Risk and Compliance



<h1><a href="https://iaonline.theiia.org/2018/Pages/GDPR-and-Internal-Audit.aspx">GDPR and Internal Audit</a></h1>
<p>Now that the May 25 deadline to comply with the European Union’s (EU’s) General Data Protection Regulation (GDPR) has passed, compliance executives may be breathing a sigh of relief. Yet the real compliance work is only beginning.</p>
<p>GDPR consolidates the EU’s personal data privacy protection laws and redirects the way organizations approach data privacy. It greatly expands the privacy rights of EU citizens and residents, and it applies to any organization that does business with those individuals, regardless of where the organization is located. Organizations that don’t comply with GDPR face penalties of up to €20 million or 4 percent of annual worldwide turnover, whichever is greater.</p>
<p>Compliance will require continued focus and effort. Internal audit can help the organization mitigate GDPR compliance risks by identifying ways to improve controls, raising risk awareness, and assuring compliance.</p>
<h2>Improving Controls</h2>
<p>Internal audit can help the organization shift from the preparation phase to the implementation phase of GDPR. The regulation specifically requires organizations to focus on these control-oriented topics:</p>
<ul>
<li><em>Accuracy and quality</em> requires organizations to ensure data is accurate and up to date and that individuals can correct their records.</li>
<li><em>Security and privacy by design</em> requires organizations to document the decisions taken to inform EU residents about how their data will be used and restricted. They also must implement technical, administrative, and physical security/privacy controls to mitigate potential harm.</li>
<li><em>Security safeguards</em> ensure that technical and organizational measures are implemented for privacy and security.</li>
</ul>
<p>Internal audit should work with management to identify relevant controls over data entry, assess the accuracy of information and recommend improvements, and strengthen controls that prevent and detect data errors.</p>
<h2>Raising Risk Awareness</h2>
<p>The direct risks associated with GDPR relate to potential fines and reputational impact. However, by digging into the regulation’s purpose, internal auditors can see other data protection risks.</p>
<p><strong>Monitoring, Measuring, and Reporting</strong> Organizations must have a data protection officer (DPO) to lead privacy and compliance efforts. Among the DPO’s tasks are reporting on compliance monitoring, training staff, and ensuring privacy compliance audits take place. The organization must perform data privacy impact assessments when new technologies and systems are used, provide timely data breach notifications, and report on the use of third-party processors.</p>
<p><strong>Prevent Harm</strong> GDPR imposes sanctions and penalties on organizations that process data unlawfully or fail to deploy safeguards. In addition, individuals may request that the organization remove their personal data from automated processing and profiling.</p>
<p><strong>Breach Management</strong> Organizations must put processes in place to notify persons no later than 72 hours after they discover a data breach, if it is determined that the breach will result in a high risk of privacy harm to those individuals.</p>
<p><strong>Openness, Transparency, and Notice</strong> Organizations must keep data for specific and legitimate purposes and notify persons about how the organization will use their data. Organizations also must inform individuals of the safeguards applied when personal data is transferred to a third country.</p>
<p><strong>Individual Participation</strong> EU residents may request access to their data, obtain a copy of the data held, and withdraw consent to the use of their personal data as long as withdrawal does not result in legal violations. Individuals may object to the use of their data for direct marketing and profiling, and they may contact the DPO about any issue related to the processing of their personal data.</p>
<p>Internal audit can educate management about the potential risks in each area and ways to manage them. Auditors can communicate relevant information about these risks via informal emails, a departmental newsletter, or meetings with management.</p>
<h2>Assuring Compliance</h2>
<p>As new policies and procedures mature, internal audit will need to perform regular compliance audits to determine the extent to which the organization is complying with GDPR. Auditors should focus on how the organization manages data to help strengthen privacy and security controls and ensure they are designed appropriately and operating effectively. Auditors will need to assure compliance with key aspects of the regulation and provide early warnings about problems.</p>
<p><strong>Choice and Consent</strong> Under GDPR, organizations must allow users to choose how their personal data is used. Organizations also must document and maintain consents and request parental authorization before collecting a child’s data.</p>
<p><strong>Legitimate Purpose</strong> To ensure data collection is lawful and necessary, organizations can collect only the personal data needed to achieve the intended purpose. Reviewing and handling requests for further processing, restricting requests for data related to criminal convictions, and documenting situations where the right to object does not apply are all important. Internal auditors can help reduce risk by sampling data collection mechanisms for compliance.</p>
<p><strong>Limitations</strong> Organizations may keep data no longer than the period required to support the purposes for which it was collected, and they must erase an individual’s personal data upon his or her request. GDPR permits organizations to retain data for archiving purposes in the public interest or for reasons of scientific or historical research.</p>
<p><strong>Free Flow of Information and Legitimate Restriction</strong> This principle includes protections for data transfers using legally binding agreements between public authorities, binding corporate rules, model clauses, and other mechanisms.</p>
<p><strong>Third-party Vendor Management</strong> This principle ensures that organizations gather third-party/vendor guarantees of GDPR compliance along with proof that third parties have the required technical and organizational safeguards. The DPOs of the data controller — the organizations or individuals that determine the purposes and means of processing data — must provide written authorizations to use a given processor.</p>
<p><strong>Accountability</strong> GDPR’s accountability principle provides a legal basis for processing personal data, establishes the DPO role, and informs citizens and residents of existing privacy rights and safeguards. In addition to overseeing the data protection strategy, the DPO must maintain contact with the supervisory authority and demonstrate compliance.</p>
<p>Internal auditors will need to periodically assess the processes and controls for each of these principles to ensure they are designed and operating effectively. Auditors can review a sample of data transfer documentation to look for data that should not be transferred to another organization. They can run reports to look for data that is being kept longer than necessary and review available documentation for any exceptions.</p>
<h2>A GDPR Audit Plan</h2>
<p>To help the organization maintain compliance, internal audit should include independent GDPR assessments and compliance testing in the audit plan. It can raise executive and board awareness of GDPR noncompliance by highlighting poorly designed or missing controls. Finally, it can identify opportunities to audit common processes across departments.</p>
<p>Jan Hertzberg</p>
<h1><a href="https://iaonline.theiia.org/blogs/chambers/2018/Pages/Internal-Audit-and-Emerging-Risks-From-Hilltops-to-Desktops.aspx">Internal Audit and Emerging Risks: From Hilltops to Desktops</a></h1>
<p>As a profession, internal auditors have cultivated a long and respected legacy as purveyors of hindsight. Almost all of us are adept at looking at last year's data and telling management where past mistakes were made. While hindsight is a necessary part of internal auditing, 20/20 hindsight is one of our least valuable skills. Often, our clients are already aware of past mistakes.</p>
<p>With the advent of operational auditing and, ultimately, the introduction of consulting/advice into our portfolio of services, we also became purveyors of insight. Insight is generally seen as more valuable than hindsight to our beleaguered stakeholders, but it too suffers from limitations in an era when risks emerge at warp speed. Today's insight may well be tomorrow's hindsight.</p>
<p>There will always be a need for hindsight and insight, but foresight is the ultimate source of value. Stakeholders seek to navigate the future more than revisit the past or dwell in the present. It is time for internal auditors to focus our telescopes ahead. We need to concentrate on the risks of tomorrow if we are to not only protect but enhance value for our organizations.</p>
<p>Yet stakeholders are generally unimpressed with our acumen at detecting emerging risks. In a 2016 KPMG survey of chief financial officers and audit committee chairs, only 10 percent agreed that their internal audit function adequately identified and responded to emerging risks that threatened their companies.</p>
<p>Over the past year, I have turned often to weather analogies when addressing challenges and opportunities for the internal audit profession. In many ways, identifying future risks is like predicting the weather. When our parents and grandparents were young, there was no such thing as weather radar. If they were curious or concerned about potential changes in the weather, they simply peered out their windows or stood on a hill and scanned the horizon for potential storms. Of course, their weather predictions were often wrong. Climbing to the hilltop may have expanded their view, but weather patterns are far too complex to know whether the clouds you see contain damaging winds, or whether they are even coming your way.</p>
<p>That's why modern meteorologists have turned to more advanced methods. They monitor approaching storms with Doppler radar. They use digital satellite images to record cloud patterns around the world, and they feed the data into supercomputers, applying advanced statistical equations and algorithms to create more accurate forecast models. Of course, we all know that even meteorologists sometimes get it wrong, but their reliability has increased dramatically with the advent of new tools and technology.</p>
<p>From hilltops to desktops, we all need to get smarter about risks, and there's a lot we can learn from meteorologists. They don't just observe the weather and make guesses about what the future might hold. They use every resource at their disposal to identify potential trouble spots and patterns before the storm materializes or inflicts significant damage.</p>
<p>Internal auditors and meteorologists have much in common. But our scope is much broader than predicting the weather. It encompasses virtually every type of risk, from the impact of changing market conditions or pandemics to financial and compliance issues. And that means our focus must extend far beyond the immediate future.</p>
<p>It would be great if there were technologies like Doppler radar for identifying emerging risks. Someday, such tools might exist, but until then we need to create our own virtual radar for detecting and monitoring emerging and approaching risks. That requires us to become more analytical in our approach.</p>
<p>As KPMG Partner <a href="https://home.kpmg.com/au/en/home/insights/2016/09/internal-audit-emerging-risks.html">Michael Hill has noted</a>, "Emerging risks can arise from many sources — economic or demographic shifts, changes in the competitor landscape, technology advances, or customer preferences." So there is a lot for us to watch for when it comes to emerging risks. The horizon is so vast that the job will simply be too great for a chief audit executive alone. It will take the proverbial internal audit "village" to monitor emerging risks for a typical company. Just as the department's resources are assembled when annual internal audit plans are formulated, so too should the various experts be deployed to identify and monitor emerging risks. For example, the staff with the greatest IT expertise should monitor the horizon for emerging technology risks.</p>
<p>Fred Stuckel, vice president of enterprise risk management and audit at Express Scripts, shared the process his company uses to identify emerging risks in a <a href="https://erm.ncsu.edu/library/article/identifying-and-evaluating-emerging-risks">recent video posted by North Carolina State Poole College of Management's Enterprise Risk Management Initiative</a>. Stuckel noted that within Express Scripts, he and his team "spend a lot of time on the internet and on social media." They "peruse through international newspapers that are converted from foreign language to English, to get different perspectives of what the impact of any kind of change might be to the United States or to the global market."</p>
<p>There is no silver bullet for identifying emerging risks. Like all risk assessment, there is a degree of art in addition to science. However, if internal audit isn't looking in the right direction, there is a greater likelihood of missing emerging risks. Just as storms in the Northern Hemisphere often emerge from the west, there are directions from which the potential risks facing your company are likely to emerge. These include:</p>
<ul>
<li>Economic forecasts (macroeconomic as well as those facing your industry).</li>
<li>Known strategic business risks facing your company.</li>
<li>New corporate initiatives being planned.</li>
<li>The legislative and regulatory outlook facing your industry.</li>
<li>Geopolitical developments and political risks in regions where your company operates.</li>
<li>Disruptive threats or opportunities facing your industry.</li>
<li>Performance of your primary competitors.</li>
<li>Risks emerging as headlines via traditional or social media.</li>
</ul>
<p>Identifying emerging risks should be a collaborative process with management. After all, management is likely to have already identified many emerging risks that threaten the organization. We should position ourselves as a partner, not a competitor trying to one-up management, when it comes to emerging risk acumen. After fully vetting our inventory of emerging risks, we should be prepared to share our perspectives with the audit committee. Our conversation must include our own plans for monitoring and responding to these risks as the organization's internal auditors.</p>
<p>We have entered an era in which crises have become commonplace, and after each new crisis, the same questions arise: "Why didn't we see it coming?" "Where were the internal auditors?" The world's best internal audit functions are well-prepared to answer these questions, and they do so in part by focusing on the future, by maintaining agility, and by proactively identifying and addressing emerging risks.</p>
<p>Hindsight is one of our least essential skills. It's time to turn our telescopes in the other direction.</p>
<p>Richard Chambers</p>
<h1><a href="https://iaonline.theiia.org/2018/Pages/Crisis-Overconfidence.aspx">Crisis Overconfidence</a></h1>
<p>Companies are overconfident about their ability to cope in a crisis, and executive leadership on the issue may also be sorely lacking in some organizations, according to a new report. Research by professional services firm Deloitte has found that nearly 60 percent of crisis management and other executives surveyed believe organizations face more crises today than they did 10 years ago.</p>
<p>They are not wrong. In the past two years, 80 percent of organizations worldwide have had to mobilize their crisis management teams at least once, with cyber and safety incidents topping the list of crises requiring management intervention. And the impact of a crisis on organizations is immediate: nearly three-fifths experienced a leap in customer complaints, usually on social media.</p>
<p>More than four in five respondents say their organizations have a crisis management plan in place. However, Deloitte's study, <em>Stronger, Fitter, Better: Crisis Management for the Resilient Enterprise</em>, has uncovered dramatic gaps between a company's confidence that it can respond to crises and its level of preparedness. It found that while nearly 90 percent of respondents are confident in their organization's ability to deal with a corporate scandal, only 17 percent have tested that assumption through a simulation exercise. Similarly, 70 percent of organizations are confident in their ability to manage a product recall, though only 22 percent have carried out a simulation exercise.</p>
<p>The survey, which included participation from more than 500 senior crisis management, business continuity, and risk executives across 20 countries, also found that organizations feel more confident in confronting some types of risks than others — particularly IT risks, because they feature so prominently on risk agendas. For example, nine out of 10 respondents have fairly or very high levels of confidence in their organization's ability to tackle system failures, with similar numbers confident in their organization's ability to respond to regulatory and policy changes (89 percent), corporate scandals (88 percent), and cyberattacks (87 percent).</p>
<p>Deloitte's research found that experiencing a crisis teaches organizations to avoid them. For example, nearly 90 percent of organizations surveyed have conducted (largely internal) reviews following a crisis, and while these crises were not always foreseen, companies recognized that they might have been averted. As a result, organizations are now more likely to take action to forestall future crises.</p>
<p>Indeed, a crisis management response plan is critical. Deloitte found that nearly half of respondent organizations that did not have a plan in place saw their finances negatively impacted when a crisis struck. For those organizations with a plan, the figure was less than a third.</p>
<p>"Crisis management shouldn't start with a crisis — at this point it may already be too late," says Peter Dent, Deloitte Global crisis management leader. "With the rapid pace of change facing companies worldwide, and with crises on the rise, it is critical for organizations to be ready to respond with skilled leadership and plans that have been tested and rehearsed."</p>
<p>Crisis plans work best when the board and senior management are involved in shaping and sponsoring them. To secure their participation, the study's authors say, it is important to keep the plan relevant to them so that it addresses the issues that "keep management awake at night," such as the impact on reputation and the bottom line.</p>
<p>Organizations should also ensure that they set up a crisis management plan specifically for the board, because when a crisis hits, executives may need to play a very different — and more interventionist — role from normal. For example, if the crisis is causing significant damage to reputation, affecting share price, or resulting in regulatory sanctions or litigation, it may be up to the board to plan the company's continuity and survival. And in terms of succession planning, it may be appropriate to recruit board members with prior crisis management experience, Deloitte says.</p>
<p>Leadership commitment to crisis management is critical. But nearly a quarter of respondents cite the effectiveness of leadership and decision-making as one of the greatest crisis management challenges their organizations face. In fact, leadership commitment — or the lack of it — was deemed to be the primary challenge for respondents, followed by effectiveness of teamwork, familiarity with the crisis structure/response process, and clarity of roles and responsibilities.</p>
<p>Part of the problem, Deloitte says, is that leaders are unprepared for crisis management. Therefore, organizations should establish a leadership structure for a crisis to help define roles and responsibilities, and training should be provided, particularly around communicating with stakeholders. Organizations should also identify the leadership styles of particular executives and managers and work out who would be best placed to deal with certain aspects of the crisis response: in a high-pressure environment, leaders will tend to rely heavily on their most natural leadership style — which may not be suitable.</p>
<p>Deloitte's research found that crises often emanate from the actions of third parties such as suppliers and alliance partners, but at the same time, these third parties often play an important role in helping to manage and mitigate the problem. Recognizing this, 59 percent of respondents say that they participate in crisis exercises with third parties, examine third parties' crisis plans, or both. In Europe, the proportion is 80 percent.</p>
<p>As a result, the researchers say that companies should determine which outside organizations need to be in the fold when managing a crisis. These could include advisors such as lawyers, public relations firms, or specialist cyber defense organizations, as well as crisis advisors. In addition, they say, critical service providers, joint venture partners, resellers, distributors, and any other entity that could trigger a crisis (or be affected by it) should be involved in crisis preparations too.</p>
<p>The report adds that — depending on the scenario — these outside parties should also be included in simulations and exercises where appropriate, and should share their contingency plans and provide regular updates on response readiness. Companies should stress the benefits of such collaboration, and even consider stipulating in contracts and agreements that such information should be shared.</p>
<p>"Crises aren't inevitable," Dent says. "Many of them are avoidable, which is why smart business leaders invest in crisis management capabilities. These strengths can help their organizations avoid costly, and sometimes irreparable, damage to finances, employee morale, brand, and reputation."</p>
<p>Neil Hodge</p>
<h1><a href="https://iaonline.theiia.org/2018/Pages/Risks-Speak-Louder-Than-Issues.aspx">Risks Speak Louder Than Issues</a></h1>
<p>Mutual understanding between internal audit and its clients can be difficult to achieve. When audit clients hear jargon such as "issues" and "gaps," or read it in an audit report, they often stop listening. They're left with the impression that internal audit doesn't understand the risks their area faces and that its reporting is irrelevant. At the same time, auditors may experience frustration over clients' failure to understand audit issues. Why can't issue communication be easier and more effective? In many cases, it's because auditors don't "speak the same language" as their clients and fail to communicate adequately about risk.</p>
<p>The IIA Position Paper, <em>The Three Lines of Defense in Effective Risk Management and Control</em>, states that risk management and control duties must be coordinated carefully organizationwide "to assure that risk and control processes operate as intended." In reality, that coordination does not always happen. For the first-line business units conducting day-to-day operations, if there are no risks within the immediate processes they manage, there are no issues. At the same time, many internal auditors perform their work in isolation, targeting check boxes without a comprehensive understanding of risks, even though second-line risk management and compliance functions are looking at risk appetite and the risk landscape enterprisewide. Effective risk communication can be challenging when internal auditors are out of sync with other assurance providers and adhere to an outdated, myopic approach.</p>
<p>In today's rapidly changing environment, the traditional method of identifying issues simply on the basis of test results for design and operating effectiveness is an insufficient means of risk analysis, reporting, and acceptance. Although test results provide a solid basis for showing how the client failed, they don't provide much insight into why clients should care beyond a low score. And if our deliverables lose relevance to the audience, we lose buy-in.</p>
<p>Within the audit report, risk-based information tends to be underdeveloped and fails to provide adequate support for issues. Risk statements often appear merely as a single line in each issue table, and risk analysis may not be presented holistically anywhere in the report. Moreover, risk assessment usually occurs during the planning and scoping phase of an audit. Even if the assessment has been performed well and reveals areas of weakness, key risk indicators are gradually lost as the audit progresses and the engagement draws to a close, leaving unclear answers about the true risk. Risk conversations should instead take place throughout the entire audit.</p>
<p>Before presenting issues to clients, internal auditors should ask, "Did I perform sufficient risk analysis to cover significant areas?" rather than "Have I identified enough findings?" Overall, the goal of issue communication should not be putting names on the sign-off sheet, but rather mutual agreement on risks and a willingness to address them.</p>
<p>Jingwen (Grace) Wu</p>
<h1><a href="https://iaonline.theiia.org/2018/Pages/Model-Governance,-Where-to-Begin.aspx">Model Governance, Where to Begin?</a></h1>
<p>Models serve many purposes and support various decisions across an organization. A model is a mathematical representation of an entity or system under certain operational, financial, compliance, and/or economic conditions that aims to quantify past, present, or future outcomes to provide decision-making information. Models typically are used to predict future results or to allow an entity to perform analysis within the mathematical model to determine the impact of different drivers or variables on model output. Models can be simple calculations in an Excel spreadsheet with a small table of variable inputs, or they can be highly complex mathematical and statistical computations involving a web of interrelated models built on sophisticated software running on a dedicated server.</p>
<p>Model governance provides oversight and control to minimize model risk, establishes policy to protect the integrity of the model output used in decision-making, prioritizes and authorizes changes to the models used by the organization, and facilitates the sharing of information across the organization about the use and limitations of the models to improve transparency.</p>
<p>Before internal audit can evaluate the model governance structure and its effectiveness, it needs to gain an understanding of the models used within the organization. This can be time-consuming. Documentation is valuable to any process, but in practice it is often difficult to find. Internal audit may have to work with management to develop an initial listing that can be used to identify and assess risks and determine the audit scope. The list of models should include:</p>
<ul>
<li>The name of the model.</li>
<li>A brief description of the model’s purpose and use.</li>
<li>Key model personnel: model owner, developer, tester/validator, production operator, and users.</li>
<li>The frequency of model output reporting.</li>
<li>The software and platform used for the model.</li>
<li>The latest version of the model being used.</li>
<li>The model risk rating.</li>
</ul>
<p>The model owner should maintain more detailed information for each model regarding inputs, assumptions, methodologies, process documentation with risks and controls identified, data flow diagrams, items excluded from the model, approximations or assumptions used in the model, model limitations, manual outside adjustments to the model, and the software and hardware used by the model.</p>
<p>The model risk rating should be based on probability and impact and be consistent with other risk rating structures used within the organization. When determining the model risk rating, internal audit should consider several risk drivers (along with other relevant criteria based on the industry or business), including: financial statement impact of results, level of model dependency in making business decisions, regulatory requirements, complexity of calculations and of the extraction/transferring/loading of inputs, degree of interdependencies among models, subjectivity of assumptions or inputs, experience level of the personnel involved, historical experience of issues, effectiveness of controls, and degree of incentive compensation that may be tied to performance or output.</p>
<p>Once the listing of models is compiled, risk rated, and agreed upon by key stakeholders, internal audit can perform an assessment of model governance, focusing on the high-risk models as a starting point. All models rated high risk should be within the purview of a model governance committee.</p>
<p>The scope of responsibilities of a model governance committee is subject to debate and tends to fall victim to scope creep, given the volume of risks associated with models. “Model Governance Committee Responsibilities,” below, provides a comprehensive listing of items to be considered in determining the scope of a committee. There may be other responsibilities specific to an organization or to evolving risks.</p>
<p>The structure and oversight of the model governance committee should be tailored to the specific needs and level of maturity of the organization:</p>
<ul>
<li>The committee should report to the board directly, or indirectly via another committee.</li>
<li>Membership should include a variety of senior-level model stakeholders.</li>
<li>Responsibilities should be clearly defined for committee members and those involved in the modeling process.</li>
<li>Committee decisions should be clearly documented with supporting rationale in committee minutes.</li>
<li>A communication process should be in place to notify those who are responsible for any follow-up actions, noting anyone who should be consulted or informed.</li>
</ul>
<p>Having a model governance committee centralizes the identification of, and response to, model risks, which typically improves communication across stakeholders, builds consensus around decisions, establishes controls, and enables management action given the diversity of committee membership. The focus on model risks by regulators and external auditors has been increasing. Having a committee that receives and generates appropriate documentation makes it much easier to address those concerns.</p>
<table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;">
<p><strong>Model Governance Committee Responsibilities</strong></p>
<p>Potential responsibilities may be completed by the committee, by management or a project team with committee oversight, or by some combination thereof. Responsibilities will vary but could include:</p>
<ul>
<li>Develop, approve, and communicate model policy, standards, and procedures.</li>
<li>Plan resources and prioritize tasks when there are competing priorities or dependencies.</li>
<li>Review and approve technical papers from subject-matter experts regarding gray areas or where there is disagreement on model approaches.</li>
<li>Prioritize and approve model changes, including the tolerance and materiality levels at which approval is needed for a model change.</li>
<li>Review and approve risk control matrices for material models. Also, have insight into control issues that impact the model, including general IT and application controls over inputs, processes, and outputs.</li>
<li>Monitor compliance issues that impact the model and approve management actions to remediate issues.</li>
<li>Oversee model data quality — integrity; outliers; timeliness and availability; security; and extraction, transfer, and loading.</li>
<li>Oversee model validation — static and dynamic testing, sensitivity analysis, analytics, user acceptance testing, analysis and quantification of changes, and identification of risk-based deep dives into current models on an ad hoc, periodic, or rotational basis.</li>
<li>Provide an objective, robust check and challenge process on model results.</li>
<li>Approve outside-the-model adjustments and the rationale for their use.</li>
<li>Maintain a list of known model limitations and the implications for use.</li>
<li>Approve the timing of model releases to production.</li>
<li>Coordinate the reporting calendar and use of model results.</li>
<li>Identify stress and scenario testing for the models and determine management actions.</li>
<li>Provide a consistent, common communication point to address questions and drive improvement.</li>
</ul>
</td></tr></tbody></table>
<p>Kelley Ellis</p>
Into the Light (https://iaonline.theiia.org/2018/Pages/Into-the-Light.aspx)<p></p><p>When the dust settles, disgraced movie mogul Harvey Weinstein may actually end up helping women in the workplace. More than 85 women have come forward with their stories of sexual harassment and sexual assault at the hands of Weinstein, including retaliation in the form of blacklisting them from acting jobs for rejecting his advances. </p><p>The Weinstein scandal has become a social media firestorm that has propelled a movement, #MeToo, through thousands of tweets, Instagram posts, and press conference comments, raising the profile of sexual harassment on legislative agendas and in corporate boardrooms. Publicity around the topic is drawing attention to the risks harassment represents and the processes companies implement to manage those risks — areas where internal auditors are key players in their organizations’ harassment prevention and mitigation efforts.</p><h2>A Shift in Response</h2><table class="ms-rteTable-default" width="100%" cellspacing="0" style="height:188px;"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>History of #MeToo</strong><br> <p> <br>Corporations addressing the risks represented by sexual harassment can thank civil rights activist Tarana Burke for spurring the improvements they’re making. She first used “Me, Too” in 2006 as shorthand for efforts to unify behind changing the harassment paradigm. In 2017, she was among the “Silence Breakers” <em>Time</em> named as “Person of the Year.” Actress Alyssa Milano took a friend’s advice to flood Twitter with the phrase, urging women who’ve been harassed or assaulted to retweet the two words. Her effort generated more than 200,000 responses in 24 hours. 
It became a top topic on Facebook, and Time’s Up, a defense fund and pressure group, formed to keep the message moving. </p></td></tr></tbody></table><p>Is the definition of <em>sexual harassment</em> changing? Betty McPhilimy, retired chief audit executive (CAE) at Northwestern University in Evanston, Ill., says no. Rather, “clarity is setting in.” Personal workplace priorities haven’t changed, either, she adds: “Everyone wants to be treated with respect.” </p><p>Brian Koegle, a partner in the employment and labor law department of the Los Angeles office of Poole & Shaffery LLP, agrees. “Legally speaking, the definition of <em>harassment</em> in the workplace has not changed,” he says. “It does evolve, but there have been no material changes to the definition or to how it’s interpreted under federal or state law for the better part of 15 years.” </p><p>What’s recently changed is the mix. “From the late 1980s until about 10 months ago, the most prevalent legal claims involved harassers creating hostile work environments,” Koegle says. “But now the overt, obscene cases are coming up more frequently, which we hadn’t seen for years until the Weinstein scandal broke.” He attributes this to the empowerment movement the scandal has spawned, where “women are feeling strong enough to come forward and say what’s actually happening after decades of fearing being blackballed.” The change, he adds, is especially evident in Hollywood, where there’s a groundswell of support. “It’s a social norm shift, rather than a legal shift.” </p><p>“Corporate response is changing, with more attention and responsibility focused on harassment issues and policies,” says Bettina Deynes, chief human resources officer at the Society for Human Resource Management, in Alexandria, Va. 
“The acceptance of primary responsibility for policy and enforcement by management is also increasing.” Human resources, she adds, must “create and publish policies that are clear and effective and that have strict penalties for unacceptable behavior.” It also must be simpler and less intimidating to report incidents of sexual harassment. “It’s a necessity,” she stresses, because “the risks of sexual harassment — lawsuits, internal conflicts, and employee terminations — are increasing.”</p><h2>Cases Are Climbing</h2><p>While the U.S. Equal Employment Opportunity Commission (EEOC) has not reported a surge in the number of harassment claims, Koegle says that it’s been exactly the opposite. “We’ve conducted more workplace investigations in the last four months than in the last five years, and we’re seeing more written in journals on harassment,” he says. There may be an explanation for the EEOC’s numbers, according to Robin Shea, an attorney with the Encino, Calif., firm Constangy Brooks Smith & Prophete LLP. In a blog post, Shea says the EEOC reporting period ended Sept. 30, before #MeToo gained prominence. “Brace yourself for 2018,” she says in the blog. “Retaliation was the most common claim in 2017, and pre-litigation monetary relief in harassment charges was at its highest since 2010.”</p><p>As women read more #MeToo stories, some may realize that an incident in their past — that at the time they felt was inappropriate — was, in fact, sexual harassment. Social media is causing the estimated 85 percent to 95 percent of women who don’t report the incident when it happens to reflect and come forward with their own stories. “I look back and I’m dumbfounded that I didn’t leave or tell someone,” says Tori Reid, a West Hollywood, Calif.-based actress, writer, and producer who grew up in a show business family. “I didn’t have kids to raise. I wasn’t desperate to keep the job. I guess I didn’t realize it was harassment. 
On a certain level, in the back of your mind, it’s the way we’ve known the entertainment workplace to be.” She avoided the worst of it. “Sixty percent of the work was making sure my boss didn’t put his hands on me,” she says. “I was dodging and ducking.” This year, she participated in the #MeToo unity demonstration at the Golden Globe Awards.</p><p>Harassment victims have testified about “slaps on the butt, repeated comments about breast size, and requests for sex,” a <em>Kaiser Health News</em> report found. And men are victims, too. A 1998 U.S. Supreme Court ruling in <em>Oncale v. Sundowner Offshore Services Inc.</em> said same-sex harassment of both sexes is actionable, and juries have held women responsible for harassing men. </p><h2>What's at Risk</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>More about sexual harassment in the workplace:</strong><br><br><ul><li><a href="/2018/Pages/MeToo-Felt-Far-and-Wide.aspx"><span class="ms-rteThemeForeColor-1-0">#MeToo Felt Far and Wide</span></a> – Organizations are addressing sexual harassment.</li><li><a href="/2018/Pages/A-Fish-Rots-From-the-Head-Down.aspx" style="color:#222222;"><span class="ms-rteThemeForeColor-1-0">A Fish Rots From the Head Down</span></a> – Sexual harassment mitigation must be dealt with at the top. <br></li></ul></td></tr></tbody></table><p>Regardless of gender, this behavior has “a cumulative long-term negative impact on performance,” says Ed Lynch, assistant professor in the Department of Accounting at California State University at Fullerton’s Mihaylo College of Business and Economics. According to the Washington, D.C.-based National Women’s Law Center (NWLC), “victims suffer profound economic and emotional harm” — and its physical manifestations. 
Up to 70 percent of women and 45 percent of men have experienced harassment, University of Maine sociologist Amy Blackstone recently told <a href="http://livescience.com/" rel="nofollow">livescience.com</a>. Many victims feel self-doubt that turns into self-blame, which then turns into depression — and, for some women, post-traumatic stress disorder. Harassment has been tied to a range of stress-like physiological reactions, including sleep disturbances, neck pain, increased risk of cardiovascular disease, and, in extreme cases, increased risk of suicide. </p><p>The primary effects can destroy economic and career well-being. The New York Times examined the damage that fear of harassment allegations can cause to mentor-like relationships young executives develop with senior leaders. “All too often, we wind up prosecuting the victim as much as the alleged harasser,” Koegle points out, “with all the gossip and innuendo that can surround workplace harassment allegations.” One of the most important elements of an investigation, he says, is “making sure victims feel the company is supporting them, that someone’s got their back, and that nothing happens to them that’s retaliatory.”</p><p>There should be greater transparency in complaint handling, Lynch says, including how companies develop codes of conduct and related training and how they craft policies for follow up. He argues that transparency “enables the identification of prevention best practices” and outweighs any risk of reputation damage, which actually acts as an incentive for change.</p><h2>Employers' Risks Rising, Too </h2><p>In fact, organizations risk image damage anyway. “The primary risk is reputation,” says Robert Kuling, a partner in Enterprise Risk Services at Deloitte Canada in Calgary. 
“Getting into the public domain with issues around discrimination and harassment can absolutely destroy a company’s brand and trust.” For example:</p><ul><li>Weinstein’s studio has filed for bankruptcy, CNN reports, and terminated all confidentiality agreements that had kept more people from coming forward. Lantern Capital Partners agreed to acquire the studio after a separate deal to sell the assets fell apart. <br></li><li>The CBC News website reported that Toronto’s Soulpepper Theatre Co. lost $375,000 in planned federal funding after its artistic director, who resigned, was accused of sexual misconduct and harassment by four actresses. The women are suing for $4.25 million in damages from Soulpepper and $3.6 million from the executive. Canada’s Heritage Minister told CBC News that arts organizations lacking best practices for harassment and bullying also may be blocked from future funding. <br></li><li>After sexual harassment allegations targeted former CEO Steve Wynn, the <em>Boston Herald</em> reported that a casino under construction in Massachusetts would probably not carry Wynn’s name. Wynn stepped down and sold his shares, but the allegations caused Wynn Resorts stock to plummet. Wynn reportedly settled one harassment suit for $7.5 million; regulators in Nevada and Massachusetts and in Macau, China, are examining the company.<br></li></ul> <p>The secondary risk organizations face is civil litigation saying the company didn’t do an appropriate job of providing a safe workplace, Kuling says. The government of Alberta recently amended safe workplace legislation to include mitigating the risk of discrimination and harassment, for example. “Harassment can be treated as a workplace injury,” he explains, creating regulatory risk as organizations prepare for and comply with their obligations under the law. 
</p><p>The third risk that’s developing, Kuling adds, “is where internal auditors can do a much better job: employee turnover.” People who don’t report harassment may just leave, he explains, and not mention the reason during exit interviews. But when internal audit conducts culture assessments, investigators “might get indicators of harassment and discrimination issues,” he says, adding that “the professional skepticism of internal auditors has to come to the forefront. That data could then inform future audits of turnover statistics.”</p><p>An ongoing culture of harassment and discrimination, Kuling argues, even if localized to a department, “is going to be hard to hide.” Lynch agrees and adds that internal audit should be prepared to identify and report suspicious behavior while working every assignment. “The nature of internal audit brings the auditor in contact with a wide range of employees,” Lynch says. “Every internal auditor should receive training on identifying evidence of sexual harassment, or a failed reporting mechanism, and every audit report should provide an opportunity for the auditor to comment on compliance with the code of conduct.” </p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><strong style="color:#222222;">How Internal Audit Can Help Address Sexual Harassment Risks</strong><p style="color:#222222;"><br>Internal audit has a responsibility to provide assurance that risks around sexual harassment policies, procedures, and reporting are being managed.</p><ul style="color:#222222;"><li>Follow U.S. Equal Employment Opportunity Commission guidance, <em>Proposed Enforcement Guidance on Unlawful Harassment</em> (January 2017), which sets the expectation that employers are being proactive in eliminating workplace harassment. 
It also outlines five core principles that have proven effective.<br></li><li>Make sure there is a written policy on how to handle harassment, discrimination, or retaliation claims. The absence of a written policy almost automatically triggers liability, Brian Koegle says. Policies need to address everybody in the liability universe — full-time and part-time employees, independent contractors, vendors, and clients who each pose some risk of potential liability. <br></li><li>Make sure company codes of conduct include examples of inappropriate behavior, Ed Lynch advises. Relevant examples are critical, he says, “because they serve as bright lines and consequently need to be continuously updated to reflect the changing work environments within each company.”<br></li><li>Human resources should conduct training and communicate to employees about how and where to report sexual harassment. Even with policies in place, not everyone knows the process for reporting.<br></li><li>Make sure there is an anti-retaliation policy. Inform personnel that the hotline may not only be used for obtaining information and reporting concerns, but also for reporting issues of retaliation. The code of conduct should plainly state that retaliation against anyone reporting harassment in good faith is a significant, punishable violation.<br></li><li>Compliance isn’t enough. Testing the effectiveness of compliance programs is another step and leveraging them to mitigate underlying risk is still another. That’s part of the reason The Committee of Sponsoring Organizations of the Treadway Commission has an internal controls framework and an enterprise risk management framework. <br></li><li>Internal audit or the chief compliance officer should report on the effectiveness of a company’s hotline to the audit committee. 
“Having lines of communication and, ultimately, an objective, confidential hotline process to lodge concerns to someone from outside that unit who will investigate is a critical control,” Betty McPhilimy says. “You don’t want hotline complaints squelched by a senior manager. They should go up to the board so people feel the hotline is a credible resource.”<br></li><li>Don’t reinvent the controls wheel. Risk management around harassment usually requires no new tools. An organization’s performance reviews, open-door policies, escalation procedures, ombudsmen, incentives, disciplinary action procedures, and ethics and compliance hotlines are all designed to accommodate anything that comes up, including sexual harassment. </li></ul></td></tr></tbody></table><h2>Being Proactive </h2><p>Organizations need to act, Kuling stresses. “Boards of directors need to have conversations with executive leaders around the culture of their organizations, and then be prepared to invest time and resources to seek assurance that these risks are being managed appropriately.” Deynes adds: “Internal audit can assist human resources in designing processes that confidentially discover existing problems and report them to the appropriate internal or external authorities. Legal can and should provide all necessary avenues for the execution of severe internal penalties and external prosecution for offenders.”</p><p>But organizations must ensure they don’t attack harassment with processes that simply separate the sexes. <em>The New York Times</em> reported that “some male investors have declined one-on-one meetings with women or rescheduled them from restaurants to conference rooms” because they worry about comments being misunderstood and becoming career-enders. </p><p>“That’s bad,” says Phyllis Hartman of PGHR Consulting Inc. in Freedom, Pa. 
“Clearly, we have to work together, and we’ve got to help people communicate respectfully, even when perceptions differ as far as how and when to say ‘lay off’ and end it then and there.” When managers say they’re afraid to talk to female employees, she tells them: “You probably can’t get into trouble talking about work. It’s highly unlikely you’ll be falsely accused.” And if a woman finds herself in a situation where she is “systematically excluded from important meetings and opportunities” or if her supervisor acts “in ways that adversely affect her advancement opportunities, learning opportunities, and so on,” she could legally claim discrimination under the Civil Rights Act of 1964. </p><h2>Handling Harassment </h2><p>What happens after sexual harassment is reported is critical, and internal audit has an important role in ensuring retaliation isn’t tolerated. Retaliatory acts, the NWLC points out, include a reprimand or other discipline, including termination; transfers to less-desirable positions or work schedules; and threats to report people to law enforcement based on immigration status. In some cases, just the threat of being penalized for speaking up constitutes retaliation, because the risk of career damage or being labeled a troublemaker is real. </p><p>Enforcement varies by jurisdiction. In Europe, member states are bound by the EU’s Directive 2006/54/EC, which defines sexual harassment as conduct intended to “violate the dignity of a person by creating an intimidating, hostile, degrading, humiliating, or offensive environment,” and Directive 2012/29/EU, which requires “assessments to determine if victims are at risk of retaliation” — and calls on employers to “offer appropriate measures to protect them.” In the U.S., claims of workplace harassment and retaliation are handled differently by state. 
California, for example, is particularly aggressive, maintaining “an affirmative legal obligation to protect victims from retaliation,” Koegle says. “This includes requiring employee handbooks to address with specificity what you do to investigate, remediate, and prevent acts of retaliation.” </p><p>A recent Harris Poll/CARE survey found that sexual harassment in the workplace isn’t illegal in nearly one-third of the world. One-third of respondents in India said it’s acceptable to whistle at colleagues, about the same as the portion of U.K. respondents from 25 to 35 who think touching a co-worker’s buttocks is fine.</p><h2>Addressing the Future</h2><p>Rehabilitation also is an important process concern, Hartman points out. In most cases, victims don’t want accusers fired, they just want it to stop — but returning an accused executive to meaningful leadership “takes a lot of work,” she says. “You have to help both parties deal with this, making sure perpetrators understand what they did wrong.” For victims, counseling is a good place to start, according to research published in <em>Psychotherapy: Theory, Research, Practice, Training</em>, the journal of the American Psychological Association. But the specifics, says Kuling, are best left to each to determine. “The complainants are the best source of what constitutes adequate resolution,” he says. </p><p>Counseling often helps the alleged perpetrators, too. Hartman has coached executives accused of inappropriate behavior whose companies felt they could be rehabbed, often as a condition of returning to their former posts, and she stresses that success is situational, depending on what happened, how the two parties work together, and what the workplace is like. 
</p><h2>Staying Focused</h2><p>It may trace its roots to a little hashtag and just five letters, but the social media movement around workplace sexual harassment has “helped organizations pay attention and give it serious thought,” McPhilimy says — and that implicates internal audit. “Part of internal audit’s role is looking for risks in human resources and employment,” she explains. “We have a big role to play in ensuring controls are in effect in hiring, managing, and evaluating personnel and ensuring effective interactions.” Essentially, that means making sure there are training programs and policies and procedures that are documented, current, and effective. That’s a role internal audit always plays, of course. “It’s just that in the past, internal audit wasn’t so focused there,” she adds. “Maybe senior management didn’t think of internal audit as an effective tool for determining if there are problems in such areas. Particularly as it becomes a higher profile risk, though, that’s something internal audit should address with senior management.” </p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p><strong>Harassment Doesn't Discriminate</strong><br> </p><p>Most types of workplaces have faced harassment challenges, including universities, hospitals, and government. </p><ul><li>Higher education has taken more than one hit in cases that go far beyond harassment. Michigan State University (MSU) faces recurring headlines related to assault complaints against disgraced former staff and Olympic gymnastics team physician Larry Nassar and other school officials. Johns Hopkins University paid almost $200 million to about 8,000 former patients of deceased gynecologist Nikita Levy to settle 2014 charges involving his use of a concealed camera to photograph them during exams. 
And at Pennsylvania State University, the conviction of former president Graham Spanier and a new movie about former head coach Joe Paterno have kept alive the sexual misconduct case against former assistant coach Jerry Sandusky.<br></li><li>A 2016 Research Letter published in the <em>Journal of the American Medical Association</em>, “Sexual Harassment and Discrimination Experiences of Academic Medical Faculty,” reports that 30 percent of women on medical faculties experience sexual harassment. Its author says, “harassment is more common in fields where there are strong power differentials.” <br></li><li>In 2017, women working for U.S. Congress were “making fresh allegations of sexual harassment against unnamed members,” according to CNN. The Office of Compliance, which handles harassment complaints against members of Congress, paid victims more than $17 million, in 268 settlements, from 1997 to 2017 — including claims for racial, religious, or disability-related discrimination. <br></li><li> <a href="http://thehill.com/" rel="nofollow">TheHill.com</a> recently reported that “state legislatures across the country have reeled in recent months under allegations that legislators harassed or assaulted staff, lobbyists, and even colleagues.” The website noted that more than a dozen have resigned, and some have been expelled. <br></li></ul></td></tr></tbody></table><p></p>Russell A. Jackson
Editor's Note: Where Have All Our Heroes Gone (https://iaonline.theiia.org/2018/Pages/Editor's-Note-Where-Have-All-Our-Heroes-Gone.aspx)<p></p><p>My day ended yesterday with the news that Bill Cosby was found guilty in his sexual assault retrial. Not surprising, but discouraging, as I grew up watching America’s dad, Cliff Huxtable. I woke up this morning to the news that yet another iconic television news anchor has been accused of sexual harassment. I used to watch Tom Brokaw every night and have always admired him. </p><p>Many of my beliefs from adolescence have been shattered lately, probably because I was taught to respect those in authority. But perhaps the biggest blow to my beliefs was the recent accusations leveled at my alma mater, Michigan State University (MSU). This university has been a huge part of my life. I learned so much from the incredible professors in the School of Journalism. Beyond that, I have two nephews who currently attend the university and numerous family members who went there. My family cheers for MSU and considers its teams our teams, even though we’ve lived in Florida for nearly 20 years. I have an MSU flag flying outside my house. (You get the picture.)</p><p>The Larry Nassar story is beyond horrifying, and it breaks my heart that it happened at MSU. It would be bad enough if the story ended with Nassar, but it doesn’t. MSU’s former dean of the College of Osteopathic Medicine William Strampel reportedly failed to ensure restrictions were put on Nassar’s practice following a 2014 abuse complaint and now faces charges of sexual misconduct, himself. After this and more came to light, I had hope that MSU’s interim president, John Engler, would enact the changes necessary to make MSU whole again. However, he’s now being criticized for his response to survivors and there are calls for him to step down. 
</p><p>As this Editor’s Note was going into production, the Detroit Free Press reported that MSU had settled lawsuits with all 332 victims of Nassar’s assaults at a cost of nearly $500 million. Finally, some good news. The Free Press published a statement from the MSU Board: “We recognize the need for change on our campus and in our community around sexual assault awareness and prevention.” </p><p>It’s satisfying to see the women who have suffered sexual assault and harassment finally coming forward and getting restitution. The #MeToo movement (read <a href="/2018/Pages/Into-the-Light.aspx">“Into the Light”</a>) is forcing organizations, and internal audit, to take a closer look at sexual abuse and misconduct and how it is investigated and addressed. </p><p>Where have all our heroes gone? They’re still here. They are the women who are stepping forward and fighting back. And, they are the men and women in our organizations who are listening and addressing these issues.</p>Anne Millage
A Fish Rots From the Head Down (https://iaonline.theiia.org/2018/Pages/A-Fish-Rots-From-the-Head-Down.aspx)<p>"No organization is squeaky clean," notes Betty McPhilimy, retired chief audit executive at Northwestern University in Evanston, Ill. "But if leadership is suspect, as far as not doing the right thing or only doing it when people are watching, the organization tends to take on the culture at the top." Harassment mitigation "can't play out at a manager level," she emphasizes. "It's got to be the same up and down. If not, your shield has a bunch of cracks in it."</p><p>That's why so many president-level executives resign amid harassment scandals: Organizations need substantive, visible change, even if no one ever proves the executives knew what was happening. "Everyone generally realizes it's difficult to know what's going on at every single desk," McPhilimy says. "But that's what controls are for." And if the allegations concern more than a one-time incident, people assume that's how the organization runs — so "if you put in new leaders, people feel vindicated and you don't taint the new leaders with the sins of the past."</p><p>For the accused, there's no "innocent until proven guilty" in civil suits, explains Brian Koegle, a partner in the employment and labor law department of the Los Angeles office of Poole & Shaffery LLP. "The presumption of innocence is a construct of criminal law," he says. You're not found "guilty" in a civil case, you're found "liable," and the burden of proof is a preponderance of the evidence, 50 percent plus one. He adds, "I would argue that in this climate, you're presumed guilty. If someone had the fortitude to come forward with a claim of harassment, juries are primed to believe that person is telling the truth." Particularly when numerous accusers come forward and social media rapidly publicizes accusations.</p>Russell A. Jackson
Protecting Employees (https://iaonline.theiia.org/2018/Pages/Protecting-Employees.aspx)<p>Ask any CEO what the organization's most important asset is, and he or she will likely answer that it's the business' employees. Employees make the cash register ring, invent new products and services, and help meet the needs of the organization's customers and market. </p><p>Yet too often, when chief audit executives (CAEs) are asked what organizational asset they most commonly audit, their answers include inventory, fixed assets, receivables, and petty cash. They are far less likely to audit processes for protecting employees. </p><p>CAEs can help their organization create a safer workplace by auditing the processes in place for protecting the organization's employees, contractors, vendors, and other third parties on the job. They can start by better understanding the emotional, physical, and financial risks that put workers' well-being in danger and developing a plan to evaluate the related business processes. </p><h2>Workplace Behavior</h2><p>Of the many troubling events that came to light in recent years, perhaps the most significant was the glaring inability of many organizations to protect their employees from the inappropriate behaviors of others at work. In terms of personal risks, two behaviors stand out: inappropriate sexual behavior and bullying. </p><p>Inappropriate sexual behavior includes leering, standing too close to others, and touching others in ways that make them uncomfortable — or worse. Nonphysical bad behaviors include telling sexually explicit jokes, using sexual anecdotes, and sharing pornographic images.</p><p>The Workplace Bullying Institute (WBI) defines <em>workplace bullying</em> as abusive conduct that either threatens, humiliates, or intimidates co-workers, and other behaviors, such as verbal abuse or sabotage, that interfere with a co-worker's ability to perform his or her responsibilities. 
A 2017 WBI study notes that 19 percent of U.S. adults have experienced abuse and 37 percent, including witnesses, have been affected by it.</p><p>Internal auditors can help their organization prevent or detect inappropriate workplace behavior. Practitioners who have audited ethics processes should know to evaluate whether the organization has a code of conduct that highlights inappropriate workplace behavior. That code should provide information on how to report that behavior and detail its consequences. In addition to confirming that the CEO and senior management clearly and frequently communicate this message, internal auditors should evaluate whether middle managers are doing the same.</p><p>The audit scope also should include evaluating the channels available for employees to report inappropriate behavior. Auditors should determine whether the organization has a hotline, if employees are aware of it, and whether they can report anonymously or without fear of negative repercussions. Are hotline calls addressed timely, investigated thoroughly, and resolved? Are the CEO and the relevant board committee receiving information on hotline awareness, calls, and related investigations periodically?</p><h2>Physical Protection</h2><p>The impact of high-profile events such as the BP oil spill and shootings at businesses, schools, and universities put organizations on notice about the importance of physical safeguards to protect employees. But it's not just low likelihood but high impact events that can result in workers being hurt, hospitalized, disabled, or even killed. </p><p>Organizations sometimes put their employees at risk because of unsafe working conditions. This is especially true for employees who operate heavy equipment and machinery, work in construction zones, or work with or near hazardous materials. 
Organizations also may fail to protect their employees if they are not prepared for events such as tornadoes, hurricanes, geopolitical unrest, and violent acts by employees or others. </p><p>Internal auditors can perform many types of audits to evaluate how these security risks are being managed. Auditing to U.S. Office of Health and Safety Administration standards can help identify safety issues in different working conditions and whether workers are following generally accepted safety standards when working in high-risk areas. </p><p>Part of an organization's business continuity program should proactively identify the risks from natural disasters and terrorist incidents. The program also should determine whether employees are aware of, and trained on, the organization's crisis management plans. Internal auditors can leverage the ASIS physical security framework or the International Organization for Standardization's ISO 27001 standard on information security management to evaluate the mechanisms in place to deter or detect potential intruders. Moreover, they can recommend managing or restricting access to areas that may harm employees. </p><p>One way CAEs can focus the CEO's attention on employee safety is to remind executives that their own safety is at risk. They should evaluate the security measures in place to protect top executives and their families from being kidnapped or held for ransom.</p><h2>Data Privacy </h2><p>Loss and theft of employee data, including names, Social Security numbers, email addresses, and banking information, puts employees at serious risk of identity theft and fraud. This data allows criminals to take advantage of unaware employees by creating credit card or loan accounts in their names, or collecting medical payments or Social Security benefits. Hackers use sophisticated cyberattacks to steal employee data in bulk or use phishing tactics to steal it from individuals. 
Employee data also is at risk from other workers who have access to it and intend to misuse it.</p><p>Perhaps the easiest way a CAE can help protect employee data is to carry out a data governance and management project. Internal auditors can document what employee data their organization has, where it is located — such as in paper records or on the network — who has access to it, and the controls in place to prevent or detect unauthorized access.</p><p>Evaluating the organization's records management program can add value if employee data is stored in physical documents. Other audits include access-rights reviews of applications and systems that store sensitive employee data, and cybersecurity audits that evaluate how effectively an organization's network protects employee data and detects cyberattacks.</p><h2>A Top Risk</h2><p>Successful organizations understand it's their workers who make them thrive. Unsafe working conditions will make key employees flee, with lower revenues and margins quick to follow. Organizations with effective processes to protect their employees can experience higher employee morale and increased productivity. They also may be less likely to pay fines for noncompliance with related laws and regulations, better ensure the continuity of operations, and prevent damage to their reputation. </p><p>If people are an organization's most important asset, then the risks posed to those people should be among the top risks in the business. Internal auditors who can shed light on these risks and how well-controlled these processes are can gain their CEO's and board's attention and support.</p><p>Tom O'Reilly</p>
<h1>Risk Consumption</h1><p><a href="https://iaonline.theiia.org/2018/Pages/Risk-Consumption.aspx">https://iaonline.theiia.org/2018/Pages/Risk-Consumption.aspx</a></p><p>The concepts of risk appetite and risk tolerance were introduced in 2004 in The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) <em>Enterprise Risk Management–Integrated Framework</em>. Specifically, COSO defines <em>risk appetite</em> as "the amount of risk — on a broad level — that an entity is willing to accept in pursuit of value." Naturally, organizations will have different risk appetites depending on their industry, management philosophy, operating style, culture, and objectives. Therefore, a range of appetites potentially exists for distinct risks, which may change over time. It is conceivable that organizations with separate business segments with various operations or subsidiaries operating in differing industries will have varying levels of risk appetite. In pursuing diverse business objectives, organizations should broadly understand the risk they are willing to undertake.</p><p> <em>Risk tolerance</em> is the acceptable range of variation in the achievement of objectives. Both quantitative and qualitative measures are recommended when evaluating risk tolerance. And while risk appetite is about the pursuit of risk, risk tolerance is about what an organization can actually cope with at a more granular level. There is a lot of confusion surrounding risk appetite and risk tolerance, providing an opportunity for internal auditors to educate organizational stakeholders and facilitate risk measurement and management. </p><h2>An Updated Risk Framework</h2><p>COSO's 2017 framework update, <em>Enterprise Risk Management–Integrating With Strategy and Performance</em>, likely will create a heightened expectation for risk and compliance functions. Internal auditors are expected to educate executive management and the board in this area and to apprise them of key enterprise risk management (ERM) developments. 
COSO's 2017 ERM revision appropriately reflects the growing realities of the complexities and speed of risks in the global business environment and the need to integrate risk considerations with strategy and performance. Internal audit is positioned to provide an assessment of the propriety of the measures of the organization's risk appetite and tolerance. </p><p>The 2008 financial crisis and the subsequent recovery highlight how some of the largest corporations defined and measured their areas of risk and related appetite for risk, but still experienced massive business failures due to their risk management systems crashing. Many of the failures can be attributed to the lack of understanding about the level of risk tolerance an organization can truly accept. Despite setting clear goals, there may not have been any articulation of risk appetite or identification of those responsible when risks were incurred. Since the recovery, organizations have developed even more systems to address and measure their level of risk appetite, but a disconnect continues to exist as to how much risk tolerance the organization can truly accept — despite the proliferation of chief risk officers in certain industries.</p><h2>Internal Audit's Role </h2><p>As the independent function within an organization, internal audit ideally is positioned to assess what level of risk tolerance is truly being accepted by an organization. The unique relationship that internal audit has with operational management, senior management, and the board of directors allows for unbiased reporting of risk appetite and the level of tolerance that can be accepted. </p><p>Over the years, organizations focused on documenting and reporting their risk appetite and did not extend that effort to the level of risk tolerance the organization might accept. In other words, organizations became adept at measuring the size of the risk meal, but not the potential consequences of consuming the whole meal. 
Taking that analogy further, overconsumption typically leads to indigestion — and it may lead to dire consequences for the organization. </p><p>Addressing risk appetite and risk tolerance under the updated COSO ERM framework leads the internal auditor toward a matrix reporting of the organization's risk areas, risk appetite, and risk tolerance. Today, many internal audit functions use reporting tools such as heat maps, which can be adjusted to include qualitative and quantitative measures, enhanced visual presentations, and other forms of output indicating the potential risk tolerance outcomes the organization accepts. </p><p><img src="/2018/PublishingImages/Ramamoorti_SampleMatrix.jpg" class="ms-rtePosition-2" alt="Sample Matrix of Risk Reporting Within Organizations" style="margin:5px;width:530px;height:261px;" />A matrix reporting structure gives senior management and the board a more robust picture of risk within the organization. It includes results of internal audit testing presented by functional and business areas (See "Sample Matrix of Risk Reporting Within Organizations" at right). A risk issue in purchasing would be reported not solely for purchasing, but also for manufacturing and finance to reflect the wider impact to the organization. Further, this reporting would provide both quantitative and qualitative risk tolerance and risk appetite assessments and indicate whether additional action may be required. To illustrate, an automotive parts manufacturer provides its purchasing department the forecast for its aluminum raw material needs for the next six months. Purchasing is rewarded based on the level of cost controls over major essential purchases and in preventing stock outs of essential purchases. Suppose the purchasing department buys double the amount requested because the supplier offered a special volume discount. On the surface, the organization would have viewed its level of risk appetite in purchasing as low because raw materials are readily consumed. 
However, the level of risk tolerance being accepted by allowing the purchasing department to overstock has qualitative issues (e.g., rewards based on cost and on preventing stock outs). From a quantitative standpoint, the risk tolerance may be unacceptable given that the over-ordering of aluminum could lead to cash flow problems for payment, logistics costs for storing excessive amounts of inventory, and plant efficiency issues because of the space taken up by excess inventory. Reporting of this qualitative excess of risk appetite to purchasing, manufacturing, and finance would bring the wider effects into sharp relief. Given the integrated nature of manufacturing operations and incentive compensation systems, such effects must be carefully considered before taking action. </p><p>Frequently, the results of internal audit reporting require management to address risk appetite in a cross-functional manner. For instance, an acceptable level of risk appetite in purchasing may be unacceptable in finance. Although the planning phases of ERM typically may involve executive management across functions, this may not be true when results of risk assessments or findings are shared. A concerted effort should be made to share these results broadly to avoid narrow acceptance of findings and unintended consequences. In other words, the same breadth of organizational input that went into planning should exist when evaluating the output and outcomes as well.  </p><h2>A Complex Assessment</h2><p>The basic risk-reward theory from financial economics informs us that assuming a certain threshold of calculated risk is necessary for business success. Once a certain level of risk within the risk appetite has been assumed, the next step is to worry about how much more risk can be tolerated. Business environments globally are dynamic and ever-changing. 
As such, both risk appetite and risk tolerance must be evaluated in the context of a shifting landscape, tracking a constantly moving target — a complex assessment that is easier said than done. </p><p>Specifically, with regard to risk management policies, reference points, and boundaries, the internal audit function must evaluate existing risk tolerance and risk acceptance relationships to determine whether:</p><ul><li>Existing risk tolerances are appropriately linked to the organizational risk appetite.<br></li><li>Additional risk tolerances need to be created to ensure that the business is effectively managed relative to the risk appetite.<br></li><li>The company is operating within the risk tolerance parameters that it has established.<br></li></ul><p>Once it has completed the risk assessment, internal audit then must communicate its findings to help senior management and the board understand the company's current state. Reporting in a matrix format with assessment of risk tolerance and risk appetite by affected functional areas is useful to allow management to address issues in a more holistic manner. For board and audit committee reporting, the need is to be more concise and direct as to where quantitative or qualitative risk tolerance and appetite areas seem problematic (flag as red), could be cautionary (flag as yellow), or appear acceptable with no items to report or no action required (flag as green). Some boards and audit committees might only want to see items flagged as red or yellow to avoid information overload — critical due to myriad challenges that many organizations face in today's volatile, global economic environment. Volatility is the new norm in today's business climate and makes it more important than ever to understand the relationship between an organization's risk appetite and its risk tolerance. 
Correspondingly, this reality also underscores the importance of continuously re-evaluating the risk appetite statement in light of changing conditions. </p><h2>Enhancing Risk Management Capabilities</h2><p>As organizations move aggressively to enhance their risk management capabilities, risk assessments of risk appetite and risk tolerance are going to assume a new and higher level of significance. While risk appetite will always mean different things to different people, a well-communicated, appropriate risk appetite statement can actively help organizations achieve goals and support sustainability. Clearly, risk management capabilities are evidenced by having disciplined and systematic ways of measuring, calibrating, and responding to risk. In today's environment, such capabilities have become indispensable. Unless internal audit coaches executive management and the board to thoroughly understand the relevance and importance of the vocabulary around risk and control, organizations will still not have learned real lessons from 2008's financial crisis.</p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p><strong>Questions for Internal Audit, Executive Management, and the Board</strong></p><p><strong>Internal audit should consider:</strong></p><ol><li><em>Quantitative and qualitative reporting:</em> As the internal audit department updates or develops its risk assessments of the organization by functional areas against pre-established criteria, does it report the level of risk appetite in both qualitative and quantitative terms?<br></li><li><em>Traffic-light indicators:</em> Are there indicators reported in the assessment of the levels (red/problematic, yellow/cautionary, green/acceptable) of risk tolerance the organization is accepting?<br></li><li><em>Variability reporting:</em> Are the levels of risk tolerance being presented in terms of variability? Are these within allowable bands of variation?<br></li><li><em>ERM training adequacy:</em> Are the levels of training provided for internal audit personnel and for those in governance over risk policies, management, and acceptance processes adequate?<br></li></ol><p><strong>Management should consider:</strong></p><ol><li><em>Enterprisewide risk communications:</em> Have the organization's strategies and objectives been fully communicated throughout the organization? Has this communication addressed the level of risk tolerance and risk appetite that is considered acceptable?<br></li><li><em>Cross-functional application:</em> Does management have a cross-functional opportunity to address issues raised by internal audit in its reporting of its assessment of risk tolerance and risk appetite?<br></li><li><em>Scenario analysis:</em> Does management view risk tolerance and risk appetite assessments using "what if" scenarios to consider business volatility?<br></li></ol><p><strong>The board and the audit committee should consider:</strong></p><ol><li><em>Comprehension of ERM philosophy:</em> Does the board understand the level of risk tolerance and risk appetite being accepted in the organization and as implemented by management?<br></li><li><em>Board/internal audit relationship:</em> Does the board have direct input into the level of assessment being performed by internal audit to report its results quantitatively and qualitatively?<br></li><li><em>Responsible and prudent governance:</em> Is the risk reporting in sufficient detail to allow the board to fulfill its governance responsibilities to address any concerns that could affect organizational stakeholders?<br></li></ol></td></tr></tbody></table><p>Sridhar Ramamoorti</p>
