Risk and Compliance



A Rational Mindsethttps://iaonline.theiia.org/2020/Pages/A-Rational-Mindset.aspxA Rational Mindset<p>​Remember the scene from <em>Raiders of the Lost Ark</em> where Indiana Jones enters the Well of the Souls, which happens to be a snake-infested pit? After throwing a torch into the pit to reveal his plight, he exclaims, "Snakes … why did it have to be snakes?"</p><p>Granted, this scene is plotted to presume the snakes are venomous, so Indiana's fear is rational. But his initial reaction reveals his bias about snakes in general — the same way some people are irrationally averse to risk. </p><p>Internal auditors have a professional duty to remain objective as they perform their work. This unbiased mindset must extend to remaining rational when it comes to communicating with audit clients about risk.</p><h2>Why Did It Have to Be Risk?</h2><p>Snakes are vilified as animals that hide in dark places, stealthily seeking out prey and striking when they least expect it. An objective study of snakes reveals a much more accurate view of these complex creatures. Not all snakes are aggressive, nor are they all venomous or massive constrictors capable of inflicting great harm to people, as we often see in movies or hear about in the news. </p><p>In fact, snakes can be beneficial. Take the black rat snake, which is effective at controlling harmful rodent populations. One black rat snake can eat 100 mice per acre in a year. What farmer wouldn't readily adopt at least a couple of these hunters to offset the negative impact mice have on property and equipment, not to mention the potential spread of disease?<br></p><p>People sometimes perceive risk with the same irrational viewpoint. Too often, when discussing risk and risk management philosophy with business professionals in the course of internal audit work, the conversation gravitates toward an unbalanced, negative attitude about risk. </p><p>One time, my audit team was conducting an audit workshop with a group of business managers. The team was explaining how our audit activities were risk-based so that we focused on things that matter most to their functions' success. The supervisor for this group of managers interrupted our discussion to admonish the group that they needed to be focused on risk to eliminate it from the company. While it was an innocent exclamation the supervisor truly believed, it was an unfortunate and unplanned distraction from our discussion that the audit team had <br>to clarify with the workshop participants. </p><p>The interruption turned out to be a blessing in disguise. It enabled the internal audit team to lead a healthy discussion about the opportunities that also accompany risk, while explaining that eliminating risk was not realistic nor necessarily a desirable goal.</p><h2>Shifting the Risk Mindset</h2><p>With all the focus organizations have devoted to enterprise risk management and updated risk management frameworks, they still get trapped in a vortex where risk is seen in a lopsidedly negative light. Internal audit should thoughtfully redirect this line of thinking when such an uninformed view of risk and risk management is expressed. </p><p>The snake analogy is a good proxy for reframing the risk discussion. The word <em>risk</em> often is misunderstood. Like snakes, risk can do serious harm, so people instinctively project harm to all risk. But is this rational? </p><p>In finance, <em>risk</em> frequently is paired with the word <em>reward</em> to describe offsetting outcomes related to a decision. While taking any given risk may result in a bad outcome, there also is the prospect of a good outcome. No risk, no reward, as the saying goes. This is a more rational view of risk. </p><p>Internal auditors can help organizations balance attitudes about risk by talking and acting rationally about risk. For instance, they shouldn't use risk exclusively as a "four-letter word" in discussions with other business professionals. Risk mitigation is only one potential risk response alternative. When approaching risk assessments or new audit engagements, internal auditors should talk about how informed risk-taking is essential to the organization's growth prospects. </p><p>Internal auditors should counsel clients that risk acceptance is sometimes the best risk response. This can be the case when other risk response alternatives are costly or when the risk is relatively mild. Accepting a risk while continuing to monitor it for changes that may justify a different response is a rational reaction. </p><p>In other instances, it is appropriate to exploit risk for its opportunity. In times of crisis or disruption, offsetting opportunities can present themselves in the face of emerging risks. In these instances, risk opportunities can serve as a hedge against simultaneous negative risk outcomes. When internal auditors set a good example, clients and other stakeholders are more likely to respond to risk with a more rational mindset.</p><h2>Thinking Differently About Risk</h2><p>Let's think about snakes and risk a little differently. A more neutral word to use for snake is reptile. Some reptiles can cause harm to people in certain circumstances such as swimming in a lake known to have large alligators or walking through terrain known for rattlesnakes. In other situations, such as rodent control, reptiles are benign or helpful. </p><p>Likewise, a less polarizing term for risk is uncertainty — specifically, about some outcome. Risk is neither bad nor good; it's just uncertainty. When auditors use the word <em>uncertainty</em> when discussing risk, they can have a more objective, and less polarized, discussion and avoid the biased, negative connotation. This allows auditors to unlock the real value of an intellectual discussion about risk — refocusing attention on decision-making. </p><p>Uncertainty hinders decision-making. The more uncertainty that exists about a pending decision, the more difficult it is to make a decision that will result in a favorable outcome. The better decision-makers can understand the uncertainty they are faced with in a decision, the more likely they should be able to optimize the outcome they are seeking from any given decision. </p><p>The coronavirus pandemic comes to mind. In the present, fear of the unknown is dominating the response conversation. This is a crisis that has not been experienced in most of the modern world, and government leaders are struggling to craft effective responses because of the uncertainty that exists. </p><p>In time, this threat will subside. The world is currently experiencing negative outcomes; however, positive outcomes could emerge, such as a more resilient health-care system to deal with similar threats in the future.</p><h2>Risk Doesn't Have to Be Scary</h2><p>When risk is obscure and lurking in the darkness, it seems more like a rattlesnake waiting to strike against an unsuspecting victim. But when risk is visible, understood, and appreciated for its potential benefit, organizations can exploit it for a beneficial outcome or control it to minimize a negative outcome. With this shift in mindset, risk becomes less of a scary monster and more of a device that uses rational decision-making to optimize risk outcomes. <br></p>Rick Wright1
Testing the Boundarieshttps://iaonline.theiia.org/2020/Pages/Testing-the-Boundaries.aspxTesting the Boundaries<p>​The outbreak of COVID-19 has forced regulators in the U.S. and around the world to focus on the immediate impacts that the pandemic is having on companies, markets, and consumers. And while some watchdogs have said they may relax some rules or reduce scrutiny to help businesses operate more smoothly, experts warn it does not mean companies should loosen their internal controls. Nor should they take advantage of the situation by engaging in questionable, or even illegal, practices in the hope that authorities have less appetite — or means — to investigate and enforce the rules. As companies face temptation and risk noncompliance, internal audit has a strong role to play in helping them adhere to the rules.<br></p><h2>Business as Usual</h2><p>"Companies are still liable for compliance failures," says Hermès Marangos, partner at U.K. law firm Signature Law. "The virus emergency does not postpone or modify the law — there are no exemptions unless so provided by the legislation itself. Despite this, there are already individuals and entities trying to profiteer, behave unethically and contrary to laws and regulations in many instances," he says.<br></p><p>One area of corporate activity that has seen a relaxation of some rules is competition law. To enable the supply of key medicines, health-care equipment, food stuffs, and other urgent goods, anti-trust regulators have allowed competitors to work together — albeit in very specific and limited circumstances. In some regions, such as Europe, companies can even apply for "comfort letters" to gain increased assurance from the regulator as to what practices may be allowable under these exceptional circumstances, and for how long.  But lawyers warn companies against thinking that such arrangements are the "new normal," or that a relaxation of the rules in one area means that closer cooperation in other areas of business has been tacitly allowed.<br></p><p>Some companies also risk misinterpreting signals from regulatory agencies that enforcement may be pared down. They may assume that watchdogs will focus their resources on tackling companies committing the worst abuses or causing harm to the biggest number of consumers, rather than target organizations generally that have failed to comply. For example, in Europe — which has probably the toughest and most punitive data protection laws in the world under the General Data Protection Regulation — several data protection authorities have said they will naturally be drawn to investigating the "worst offenders."<br></p><p>But lawyers point out that this does not mean companies have been given any special dispensation not to follow the rules as normal. It simply means that the regulators have prioritized their resources.   <br></p><p>"As regards data privacy and enforcement, it is business as usual," says Sarah Pearce, privacy and cybersecurity partner at international law firm Paul Hastings. "No dispensations are being made under current circumstances. Most data regulators have said data protection principles still apply and should be adhered to, so businesses should certainly not view COVID-19 as an excuse for noncompliance."<br></p><p>Companies risk noncompliance by misinterpreting any sign of rules easing — or they may even assume a relaxation simply due to the pandemic. "While there may be some delayed reaction in terms of enforcement by certain regulators due to limited resources during this time, that is not to say there won't be enforcement later down the line," Pearce says. <br></p><h2>Penalties Still Apply</h2><p>Experts also warn against assuming that penalties will be reduced because firms are under financial pressure. Michael Ruck, partner at U.K. law firm TLT, says that although regulators are redeploying their resources during the response to coronavirus, resulting in a reduction in the number or progress of investigations, the top-level amount of fines or penalties imposed will not be relaxed. <br></p><p>"In periods where it is difficult to trade or where profit is hard to come by, there are inevitably instances of a small number of corporates or individuals being increasingly willing to stretch the interpretation of regulatory requirements — sometimes beyond their breaking point," Ruck says. "A perceived relaxation of regulatory intervention may encourage such behavior, but those that are tempted should beware."<br></p><p>While regulators may have discretion to reduce penalties in circumstances where incidents of accidental or low-level noncompliance occur, experts still warn that it will always be the authority that calls the shots.<br></p><p>"Regulators understand that the crisis is putting pressure on firms meeting their day to day obligations and are likely to be reasonable with firms that are making a reasonable effort to comply with regulations in a trying times," says Ian Thomas, regulatory solutions specialist at Quorsus, a financial services consulting firm. "That said, the keywords here are 'reasonable' and 'comply.' Cash crisis or not, the regulators are unlikely to hesitate to issue fines for serious breaches or offences — for example, those financial services firms that put client money at risk." <br></p><h2>An Essential Resource</h2><p>Due to fears that organizations might choose to sail close to the wind if they feel that regulators might allow it, several experts believe that internal audit has a strong role to play in ensuring their organizations follow the usual strict codes of compliance.  <br></p><p>Camilla Winlo, director at international data protection and privacy consultancy DQM GRC, says that "it's good to see regulators taking a pragmatic view of enforcement." But she warns that organizations still need to be mindful of the need for regulatory compliance. <br></p><p>"Internal audit functions need to be particularly aware of the need to carry out risk assessments and policy and process gap analyses to identify where risks have been introduced and ensure that their organizations come back within their risk appetites as quickly as possible," she says.<br></p><p>Nicola Howell, senior compliance and privacy attorney at commercial data and analytics firm Dun & Bradstreet, agrees that there should be no "let up" in following the rules. "Internal audit teams should not be complacent about enforcement and should proceed with upholding the policies their organizations had in place before COVID-19 took hold," she says. "While justifiable allowances may be made, any significant departure from legal requirements or previous company policy could significantly backfire on a business."<br></p>Neil Hodge1
Responding to the Crisishttps://iaonline.theiia.org/2020/Pages/Responding-to-the-Crisis.aspxResponding to the Crisis<p>While many organizations were monitoring the spread of COVID-19 from China to the U.S., executive leadership at The IIA was already taking action. They were meeting regularly to discuss several upcoming events scheduled in March within a span of three weeks, including the General Audit Management (GAM) conference in Las Vegas, Global Assembly in London, and Leadership Academy in Orlando. </p><p>"We started monitoring COVID-19 early on because of our certifications business in China," said Bill Michalisin, The IIA's chief operating officer. "Our testing centers there started shutting down in early February, so we took note and began mobilizing to explore alternatives." With attendees from more than 50 countries planning to attend GAM, IIA leadership had to take a closer look at the safety of IIA staff and attendees. </p><p>Once cases of COVID-19 emerged in Washington State and California, events unfolded quickly and the decision was made to turn the in-person GAM conference into a virtual event, livestreamed from the conference hotel. But even as IIA staff arrived in Las Vegas, they were notified that the hotel was closing down due to the pandemic, and the three-day event would now be a one-day event. </p><p>"When times get tough, that's when your people rise to their best," Michalisin shared. "We focused on delivering the program and getting our staff and members back home safely." IIA staff did not return to the office, however, as IIA President and CEO Richard Chambers had shut down Headquarters and instructed employees to work from home.</p><p>As this was happening, Chief Risk Officer Greg Jaynes was conducting a risk assessment to ensure employees had the resources to work from home. "We had to develop guidance for people who had never used the VPN to log in to the office," he explained. "People were taking on roles that they never had before to get people up and running."</p><p>As decisions were being made, Lynn Moehl, The Institute's chief audit executive, was taking on a monitoring and advisory role and looking across the organization to make sure it was a cross-functional effort. In the highly charged situation, she told webinar attendees, she had to ask, "Are we making decisions based on the best set of information we have? How do we communicate about GAM, issue refunds, and switch people from in-person to virtual attendees?" </p><h2>Driving Change</h2><p>An event like COVID-19 can be a significant change driver for organizations. According to Michalisin, The IIA has taken a step back to look at what its members need and want and asked, "How can we help them survive and thrive?" The IIA immediately began developing daily news items in the <a href="/2020/Pages/COVID-19-Newswire.aspx"><span style="text-decoration:underline;">COVID-19 Newswire</span></a>, pulling together content related to the pandemic in the <a href="https://na.theiia.org/Pages/Updates.aspx"><span style="text-decoration:underline;">COVID-19 Resource Exchange</span></a>, and looking at how to evolve training and certifications so members can still access the resources they need virtually to help them navigate the crisis now and be better positioned to help their organizations do the same in the long term. The Audit Executive Center began hosting roundtable discussions so CAEs could connect on issues and The IIA could share what CAEs are doing in their organizations with the broader membership.  </p><p>"I think it's going to change the way we do business going forward," Jaynes said. "Whether it's flexibility, taking on different roles, reprioritizing goals for the year or deferring some, it's forced us to look at our operations differently." </p><p>This scenario has allowed The IIA to think differently about how it operates and apply a more entrepreneurial spirit while identifying opportunity to better serve our members and the profession, Michalisin told attendees.</p><h2>Staying Connected With Members<br></h2><p>Members are at the core of The IIA's business so The Institute continues to reach out to CAEs and members to help them navigate the crisis, Michalisin said. Internal auditors still have to maintain their primary roles within their organizations and now they're trying to figure out how to do that in the shadow of a global pandemic. They're looking for guidance on how to complete a virtual quality assessment, or continue their professional development, or revamp a risk assessment, and The IIA is trying to meet all those needs, he explained. </p><p>"We've continued to have great engagement with our members and we're learning as they're learning," Michalisin shared.</p><h2>Opportunity for the Profession</h2><p>COVID-19 has provided a huge opportunity for internal audit to step up, and stakeholders may be taking note of that for the first time. As Jaynes said, "Internal auditors have been exposed to all the nuts and bolts of a business. Who else can bring that perspective and information to the table very quickly?"</p><p>Moehl added that it has highlighted the need for internal auditors to be viewed as a critical resource. "It's an opportunity for your function to demonstrate the value it can bring the organization —being agile and getting things done in a different way." As the crisis began to develop, Moehl put aside her audit plan and asked where she could be of help.</p><h2>Front-line Advice</h2><p>This pandemic won't be the last, but it has taught organizations that they can never be fully be prepared, said Michalisin. Testing business continuity plans, learning to be flexible, and not losing sight of emerging risks can at least give them a head start. </p><p>"Learn from what you're dealing with every single day and commit to the fact that whatever the new normal will be will move your organization forward," Michalisin advised. "If we go back to where we were before COVID-19, then we haven't applied that learning." Part of that is staying focused on your people and communication.</p><p>"As an internal auditor, continue building relationships and your brand within the company," Moehl said. "Relationships with all levels of staff are key to being plugged into risk." <br></p><p>And integrating risks into decision-making, planning, and forecasting, said Jayne, is where we all can do a better job.<br></p><p>View the full webinar: <a href="https://www.workiva.com/resources/roundtable-iia-executives-business-continuity-speed-covid-19-risk">Roundtable With IIA Executives — Business Continuity at the Speed of COVID-19 Risk</a>.<br></p>Shannon Steffee0
The Value in the Business Ecosystemhttps://iaonline.theiia.org/2020/Pages/The-Value-in-the-Business-Ecosystem.aspxThe Value in the Business Ecosystem<p>​Whether they know it or not, consumers in today’s economy are likely being impacted by an organization’s third parties daily. From online merchants, and the delivery partners they use to complete the transaction, to call centers and other support services, third parties support organizations in almost every imaginable way. </p><p>In the end, these end-to-end business “ecosystems” are what drive value creation and revenue for today’s organizations. Some examples may not be in the control of the organization or its third parties, such as the recent coronavirus outbreak that has had a global impact on operational value chains. And as things go wrong, it is likely that the organization with the brand name is the one impacted and not the third party supporting the product or service in the marketplace. </p><p>Understanding an organization’s end-to-end processes and how those processes deliver value should be the objective and outcome of an internal audit. That means internal auditors must look beyond third parties to incorporate key fourth, fifth, and sixth parties into planning, scoping, and executing every audit — a process known as “ecosystem management.” </p><h2>Shifting the Emphasis</h2><p>Focusing on an organization’s ecosystem can change the underlying approach and output of an internal audit. Aiming scoping questions, walk-throughs, and outputs at the organization’s external partners shifts the emphasis from control gaps, issues, and items requiring resolution to how the business protects its value-driving activities and profit-making ability. This doesn’t mean that an organization should change how it plans its annual internal audit schedule. Instead, it should integrate three key principles into how it executes each audit. In other words, the annual audit schedule should continue to focus on higher risk areas, but the scope of each audit should include the ecosystem principles. This approach may result in longer and more complex audits.</p><p><strong>Focus on End-to-end Processes</strong> Audits should focus on the auditable entity and how each process supports the desired inputs and outputs. The scope of the audit of each end-to-end process should include a view of third, fourth, and fifth parties that drive business value. This approach requires auditors to conduct activities as if the external parties are internal to the organization. The audit should demonstrate how the auditable entity delivers value: through internal people, processes, and technologies only; external parties; or a mix of both.</p><p><strong>Focus on Return on Investment (ROI) and Value-generating Activities</strong> Audits should focus on how each process and end-to-end activity supports ROI generation. If the process doesn’t support the organization’s ROI, auditors should question its role in the broader organizational ecosystem. The role of external parties in supporting value-generating activities should be a key focus of this exercise. </p><p><strong>Include Business Resilience in the Context of Business Activities</strong> To get operational resilience right requires a change in perspective by management, boards, IT functions, and control functions. For a long time, organizations have focused on determining the probability of an adverse event occurring and ways to prevent it or minimize the damage. As part of this approach, most organizations have developed business continuity and disaster recovery plans, including simulated testing. Business resilience is broader than those traditional topics, though, encompassing business, cyber, infrastructure, and third-party resilience. Internal audit can help drive the broader perspective of operational resilience by integrating these concepts into its ecosystem management approach. </p><h2>Integrate Process Documentation</h2><p>When conducting integrated ecosystem audits, internal audit should combine internal and external process documentation into a single and consistent documentation standard. Auditors should communicate this standard to the auditable entity to allow enough time to capture external party documentation in the preferred format, including process and control information. </p><p>This approach gives internal audit and other internal parties a single viewpoint on how business activities are driving value and profits. Additionally, it enables internal audit to effectively challenge each auditable entity on the risks and underlying strength of its controls, and how they protect the interests of the organization. </p><h2>Manage Third and Fourth Parties</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>​Ecosystem and Extended-party Risk Questions</strong><p>The following examples are questions specific to third-party management that can be used in ecosystem audits:</p><ol><li>Does a third party support the business activity in meeting its market and customer needs?</li><li>How does the organization monitor the quality of its third parties and their ability to continue to meet the organization’s needs?</li><li>Does the decision to leverage a third party align with the organization’s strategic decisions and key competencies? </li><li>Does the use of a third party expose the organization to additional reputation and brand risks that must be monitored and managed? </li><li>What outputs of the process drive value- and profit-generating activities for the organization? </li><li>Does the use of a third party create potential disruption risks, including impacting the organization’s ability to continue to operate and generate value? </li><li>Does the third party maintain plans to ensure its services would continue in the event of a disruption? </li></ol></td></tr></tbody></table><p>Does the organization know who its third parties are and how they support value-generating activities (see “Ecosystem and Extended-party Risk Questions” at right)? If it does not know, that could spell problems for the organization as a whole and for auditors conducting an audit, as it should be the starting point to completely understanding the ecosystem. </p><p>Maintaining a list of contracts and data that does not explain which processes are supported by third parties does little to enhance this understanding. Organizations should go beyond such lists by determining who the third parties of the third party (fourth parties) are. This exercise boils down to two questions: </p><p></p><ul><li>Does the organization understand how it delivers its value proposition to the marketplace? </li><li>Does that understanding include how its suppliers, service providers, or other entities contribute to that overall mission? </li></ul><p><br></p><p>The organization does not need to know every single party within the chain of external relationships. However, it should have a solid understanding of those parties that help to support its value-generating activities. Parties that have direct inputs are defined as value-generating.</p><p>Once an organization has an end-to-end view of internal and external processes, it should consider controls among the entities. This requires internal audit to document the operating controls of both the auditable entity and the external parties supporting the delivery of the activity. They also must capture the controls monitoring the transition of processes (hand-offs) between the entities. </p><p>That last category becomes more important for key activities that are outsourced to fourth, fifth, or sixth parties. In such scenarios, the organization may rely on an external entity to monitor the quality of delivery of those activities. While this may seem like a lot of additional work, in theory, the business already should have a view of these key activities and monitoring protocols in place to protect its own interests. </p><p>If a third party refuses to provide the requested support or documentation, auditors should still be able to understand how the auditable entity monitors third parties’ performance in delivering inputs or services. That knowledge can improve their understanding of the value external parties deliver to the entity. </p><h2>Link to Operational Resilience</h2><p>Business resilience requires organizations to focus on activities that are critical to their customers and markets, and the infrastructure needed to continue to provide those services. Within ecosystem audits, internal audit should help capture and challenge the business understanding of the end-to-end ecosystem, and whether business leaders are considering all the risks associated with it. Auditors should leverage recent industry and world events as examples to challenge the business on whether it is truly resilient to known and unknown risks to value-generating activities.</p><p><strong>Identify Critical Services</strong> The organization should identify which of its activities are critical to customers, other market participants, the ongoing continuity of the organization, or the economy. It should prioritize these services for resiliency and have clear tolerances for disruption to those services.</p><p><strong>Understand Impact Tolerance</strong> The organization should use scenarios to estimate the extent of disruption to a business service that it could tolerate. Scenarios should be severe but plausible and assume that a failure of a system or process has occurred. The organization must then decide the point at which disruption becomes no longer tolerable. While using cyber events for such scenarios can focus attention, the organization also should use other events in scenario analysis such as failure of change or IT implementation, and disruption at third parties, outsourced providers, or offshore centers. Senior management and the board should use the information to update policies and contractual agreements, and drive investment decisions around improving business processes.</p><p><strong>Understand Change Processes</strong> The operational resilience program should evolve with the business as it changes. The organization should understand what external or internal factors could change over time and the trends that could impact key business services, and adjust its resilience plans accordingly.</p><h2>Focus on Value </h2><p>Embedded in the audit methodology should be a focus on the business’ value-identification, value-generation, and value-realization activities. Every business audit should capture documentation consistently to support the understanding of internal and external processes and controls. </p><p>Internal auditors should ask about external entities and collect data to understand the future state of key third parties. They should discuss the criticality of activities and their relation to value-generating activities. Auditors should link the concept of key activities, third parties (and additional parties), and process inputs and outputs to value generation and ROI across the organization. Finally, they should provide an opinion on whether activities are generating the most value possible and whether the business is allocating the necessary resources to meet that objective.</p><p><strong>Business-as-usual Audits</strong> Integrating these concepts into business-as-usual audits can benefit the organization by focusing on the criticality of value-generating activities. As a result, they can help the organization identify key business risks. During these audits, business personnel typically are more comfortable discussing why the business operates in the manner it does. Moreover, integrated audits limit the need to perform targeted audits on third-party risk, business continuity, cyber risk, and operational resilience.</p><p><strong>Standalone Audits</strong> For organizations that can’t integrate these ecosystem concepts into business-as-usual audits, an ecosystem management audit can help them understand how the business delivers value. That understanding is fundamental to gaining a holistic view of the organization’s risks. Conducting this audit starts with answering questions about the value delivered to external and internal stakeholders. </p><p>Questions for external stakeholders include: </p><p></p><ul><li>What products and services does the organization offer?</li><li>How does the organization deliver its products and services?</li><li>What would happen if the organization couldn’t deliver its products and services?</li><li>How does the organization confirm that its products and services are meeting the needs of the market?</li><li>How does the organization confirm that its products and services are meeting its legal and regulatory obligations?</li><li>For internal stakeholders, auditors should ask:</li><li>How does the organization continue to operate profitably and promote its core values?</li><li>How does the organization continue to meet board members’ expectations?</li><li>How does the organization promote the continued success of its employees and their future well-being?</li></ul><p><br><strong>Risk Management Program</strong> The answers to these questions can help the organization build core data to support an ecosystem risk management program. The organization can leverage this data across its enterprise risk management frameworks to provide a common taxonomy for how the business drives value.</p><p>Moreover, the answers can help the organization address additional questions that could provide a basis for developing an ecosystem mindset for future-state audits: </p><p></p><ul><li>What products and services do we offer, and how do we deliver them? For example, does the organization provide 100% of products and services through internal processes, or does it rely on third parties to provide 50% of inputs, outputs, or continued servicing?</li><li>What are the core business objectives, and how does the organization manage them? </li><li>Does the organization’s culture align with its products and services, and is it consistent with the core business objectives?</li></ul><p><br></p><h2>A Deeper Understanding of the Business</h2><p>Some internal auditors may find the ecosystem management audit concept far-fetched. These professionals may think such audits are beyond their organization’s capabilities. While this is a reasonable view, those practitioners should keep in mind that without the value the business generates, their role within the organization would not exist.</p><p>Internal audit functions should drive value to an organization wherever possible. Standalone audits of value-chain operations can be beneficial to ensuring they function effectively. However, by embedding ecosystem management concepts into business-as-usual activities, internal auditors can drive a deeper understanding of the organization’s value-generating activities and most profitable businesses. </p>Brian Kostek1
On the Money: Time to Revisit Financial Riskhttps://iaonline.theiia.org/2020/Pages/On-the-Money-Time-to-Revisit-Financial-Risk.aspxOn the Money: Time to Revisit Financial Risk<p>​A decade of unprecedented loose monetary policy designed to stimulate the global economy has been a godsend for businesses. Cheap financing has allowed companies to invest in growth and reward shareholders with share buybacks, pushing stock markets to record highs. Recent years have been good to CEOs. </p><p>Meanwhile, increasingly sophisticated automation and a belief that financial risks were relatively well-understood, compared with some emerging audit areas, mean that many internal audit functions had put financial risk on a back burner. But accommodating financial conditions also have allowed risks to build. "In advanced economies, corporate debt and financial risk-taking have increased, the creditworthiness of borrowers has deteriorated, and so-called leveraged loans to highly indebted borrowers continue to be of particular concern," Tobias Adrian, financial counselor of the International Monetary Fund, told an audience in April 2019 at the launch of the most recent Global Financial Stability Report.</p><p>It is hardly surprising then that financial risk has moved back toward the top of the list of business risks cited by chief audit executives in the Risk in Focus 2020 report, a collaboration among IIA institutes in Belgium, France, Germany, Italy, the Netherlands, Spain, Sweden, and the United Kingdom and Ireland. Nearly one-third of respondents listed it in their top five risks. As news headlines highlight a plethora of concerning indicators — anti-globalist trade policy, weak manufacturing data, the inversion of the yield curve on various government bonds, decelerating global growth, and other recessionary signals — boards and audit committees are increasingly likely to seek assurances that financial risk is being mitigated effectively.</p><h2>Coming Full Circle</h2><p>The management of financial risk on a day-to-day level lies ultimately with the finance function. Called the treasury in many countries, the finance function manages the business' liquidity and monitors cash inflows and outflows, current and projected, to ensure sufficient funds are available to support the company's operations and excess cash is invested effectively. Although finance is fundamental to the success of the business, it's useful for internal auditors to remember that some board members may have blind spots in their knowledge and awareness of the basics, particularly when it comes to the company's balance sheet.</p><p>"Nonfinance directors tend to be less familiar with the balance sheet and the cash flow statement than the profit and loss (P&L). By extension, they are typically less comfortable with the balance sheet lexicon, such as the true meaning of assets, liabilities, and equity," warns Steve Giles, a course leader at the London-based Institute of Directors on its Finance for Non-finance Directors learning program. "They are aware of concepts such as 'cash is king,' but do not readily translate this to the importance of managing working capital and the cash cycle in their business." He adds that the "corporate killer" is rarely a lack of profits, but the business' inability to pay debts when they are due.</p><p>This is why internal auditors in many sectors may now be urging boards to think seriously about market conditions and financial risks. In times of growth, when markets are calm, auditors conducting routine finance audits should watch for signs that the finance function is becoming complacent or that financial risk management standards are slipping. But when rising trade tensions combine with the highest-ever levels of corporate debt, they should scrutinize all aspects of financial risk, as earnings are likely to be under pressure.</p><p>"Trade wars are bad for everybody. Their ultimate impact is a movement toward lower earnings," says Pat Leavy, CEO at FTI Treasury, a Dublin-based treasury outsourcing and audit firm. "This combined with the presence of leverage obviously increases risk, but, from an audit perspective, when we're looking at individual companies, we need to understand the data we see." </p><p>Leavy explains that although gross corporate debt has risen, internal audit should focus more on net corporate debt. The risk is lower when corporations have high debt and also high levels of cash and liquid assets — a good example is the airline industry. "The focus should be on debt repayment capability, rather than profits and earnings before interest, tax, depreciation, and amortization alone," he says. "What we're really looking at is cash generation."</p><h2>Qualities of a Good Finance Function</h2><p>So, what does a good finance function look like, and what should internal auditors consider when they audit it? Leavy likens the quality of the finance function to Maslow's hierarchy of motivation. At the bottom of the pyramid is the quality of the infrastructure in place to manage the function: the resources and people, the competency of those people and the quality of the technology infrastructure, including any automation, and the commitment to the processes that are in place. The next level up is the control environment, the segregation of duties, the checks and balances, the flow of information, and compliance with those safety measures.</p><p>"As you move up the pyramid, it becomes more subjective," Leavy says. "Success at the next level depends on getting the right balance between developing strategy and managing the operations." Finance functions often spend 10% of their time on strategy and 90% on managing operations and getting the day-to-day work done. "In reality, getting the treasury strategy right can have a much more significant impact on the business," he says.</p><p>Finance functions often operate in isolation from the business and can be reactive. Ideally, they should be proactive and able to anticipate and be part of the corporate decision-making process. In this kind of finance function, the group treasurer moves up the value chain, working directly with the chief financial officer and risk committee to help define and achieve the corporate strategy. </p><h2>Where Audits Focus</h2><p>Similarly, Leavy says, finance audits tend to focus on the lower (although essential) rungs — operations controls and governance — and less on the finance function's strategy and how it enables the overarching corporate strategy. His points are echoed by Angela O'Hara, who spent five years as group assurance and risk director at an FTSE 100 chemicals and technology company before recently stepping into a director role. She also sits on the finance and general purposes committee of the Royal Veterinary College. O'Hara says limited resources meant that the finance audit she oversaw was outsourced and focused almost entirely on the basics.</p><p>"That audit looked at processes and governance, but not at the impact of the financial risks in the business and the treasury's role in relation to those risks," she explains. Auditors assessed how well the finance function managed bank accounts, and whether it reviewed the business' credit rating and funding arrangements regularly, as well as access rights for critical systems, the payment and processing platform, and foreign exchange (forex) trading. "But it didn't look at, for example, whether there had been a forex gain or loss, what led to that, and whether there should be changes to the roles and responsibilities associated with that," she says.</p><p>O'Hara says it is common for internal audit to assess how a function is set up, but there is additional value to add in assessing that function's effectiveness and what it means for the business. Reviewing structure, governance, policies, procedures, and key controls is fundamental. But, building on that, internal audit needs to challenge the function and its assumptions, even if it is not an expert on forex hedging or financing strategies. </p><p>"It's not a case of suggesting that what the treasury is doing is incorrect, but of raising questions that need to be considered in a rational and objective manner," Leavy adds. "And also of considering alternative approaches that might be more suitable and being open to that dialogue."</p><p>Alistair Smith, U.K. internal audit, risk, and control director at EDF Energy, says the transactional and frequent nature of finance activities makes them suitable for automation. However, in organizations using this kind of technology, internal audit should consider how key person risks and segregation of duties are managed. Another key risk, especially in long-established finance teams, is over-familiarity with the business, which can lead to "passive checking" of approvals for things like setting up new bank accounts. The best finance functions also will be able to provide metrics to demonstrate how they add value, whether through their forex hedging strategy or by optimizing financing.</p><h2>Standard Deviation</h2><p>Internal audit may not be able to predict whether the economy will go into recession, but there are more mundane matters that should be well-understood and managed. Changes to International Financial Reporting Standards (IFRS) accounting standards, for example, can catch finance functions off guard in companies that are required to comply with them.</p><p>IFRS 15, which came into effect in January 2018, requires that businesses subject to IFRS recognize revenues only when they are collected and not when customer contracts are signed, a change that has affected the top lines of high-profile companies. IFRS 16, which went live in January 2019, also has caused some turbulence. The new standard requires that payments made on operating leases — used for property and equipment in asset-heavy industries — must for the first time be reported as a liability on balance sheets. In September, FTSE 100 construction rental business Ashstead reported a huge jump of £1.4 billion ($1.8 million) in its net debt to £5.2 billion ($6.8 million) in the second quarter, well over half of which directly resulted from the accounting switch. </p><p>"The one we are coming across more and more is IFRS 9 on the impairment of intercompany loans," Leavy cautions. "There may be a requirement to calculate potential credit losses and include that as a repairment charge on intercompany debt. So suddenly there can be a movement on the P&L as the result of an accounting amendment, and intercompany lending is a bread-and-butter issue for every large corporation with an international footprint."</p><p>Another consideration for global businesses is the finance function's strategy of cash pooling, whereby the debit and credit balances of numerous subsidiaries' accounts are aggregated, allowing them to centralize group liquidity management. This can improve the interest terms they are offered when they raise finance and optimize cash flow within the group.</p><p>Certain jurisdictions, however, place restrictions on the strategy. "Not-ional cash pooling," a virtual rather than physical concentration of cash, is prohibited in Argentina, Brazil, Chile, India, Mexico, Sweden, Turkey, and Venezuela, in favor of physical pooling. India has even stricter rules that forbid cross-border physical pooling. Internal audit departments working across geographically diverse businesses should bear in mind the complications that can arise from subsidiaries that may sit outside of the pool.</p><p>"You need to look at those outliers as well as at the big risks," O'Hara says. "Clearly there is a big gross risk in the central treasury function, but each of the outliers could impact the P&L."<br><br><em>A version of this article first appeared in the November 2019 issue of </em>Audit & Risk<em>, the magazine of the Chartered Institute of Internal Auditors. Adapted with permission.</em></p>Brendan Scott1
Auditing Culture: Familiar Techniqueshttps://iaonline.theiia.org/2020/Pages/Auditing-Culture-Familiar-Techniques.aspxAuditing Culture: Familiar Techniques<p>​The idea of auditing culture can be intimidating to internal auditors. How can you find objective evidence about something that is inherently subjective? Do you need strange new techniques and psychologists on the audit staff? <br></p><p>Fortunately, internal auditors can accomplish a great deal without the need for a radically different approach. A combination of well-known audit techniques, applied more rigorously by practitioners looking for cultural issues, can go a long way. Four techniques, in particular, can yield valuable information:</p><ul><li>Establishing a participative relationship with audit clients.</li><li>Observing culture while on site.</li><li>Leveraging data that gives perspective on the culture and supports audit observations.</li><li><p>Carrying root cause analysis further than usual.</p></li></ul><p>Incorporating these approaches into routine internal audit work gives practitioners insight into organizational culture and can surface issues critical to the organization's continued success.<br></p><h2>Participative Relationship</h2><p>Establishing participative relationships is perhaps the most important technique, as audit clients are far more likely to discuss their culture if they feel involved in the audit process. This involvement can come during three stages of an audit project.<br></p><p><strong>Planning </strong>Auditors commonly get input from the manager responsible for the area they're reviewing. Some auditors go further and actually plan the audit with that manager. Together, they develop the specific audit objectives, scope, and overall approach. <br></p><p>Does planning the audit with the client compromise independence? It would if the auditor is not thinking critically; but if the client tries to divert internal audit from looking into a risk area, an experienced auditor is likely to recognize it.<br></p><p>For example, as part of the planning process the auditor presumably would explain why he or she thinks a risk area should be examined; the client might then explain why it would be a waste of time. If the client's explanation makes sense, the auditor thanks the client and explains that internal audit needs to confirm what he or she says. If confirmation is established, the auditor saves time. If not, or if what the client says does not make sense, the auditor sees the attempted diversion as a red flag and looks into the risk area with that in mind. <br></p><p>Audit clients are likely to be concerned about how much of their time the joint planning process will take. Internal audit should promise to minimize the impact by performing all the detailed analyses and keeping the planning at a high level.<br></p><p><strong>Risk Assessment </strong>Once the audit objective and scope are agreed upon, the auditor performs a more detailed risk assessment of the key risk areas. Involving the manager in the assessment — or his or her direct reports if the manager can't take the time — has many benefits. First, business owners know their risks better than an auditor coming in from the outside; most of them are just not used to thinking about risk in a systematic way. Guiding the client through a risk assessment gives the auditor a better understanding of the real risks and helps the client become a better risk manager. For auditing culture, it allows the auditor to guide the client's thinking toward cultural objectives and risks to address during the audit. <br></p><p><strong>Reporting </strong>The best way to "report" audit issues — and this is especially true for sensitive cultural issues — is not by telling the client they exist. The most effective way is showing the evidence, enabling clients to realize for themselves that there's a problem. Ideally, the discussion begins before the auditor has all the evidence, when he or she thinks there's an issue but is not quite sure.<br></p><p>For example, suppose an area's staff members complain of unrealistic performance targets. The auditor, being careful to preserve confidentiality, could ask their manager if he or she is aware of the staff's concerns. If the auditor can pique the manager's interest in whether it's true or not, they can design a test to determine that together. If the results indicate it's false, the client will have evidence to show the staff and dispel a morale issue. If the results indicate it's true, the manager is much more likely to be receptive, having asked for the information and helped design the test. <br></p><h2>Observations and Data </h2><p>In any area they review, auditors observe the behavior and attitudes of client management and staff. Their perceptions of the culture are generally accurate, but they are subjective. For most internal auditors, reporting a cultural issue based only on observations results in a fight they can never win. The good news is that there is usually objective data to support those observations.<br></p><p>A negative culture, for example, usually results in high rates of turnover and sick time. These statistics are readily available. Employee survey and exit interview results can also support the auditors' observations and sometimes help identify the cause. A review of customer complaints, frequency of missed performance targets, or project failures can show the impact of the cultural issue. For more examples of metrics that can support auditors' observations, see <a href="/2019/Pages/Auditing-Culture-Observation-and-Data.aspx">"Auditing Culture: Observation and Data</a>."<br></p><h2>Root Cause Analysis</h2><p>When conducting training programs during the early to mid-1990s, I would often say that soft (i.e., cultural) controls are more important to controlling an organization than hard controls. I would present tools like control self-assessment workshops, employee surveys, and structured interviews as ways to identify soft control weaknesses. Sometimes a trainee would ask, "If you just did transaction testing and really got at the cause of hard control deficiencies, wouldn't you get to the same place?" The answer is yes, but that rarely happens. Auditors usually stop short, ending with a more objective, easily defensible intermediate cause.<br></p><p>Today, in my course for new internal auditors I like to illustrate root cause analysis by starting with a hypothetical example where auditors discover inaccuracies on a computer report. I then ask the class to identify potential reasons for the erroneous report. A typical, though abbreviated, exchange between myself and the course participants looks something like this: <br></p><p><span class="ms-rteStyle-IndentBoth">"Why is this information not accurate?"<br></span></p><p><span class="ms-rteStyle-IndentBoth">            "Input errors"</span></p><p><span class="ms-rteStyle-IndentBoth">"Why are there input errors?"<br></span></p><p><span class="ms-rteStyle-IndentBoth">            "Lack of training"</span></p><p><span class="ms-rteStyle-IndentBoth">"Why haven't the input clerks been properly trained?"</span></p><p><span class="ms-rteStyle-IndentBoth">            "No budget for training"</span><br></p><p>At this point I explain the need to look at the effect of the errors. If the organization shifts funds to training, those funds have to come from somewhere else. The loss of funds elsewhere might have a worse effect than these errors:<br></p><p><span class="ms-rteStyle-IndentBoth">"So let's say the effect of these errors is clearly great enough that training is needed, but local management is allocating its budget as best it can."</span></p><p><span class="ms-rteStyle-IndentBoth">            "Then they need a budget increase."</span></p><p><span class="ms-rteStyle-IndentBoth">"Why isn't upper management giving them enough money to train their staff?"</span></p><p><span class="ms-rteStyle-IndentBoth">           "Upper management just looks at numbers and has no idea of the impact of their decisions on lower level employees."</span><br></p><p>Now we have the real root cause. And as often happens when analysis leads to the executive level, the cause is a cultural issue. Correcting it will not just correct the condition, but it will prevent future instances of the same or similar conditions. In this example, the root cause has a pervasive impact on the entire organization — Wells Fargo provided a clear example of what that can lead to.<br></p><p>Of course, upper management is not going to change its approach to managing the organization because of the errors on this computer report — it is one symptom of a deeper problem. The audit report will have to stop at an intermediate cause. The auditors, though, should keep track of this issue and look for similar issues in other audits. If they can connect the dots from enough audits, they may have sufficient evidence to at least discuss the underlying issue with upper management. And this points back to the importance of establishing a participative relationship with management. Finding a root cause on our own is rarely as effective as working with the client to identify it. This is especially true if the root cause is cultural.<br></p><h2>A Powerful Combination</h2><p>Taken together, a participative relationship with audit clients, auditors' observations supported by objective data, and rigorous root cause analysis is a powerful combination. None of these techniques is novel — they are things internal auditors have always done to some extent. Performing them more rigorously, with the goal of identifying cultural issues, can enable internal auditors to provide a deeper, more meaningful level of assurance. <br></p><p>Despite the value of these techniques, auditors should keep in mind that, even when performed together, they do not provide sufficient means to support overall conclusions about the organization's culture. Accomplishing that requires a model or framework that identifies the elements of the culture to be evaluated. And some of these elements might require other techniques.<br></p><p>Nonetheless, this multipronged combination should be a central part of the auditors' approach. Even without overall conclusions, internal auditors using these techniques can identify issues in their organization's culture that need to be addressed. And ultimately, that is the greatest value organizations derive from an internal audit assessment of culture.<br></p><p><em>Read other articles in this series:</em><br></p><p><a href="/2019/Pages/Auditing-Culture-History-and-Principles.aspx">Auditing Culture: History and Principles</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Bumps-in-the-Road.aspx">Auditing Culture: Bumps in the Road</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Where-to-Begin.aspx">Auditing Culture: Where to Begin</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Observation-and-Data.aspx">Auditing Culture: Observation and Data</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Audit-Project-Surveys.aspx">Auditing Culture: Audit Project Surveys</a><br></p><p><a href="/2020/Pages/Auditing-Culture-Employee-Surveys.aspx">Auditing Culture: Employee Surveys</a><br></p>James Roth0
The Board and Whistleblowershttps://iaonline.theiia.org/2020/Pages/The-Board-and-Whistleblowers.aspxThe Board and Whistleblowers<p>In 2018 the CEO of Barclays, Jes Staley, was castigated by British regulators for trying to unmask a whistleblower who had raised concerns about one of Staley's top lieutenants. Barclays' board clawed back a £500,000 bonus from Staley, and regulators fined him £640,000. Regulators in New York then hit Barclays, itself, with another $15 million penalty.</p><p>The year prior, life sciences company Bio-Rad had to pay nearly $8 million to former general counsel Sanford Wadler after he reported fears of possible bribe payments to government officials in China. The company sacked Wadler, who filed a whistleblower retaliation lawsuit. </p><p>Bio-Rad and Barclays are especially noteworthy because in both cases, the whistleblowers' allegations were later determined to be unfounded. An arbitrary approach to handling whistleblowers is what got those companies into hot water. In our highly regulated, highly litigious, highly transparent world, it always is. Hence the need for rigor — and the need for boards to assure that rigor exists. </p><p>"It's important to set up a process [for addressing whistleblower complaints] in advance because you have to take every one of these issues seriously," says Dotty Hayes, a former CAE at both Intuit and Hewlett-Packard and now chair of the board of directors at First Tech Federal Credit Union in San Jose, Calif., and a board member and audit committee chair at a range of organizations. "You can't do it haphazardly." </p><p>That point is true even if the allegation doesn't seem credible, and even if it's proven wrong, Hayes says. The last thing a board wants is to improvise a response.  </p><h2>Be Disciplined; Be Independent</h2><p>The good news is that truly grave whistleblower reports — allegations so serious that the board should oversee them, and should do so immediately — seem to be rare. "In my experience, if you have one or two a year that are significant and require high priority, that's a lot," says David Diamond, former head of internal audit at Lionsgate Entertainment, and now audit committee chair for The Daily Breath, a chain of Pilates studios in Brazil and the U.S. Likewise, Charlotte Valeur, CEO of the Global Governance Group and currently a director on seven boards, says that in 14 years of working in board governance, she has encountered only two instances of whistleblower allegations so serious that only the board could address it. </p><p>Again, so what? Boards don't know the veracity of a whistleblower allegation when the report first arrives. So establishing a consistent, disciplined, objective process to evaluate whistleblower reports is paramount.</p><p>"Independence on boards is key for whistleblowing," Valeur says. "If you don't have independent board members who can deal with it — and <em>will</em> deal with it, truly independently — everybody is at risk. The whistleblower is at risk, and the company is at risk."</p><p>In truth, that triage process is a nuanced tango between board and management. Boards might <em>receive</em> reports, but they should not <em>investigate</em> reports; that duty should go to trained professionals: internal audit, the compliance or legal team, human resources (HR), or even outside counsel. Even in grave scenarios such as allegations of CEO misconduct, the board should oversee that investigations are happening and moving forward — but not <em>participate</em> in the investigation, itself. "The last thing I want to do is be the investigator," Hayes says. </p><p>Conversely, management receives lots of reports, and might even investigate many of them without troubling the board. That's fine, so long as all parties have a clear understanding of which reports <em>should</em> be escalated to the board right away.</p><p>So what should that process look like? Who's involved in the triage? Typically a large company will outsource its whistleblower hotline; that's one layer of independence. A whistleblower might be able to select categories of complaint (accounting fraud, employee bullying, discrimination, theft, and so forth), or specialists at the outsourced hotline provider could assign one based on certain key phrases, issues, or even names the whistleblower might include.</p><p>A critical question is which categories of complaint should automatically go to the board, even if the board then bats the issue right back to audit, legal, or compliance for further action. For example, anything that mentions corporate accounting, compliance violations, or CEO misconduct should go to the board. If the issue involves personal misconduct rather than financial, consideration by a risk or governance committee might be the best option.  </p><p>Should the accused be informed of the allegations against him or her? Generally no, although some privacy rules in Europe can make that a complicated question best left to professional investigators. And should a company try to unmask a whistleblower? Pretty much never, since that action is a whisker away from retaliation and violates the spirit of following the facts wherever they may lead. ("It's irrelevant," Valeur says of the idea.)</p><p>And regardless of how any specific allegation is investigated, boards still need a process to oversee whistleblower reporting holistically. Valeur, for example, says she wants regular briefings on the total number of reports, the issues they involve, substantiation rates, and so forth. </p><p>"All companies over a certain threshold should have a mature process," Diamond adds. "If you don't, in this day and age, you're way behind."</p><h2>Speaking of Substantiation...</h2><p>Boards might also be surprised at this news: Whistleblower reports based on secondhand knowledge — that is, information passed along to the whistleblower from someone else; or that the whistleblower discovers by finding evidence of misconduct, without witnessing the act directly — tend to be more reliable than reports from people with firsthand knowledge. So says research from The George Washington University and the University of Utah, where academics studied 2 million whistleblower reports filed at more than 1,000 companies from 2004 through 2017. They found that management was 48% more likely to substantiate whistleblower reports based on secondhand information. Those reports were more likely to be about accounting and business integrity issues, too; while firsthand reports are more often about HR issues.</p><p>That makes sense when you think about it. People filing firsthand reports are usually claiming that they have somehow been wronged personally — and, yes, some portion of those reports will be false, or based on hot-headed judgments that don't hold up under scrutiny.</p><p>Whistleblowers with secondhand information, however, are claiming that something in the company is amiss. You typically wouldn't do that unless you care about the organization. And if you care about the organization, you're probably not involved in the misconduct, so it's more likely you have fragments of evidence. In other words, boards should welcome whistleblower reports based on secondhand information, even though that means more investigative spadework to find the truth.  </p><p>"Many times the report needs to be ferreted out," Diamond says. "A lot more details need to be derived to understand the full significance of the report."</p><p>True, but investigations are the subject for a different day. The importance of establishing a process to oversee whistleblower allegations in an objective, disciplined way and follow the facts where they lead — that advice is irrefutable. <br></p>Matt Kelly1
A Study in Risk Tolerancehttps://iaonline.theiia.org/2020/Pages/A-Study-in-Risk-Tolerance.aspxA Study in Risk Tolerance<p>​The general public accesses more information more frequently and expects both private and government organizations to provide more services at a proportionate rate. Each successful technological advancement to provide this information has been accompanied by numerous failures — mistakes that expose vulnerabilities and consequently entrench a risk-averse mindset within organizations. A lack of risk-taking leads to unrealized opportunities and stifled innovation. Conversely, uncontrolled risk-taking can result in disaster. Trying to find a balance between the two can lead organizations to analysis paralysis. Measuring the risks that organizations currently take and those they are willing to take can help avoid over-analysis and enable timely, informed decision-making.</p><p>In 2016, the Canada Revenue Agency (CRA), which administers tax laws for the Government of Canada and most of the country’s provinces and territories, published its Risk Tolerance Tool to quantifiably measure the maximum level of risk exposure that management was willing to accept. The objective of this tool was to provide a basis for management discussions and to inform decisions on actions related to targeted risks. Initially, the CRA used the tool internally in yearly corporate risk profile cycles. It has since been piloted in the agency’s IT security function and internal audit department with positive results.</p><h2>The Tool</h2><p>When approaching risk analysis, distinguishing risk exposure from risk tolerance is critical. Organizations establish risk exposure based on the likelihood that a given risk will occur and its potential impact on the organization. Risk tolerance is the maximum amount of residual risk exposure that an organization is willing to accept while working toward an expected outcome. By comparing how these concepts are quantified, management and assurance providers can more effectively identify the risks that must be mitigated, those that do not require additional action, and even those existing in an overcontrolled environment.</p><h2>Make an Action Plan</h2><p>The risk tolerance portion of the tool consists of five clear tolerance criteria that are selected based on their relevance to audit engagements and their ability to be applied consistently from one engagement to the next: </p><p></p><ul><li>Maturity — The level of experience the agency has dealing with the issue or risk.</li><li>Criticality — The level of critical service that this risk applies to the government or the CRA.</li><li>Sensitivity — The level of sensitivity that the CRA has toward this risk occurring. </li><li>Span of control — The level of control the CRA has over this risk. </li><li>Base profile — A consistent factor that lowers the tolerance to each risk. </li></ul><p><br></p><p>The first four criteria each receive a score out of 25; the lower the number of points, the lower the organization’s tolerance for the risk. A risk that is highly critical and sensitive, and for which the organization has a large span of control, would receive few or no points for those criteria. However, a risk with which an organization has a high level of experience would contribute to a higher tolerance, receiving up to 25 points to account for the organization’s maturity. The tool adds the points for each criterion to calculate the level of tolerance for each risk. But, because the organization is not fully tolerant of any risk, the tool applies a base factor uniformly to all risks by giving 0 points out of a possible 20 points. The final score is out of 120 (see “The Risk Tolerance Model” below). </p><p><img src="/2020/PublishingImages/Risk-Tolerance%20Model-rev.jpg" alt="" style="margin:5px;width:850px;height:300px;" /><br></p><p>Auditors calculate the more traditional residual risk exposure by assessing the risk likelihood and the risk impact and multiplying them. Note that likelihood and impact each have a maximum of 5 points. Therefore, to obtain the residual risk score out of 100, the product of the likelihood times the impact is multiplied by 4. For example, if the likelihood is 3 and the impact is 5, the residual risk exposure would be 3 x 5 x 4 = 60. The tool then factors in the trend for a given risk by considering if it is increasing, decreasing, or stable; +20, -20, and 0 respectively. Adding the trend to the residual risk exposure results in a total risk exposure out of 120. </p><p>The tool compares total risk exposure with the total tolerance to determine if controls should be maintained, if the risk is in a caution zone, or if risk mitigation is required. </p><p>The CRA developed a slider figure alongside the risk tolerance tool to help management visualize the output of its risk analysis (see “Risk Tolerance Slider” below). By inputting the exposure and tolerance values into the slider bar, the user can quickly and clearly visualize the residual risk exposure in relation to the risk tolerance threshold and the necessary level of action. Auditors flag risks that are within the caution zone for closer observation. However, although there is no mandatory requirement for mitigation, management can choose to mitigate or monitor the risk as it sees appropriate. </p><p>One of the CRA’s priorities when developing this tool was ensuring the flexibility and adaptability of the risk criteria. Users can modify these criteria based on organizational needs and scale them to fit any type of project. Because the scoring methodology remains constant across different criteria, organizations can maintain consistency in decision-making when assessing the need for intervention. Additionally, users can modify and adjust both the set of criteria and the weight attributed to each criterion over time to better reflect the organization’s risk environment. Therefore, although consistent criteria allow for comparability, auditors can tailor the tool to any audit phase, as long as it is consistent within that phase. </p><p><img src="/2020/PublishingImages/Risk-Tolerance_Slider.jpg" alt="" style="margin:5px;width:600px;height:300px;" /><br></p><h2>Addressing Risk</h2><p>Internal audit’s use of the tool assessed the risks related to differing opinions of the audit client and audit team about the significance of a finding and internal audit’s recommendation — namely, where the client indicated no action was necessary.</p><p>The tool indicated to management that action was preferable and allowed the audit client to address the areas where risk exposure was above tolerance. Of the three risks related to the recommendation, management confirmed that one risk did not need to be mitigated. However, two risks with gaps between tolerance and exposure should be addressed with a balanced set of actions. Those actions included interim measures to mitigate a risk expected to be eliminated by a system change in a few years. Management may not have recognized the importance of acting on the risk until the system change, but the tool helped executives realize that the risk needed to be mitigated leading up to the system change.</p><p>Having audit client subject-matter experts fill out the risk tolerance tool helped them better understand the recommendation and the possible actions that they could take. This improved relationships between auditors and audit clients so clients could focus their energy on developing solutions for addressing identified gaps instead of negotiating recommendations. </p><p>By applying this stable risk-tolerance process, employees can have a consistent understanding of both the organization’s approach to risk and management’s risk mitigation criteria. This predictability also can lead to increased employee confidence in senior management’s decision-making and improved mitigation strategies by allowing management to concentrate on the most critical risks first.</p><h2>Applying the Tool Across the Organization</h2><p>During the pilot, internal audit management realized there are many other possibilities for using the risk tolerance tool in the audit and evaluation communities. Applying it within an organization’s risk-based audit planning process can facilitate the identification and subsequent triage of potential engagements, so it could focus on those with the highest exposure above tolerance. </p><p>Similarly, incorporating it into the planning phase of an audit could simplify the scope and depth of the audit program. This, in turn, may increase the audit’s effectiveness by focusing audit procedures on risks that have surpassed the caution zone. </p><p>In fact, since the first pilot in the reporting on recommendations, internal audit piloted the tool during scoping in the planning phase of one of its audits. Benefits to this approach are currently being analyzed. Also, internal audit successfully piloted the tool to determine if an outstanding management action plan had become obsolete as a result of changes to the environment that affected the underlying risks that led to the original recommendation. </p><h2>A Risk-aware Culture</h2><p>While the CRA continues to pilot and refine the risk-tolerance assessment approach within internal audit, other Canadian government departments have expressed interest in piloting the tool to identify additional applications. This has expanded intelligent risk-taking across the government. By promoting and getting employee buy-in for a more risk-aware culture, the possibilities for using the tool have become endless. </p>Louis Seabrooke1
Risk in Sessionhttps://iaonline.theiia.org/2020/Pages/Risk-in-Session.aspxRisk in Session<p>Executive sessions should be on the agenda of every audit committee meeting. This means that all members of management leave the room, and the chief audit executive (CAE) has time alone with audit committee members. Executive sessions enable the committee to share risk concerns candidly. Scheduling an executive session at every meeting makes it less unusual when the CAE needs to ask for a session to discuss a specific concern.</p><p>While audit committee agendas can be routine and well-defined, executive session agendas normally are less clear. Although the CAE may have a few prepared remarks, theses sessions typically revolve around one question asked by the audit committee: “Is there anything we need to talk about this time?” Yet, CAEs can make these executive sessions more valuable by engaging committee members in a dialogue about the organization’s risk culture. </p><h3>Set the Agenda</h3><p>As with the full audit committee meeting, having an agenda for the executive session is helpful. This should be a casual agenda that is not distributed; instead, the CAE should use it to ensure the session covers all topics of interest. The executive session agenda can include standard updates and risk topics specific to committee member concerns.</p><p>Because committee members may not know what to ask CAEs during executive sessions, CAEs can engage the audit committee in a variety of topics, including risk culture — how the business understands and manages risk.</p><p>In preparing for executive sessions, CAEs can create a list of ongoing and meeting-specific topics that address risk culture. Examples include tone at the top, corporate culture, governance, or overall risk monitoring. CAEs can provide insight into these areas without the committee having to ask for it, while hearing committee members’ perspectives.</p><h3>Share Risk Perspectives </h3><p>Communication in executive sessions is a two-way street. The committee can provide valuable information to the CAE, while the CAE can share risk information and preferred action steps. During the session, the CAE can ask:</p><ul><li>What decisions is the board contemplating that may represent a strategy change?</li><li>What concerns do audit committee members have about specific strategies or risks?</li><li>What risks should internal audit prioritize? </li></ul><p><br>Additionally, listening to committee member concerns  is valuable for understanding what they view as important. </p><p>For CAEs, targeted questions can yield details that may lead them to update the audit plan or add a project to ensure risk coverage is timely and relevant. For the committee, discussing a specific concern or question can prompt the CAE to share white papers or training information in the materials for future meetings. The better the committee understands risk and its true impact, the better it can influence the risk culture with the board and management.</p><h3>Request Focus or Action</h3><p>Because some topics can be politically charged, executive sessions exclude management to ensure open communication about sensitive topics. In the confidential environment of the session, CAEs can discuss risks that are not receiving necessary management focus along with recommended actions. For example, a change in privacy laws may require specific action by the organization. If the organization is not acting swiftly enough to comply, the CAE can alert the committee. </p><p>CAEs should share the specific requirements or a summary of the risk topic as background information for the committee, along with the potential impact and likelihood of occurrence. They should state whether the discussion is for the committee’s awareness only or if they are asking for action.  </p><p>These situations require tact. Unless the CAE is using the executive session to disclose fraud or wrongdoing by management, a no-surprises approach is best. In the privacy law example, the CAE should exhaust efforts to influence management to take appropriate action before bringing it up to the audit committee. As a courtesy, the CAE should inform management of plans to discuss the matter with the committee. </p><h2>Collaborate for Success</h2><p>Sharing risk culture successes with the audit committee during executive sessions can help it better understand how internal audit impacts the organization’s risk culture. For example, sharing ways that internal audit provided consulting or assurance services to a system implementation demonstrates the function’s key role and proactive risk approach. Moreover, these examples can help committee members see future anomalies with how internal audit may be positioned or used. <br></p>Sarah Duckwitz1
A Plan for Regulatory Changehttps://iaonline.theiia.org/2020/Pages/A-Plan-for-Regulatory-Change.aspxA Plan for Regulatory Change<p>​Noncompliance with laws and regulations carries potentially steep consequences for organizations. Fines, penalties, sanctions, debarment, and public relations nightmares are among the many impacts of compliance failure, not to mention the reputational damage and loss of business that may occur. Moreover, failure to identify and consider laws and regulations may result in missed business opportunities and lack of strategic alignment. In many ways, neglecting to address and manage regulatory change can lead to significant organizational harm. </p><p>In fact, The IIA’s recent OnRisk 2020 research identified regulatory change as one of the most critical risks facing organizations this year. Other risks included cybersecurity, data protection, business continuity, talent management, and third parties. Depending on the industry, each of the risks identified in the report may have a regulatory component. For example, organizations that fail to protect personal data through a cybersecurity control framework can face significant penalties. The data may have been processed through an insufficiently vetted third party, or by unqualified employees whose inclusion in the organization resulted from inadequate talent management. If a data breach occurs, the organization must be able to respond within regulatory time frames and, depending on the significance of the breach, possess reliable crisis response and business continuity plans. </p><p>Internal auditors have a responsibility, under the <em>International Standards for the Professional Practice of Internal Auditing</em>, to help ensure their organizations are addressing and managing regulatory risk effectively. According to Standard 2120: Risk Management, internal audit “must evaluate the effectiveness and contribute to the improvement of risk management processes.” More specifically, according to The IIA’s interpretation for this standard, “The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding … compliance with laws, regulations, policies, procedures, and contracts.” Practitioners may benefit from an assessment tool aimed at achieving that objective.</p><h3>The Assessment Model</h3><p>Using a top-down framework based on compliance guidance from the U.S. Federal Sentencing Guidelines, internal auditors can assess whether the organization is addressing and managing regulatory change effectively. Governments of other countries have emulated the guidance when outlining steps to ensure compliance with major laws and regulations. It can guide auditors, step by step, through a structured review of what’s to be expected by regulators in the management of regulatory risk. <br></p><p><strong>Identification of Laws and Regulations</strong> The group responsible for identifying regulatory change can vary from one organization to the next. Depending on the size, regulatory complexity, and maturity of the organization, internal auditors may be able to perform a top-down assessment of how well the enterprise risk management program, or risk management function, identifies and manages changes in regulatory risk. Moving down a level, if these functions do not exist or are ineffective, auditors can assess the overall compliance program, if one exists. Otherwise, the legal department may be responsible for identifying and disseminating information on changes in laws and regulations. And while not optimal, business management of each function, as the first line of defense, may hold sole responsibility for knowing and managing legal and regulatory changes, as well as regulatory risk overall. </p><p>To assess whether regulatory change is managed effectively, internal auditors should be aware of the common categories of laws and regulations that impact most organizations. These include employment/labor; tax; advertising; environment, health, and safety; financial crimes/anti-bribery/anti-money laundering/anti-trust; and data protection. Internal auditors must also be aware of the laws and regulations that impact their specific industry. Finding reliable sources of industry knowledge and perusing them regularly helps in the identification process. And while the best sources will vary depending on country and industry, one free resource that compiles global legal analysis from law firms is <a href="http://mondaq.com/" rel="nofollow">Mondaq.com</a>. Auditors may also find it helpful to develop relationships with those in the organization who would most benefit from sharing news of regulatory change.<br></p><p><strong>Risk Assessment </strong>Regulatory change risk assessment occurs after identification of regulatory and legal requirements. Internal auditors should examine the effectiveness of processes in place to assess how and where regulatory change will impact the organization, and how that information is communicated to those who need to know. As with the identification process, which function performs the risk assessment depends on the size, maturity, and regulatory complexity of the organization. <br></p><p><strong>Policy Development</strong> To help ensure all impacted employees — and in some cases even third parties — understand what is expected of them, the organization needs to provide an overview of the new law or regulation. Regardless of which function develops such policies, the organization should have a standard template, centralized storage location, and established controls for publishing, reviewing, and updating them. Assessment of these elements may be included in the internal auditor’s program.  <br></p><p><strong>Compliance Procedures</strong> Organizations develop procedures to provide employees with the exact steps they need to perform to ensure compliance with changes in laws or regulations. Procedures may be developed by a dedicated function, a committee, the chief risk officer, compliance, the first line of defense, or other areas. They may be published at the same time, and even within the same document, as the corresponding policy. Internal auditors may determine whether policies are developed timely, are updated periodically, and describe the steps to be taken to ensure compliance.  <br></p><p><strong>Regulatory Communication</strong> The organization’s communication on upcoming regulatory change may include general information about the change, implementation timing, and training. The targeted audience depends on who will need to comply. Communication may be in any form, including emails, intranet bulletins, and staff meetings. Regardless of the vehicle, communications about regulatory change should be maintained in a data repository as documentation for regulators, if needed. Internal audit may decide to assess the timeliness, effectiveness, and retention of the communication. <br></p><p><strong>Staff Training</strong> Effective training is key to ensuring that employees, and in some cases third parties, understand the regulatory change and the importance of compliance. Depending on the targeted audience, training may be general or include specific procedures. For example, everyone in the organization needs to know the importance of complying with anti-bribery and corruption laws and regulations. However, employees in the finance department, for example, may need detailed training on how to monitor payments to ensure compliance. </p><p>Training should be provided to the appropriate targeted populations — including new hires and new third parties — as applicable. The training should include information on available resources, as well as specifics on how to report potential issues of noncompliance. Depending on the topic, targeted population, and in some instances regulatory requirements, the training may be provided online or in person. Regardless of the offering, detailed records of training completion must be maintained, and an escalation procedure should be in place to follow up with individuals who have not completed the training.  <br></p><p><strong>Acknowledgment Procedure</strong> Employee and, in some instances, third-party acknowledgment of the regulatory change, and any corresponding policy and procedures, is critical to document and maintain. Acknowledgment often is tied to, or included in, training completion. An escalation process should be in place to ensure receipt, and documentation of follow-up efforts should also be maintained. Internal auditors can assess whether acknowledgments have been received and stored, and whether the escalation process has been followed. <br></p><p><strong>Whistleblower Hotline</strong> An anonymous reporting mechanism, or whistleblower hotline, represents an important element of the overall legal and regulatory compliance program. Many organizations outsource this responsibility to third-party providers, which offer the ability to report online or by phone. The topics that may be reported depend on the data privacy regulations in each country, although most at least allow reporting of noncompliance with financial laws and regulations. In some countries, however, anonymous reporting is discouraged. The most effective reporting mechanisms include vetting of potential compliance concerns or questions. </p><p>The organization needs to have formal procedures in place for conducting investigations. The procedures should involve the functions that will lead or conduct the investigations, as well as legal counsel. They should also specify how the crisis management plan will be triggered, and the insurance carrier notified, as applicable, and a process for closing and reporting on each investigation. Internal audit may be part of the intake process and investigation. Regardless, internal audit may include in its review an assessment of how concerns or potential issues of noncompliance brought to the hotline are handled, closed, and reported. <br></p><p><strong>Monitoring Controls</strong> The organization needs to implement monitoring controls to ensure that employees, and in some cases third parties, are following procedures. If procedures are not being followed, additional training may be warranted or disciplinary action may be taken, depending on the root cause. Often, the second line of defense establishes and performs the monitoring process. If that’s the case, internal audit can review the work of the second line to assess effectiveness. Monitoring may be continuous or performed at periodic intervals. Regardless, the organization needs to follow established time frames. <br></p><p><strong>Compliance Auditing</strong> Although often mistakenly combined with monitoring, auditing is a separate activity. Whereas the focus of monitoring controls is to ensure procedures are followed, auditing focuses on all of the elements that have been put in place to ensure compliance with regulatory change in a particular risk area. For example, a monitoring control to ensure compliance with insider trading laws may entail electronically scanning emails for keywords and phrases. Auditing for compliance with insider trading laws, on the other hand, would involve a review to ensure the establishment of policy, procedures, training, effective monitoring controls, and disciplinary action in the event of noncompliance. If the second line of defense is responsible for auditing the program’s elements, internal audit may assess its effectiveness. Otherwise, internal audit would perform the audit, including a review of all of the elements. <br></p><p><strong>Corrective Action</strong> The organization needs to take corrective action in response to monitoring, auditing, and investigations. Corrective action may mean implementing additional or different controls or training, or disciplining noncompliant employees. In the case of discipline, employees should be treated equitably, regardless of their position in the organization. For example, a lower level employee should not be treated more harshly than a company officer for the same offense. Often, the organization assigns a committee to monitor equity of disciplinary measures across the board. </p><p>To ensure future compliance, control measures must be evaluated whenever noncompliance is discovered. The review needs to be conducted timely and include root cause identification as well as implementation of appropriate controls. <br></p><h3>Keeping Pace With Change</h3><p>Internal audit should serve as a trusted advisor to management by helping the organization address regulatory change. It all starts by understanding and staying current on industry-specific developments, and considering the regulations that may impact the organization. Using a top-down approach, internal audit may review the entire framework, the compliance program, or the specific elements in place, depending on its risk assessment. The right approach can enable internal auditors to get a bead on regulatory change and help ensure the organization is prepared for what lies ahead.  <br></p><table cellspacing="0" width="100%" class="ms-rteTable-4" style="height:30px;"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:50%;"><p><strong>​The Model in Practice</strong><br> <br> </p> <p>To demonstrate how the model works in practice, consider the high-risk area of data protection — more specifically, the European Union’s General Data Protection Regulation (GDPR). The regulation’s purpose is to strengthen and unify data protection for individuals within the EU, regardless of where their personal data is processed. Noncompliance with GDPR carries steep penalties, with fines of up to 4% of worldwide turnover. Following the model’s cadence, internal audit can perform a step-by-step examination of GDPR-related change impacting the organization. </p><p><strong>Step 1.</strong> After identifying relevant GDPR provisions, the organization performs a risk assessment to determine whether the regulation will impact it, and if so, how, where, and when. Because many organizations already have data protection controls in place, the assessment may include a gap analysis to determine changes or additions that may be needed to ensure compliance. <br></p><p><strong>Step 2.</strong> Because data protection constitutes an area of high risk, and given the entitywide importance of data protection compliance, the organization establishes a compliance policy. Specific procedures are developed for the marketing function, as just one example, to ensure all contacts are vetted before release of communications. <br></p><p><strong>Step 3.</strong> The organization develops messaging and disseminates it to employees, explaining GDPR requirements, their impact on the organization, and each individual’s responsibility for compliance. The communication informs employees that the organization is developing GDPR policy and procedures, and provides a time frame for rollout of these items.<br></p></td><td class="ms-rteTableOddCol-4" style="width:50%;"><br><p><br></p><p><span style="color:#222222;background-color:#6eabba;"><strong>Step 4.</strong><strong> </strong>The organization implements a training course for all employees that includes explanation of organizational policy on compliance with all data protection laws and regulations, and </span><span style="color:#222222;background-color:#6eabba;">specifically on GDPR. During the training, employees are required to acknowledge the GDPR policy. Meanwhile, the marketing department employees, as one example, are trained on vetting contacts for campaigns. </span><br></p><p><strong>Step 5.</strong> The organization has already established an anonymous reporting mechanism to help address any potential issues of noncompliance. However, it adds the data protection policy to both the hotline resources and the company intranet resource section.<br></p><p><strong>Step 6. </strong>The organization implements monitoring controls. For example, emails sent directly by individuals<br>to more than 40 external recipients are reviewed each quarter for marketing content, to determine whether contact vetting controls may have been bypassed. <br></p><p><strong>Step 7.</strong> Internal audit either reviews the second line of defense’s program to ensure compliance with data protection regulations, or it reviews the specific elements that have been put in place, depending on the size, maturity, and regulatory complexity of<br>the organization.<br></p><p><strong>Step 8.</strong> If monitoring controls reveal that procedures are not followed, or if internal audit finds that elements of the program are deficient, the organization initiates corrective action. <br></p></td></tr></tbody></table><p></p>Nancy Haig1

  • AuditBoard_Pandemic_May 2020_Premium 1_
  • Galvanize_May 2020_Premium 2
  • IIA CERT-Online Proctering_May 2020_Premium 3