Risk and Compliance

 

 

GRC Conference 2019: Technology Trends and Disruptive Innovationhttps://iaonline.theiia.org/2019/Pages/GRC-Conference-2019-Technology-Trends-and-Disruptive-Innovation.aspxGRC Conference 2019: Technology Trends and Disruptive Innovation<p>​Business futurist Patrick Schwerdtfeger closed the Governance, Risk, and Control Conference with his keynote address, "Embracing Disruptive Innovation." Schwerdtfeger, whose technology expertise includes artificial intelligence, fintech, and blockchain, dissected the topic of business disruption and explained how attendees could spot potential threats and opportunities in their organizations.</p><p>Schwerdtfeger began with an illustration of the rapid growth of data, pointing to research from Amazon showing that, in 2000, the cost of storing one terabyte of data was $17,000 — by 2020, Amazon says, that price will have dropped to $3. In tandem, data processing and data bandwidth also have accelerated by leaps and bounds. And with Big Data, all of this information is being put to use by businesses, municipalities, and other entities — and it is continuing to scale rapidly. Schwerdtfeger terms this "exponential development" and says it is key to understanding future business trends.</p><p>"Human beings are hard wired to think in linear terms," he says. "But what could you do if your business system, such as ERP, were 10 times as powerful as it is now? We need to learn to think this way."</p><p>As an example, Schwerdtfeger pointed to the exponential development of the Human Genome Project, which began in 1990. By 1997, it was just 1% complete — but that actually represented the project's halfway point because it scaled at 100% per year. At that rate, it took just 6.5 years to get from 1% to 100%. The human genome project finished by 2003, and costs were lower than expected.</p><p>With this rapid propagation of technologies, Schwerdtfeger says, changes to organizations are going to be dramatic. As evidence, he cited a recent study from Washington University that says 40% of today's S&P 500 companies will no longer exist by 2026. </p><p>"Hearing this," he says, "people instinctively get into a defensive posture — they ask themselves, 'Who's going to eat our lunch?' But the question should be, 'Who else's lunch can we eat?'" In other words, those companies will be replaced, creating opportunity in the marketplace. Schwerdtfeger told audience members that they are well-positioned to spearhead these conversations and to find a way to stay on offense.</p><p>"There's more and more leverage in the system all the time," he says. "Technology is a form of leverage. You're either on one side of the leverage equation or on the other side of the leverage equation."</p><p>As technology evolves along an exponential curve, Schwerdtfeger says that, over time, repetitive manual jobs will be replaced by robotics. Moreover, repetitive cognitive jobs are likely to be replaced by algorithms. How do we plan for this? Schwerdtfeger says it boils down to two things: creativity and relationships.</p><p>"We need to focus on our ability to be creative and to work with other human beings," he says.</p><p>In his closing remarks, Schwerdtfeger encouraged attendees to think not only about what's happening in the world, but what they can do in response to it. His main message: think bigger. "When you think bigger, you inspire others around you," he says. "If you truly think big, you're going to outdo the competition."<br></p>David Salierno0
GRC Conference 2019: Owning the Momenthttps://iaonline.theiia.org/2019/Pages/GRC-Conference-2019-Owning-the-Moment.aspxGRC Conference 2019: Owning the Moment<p>​Keynote speaker Simon T. Bailey kicked off the ISACA/IIA Governance, Risk, and Control (GRC) Conference in Ft. Lauderdale, Fla., today with his session, "Shift Your Brilliance — Leading Amidst Change and Uncertainty." Bailey, a business strategist and entrepreneur, advised leaders on how to accept change and embrace uncertainty as their businesses face unprecedented technological, cultural, and other tectonic shifts.  </p><p>"We have an opportunity to own the moment," Bailey told the sold-out GRC audience. "The question we have to ask ourselves is how am I showing up in this moment to be my best self — to lead my organization, to lead my team, especially in the midst of uncertainty?"</p><p>That process, Bailey emphasizes, begins internally. To lead effectively, he says, every leader needs to introspect and seek to improve him or herself. Toward that end, he advises applying what he calls the "15-7-30-90" method. The process begins with taking <em>15</em> minutes a day to focus on what you want to accomplish — this is practiced <em>7</em> days per week, checking in every <em>30</em> days to review progress, and then taking a deeper dive every 90 days to assess progress from a broader perspective.</p><p>To further self-improvement efforts, Bailey encouraged audience members to surround themselves with a "personal board of directors." The board would comprise individuals "with different competencies, different skill sets, and a different understanding that challenges you to rise to the occasion," he says. It should be a group of people who inspire you, motivate you, and challenge you — whose advice you seek on important personal and professional matters.</p><p>Turning toward how leaders influence and inspire others, Bailey emphasized the importance of establishing good relationships. "One of the goals every leader needs to be thinking about is how do we move from command and control to collaboration and connection," he says. Relationship-building, he explains, is key to a leader's ability to motivate and inspire. And creating those relationships depends largely on one's ability to empathize, he says, adding that empathy is the No. 1 skill taught in Silicon Valley. "People don't care what you know until they know how much you care," he says.</p><p>To effectively lead through change, Bailey says leaders must embrace what he calls the "vuja de moment." This is the opposite of déjà vu, and it reflects the ability to look at what you have been doing with a fresh set of eyes as if you've never a seen it before. "It's asking yourself a different set of questions that will challenge you on the way you've done things, as well as on what <em>can</em> be done and what needs to be undone," he says.</p><p>After sharing numerous tips and strategies for leading through change and uncertainty, Bailey concluded with a quote from philosopher Eric Hoffer: "In times of change, the learners will inherit the earth, while the learned find themselves beautifully equipped to live in a world that no longer exists."<br></p>David Salierno0
The Control Culture Connectionhttps://iaonline.theiia.org/2019/Pages/The-Control-Culture-Connection.aspxThe Control Culture Connection<p>​All audit committees want strong internal controls over financial reporting, and a strong ethical culture where employees who suspect impropriety feel unafraid to speak about what they see. What is sometimes less understood are the connections between those two things — how corporate culture and internal controls should complement each other, to further the goal of strong, reliable financial reporting. Design them well, and the organization has a powerful buttress against executive misconduct. Don’t, and the opposite is just as true.</p><p>A fascinating example of this point comes from <a href="http://bankrate.com/" rel="nofollow">Bankrate.com</a>, which paid $28.5 million to the U.S. Justice Department earlier this year to settle long-running financial fraud charges. Back in 2011, Bankrate’s then-Chief Financial Officer Ed DiMaria concocted a cushion-accounting scheme to manipulate quarterly earnings. He and others fabricated expenses on a bogus spreadsheet, while hiding the true numbers from Bankrate’s audit firm. When the U.S. Securities and Exchange Commission (SEC) began inquiring about the company’s finances, DiMaria directed others to reply with material not responsive to the SEC’s document requests. </p><p>Of course this all unraveled eventually. Bankrate announced a restatement in 2014. DiMaria was dismissed, indicted, and sentenced to 10 years in prison. The company hired new outside counsel, and its audit committee cooperated fully with the SEC. </p><p>Think about what happened here. First, the company used technology and business processes that gave DiMaria the ability to fabricate financial data while concealing true information. Second, nobody raised alarms about DiMaria’s misconduct — not when he lied to the audit firm, not when he misled the audit committee, and not when he had others mislead the SEC. </p><p>The issue, really, is about transparency and freedom. Internal audit needs to be able to roam freely through the enterprise to assess risks, and it needs to be able to see real data, rather than whatever report management provides. Or, as Debi Roth, chair of the Audit Advisory Committee for Orange County Public Schools in Florida, puts it: “Can the audit department get it, and pull it themselves?” </p><p>That might seem like a straightforward part of governance. In the real world, however, Bankrate is by no means alone. For example, when Polycom Corp. agreed last year to pay $16 million to settle U.S. Foreign Corrupt Practices Act charges, the misconduct was fundamentally similar. Executives in China recorded false information on bogus spreadsheets to hide bribery violations from Polycom’s global managers, while masterminding a payoff scheme to Chinese government officials. </p><p>Technology and business processes that allow executives to create a false narrative; plus a corporate culture that allows them to spread the false narrative — if those are the ingredients for an audit committee’s nightmare, what’s the antidote? It comes in two parts: strong control activities over financial reporting, and strong corporate culture that encourages everyone to sound the alarms about misconduct. </p><h2>Ingredient 1: Control Activities</h2><p>The first ingredient is unimpeded access to the company’s transactional data. Access should include not just whatever reports someone might provide to internal audit or the audit committee, but also the actual data about payments, due diligence checks, beneficial ownership, contracts, or whatever else the audit team might want to see. </p><p>That’s partly a question of technology. Accounting systems should rely on a single data source to make frauds like bogus spreadsheets and false transaction entries harder to accomplish. In an ideal world, auditors should be able to drill down from balance sheet, to line-item accounts, to transactions within those accounts, to supporting documentation for those transactions. </p><p>As an audit committee chair, Roth wants to hear the chief audit executive (CAE) explain how the process for gathering data works, and whether there are any concerns about potential interference. For example, does the audit team depend on the IT department to generate reports? That’s a risk, no matter how well-intentioned the IT department might be. “I’m looking for the internal audit function to have a good process in place that addresses internal controls, and that they’re able to go out and do their job and do it well,” she says.</p><p>Once upon a time, when companies used data warehouses, the audit team could have access to them, too, and pull whatever information it needed. Today’s systems are more complicated, as many firms rely on cloud-based applications that might store data in different locations, or employees might use cloud-based applications but not tell IT about it. </p><p>Audit and accounting teams need to think about the design of financial reporting systems and transparency into the data, so that suspicious transactions stick out like a sore thumb. <br></p><h2>Ingredient 2: The Control Environment</h2><p>Even when suspicious transactions are more visible, someone still needs to point them out. After all, at organizations of any appreciable size, many fraudulent activities won’t be spotted by the audit team — especially if more than one person is involved in the misconduct, as happened at Bankrate, Polycom, and many others. The organization needs to foster an environment where employees feel comfortable raising concerns about misconduct. “That’s always top of mind as an audit committee member,” says Raoul Ménès, who serves on the audit committee of the Salt River Pima-Maricopa Indian Community in suburban Phoenix. </p><p>“The bad perception to have is, ‘Don’t worry, internal audit will get it,’” Ménès says. “Well, internal audit cannot see everything. They’ll show up for two weeks to do an audit, and then they’re gone.” </p><p>Ménès encourages audit committee members to spend more time at their organizations, getting to know employees casually. Show up early for a committee meeting, for example, and chat with the employees. (That’s in addition to any executive sessions at the committee meeting, or any conversations the committee chair has with the CAE between meetings.)</p><p>“Meet the audit team, or talk to the controller. Just see how things are going,” Ménès says. “When you’re able to connect with folks, to work with them and talk with them, they’ll open up.” </p><p>Fair enough, but how else can the audit function identify warning signs about corporate culture? “Auditing culture” is a lofty idea, but a bit vague. Instead, audit teams need to design tests for traits or behaviors that suggest the culture is wrong. Ménès, for example, once worked with a firm where employees received a three-question quiz about the code of conduct shortly after they had certified that they’d read it. The goal wasn’t to see how well they memorized the answers; it was to see whether the enterprise had high failure rates as a whole — which would suggest that employees weren’t taking the code seriously, a big culture risk. </p><p>Roth, meanwhile, wants to hear about managers who try to interfere with auditors’ ability to talk to other employees. “If someone is telling the auditor, ‘You can’t work with anyone else, you have to go through me’ — that’s an automatic red flag,” she says.  </p><h2>Shutting Down Abuse</h2><p>The truth is, an organization can’t achieve strong financial reporting without both elements present: systems that provide clear visibility into transactions and a corporate culture that encourages internal audit — or other parts of the enterprise — to put that visibility to good use. </p><p>That’s the buttress organizations need to thwart executives who might abuse their power to override controls or lie to the board. It can be tough to build in the modern enterprise, with complex IT systems and a globalized workforce. Build it right, however, and that buttress can be pretty powerful. <br></p>Matt Kelly1
The Winds of Trade Warshttps://iaonline.theiia.org/2019/Pages/The-Winds-of-Trade-Wars.aspxThe Winds of Trade Wars<h2>​How can a global company determine how to comply with volatile trade regulation shifts? </h2><p>In a changing global landscape, organizations need to be aligned, agile, and prepared. Specific to tariffs, the compliance office, supply chain, and public affairs/regulatory teams need to work together to develop a comprehensive response plan. In an escalating trade war, all functions need to understand their roles within the plan and be agile enough to ensure timely implementation. Items to prioritize are reviewing third-party contracts, updating costing models, investigating alternative supply options and coordinating with logistics, and ensuring controlled processes are in place to comply with changing duty rates and classifications. </p><p>As a risk leader within the organization, internal audit first should vocalize and elevate the potential impact of geopolitical risks, including trade wars and tariffs, to the audit committee, senior leadership, and others within the business. Second, internal audit should work with the appropriate teams to ensure response plans are in place if trade wars escalate or continue for an extended period. Third, internal audit should review the customs compliance process, paying particular attention to classification procedures and documentation to minimize the risk of transshipment [through intermediate sites] and payment noncompliance.</p><h2>What are some of the risks to a company with a global supply chain? </h2><p>The most immediate implications of tariffs are higher costs, limited alternative sourcing options, more complex logistics, and greater compliance risks. Businesses may look to adjust their manufacturing and sourcing strategies, but these cannot be changed overnight. The reality is that most companies have spent years planning and building their global supply chains.  </p><p>Although New Balance has been focused on preparedness and agility within our supply chain — including running internal scenarios for a trade war escalation — sourcing shifts are still capital-, resource-, and time-intensive challenges. All departments, from development through transportation, need to be in alignment and coordinating fully to achieve the overall strategic objectives. </p>Staff0
In Line With Riskhttps://iaonline.theiia.org/2019/Pages/In-Line-With-Risk.aspxIn Line With Risk<p>​Risk management has evolved and grown since its inception in the mid-20th century, as evidenced by the introduction of methodologies such as The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) <em>Enterprise Risk Management –Integrating With Strategy and Performance</em>, the International Organization for Standardization’s ISO 31000, and the Basel Accords. Yet, only 23% of respondents describe their risk management program as mature in the American Institute of Certified Professional Accountants’ 2019 The State of Risk Oversight, conducted jointly with North Carolina State’s ERM Initiative. Additionally, the perceived level of maturity has declined over the past two years, and most organizations struggle to integrate their enterprise risk management (ERM) program with the strategy and objective-setting process. </p><p>Understanding and managing risk has tremendous benefits, as it helps organizations better prepare for the future. So why aren’t ERM programs more mature and better accepted? Most likely it is because organizations do not know how to develop a program or because they do not embrace risk management.</p><p>The current way of thinking about this practice can be challenged to discover new ways of evolving it to more effectively manage strategic risk. My former organization developed and successfully implemented an ERM function, and I am currently using the same strategic program to build a function at Covetrus, an animal-health technology and services company. Building a systematic and strategic program at my former company was educational and rewarding, as it allowed my team and me to familiarize ourselves with many aspects of the organization. </p><h2>Where to Begin<br></h2><p>Before establishing the program, my team and I identified key points of concern that needed to be addressed during implementation: </p><ul><li>Risks were too generic to create measurable plans.</li><li>Issues and controls were not systematically mapped to risks. </li><li>It was difficult to quantify and qualify the impact to the organization.</li><li>Progress tracking of risk remediation plans was not well-documented.</li></ul><p> <br>The program implementation was then divided into three phases spanning several years.</p><h2>Phase 1: Pilot<br></h2><p>During this phase, the team developed a detailed risk library and hierarchy that aligned with the organization’s life cycle, mapped issues and controls to risks providing a real-time picture of the organization’s risk profile, developed measurable remediation plans for the top risks, and implemented centralized reporting.</p><p>Participation in the risk program initially was limited to the internal audit, vendor due diligence, and compliance teams. Some of the key steps taken to complete this phase included: </p><ul><li>Selecting an ERM standard. We decided on COSO’s updated ERM framework. </li><li>Defining purpose, scope, roles, and responsibilities. </li><li>Formalizing a risk-rating methodology. </li><li>Developing a master risk library.</li><li>Documenting a process for identifying risks, assessing severity, implementing responses, tracking, and reporting. </li><li>Conducting initial risk assessments with critical areas.</li></ul><p> <br> </p> <img src="/2019/PublishingImages/Hamzo-Enterprise-Risk-Areas.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:640px;height:570px;" /> <p>The development of the risk library was vital, as it defined the program foundation and provided common terminology for all of the program participants. Over time, the team updated the library based on management feedback to customize it to the type of risks inherent to the organization. The team organized risks into a three-tiered hierarchy. At the top were the key enterprise risk areas, which follow the organization’s life cycle (see “Enterprise Risk Areas," right).</p><p>Underneath each enterprise risk area, there are intermediate risks that represent the subfunctions of that risk area. Within each intermediate risk, there are individual risks that are potential events that can impact that business area. The individual risks are linked to processes, objectives, key risk indicators, financial losses, mitigating controls, incidents, and findings (see “Risks, Controls, Issues, and Remediation Mapping” below). </p><p>Mapping the more than 900 internal controls and issues to each individual risk took the most time, but it was the most important step. Mapping processes provided further insight into the ratings, which often are subjective. More specifically, the occurrence of an issue increased the likelihood, while the presence of compliant internal controls decreased the likelihood, of one or more risks occurring. </p><p>After the completion of this phase, we realized that we tried to accomplish too much in too short a time. For example, we defined the end-to-end risk process while simultaneously automating it via our risk management system. Looking back, we should have operationalized the process before introducing a tool. <br></p><h2>Phase 2: Implement the Program </h2><p>During phase 2, my team and I developed a formal risk management policy, fine-tuned the process, expanded risk assessments across all divisions, and established a governance committee. The team also incorporated other key risk management functions under the umbrella of the ERM program to include business continuity, information security, legal, and patient safety teams. </p><p>The individual teams had their own governance committees, which were consolidated into a single governance, risk, and compliance team comprising executive leadership. This team met several times a year to discuss top risks and the status of remediation plans, and to escalate critical issues, as necessary. </p><p>Issue tracking from these key functions was consolidated into one consistent process and tool. This effort took one year, and we followed the same process for each team: </p><ul><li>Conduct current state analysis of processes, people, and tools. </li><li>Normalize rating methodologies.  </li><li>Migrate all open issues and implement a process for identifying and tracking issues and remediation plans in the ERM system. </li></ul><p> <br>To ensure accurate risk tagging for these issues, we configured the tool to route any new issues to the risk management team for approval. We used the review as a learning opportunity for both our team and the business where once a month we reviewed issues, related root causes, remediation plans, and impacted risks. </p><h2>Phase 3: Integrate ERM With the Strategy </h2><p><img src="/2019/PublishingImages/Hamzo-Risk-Controls-Issues-Remediation-Mapping.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:640px;height:634px;" />Early in our process, we learned that a successful integration is dependent on the organization having a strategic approach for identifying, managing, and reporting on the strategy and objectives. Integration with the ERM program becomes just one of the steps in that process. </p><p>The integration process started with the definition of our risk appetite statements for each of the company objectives. For example: </p><ul><li>Objective: Develop new products and attract new customers. </li><li>Risk Appetite: An organization will not make decisions that compromise its reputation by using defective new products that introduce security vulnerabilities and cause customer data breach. </li></ul><p> <br>Next, the leadership team identified projects or initiatives that supported the organization’s objectives and strategy and included information such as opportunities, dependencies, resources, budget, and timeline. Coordination with the general and administration functions to discuss resource and budget needs, as well as any regulatory and compliance implications as a result of these projects, was necessary, as these dependencies could become risks to the objectives. This included human resources, legal, audit, and finance planning and forecasting teams.</p><p>The ERM team, partnering with leaders, identified additional risks at the project level. These risks were rated using the rating methodology and rolled up to the enterprise level. The prioritization and responses to the risks were aligned to the risk appetite statements. These statements also will guide the organization’s response to emerging risks that surface throughout the year. </p><h2>Organizational Alignment</h2><p>Throughout this program, the team learned to work more productively with the organization in order to be met with less resistance. From the start, we learned that discussions about risk without the right approach can be perceived as an attack and critical of the business. </p><p>As a result of this project, the team embraced a teaching and learning approach where we spend more time educating the organization about risk principles, which helped us better understand business and risks from the organization’s perspective. Collectively, the organization became more aligned with its risk profile. </p><p>Internal auditors can make a difference if organizations overcome their giving-up point. By giving risk management a try and not waiting for a big event to happen that forces internal auditors to adopt risk management haphazardly, they are doing right by their organizations. Progress cannot be made through fear. <br></p>Dorina Hamzo1
Don't Manage Risk — Manage Valuehttps://iaonline.theiia.org/2019/Pages/Dont-Manage-Risk-Manage-Value.aspxDon't Manage Risk — Manage Value<p>​Risk management’s traditional focus on adversity is changing. The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2017 <em>Enterprise Risk Management (ERM)–Integrating With Strategy and Performance</em> framework now refers to risk holistically as “the possibility that events will occur and affect the achievement of strategy and business objectives.” With “adversely” removed from the definition, a risk is no longer something that must be prevented from happening. In addition, the framework no longer speaks of <em>risk management</em> as a separate process, but defines it in terms of “culture, capabilities, and practices.” </p><p>The updated COSO ERM framework and the International Organization for Standardization’s ISO 31000: Risk Management standard present great opportunities to replace the term <em>risk management</em> with <em>value management</em>. According to both standards, managing risk is all about creating and protecting value. However, they retain the term risk management. </p><p>Business activities always involve uncertainty. To increase success, leadership teams have to take advantage of opportunities and limit threats. Ultimately, they want to increase the certainty they will achieve their objectives and will not get what they do not want. For that reason, organizations need a pragmatic approach to keep key stakeholders satisfied by realizing value for them.</p><p>The value management approach offers intriguing opportunities for internal auditors because it focuses on the quality of decision-making within the organization. Internal audit can help the organization by assessing to what extent decision-makers possess the right competence and integrity to reconcile dilemmas caused by the conflicting interests of stakeholders. </p><h2>Becoming Future-proof</h2><p>Being future-proof requires an organization to continually create and protect value for its core stakeholders. However, terms such as <em>value</em>, <em>result</em>, <em>success</em>, and <em>improvement</em> only gain substance through the meaning that stakeholders attach to them. Stakeholders look at an organization from their own perspective. Based on their interests, they find certain things valuable such as innovation, punctuality, privacy, safety, compliance, integrity, efficiency, and continuity.</p><p>Future viability is about anticipating what might happen. The leadership team wants to know where the organization is expected to end up and to what extent this differs from what the organization’s core stakeholders expect. Is the organization on the right track? Or is there a real chance that it will not achieve its objectives? In that case, is the organization taking appropriate measures? Conversely, the organization may be exceeding expectations, because it is able to deal well with uncertainty. </p><h2>Bringing Experts Together</h2><p>Strategic, tactical, and operational decisions imply making choices and balancing potential pros and cons. Working standards and methods are intended to guide the decision-makers in the right direction. Determining these rules is the domain of specialized departments such as business continuity, compliance, control, information security, privacy, quality, and safety. Typically, all these functions conduct risk assessments, build control frameworks, and produce management reports, which easily can lead to functional silos and value destruction in practice.</p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>​Value Management and Internal Audit</strong></p><p>Embracing the value management approach is different from advocating conventional risk management practices. Here are examples of what will change for internal auditors:</p><ul><li>Instead of focusing on the organization’s biggest vulnerabilities, internal audit holistically focuses on assessing the quality of management. Decisions made when planning, executing, monitoring, and improving business activities always have potential positive and negative effects on the interests of key stakeholders.</li><li>Instead of believing the organization should have a separate risk management process, function, or system, internal audit focuses on the organization’s capabilities to become future-proof. Propagating lots of separate risk terms, such as risk manager, risk culture, risk appetite, and risk report, may not lead to the realization of business objectives.</li><li>Instead of seeking to assess whether what COSO’s 2017 ERM framework calls the second line of accountability fulfills its responsibilities for overseeing performance and conformance, internal audit assesses the competence and integrity of decision-makers at all levels of the organization.</li><li>Instead of unilaterally focusing on money, internal audit recognizes that <em>value</em> implies more than cash, profit, stock price, and dividend. Key stakeholders have different interests and attach value to divergent matters.</li><li>Instead of embracing in-control statements oriented to the past, internal audit realizes that the key question is to what extent decision-makers at all levels of the organization are capable of creating and preserving value for key stakeholders in the future. </li><li>Instead of assuming that the future is makeable and perfectible through risk analyses, risk and control matrices, and control testing, internal audit acknowledges that the world is volatile, unpredictable, complex, and ambiguous, requiring a considerable degree of agility and flexibility.</li><li>Instead of assuming that risk management should be a separate item on the agenda for team meetings, internal audit emphasizes that each of the items is about effectively dealing with opportunities and threats.<br></li></ul></td></tr></tbody></table><p>Conventional risk management is a flawed concept (see “Value Management and Internal Audit,” right). Instead of having a separate program, function, or committee for managing risks, organizations should focus on connecting the functional experts. Generating and preserving value is dependent on these specialists collaborating to assist decision-makers at all levels with seizing opportunities and limiting threats. As an independent advisor, internal audit can help reduce organizational complexity and silo-thinking. <br></p><p>To connect the experts effectively, leadership teams should seek answers to five key questions. These basic business questions are the building blocks for the practical analyses that leaders can carry out for a separate business process, project, department, branch, division, value chain, or the entire organization. </p><p>Answering each of these questions requires making choices and balancing opportunities and threats. For example, implementing extensive control frameworks (part of the “how” question) may send the message to those involved that they have flawed judgment or lack integrity. Internal audit should independently assess to what extent leaders answer the questions satisfactorily.</p><p><strong>Who Can Decide?</strong> Value management hinges on the effectiveness of governance: Who is authorized to make which choices? This applies to allocating resources both to daily operations and continuous transformation. The individual responsible for achieving formulated objectives also should be able to decide how best to deal with relevant opportunities and threats. This can be done by optimizing the associated business processes and controls. </p><p>A prominent and practical issue concerns the mandate of the experts in the organization’s staff departments. To what extent are they allowed to prescribe working standards to their colleagues or are they only expected to provide advice? How does the leadership team ensure that the staff specialists keep the line managers in focus? On the other hand, how can leaders prevent the experts from exaggeration caused by enthusiasm? An example is information security specialists who produce unworkable policies and procedures. </p><p><strong>What Do We Do?</strong> Each leadership team benefits from having an integrated overview of the clustered activities of everyone involved within their entity. This structured summary of current tasks shows the organization’s common playing field. The overview of managerial, primary, and supporting processes provides insight into all relevant transaction flows and volumes. It also forms the basis for the IT application landscape for processing the transactions. Hence, it is the foundation for information management, business intelligence, and forecasting. Do those in charge have the right information for making balanced decisions? The advantages of better insight into who does what are evident in initiatives such as integration projects.</p><p><strong>Why Do We Do What We Do?</strong> The organization’s success is determined by the extent to which its core stakeholders are satisfied. They are primarily interested in how the leadership team’s performance affects their interests. That is why the stakeholder analysis is essential. If all goes well, the team’s ambitions fit in with the value that the organization wants to create and protect for specific stakeholders. This value is expressed in the organization’s mission, vision, and strategy, and is translated into concrete success factors, objectives, and indicators. Using clear tolerances for the key indicators and preparing regular forecasts provide ample input for timely adjustment. If the estimated outcomes are not within the bandwidths, the two options are to adjust the controls or to inform key stakeholders that they must accept revised tolerances. <br></p><p><strong>How Do We Do What We Do?</strong> To apply judgment, decision-makers need a framework and rules such as working standards and methods. The practical details of these rules are laid down in the charters, policies, guidelines, procedures, protocols, and work instructions. Clear working arrangements streamline decision-making, facilitate work hand-off among colleagues, and provide a clear reference for audits. The “how” question is about autonomy. For example, to what extent are subsidiaries allowed to make their own rules? <br></p><p>The decisive factor in the “how” is the organization’s culture. Is it characterized by managers setting the examples? Are decision-makers willing to face the possible consequences of their choices? Is it acceptable to challenge the assumptions in overly ambitious plans?</p><p><strong>What Can We Improve?</strong> A continuous improvement program helps the leadership team focus on what really matters. When asked about the “best improvements,” people typically mention situations where the risk exposure is bigger or the chance taking is smaller than desired. The necessary improvements are usually about better designing, implementing, applying, and monitoring the organization’s working methods and standards. These renovations explicitly deal with the competencies of those involved — not only their professional knowledge and skills, but especially their personal leadership qualities. <br></p><p>A continuous improvement program can enable the team to identify, prioritize, and realize improvement initiatives. The better the information management is and the more that employees feel free to report issues, the sooner trends can be identified.</p><h2>Value for Stakeholders</h2><p>Conventional risk management can easily turn into a separate, illusory, and compliance-driven system. Alternatively, value management is an integrated approach that can give leadership teams a single platform for all common types of management. It can help decision-makers identify, prioritize, and realize relevant improvements that are needed to satisfy their core stakeholders. <br></p>Marinus de Pooter1
Board Problemshttps://iaonline.theiia.org/2019/Pages/Board-Problems.aspxBoard Problems<p>Audit committees have a problem: They have too many problems. More precisely, they have too many types of problem — too many <em>types</em> of corporate misconduct to consider these days, because the definition of <em>misconduct</em> has expanded dramatically in the last 15 years. </p><p>That raises questions about the expertise audit committees need, and whether corporate boards have enough of it. Quite simply, if society wants corporations to exercise a sharper sense of ethics and moral responsibility, do we need more ethics and compliance officers serving on boards? </p><p>“It’s undeniably true,” says David Greenberg, former chief compliance officer (CCO) at tobacco manufacturer Altria and an audit committee member of International Seaways, a New York Stock Exchange-traded oil and gas tanker business. The definitions of <em>corporate misconduct</em> are expanding, he says, and the consequences of it are deepening. “Put those two things together, and it’s a recipe for needing more of that experience.” </p><p>A recent regulatory enforcement example demonstrates the point. Cognizant Technologies, an IT outsourcing firm, had been accused of violating the U.S. Foreign Corrupt Practices Act when two of its senior executives orchestrated a US$2 million bribe to government officials in India. The involvement of two senior executives would typically leave Cognizant unable to avoid criminal prosecution, according to U.S. Department of Justice (DOJ) policy. Yet when regulators settled the case in February, the DOJ did decline to bring any criminal charges. Prosecutors later said why: “The company voluntarily self-disclosed the conduct within two weeks of when the company’s board learned of it.” </p><p>Confessing egregious corporate misconduct is unquestionably the right thing to do. Still, confession is a big request — especially when doing so invites potentially serious legal and financial consequences, such as monetary penalties or a corporate criminal charge. So Cognizant’s decision to disclose its trouble immediately, without any certainty of favorable treatment, is all the more impressive. </p><p>Where did that ethical commitment come from? It’s worth noting that Cognizant’s audit committee chair at the time was Maureen Breakiron-Evans, who worked as general auditor of Cigna in the 2000s. Also on the committee was Leo Mackay, head of ethics and internal audit at Lockheed Martin. Both still serve on Cognizant’s board.</p><h2>Beyond Financial Expertise</h2><p>Under the U.S. Sarbanes-Oxley Act of 2002, the audit committee of a publicly traded firm needs at least one designated “financial expert” to help the audit committee police against financial fraud. When the act was passed, that might have been enough of a kick in the corporate rear to take internal control more seriously. Today, a strong control environment has become much more important, to address all sorts of issues. Regulators don’t just want swift corrective action; they want strong <em>preventive</em> action. Customers, business partners, or even self-appointed social justice warriors prowling Twitter — all want to see ethical culture taken seriously, translated into tangible policies, controls, and actions. </p><p>“A true auditor on the board, or a true employee relations or corporate compliance person, is important because what’s falling to the audit committee to investigate — it’s gone way beyond what audit committee charters originally said,” says Owen Bailitz, a former risk management and audit quality partner with RSM, who now serves on the audit committee of the American Board of Medical Specialties. “You’re basically expanding the definition of risk.” </p><p>Audit executives could perceive all of this as a virtuous circle. Yes, data analytics captures data about business process outputs, to identify anomalous events or excessive risks. Those insights let directors draw conclusions about how the enterprise is working. We still need the other half of the circle: using those insights to change policy, procedure, and culture, so business processes can stay within ethical parameters more easily. That’s the improvement society wants to see. </p><p>“Across stakeholders, there’s been more engagement with boards on this discussion. Ethics and culture are topics that are relevant to the full board and every committee of the board,” says Tracy Atkinson, audit committee chair of defense and aerospace systems provider Raytheon Co. “Having someone who lives and breathes this on the board adds to the dialogue in a new way.” Atkinson would know; she is executive vice president and CCO at financial services company State Street Corp. </p><p>We see that increased engagement in various ways. For example, the Edelman Trust Barometer, which surveys more than 33,000 people worldwide about their trust in institutions, recently found that 76% say their employers should “take the lead on change” for issues such as sexual harassment, the environment, and discrimination. And 71% said it’s critical for their CEO to respond to challenging issues.</p><p>Then there are regulatory pressures. For example, a board might find itself saddled with a corporate integrity agreement where the audit or risk committee has to certify compliance with the terms. Having a compliance or internal control expert on the board would make that an easier exercise.</p><p>Those are examples at the macro level. At the micro level, chief audit executives (CAEs) have this: <em>The Politics of Internal Auditing</em>, a 2016 IIA study, found that 55% of audit executives had been asked to suppress unwanted findings during their career. That tells us two things. First, that internal audit executives are well-acquainted with the threats of bad ethical culture; and second, that CAEs would be well-suited to serve on boards someday — because they (like CCOs) have seen poor ethical behavior up close, and it’s their job to uncover and eradicate bad behavior anyway, whatever the consequences. </p><p>That skill, of identifying the ethically correct step, taking it, and defending it, will only become more important. As Greenberg says, questions about disclosing misconduct, and whether voluntary disclosure is worth it, can be quite difficult. “You need people with some experience to overcome that.” </p><h2>Meanwhile, the Reality</h2><p>As desirable as ethics, audit, and compliance perspective on the board might be, practical limitations abound. Boards are still desperate to recruit women and minorities; some jurisdictions now require specific quotas for female directors. Boards also are desperate for cybersecurity expertise. And yes, foremost, boards want to recruit current or former CEOs, chief financial officers, and chief operations officers — people who understand the intersection of strategy, operations, and finance. </p><p>That leaves few open seats for other governance expertise. So boards might not rush to the idea of recruiting CAEs or CCOs, unless they’re particularly committed to foresight. As Bailitz put it: “You need to have a change of mindset among the chairpersons of these boards, to say, ‘We lack this expertise, and it’s something we need.’” <br></p><p>The push for cybersecurity expertise is a good parallel. Most executives, audit committees members included, understand cybersecurity at a reasonable level — what it is, why it’s important, and what it should achieve. But they don’t understand  how to assess it, improve it, or weave it through all of an organization’s operations. Only a cybersecurity expert does.</p><p>Ethical culture is a lot like that, Atkinson says. Boards might believe they can master ethics and culture because it seems like a nontechnical issue, but introducing an audit or compliance executive can sharpen the board’s perspective in new ways. “It’s a mindset,” she says. “Having compliance and ethics as your subject matter domain, and bringing that to the board, further serves to emphasize” where ethics and the control environment might need attention.</p><p>So will boards put more audit and compliance professionals on the audit committee or even some other board committee? Will recruiters start calling CAEs and CCOs? That’s hard to say, but it’s not just self-interest for CAEs to want that to happen. This is what the future of boardroom problems looks like, and the future has a habit of arriving eventually.  <br></p>Matt Kelly1
Auditing Culture: Where to Beginhttps://iaonline.theiia.org/2019/Pages/Auditing-Culture-Where-to-Begin.aspxAuditing Culture: Where to Begin<p>​<span style="font-size:12px;">Auditing organizational culture is a challenging, multifaceted process. It can touch virtually all parts of the business, including the very top, and span a wide range of risks and topics.</span></p><p>Due to its complexity, many internal auditors interested in auditing culture may be unsure of how to approach it. This installment of my Auditing Culture series helps point practitioners in the right direction, offering some tips that may seem obvious but should not be overlooked. <br></p><h2>Consult With Your Stakeholders </h2><p>Auditors should start by identifying who their stakeholders are and determining what those individuals or groups expect from a culture audit. Examples of stakeholders include the audit committee, regulators, and executives — considerations for each of these groups can differ substantially. <br></p><p><strong>Audit Committee or Similar Oversight Group</strong> Has the audit committee asked for a culture audit? If so, this will help overcome possible resistance at lower levels. Does the committee have any specific expectations regarding which aspects of culture internal audit should examine or how the audit should be conducted? Do the committee members have any concerns about the existing culture? Have any members been involved in culture auditing elsewhere — if so, would they want to share their experiences or insights? Engaging this group in meaningful discussion will be important. <br></p><p>If the audit committee has not asked about auditing culture, internal auditors should initiate the discussion. Practitioners can suggest possible benefits to the organization (e.g., see "<a href="/2019/Pages/The-Right-Path.aspx">The Right Path</a>"), as well as some ways to approach a culture audit, drawing from research on what others have done.<br></p><p><strong>Regulators</strong> If the organization's regulators request or require audits of organizational culture, internal audit should hold the same kind of discussions with regulatory personnel as they do with the audit committee. In particular, what aspects of culture are they most interested in? What are their requirements or expectations for internal audit as it relates to culture? <br></p><p><strong>Executives</strong><strong> </strong>Support from the head of the organization is, of course, essential. Other executives may or may not like the idea, but they might be surprisingly supportive. For example, my first chief audit executive (CAE) reported to a chief financial officer who thought so little of internal audit that he moved the reporting relationship from himself down to the corporate controller. Nevertheless, he once said to the CAE, "I read your audit reports. They're fine. But what I really want from you is this. Your auditors are in our banks observing management's behavior. I want to know what they're seeing and thinking. I know they won't have the same kind of evidence they do for an audit finding, but I want to know what they think of management." <br></p><p>A 2011 IIA research study, Insight: Delivering Value to Stakeholders, provides a more generalized example. It found that 64% of executives surveyed expect that "the CAE provides comments to the audit committee of the board of directors or certain executives regarding the performance of senior leaders in the business, based upon internal audit activities performed within the organization." Only 30% said they experience this from their CAE, representing a 33% expectation gap.<br></p><h2>Know Your Organization </h2><p>A growing array of tools, techniques, and approaches exist for evaluating culture. To succeed, internal auditors must find an approach that will work within the organization's unique cultural environment. <br></p><p>One way to help determine the best approach is to consider where the existing culture fits on a series of scales, like the ones shown below (see "Where Does Your Organization Fall on These Scales?"). This estimation could be performed by the CAE, the audit management team, the entire staff (during a staff meeting), or selected members of management. <br></p><p>Contrasting examples of two hypothetical organizations help illustrate how scales like these can be used:</p><ul><li>The first organization emphasizes innovation more than control, and openness to mistakes rather than zero tolerance. It will likely accept audit techniques that are quite different from anything the auditors have done before. </li><li><p>The second organization leans more toward control and zero tolerance. The auditors in this organization should use techniques that are closer to what they've done in the past so they won't seem too unusual to clients. Auditors might have to start with baby steps and build gradually over time.<br></p></li></ul><p>To select the most meaningful scales for their organization, internal auditors can look to existing sources of cultural insight such as employee surveys and exit interview results. They can also talk with human resources, as well as risk management and others in the second line of defense. The insights that come from these and similar sources will also be valuable in other ways, such as scoping audit projects and supporting cultural audit issues.  <br></p><p>Where different parts of the organization fall along these scales can often vary, and those variations might suggest different approaches for certain areas. They also might suggest problematic cultural inconsistencies that should be examined, as well as identify "low hanging fruit" or possible champions in management for initial efforts. <br></p><h2>Select the Initial Approach</h2><p>With strong support from key stakeholders and a culture that is open to it, a robust approach may be possible right away. For example, a pharmaceutical company performs 5- to 6-week "values assurance" reviews in which internal audit works in a multidisciplinary team that includes psychologists, operational staff, and individuals with Lean Six Sigma experience. Or consider a financial services firm where the audit department uses a cultural model with eight cultural drivers broken into 35 topics. For each of these topics, the department has developed a comprehensive audit program to use during audit projects.<br></p><p>In my experience, and from what I have read, organizations with robust approaches like these usually:</p><ul><li>Experienced a serious scandal whose root cause was in the culture.</li><li><p>Operate within the financial service sector, in which Wall Street's "culture of greed" was a root cause of the 2008 global financial crisis.<br></p></li></ul><p>Most organizations, of course, do not belong to one of these groups. <br></p><p>Unless the audit committee and executive team are willing to devote significant resources to safeguarding against a culture-caused scandal, it is best for internal auditors to start slow. They can then build toward more robust approaches if and when the results indicate that doing so will be worth the cost. <br></p><p><img src="/2019/PublishingImages/auditing-culture-where-to-begin_sidebar.jpg" alt="" style="margin:5px;width:700px;height:603px;" /><br></p>James Roth1
The Healthy Corporate Culturehttps://iaonline.theiia.org/2019/Pages/The-Healthy-Corporate-Culture.aspxThe Healthy Corporate Culture<h2>How does an organization develop and maintain a healthy corporate culture? <br></h2><p><strong>Simmons</strong> Implementing a clear mission and company values sets the tone and messaging from the top, and specifying the organization’s desired risk culture in a way that aligns with these values helps solidify the corporate culture. Establishing a collaborative, open communication approach creates a comfortable work environment and is the best way to maintain a culture where people feel valued, respected, and empowered to offer ideas and make good decisions. Having a leadership team that believes in this approach, lives the mission/values, and knows what employees value contributes to an atmosphere where ideas are celebrated and rewarded, which can lead to a more efficient and productive organization. </p><p><strong><img src="/2019/PublishingImages/EOB-Esi-Akinosho.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Akinosho</strong> First, we need to define a healthy culture. A healthy corporate culture is a) connected to the company’s purpose and strategy; b) positive, inspiring, and engaging for employees who live it, customers who experience it, and shareholders who realize returns from it; and c) strong, consistent around the world, and not overly dependent on the effectiveness of a local leader. Developing a healthy corporate culture takes time, focus, and direction from leadership, as well as level support from key functions to help champion that desired culture. A top-down and bottom-up approach is key in not only the development of a healthy culture, but also in sustaining and fostering changes in it. <br></p><h2>What are the top risks to a healthy corporate culture? </h2><p><strong>Akinosho</strong> Risk culture connects the overall organizational culture to specific behaviors set along a defined risk framework. It speaks to culture in terms of the three lines of defense and guides how leadership monitors and responds to cultural stress and the risks of an unhealthy culture. Risks relating to corporate culture include a degraded tone at the top, lack of accountability, and minimized transparency. Cultural stress often takes the form of compliance issues, control failures, audit issues, or poor employee performance, and the typical root cause is often a breakdown in trust. Trust can be the biggest risk or asset to a healthy corporate culture, and the erosion of trust can be hard to control and even harder to earn back. By aligning the corporate culture and pulling certain cultural levers, trust can become the driving force for creating a shared vision and turning that vision into value. </p><p><strong><img src="/2019/PublishingImages/EOB-Charmian-Simmons.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Simmons</strong> First and foremost is culture risk, itself. Well-known corporate scandals related to harassment, fake accounts, accounting errors, and misconduct often are symptoms of culture issues and heighten the profile of culture risk as a growing liability for organizations. Culture risk management should be treated as an integrated process of oversight and monitoring that addresses strategy, performance, and risk, and aligns company values, goals, behaviors, and systems with favorable impacts both internally and externally. Other top risks that can affect a healthy corporate culture include financial, operational, market, and reputation risks. The particulars of each risk, such as ranking, priority, and specific factors, will vary by company/industry/geography and by the awareness level of underlying problems, mitigations, and ongoing monitoring. Some symptoms and behaviors that influence these risks include financial underperformance, inconsistencies in business/personnel performance, communication that leads to misunderstanding, unhealthy comparisons and gossip, demoralized employees, customer backlash, and the feeling of destroyed value.<br></p><h2>What are the indicators of a weak or failing corporate culture? </h2><p><strong>Simmons</strong> Indicators can be broadly classified into top-down and bottom-up. Indicators from a top-down business perspective include inconsistent financial and operational success and being perceived by the public and personnel as not conducting business activities with honesty and integrity. From a bottom-up personnel perspective, indicators may include lack of motivation; overwhelming frustration, such as fear of retaliation in speaking out, not being listened to, or pressured to meet unrealistic internal deadlines; poor customer relations; pending investigations; lack of efficiency or ideas; and lack of innovation. These indicators may be noticed by management, personnel, and internal audit, though one must be open and conditioned to seeing the signs to be receptive to raising the matter and taking active and visible action.</p><p><strong>Akinosho</strong> A weak culture can be characterized by inconsistent programs that deviate from the common goal and vision. Functional groups, including internal audit, that have different strategic objectives or have pockets of opposing forces will create stress within an organization’s operating model and increase the risk of compliance issues, failure to adhere to policies, and internal control breakdowns. Lack of leadership or misaligned tone at the top can hold an organization back and put it at risk for cultural issues. Today, many of these issues are coming to light in very public settings, which is why boards and audit committees are turning to internal auditors, the third line of defense for culture risk management, for insight. </p><h2>What should a formal culture risk management program look like? <br></h2><p><strong>Akinosho</strong> A formal culture risk management program is embedded throughout all three lines of defense, with the first line implementing the mechanisms to drive culture, the second line taking responsibility for defining the risk culture framework and monitoring effectiveness, and the third line performing independent culture assessments to monitor culture throughout the execution of the audit plan. </p><p><strong>Simmons</strong> Recent incidents and news headlines linked to “problematic culture” lead me to say there is no one-size-fits-all program; however, a culture risk management framework should comprise certain key elements that cover all aspects of culture and can be improved and measured over time. First, governance — the mission, values, ethics, policy, board, leadership, strategy, behaviors, and a common understanding of what’s expected. Second, relationships — transparent, honest, and nonthreatening leadership, communications, collaborations, and accountability. Third, environment — the workplace provides for comfortable, productive, inspired, responsive, innovative, rewarded, trusted, engaged employees and supports organizational effectiveness. Fourth, motivation — a fair values system exists surrounding performance, incentive, reward, continuous learning, and clarity of purpose.</p><h2>How does a dynamic, agile workplace affect corporate culture?<br></h2><p><strong>Simmons</strong> One affects the other and impacts the success of both. Many organizations want to be more agile to respond to the demands of customers, the digital economy, and rapidly changing marketplaces; however, most don’t appear to have the culture to support this. Being dynamic and agile means being able to quickly and easily adapt to constant change. A workplace environment like this needs to balance the mindset of change with tools, systems, and processes that support an agile approach and allow the four key culture elements mentioned previously to thrive and positively influence behaviors around cooperation, fast decision-making, experimentation, innovation, empowerment, sustainability, and effective cross-functional teamwork.</p><p><strong>Akinosho</strong> As companies adopt more dynamic and agile approaches and workplaces, they must be aware that the shifting operating models and transient nature of the workforce will have an impact on culture and can even present new risks. When unsuccessfully implemented, an agile operating model can cause a lack of vision or uncertainty in objectives for employees. This cultural stress will work against the achievement of objectives and strategy. Alternatively, an agile workplace can strengthen and foster an existing healthy culture and better advance the people agenda in areas such as development, employee retention, and workforce management.  <br></p>Staff1
3 Lines in Revisionhttps://iaonline.theiia.org/2019/Pages/3-Lines-in-Revision.aspx3 Lines in Revision<p>​The IIA has released a consultation document reviewing the widely accepted Three Lines of Defense model for public comment. The document, available at <a href="http://www.theiia.org/3LOD" target="_blank">www.theiia.org/3LOD</a>, aims to ensure the guidance is more applicable to today's changing organizational environment. It seeks to clarify essential responsibilities in governance, risk management, and control. Comments are welcome by Sept. 19. </p><p>The IIA's Three Lines of Defense task force seeks to "breathe new life" into the model by focusing on organizational success and embracing governance processes. IIA Global Chairman Naohiro Mouri explains that The IIA recognizes that risk "goes beyond 'defense'" and can create opportunity. "We want to ensure organizations can allocate and structure their resources and responsibilities by using the Three Lines of Defense to their advantage," he says.</p><p>To that end, the review considers both a reactive and proactive approach to fulfilling an organization's purpose and value creation. Moreover, the task force is evaluating how the model can be scaled for organizations of different sizes.</p><p>Additionally, the task force is considering how internal audit functions should address the "blurring of the lines" when they are asked to take on responsibilities within areas of the organization. The objective is to stress flexibility among the lines. </p>Tim McCollum0

  • Birmingham City Univ_August 2019_Premium 1
  • IIA Training_August 2019_Premium 2
  • IIA CIA_August 2019_Premium 3