# Risk and Compliance



## The Idea of a Unified Risk Oversight Council

https://iaonline.theiia.org/blogs/marks/2017/Pages/The-idea-of-a-Unified-Risk-Oversight-Council.aspx

[A report by the Security Executive Council](https://www.securityexecutivecouncil.com/spotlight/?sid=30603) (a firm that "specializes in corporate security risk mitigation solutions") makes interesting reading.

For example, it says the following:

> We find, that despite best intentions, enterprise-wide risk management often fails. [British Petroleum's Deepwater Horizon catastrophe](https://erm.ncsu.edu/library/article/bp-risk-management) is one of many examples. All-hazards risk mitigation assurance requires that we get beyond one-dimensional, compliance-only, enterprise risk "list" management.

It is interesting that rather than talking about risk management or ERM, they talk about "all hazards risk mitigation assurance." Hold that thought for a moment.

I like the reference (I believe the phrase was created by Jim DeLoach) to "list management." I join Jim and the Council in calling that practice out as ineffective, although it creates the *illusion* of risk management.

The report continues with:

> Programs that work are multi-dimensional, operationally integrated and relevantly informed by cross-functional subject matter expertise. They include:
>
> · 24 x 7 x 365 situational risk awareness communications.
> · Continuous risk/threat/vulnerability assessments.
> · Mitigation design, performance testing, and innovation pilots.
> · Persistent all-hazards risk monitoring, anomaly detection and response assurance.
> · Critical event management; including near-miss after-action queries with objective targeted performance improvement.
> · Engaged leadership governance.
> · Ongoing prevention/mitigation systems hygiene.
> · Understood roles and responsibilities including compliance-plus brand reputation Duty of Care dependencies.

All the items surely belong, but an effective program needs more.

This is focused on harms (or hazards) and not on what might happen that could affect the achievement of our objectives.

As such, it remains incomplete and unlikely to be effective in helping the organization succeed.

An important part of the report talks about why ERM often fails:

> A review of the literature reveals enterprise risk management has shortfalls in the 5 following areas:
>
> 1. Organizations adopt frameworks or processes that are siloed, regulatory-focused, and overly prescriptive; often self-focused with insufficient attention on emerging hazards.
> 2. Risk inventories are often "personal-opinion" management polls that are infrequently supported by research, or weighted subject matter expert opinion or proven practices.
> 3. Plans speak to, but seldom assure integrated cross-functional prevention, protection, mitigation planning, funding, testing, or performance inside and outside the organization.
> 4. Compliance requirements are often less rigorous than intended and do not sufficiently educate, incent, or protect anomaly reporters and whistleblowers.
> 5. Leadership governance is largely in name only, part-time and seldom involved in cross-functional resilience operational dependency planning, testing and performance oversight.

Note the reference to "siloed" risk management functions.

I believe, based on what I read here, that the Council's recommendations are putting corporate security's risk activities in yet another silo.

That's not to say that the corporate security function shouldn't have a program to address the risks in their area of responsibility. But they should be integrated with the management of other risks.

For example, the potential for thieves to break into a warehouse should be aggregated with risks such as the potential for failing to comply with employee safety regulations or waste water disposal rules when considering a decision to establish a new building to house valuable metals.

In addition, the authors are focused on hazards and not on results, or what can influence results.

They also seem to see operational risk management (ORM) and enterprise risk management (ERM) as separate and distinct. If that is their experience, no wonder risk management is failing! The whole point of ERM, as I see it, is to bring an enterprisewide view to all risks, everything that might happen and influence the achievement of objectives.

Only when all related risks are considered can the best decision be made.

However, I think their concept of a risk oversight council and their list of benefits is on the right track. To quote:

> · It enables persistent Unified Risk Oversight governance. Subject matter expert business leaders and section chiefs may now cross-functionally evaluate, prioritize and resource mitigation options for both emerging and residual threats.
> · Many senior management leaders recognize that the expanding organizational strategy faces persistent and evolving external and internal risk factors that require collaborative, continuous, and nimble processes, including emerging and residual threat vigilance with operational oversight.
> · It is often a course correction for efforts that did not cross-functionally connect enterprise risk management for emerging and fast onset of risks, especially at the operational levels.

When I was chief risk officer, I had an executive risk committee that performed a similar function and more. For example, it:

- Was comprised of direct reports to the CEO.
- Owned the management of risk across the extended enterprise.
- Ensured management participation, resources, and actions as appropriate.
- Approved policies and processes.
- Resolved differences in risk assessment and evaluation.
- Approved reporting to the CEO and the board.
- Monitored the performance of risk management and initiated changes as necessary.

The paper references ISO 31000 but it is interesting that COSO ERM is not mentioned.

They close with 13 questions for "responsible leaders." What do you think of them? Are they useful?

I welcome your comments.

Norman Marks
## The Integration of Governance, Risk, Compliance, and Related Activities

https://iaonline.theiia.org/blogs/marks/2017/Pages/The-integration-of-governance,-risk,-compliance-and-related-activities.aspx

The Open Compliance and Ethics Group (OCEG) has been on the forefront of GRC for a very long time.

Not only do they have a definition of GRC that makes sense and has practical meaning, but they recognize the need for all the functions of the organization to work together if objectives are to be achieved.

- The role of governance in setting objectives, establishing expectations, monitoring performance and adapting as necessary, and ensuring an appropriate culture.
- The consideration of risk (what might happen) in both the setting and execution of strategies.
- Compliance with both laws/regulations and the expectations of society.

This is reflected in their definition of GRC:

> GRC is a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].

In their [2017 GRC Maturity Survey](http://www.oceg.org/resources/grc-maturity-survey-2017/), the author (Michael Rasmussen, a friend for whom I have great personal and professional respect) states:

> In the ideal world there is a natural flow through to GRC. Governance sets objectives and directs and steers the organization setting the context for risk management. Risk management aims to understand and minimize uncertainty in those objectives and reduce exposure to loss while maximizing performance. Compliance assures that the organization operates with integrity to the boundaries established in organization values, policies, regulatory and legal requirements, as well as boundaries set by risk limits and thresholds.
>
> However, within many organizations there are often many GRC functions operating in isolation producing redundancy and gaps while remaining ignorant of the interrelationship of risk across silos. This has a measurable cost to the organization in inefficiency, ineffectiveness, and lack of agility.
>
> Other organizations have mature and structured processes and reporting on GRC that brings together an integrated and orchestrated view of GRC processes and information.

I strongly encourage everybody to become a member of OCEG, which is free for individuals. It is an excellent source of reference materials and thought leadership. (Like Michael, I am an OCEG Fellow.)

The latest OCEG GRC Maturity Survey reports that the great majority of organizations still have functions that operate in silos without the coordination and cooperation necessary to realize and deliver full value to stakeholders.

There is progress, but it is slow.

Organizations need to recognize that when the different parts of the organization operate to their own instead of the collective rhythm of the enterprise, sub-optimal performance is ensured.

This can result not only in the failure to achieve the possible, but falling short of ethical and legal obligations.

The survey results are biased in that the 697 respondents are members of OCEG, primarily risk practitioners (41 percent), internal auditors (31 percent), and compliance personnel (28 percent).

That implies that they are more familiar than the general work population with the problem of silos and the need to manage risk.

Even so, only about a quarter of the respondents from organizations where they have integrated risk management and other activities have confidence that risks can be mapped to their sources or drivers.

A few more believe significant risks have identified owners and are managing those risks effectively.

Let me repeat what I said before:

> Organizations need to recognize that when the different parts of the organization operate to their own instead of the collective rhythm of the enterprise, sub-optimal performance is ensured.
>
> This can result not only in the failure to achieve the possible, but falling short of ethical and legal obligations.

Is this a problem in your organization?

Has it been recognized?

Is anything being done?

Is that enough?

I welcome your comments.

Norman Marks
## Cybersecurity Effectiveness

https://iaonline.theiia.org/blogs/marks/2017/Pages/Cyber-security-effectiveness.aspx

I think it is fair to say that cybersecurity is one of the issues that are top of mind for boards, risk, and audit professionals.

I have written quite a lot about it in previous posts, including:

- [Cyber and Reputation Risk Are Dominoes](https://normanmarks.wordpress.com/2017/02/18/cyber-and-reputation-risk-are-dominoes/).
- [How Much Cyber Risk Should an Organization Take?](https://normanmarks.wordpress.com/2017/01/07/how-much-cyber-risk-should-an-organization-take/)
- [Cyber Root Cause Alarm Bells Are Ringing](/blogs/marks/2017/Pages/Cyber-root-cause-alarm-bells-are-ringing.aspx).
- [An Important Cyberrisk Framework](/blogs/marks/2017/Pages/An-important-cyber-risk-framework.aspx).
- [How Much Cyberrisk Should We Take?](/blogs/marks/2016/Pages/How-much-cyber-risk-should-we-take.aspx)

Now The IIA's Internal Audit Foundation has partnered with Crowe Horwath to publish [The Security Intelligence Center Next Steps: Beyond Response to Anticipation](http://theiia.mkt5790.com/Cybersecurity/).

I recommend it to every IT auditor and CAE.

But, it's not perfect (sorry, IIA).

This is good:

> - As cyberattacks become increasingly commonplace, much of the discussion among security professionals has moved from the desire to avoid and block all intrusions. Instead, there is growing recognition that despite everyone's best efforts to prevent it, there is always a probability that an intrusion will occur. This shift in outlook has extensive implications in terms of cybersecurity operations. Once it is recognized that 100 percent protection 100 percent of the time is not achievable, the cybersecurity emphasis can begin to shift from a defensive posture to a more offensive and proactive one that focuses on learning about how certain threats operate, how their effects can be limited or mitigated, and how the incident response time (from identification to remediation) can be accelerated.
>
> - Organizations that rate higher on the cybersecurity maturity scale are not necessarily spending more dollars overall, but are taking a more predictive approach to cybersecurity intelligence by integrating well-rounded security solutions and avoiding bolt-on products. As they do this, they also help bring the issue of cybersecurity further into the mainstream and make the anticipation and mitigation of attacks a more manageable experience. By following this example, organizations that are less mature in cybersecurity can begin to focus their existing IT security resources and budgets more intelligently as they make the transition to a more mature approach to the overall cybersecurity challenge.

The report has some good reference materials, identifying cyber and information security frameworks and guides.

It focuses on the existence and attributes of security operations centers, which may be of value in assessing what your organization has implemented.

I also like the emphasis on the emerging field of threat intelligence — trying to anticipate attacks and how they may be made.

But when it comes to the involvement of internal audit and some basic first steps, I have a problem.

This is what the report says:

The authors of the report recommended seven key questions for internal audit to ask about cybersecurity preparedness. The questions are:

> 1. Is the organization able to monitor suspicious network intrusion?
> 2. Is the organization able to identify whether an attack is occurring?
> 3. Can the organization isolate the attack and restrict potential damage?
> 4. Is the organization able to know whether confidential data is leaving the organization?
> 5. If an incident does occur, is a written crisis-management plan in place that has been tested and is in line with organizational risk?
> 6. If an incident does occur, does the organization have access to forensic skills to assist with the incident?
> 7. Is the incident team in place, and do they know their roles and responsibilities?

The most critical omission is a business risk assessment. As I have explained in other posts (listed above), it is mandatory in my opinion to understand how the business and the achievement of its objectives would be affected by a breach.

Then there is the omission of any question relating to the adequate resourcing of the cyber team, or the *timely* detection of a breach.

The seven questions are a decent start, but there is more that needs to be done.

I welcome your thoughts.

Norman Marks
## Cyber Root Cause Alarm Bells Are Ringing

https://iaonline.theiia.org/blogs/marks/2017/Pages/Cyber-root-cause-alarm-bells-are-ringing.aspx

[A new study by Tripwire](https://www.tripwire.com/state-of-security/tripwire-news/new-research-highlights-top-cyber-attack-concerns-for-2017/) should be setting off your alarms.

The company surveyed 403 IT security professionals, the people who should know about the true state of information security or cyber at their organization.

**90 percent of organizations lack the _skills_ to address the full range of cyber threats!**

There have been repeated reports that information security experts are in high demand but low supply. This confirms the problem.

**97 percent of organizations lack the _technology_ they need to address the threats!**

If I was on the board and heard this, I would be questioning the executive team hard.

Other surveys indicate that the majority of executives know they have been hacked in the past and expect hackers to be successful in the future.

But do they know the true extent of the problem?

Do they know their defenses are down — and that their people don't have the ability to detect intrusions promptly?

When I took over the internal audit function at a company years ago, I was concerned by what I saw in the information security area.

Rather than audit the defenses, I had my team audit whether the company had the **capability** to build, maintain, and manage the defenses.

Key questions include:

- Do you understand the risk to the business (the consequences) if there is a successful intrusion? How will the objectives of the organization be affected? Can you and have you assessed cyber risk in business terms? How recent is that assessment?
- Are you satisfied and if so why? If not, what are you doing about it?
- Do you have the people to understand (on a continuing basis) and then address cyber risk?
- Do they have the tools? Is that your opinion or theirs?
- Is the voice of information security heard and listened to at senior and board levels?
- Would a reasonable, prudent individual believe the risk to the organization is at an acceptable level, and will continue to be at an acceptable level over the next year?
- How often is an **objective** assessment of information security performed and is it reliable? Are its recommendations acted on?
- Does it still make sense to expect employees to handle cyber risk? Is it better to outsource it, and to what extent should we do that?

I welcome your comments.

Norman Marks
## Reports That Provide Actionable Information

https://iaonline.theiia.org/blogs/marks/2017/Pages/Reports-that-provide-actionable-information.aspx

Stories make it easier, in my experience, to explain a concept. So if you are sitting comfortably, it's storytime (fictional).

A young couple is fast asleep when they feel a tug on the bedsheets.

"Mommy, daddy, my tummy hurts and I don't feel well!" Sob.

"Come here. Let me feel your forehead. Oh, it's quite hot. Darling, get the thermometer. We need to check his temperature."

"Here it is."

"Son, you have a temperature. Where does it hurt?"

"Here," pointing and then doubling up in pain.

They look at each other and decide to take him to the doctor. They don't want to wait until the morning to see their regular doctor so they dress, bundle the boy up, and drive to the hospital.

A doctor is found quickly and checks the boy out. He decides some tests are needed, including (to the child's distress) taking some blood.

The doctor leaves them in the care of a nurse, telling them that he will get the results to them as quickly as possible.

An hour passes. Two hours.

Finally, the nurse appears.

"Here's the doctor's report. I know it's quite long but you can see from the Table of Contents that the Executive Summary starts on page 2."

The father takes the report and starts to leaf through it.

"OK, it has his picture on the cover so we know it's the right report. But, that looks like an old picture. Let's see what's in the Executive Summary.

"His weight is 45 pounds, which the doctor notes is average for his height and age. I guess that's good. His temperature is a few degrees above normal. We already knew that. His white cell count is …"

The father stops talking except to mumble to himself as he reads on. Every so often you hear a muttered "So what?"

Finally, he throws the report down and accosts the nurse.

"Is our boy going to be all right? Why is his fever high and why does he have stomach pain? What can we do to help him?"

There's a huge difference between reporting facts and providing the information your audience needs.

For risk practitioners, can you answer these questions?

- Do you know what decisions your executive team and board are trying to make?
- Do you know what information they need about what might happen, information they could use to make more intelligent and informed decisions?
- Are you helping them be more successful or are you only helping them avoid harm?

For internal auditors:

- Do you know what your executive management team and board are trying to achieve?
- Do you know what they need from you to have assurance that risks to success are being managed at acceptable levels?
- Do you only provide assurance on controls rather than risks to objectives?
- When you assess the adequacy of controls, is it clear what potential effect they may have on specific objectives?

For everybody, do you know what your customer wants from you?

Are you informing him or her what they need to know — will their child (the organization) be OK, what do they need to know about the condition of risk management and internal control, and, what do they need to do about it?

Are you providing ***actionable*** information?

I welcome your comments.

Norman Marks
## Changing of the Guard

https://iaonline.theiia.org/2017/Pages/Changing-of-the-Guard.aspx

### What compliance trends can auditors expect in 2017?

This will be a year of tremendous change that creates volatility and uncertainty in the internal audit profession. Top political appointees at U.S. regulatory agencies will turn over, and there will be marked changes in priorities with the incoming presidential administration. Those changes in priorities will filter down to the enforcement arena. With a new president who is prone to using social media to provoke policy confrontations with corporations and individuals, there is a material risk that companies may face some negative consequences if they become the focal point of President Trump’s attention.

### How can a new presidential administration affect the risks that organizations face?

President Trump was elected on an agenda to tear down the central legislative, regulatory, and executive actions of his predecessor. There will be a number of recent rulemakings rescinded through legislation, a number of in-progress rulemakings halted or significantly modified, and a number of pending court cases over regulations abandoned to better reflect the new president’s priorities and philosophies. It will be critical for internal auditors to stay aware of the state of play for laws and regulations that most affect their organization’s operations on a daily basis.

Staff
## What Is Holding the Company Back?

https://iaonline.theiia.org/blogs/marks/2017/Pages/What-is-holding-the-company-back.aspx

Okay, the risk purists are going to be annoyed with me — again.

We like to focus on potential events or situations that could affect the achievement of objectives.

That's fine.

But they argue that if the event or situation is *certain*, then it's not something covered by risk management. It's no longer a possibility; it's a sure thing.

Hmm.

My thinking is that while it may be *certain* that the event or situation will happen, the *effect* may be *uncertain* [1]. Maybe there's something we can and should do about it to change the potential effect and/or its likelihood.

In an earlier post, [The Real Risks: The Ones Not in the Typical List of Top Risks](https://normanmarks.wordpress.com/2016/12/31/the-real-risks-the-ones-not-in-the-typical-list-of-top-risks/), I included a number of situations (the purists could argue, correctly, that they are *sources of risk* rather than a risk themselves).

Included in the list were:

- Not having sufficient people.
- Lack of teamwork.

Some of the comments I received said that these were very often conditions already in place, so they weren't really risks (or sources of risk).

I have to question whether that matters, even if correct (which I doubt)!

Both of these conditions create the possibility of harm to the organization.

There probably is harm now, but there is a possibility of harm continuing unless the conditions are changed.

Where I am going is this: Let's not get hung up over terminology! Words can get in our way.

Instead, let's focus on:

- What might happen?
- Is that okay?
- What are we going to do about it?

Risk managers should include these conditions as sources of future risk as well as current harm.

Internal auditors should consider the value of auditing the controls to address these problems.

Management and the board should pay attention and fix the problems! Risk and audit practitioners can help by shining a light on the situation.

I still call [auditing what matters](https://www.amazon.com/Auditing-that-matters-Norman-Marks/dp/1537662023/ref=asap_bc?ie=UTF8) "enterprise risk-based auditing." I don't care whether people want to call the topics covered by my audits risks, sources of risk, or gizmos.

What do you think?

[1] Technically, risk is the *effect* of uncertainty on objectives, so the fact that the event or situation is certain is not the deciding factor.

Norman Marks
## Step Back and Read the Headlines

https://iaonline.theiia.org/2016/Pages/Step-Back-and-Read-the-Headlines.aspx

Discussions about ethics and reputation often include the “front page of the newspaper” test: Would you take a certain action if you knew it would be on the front page of tomorrow’s newspaper? And while the concept may be a little dated (Newspaper? What’s a newspaper?), the underlying premise still holds true. In fact, in a world where anything can be posted, tweeted, and spread instantly, it is even more relevant.

Reputational risk continues to be considered one of the biggest issues facing board members, executives, and anyone charged with the welfare of an organization. Accordingly, it represents an important consideration for all internal auditors. But despite this focus, organizations do not understand the real impact and power of reputational risk in the decision-making process.

Recently, some nonprofit organizations have faced increased scrutiny for their spending practices. Donors have raised serious questions about the percentage of donations going to those in need versus the percentage going to questionable operational expenses. The nonprofits defend these as justifiable expenses. But the arguments fall on deaf ears, resulting in substantial and often debilitating decreases in donations, as well as an increasing list of castoff C-suite executives.

But imagine yourself sitting in the original meetings. A board member asks about the cost of entertainment at a function, or the investment in a glossy new building, or high-class travel expenses, or the CEO’s salary. Someone provides a clear, cogent explanation, citing standards that must be maintained, the ability to attract more affluent donors with larger investments, or the need to reward executives for their success. Based on these sound and logical explanations, you might find that you agree with the decisions.

The problem is that such internal decisions are seldom viewed through the prism of public opinion. In the boardroom it makes perfect sense; on the front page, not so much so.

You may well argue that you are nothing more than a lowly internal auditor who has never seen the inside of a boardroom, let alone been allowed to help with high-level decisions. However, the same principles hold true for every question you raise. Listen closely to the explanations — how a decision was made, how an event occurred, and how it will be ignored or corrected. Then consider how it would look on the front page of tomorrow’s paper.

Given the importance of reputation to organizational success, internal auditors need to keep it in mind at all times. Reputation should not just be considered during the first risk assessment; it must continue to receive focus until the auditors and clients come to a conclusion that satisfies everyone — even the people who might see it in tomorrow’s headlines.

Mike Jacka
A Winning Pairhttps://iaonline.theiia.org/2016/Pages/A-Winning-Pair.aspxA Winning Pair<p>​We’ve all seen the advertisements for the latest and greatest home security systems. Yet despite all of their bells and whistles  and the good they may do, security systems are useless if we forget to set the alarm. The technology and the person using it must work simultaneously to achieve the best results. In much the same way, governance and automation can be complementary, but they are not substitutes for each other. In some cases, automation may be used to force process steps and monitor actions, but a company cannot automate its way to compliance. Even the most sophisticated automated processes often contain at least an interface with what is usually the factor of greatest risk — the human being. Governance is a tool to help bridge the gap. </p><p>Take cybersecurity, for example. The Center for Internet Security’s Critical Security Controls calls for a defense-in-depth model to help prevent and detect malware. The intent is to use multiple tools, each specializing in different protections such as access control, intrusion protection/detection, malware identification, and vulnerability scanning. These products are “layered,” with each tool testing some aspect of the communication, usually with the ability to block or send alerts on questionable traffic. Only if the message passes through all appropriate gates can it be delivered to its intended destination. This is no inexpensive proposition. A company’s spending on cybersecurity may reach tens of millions of dollars.</p><p>And despite automated defenses, proactive technology tools, and the money, time, and resources invested, organizations remain at risk. Phishing, where a party with harmful intentions uses methods such as enticing emails to get recipients to click a link, is a prime example. 
The page or attachment behind the link may load malware onto the user’s machine, capture login credentials, and spread further across the network. The intruder now has the same access as the victim and will seek elevated privileges. All it takes is one person clicking one link in one email to compromise the system.  </p><p>Governance can be effective in bolstering the line of defense. A sound policy, employee education, and monitoring for enforcement are all critical facets of such a program. Internal auditors should be looking for governance in all the right places.</p><p>The auditor should determine whether the organization has defined the level of risk it is willing to assume and whether there is a current risk profile. By identifying risks, the mitigation activities in place, and the residual risks, the organization can determine its current position. The auditor can then compare the risk appetite to the risk profile. Where the residual risk is too high, the organization can brainstorm alternatives and assess the cost/benefit of each. The results are likely to identify high-risk areas where automation alone cannot bridge the gap or is too costly to implement.</p><p>For those actionable items, ensuring good governance may be the best option. Access control is one example. When an employee or contractor is terminated, particularly for cause, access to systems and facilities must be removed immediately. While it is possible to automate access deactivation, the deprovisioning workflow still has to be triggered by a person recording the termination, and it must reach every system where the person held access, not only the central directory. Having a policy that assigns responsibility for this function is best practice. </p><p>There must be widespread awareness and understanding of the policy and a sense of urgency and ownership in carrying it out. As the termination procedure may not be a frequent occurrence, reminders to all managers and inclusion in manager on-boarding training are necessary. Also, it is imperative that human resources keep this process top of mind. 
</p><p>A robust awareness program also contributes to driving behaviors. Executive behavior is key, and employees must know what is expected of them. Repeated education can be effective, as many people need reminders. Auditors may recommend computer-based training, lunch-and-learn sessions, posters, gamification, and other methods to improve retention and reinforce desired behavior.  </p><p>Finally, there is a need to monitor for desired behavior. While many factors can be monitored electronically, governance still plays a role. The auditor can determine whether there are policies for monitoring employee behavior. Has there been a discussion with the legal department regarding an employee’s expectation of privacy? If employees should not have an expectation of privacy regarding company property, computerized activity on company networks, and the like, have they been notified? The auditor may want to recommend a consent banner on the login page of the company’s systems.</p><p>Just like installing a home security system and remembering to use it, governance and automated controls should be complementary. Auditors can help companies see how a balance is needed. Desired behavior must be governed from the top, embraced by management, and exercised by all. </p>Debbie Shelton
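<p>The termination scenario above is one an auditor can actually test rather than just ask about: take the HR termination feed and an identity-provider export of accounts, and flag leavers whose accounts are still enabled, with the severity raised when the account was used after the leaving date. The following is an added example, not code from the article or from any product it mentions; the column names, the one-day grace period for ordinary departures, and the sample rows are all assumptions, and the sample data is constructed.</p>

```python
"""Leaver-access reconciliation: flag accounts still enabled after termination.

Added example (not from the article). The HR rows and account export below
are constructed sample data; the field names and the grace-period SLA are
assumptions, not any real system's schema.
"""
from collections import Counter
from datetime import date, timedelta

# Constructed sample: HR termination feed, one row per leaver.
HR_TERMINATIONS = [
    {"person_id": "E1001", "name": "A. Lee", "terminated_on": "2024-03-01", "for_cause": True},
    {"person_id": "E1002", "name": "B. Ortiz", "terminated_on": "2024-03-05", "for_cause": False},
    {"person_id": "C2001", "name": "C. Patel (contractor)", "terminated_on": "2024-02-20", "for_cause": False},
    {"person_id": "E1003", "name": "D. Kim", "terminated_on": "2024-03-11", "for_cause": False},
]

# Constructed sample: identity-provider export covering several systems,
# including a badge system with no login history and a SaaS app outside AD.
IDP_ACCOUNTS = [
    {"person_id": "E1001", "system": "ad", "enabled": True, "last_login": "2024-03-04"},
    {"person_id": "E1001", "system": "vpn", "enabled": True, "last_login": "2024-03-03"},
    {"person_id": "E1002", "system": "ad", "enabled": False, "last_login": "2024-03-05"},
    {"person_id": "C2001", "system": "ad", "enabled": True, "last_login": "2024-01-30"},
    {"person_id": "C2001", "system": "badge", "enabled": True, "last_login": None},
    {"person_id": "E1003", "system": "ad", "enabled": False, "last_login": "2024-03-08"},
    {"person_id": "E1003", "system": "saas_crm", "enabled": True, "last_login": "2024-03-09"},
]

AS_OF = date(2024, 3, 12)  # the date the audit test is run (assumed)


def reconcile(hr_rows, accounts, as_of, grace_days=1):
    """Return one finding per still-enabled account belonging to a leaver.

    Severity rules (assumed policy, matching the article's "immediately"):
      critical - the account was used after the termination date
      high     - still enabled past the deprovisioning deadline
      info     - still enabled but inside the grace window; recheck tomorrow
    For-cause terminations get no grace period at all.
    """
    accounts_by_person = {}
    for acct in accounts:
        accounts_by_person.setdefault(acct["person_id"], []).append(acct)

    findings = []
    for row in hr_rows:
        term = date.fromisoformat(row["terminated_on"])
        deadline = term + timedelta(days=0 if row["for_cause"] else grace_days)
        for acct in accounts_by_person.get(row["person_id"], []):
            if not acct["enabled"]:
                continue  # already deprovisioned on this system
            last = date.fromisoformat(acct["last_login"]) if acct["last_login"] else None
            if last is not None and last > term:
                severity = "critical"
            elif as_of > deadline:
                severity = "high"
            else:
                severity = "info"
            findings.append({
                "person_id": row["person_id"],
                "name": row["name"],
                "system": acct["system"],
                "severity": severity,
                "days_open": (as_of - term).days,
            })
    return findings


def summarize(findings):
    """Count findings per severity for the audit report."""
    return dict(Counter(f["severity"] for f in findings))


def run_example():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(HR_TERMINATIONS, IDP_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    results = run_example()
    for f in sorted(results, key=lambda f: f["severity"]):
        print(f"{f['severity']:8} {f['person_id']:6} {f['system']:9} "
              f"{f['name']} ({f['days_open']} days since termination)")
    print(summarize(results))
```

<p>Two points the sample is built to surface: the contractor's badge access has no login history at all, so a test that only looks for post-termination logins would miss it, and the SaaS account that AD deprovisioning never touched is exactly the kind of system the policy must name an owner for.</p>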
Monitoring Laws and Regulations and Their Effect on Your Organization (https://iaonline.theiia.org/blogs/marks/2017/Pages/Monitoring-laws-and-regulations-and-their-effect-on-your-organization.aspx)<p>This is an important topic for every organization, whether public or private, local or global.</p><p>It's especially true when you add interpretations by the regulators and courts of existing laws and regulations.</p><p>Something that you thought you understood to mean A now appears to mean B.</p><p>If you are not up to date on the laws and regulations with which you need to comply, there is a significant potential for harm.</p><p>OCEG recently shared an infographic on the topic of <a href="http://www.oceg.org/resources/regulatory-change-management/" target="_blank">Regulatory Change Management</a>. Sponsored and developed by Thomson Reuters, the accompanying article points out technology assists that can help monitor changes in the regulatory environment that might affect the organization, its risks, and its ability to remain in compliance.</p><p>I agree that technology like this can be very useful. But I am not 100 percent convinced that it is sufficient.</p><p>If it were up to me, I would develop a map that shows all the areas where laws, regulations, and societal expectations might apply to the enterprise. I add societal expectations because failing to live up to them can be damaging, directly to the organization's reputation and indirectly to its revenue and more.</p><p>I would then, for each area, identify how we could ensure we remain up to date, and who is responsible. 
I would not ignore sources like:</p><ul><li>The external law firms.</li><li>The external auditors.</li><li>Government affairs consultants.</li><li>The management team and other advisors.</li></ul><p>But it's not enough for designated individuals to receive notification of changes that might affect the organization.</p><p>It's not enough, as implied in the piece, for analysis to be performed at HQ.</p><p>The changes and their implications need to be communicated to all potentially affected individuals across the extended enterprise. That population includes not only employees but partners, service providers, and others in the supply chain.</p><p>Training may be needed; policies and procedures may need to be updated. As noted by the authors, controls may need to be changed or adapted to the new environment.</p><p>It is quite possible that regulatory change may mean that current strategies and objectives need to be changed as well.</p><p>This is an important area, one that deserves the attention of both risk practitioners and internal auditors. From time to time, the board might consider asking management to report on its ability to both identify and then respond to regulatory change.</p><p>Perhaps you can share sources of information about regulatory change that I have missed, as well as measures that organizations should take to address them.</p><p>OCEG is a great source of <a href="http://www.oceg.org/resource_topic/free/?utm_source=OCEG+Members&utm_campaign=aa0204db3e-Reg+Change&utm_medium=email&utm_term=0_2afb06e6d3-aa0204db3e-122229369" target="_blank">materials</a> and <a href="http://www.oceg.org/education/grc-fundamentals/?utm_source=OCEG+Members&utm_campaign=aa0204db3e-Reg+Change&utm_medium=email&utm_term=0_2afb06e6d3-aa0204db3e-122229369" target="_blank">training</a>. Membership is free!</p>Norman Marks
Related articles:
Six Steps to an Effective Continuous Audit Process (2008-02-01): https://iaonline.theiia.org/six-steps-to-an-effective-continuous-audit-process
Understanding the Risk Management Process (2007-05-01): https://iaonline.theiia.org/understanding-the-risk-management-process
Lessons From Toshiba: When Corporate Scandals Implicate Internal Audit (2015-07-27): https://iaonline.theiia.org/blogs/chambers/2015/lessons-from-toshiba-when-corporate-scandals-implicate-internal-audit
Managing an Internal Audit Career: How Do You Know When It’s Time to Go? (2015-03-30): https://iaonline.theiia.org/blogs/chambers/2015/managing-an-internal-audit-career-how-do-you-know-when-it’s-time-to-go