Risk and Compliance

 

 

An Early Look at Internal Audit Priorities for 2019https://iaonline.theiia.org/blogs/chambers/2018/Pages/An-Early-Look-at-Internal-Audit-Priorities-for-2019.aspxAn Early Look at Internal Audit Priorities for 2019<p><span style="font-size:12px;"><img src="/2018/PublishingImages/risk-ahead-road-sign.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Like the speed of risk, the end of 2018 is approaching very rapidly. That means many of you are putting the finishing touches on your 2019 annual internal audit plan. I am sure that your process has been exhaustive, and you are preparing to present a plan for your audit committee that will reflect the risk-based priorities appropriate for your organization. However, before the ink dries on your plan, I thought you might find it useful to take an early look at the priorities your peers</span><span style="font-size:12px;"> are planning to address in the year ahead.</span></p><p>Risk defines the world of the internal auditor. Ultimately, risk is what shapes our audit plans, directs our stakeholders, and determines our success or failure. That is why we spend so much time and effort helping our organizations identify, understand, and mitigate or leverage risks. Understanding the unique mix of risks our organizations face, and the risk appetites of our stakeholders, is crucial to internal audit adding value.</p><p>A number of organizations produce annual reports that attempt to peer at the horizon to identify risks in the coming year. Sometimes, it is easy to predict what those risks will be, as some major ones are long term, if not perpetual. The challenge is to identify or anticipate unexpected, emerging, or atypical risks that may mature in the coming weeks or months, in hopes of preparing to gird against them or use them to benefit the organization.</p><p>Two recently published reports, one from Gartner Inc. and the other from the European Confederation of Institutes of Internal Auditing (ECIIA), identify a familiar foe as the top risk for 2019: cybersecurity. Over the years, this challenge to organizations has consistently climbed up the risk hierarchy in annual reports. It also has opened our eyes to other risk categories, as our understanding of cyber becomes more sophisticated and our approaches to managing it mature.</p><p>Indeed, the focus on cybersecurity has helped us to understand that technology and data are inexorably intertwined, and it has increased our awareness of risk related to data governance and data privacy. It has driven us to be more cognizant of risks related to third-party relationships, IT governance, and culture.</p><p>For example, four of the top five risks in the <a href="https://www.gartner.com/en/risk-audit/trends/audit-hot-spots.html">Gartner report</a> arguably stem from our focus on cybersecurity – cybersecurity preparedness, data privacy, data governance, and third-party risk. <a href="http://www.eciia.eu/wp-content/uploads/2018/09/Risk-in-Focus_2019.pdf"><em>Risk in Focus 2019</em></a><em>, </em>the report developed and produced by the ECIIA, groups cybersecurity, IT governance, and third-party risks into one category. Another category in the ECIIA report is data protection and strategies in a post-GDPR world.</p><p>Data and technology also are central to risk discussions on digitalization, automation, and artificial intelligence. These discussions neatly demonstrate the challenge of balancing risk and opportunity. As the ECIIA report points out:</p><p><em class="ms-rteStyle-BQ">"The cost and efficiency benefits of automation and other digital processes can be transformative, if harnessed to their full potential. But organizations must also consider the risk associated with such transformation."</em></p><p>Data collected since 2016 by The IIA in its annual Pulse of Internal Audit surveys reflect the same focus on cyber. The percentage of North American chief audit executives (CAEs) who rated cyber as a top risk to their organizations grew from 60 percent to 68 percent between 2016 and 2018. Over the same period, the percentage of CAEs rating IT as a top risk grew from 39 percent to 53 percent, and third-party relationships showed modest growth as well.</p><p>The Gartner report, which surveyed 144 CAEs, found two-thirds of respondents said they had experienced either a third-party-related disruption in the past two years or lacked sufficient knowledge of third-party activities to identify a disruption.</p><p>What is known is that third-party risks are growing more complex as digitalization, data sharing, and weak oversight of third-party relationships threaten to expose organizations to reputational harm. </p><p>It is easy to fixate on data- and technology-driven risks, but others certainly exist, as the two risk reports agree. Gartner identifies ethics and integrity as a risk that has evolved from culture risks identified in its 2018 report. The ECIIA report also identifies workplace culture as a risk.</p><p>In 2018, the #MeToo movement redefined how organizations see risks associated with sexual harassment and inequality in the workplace. While those two areas were known risk categories, the explosion of serious allegations against high-profile entertainment industry executives and the subsequent reputational damage to their organizations have significantly raised this risk level. The significant role of social media cannot be overstated. Here again, technology is influencing how we view risk.  </p><p>The Cambridge Analytica scandal provides another example. Facebook and its iconic founder, Mark Zuckerberg, suffered significant reputational damage for allowing the British company to mine personal information of millions of the service's users. It also raised awareness of the ethical responsibilities associated with data protection and privacy that now is viewed as a significant risk in both the Gartner and ECIIA reports.</p><p>As we look toward 2019, the risk landscape will likely focus on cybersecurity, data governance and privacy, third-party risk, and the evolving hazards associated with technology's impact on organizational ethics, culture, and integrity.</p><p>As you prepare your internal audit plans for the coming year, you should ensure that you have considered all of the risks facing your organization and discuss them with your audit committees and executive management. The list is by no means comprehensive or necessarily applicable to all organizations. However, it does provide a useful benchmark as you contemplate what may lie ahead in 2019.</p><p>As always, I look forward to your comments.<br></p>Richard Chambers0
Doing the Right Thinghttps://iaonline.theiia.org/2018/Pages/Doing-the-Right-Thing.aspxDoing the Right Thing<h2>​In light of recent, well-publicized corporate culture failings, what are boards doing to address culture?</h2><p> <strong>Christensen</strong> We definitely see the concept of culture gaining traction in the boardroom. More than ever, directors are acutely aware that culture plays a role in delivering outcomes — both good and bad — for the companies they serve. Because culture can break down anywhere in the company, it is important for directors to experience firsthand the real-world culture in the organization, rather than rely solely on boardroom discussions and management reports. One way to accomplish this is by engaging directly with operating personnel through site visits. Directors also should insist on observations regarding culture from the chief risk officer, chief compliance officer, chief information security officer, and human resources and environment, health, and safety personnel, as well as other independent second line-of-defense functions. Boards also expect internal audit to weigh in as the third-line assurance provider.</p><p> <strong>Keele</strong> Boards are asking more directed questions: What is the risk of this happening in our company? What steps have we taken to prevent/detect this type of misconduct? Do we apply our processes consistently? How does the organization respond to a finding of inappropriate or unethical behavior — is everyone held accountable, or are certain individuals given a pass? Do we have a crisis management plan to respond to an event? Boards also should be consistently asking the broader questions that get at the current state of the organization’s culture: Are expectations for what constitutes unacceptable behavior clear and understood? Is the workplace safe and respectful? Do individuals feel they can speak up without retaliation, expect they will be heard, and have their concerns investigated? </p><h2>What do boards need to understand about their role in overseeing culture?</h2><p> <strong><img src="/2018/PublishingImages/EOB-Tracey-Keele.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Keele</strong> Most boards now understand that culture is important, but determining what to do about it is another matter. Like management, boards are not entirely sure how to confirm whether the culture they want is the culture they have. Because measuring and overseeing culture isn’t easy, there is a risk of defaulting to seemingly simple, check-the-box solutions. Further, there is a risk of over-relying on hard controls — policies, training, and systems that only provide a partial view of risk management. Understanding the drivers of conduct — soft controls — and whether the “walk” matches the “talk” is fundamental to understanding culture and risk.</p><p>Boards also should guard against focusing on today’s expectations, without considering how they may differ tomorrow. Technological, social, economic, regulatory, and political changes are occurring faster than ever. How do organizations evolve quickly, focus on both the spirit and the letter of the law, and anticipate change to enhance resiliency, grow, and build trust with stakeholders? </p><p> <strong>Christensen</strong> Culture is a vital enterprise asset that must be cultivated, nurtured, and maintained. Directors need to be curious enough to probe on culture issues. First and foremost, the board must want to know whether there are any concerns pertaining to culture warranting its attention. Board members must address two fundamental questions: How do we know what we need to know regarding culture? Is our understanding representative of the entire organization or just certain areas? No director wants to be on a board that ends up asking itself: How did this happen and why didn’t we know?</p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>​Cultural Misalignment</strong></p><p>Christensen and Keele say these red flags may indicate that the tone in the middle isn’t aligned with the tone at the top. </p><ul><li>Nobody is talking about culture.</li><li>Controversial deals and encouragement of risk taking to hit short-term targets.</li><li>Complex and unclear legal and reporting structures that obscure transparency. </li><li>Poorly executed takeovers that allow pockets of bad behavior to thrive.</li><li>Lack of financial discipline.</li><li>Employees constantly fear being fired.</li><li>Employees execute projects without a clear vision from company leaders.</li><li>Lack of knowledge sharing among employees.</li><li>A focus on blame or covering for each other rather than fixing the problem.</li><li>A perceived disconnect between words and action. </li><li>A focus on the letter rather than the spirit of the law and regulations.</li><li>Risk management and controls are regarded as an inconvenience. </li><li>Lack of prompt follow through on commitments.</li><li>Failure to escalate identified issues and active concealment of problems.</li><li>Dress rehearsals for leadership visits that are focused on appearance.</li></ul></td></tr></tbody></table> <h2>What can internal audit do to inform the board about the organization’s culture?</h2><p> <strong><img src="/2018/PublishingImages/EOB-Brian-Christensen.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Christensen</strong> Internal audit, the third line of defense,  is well-positioned to perform a culture audit, evaluating the processes used across the entity by first- and second-line personnel to assess culture. Ironically, it is internal audit — the objective eye of the organization — that is uniquely qualified to bring “a systematic, disciplined approach” to a potentially subjective process like measuring culture. Internal auditors should “connect the dots,” considering the findings and gratuitous observations from multiple audits to ascertain whether any meaningful patterns exist. With everyone having a stake in evaluating the enterprise’s culture, the board should be privy to the results of all evaluations — particularly from independent second-line functions and internal audit. </p><p> <strong>Keele</strong> Internal auditors can play a critical role in understanding and enhancing culture. Internal audit can act as “the eyes and ears” of the organization, helping the board deepen its understanding of culture to better fulfill its culture oversight responsibilities. Evaluating and evolving audit skills and capabilities, initiating and promoting dialogue within the organization, garnering organizational permissions and support, and understanding the organization’s culture expectations, initiatives, and current state are important first steps for establishing internal audit’s role in culture.</p><h2>What tools and techniques should internal audit use to audit culture?</h2><p> <strong>Keele</strong> The tools and techniques used in traditional audits also are relevant to culture audits — interviews, data review and analysis, and walk-throughs. Also, the use of surveys, facilitated workshops, focus groups, and advanced analytical techniques like sentiment analysis can be extremely valuable, deepening the understanding of employee experiences and perceptions. Internal audit should think expansively about data that exists within and outside the organization to support improved risk assessment and audit execution. Procedures should be tailored based on the organization’s culture maturity and appetite for improvement, and internal audit’s capability and ambition. </p><p> <strong>Christensen</strong> Survey results can validate themes from stakeholder interactions to gauge consistency of views regarding the company’s culture. Relevant data metrics should supplement insights from surveys and direct interactions with stakeholders. These include risk metrics, conduct-related compliance data, issue escalation and resolution data, human resources data and reports, whistleblower reports, turnover data, ethics hotline reports, unstructured social media data, and employee demographic data. These and other metrics should be used as supplements to performance measures linked to the strategy to drive the type of organizational culture that management and the board would like stakeholders to experience when they interact with it. </p>Staff1
Don't Overlook Physical Accesshttps://iaonline.theiia.org/2018/Pages/Don't-Overlook-Physical-Access.aspxDon't Overlook Physical Access<p></p> <p>In the digital age, security risks have become a rising concern for boards, management, and chief audit executives. They have responded to technology advances and growing cyber threats by focusing on controlling access to data, networks, and systems — known as logical security. That focus on logical security often comes​ at the expense of attention to physical security around buildings, facilities, equipment, and other areas. </p><p>Physical and logical access are closely intertwined and combine to provide a higher level of security throughout the organization. Both types of access control are key to risk mitigation efforts to protect systems and data. Moreover, physical access can have a great impact on the effectiveness of logical access controls. Internal auditors need to focus on the basics and include physical access in their audit plans to ensure that the organization is protected adequately.</p><h2>What’s at Risk?</h2><p>Physical security is one of the most critical components of the overall security landscape. Weak physical security controls expose organizations to greater risk of failure of other controls. Recent incidents have shown that even with the strongest controls around logical security and intrusion detection, organizations continue to be exposed to the risk of unauthorized access in the absence of strong physical access controls.</p><p>Physical security risks are unique to each organization and depend on the size, geographical spread, and type of assets that need to be protected. Internal auditors often consider enterprise systems and data to be the primary assets that are vulnerable to physical security risks. That list must be expanded to include property, office buildings, warehouses, utility rooms, machinery, equipment, and vehicles as well as employees, contractors, and visitors. </p><p>The broader risks resulting from the lack of effective physical access controls include inappropriate and unauthorized access to information, theft, vandalism, inappropriate actions from rogue employees or angry customers, accidents, and terrorism. While important for every organization, the consequences when physical security controls are compromised may be greater for data centers, defense-related organizations, educational institutions, hotels, hospitals, and retail businesses.</p><h2>The Audit Plan</h2><p>Including physical security audits in the annual audit plan can help ensure the organization is taking a more structured approach to mitigating security risks. Auditors also should provide assurance that management has performed a physical security threat assessment. Physical security audits should cover several areas.</p><p><strong>Governance and Oversight</strong> Auditors should start by evaluating policies and procedures, oversight, risk assessments, training, and other processes that are in place to facilitate strong physical controls. Effective governance typically indicates a solid foundation for oversight and controls. <br></p><p>Ownership and accountability of physical access can sometimes be murky. Roles and responsibilities of security personnel, property management, data management, and IT overlap and are interrelated. Generally, the IT team supports and helps manage identity and access management programs, but a different business unit may be responsible for physical access. The effectiveness of physical access controls depends on the collaboration among all the affected groups.</p><p><strong>Physical Access Control Layers</strong> The first step in protecting against physical access threats is developing the ability to keep unauthorized individuals off the organization’s property. In assessing physical access controls, internal auditors should test the effectiveness of perimeter barriers such as fences, walls, or gates; protective lighting; alarm systems; communications systems; vehicle identification and control systems; and guard systems. As auditors move beyond perimeter considerations to review specific buildings, they should test other key controls such as security alarm systems, cameras, motion detectors, turnstiles, door locks, and badging systems. </p><p>Despite the most sophisticated personnel identification and control processes, piggybacking is still a huge concern. Piggybacking refers to when an unauthorized person follows behind another person who is authorized to gain entry into a restricted area or past a checkpoint. Internal auditors must ensure that the organization is taking enough measures to restrict access by unauthorized individuals until their identity is confirmed by on-site security personnel. Auditors can review training and communication about piggybacking and even observe this process during busy entry times.</p><p>Within each building, internal auditors should inspect elevator and stairwell access, as well as evaluate whether individual and conference room doors have appropriate locking mechanisms. Rooms that contain valuable or sensitive information and other assets should be adequately protected to prevent access by unauthorized personnel.</p><p>Internal auditors should evaluate these multiple layers of controls carefully to ensure they are strong enough from both preventive and detective aspects. All these systems should be integrated with each other. For example, many organizations use a human resources database called Active Directory to validate an employee’s access credentials in real time.</p><p><strong>Monitoring</strong> Internal auditors should assess whether the organization has effective monitoring controls in place to review the logs created from various monitoring systems. This information can ensure that the organization investigates and remedies all relevant incidents timely. In case of a breach, facilities, IT, information security, human resources, and legal teams must collaborate as a formal committee to discuss the incidents, analyze the root cause from investigations, and take remedial action. Internal auditors can review minutes from these committee meetings to evaluate their content and the effectiveness of their remedies.<br></p><h2>Internal Audit’s Next Steps</h2><p>Going forward, internal audit should integrate physical security into the department’s risk assessment process to ensure it gets adequate overall coverage in the annual audit plan. It is important for auditors to evaluate whether the current plan integrates physical security audit steps into relevant audit programs. </p><p>As they develop the audit plan and perform the risk assessment, auditors should schedule meetings with facility and security personnel to learn about past incidents and get a sense of risk exposures in this area. From there, they should meet with the relevant stakeholders to discuss the current logical controls and determine how much logical and other controls depend on physical controls. By following these steps and recommending effective physical security controls, internal auditors also can help strengthen the organization’s overall security profile.  ​</p>Manoj Satnaliwala1
In Any Kind of Weatherhttps://iaonline.theiia.org/2018/Pages/In-Any-Kind-of-Weather.aspxIn Any Kind of Weather<p>​The world has changed radically since 2004, the year The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its original, principles-based <em>Enterprise Risk Management (ERM)–Integrated Framework</em>. Since that time, there have been tremendous technology advances, the continued development of a truly globalized economic system, and lingering impacts from a devastating recession that sprung from the banking and financial crises of 2007. </p><p>In parallel, risk management and internal audit practices have evolved as both professions have become more globalized and well-regarded within organizations. Risk guidance has improved. COSO significantly revised its ERM framework in 2017, introducing some important new features that can be of great help to organizations, risk managers, and internal auditors. In addition to COSO, the International Organization for Standardization published guidance in 2009 (ISO 31000:2009) and revised it this year (ISO 31000:2018). </p><p>One year after COSO issued its updated framework, many internal audit functions are working to apply the new framework to help their organizations weather the risks that are on the horizon. The ISO standard and COSO framework are now closely aligned and complementary. However, the COSO framework provides more detailed guidance around managing risk.</p><h2>Winds of Change</h2><p>The 2004 COSO ERM Framework introduced some advances in risk management. First, it helped bring greater consistency and veracity to risk management processes and systems. Second, it stated that the context in which business risk arose was crucial — risk needs to be seen in the light of an organization’s objectives. The framework emphasized the notion that risk management was not just about mitigating risk, but about providing organizations with a range of appropriate responses, depending on how much risk they wanted to take. These factors have helped risk management become mainstream in many organizations.</p><p>COSO’s <em>ERM Framework–Integrating With Strategy and Performance</em> makes those ideas much more central and extends them to cover recent thinking in risk management theory and practice. This can be seen throughout its 20 core principles (see “COSO ERM Components and Principles” below) and is further underpinned by giving governance and culture a powerful role to play. In addition, the revised framework emphasizes information, communication, and reporting to give boards and management accurate and timely information to make effective decisions. Moreover, the document urges organizations to look as much to the upsides of risk as to the potential downsides and for internal auditors and other advisors to do the same.</p><h2>Pinpointing Extreme Weather</h2><p>For internal audit to contribute effectively to the organization’s risk management efforts, it must understand how the revised COSO ERM framework can be applied in practice. COSO has produced some sector-specific examples of how to apply the framework in <em>Enterprise Risk Management–Integrating With Strategy and Performance: Compendium of Examples</em>. </p><p>One risk that almost any organization faces relates to extreme weather events such as hurricanes, tornados, and floods. The application of COSO ERM to this type of risk can be illustrated by mapping the framework to the COSO ERM components. Environmental risks are covered in draft guidance that COSO has developed with the World Business Council for Sustainable Development, Applying Enterprise Risk Management to Environmental, Social, and Governance-related Risks.</p><p><strong>Governance and Culture</strong> To start, the organization should establish governance for effective risk management for extreme weather events, just as it would for any other threat. However, discussions at the board level could evidence the importance the board places on understanding the potential impact and likelihood of weather events. Moreover, it should convey the board’s desire to ensure such events are managed appropriately. This step maps to the framework’s governance and culture component (principles 1–5). These principles cover everything from exercising board risk oversight to considerations of how to develop the operational structures and culture needed to deal effectively with extreme weather events.</p><p><strong>Strategy and Objective-setting</strong> In this step, internal auditors would seek to understand the risk in terms of the business’ context and strategy. In this respect, the board and management need to understand how extreme weather events may disrupt the pursuit of specific strategies and business objectives. The strategy and objective-setting component (principles 6–9) includes developing a risk appetite for this particular threat and considering alternative strategies for approaching risk management. This also includes how the business context impacts the organization’s risk profile.</p><p><strong>Performance</strong> Principles 10–14 cover performance of risk management. Selecting an extreme weather event as a specific risk covers principle 10 (identify risk). Management would next identify the possible outcomes from such events, based on its understanding of the business context and strategy, and this would feed into the assessment and prioritization of this risk. This assessment requires understanding the potential impact of weather event outcomes and the likelihood that those events would occur at the impact levels envisaged. As with all risk assessments, management must be careful not to fixate on a particular event or outcome. Rather, it needs to consider the full range of possible outcomes. </p><p>From this assessment, management can determine which of those events and outcomes should be a priority to manage. Management should then consider its ability to mitigate the impact of those risks, as well as its appetite for related risk outcomes, and select the most appropriate risk management responses or strategies. It is important that the business assigns responsibility and accountability for managing the risks. </p><p>Possible responses may include taking moves to reduce risk, such as disaster preparation, and taking measures to reduce the impact of extreme weather events. Organizations could consider risk sharing and secure insurance to limit the financial impact of such events. They may consider avoiding risk by moving a facility to a location less prone to hurricanes and flooding, for instance. Businesses may decide to accept the risk and wait to respond when the risk event happens because advance preparations may not be cost effective or practical. </p><p>Finally, management also could consider risk pursuit if the organization is in the type of business that can benefit from extreme weather risk. For example, it could quickly ship building products to areas affected by weather events to accelerate the rebuilding process or rapidly send medical supplies or water into affected areas. The key is that the organization should consider all potential scenarios and plan for the relevant ones.</p><p><strong>Review and Revision</strong> Weather patterns change, so organizations need to reassess the potential severity of extreme weather events and evaluate whether their risk responses remain optimal. Also, as these responses are tested by actual occurrences, management may reevaluate their capabilities to execute the desired responses based on their ongoing experiences. These map onto principles 15–17 in the review and revision component.</p><p><strong>Information, Communication, and Reporting</strong> This component (principles 18–20) focuses on how extreme weather risk is communicated and reported throughout the business. The board must understand the context, the potential events and outcomes, the assessment and prioritization results, the rationale for the responses that have been chosen, and the results of the periodic reviews and assessments. This process also may include communication from management to risk managers to help them make more timely and effective decisions related to their risk management activities. This is likely to be empowered by digital communication channels within the organization.</p><h2>The ERM Umbrella</h2><p>Not surprisingly, internal auditors need to thoroughly understand the new COSO ERM framework to help their organizations fully benefit from it. Part of internal audit’s role is to educate the board, executive management, and others throughout the business about these ERM components and principles. In addition, internal audit needs to advise management and provide input to enterprise risk assessments. </p><p>The current framework puts a lot of weight on boards and executives receiving the right information at the right time to provide risk oversight and evaluate the effectiveness of risk management. To that end, internal audit can provide assurance and advice about whether the information that is being reported upward is comprehensive, accurate, and timely. This could take the form of one-off consultancy style exercises, be part of an audit, or be a report to the board. </p><p>Finally, internal audit must be in a position to evaluate the overall effectiveness of ERM, a role that has been in The IIA’s <em>International Standards for the Professional Practice of Internal Auditing</em> for some time. Standards 2110: Governance and 2120: Risk Management direct internal audit to assess risk management. Despite that, there is not much guidance available on how to conduct a comprehensive assessment. Internal auditors could use the 20 principles to perform a gap analysis throughout the business to see which elements of the guidance point to areas of risk management that require improvement.</p><h2>An Accurate Forecast</h2><p>And what of the internal audit function, itself? There are two areas of internal audit practice that the current COSO ERM framework will impact — planning and projects. </p><p>More than ever, internal auditors must understand the organization’s business objectives and strategies when it comes to periodic audit planning. Auditors need to know what the risks are to those objectives and how those risks currently are managed. For example, has management considered alternative strategies to manage the risk, or are executives simply trying to mitigate it? What is management’s tolerance to risk in that area and how open is that tolerance to variation around certain risks? The answers to these questions will influence what projects internal audit should undertake.</p><p>Audit’s planning needs to be done in light of the organization’s risk culture and risk appetite. These factors could have a major impact on the scope and testing approach designed for a particular audit if that audit is to provide assurance that is targeted at the right level of the organization.</p><p>If audit planning is executed in light of business objectives and management’s risk culture and risk appetite, audit projects will take the same focus. That will mean that individual audit risk assessments will be better aligned with the organization’s own risk assessment — and project scope and testing will be based on risk tolerance. Internal audit will report any deficiencies in the specific context of their potential impact on business objectives and on management’s risk tolerances. Hopefully, this will lead to audit paying more attention to the potential upsides of specific risks.</p><h2>Clear Skies</h2><p>While many of the concepts in the current COSO ERM framework will be familiar to internal auditors, taken as a whole, it will represent a big leap in the quality of audit’s contribution to the business if implemented appropriately. Few internal audit departments are able to do a comprehensive assessment of the overall effectiveness of their organization’s ERM processes. The framework may enable internal audit to perform that assessment.</p><p>For internal auditors who are adopting the current framework for the first time, the key is to learn what it says and what it means to their organization in detail. Second, assessing the organization’s current ERM practices against the framework’s 20 principles can ensure auditors understand the guidance and have identified the most obvious gaps to remedy. </p><p>Third, if internal audit hasn’t already done so, it should start to audit and report in the context of the business’ objectives because this can help bring alive what the framework is about and make audits even more useful to management. Finally, internal audit should begin to take a more holistic approach to understanding the risks the organization faces and communicate that to management. That will help management understand risk better and how its responses to threats can turn into opportunities for the organization. </p><p><br></p><p><img src="/2018/PublishingImages/Sobel_Sidebar_COSO%20ERM.jpg" alt="" style="margin:5px;" /><br></p>Paul J. Sobel1
In Compliancehttps://iaonline.theiia.org/2018/Pages/In-Compliance.aspxIn Compliance<p>​One of the biggest challenges facing organizations today is keeping up with the ever-changing regulatory environment. Companies are dealing with complex compliance requirements in every area of the world in which they operate. Some new requirements, such as the European Union’s General Data Protection Regulation (GDPR), impact organizations regardless of whether they have a physical presence in the location where the law was enacted. Noncompliance with these regulatory requirements, whether it be involuntary or criminal, can create significant risks to an organization, including legal, reputation, and financial risks. Organizations must have strong governance around their compliance programs to ensure these risks are assessed and managed across the organization. </p><p>Internal audit can use their expertise in risk management and internal control to effectively offer assurance as to whether the risks associated with compliance are being managed to an acceptable level. The audit can be scoped to evaluate the governance process as a first step, and third parties can be used when additional assurance on specific regulations is necessary. </p><p>There are frameworks internal audit can leverage to help ensure it assesses all of the key components of a well-governed compliance program. For example, Chapter 8, Part B, of the U.S. Sentencing Commission Guidelines Manual presents guidelines for an effective ethics and compliance program (see “7 Elements of an Effective Compliance and Ethics Program” below). Although this framework is commonly used after an allegation of criminal misconduct has been made or adjudicated, it also can be used to ensure all of the elements of a robust compliance program are in place. </p><p>It can be overwhelming when internal audit begins analyzing a compliance program, given its overall complexity and the knowledge necessary to adequately audit all of the various regulations both in the home country and abroad, but this framework helps identify manageable components to be assessed. Management can begin by identifying all of the key compliance areas that affect the organization — environmental, data privacy, import/export, and anti-bribery/anti-corruption, just to name a few. Each key compliance area should have a designated individual with an appropriate level of authority and responsibility to oversee the compliance program. Using the framework, that person, or his or her delegates, can begin documenting how the organization would demonstrate a program that prevents or detects misconduct. A steering team of cross-functional leaders from legal, human resources, compliance, risk management, internal audit, and other key areas can help identify common program elements, such as an overall code of conduct, investigation processes, and hotline management. Internal audit can play a key role in monitoring the overall compliance program and auditing specific risk areas. </p><p>In early 2017, the U.S. Department of Justice issued supplementary guidance titled Evaluation of Corporate Programs (<a href="http://bit.ly/2Pec0fl" rel="nofollow" target="_blank">http://bit.ly/2Pec0fl</a>). This evaluation guide aligns with the federal sentencing guidelines and other referenced guidance and provides tactical questions that internal audit could use to evaluate the program. Two components, third-party and merger and acquisition risk, were added that should be considered when evaluating the effectiveness of the overall compliance program. </p><p>Third parties may be an integral part of organizational processes and considered part of the extended enterprise. The organization may have significant risk if those third parties, acting on behalf of the organization, commit an act of noncompliance. The third party may put the organization at a significant amount of reputation risk, and in certain instances, the organization may be liable for the actions of the third party. The evaluation guide indicates that certain actions must be taken such as due diligence, appropriate controls, management of the relationship, and appropriate consequences if noncompliance or misconduct is identified. </p><p>With mergers and acquisitions, management must ensure that a robust due diligence process is in place, and that the compliance function is integrated into the overall process to ensure that compliance risk is addressed. In the case of an acquisition, integration and transition of the compliance program to the new entity must be completed and any risks identified during due diligence addressed. </p><p>Overall, the framework and guide provide a solid base on which internal audit can ensure governance over compliance programs is effective. These documents should not be used as a checklist, as the elements may be present but a culture of compliance may not be developed, and the program becomes more form than substance. Internal audit should evaluate the adequacy of the evidence maintained in support of the program and ensure that the organization can demonstrate, both internally and externally, that the compliance program is robust. Both quantitative and qualitative factors should be evaluated. Soft controls evidence, such as how employees and leadership talk about the culture, also should be considered. </p><p>Although compliance can be a complex area to evaluate, these tools, along with third-party experts when needed, should enable internal audit to offer assurance around the effectiveness of the governance of compliance programs.</p><table class="ms-rteTable-4" width="100%" cellspacing="0" style="height:31px;"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><strong>​7 Elements of an Effective Compliance and Ethics Program</strong><br><br>The U.S. Sentencing Commission’s seven elements of an effective program include:<br><ol><li>The organization will establish standards and procedures to prevent and detect criminal conduct. </li><li>The organization’s governing body should be knowledgeable of the ethics and compliance program. High-level employees within the organization should be responsible for program oversight, with day-to-day responsibility delegated to specific individuals. </li><li>The organization will exercise due diligence to ensure that delegation of authority is not granted to individuals who have previously engaged in illegal activity or other conduct inconsistent with an effective compliance and ethics program. </li><li>The organization will periodically communicate its ethics program, including standards and procedures, by conducting effective training programs, for employees and third parties, and otherwise disseminating information as appropriate.</li><li>The organization will take steps to ensure that the compliance program is followed, including monitoring. The program must be periodically evaluated to assess its effectiveness, considering both quantitative and qualitative evidence. In addition, a system must be established whereby employees, or third parties, may anonymously and confidentially voice concerns.</li><li>The program must be promoted and consistently enforced across all levels of the organization, including appropriate incentives to act in accordance with the program and disciplinary actions when noncompliance is identified. </li><li>When criminal conduct is identified, the organization must respond appropriately and take steps to prevent further similar misconduct, including adjusting the overall compliance program. </li></ol><br>Source: U.S. Sentencing Commission, §8B2.1: Effective Compliance and Ethics Program, <a class="vglnk" href="http://bit.ly/2Ped56T" rel="nofollow" target="_blank"><span class="ms-rteForeColor-8">http://bit.ly/2Ped56T</span></a>.</td></tr></tbody></table><p></p>Kayla Flanders1
Selling Enterprise Risk Managementhttps://iaonline.theiia.org/2018/Pages/Selling-Enterprise-Risk-Management.aspxSelling Enterprise Risk Management<p>​Although enterprise risk management (ERM) has a compelling value proposition, it may not always be intuitive to key stakeholders. That often is because the benefits of ERM are not easily observable or clearly quantifiable in the near term. As risk management professionals, internal auditors are easily sold on ERM’s merits because of our role in the third line of defense. We live and breathe risk management governance daily. But internal auditors and other risk professionals engaged in ERM efforts, by nature, do not tend to have strong sales competencies. So, when we propose ways to advance ERM principles to organizational leadership, the message often misses the mark. </p><p>The ability to convince stakeholders of ERM’s value may be the difference between an ERM program that flounders as a check-the-box compliance activity and one that develops into a strategic governance asset. It is vital for internal auditors and other risk management professionals to have a compelling and polished value proposition pitch in their ERM toolbox — one that is intuitive and presentable in terms and language that first and second line of defense managers will embrace.</p><p>Risk management is not a new idea, and most business professionals understand its importance. However, some are skeptical, writing ERM off as unnecessary or an academic theory that is unproven in the real world. When this skepticism is not based on an informed position, it is a shortsighted and misguided viewpoint that creates a major cultural barrier when attempting to implement or mature an ERM program. This is when ERM professionals need to be at their best as salespeople.</p><p>Just as professional athletes strive for a competitive edge, business professionals also should pursue measures to enhance their success. ERM can provide the same type of competitive edge that athletes get from personal trainers, data analytics, and other measures. But ERM benefits are realized when organizations appreciate, understand, and embrace the ERM value proposition. For an organization to unlock the potential of ERM as a strategic asset, a key element is a concise value proposition that leaders and managers can easily buy into.</p><p> <strong>Step 1: Start at the top.</strong> ERM programs are most successful when executive leadership supports them. The ERM value proposition must be understood at the highest management levels. But beyond that, leadership must be compelled to embrace ERM. Only then will leaders develop a vision for pursuing implementation with the requisite energy. Leaders will only embrace ERM when there is a clear value proposition. </p><p> <strong>Step 2: Don’t oversell.</strong> Internal audit must be careful not to sabotage ERM momentum by overpromising what the ERM value proposition can deliver. ERM will not solve all strategic risk management challenges. This message must be communicated with stakeholders by setting realistic expectations about what the organization can achieve. ERM implementation will inevitably encounter failures along with successes.</p><p> <strong>Step 3: Make the case for ERM by appealing to its intuitive nature.</strong> Internal audit should start by making a simple and intuitive case to legitimize ERM. Various entities have given ERM credibility by embracing its virtues. These include regulators (e.g., board requirements for risk oversight), credit rating agencies (e.g., ERM used as rating criteria by S&P and Moody’s), and major universities (e.g., ERM academic programs at North Carolina State University and St. John’s University). Additionally, ERM’s qualitative value is intuitive, as outlined in the waterfall diagram below.</p><p> <strong>Step 4: Draw a distinction between traditional risk management and ERM.</strong> All business professionals manage risk. Managers oversee various business functions and manage the risk inherent in these functions. Human resources (HR) managers manage HR risk, finance managers manage finance risk, and so on. The problem with this risk management model is that it does not promote an enterprise view of risk. Risk managers in these siloed functions make risk management decisions that can have negative impacts in other functional areas.</p><p>ERM is not designed to replace the traditional risk management model, but rather to enhance it by bringing greater visibility to risk management activities and impacts across functional silos. This is done by implementing risk management processes to methodically and purposefully identify, respond to, and monitor risks at the enterprise level. <br></p><p> <strong> Step 5: Make ERM a tool for aspirational risk management excellence.</strong> Compliance benefits may be an acceptable outcome for some organizations, but the real value of ERM is realized when its focus is more strategic. There are three imperatives of a strategic ERM value proposition:</p><p></p><ol><li><strong>Make informed decisions.</strong> ERM should support organizational decision-making for strategic planning, tactical execution, budgeting, and risk oversight.</li><li><strong>Protect stakeholder value.</strong> ERM should protect key stakeholders from value erosion.</li><li><strong>Optimize risk outcomes.</strong> ERM should seek the best possible risk outcomes by improving the likelihood of achieving strategic and business objectives, reducing the impact of organizational threats and weaknesses, exploiting organizational strengths and opportunities, and lessening the duration and persistence of negative risk outcomes.</li></ol><p>Aspirational and strategically designed ERM programs help organizations compete more aggressively in the marketplace. With the three imperatives in place, an organization is positioned to compete with an edge. </p><p>When designed to be a strategic governance asset, ERM facilitates advanced risk-taking capabilities and empowers a thoughtful, safe, and aggressive risk-taking approach. This can result in enhanced competitive agility and ultimately lead to enhanced organizational value.</p><p><img src="/2018/PublishingImages/Governance_p.65_ERM-qualitative-value.jpg" alt="" style="margin:5px;" /><br></p>Rick Wright1
GDPR and Internal Audithttps://iaonline.theiia.org/2018/Pages/GDPR-and-Internal-Audit.aspxGDPR and Internal Audit<p></p> <p>Now that the May 25 deadline has passed to comply with the European Union’s (EU’s) General Data Protection Regulation (GDPR), compliance executives may be breathing a sigh of relief. Yet the real compliance work is only beginning. </p><p>GDPR consolidates the EU’s personal data privacy protection laws and redirects the way organizations approach data privacy. It greatly expands the privacy rights of E.U. citizens and residents, and it applies to any organization that does business with those individuals, regardless of its location. Organizations that don’t comply with GDPR face penalties of up to €20 million or 4 percent of annual worldwide turnover, whichever is greater. </p><p>Compliance will require continued focus and effort. Internal audit can help the organization mitigate GDPR compliance risks by identifying ways to improve controls, raising risk awareness, and assuring compliance.</p><h2>Improving Controls​</h2><p>Internal audit can help the organization shift from the preparation phase to the implementation phase of GDPR. The regulation specifically requires organizations to focus on these control-oriented topics:</p><ul><li><em>Accuracy and quality</em> requires organizations to ensure data is accurate and up-to-date and that individuals can correct their records. <br></li><li><em>Security and privacy</em> by design requires organizations to document decisions taken to inform EU residents about how their data will be used and restricted. They also must implement technical, administrative, and physical security/privacy controls to mitigate potential harm. <br></li><li><em>Security safeguards</em> ensure that technical and organizational measures are implemented for privacy and security. <br></li></ul><p><br>Internal audit should work with management to identify relevant controls over data entry, assess the accuracy of information and recommend improvements, and strengthen controls that prevent and detect data errors.</p><h2>Raising Risk Awareness </h2><p>The direct risks associated with GDPR relate to potential fines and reputational impact. However, by digging into the regulation’s purpose, internal auditors can see other data protection risks.</p><p><strong>Monitoring, Measuring, and Reporting</strong> Organizations must have a data protection officer (DPO) to lead privacy and compliance efforts. Among the DPO’s tasks are reporting on compliance monitoring, training staff, and ensuring privacy compliance audits take place. The organization must perform data privacy impact assessments when new technologies and systems are used, provide timely data breach notifications, and report on the use of third-party processors.</p><p><strong>Prevent Harm</strong> GDPR imposes sanctions and penalties on organizations that process data unlawfully or fail to deploy safeguards. In addition, individuals may request that the organization remove their personal data from automated processing and profiling.</p><p><strong>Breach Management</strong> Organizations must put processes in place to notify persons no later than 72 hours after they discover a data breach, if it is determined that the breach will result in a high risk of privacy harm to those individuals.<br></p><p><strong>Openness, Transparency, and Notice</strong> Organizations must keep data for specific and legitimate purposes and notify persons about how the organization will use their data. Organizations also must inform individuals of safeguards applied when personal data is transferred to a third country.<br></p><p><strong>Individual Participation</strong> EU residents may request access to data, obtain a copy of the data held, and withdraw consent to use personal data as long as withdrawal does not result in legal violations. Individuals may object to the use of their data for direct marketing and profiling, and they may contact the DPO for any issue related to processing their personal data.<br></p><p>Internal audit can educate management about potential risks and ways to manage risks in each area. Auditors can communicate relevant information about these risks via informal emails, a departmental newsletter, or meeting with management. <br></p><h2>Assuring Compliance</h2><p>As new policies and procedures become more mature, internal audit will need to perform regular compliance audits to determine the extent to which the organization is complying with GDPR. Auditors should focus on how the organization manages data to help strengthen privacy and security controls and ensure they are designed appropriately and operating effectively. Auditors will need to assure compliance with key aspects of the regulation and provide early warnings about problems.</p><p><strong>Choice and Consent</strong> Under GDPR, organizations must allow users to choose how their personal data is used. Also, organizations must document and maintain consents and request parental authorization before collecting a child’s data. </p><p><strong>Legitimate Purpose</strong> To ensure data collection is lawful and necessary, organizations can collect only personal data that is needed to achieve the intended purpose. Reviewing and handling requests for further processing, restricting requests for data related to criminal convictions, and documenting situations where the right to object does not apply are all important. Internal auditors can help reduce risk by sampling data collection mechanisms for compliance.<br></p><p><strong>Limitations</strong> Organizations may keep data no longer than the period required to support the purposes for which it was collected, and they must erase an individual’s personal data upon his or her request. GDPR permits organizations to retain data meant for archiving purposes in the public interest or for reasons of scientific or historical research. <br></p><p><strong>Free Flow of Information and Legitimate Restriction</strong> This principle includes protections for data transfers using legally binding agreements between public authorities, binding corporate rules, model clauses, and other mechanisms. <br></p><p><strong>Third-party Vendor Management</strong> This principle ensures that organizations gather third-party/vendor guarantees of GDPR compliance along with proof that third parties have the required technical and organizational safeguards. The DPOs of the data controller — organizations or individuals that determine the purposes and means of processing data — must provide written authorizations to use a given processor.<br></p><p><strong>Accountability</strong> GDPR’s accountability principle provides a legal basis for processing personal data, establishes the DPO role, and informs citizens and residents of existing privacy rights and safeguards. In addition to overseeing the data protection strategy, the DPO must maintain contact with the supervisory authority and demonstrate compliance.<br></p><p>Internal auditors will need to periodically assess processes and controls for each of these principles to ensure they are designed and operating effectively. Auditors can review a sample of data transfer documentation to look for data that should not be transferred to another organization. They can run reports to look for data that is being kept longer than necessary and review available documentation for any exceptions.<br></p><h2>A GDPR Audit Plan</h2><p>To help the organization maintain compliance, internal audit should include independent GDPR assessments and compliance testing in the audit plan. It can raise executive and board awareness of GDPR noncompliance by highlighting poorly designed or missing controls. Finally, it can identify opportunities to audit common processes across departments. ​</p>Jan Hertzberg1
Internal Audit and Emerging Risks: From Hilltops to Desktopshttps://iaonline.theiia.org/blogs/chambers/2018/Pages/Internal-Audit-and-Emerging-Risks-From-Hilltops-to-Desktops.aspxInternal Audit and Emerging Risks: From Hilltops to Desktops<p>​<img src="/2018/PublishingImages/meteorologists-cliff-storm-lightning-weather-map.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />As a profession, internal auditors have cultivated a long and respected legacy as purveyors of hindsight. Almost all of us are adept at looking at last year's data and telling management where past mistakes were made. While hindsight is a necessary part of internal auditing, 20/20 hindsight is one of our least valuable skills. Often, our clients are already aware of past mistakes.​</p><p>With the advent of operational auditing and, ultimately, the introduction of consulting/advice into our portfolio of services, we also became purveyors of insight. Insight is generally seen as more valuable than hindsight to our beleaguered stakeholders, but it too suffers from limitations in an era when risks emerge at warp speed. Today's insight may well be tomorrow's hindsight. </p><p>There will always be a need for hindsight and insight, but foresight is the ultimate source of value. Stakeholders seek to navigate the future more than revisit the past or dwell in the present. It is time for internal auditors to focus our telescopes ahead. We need to concentrate on the risks of tomorrow if we are to not only protect but enhance value for our organizations.</p><p>Yet, stakeholders are generally unimpressed with our acumen at detecting emerging risks. In a 2016 KPMG survey of chief financial officers and audit committee chairs, only 10 percent agreed that their internal audit function adequately identified and responded to emerging risks that threatened their companies.</p><p>Over the past year, I have turned often to weather analogies when addressing challenges and opportunities for the internal audit profession. In many ways, identifying future risks is like predicting the weather. When our parents and grandparents were young, there was no such thing as weather radar. If they were curious or concerned about potential changes in weather, they simply peered out their windows or stood on a hill and scanned the horizon for potential storms. Of course, their weather predictions were often wrong. Climbing to the hilltop may have expanded their view, but weather patterns are far too complex to know if the clouds you see contain damaging winds, or if they are even coming your way. </p><p>That's why modern meteorologists have turned to more advanced methods. They monitor approaching storms with Doppler radar. They use digital satellite images to record cloud patterns around the world, and they plug the data into supercomputers, applying advanced statistical equations and algorithms to create more accurate forecast models. Of course, we all know that even meteorologists sometimes get it wrong, but their degree of reliability has increased dramatically with the advent of new tools and technology.</p><p>From hilltops to desktops, we all need to get smarter about risks, and there's a lot we can learn from meteorologists. They don't just observe the weather and make guesses about what the future might hold. They use every resource at their disposal to identify potential trouble spots and patterns before the storm materializes or inflicts significant damage. </p><p>Internal auditors and meteorologists have much in common. But our scope is much broader than predicting the weather. It encompasses virtually every type of risk, from the impact of changing market conditions or pandemics to financial and compliance issues. And that means our focus must extend far beyond the immediate future.</p><p>It would be great if there were technologies like Doppler radar to identify emerging risks. Someday, such tools might exist, but until then, we need to create our own virtual radar for detecting and monitoring emerging/approaching risks. That requires us to become more analytical in our approach.</p><p>As KPMG Partner <a href="https://home.kpmg.com/au/en/home/insights/2016/09/internal-audit-emerging-risks.html">Michael Hill has noted</a>, "Emerging risks can arise from many sources — economic or demographic shifts, changes in the competitor landscape, technology advances, or customer preferences." So, there is a lot for us to watch for when it comes to emerging risks. The horizon is so vast that the job will simply be too great for a chief audit executive alone. It will take the proverbial internal audit "village" to monitor emerging risks for a typical company. Just as the department's resources are assembled when annual internal audit plans are formulated, so too should the various experts be deployed to identify and monitor emerging risks. For example, the staff with the greatest IT expertise should monitor the horizon for emerging technology risks. </p><p>Fred Stuckel, vice president of enterprise risk management and audit at Express Scripts, shared the process his company uses to identify emerging risks in a <a href="https://erm.ncsu.edu/library/article/identifying-and-evaluating-emerging-risks">recent video posted by North Carolina State Poole College of Management's Enterprise Risk Management Initiative</a>. Stuckel noted that within Express Scripts, he and his team "spend a lot of time on the internet and on social media." They "peruse through international newspapers that are converted from foreign language to English, to get different perspectives of what the impact of any kind of change might be to the United States or to the global market."</p><p>There is no silver bullet for identifying emerging risks. Like all risk assessment, there is a degree of art in addition to science. However, if internal audit isn't looking in the right direction, there is a greater likelihood of missing emerging risks. But just as storms in the Northern Hemisphere often emerge from the West, there are directions from which potential risks facing your company are likely to emerge. These include:</p><ul><li>Economic forecasts (macroeconomic as well as those facing your industry).<br></li><li>Known strategic business risks facing your company.<br></li><li>New corporate initiatives being planned.<br></li><li>Legislative and regulatory outlook facing your industry.<br></li><li>Geopolitical developments and political risks in regions where your company operates.<br></li><li>Disruptive threats or opportunities facing your industry.<br></li><li>Performance of your primary competitors.<br></li><li>Risks emerging as headlines via traditional or social media.</li></ul><p></p><p>Identifying emerging risks should be a collaborative process with management. After all, management is likely to have already identified many emerging risks​ that threaten the organization. We should position ourselves as a partner, not a competitor trying to on​e-up management, when it comes to emerging risk acumen. After fully vetting our inventory of emerging risks, we should be prepared to share our perspectives with the audit committee. Our conversation must include our own plans for monitoring and responding to these risks as the organization's internal auditors.</p>We have entered an era in which crises have become commonplace, and after each new crisis, the same questions arise: "Why didn't we see it coming?" "Where were the internal auditors?" The world's best internal audit functions are well-prepared to answer these questions, and they do so in part by focusing on the future, by maintaining agility, and by proactively identifying and addressing emerging risks.<p></p><p>Hindsight is one of our least essential skills. It's time to turn our telescopes in the other direction.</p>Richard Chambers0
Crisis Overconfidencehttps://iaonline.theiia.org/2018/Pages/Crisis-Overconfidence.aspxCrisis Overconfidence<p>​Companies are overconfident about their ability to cope in a crisis, and executive leadership on the issue may also be sorely lacking in some organizations, according to a new report. Research by professional services firm Deloitte has found that nearly 60 percent of crisis management and other executives surveyed believe organizations face more crises today than they did 10 years ago.</p><p>They are not wrong. In the past two years, 80 percent of organizations worldwide have had to mobilize their crisis management teams at least once, with cyber and safety incidents topping the list of crises requiring management intervention. And the impact of a crisis on organizations is immediate: nearly three-fifths experienced a leap in customer complaints, usually on social media.</p><p>More than four in five respondents say their organizations have a crisis management plan in place. However, Deloitte's study, Stronger, Fitter, Better: Crisis Management for the Resilient Enterprise,<em> </em>has<em> </em>uncovered dramatic gaps between a company's confidence that it can respond to crises and its level of preparedness. It found that while nearly 90 percent of respondents are confident in their organization's ability to deal with a corporate scandal, only 17 percent have tested that assumption through a simulation exercise. Similarly, 70 percent of organizations are confident in their ability to manage a product recall, though only 22 percent have carried out a simulation exercise.</p><p>The survey, which included participation from more than 500 crisis management, business continuity, and risk senior executives across 20 countries, also found that organizations feel more confident in confronting some types of risks rather than others — particularly IT risks because they feature so prominently on risk agendas. For example, nine out of 10 respondents have fairly or very high levels of confidence in their organization's ability to tackle system failures, with similar numbers confident in their organization's ability to respond to regulatory and policy changes (89 percent), corporate scandals (88 percent), and cyberattacks (87 percent). </p><p>Deloitte's research found that experiencing a crisis teaches organizations to avoid them. For example, nearly 90 percent of organizations surveyed have conducted (largely internal) reviews following a crisis, and while these crises were not always foreseen, companies recognized that they might have been averted. As a result, organizations are now more likely to take action to forestall future crises.</p><p>Indeed, a crisis management response plan is critical. Deloitte found that nearly half of respondent organizations that did not have a plan in place saw their finances negatively impacted when a crisis struck. For those organizations with a plan, it was less than a third. </p><p>"Crisis management shouldn't start with a crisis — at this point it may already be too late," says Peter Dent, Deloitte Global crisis management leader. "With the rapid pace of change facing companies worldwide, and with crises on the rise, it is critical for organizations to be ready to respond with skilled leadership and plans that have been tested and rehearsed." </p><p>Crisis plans work best when the board and senior management are involved in shaping them and sponsoring them. And to secure their participation, the study's authors say that it is important to keep the plan relevant to them so that it addresses the issues that "keep management awake at night," such as the impact on reputation and the bottom line.  </p><p>Organizations should also ensure that they set up a crisis management plan specifically for the board, because when a crisis hits executives may need to play a very different — and more interventionist — role from normal. For example, if the crisis is causing significant damage to reputation, affecting share price, or resulting in regulatory sanctions or litigation, it may be up to the board to plan the company's continuity and survival. And in terms of succession planning, it may be appropriate to recruit board members with prior crisis management experience, Deloitte says.</p><p>Leadership commitment to crisis management is critical. But nearly a quarter of respondents cite the effectiveness of leadership and decision-making as one of the greatest crisis management challenges their organizations face. In fact, leadership commitment — or lack of it — was deemed to be the primary challenge for respondents, followed by effectiveness of teamwork, familiarity with the crisis structure/response process, and clarity of roles and responsibilities.</p><p>Part of the problem, Deloitte says, is that leaders are unprepared for crisis management. Therefore, organizations should establish a leadership structure for a crisis to help define roles and responsibilities, and training should be provided, particularly around communicating with stakeholders. Organizations should also identify the leadership styles of particular executives and managers, and work out who would be best placed to deal with certain aspects of the crisis response: in a high-pressure environment, leaders will tend to rely heavily on their most natural leadership style — which may not be suitable. </p><p>Deloitte's research found that crises often emanate from the actions of third parties such as suppliers and alliance partners, but at the same time, these third parties often play an important role in helping to manage and mitigate the problem. Recognizing this, 59 percent of respondents say that they participate in crisis exercises with third parties, examine third parties' crisis plans, or both. In Europe, the proportion is 80 percent.</p><p>As a result, the researchers say that companies should determine which outside organizations need to be in the fold when managing a crisis. These could include advisors such as lawyers, public relations firms, or specialist cyber defense organizations, as well as crisis advisors. In addition, they say, critical service providers, joint venture partners, resellers, distributors, and any other entity that could trigger a crisis (or be affected by it) should be involved in crisis preparations too. </p><p>The report adds that — depending on the scenario — these outside parties should also be included in simulations and exercises where appropriate, and should also share their contingency plans and provide regular updates on response readiness. Companies should stress the benefits of such collaboration, and even consider stipulating in contracts and agreements that such information should be shared.</p><p>"Crises aren't inevitable," Dent says. "Many of them are avoidable, which is why smart business leaders invest in crisis management capabilities. These strengths can help their organizations avoid costly, and sometimes irreparable, damage to finances, employee morale, brand, and reputation."</p>Neil Hodge0
Risks Speak Louder Than Issueshttps://iaonline.theiia.org/2018/Pages/Risks-Speak-Louder-Than-Issues.aspxRisks Speak Louder Than Issues<p>​Mutual understanding between internal audit and its clients can be difficult to achieve. When audit clients hear jargon such as "issues" and "gaps," or read it in an audit report, they often stop listening. They're left with the impression that internal audit doesn't understand the risks their area faces and that its reporting is irrelevant. At the same time, auditors may experience frustration over clients' failure to understand audit issues. Why can't issue communication be easier and more effective? In many cases, it's because auditors don't "speak the same language" as their clients and fail to communicate adequately about risk. </p><p>The IIA Position Paper, The Three Lines of Defense in Effective Risk Management and Control, states that risk management and control duties must be coordinated carefully organizationwide "to assure that risk and control processes operate as intended." In reality, that coordination does not always happen. For the first-line business units conducting day-to-day operations, if there are no risks within the immediate processes they manage, there are no issues. At the same time, many internal auditors perform their work in isolation, targeting check boxes without comprehensive understanding of risks, even though second-line risk management and compliance functions are looking at risk appetite and the risk landscape enterprisewide. Effective risk communication can be challenging when internal auditors are out of sync with other assurance providers and adhere to an outdated, myopic approach. </p><p>In today's rapidly changing environment, the traditional method of identifying issues simply based on test results for design and operational effectiveness constitutes an insufficient means of risk analysis, reporting, and acceptance. Although test results provide a solid basis for showing how the client failed, they don't provide much insight into why clients should care other than a low score. And if our deliverables lose relevance to the audience, we lose buy-in. </p><p>Within the audit report, risk-based information tends to be underdeveloped and fails to provide adequate support for issues. Risk statements often appear merely as a single line in each issue table, and risk analysis may no​t be presented holistically anywhere in the report. Moreover, risk assessment usually occurs during the planning and scoping phase of an audit. Even if the assessment has been performed well and reveals areas of weakness, key risk indicators would be gradually lost during an audit and toward the conclusion of the engagement, leading to unclear answers about true risk. Risk conversations should instead take place throughout the entire audit.</p><p>Before presenting issues to clients, internal auditors should ask, "Did I perform sufficient risk analysis to cover significant areas?" rather than "Have I identified enough findings?" Overall, the goal of issue communication should not be putting down names on the sign-off sheet, but rather mutual agreement on risks and a willingness to address them. </p>Jingwen (Grace) Wu1

  • Gleim_Nov 2018_Premium 1
  • Temple_ITACS_Nov 2018_Premium 2