organization to get right, if it wants effective corporate governance. </p><p>A good place to begin, then, is to consider the origin of the word <em>engagement</em>. It descends from the French verb <em>engager</em>. Today that word means “to hire” or “to employ” — but 400 years ago, when <em>engagement</em> first crept into the English language, <em>engager</em> actually meant “to pledge.”</p><p>That’s a useful point to remember when contemplating how to improve the relationship between audit committee and audit executive. It’s about pledging to be there for each other: I will help you, and you will help me, <em>and we both know that</em>. In other words, it’s about trust. Audit committees and audit executives have to trust that the other is thoughtful, competent, and looking out for the best interests of the organization. </p><p>That’s all the more true today in an immensely complex modern business world. Audit committees have a fiduciary (and for publicly traded companies, statutory) responsibility to oversee risk management at their organizations. Audit executives are watching their profession transform from an older era of financial statement audits to a newer one of monitoring risk and working with other parts of the organization to manage risk (see <a href="/2019/Pages/The-Audit-Committee-Connection.aspx">“The Audit Committee Connection”</a>).</p><p>In other words, both parties now have more to do, and more to worry about. That’s why cultivating a strong working relationship is important. That’s why <em>fostering trust</em> is important. 
Each needs the other to succeed.</p><p>“It’s a whole new world,” says Theresa Grafenstine, a managing partner at Deloitte, audit committee chair of the Pentagon Federal Credit Union, former audit committee chair of ISACA, and former inspector general of the U.S. House of Representatives. “We need to see this as a partnership.” </p><h2>Trust Begins With Communication</h2> <p>For starters, audit committees and audit executives can simply talk more often. There should be executive sessions at the end of audit committee meetings without management present. The audit committee chair should schedule informal chats with the CAE between formal meetings, even without anything specific in mind. Talk.</p><p>Marty Coyne, audit committee chair at Ocugen and a past audit committee member at numerous other technology companies, swears by both practices. “It’s almost mandatory in my mind,” he says. “If the audit committee isn’t doing that, shame on them.” (In the most recent North American Pulse of Internal Audit survey, nearly one-third of audit executives say they do <em>not</em> meet in private session with the audit committee.) </p><p>What questions should audit committees put to CAEs in those sessions? Unless some specific issue demands attention, they should pose open-ended questions without any right or wrong answers. What’s been happening in the last quarter? Are there any challenges where they can help? Coyne’s go-to question in such meetings: “What <em>didn’t</em> you say?” </p><p>Those questions give the CAE a chance to speak his or her mind, and to lead the discussion where the CAE believes it should go. “It’s so you can draw that person out,” says Brenda Gaines, audit committee chair for Tenet Healthcare. That, in turn, can foster the CAE’s trust in the audit committee.</p><p>Audit committee chairs should take the extra step of regular communication with the audit executive beyond the standard audit committee meetings. 
Gaines schedules a monthly phone call; Coyne has met CAEs for coffee. However the chair does it, that casual, unstructured line of communication can be invaluable.</p><p>“It would help me frame out the agenda for the audit committee meeting,” Coyne says. After all, audit committees have plenty of risks they can discuss in a formal meeting, and time is limited. So Coyne would chat with the audit executive to pinpoint which risks (aside from any standard matters about financials, investigations, and so forth) truly warranted the audit committee’s attention. </p><p>“There’s always room for a topic,” Coyne says, “and I want to make sure that the topic we talk about, beyond the normal topics, is germane and important, and going to move the needle.”</p><h2>Trust Endures Difficulty</h2><p>All that communication and trust spadework can pay off in several ways. First, the very act of creating an open culture among senior executives and the audit committee reduces the chance that difficult matters will arise where the audit committee needs to “take sides” in an impasse between internal audit and management. Second, when those impasses <em>do</em> arise (spoiler alert: sooner or later, they will), the audit committee can resolve them with the least amount of acrimony. </p><p>That also means the audit committee needs a healthy relationship with management, and needs to ensure management and the CAE have a healthy, respectful relationship, too. Grafenstine calls it the “triangle of success” — each side having equal power, where they each understand the other’s roles and responsibilities.</p><p>Coyne’s approach is, whenever possible, to bring all sides together in open communication at a committee meeting. After all, the CAE may be disappointed with the pace of improvement in a business process, but management might have a good reason for the delay: product launches, sudden departure of key personnel, or some other operational issue. 
</p><p>The audit committee’s job is to ensure such differences of opinion are aired openly and respectfully. The best way to do that is to foster trust long before that conversation happens. </p><p>“What you don’t want is all sorts of back-door conversations going on,” Coyne says, like the CEO and CAE speaking to the audit committee members separately, but not to each other. “That’s a disaster when that happens.” </p><h2>An Environment of Trust</h2><p>That need for collegial relations with management raises another point. From today into the future, success as a CAE will be more about exercising leadership and working with other parts of the organization to manage risk, rather than technical mastery of audit techniques. </p><p>Good audit executives “are not only a valuable resource to help the audit committee discharge its duties,” Gaines says. “They provide management with valuable insight as well on whether risk mitigation is effective.” </p><p>Those risk issues can range from IT controls for cybersecurity, to successful integration of an acquisition, to the rapidly rising concern of “culture risk.” Business processes might need improvement. Data analytics might provide valuable insights that someone needs to translate into updated controls and practices. </p><p>A good audit executive can do all of that, even while balancing the need for independent analysis of risk issues — <em>if</em> the audit committee fosters an environment of trust and open dialogue, and assures that the CAE has the resources he or she needs (financial, technological, personnel) to do the job. </p><p>It’s a lot to ask of the audit committee and CAE alike. One might almost say the French had it right 400 years ago: Engagement really is about pledging yourselves to each other.</p>
Matt Kelly
Internal Audit's Evolving Cybersecurity Role
https://iaonline.theiia.org/2019/Pages/Internal-Audits-Evolving-Cybersecurity-Role.aspx
<p>Technology is progressing at such lightning speed that even IT specialists struggle to keep their fingers on the pulse of technological change. So how are internal auditors expected to adequately assess and examine the various risks emerging in this cyber age?</p><p>As technology continues to advance, internal auditing must evolve. For many years, internal audit departments relied on IT audit specialists as partners in integrated audits. Although those specialists focused on systems and technology, integrated audits worked best when operational and financial auditors knew what to look at from an IT perspective. </p><p>In today’s world, internal auditors cannot delegate responsibility to their IT departments or IT auditors. All auditors should have a solid understanding and awareness of more than just general and application controls. They should realize the technology risks and their potential impact. </p><p>One of the most prevalent issues organizations face today is the constant threat of cyberattacks. Every day there is some new threat, breach, or cybersecurity incident. It is now imperative that all internal auditors understand the underlying drivers as well as the nature and causes of cyber risks. With this knowledge, internal auditors can add significant value to the organization by assessing and helping management strengthen cybersecurity.</p><h2>Knowledge Is Power</h2><p>Yes, internal auditors know how to use a computer and a cell phone, but do they realize the risks these technologies pose? What you don’t know can hurt you! In today’s business environment, training on cybersecurity issues should be a basic curriculum expected of internal auditors. 
Training that is essential for internal auditors includes understanding: </p><ul><li>The threat of cyber fraud to their organizations and the manner in which it could present itself. </li><li>Procedures that should be followed to assess cyber risk.</li><li>Types of new and existing breaches. </li><li>Various tools for managing cybersecurity issues. </li><li>Methods to prioritize assets at risk for protection plans.</li><li>Methods to appropriately allocate resources to protect assets.</li></ul><h2>Understand Cyber Risk Frameworks</h2><p>Organizations need to understand and use a structured cyber risk framework to mitigate threats. Although there are several frameworks, some organizations may focus on a specific framework, depending on their industry. </p><p>One of the most widely used frameworks is the U.S. National Institute of Standards and Technology’s (NIST’s) Cybersecurity Framework. The framework directs organizations to use a standard protocol in their cybersecurity efforts to identify and protect assets, and respond to and recover from incidents.</p><h2>Identify and Protect Assets at Risk</h2><p>The NIST framework recommends that organizations identify assets within the organization that are most susceptible to cyber threat. Next, it advises organizations to prioritize assets for protection, and develop and implement appropriate safeguards to ensure delivery of critical infrastructure services.</p><p>Identifying and protecting assets is similar to other risk assessment processes and is an area in which internal auditors can provide valuable insight to help protect their organizations. Auditors can help their organization by: </p><ul><li>Following a structured approach to perform a top-down assessment.</li><li>Evaluating cyber risks within individual audits.</li><li>Assessing the organization’s capabilities to manage assets that might be impacted by a cyber risk event. 
</li><li>Evaluating whether management and the board have developed a comprehensive cybersecurity strategy.</li><li>Fully integrating cyber risks into the annual audit plan.</li><li>Determining whether management is using the most effective process to prioritize assets for protection and allocate resources.</li></ul><h2>Monitor Detection Procedures</h2><p>Detecting cyber threats is the third component the NIST framework recommends. Once assets have been identified and protected, the organization should develop and implement appropriate activities to take action when a cybersecurity event is detected.</p><p>As with The Committee of Sponsoring Organizations of the Treadway Commission’s <em>Internal Control–Integrated Framework</em> monitoring component, performing detection procedures is management’s responsibility. However, internal auditors can test detection procedures to ensure they are designed appropriately. </p><p>Management should follow a well-devised protocol to develop, design, and implement detection procedures. Auditors can review and test that protocol and ensure detection procedures are addressing the most vulnerable assets. This requires auditors to collaborate with management to fully understand the procedures used in the design phase and in identifying which assets are prioritized as higher risk.</p><h2>Respond to Incidents</h2><p>This component of the NIST framework includes activities to undertake when the organization has detected a cybersecurity incident. The objective is to contain the incident’s impact on the organization.</p><p>Compare a cybersecurity incident to a fire. Both are “all hands on deck” events. If management has not structured a cyber risk program appropriately, there may be many reactive actions and ad hoc approaches to plugging the gaps. Internal auditors can be important consultants in this situation. </p><p>Often when a breach occurs, management looks for the quick fix. This may not always be the best solution. 
The response must consider not just the tactical steps taken to fix the problem but all of the ancillary communication and documentation that is required. In this circumstance, internal auditors can provide an independent perspective and guide management on the best path to follow to respond to the incident. But to be helpful, auditors must understand the technology issues as well as the incident-response processes.</p><h2>Use Recovery to Learn Lessons</h2><p>Recovering from a cybersecurity incident is comparable to recovering from an illness. When a person discovers he or she has a serious illness, all focus is placed on acting to respond to the illness. At that point, the mindset is survival rather than recovery.</p><p>As defined by NIST, the recovery phase occurs after the organization has responded to a breach. This phase includes identifying activities to maintain plans for resilience and to restore any services that were impaired due to a cybersecurity incident. The organization must be able to constructively review what occurred and extract appropriate lessons learned from the incident. Then the organization must incorporate those lessons into its current response protocol. </p><p>By assessing the lessons learned from an incident, internal audit can contribute to the ongoing viability of the organization’s cybersecurity incident plan. This assessment can assist the organization in evaluating gaps in how assets were identified and prioritized, how protection procedures were prioritized and executed, how detection procedures were implemented, and how response procedures were put into effect.</p><h2>Internal Audit’s Expertise</h2><p>The NIST Cybersecurity Framework’s guidance is just a sample of important concepts to understand. As technology evolves, so do the duties of internal auditors. The profession needs to step out of its comfort zone and insert its expertise into addressing cyber risk.</p>
Lynn Fountain
An Audit of Strategy
https://iaonline.theiia.org/2019/Pages/An-Audit-of-Strategy.aspx
<p>The <em>International Standards for the Professional Practice of Internal Auditing</em> and The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) <em>Enterprise Risk Management–Integrating With Strategy and Performance</em> emphasize strategy as the basis for internal audits. Despite this, auditors still often lack the tools and methodologies to audit strategy development and implementation for their organizations. By understanding the needed competencies for tackling a strategy audit, internal audit can help improve governance, risk management, and internal controls in an organization’s strategic management process. </p><p>Strategic management process best practices typically consist of four interdependent steps: </p><ol><li>Identify owners’ (key stakeholders) expectations. </li><li>Analyze the broader environment, industry, and organization’s performance. </li><li>Develop a long-term vision (destination) and strategy leading to that vision, as strategies reveal causality between strategic activities and strategic outcomes. </li><li>Implement strategy via communication, performance measurement and control, and review meetings.</li></ol><p>While it is not the role of internal audit to validate the content of these steps as performed by the organization’s leadership, there is an important requirement for the internal audit function to confirm that each step is being undertaken, and that the organization is using sensible methods at each stage. 
It is also important for the internal audit team to confirm that these steps are happening concurrently, with each of them operating consistently and cooperatively.</p><h2>Question 1: Have Stakeholders’ Expectations Been Identified?</h2><p>Even though the idea of shareholder maximization is always present, business practice abounds with examples of owners balancing profits (financial goals) with other goals — including corporate social, environmental, and economic performance. The first step of auditing strategy is to assess whether the board and senior management have identified stakeholder expectations of future performance in some practical way and have incorporated a response to these expectations within their strategy development process. In the long term, the achievement of stakeholder expectations is the ultimate measure of the performance of the organization’s senior management team. It should serve as stakeholders’ basis for evaluating whether the organization is being managed effectively. As such, it is vital that the strategy focuses on either meeting stakeholder expectations directly, or building and managing a supportive consensus within the stakeholder community concerning the choices of which expectations to meet over time. </p><h2>Question 2: Does Strategy Lie on Firm, Analytical Ground? </h2><p>Internal auditors should focus on the most important methodological aspects of strategic analyses.<br></p><p><strong>Is data reliable, relevant, and sufficient?</strong> With information easily accessible via the internet, internal auditors should assess if the information gathered is reliable and from trustworthy sources. 
They also need to evaluate whether the data is relevant (likely and impactful) and sufficient.</p><p><strong>Have managers avoided the risks of overconfidence and confirmation bias?</strong> Managers are often overconfident about the accuracy of their forecasts and risk assessments and far too narrow in their assessments of the range of possible outcomes. They frequently compound this problem with confirmation bias, which drives them to favor information that supports their positions (typically successes) and suppress information that contradicts them (typically failures). They might anchor their estimates to readily available evidence despite the known danger of making linear extrapolations from recent history to a highly uncertain and variable future. Internal auditors should use professional skepticism to assess the quality of collected data.</p><p><strong>Have potential black swan and black elephant scenarios been considered?</strong> Black swan events, such as terrorism or natural disasters, are difficult to predict and have major impact on the organization. Black elephant events, such as financial crisis cycles and climate change, are predictable, detrimental events that people or society choose to ignore. Internal auditors should assess whether the analytical process has addressed these unlikely events.</p><p><strong>Have analysts identified historical information and emerging trends?</strong> Big data has become a necessity rather than an advantage. Organizations should analyze readily available data from public sources and also use predictive analytics, prescriptive analytics, or autonomous statistics. These approaches go beyond what and why something is happening to address what will happen next. 
</p><p><strong>Have the organization’s current capabilities been analyzed formally?</strong> An organization’s ability to satisfy stakeholder expectations is to some extent determined by the capabilities (technological or marketing, for example) of the organization. If the capabilities are sufficient, the challenge is how to deploy them to best satisfy expectations. If the organization does not have the right mix or sufficient capabilities, the strategy will need to include steps to expand and develop internal capabilities or to purchase the required capabilities from elsewhere. How will this support or hinder work to satisfy stakeholder expectations?</p><p><strong>Is a strengths, weaknesses, opportunities, and threats (SWOT) examination an appropriate summary of key analytical findings?</strong> Internal auditors should assess whether the identified strengths and weaknesses are supported by an objective measurement or assessment, and whether the identified opportunities and threats are related to external factors — such as events from the broader environment or industry.</p><h2>Question 3: Has Strategy Development Followed Best Practices?</h2><p>First, strategy development involves clearly articulating the organization’s final destination (vision) at some future date. Internal auditors should assess whether the organization’s vision statement addresses owner/key stakeholder expectations, is achievable and measurable, and focuses on what the organization needs to achieve vs. what it needs to do. </p><p>Second, internal auditors should check whether the strategy reflects a business case, the logical causality between strategic activities and strategic outcomes (goals). Best practice strategies include cause-effect connections (strategic linkage models) outlining causality between strategic activities, themselves, and between strategic activities and strategic goals. 
They also should check whether strategic goals include financial and nonfinancial goals related to the activities the organization will need to implement the changes required by the chosen strategy. This includes short-term outcomes that the organization can track to confirm the actions taken are working as expected. In addition, auditors should assess whether clear, long-term strategic goals are quantified and associated with a specific time frame. Long-term goals help the organization pick and set targets for the amount of activity that needs to be delivered and the time frame for realizing required outcomes. </p><p>Third, internal auditors should assess the documentation of strategic activities. This should include at least:</p><ul><li>The owner or person responsible for effective completion of a strategic activity.</li><li>Tasks to be completed.</li><li>Timeline of activity.</li><li>Financial and other resources.</li><li>How to mitigate the main risks.</li></ul><p>Finally, internal auditors should check whether managers have ensured strategic alignment or the cascading of a designated strategy throughout the organization. Cascading is the process by which the ultimate goals are broken down into individual departmental activities, allowing for a more engaged and accountable workforce. Internal auditors should assess the responsibilities and ownership of execution plans at lower levels for implementation decisions.</p><h2>Question 4: Is Strategy Being Implemented?</h2><p>The last part of a strategy audit is implementation. Empirical research shows that strategy implementation remains elusive regarding effectiveness, with a reported fail rate of 50 percent to 90 percent. 
Internal auditors should be alert to the main causes of strategy implementation failure.</p><p><strong>Communication</strong> Effective communication plays a critical role in aligning the whole organization with the strategy and giving employees an understanding of the pace of change that will be required. Internal auditors should: 1) identify communication channels that senior management is using to support strategy execution; 2) assess the appropriateness of communication channels from the perspective of frequency and reach; and 3) check whether any guidelines or a strategy execution model exists. Internal auditors can use a modified approach to COSO’s updated ERM framework to evaluate the strategy communication process. </p><p><strong>Performance measurement and control</strong> Strategic performance measurement systems support adequate information sharing among individuals or the business units responsible for strategy execution. Internal auditors should identify whether strategic activities and goals have at least one performance indicator and target values (milestones) to keep track of what has been achieved. Then, auditors should assess the appropriateness of key performance indicators to make sure they are measurable, relevant, and informative. </p><p><strong>Review meetings</strong> Organizations often lack senior management support in strategy execution. To encourage participation and support, senior management should set up and manage the review meetings. Internal auditors should check the frequency of the meetings, assess whether any controls have been put in place to ensure implementation actions are carried out, and evaluate whether any actions have been modified to ensure strategic goals are reached.</p><h2>Providing Reassurance</h2><p>Stakeholders — who can directly or indirectly influence the organization’s ability to operate — comprise a mix of interested parties, including financial owners, regulatory bodies, and communities impacted by the organization’s activities. 
A critical responsibility of senior management is to balance the potentially conflicting interests of these stakeholder groups and direct the organization to maximize the extent to which these interests are satisfied. Organizational strategies document the plan to modify and adapt the performance of the organization in light of these stakeholder expectations. The role of internal audit is not to validate or contest the content of the strategy — which is the responsibility of senior management — but to reassure the senior team that its approach to strategy development and implementation is appropriate and well-controlled. </p><p><img src="/2018/PublishingImages/Drascek-An-Audit-of-Strategy-Key-Strategy-Development.jpg" class="ms-rtePosition-4" alt="Key strategy development" style="margin:5px;width:800px;height:741px;" /></p>
Matej Drascek
Auditing Culture: History and Principles
https://iaonline.theiia.org/2019/Pages/Auditing-Culture-History-and-Principles.aspx
<p><em>With this first in a series of articles planned on auditing culture, I'm excited to share what has been my passion, in one form or another, for the last 26 years. I hope the series will serve as a forum for the creative, courageous internal auditors who are active in auditing culture to share what they're doing, thinking, and concerned about.</em></p><h2>Brief History</h2><p>I went into business for myself three months after the first Committee of Sponsoring Organizations of the Treadway Commission (COSO) report came out in September 1992. <em>Internal Control–Integrated Framework</em> emphasized the primary importance of the control environment, which focuses on "people — their individual attributes, including integrity, ethical values, and competence" — and includes "management's philosophy and operating style" as one of seven factors that contribute to the control environment's effectiveness. This emphasis matched that of my first chief audit executive, Roger Carolus, who was a member of the COSO advisory group. </p><p>We never had the support to fully realize Roger's vision, but COSO's authoritative guidance sparked interest in the profession on evaluating soft controls. And while there is more to auditing culture, evaluating soft controls was the forerunner to this type of assessment and remains an essential ingredient to this day. </p><p>During the 1990s, the profession's main tool of choice for evaluating soft controls was the control self-assessment (CSA) workshop. This technique was powerful, but only a minority of internal audit functions adopted it, and most of them saw diminishing returns after the first few years. Today, workshops seem to be used more by risk managers for risk assessment than by internal auditors. 
</p><p>Based on my own research and discussions with other audit professionals, the emerging tools of choice for evaluating soft controls are employee surveys and structured interviews, where auditors ask questions of a sample of employees and tabulate the results. Of course, auditors' observations are also key to understanding an organization's culture, though they usually need to be corroborated with more objective evidence.</p><h2>Three Principles</h2><p>How can internal auditors evaluate an organization's culture? They can look at governance documents like the code of ethics, mission and vision statements, and stated values. But these documents reflect the board and executives' desired culture, not the actual culture. </p><p>They can interview executives, who will describe the culture as they see it. But the information those executives receive from direct reports and below, upon which their assessment is based, is usually filtered. No one wants to give his or her boss bad news, so employees present a somewhat idealized picture of the culture — not dishonest, just slightly rosy. As information moves up the organizational ladder, the picture gets increasingly rosier. The "emperor has no clothes" syndrome generally applies.</p><p>So where does the real culture exist? Three principles help explain where culture can be found and how it should be audited. </p><p><strong>1. Culture Exists in Employee Perceptions</strong> Ultimately, culture resides in the perception of employees. If employees believe the culture is x, y, or z, that's what it is, and they will act accordingly. Of course, getting employees to say what they honestly believe about the culture can be challenging. I will discuss some of the challenges in future articles.</p><p><strong>2. Cultural Evaluation Must Be Based on Self-assessment</strong> This principle flows from the first. 
If culture exists in the perception of employees, internal auditors have to act more as facilitators than as independent, objective observers. I have seen many dozens of effective soft control evaluation tools, and I have yet to see one that is not somehow based on self-assessment. </p><p>Auditors should keep in mind an important caveat to this principle. The term <em>self-assessment</em> sounds like people assessing themselves. For obvious reasons, auditors can't rely on this type of assessment as audit evidence — they need some form of verification. To use employee surveys as an example, phrasing questions so that employees assess their own behavior or managers assess their own area is not reliable. But asking employees to assess aspects of the environment created for them by higher levels can be quite reliable if they feel comfortable answering candidly. In addition to building a certain level of reliability into the survey process, internal auditors usually follow up on survey results by looking for corroborating evidence.</p><p><strong>3. The Goal Is to Enrich Understanding of the Culture</strong> An organization's culture is amorphous, varied from place to place, and changeable over time. It does not lend itself to evaluation by any one technique alone or to reaching a definitive assessment. Rather, internal auditors should use a variety of techniques — some quantitative, some qualitative — with the goal of continually enriching key stakeholders' understanding of the culture. Moreover, stakeholders need to understand that this is internal audit's goal. </p><p>Internal auditors should keep in mind that they are only one source of cultural information. The first and second lines of defense also have a story to tell. Auditors should work cooperatively with the first line and coordinate their work with the second line. 
But with its independence and objectivity, together with the variety of techniques at its disposal, internal audit can be one of the most reliable sources of cultural knowledge in the organization. </p><h2>The Root of the Matter</h2><p>As many observers have noted, a root cause of almost every major scandal or fraud is dysfunction in the organization's culture. To give the kind of assurance required, at the level at which it should be given, internal auditors must generate the best information they can about where the culture stands and what factors are driving it. </p><p>If you have techniques or methodologies you are willing to share, or would like advice on something you are developing, please let me know. And, of course, questions and comments are always welcome.</p><p>For those who are new to auditing culture, our video, "<a href="/Pages/video.aspx?v=E2cXRjaDE6XeakZnHydeR1EZ2WVMb1qk">Culture Audits: Getting Started</a>," provides advice on how to begin and where the challenges may lie.</p><p>James Roth</p>
<h2>Wells Fargo Further Empowers Internal Audit</h2><p><a href="https://iaonline.theiia.org/blogs/chambers/2019/Pages/Wells-Fargo-Further-Empowers-Internal-Audit.aspx">https://iaonline.theiia.org/blogs/chambers/2019/Pages/Wells-Fargo-Further-Empowers-Internal-Audit.aspx</a></p><p>I have often quoted Danish philosopher Soren Kierkegaard regarding what motivates change. He wrote, "All change is preceded by crisis." American economist and Nobel laureate Milton Friedman made a similar observation when he said, "Only crisis, actual or perceived, produces real change."</p><p>In this context, I was heartened to see Wells Fargo & Co.'s announcement of changes to its governance practices in response to several crises involving its consumer lending division. I won't dwell on the details of the mega-bank's missteps or the resulting regulatory fines. Suffice it to say the scandals that engulfed the world's second-largest bank (by market capitalization) shook it to its core.</p><p>A 103-page <a href="https://www08.wellsfargomedia.com/assets/pdf/about/corporate/business-standards-report.pdf">business standards report</a> released by Wells Fargo last week outlines changes the bank has undertaken as a result of its missteps, and they include important changes to its approach to internal audit.</p><p>One of the most important changes is the consolidation of its retail banking audit team into one centralized group. In the aftermath of the scandals, an internal report showed organizational silos had stymied efforts to report bad practices through established control processes and structures. Consolidation of the audit team is designed to break down those silos, a company spokesman told <em>The Wall Street Journal</em>.</p><p>The bank also created new management-level governance teams tasked with supporting leadership in carrying out risk management. 
Each team has a defined set of authorities and responsibilities. Of great significance are policies that create "clear escalation paths and risk-reporting expectations." From the Wells Fargo report:</p><p><span class="ms-rteStyle-BQ">"The governance committee structure is designed to enable understanding, consideration, and decision-making of significant risk and control matters at the appropriate level of the company and by the appropriate mix of executives."</span></p><p>This step reflects a strong commitment to risk management that the bank report says will be guided by four core principles: long-term relationship focus, accountability, risk philosophy, and an environment of inclusiveness and candor.</p><p>That philosophy is applied to Wells Fargo's use of its internal audit division. It described Wells Fargo Audit Services as "delivering independent and objective internal audit services such as assessments and credible challenge regarding the company's governance, risk management, and controls." It is significant that the description includes the words "credible challenge."</p><p>This concept has been part of bank regulation for several years, but it typically is applied to boards of directors, who are expected to challenge management actions, decisions, and recommendations. It is encouraging that internal audit at Wells Fargo is tasked with that same job. In addition to conducting tests and providing assessment and assurance of the bank's risk management, governance, and control structure, internal audit is tasked with proactively advising management on "risks, management practices, and controls in the design and implementation of new business products, service, and processes; systems development; operational changes; and strategic initiatives." 
</p><p>Other details of internal audit's operations — including explicitly requiring adherence to The IIA's <em>International Standards for the Professional Practice of Internal Auditing</em> and Code of Ethics — describe a textbook example of an empowered and respected component of Wells Fargo's risk management team. At least on paper, it appears that internal audit is invited, indeed expected, to act as a trusted advisor to the board and management.</p><p>Of course, only time will tell whether Wells Fargo's actions will remain true to its written policies, but there are signs the bank is committed to the changes. <em>The Wall Street Journal</em> reports the bank has increased its audit staff size by about a third to 1,350 employees over the past two years. The bank also added more experienced directors to its board-level risk committee.</p><p>I am convinced that the changes undertaken by Wells Fargo — if embraced by management and nurtured by the board — will strengthen the organization and improve its risk management, governance, and control. If this happens, it may ultimately serve as a model for others to emulate.</p><p>As always, I look forward to your comments.</p><p>Richard Chambers</p>
<h2>Creating a Better Society</h2><p><a href="https://iaonline.theiia.org/2018/Pages/Creating-a-Better-Society.aspx">https://iaonline.theiia.org/2018/Pages/Creating-a-Better-Society.aspx</a></p><p>The U.K. government’s recent launch of its Civil Society Strategy recognizes the social responsibility government and internal auditors have for creating the society we want to live in. Civil society in the U.K. today is not just about the well-being of the nation and everyone who lives there — it reflects the contributions we all make through our values to well-being in other civil societies across the globe. Those values are internal auditors’ greatest asset and resource. They also are what internal auditing is based on and should be all about.</p><p>The strategy’s aims are fourfold: Support people to play an active role in building a stronger society, unlock the full potential of the private and public sectors to support social good, help improve communities to make them better places to live and work in, and build stronger public services. I can think of no internal audit plan or program in any organization or sector that these aims and their achievement could not improve in terms of objectives, risk planning, engagement, results, findings, and follow-up. </p><p>Internal auditors all have a responsibility to make social auditing happen. Recent ventures into auditing culture and a new appreciation for culture’s role in establishing effective governance practices have touched on the importance of organizational stewardship and stakeholder engagement. Culture is not just about an organization’s values and how it performs. It also is about how the organization impacts the civil societies in which it operates. </p><p>Many institutional investors have signed on to the United Nations Principles of Responsible Investment with an environmental, social, and governance (ESG) duty: “To act in the best long-term interests of our beneficiaries. 
In this fiduciary role, we believe that [ESG] issues can affect the performance of investment portfolios.” ESG as a performance measure will continue to grow in importance for governments, investors, and organizations. It should also do so for all internal auditors in every country.</p><p>Good governance embraces environmental and social responsibilities in many ways. Achievement of the U.N. Sustainable Development Goals by its target of 2030 is just one aspect of this process. Today’s responses by organizations to the development and growth of integrated and strategic reporting will have a strong influence on the future of environmental and social responsibility declarations by organizations and the assurances they give and require. Internal auditors will always have a part to play to make this happen in their own organizations, across all sectors. The U.K.’s Chartered Institute of Internal Auditors has links into voluntary networks of internal auditors working in the charity, social housing, and higher education sectors. Their messages and progress are an excellent example of how professional internal auditing is already enhancing well-being in the U.K. and across the globe. </p><p><em>A version of this article first appeared on </em>Audit & Risk<em> magazine’s website, </em><a href="http://www.auditandrisk.org.uk/" rel="nofollow"><em>www.auditandrisk.org.uk</em></a><em>. Reproduced with permission.</em></p><p>Jeffrey Ridley</p>
<h2>A New Age of IT Governance Risk</h2><p><a href="https://iaonline.theiia.org/2018/Pages/A-New-Age-of-IT-Governance-Risk.aspx">https://iaonline.theiia.org/2018/Pages/A-New-Age-of-IT-Governance-Risk.aspx</a></p><p>Effective governance of IT is critical to organizational success and can transform an organization. While IT-enabled transformation can bring many rewards, poor governance of those projects can cause disruption and unintended consequences. </p><p>As an organization evaluates different technology investments, management must ensure the technology is aligned and delivered in accordance with the organization’s strategies and objectives. Internal auditors can help by providing independent assurance on the appropriateness and effectiveness of the governance structure. </p><h2>Technology’s Challenge</h2><p>IT departments manage the technology supporting business applications, disaster recovery, cloud services, and other mission-critical functions. In many organizations, the IT infrastructure is the foundation for business operations. Yet, new technology often creates new risks ranging from specific control weaknesses to potentially enterprisewide disruptions. Helping the organization assess and address these risks is an opportunity for internal auditors to add value. </p><p>According to Standard 2110-A2 of the <em>International Standards for the Professional Practice of Internal Auditing</em>, internal audit must assess whether IT governance supports the organization’s strategies and objectives. Consequently, the challenge for internal auditors is to help assess numerous risks associated with governance of enterprise IT. </p><h2>Frameworks</h2><p>Audit programs will be more useful if they differentiate governance risks from risks related to the management of enterprise IT. Internal auditors can leverage a variety of frameworks to develop high-quality, tailored audit programs for IT governance. 
</p><p>Governance frameworks include The Committee of Sponsoring Organizations of the Treadway Commission’s <em>Internal Control–Integrated Framework</em>, ISACA’s COBIT, and the Balanced Scorecard Institute’s Balanced Scorecard. Organizations also can use management frameworks such as ITIL, the U.S. National Institute of Standards and Technology’s Cybersecurity Framework, and the International Organization for Standardization’s ISO/IEC 27001: Information Security Management, ISO/IEC 38500: Information Technology — Governance of IT, and ISO 9000: Quality Management. These frameworks explain risks, controls, and other details that can reduce the time required to develop an audit program. </p><h2>Audit Planning</h2><p>Internal auditors should become familiar with each of the governance frameworks so they can scope the audit engagement to focus on the appropriate risks. Audit programs should identify the impact of IT risk on the organization as well as the potential for compliance failure. During the risk assessment, auditors can determine the current state of risk management practices, assess design gaps, identify improvement opportunities, and recommend actions. They should consider several areas in their audit program. </p><p><strong>Strategic Alignment</strong> IT strategic alignment continues to be a top priority for most organizations, and aligning technology with business strategies can be challenging for management. One of the key governance controls auditors can review is the process and methodology for justifying and prioritizing IT investments. Auditors can verify that the organization has a formal and periodic process for identifying business needs. Audit procedures also should validate that the IT budget cycle is part of the business operations budgeting process. Additionally, auditors can validate corporate objectives and strategic goal alignment by reviewing the decision rights and accountability framework documentation. 
</p><p><strong>Roles and Responsibilities</strong> IT executives need to collaborate with business-unit executives to ensure technology helps shape business strategy. Without clearly defined roles and responsibilities for IT management, the organization risks misalignment between IT and enterprise operations. To identify the links between business and IT plans, internal auditors can evaluate the strategic plan for IT-enabled initiatives, policies, presentations to the board that highlight the outcomes of a successful implementation, and third-party agreements. Additionally, auditors should verify IT’s involvement and responsibilities in the sourcing process. Appropriate involvement by IT can ensure new technology fits the organization’s current environment. Auditors, IT, and the information security group also can collaborate to evaluate compliance requirements. </p><p><strong>Organizational Structure</strong> To enable better governance, the chief information officer should be part of an executive or senior management team and an active participant in setting business-unit-level strategy and goals. With the pace of change in today’s business environment, the IT organization must be agile and responsive, so auditors should review metrics associated with the length of projects as well as service satisfaction. </p><p>Auditors should try to identify unauthorized IT projects by business units — known as shadow IT — by reviewing technology acquisition processes, purchasing authority, application inventory, and sourcing processes. They should work with the IT support function to evaluate internet traffic to external sites, which may identify unauthorized subscriptions to software-as-a-service applications. Based on a sample, auditors can review IT’s level of participation on the organization’s steering committees and internal advisory boards. 
</p><p><strong>Risk Management</strong> Auditors should evaluate whether IT risks are included in the enterprise risk management program. Auditors also can review internal processes that identify, communicate, and manage IT risks. Change control is a significant risk in this area, so auditors should review risk management activities such as communications planning, change management, and committee oversight. If the organization has a security operations center, auditors should assess how it manages the IT environment and responds to incidents. </p><p><strong>Project Management</strong> Organizations should have a project management office to provide governance to prioritize IT projects according to business need. Auditors should review program and project management methodology and ensure the organization complies with internal processes to request, evaluate, and approve IT projects. They should examine a sample of completed projects to determine whether those initiatives realized stated benefits. Moreover, auditors should review the process for evaluating and prioritizing projects at the business-unit and enterprisewide levels. Additionally, auditors should understand and review key performance metrics, such as planned vs. actual expenses and the requirements backlog. </p><p><strong>Management Activities</strong> Without an appropriate focus on technology, organizations could mismanage critical IT resources such as the application environment, data, infrastructure, and people. Auditors should evaluate IT’s involvement in key projects, the demand forecasting process, and resource management practices. IT’s involvement and assessment before engaging software providers and consultants will help mitigate the implementation risks associated with large projects. Robust demand and resource management practices can provide the bottom-up approach to gain insights into business requirements, alignment, and priorities. 
By understanding IT resource commitments, internal audit can assess the organization’s ability to deliver on key initiatives. </p><h2>Identifying Key Risks</h2><p>Every organization’s risk profile is unique and depends on the organization’s culture, structure, and mission. Governance and management teams should identify and prioritize key risks for mitigation and formalize risk acceptance. Organizations should leverage internal audit’s knowledge of the business’s environment, IT investments, and internal processes. </p><p>Ashok (Ash) Kannan</p>
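<p>The Organizational Structure section above recommends reviewing internet traffic to external sites against the application inventory to surface shadow IT. The following is an added example, not code from the article or from The IIA, showing one way to do that review over a web-proxy export. Every domain, user name, proxy category and inventory entry is constructed for the example, and the log format (timestamp, user, destination host, proxy category) is an assumption.</p>

```python
"""Added example (not from the article): surface possible shadow-IT SaaS use by
comparing constructed web-proxy log lines against a constructed approved
application inventory. Domains, users, categories and the log format are
all assumptions made for this example."""
from collections import defaultdict

# Constructed inventory of sanctioned SaaS hosts (assumption).
APPROVED_SAAS = {"mail.example-suite.com", "crm.example-crm.com", "example-erp.net"}

# Proxy categories that usually indicate a subscription service (assumption).
SAAS_CATEGORIES = {"saas", "file-sharing", "webmail"}

# Constructed proxy export: "<timestamp> <user> <destination host> <category>".
PROXY_LOG = """\
2024-03-04T08:03:11 arivera mail.example-suite.com webmail
2024-03-04T08:05:40 bchen app.unapproved-notes.io saas
2024-03-04T08:06:02 arivera crm.example-crm.com saas
2024-03-04T09:15:27 cokafor app.unapproved-notes.io saas
2024-03-04T09:40:00 bchen files.unapproved-share.com file-sharing
2024-03-04T10:02:13 dlee api.example-erp.net saas
2024-03-04T10:30:55 elopez news.example-media.org news
2024-03-04T11:11:11 cokafor app.unapproved-notes.io saas
"""


def registrable_domain(host):
    """Crude registrable domain: the last two labels of the host name.
    A production version should use the public-suffix list instead."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_approved(host, approved=APPROVED_SAAS):
    """A host is approved if it, or its registrable domain, is in the inventory.
    Matching on the registrable domain (not on a string suffix) keeps a host such
    as example-erp.net.unapproved-share.com from passing as approved."""
    host = host.lower()
    approved_domains = {registrable_domain(a) for a in approved}
    return host in approved or registrable_domain(host) in approved_domains


def find_shadow_saas(log_text, approved=APPROVED_SAAS, categories=SAAS_CATEGORIES):
    """Return {host: set(users)} for SaaS-like destinations absent from the
    inventory, so each finding can be sized by how many people depend on it."""
    users_by_host = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, host, category = line.split()
        if category not in categories or is_approved(host, approved):
            continue
        users_by_host[host].add(user)
    return dict(users_by_host)


def rank_findings(findings):
    """Order findings by distinct-user count, highest first, then by host."""
    return sorted(findings.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for host, users in rank_findings(find_shadow_saas(PROXY_LOG)):
        print(f"{host}: {len(users)} user(s): {sorted(users)}")
```

<p>Ranking by distinct users rather than by request count matters for the audit conclusion: one user on an unapproved service is a policy exception, while a whole team on it is evidence that the approved inventory no longer reflects how the business works, which is the governance finding the article is after.</p>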
<h2>Will The IIA Redraw the Lines of Defense?</h2><p><a href="https://iaonline.theiia.org/blogs/chambers/2018/Pages/Will-The-IIA-Redraw-the-Lines-of-Defense.aspx">https://iaonline.theiia.org/blogs/chambers/2018/Pages/Will-The-IIA-Redraw-the-Lines-of-Defense.aspx</a></p><p>Good governance is part art, part science, and probably a bit of luck and magic. But the payoff when it is achieved is an organization that consistently achieves goals, serves stakeholder interests, supports long-term value creation, and nurtures a healthy culture. </p><p>The problem is that there can be no one-size-fits-all approach. Each organization faces unique risks, challenges, and opportunities that add variability to the struggle. But finding the right combination of rules, practices, controls, structures, and processes that support good governance is worth the effort. Not surprisingly, many tools and models have been developed over the years to explain or promote best practices that position organizations to succeed.</p><p>One model that has gained widespread acceptance and popularity is the Three Lines of Defense. Over more than two decades, myriad organizations have embraced the model, attracted by its simplicity in describing risk-management and control responsibilities in three separate "lines" — one that owns and manages risks (first line), one that supports risk management (second line), and one that provides independent audit assurance and insight (third line).</p><p>Many believe that The IIA invented the Three Lines of Defense model. While the precise origins of the model are subject to debate, The IIA did not originate it. In 2013, The IIA did publish a position paper in support of the model, in part because of its strong recognition of internal audit's vital third-line role as an independent assurance provider. 
</p><p>However, in recent years, critics have charged that the model's fixed "lines" make it too inflexible for today's dynamic governance challenges and that its focus on defense limits its effectiveness. Today's complex risk landscapes continually evolve, and rapid advances in technology offer both disruptions and opportunities. What's more, as organizations have developed new approaches to address risks, the "lines" have become less distinct, with first-, second-, and third-line responsibilities often overlapping.</p><p>In addition to concerns about the blurring of the lines of defense, others have noted that the Three Lines of Defense model is all about "protecting value," and doesn't really address the importance of value enhancement. The IIA's new strategic plan stresses that internal audit "be recognized as critical to enhancing and protecting organizational value." For this to happen, internal audit must be portrayed as more than just a third line of protecting value. </p><p>The time has come to take a new look at the Three Lines of Defense and give this trusted instrument a 21<sup>st</sup> century makeover. Buoyed by the support of governance experts in the public and private sectors, academia, regulators, and representatives of the Big Four accounting firms, The IIA has embarked on a project to refresh the model.</p><p>As IIA Chairman of the Board Naohiro Mouri said in the <a href="https://na.theiia.org/news/Pages/IIA-Launches-Global-Review-of-Three-Lines-of-Defense.aspx">press release announcing the ambitious project</a>:</p><p><span class="ms-rteStyle-BQ">"Our aim is not to replace Three Lines of Defense or invent a new model, but to ensure it can accommodate the nuances and dynamics we see across different organizations, so that they may leverage and learn from each other more effectively and strategically.</span></p><p><span class="ms-rteStyle-BQ">"We also must embrace the concept that risk goes beyond defense. 
Uncertainty creates risks and it creates opportunities. Consideration must be given to both sides in decision making and planning at all levels. Organizations must decide the most appropriate way to allocate and structure resources and responsibilities within their organizations, using the Three Lines of Defense to their advantage."</span></p><p>This yearlong project is headed by a core working group of governance experts who will tap into the vast experiences of an additional 30-member advisory group. The project includes a comprehensive review of governance approaches from around the world, and it will seek out and incorporate public comments through a formal exposure process. Ultimately, the project will result in a new IIA position paper on the subject, expected in the second half of 2019.</p><p>From the outset, The IIA's objective has been to explore how best to update the Three Lines of Defense model to reflect the changes in modern risk management and governance, while at the same time preserving its straightforward and clear approach. In keeping with its original intent, the refresh will focus on roles, not organizational structures. In response to critiques, the aim is to make the model more flexible, suitable to all sectors, and responsive to both the challenges and opportunities that risks offer. Like many of you, I eagerly await the result of the work from what is a world-class group of governance experts and a thorough and inclusive process.</p><p>My intent in sharing news of The IIA's Three Lines of Defense initiative is to inform you about this important project and to build momentum for a lively and productive consideration of the exposure draft, which is anticipated early next year.</p><p>The original model has served many organizations well for many years. My sincere hope is that the refreshed version will do so, as well.</p><p>Richard Chambers</p>
<h2>Doing the Right Thing</h2><p><a href="https://iaonline.theiia.org/2018/Pages/Doing-the-Right-Thing.aspx">https://iaonline.theiia.org/2018/Pages/Doing-the-Right-Thing.aspx</a></p><h2>In light of recent, well-publicized corporate culture failings, what are boards doing to address culture?</h2><p><strong>Christensen</strong> We definitely see the concept of culture gaining traction in the boardroom. More than ever, directors are acutely aware that culture plays a role in delivering outcomes — both good and bad — for the companies they serve. Because culture can break down anywhere in the company, it is important for directors to experience firsthand the real-world culture in the organization, rather than rely solely on boardroom discussions and management reports. One way to accomplish this is by engaging directly with operating personnel through site visits. Directors also should insist on observations regarding culture from the chief risk officer, chief compliance officer, chief information security officer, and human resources and environment, health, and safety personnel, as well as other independent second line-of-defense functions. Boards also expect internal audit to weigh in as the third-line assurance provider.</p><p><strong>Keele</strong> Boards are asking more directed questions: What is the risk of this happening in our company? What steps have we taken to prevent/detect this type of misconduct? Do we apply our processes consistently? How does the organization respond to a finding of inappropriate or unethical behavior — is everyone held accountable, or are certain individuals given a pass? Do we have a crisis management plan to respond to an event? Boards also should be consistently asking the broader questions that get at the current state of the organization’s culture: Are expectations for what constitutes unacceptable behavior clear and understood? Is the workplace safe and respectful? Do individuals feel they can speak up without retaliation, expect they will be heard, and have their concerns investigated? 
</p><h2>What do boards need to understand about their role in overseeing culture?</h2><p><strong>Keele</strong> Most boards now understand that culture is important, but determining what to do about it is another matter. Like management, boards are not entirely sure how to confirm whether the culture they want is the culture they have. Because measuring and overseeing culture isn’t easy, there is a risk of defaulting to seemingly simple, check-the-box solutions. Further, there is a risk of over-relying on hard controls — policies, training, and systems that only provide a partial view of risk management. Understanding the drivers of conduct — soft controls — and whether the “walk” matches the “talk” is fundamental to understanding culture and risk.</p><p>Boards also should guard against focusing on today’s expectations, without considering how they may differ tomorrow. Technological, social, economic, regulatory, and political changes are occurring faster than ever. How do organizations evolve quickly, focus on both the spirit and the letter of the law, and anticipate change to enhance resiliency, grow, and build trust with stakeholders? </p><p><strong>Christensen</strong> Culture is a vital enterprise asset that must be cultivated, nurtured, and maintained. Directors need to be curious enough to probe on culture issues. First and foremost, the board must want to know whether there are any concerns pertaining to culture warranting its attention. Board members must address two fundamental questions: How do we know what we need to know regarding culture? Is our understanding representative of the entire organization or just certain areas? 
No director wants to be on a board that ends up asking itself: How did this happen and why didn’t we know?</p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>Cultural Misalignment</strong></p><p>Christensen and Keele say these red flags may indicate that the tone in the middle isn’t aligned with the tone at the top. </p><ul><li>Nobody is talking about culture.</li><li>Controversial deals and encouragement of risk taking to hit short-term targets.</li><li>Complex and unclear legal and reporting structures that obscure transparency. </li><li>Poorly executed takeovers that allow pockets of bad behavior to thrive.</li><li>Lack of financial discipline.</li><li>Employees constantly fear being fired.</li><li>Employees execute projects without a clear vision from company leaders.</li><li>Lack of knowledge sharing among employees.</li><li>A focus on blame or covering for each other rather than fixing the problem.</li><li>A perceived disconnect between words and action. </li><li>A focus on the letter rather than the spirit of the law and regulations.</li><li>Risk management and controls are regarded as an inconvenience. </li><li>Lack of prompt follow through on commitments.</li><li>Failure to escalate identified issues and active concealment of problems.</li><li>Dress rehearsals for leadership visits that are focused on appearance.</li></ul></td></tr></tbody></table><h2>What can internal audit do to inform the board about the organization’s culture?</h2><p><strong>Christensen</strong> Internal audit, the third line of defense, is well-positioned to perform a culture audit, evaluating the processes used across the entity by first- and second-line personnel to assess culture. 
Ironically, it is internal audit — the objective eye of the organization — that is uniquely qualified to bring “a systematic, disciplined approach” to a potentially subjective process like measuring culture. Internal auditors should “connect the dots,” considering the findings and gratuitous observations from multiple audits to ascertain whether any meaningful patterns exist. With everyone having a stake in evaluating the enterprise’s culture, the board should be privy to the results of all evaluations — particularly from independent second-line functions and internal audit. </p><p> <strong>Keele</strong> Internal auditors can play a critical role in understanding and enhancing culture. Internal audit can act as “the eyes and ears” of the organization, helping the board deepen its understanding of culture to better fulfill its culture oversight responsibilities. Evaluating and evolving audit skills and capabilities, initiating and promoting dialogue within the organization, garnering organizational permissions and support, and understanding the organization’s culture expectations, initiatives, and current state are important first steps for establishing internal audit’s role in culture.</p><h2>What tools and techniques should internal audit use to audit culture?</h2><p> <strong>Keele</strong> The tools and techniques used in traditional audits also are relevant to culture audits — interviews, data review and analysis, and walk-throughs. Also, the use of surveys, facilitated workshops, focus groups, and advanced analytical techniques like sentiment analysis can be extremely valuable, deepening the understanding of employee experiences and perceptions. Internal audit should think expansively about data that exists within and outside the organization to support improved risk assessment and audit execution. Procedures should be tailored based on the organization’s culture maturity and appetite for improvement, and internal audit’s capability and ambition. 
</p><p><strong>Christensen</strong> Survey results can validate themes from stakeholder interactions to gauge consistency of views regarding the company’s culture. Relevant data metrics should supplement insights from surveys and direct interactions with stakeholders. These include risk metrics, conduct-related compliance data, issue escalation and resolution data, human resources data and reports, whistleblower reports, turnover data, ethics hotline reports, unstructured social media data, and employee demographic data. These and other metrics should be used as supplements to performance measures linked to the strategy to drive the type of organizational culture that management and the board would like stakeholders to experience when they interact with it. </p><p>Staff</p>
<h2>Don't Overlook Physical Access</h2><p><a href="https://iaonline.theiia.org/2018/Pages/Don't-Overlook-Physical-Access.aspx">https://iaonline.theiia.org/2018/Pages/Don't-Overlook-Physical-Access.aspx</a></p><p>In the digital age, security risks have become a rising concern for boards, management, and chief audit executives. They have responded to technology advances and growing cyber threats by focusing on controlling access to data, networks, and systems — known as logical security. That focus on logical security often comes at the expense of attention to physical security around buildings, facilities, equipment, and other areas. </p><p>Physical and logical access are closely intertwined and combine to provide a higher level of security throughout the organization. Both types of access control are key to risk mitigation efforts to protect systems and data. Moreover, physical access can have a great impact on the effectiveness of logical access controls. Internal auditors need to focus on the basics and include physical access in their audit plans to ensure that the organization is protected adequately.</p><h2>What’s at Risk?</h2><p>Physical security is one of the most critical components of the overall security landscape. Weak physical security controls expose organizations to greater risk of failure of other controls. Recent incidents have shown that even with the strongest controls around logical security and intrusion detection, organizations continue to be exposed to the risk of unauthorized access in the absence of strong physical access controls.</p><p>Physical security risks are unique to each organization and depend on the size, geographical spread, and type of assets that need to be protected. Internal auditors often consider enterprise systems and data to be the primary assets that are vulnerable to physical security risks. That list must be expanded to include property, office buildings, warehouses, utility rooms, machinery, equipment, and vehicles as well as employees, contractors, and visitors. 
</p><p>The broader risks resulting from the lack of effective physical access controls include inappropriate and unauthorized access to information, theft, vandalism, inappropriate actions by rogue employees or angry customers, accidents, and terrorism. While important for every organization, the consequences when physical security controls are compromised may be greater for data centers, defense-related organizations, educational institutions, hotels, hospitals, and retail businesses.</p><h2>The Audit Plan</h2><p>Including physical security audits in the annual audit plan can help ensure the organization is taking a more structured approach to mitigating security risks. Auditors also should provide assurance that management has performed a physical security threat assessment. Physical security audits should cover several areas.</p><p><strong>Governance and Oversight</strong> Auditors should start by evaluating policies and procedures, oversight, risk assessments, training, and other processes that are in place to facilitate strong physical controls. Effective governance typically indicates a solid foundation for oversight and controls. <br></p><p>Ownership and accountability for physical access can sometimes be murky. The roles and responsibilities of security personnel, property management, data management, and IT overlap and are interrelated. Generally, the IT team supports and helps manage the identity and access management program for logical access, while a different business unit, often facilities or corporate security, is responsible for badging and physical access. When the two are not linked, an employee removed from one system is not necessarily removed from the other. The effectiveness of physical access controls therefore depends on collaboration among all the affected groups.</p><p><strong>Physical Access Control Layers</strong> The first step in protecting against physical access threats is developing the ability to keep unauthorized individuals off the organization’s property. 
In assessing physical access controls, internal auditors should test the effectiveness of perimeter barriers such as fences, walls, or gates; protective lighting; alarm systems; communications systems; vehicle identification and control systems; and guard systems. As auditors move beyond perimeter considerations to review specific buildings, they should test other key controls such as security alarm systems, cameras, motion detectors, turnstiles, door locks, and badging systems. </p><p>Despite the most sophisticated personnel identification and control processes, piggybacking (also called tailgating) is still a huge concern. Piggybacking refers to an unauthorized person following behind an authorized person to gain entry into a restricted area or past a checkpoint. Internal auditors must ensure that the organization is taking enough measures to restrict access by unauthorized individuals until their identity is confirmed by on-site security personnel. Auditors can review training and communication about piggybacking and even observe entry points during busy arrival times.</p><p>Within each building, internal auditors should inspect elevator and stairwell access, as well as evaluate whether individual office and conference room doors have appropriate locking mechanisms. Rooms that contain valuable or sensitive information and other assets should be adequately protected to prevent access by unauthorized personnel.</p><p>Internal auditors should evaluate these multiple layers of controls carefully to ensure they are strong enough from both preventive and detective aspects. All these systems should be integrated with each other. For example, many organizations link the badge system to the corporate directory service (such as Microsoft Active Directory) so that a badge is validated in real time against the same identity record used for logical access; when an account is disabled in the directory, the badge stops working at the same time. Auditors should confirm that this link exists and test it, for instance by checking whether recently terminated employees still hold active badges.</p><p><strong>Monitoring</strong> Internal auditors should assess whether the organization has effective monitoring controls in place to review the logs created from the various monitoring systems. 
Timely review of this information helps ensure that the organization investigates and remedies all relevant incidents promptly. In case of a breach, the facilities, IT, information security, human resources, and legal teams must collaborate as a formal committee to discuss the incidents, analyze the root cause from investigations, and take remedial action. Internal auditors can review minutes from these committee meetings to evaluate their content and the effectiveness of the remedies.<br></p><h2>Internal Audit’s Next Steps</h2><p>Going forward, internal audit should integrate physical security into the department’s risk assessment process to ensure it gets adequate overall coverage in the annual audit plan. It is important for auditors to evaluate whether the current plan integrates physical security audit steps into relevant audit programs. </p><p>As they develop the audit plan and perform the risk assessment, auditors should schedule meetings with facility and security personnel to learn about past incidents and get a sense of the risk exposures in this area. From there, they should meet with the relevant stakeholders to discuss the current logical controls and determine how much the logical and other controls depend on physical controls. By following these steps and recommending effective physical security controls, internal auditors also can help strengthen the organization’s overall security profile.  ​</p>Manoj Satnaliwala
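The article's two technical points, that the badge system should be tied to the directory service and that monitoring logs should actually be reviewed, can both be tested with a small reconciliation of exported records. The following is an added example written for this page, not the author's own procedure or a vendor tool. It assumes three exports: a directory listing with an enabled flag, a badge-system cardholder list, and raw badge-read and workstation-logon events; the field names and all sample rows are constructed for illustration, and real exports will need a short mapping step.

```python
"""Audit checks over physical access (badge) data and directory/logon data.

Added example, not from the original article. Field names are assumptions;
all records below are constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed directory export: 'enabled' is the logical-access status.
DIRECTORY = [
    {"user": "alice", "enabled": True},
    {"user": "bob", "enabled": False},   # terminated; account disabled
    {"user": "carol", "enabled": True},
]

# Constructed badge-system cardholder export.
BADGES = [
    {"badge_id": "B1001", "user": "alice", "active": True},
    {"badge_id": "B1002", "user": "bob", "active": True},    # badge never deactivated
    {"badge_id": "B1003", "user": "carol", "active": True},
    {"badge_id": "B1004", "user": "dave", "active": True},   # no directory account at all
]

# Constructed badge reads: (timestamp, badge_id, user, door, result).
BADGE_EVENTS = [
    ("2019-03-04T08:02:00", "B1001", "alice", "LOBBY-1", "granted"),
    ("2019-03-04T08:05:00", "B1002", "bob", "LOBBY-1", "granted"),   # stale badge used
    ("2019-03-04T08:40:00", "B1003", "carol", "LOBBY-1", "denied"),  # denied read, no entry
]

# Constructed interactive logons: (timestamp, user, host, site of the host).
LOGON_EVENTS = [
    ("2019-03-04T08:15:00", "alice", "WS-ALICE", "HQ"),
    ("2019-03-04T08:50:00", "carol", "WS-CAROL", "HQ"),        # on site, no badge-in
    ("2019-03-04T09:10:00", "carol", "LAPTOP-CAROL", "REMOTE"),  # remote, not checked
]


def _ts(s):
    return datetime.fromisoformat(s)


def stale_badges(directory, badges):
    """Active badges whose holder has no enabled directory account.

    Any hit means the directory/badge integration the article describes is
    missing or failed for that person (leaver, contractor, unknown holder).
    """
    enabled = {d["user"] for d in directory if d["enabled"]}
    return sorted(b["badge_id"] for b in badges
                  if b["active"] and b["user"] not in enabled)


def granted_reads_on_stale_badges(directory, badges, badge_events):
    """Successful door entries made with a stale badge: the control gap was exercised."""
    stale = set(stale_badges(directory, badges))
    return [(ts, badge, user, door)
            for ts, badge, user, door, result in badge_events
            if result == "granted" and badge in stale]


def logons_without_badge_in(badge_events, logon_events,
                            onsite_sites=("HQ",), window=timedelta(hours=12)):
    """On-site workstation logons with no granted badge read for that user
    within `window` before the logon.

    A hit suggests tailgating, a shared badge, or a door that was propped open,
    and is the kind of correlation a monitoring review should surface.
    """
    granted = {}
    for ts, _badge, user, _door, result in badge_events:
        if result == "granted":
            granted.setdefault(user, []).append(_ts(ts))

    flagged = []
    for ts, user, host, site in logon_events:
        if site not in onsite_sites:
            continue  # remote logons have no badge-in to correlate with
        t = _ts(ts)
        if not any(t - window <= g <= t for g in granted.get(user, [])):
            flagged.append((ts, user, host))
    return flagged


if __name__ == "__main__":
    print("stale badges:", stale_badges(DIRECTORY, BADGES))
    print("entries on stale badges:",
          granted_reads_on_stale_badges(DIRECTORY, BADGES, BADGE_EVENTS))
    print("on-site logons without badge-in:",
          logons_without_badge_in(BADGE_EVENTS, LOGON_EVENTS))
```

On the sample data the first check reports badges B1002 and B1004, the second shows that B1002 was actually used to enter the lobby, and the third flags carol's on-site logon with no granted badge read that morning. In a real engagement the denied-read for carol followed by an on-site logon is exactly the event pair worth pulling camera footage for.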