Risk and Compliance

Blue Bell Blues
https://iaonline.theiia.org/2019/Pages/Blue-Bell-Blues.aspx
<p>Investor lawsuits seeking to hold directors liable for failures in their oversight duties were bolstered in June by a case involving Blue Bell Creameries. <em>Marchand v. Barnhill</em> did not signal a change in law, but it did affirm a legal standard that boards that fail to make a good faith effort to oversee a material risk area breach their “duty of loyalty.”</p>
<p>Legalese aside, the Blue Bell case provides a compelling example for directors to examine. While legal standards set a high bar, <em>Marchand</em> demonstrates that, in certain circumstances, ignorance about poor risk management is not a defense against board liability.</p>
<p>The details around the lawsuit are well-established. A 2015 listeria outbreak linked to three deaths caused Blue Bell Creameries to shut down production, recall all products, and later reduce its workforce by more than one-third. An investor suit alleged senior management disregarded warnings about contamination risks and kept the board in the dark about the issue.</p>
<p>From 2009 through 2014, regulators identified numerous health safety compliance failures. Yet, even though several positive tests showed the presence of listeria, including one test from an independent lab, board minutes reflected “no board-level discussion of listeria.”</p>
<p>Despite what would appear to be a glaring lack of board oversight, the Delaware Court of Chancery dismissed the case in fall 2018, ruling the plaintiff failed to show that directors had breached their “Caremark duties.”</p>
<h2>What Are Caremark Duties?</h2>
<p>Caremark duties are the result of a 1996 Delaware Chancery Court decision in the derivative action case brought by shareholders of Caremark International Inc., alleging the board of directors breached its duty of care by failing to put in place adequate internal control systems. The Caremark Rule that came from the case, and set a precedent for future director liability claims, states, “a director’s obligations includes a duty to attempt in good faith to assure that a corporate compliance information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by noncompliance with applicable legal standards.”</p>
<p>Cutting through the legalese again, Caremark establishes an obligation for directors to at least try to make sure “a reasonable board-level system of monitoring and compliance” is in place. Failing to do so could make directors liable for losses relating to compliance failures.</p>
<p>In <em>Marchand</em>, the Delaware Supreme Court overturned the lower court’s dismissal, concluding “the complaint supports an inference that no system of board level compliance monitoring and reporting existed at Blue Bell.” The court noted the board failed to establish a committee to monitor food safety or devote time in meetings to discuss food safety compliance. Of significance is the court’s opinion that “... food safety was essential and mission critical.”</p>
<h2>Protecting Against Caremark Failures</h2>
<p>Reasonable and informed directors typically should not have to worry about Caremark failures. As the Delaware Supreme Court made clear, boards get into trouble when they ignore their oversight responsibilities.</p>
<p>There are valuable lessons in the court’s findings in <em>Marchand</em> that can help protect boards and head off behaviors that make them vulnerable to successful Caremark claims. It is important to note that the court’s findings that follow center on the Blue Bell board’s failure to understand its “mission-critical” risk: food safety.</p>
<p><strong>Blue Bell had no board committee that addressed food safety.</strong> Boards must understand what is mission critical for their organization, whether it’s food safety at Blue Bell or data protection at Facebook, and assure that they have systems in place to monitor compliance with mission-critical regulations.</p>
<p><strong>Blue Bell management was not required to keep the board informed about food safety compliance practices.</strong> Boards cannot assume management will bring all problems to their attention, and, therefore, must be proactive in seeking out information about compliance with mission-critical risks.</p>
<p><strong>Blue Bell had no regularly scheduled discussions about food safety.</strong> Mission-critical risks must be discussed and assessed on a routine basis by the board.</p>
<p><strong>Blue Bell’s board received favorable information about food safety but negative information was not shared.</strong> Boards cannot assume that management will willingly present the bad along with the good. They must establish processes to discover all relevant information from management and seek additional reliable sources of information, including turning to internal audit to provide independent assurance on the accuracy, completeness, and timeliness of the information the board receives, particularly around mission-critical risks.</p>
<p><strong>Blue Bell board minutes reflect meetings were “devoid of any suggestion that there was any regular discussion of food safety issues.”</strong> Traditional approaches to protecting the board include limiting details in minutes, which often only reflect official board actions. In Blue Bell’s case, this strategy backfired in that the official account of business reflected that no time was spent discussing mission-critical issues.</p>
<h2>What’s Next?</h2>
<p>The <em>Marchand</em> case and its relevant Caremark implications are but one of a growing number of pressure points on boards relating to oversight duties. As the list of governance failures and scandals grows, regulators, investors, and the general public are demanding more oversight and more accountability.</p>
<p>A February article in <em>Business Law Today</em> eloquently articulates the need for a fundamental change in how board directors approach their jobs:</p>
<p>“A substantive checks and balances approach addresses the roles, responsibilities, and relationships among the key elements and players in a firm’s governance, controls, and oversight system. Institutional investors, individual investors, and other market and regulatory interests increasingly demand that those involved in corporate governance recognize their responsibilities and are held accountable in addressing these responsibilities. An additional emerging expectation is that senior leaders in an organization, both board and management, recognize that a leader’s role is one of service rather than entitlement.”</p>
<p>The article goes on to say that governing structures that consolidate power and authority into fewer hands often fail if individuals in power feel entitled to do as they please. It adds that boards must be involved in formulating checks and balances and take active roles in executing them. “Carrying out these active roles will necessarily lead to regular interaction with the CEO and others in senior management as well as with a company’s internal and external auditors,” the authors write. “While tone at the top may sometimes remain only as words that do not actually affect behavior, the institution of checks and balances can exert considerable influence.”</p>
<p>These fundamental changes won’t happen overnight, especially in organizations with entrenched systems and practices. But clearly the era of boards providing obsequious approval to management is over. To continue to do so is not just counter to prevailing investor sentiment, it also makes boards increasingly susceptible, as demonstrated in <em>Marchand</em>.</p>
<p>Such a transition cannot happen without a system of effective checks and balances, as described in the <em>Business Law Today</em> article. Given this current environment of increased exposure, boards would do well to seek internal audit’s independent assurance and advice on critical issues.</p>
Jim Pelletier
A Lesson in Ethics
https://iaonline.theiia.org/2019/Pages/A-Lesson-in-Ethics.aspx
<p>Recent reports of the extremes some parents have pursued to get their children admitted into elite colleges have raised questions about what example these parents are setting for their children. In some cases the children were unaware of their parents’ extraordinary efforts, though others allegedly knew about it and therefore may have been complicit. Perhaps the scandal comes as no surprise to many in the audit profession — after all, we see cheating, rule bending, and outright falsehoods regularly. But rather than simply shrugging our shoulders and pretending it has nothing to do with us, internal auditors need to be part of the solution.</p>
<p>Research suggests that dishonesty among students is common. Donald McCabe, founding president of the International Center for Academic Integrity, analyzed surveys of nearly 71,000 college students conducted between 2002 and 2015. He reported that 39% admitted to cheating on tests, and 68% admitted to some form of cheating. Why do college students cheat? They want a good job and career.</p>
<p>Think about that last statement — college students cheat to get a job. Many of them obtain their first job as new hires in the audit department. If these students view cheating as acceptable, what can internal auditors do to help them understand their organization’s ethical expectations, as well as those of the internal audit profession?</p>
<p>Many years ago, a university colleague shared with me the story of a phone call he received from a local employer. The firm’s representative bluntly asked what the university was teaching its students, as his company had just caught an auditor signing off on an audit program for work not actually performed. My colleague privately observed later that he had always thought this individual, as a student at our university, had cheated in his classes, even though he never caught him in the act. From a professional viewpoint this anecdote points to a big risk — students who cheated in college may continue to cheat in their career.</p>
<p>Efforts to address such risk should begin as soon as students enter the workforce. Internal audit onboarding activities and employee mentoring, for example, should be aimed at helping new hires do the right thing. Encouragement should focus on guidance to help them comprehend what it means to be an internal audit professional — including adherence to ethical standards. Recent graduates should be reminded that behavior they may have viewed as acceptable in college is not acceptable in the workforce.</p>
<p>We also need to promote success stories of individuals who have not cheated — of those who exemplify high standards of ethical conduct. We should celebrate individuals who stopped a fraud from happening, or who helped prevent the company from erring in judgment. Sending the right message up front will help the next generation of audit practitioners make good choices and maintain the standards of integrity that have long defined our profession.</p>
Perry Moore
A Question of Audit Prerogatives
https://iaonline.theiia.org/2019/Pages/A-Question-of-Audit-Prerogatives.aspx
<p style="text-align:justify;">Call it the Battle of Bismarck — a political turf battle unfolding in the state capital of North Dakota, which actually turns on a question audit executives everywhere can appreciate.</p>
<p style="text-align:justify;">How does an audit function work when the chief audit executive and audit committee disagree over what the function should do?</p>
<p style="text-align:justify;">On one side of the issue is Josh Gallion, elected state auditor in 2016. On the other is the Legislative Audit and Fiscal Review Committee, the state's version of an audit committee. Earlier this year lawmakers quietly adopted a provision requiring Gallion to get approval from the audit committee before he conducts "performance audits" of government offices.</p>
<p style="text-align:justify;">Gallion politely but firmly told the Legislature in July that he doesn't believe the law is constitutional, since it impedes his autonomy as a duly elected executive officer of the state. The state attorney general agrees with him. The top budget analyst for the Legislature does not.</p>
<p style="text-align:justify;">"We will not be seeking approval of performance audits, but what I will tell you is communication is key," Gallion <a href="https://bismarcktribune.com/news/local/govt-and-politics/north-dakota-state-auditor-lawmakers-remain-at-odds-over-new/article_fad595f7-ad1e-541b-abdd-a8b49469f31f.html">told North Dakota lawmakers during a recent hearing</a>.</p>
<p style="text-align:justify;">That wasn't what state Rep. Gary Kreidt, chair of the legislative audit committee, wanted to hear. He was unhappy that Gallion has been announcing the results of performance audits to the public, without first letting audit committee members review the findings.</p>
<p style="text-align:justify;">"I don't like to read in the newspaper an audit that's been completed and not have been notified that this audit was done," Kreidt said in that same legislative hearing.</p>
<p style="text-align:justify;">The backstory here is interesting reading for political junkies and audit professionals alike. First, "performance audits" are defined as examinations of specific agencies or offices, to assess whether the agency achieves its stated goals <em>and</em> whether it does so in an economical manner.</p>
<table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p style="text-align:justify;"><strong>Putting Differences Aside</strong></p><p style="text-align:justify;">In the corporate world, best practices to avoid these situations abound. Among them:</p><ul style="list-style-type:disc;"><li>The chief audit executive should meet with the audit committee chair regularly <em>and</em> informally, between committee meetings, just to build rapport and trust.</li><li>The CAE, management, and the audit committee should collaborate while drawing up the risk assessment and preparing the audit plan. That at least prevents anyone from being caught by surprise, which is one criticism North Dakota lawmakers had about Gallion.</li><li>Allow management sufficient time to review the audit findings and prepare a rebuttal that is included in the report, again to prevent anyone from being caught by surprise.</li><li>Incorporate the IIA's model charter language as much as possible, spelling out roles and responsibilities clearly. "A flawed charter will certainly trigger challenges to the authority of any internal audit function," Hughes says.</li></ul></td></tr></tbody></table>
<p style="text-align:justify;">Gallion undertook such an audit last year, to examine Gov. Doug Burgum's use of state aircraft. That audit came after reports that Minnesota energy company <a href="https://www.minotdailynews.com/opinion/community-columnists/2019/05/nd-no-longer-has-an-independent-auditor-thanks-to-burgum-legislature/">Xcel Energy flew Burgum and his wife to Super Bowl LII</a> in 2018. Gallion also <a href="https://www.inforum.com/news/education/1005685-Audit-ND-college-VP-whos-a-Fargo-commissioner-didn%E2%80%99t-disclose-conflict-of-interest-with-wife%E2%80%99s-firm">released an audit earlier this year that raised questions about a powerful state senator</a>, who didn't disclose a conflict of interest while working at a North Dakota state college.</p>
<p style="text-align:justify;">In April, just before the end of North Dakota's legislative session, lawmakers tucked that provision about seeking the audit committee's permission for performance audits into the state's must-pass budget bill.</p>
<p style="text-align:justify;">Cynics say the provision <a href="https://www.minotdailynews.com/opinion/community-columnists/2019/05/nd-no-longer-has-an-independent-auditor-thanks-to-burgum-legislature/">was retribution for an auditor unapologetic about doing his job</a>. That may be so. For the rest of us, the tensions here set up an important lesson in best practices — how can organizations avoid this sort of a standoff?</p>
<p style="text-align:justify;"><strong>Lines of Authority</strong></p>
<p style="text-align:justify;">In the corporate world, an audit committee telling the audit executive <em>not</em> to examine certain issues without the committee's permission would be a big red flag. ("I'd certainly look for the exit," one IT audit executive told me.) But as daft as that idea might be, a corporation's audit committee theoretically could do it.</p>
<p style="text-align:justify;">Public sector audits are different, because they're more susceptible to criticism that an audit was driven by political motives. Audit committees overseeing public sector audit functions are likewise susceptible to accusations of undermining the independence or objectivity of the function for political purposes.</p>
<p style="text-align:justify;">"There's a huge risk of [those arguments] happening," says Kip Memmott, director of audits for the Oregon secretary of state. "Actually, it's not a risk — it happens quite frequently."</p>
<p style="text-align:justify;">Memmott sees the challenge as one of strained relationships and communications. Not everyone might see the value in a performance audit, or understand the risk that audit is trying to assess. The employees in question might also feel vulnerable as targets of the audit.</p>
<p style="text-align:justify;">That means the audit executive really needs to work on communication with those stakeholder groups if he or she wants to succeed. So one fair but pointed question: does the audit function have leadership in place to handle those human challenges? Or is it run by skilled technical auditors who have been promoted into a role that needs different skills?</p>
<p style="text-align:justify;">"Audit is about relationships and communications," Memmott says — and "as a field, we have not done as well as we could have."</p>
<p style="text-align:justify;"><a href="https://www.gao.gov/yellowbook/overview">Generally Accepted Government Auditing Standards</a>, maintained by the U.S. Government Accountability Office and commonly known as "The Yellow Book," spell out exacting standards for independence. If a public auditor doesn't meet them, the auditor should disclose that in the performance audit itself, along with whatever mitigating steps the auditor has taken. Even then, the auditor is still open to accusations of pursuing certain audits for political reasons.</p>
<p style="text-align:justify;">"Given that the public has long been 'sold' on the integrity and objectivity associated with unqualified or unmodified opinions, any qualifiers tend to trigger concerns regarding the objectivity of an audit," says Peter Hughes, assistant auditor-controller and chief audit executive for Los Angeles County. "Thus the reason that state and legislative auditors may challenge the benefit of such qualified audits."</p>
<p style="text-align:justify;">The wrinkle in North Dakota is that nobody can fire anybody else for flouting any of these practices; the auditor, the lawmakers, and the governor are all elected by voters. They must work together.</p>
<p style="text-align:justify;">Which brings us back to Memmott's point that communication to foster strong, working relationships is paramount. Yes, that can be painstaking, and in some instances political motivations will be entrenched. Audit leaders still need to try.</p>
<p style="text-align:justify;">"I don't know if chief auditors can control it, but certainly if they can't, they better be aware of it," Memmott says.</p>
<p style="text-align:justify;">We don't know how North Dakota's impasse over performance audits will end. A proposed <a href="https://www.grandforksherald.com/news/government-and-politics/3828217-North-Dakota-group-falls-short-on-all-three-referral-petitions-wont-challenge-auditor-restrictions-at-the-polls">voter referendum to repeal the restrictions failed to gather enough signatures</a>. Some lawmakers say they will try to repeal the restrictions in the 2021 legislative session. And despite Gallion and the legislative audit committee being at odds on that issue, both sides also say they will continue to work together on other issues.</p>
<p style="text-align:justify;">The rest of us can watch and wonder what we might do.</p>
Matt Kelly
Auditing Culture: Observation and Data
https://iaonline.theiia.org/2019/Pages/Auditing-Culture-Observation-and-Data.aspx
<p>There are many ways to audit an organization's culture. With strong support from the top and sufficient resources, some internal audit functions adopt a comprehensive, resource-intensive method. For others — I suspect most — it is best to start with a fairly simple approach and build from there. One such approach combines auditors' observations with data metrics. And because this strategy is not dramatically different from traditional audit techniques, clients shouldn't find it jarring or outside the norm. When implemented correctly, it can be a powerful means of gauging the cultural environment.</p>
<h2>Auditors' Observations</h2>
<p>In "<a href="/2018/Pages/Beneath-the-Surface.aspx">Beneath the Surface</a>" (<em>Internal Auditor</em>, June 2018) author Doug Anderson compared culture to a volcano that can look calm on the outside while churning internally with lava and gases that could make it erupt without warning. Hard evidence of a culture — such as policies, programs, and even employee surveys in many cases — focuses on the surface. To really understand the culture, employees have to get inside it.</p>
<table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>Signs of a Healthy Culture</strong></p><ul style="color:#222222;background-color:#6eabba;"><li>Strong tone at the top, in words and deeds.</li><li>Open communication, an atmosphere of mutual trust.</li><li>Accountability is enforced and accepted, without unrealistic expectations or unfair repercussions.</li><li>A "just culture," which distinguishes among:<ul><li>honest mistakes (no one is blamed).</li><li>risky behavior (addressed with coaching and education).</li><li>reckless behavior (intentionally excessively risky or unethical, which is punished).</li></ul></li><li>Effective challenge is encouraged and valued.</li><li>Incentives that encourage healthy risk taking.</li></ul></td></tr></tbody></table>
<p>I've heard some audit practitioners say that an experienced internal auditor can almost predict an audit rating on the second or third day of an engagement just by sheer presence in the work environment. Talking with people, reading body language, sensing employees' attitudes, observing the physical environment — all contribute to a typically accurate understanding of an area's culture.</p>
<p>Auditors must, of course, keep an open mind and remain objective. Accordingly, many put their perceptions to the side and focus only on the objective, hard evidence. I'm reminded of an audit director who once told me about an instance where he became extremely frustrated with his team. The auditors returned to the office talking about the negative atmosphere of the client's area, citing lack of employee motivation and a hostile manager, among other problems. But when the team submitted a draft of the audit report, it indicated the area was well-run. When he asked about the discrepancy, his team said, "The area is a total disaster, but the controls are fine." Wrong answer!</p>
<p>Internal auditors should not ignore their perceptions — they can lead to the most significant issue of an audit. Observation can be a key tool for gauging culture, as reflected in "Signs of a Healthy Culture" (right), "Red Flags of a Toxic Culture" (below) and "Examples of Toxic Leadership Styles" (below).</p>
<h2>Combined With Metrics</h2>
<p>For most internal auditors, reporting a cultural issue based only on observations results in a fight they can never win. The good news is that there is usually objective data to support those observations, such as those listed in "Metrics That Might Support Auditors' Observations" below.</p>
<table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>Red Flags of a Toxic Culture</strong></p><ul><li>Excessive focus on short-term results.</li><li>Unrealistic performance targets.</li><li>"My way or the highway" management, inhibiting input and healthy debate.</li><li>Lack of open communication (caused by fear, lack of trust, or information hoarding).</li><li>Competition to get ahead rather than cooperation.</li><li>Favoritism.</li><li>Lack of work-life balance.</li><li>Chronic grumbling by employees.</li><li>Cliquishness, gossip, rumors.</li><li>Chronic stress.</li><li>Lack of employee development.</li><li>Lack of accountability (in general or for top performers).</li><li>Lack of motivation in a work group (could be caused by any of the above).</li></ul></td></tr></tbody></table>
<p>Metrics like these can be a powerful tool when combined with observations. For example, if auditors spot red flags of a toxic workplace, employee survey results might corroborate those observations. Turnover and sick leave statistics might reflect the culture's negative impact on the business. Discussing these links with audit clients won't always succeed, but it is far more robust than the auditors' observations alone.</p>
<p>A growing number of audit functions are using metrics that support observations in a variety of other ways, including:</p>
<ul><li><strong>To plan and scope an audit project.</strong> An audit function might gather a standard set of metrics for risk assessment on every audit. When some of these metrics appear to be negative, the auditors can seek to determine why. For example, if turnover and sick leave are unusually high and the company has received an excessive number of customer complaints or hotline reports, or if projects regularly fail, the root cause may well be a cultural issue. If auditors suspect this is the case, they can conduct confidential interviews with employees and gather evidence to support and explain the link between the cause and effect.</li><li><strong>To populate a dashboard that executives and the audit committee review regularly for indications of entitywide issues or trends.</strong> This in fact seems to be a growing trend. In "The Board Needs Culture Dashboards" (FEI Daily, March 2018), Dennis Whalen, leader of KPMG's Board Leadership Center, said, "I'd be shocked if, by the end of 2018, most companies didn't have some kind of culture dashboard that somebody monitors and presents for the board on a regular basis so they can see outside the C-suite and the corporate office."</li></ul>
<p>If an internal audit function developed a set of metrics meaningful to the organization and got buy-in from executives and the audit committee, it could use them for both of these purposes, in addition to leveraging them for support of audit observations.</p>
<table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>Examples of Toxic Leadership Styles</strong></p><ul><li>Narcissistic (egotistic, power hungry, care more about themselves than the organization).</li><li>Autocratic ("my way or the highway," intolerant of ideas contrary to their own).</li><li>Manipulative (charming to superiors, "kiss up, kick down").</li><li>Secretive (hoards information to appear superior or use it to get ahead unfairly).</li><li>Deflecting (blames others for problems or talks around issues to avoid being found out).</li><li>Hypocritical ("Do what I say, not what I do").</li><li>Disorganized, lacking focus (followers don't feel a real sense of direction).</li></ul></td></tr></tbody></table>
<p>A particularly interesting use of metrics occurred in 2002 when the Office of the City Auditor in Austin, Texas, performed a citywide ethics audit. The audit team gathered indicators of a positive or negative ethical climate in each of the city's departments from a citywide employee survey and a series of management interviews. Using statistical software, the auditors correlated these indicators with metrics like turnover and sick leave usage, complaints and successful claims by citizens, injuries to employees, and employee intentions to continue working for the city. They found that departments with strong ethical climates had significantly less turnover and sick leave, fewer complaints and claims, etc. The city responded by centralizing and strengthening oversight of ethics, drawing on the best practices of high-performing departments documented in the audit report.</p>
<h2>A Powerful Combination</h2>
<p>Internal auditors' perceptions of a work environment are usually sound but rarely stand by themselves. By combining their observations with data that management trusts, and by discussing the linkage tactfully with their audit clients, auditors can make a real difference in the organization. For auditors struggling with how to begin a culture audit, this could be a useful starting point.</p>
<table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p><strong>Metrics That Might Support Auditors' Observations</strong></p><ul><li>Employee survey results.</li><li>Structured interview results.</li><li>Customer survey results.</li><li>Customer complaints.</li><li>Hotline statistics, including evidence of whistleblower protection.</li><li>Statistics for hotline open to suppliers.</li><li>Frequency of legal problems.</li><li>Frequency of audit issues with the same or similar culture-related root cause.</li><li>Frequency of repeat audit findings.</li><li>Timeliness and effectiveness of corrective actions.</li><li>Turnover statistics.</li><li>Sick time statistics.</li><li>Exit interview results.</li><li>IT surveillance results.</li><li>Performance review timeliness.</li><li>Frequency of negative media coverage, including social media.</li><li>Warranty claims.</li><li>Diversity statistics.</li><li>Level of community engagement.</li><li>Environmental impact data, with effective monitoring and continuous improvement.</li><li>Frequency of performance targets being missed (suggesting unrealistic targets that pressure managers to meet them "whatever it takes").</li><li>Frequency of large projects failing.</li></ul></td></tr></tbody></table>
James Roth
GRC Conference 2019: Transformative Technology (https://iaonline.theiia.org/2019/Pages/GRC-Conference-2019-Transformative-Technology.aspx)<p>Pamela Nigro, senior director of Information Security at Health Care Service Corp., opened the final day of the Governance, Risk, and Control (GRC) Conference with her general session, "The Future of IT Audit and Industry 4.0." Nigro shared with audience members her thoughts on emerging technologies affecting today's organizations and those that will transform the businesses of tomorrow.</p><p>"Organizations are shifting from traditional ways of engaging and interacting with customers, prioritizing digital ones," she says. Citing health care as an example, Nigro pointed to the common practice of sharing patient test results via a portal rather than a phone call. She also cited Tesla as operating not so much as a car company but as a software company that collects and leverages data to serve its customers.</p><p>"Now every business is a digital business with software at the core," she says. "There used to be a focus on running IT like a business. Now IT is the business — there is not a business that is not run by IT."</p><p>Data, Nigro adds, has become the world's most valuable resource — much more so than oil. And it's not just about collecting and storing data, it's about transforming that data into useful and consumable information.</p><p>"Digital transformation is the foundation on how organizations deliver value to their customers," she says. "It's more than simply remaining competitive. There's a radical rethinking of how organizations use technology and processes to fundamentally achieve business performance."</p><p>Nigro cited artificial intelligence and Internet of Things interconnectivity as examples of transformative technologies that are driving business ecosystems and changing the way business is done.
But this interconnectedness, she points out, creates a host of risks. Among them, she pointed to cyberthreats recently identified by <em>Security</em> magazine, including cryptojacking, software subversion, and cryptocurrency ecosystem attacks.</p><p>She also referenced the threat of breaking encryption using quantum computers. "As auditors, encryption is an important part of our structure," she says. "It is important that we feel confident that we can rely on that encryption for our security, for our privacy, for our protection. What happens if that is easily breached?" The thinking has shifted, she says, from considering <em>if</em> a company will get hacked to <em>when</em> it will get hacked.</p><p>In response to these threats, Nigro challenged auditors to not just keep up, but to "set the pace." "Why can't we and our development partners get sandboxes to start to play and understand and learn this technology so that we can help be a value-added partner to our organizations as they move into these new technologies?" she asked.</p><p>Nigro says auditors need to become leaders in the digital transformation space and help organizations move into this technology. She encourages auditors to adapt and think about how to "get ahead of the digital curve."</p><p>Toward that end, she advised attendees to make sure they have the necessary competencies and understanding to tackle digital challenges. "Think about how you are maintaining, or even leading, in your skills set," she says. "Understand how the technology really supports strategic objectives. Focus on those risks that can delay or derail business objectives, and identify how the algorithms are being used."</p><p>Nigro also encouraged auditors to get involved early in technology projects and to partner with the first and second lines of defense to help manage the risks appropriately.
"We have to stop being the 'department of no,'" she says, "and find a way to bake compliance and build controls into these new technologies and processes."</p>David Salierno
GRC Conference 2019: Technology Trends and Disruptive Innovation (https://iaonline.theiia.org/2019/Pages/GRC-Conference-2019-Technology-Trends-and-Disruptive-Innovation.aspx)<p>Business futurist Patrick Schwerdtfeger closed the Governance, Risk, and Control Conference with his keynote address, "Embracing Disruptive Innovation." Schwerdtfeger, whose technology expertise includes artificial intelligence, fintech, and blockchain, dissected the topic of business disruption and explained how attendees could spot potential threats and opportunities in their organizations.</p><p>Schwerdtfeger began with an illustration of the rapid growth of data, pointing to research from Amazon showing that, in 2000, the cost of storing one terabyte of data was $17,000 — by 2020, Amazon says, that price will have dropped to $3. In tandem, data processing and data bandwidth also have accelerated by leaps and bounds. And with Big Data, all of this information is being put to use by businesses, municipalities, and other entities — and it is continuing to scale rapidly. Schwerdtfeger terms this "exponential development" and says it is key to understanding future business trends.</p><p>"Human beings are hard wired to think in linear terms," he says. "But what could you do if your business system, such as ERP, were 10 times as powerful as it is now? We need to learn to think this way."</p><p>As an example, Schwerdtfeger pointed to the exponential development of the Human Genome Project, which began in 1990. By 1997, it was just 1% complete — but that actually represented the project's halfway point because it scaled at 100% per year. At that rate, it took just 6.5 years to get from 1% to 100%. The Human Genome Project finished by 2003, and costs were lower than expected.</p><p>With this rapid propagation of technologies, Schwerdtfeger says, changes to organizations are going to be dramatic.
As evidence, he cited a recent study from Washington University that says 40% of today's S&P 500 companies will no longer exist by 2026.</p><p>"Hearing this," he says, "people instinctively get into a defensive posture — they ask themselves, 'Who's going to eat our lunch?' But the question should be, 'Who else's lunch can we eat?'" In other words, those companies will be replaced, creating opportunity in the marketplace. Schwerdtfeger told audience members that they are well-positioned to spearhead these conversations and to find a way to stay on offense.</p><p>"There's more and more leverage in the system all the time," he says. "Technology is a form of leverage. You're either on one side of the leverage equation or on the other side of the leverage equation."</p><p>As technology evolves along an exponential curve, Schwerdtfeger says that, over time, repetitive manual jobs will be replaced by robotics. Moreover, repetitive cognitive jobs are likely to be replaced by algorithms. How do we plan for this? Schwerdtfeger says it boils down to two things: creativity and relationships.</p><p>"We need to focus on our ability to be creative and to work with other human beings," he says.</p><p>In his closing remarks, Schwerdtfeger encouraged attendees to think not only about what's happening in the world, but what they can do in response to it. His main message: think bigger. "When you think bigger, you inspire others around you," he says. "If you truly think big, you're going to outdo the competition."</p>David Salierno
GRC Conference 2019: Building Your Brand (https://iaonline.theiia.org/2019/Pages/GRC-Conference-2019-Building-Your-Brand.aspx)<p>Day two of the IIA/ISACA Governance, Risk, and Control Conference (GRC) opened with a keynote address from internal audit executive Nancy Haig on creating "Your Personal Brand." Haig shared her advice on building a brand identity, and then maintaining that brand once it's established.</p><p>To begin, she explained, professionals must understand what does not fall within the scope of their brand. "Your personal brand is not about stuff, it has nothing to do with your stuff," Haig told the GRC audience. "It doesn't matter — your house, your car, your clothes, any possessions at all. It doesn't factor into your personal brand." She adds that brands are not about bragging, self-promotion, attention-seeking, disingenuous behavior, or self-centered connections.</p><p>Instead, Haig says, personal brands comprise a genuine, meaningful representation of ourselves. She says one's brand should present an authentic personal image — one that is both unique and professional, and speaks to reputation. Perhaps most importantly, Haig adds, a personal brand needs to be promoted on social media — if done correctly, it will help create an expanded presence in one's industry, enhance engagement with other professionals, and facilitate career advancement.</p><p>As a first step toward developing a personal brand, Haig recommended audience members ask themselves a question: "If someone heard your name, what would they associate it with?" She suggests approaching friends, colleagues, and family members to determine their perceptions. What strengths and weaknesses do they see?</p><p>Next, Haig advised determining which social media platforms to target. She pointed to LinkedIn as a logical venue for most professionals, though other platforms with a mix of social and professional content may be useful as well.
"You're going to have to assess which are the best places for you to be," she says.</p><p>Once online, Haig says, a personal brand needs to establish trust from its audience. She recommends accomplishing this through consistency and repetition. "You don't want to be one way to some people and someone else to other people," she says. Moreover, the brand needs to be monitored regularly to make sure information online represents the brand accurately and that someone hasn't hijacked it.</p><p>Haig also offered numerous practical tips for personal brand enhancement, such as searching for oneself online to look for brand inconsistencies and setting up automated news alerts for references to one's name. She also suggested participating in a local professional association chapter, contributing an article to an industry magazine, and creating a personal website as ways of expanding a personal brand and solidifying it with professional connections.</p><p>For more information on personal branding, read Nancy Haig's article, "<a href="/2018/Pages/Your-Personal-Brand.aspx">Your Personal Brand</a>" — winner of this year's <em>Internal Auditor</em> John B. Thurston award for literary excellence.</p>David Salierno
GRC Conference 2019: Owning the Moment (https://iaonline.theiia.org/2019/Pages/GRC-Conference-2019-Owning-the-Moment.aspx)<p>Keynote speaker Simon T. Bailey kicked off the ISACA/IIA Governance, Risk, and Control (GRC) Conference in Ft. Lauderdale, Fla., today with his session, "Shift Your Brilliance — Leading Amidst Change and Uncertainty." Bailey, a business strategist and entrepreneur, advised leaders on how to accept change and embrace uncertainty as their businesses face unprecedented technological, cultural, and other tectonic shifts.</p><p>"We have an opportunity to own the moment," Bailey told the sold-out GRC audience. "The question we have to ask ourselves is how am I showing up in this moment to be my best self — to lead my organization, to lead my team, especially in the midst of uncertainty?"</p><p>That process, Bailey emphasizes, begins internally. To lead effectively, he says, every leader needs to introspect and seek to improve him or herself. Toward that end, he advises applying what he calls the "15-7-30-90" method. The process begins with taking <em>15</em> minutes a day to focus on what you want to accomplish — this is practiced <em>7</em> days per week, checking in every <em>30</em> days to review progress, and then taking a deeper dive every <em>90</em> days to assess progress from a broader perspective.</p><p>To further self-improvement efforts, Bailey encouraged audience members to surround themselves with a "personal board of directors." The board would comprise individuals "with different competencies, different skill sets, and a different understanding that challenges you to rise to the occasion," he says. It should be a group of people who inspire you, motivate you, and challenge you — whose advice you seek on important personal and professional matters.</p><p>Turning toward how leaders influence and inspire others, Bailey emphasized the importance of establishing good relationships.
"One of the goals every leader needs to be thinking about is how do we move from command and control to collaboration and connection," he says. Relationship-building, he explains, is key to a leader's ability to motivate and inspire. And creating those relationships depends largely on one's ability to empathize, he says, adding that empathy is the No. 1 skill taught in Silicon Valley. "People don't care what you know until they know how much you care," he says.</p><p>To effectively lead through change, Bailey says leaders must embrace what he calls the "vuja de moment." This is the opposite of déjà vu, and it reflects the ability to look at what you have been doing with a fresh set of eyes, as if you've never seen it before. "It's asking yourself a different set of questions that will challenge you on the way you've done things, as well as on what <em>can</em> be done and what needs to be undone," he says.</p><p>After sharing numerous tips and strategies for leading through change and uncertainty, Bailey concluded with a quote from philosopher Eric Hoffer: "In times of change, the learners will inherit the earth, while the learned find themselves beautifully equipped to live in a world that no longer exists."</p>David Salierno
The Control-Culture Connection (https://iaonline.theiia.org/2019/Pages/The-Control-Culture-Connection.aspx)<p>All audit committees want strong internal controls over financial reporting, and a strong ethical culture where employees who suspect impropriety feel unafraid to speak about what they see. What is sometimes less understood are the connections between those two things — how corporate culture and internal controls should complement each other, to further the goal of strong, reliable financial reporting. Design them well, and the organization has a powerful buttress against executive misconduct. Don’t, and the opposite is just as true.</p><p>A fascinating example of this point comes from <a href="http://bankrate.com/" rel="nofollow">Bankrate.com</a>, which paid $28.5 million to the U.S. Justice Department earlier this year to settle long-running financial fraud charges. Back in 2011, Bankrate’s then-Chief Financial Officer Ed DiMaria concocted a cushion-accounting scheme to manipulate quarterly earnings. He and others fabricated expenses on a bogus spreadsheet, while hiding the true numbers from Bankrate’s audit firm. When the U.S. Securities and Exchange Commission (SEC) began inquiring about the company’s finances, DiMaria directed others to reply with material not responsive to the SEC’s document requests.</p><p>Of course this all unraveled eventually. Bankrate announced a restatement in 2014. DiMaria was dismissed, indicted, and sentenced to 10 years in prison. The company hired new outside counsel, and its audit committee cooperated fully with the SEC.</p><p>Think about what happened here. First, the company used technology and business processes that gave DiMaria the ability to fabricate financial data while concealing true information. Second, nobody raised alarms about DiMaria’s misconduct — not when he lied to the audit firm, not when he misled the audit committee, and not when he had others mislead the SEC.
</p><p>The issue, really, is about transparency and freedom. Internal audit needs to be able to roam freely through the enterprise to assess risks, and it needs to be able to see real data, rather than whatever report management provides. Or, as Debi Roth, chair of the Audit Advisory Committee for Orange County Public Schools in Florida, puts it: “Can the audit department get it, and pull it themselves?” </p><p>That might seem like a straightforward part of governance. In the real world, however, Bankrate is by no means alone. For example, when Polycom Corp. agreed last year to pay $16 million to settle U.S. Foreign Corrupt Practices Act charges, the misconduct was fundamentally similar. Executives in China recorded false information on bogus spreadsheets to hide bribery violations from Polycom’s global managers, while masterminding a payoff scheme to Chinese government officials. </p><p>Technology and business processes that allow executives to create a false narrative; plus a corporate culture that allows them to spread the false narrative — if those are the ingredients for an audit committee’s nightmare, what’s the antidote? It comes in two parts: strong control activities over financial reporting, and strong corporate culture that encourages everyone to sound the alarms about misconduct. </p><h2>Ingredient 1: Control Activities</h2><p>The first ingredient is unimpeded access to the company’s transactional data. Access should include not just whatever reports someone might provide to internal audit or the audit committee, but also the actual data about payments, due diligence checks, beneficial ownership, contracts, or whatever else the audit team might want to see. </p><p>That’s partly a question of technology. Accounting systems should rely on a single data source to make frauds like bogus spreadsheets and false transaction entries harder to accomplish. 
In an ideal world, auditors should be able to drill down from balance sheet, to line-item accounts, to transactions within those accounts, to supporting documentation for those transactions.</p><p>As an audit committee chair, Roth wants to hear the chief audit executive (CAE) explain how the process for gathering data works, and whether there are any concerns about potential interference. For example, does the audit team depend on the IT department to generate reports? That’s a risk, no matter how well-intentioned the IT department might be. “I’m looking for the internal audit function to have a good process in place that addresses internal controls, and that they’re able to go out and do their job and do it well,” she says.</p><p>Once upon a time, when companies used data warehouses, the audit team could have access to them, too, and pull whatever information it needed. Today’s systems are more complicated, as many firms rely on cloud-based applications that might store data in different locations, or employees might use cloud-based applications but not tell IT about it.</p><p>Audit and accounting teams need to think about the design of financial reporting systems and transparency into the data, so that suspicious transactions stick out like a sore thumb.</p><h2>Ingredient 2: The Control Environment</h2><p>Even when suspicious transactions are more visible, someone still needs to point them out. After all, at organizations of any appreciable size, many fraudulent activities won’t be spotted by the audit team — especially if more than one person is involved in the misconduct, as happened at Bankrate, Polycom, and many others. The organization needs to foster an environment where employees feel comfortable raising concerns about misconduct. “That’s always top of mind as an audit committee member,” says Raoul Ménès, who serves on the audit committee of the Salt River Pima-Maricopa Indian Community in suburban Phoenix.
</p><p>“The bad perception to have is, ‘Don’t worry, internal audit will get it,’” Ménès says. “Well, internal audit cannot see everything. They’ll show up for two weeks to do an audit, and then they’re gone.” </p><p>Ménès encourages audit committee members to spend more time at their organizations, getting to know employees casually. Show up early for a committee meeting, for example, and chat with the employees. (That’s in addition to any executive sessions at the committee meeting, or any conversations the committee chair has with the CAE between meetings.)</p><p>“Meet the audit team, or talk to the controller. Just see how things are going,” Ménès says. “When you’re able to connect with folks, to work with them and talk with them, they’ll open up.” </p><p>Fair enough, but how else can the audit function identify warning signs about corporate culture? “Auditing culture” is a lofty idea, but a bit vague. Instead, audit teams need to design tests for traits or behaviors that suggest the culture is wrong. Ménès, for example, once worked with a firm where employees received a three-question quiz about the code of conduct shortly after they had certified that they’d read it. The goal wasn’t to see how well they memorized the answers; it was to see whether the enterprise had high failure rates as a whole — which would suggest that employees weren’t taking the code seriously, a big culture risk. </p><p>Roth, meanwhile, wants to hear about managers who try to interfere with auditors’ ability to talk to other employees. “If someone is telling the auditor, ‘You can’t work with anyone else, you have to go through me’ — that’s an automatic red flag,” she says.  
</p><h2>Shutting Down Abuse</h2><p>The truth is, an organization can’t achieve strong financial reporting without both elements present: systems that provide clear visibility into transactions and a corporate culture that encourages internal audit — or other parts of the enterprise — to put that visibility to good use.</p><p>That’s the buttress organizations need to thwart executives who might abuse their power to override controls or lie to the board. It can be tough to build in the modern enterprise, with complex IT systems and a globalized workforce. Build it right, however, and that buttress can be pretty powerful.</p>Matt Kelly
The Winds of Trade Wars (https://iaonline.theiia.org/2019/Pages/The-Winds-of-Trade-Wars.aspx)<h2>How can a global company determine how to comply with volatile trade regulation shifts?</h2><p>In a changing global landscape, organizations need to be aligned, agile, and prepared. Specific to tariffs, the compliance office, supply chain, and public affairs/regulatory teams need to work together to develop a comprehensive response plan. In an escalating trade war, all functions need to understand their roles within the plan and be agile enough to ensure timely implementation. Items to prioritize are reviewing third-party contracts, updating costing models, investigating alternative supply options and coordinating with logistics, and ensuring controlled processes are in place to comply with changing duty rates and classifications.</p><p>As a risk leader within the organization, internal audit first should vocalize and elevate the potential impact of geopolitical risks, including trade wars and tariffs, to the audit committee, senior leadership, and others within the business. Second, internal audit should work with the appropriate teams to ensure response plans are in place if trade wars escalate or continue for an extended period. Third, internal audit should review the customs compliance process, paying particular attention to classification procedures and documentation to minimize the risk of transshipment [through intermediate sites] and payment noncompliance.</p><h2>What are some of the risks to a company with a global supply chain?</h2><p>The most immediate implications of tariffs are higher costs, limited alternative sourcing options, more complex logistics, and greater compliance risks. Businesses may look to adjust their manufacturing and sourcing strategies, but these cannot be changed overnight. The reality is that most companies have spent years planning and building their global supply chains.
</p><p>Although New Balance has been focused on preparedness and agility within our supply chain — including running internal scenarios for a trade war escalation — sourcing shifts are still capital-, resource-, and time-intensive challenges. All departments, from development through transportation, need to be in alignment and coordinating fully to achieve the overall strategic objectives.</p>Staff