Risk and Compliance



Internal Audit's Evolving Cybersecurity Role
https://iaonline.theiia.org/2019/Pages/Internal-Audits-Evolving-Cybersecurity-Role.aspx
<p>Technology is progressing at such lightning speed that even IT specialists struggle to keep their fingers on the pulse of technological change. So how are internal auditors expected to adequately assess and examine the various risks emerging in this cyber age?</p><p>As technology continues to advance, internal auditing must evolve. For many years, internal audit departments relied on IT audit specialists as partners in integrated audits. Although those specialists focused on systems and technology, integrated audits worked best when operational and financial auditors knew what to look at from an IT perspective. </p><p>In today’s world, internal auditors cannot delegate responsibility to their IT departments or IT auditors. All auditors should have a solid understanding and awareness of more than just general and application controls. They should realize the technology risks and their potential impact. </p><p>One of the most prevalent issues organizations face today is the constant threat of cyberattacks. Every day there is some new threat, breach, or cybersecurity incident. It is now imperative that all internal auditors understand the underlying drivers as well as the nature and causes of cyber risks. With this knowledge, internal auditors can add significant value to the organization by assessing and helping management strengthen cybersecurity.</p><h2>Knowledge Is Power</h2><p>Yes, internal auditors know how to use a computer and a cell phone, but do they realize the risks these technologies pose? What you don’t know can hurt you! In today’s business environment, training on cybersecurity issues should be a basic curriculum expected of internal auditors. 
Training that is essential for internal auditors includes understanding: </p><p></p><ul><li>The threat of cyber fraud to their organizations and the manner in which it could present itself. </li><li>Procedures that should be followed to assess cyber risk.</li><li>Types of new and existing breaches. </li><li>Various tools for managing cybersecurity issues. </li><li>Methods to prioritize assets at risk for protection plans.</li><li>Methods to appropriately allocate resources to protect assets.</li></ul><h2>Understand Cyber Risk Frameworks</h2><p>Organizations need to understand and use a structured cyber risk framework to mitigate threats. Although there are several frameworks, some organizations may focus on a specific framework, depending on their industry. </p><p>One of the most widely used frameworks is the U.S. National Institute of Standards and Technology’s (NIST’s) Cybersecurity Framework. The framework directs organizations to use a standard protocol in their cybersecurity efforts to identify and protect assets, and respond to and recover from incidents.</p><h2>Identify and Protect Assets at Risk</h2><p>The NIST framework recommends that organizations identify assets within the organization that are most susceptible to cyber threat. Next, it advises organizations to prioritize assets for protection, and develop and implement appropriate safeguards to ensure delivery of critical infrastructure services.</p><p>Identifying and protecting assets is similar to other risk assessment processes and is an area in which internal auditors can provide valuable insight to help protect their organizations. Auditors can help their organization by: </p><p></p><ul><li>Following a structured approach to perform a top-down assessment.</li><li>Evaluating cyber risks within individual audits.</li><li>Assessing the organization’s capabilities to manage assets that might be impacted by a cyber risk event. 
</li><li>Evaluating whether management and the board have developed a comprehensive cybersecurity strategy.</li><li>Fully integrating cyber risks into the annual audit plan.</li><li>Determining whether management is using the most effective process to prioritize assets for protection and allocate resources.</li></ul><h2>Monitor Detection Procedures</h2><p>Detecting cyber threats is the third component the NIST framework recommends. Once assets have been identified and protected, the organization should develop and implement appropriate activities to take action when a cybersecurity event is detected.</p><p>As with The Committee of Sponsoring Organizations of the Treadway Commission’s <em>Internal Control–Integrated Framework</em> monitoring component, performing detection procedures is management’s responsibility. However, internal auditors can test detection procedures to ensure they are designed appropriately. </p><p>Management should follow a well-devised protocol to develop, design, and implement detection procedures. Auditors can review and test that protocol and ensure detection procedures are addressing the most vulnerable assets. This act requires auditors to collaborate with management to fully understand the procedures used in the design phase and in identifying which assets are prioritized as higher risk.</p><h2>Respond to Incidents</h2><p>This component of the NIST framework includes activities to undertake when the organization has detected a cybersecurity incident. The objective is to contain the incident’s impact on the organization.</p><p>Compare a cybersecurity incident to a fire. Both are “all hands on deck” events. If management has not structured a cyber risk program appropriately, there may be many reactive actions and ad-hoc approaches to plugging the gaps. Internal auditors can be important consultants in this situation. </p><p>Often when a breach occurs, management looks for the quick fix. This may not always be the best solution. 
The response must consider not just the tactical steps taken to fix the problem but all of the ancillary communication and documentation that is required. In this circumstance, internal auditors can provide an independent perspective and guide management on the best path to follow to respond to the incident. But to be helpful, auditors must understand the technology issues as well as the incident-response processes.</p><h2>Use Recovery to Learn Lessons</h2><p>Recovering from a cybersecurity incident is comparable to recovering from an illness. When a person discovers he or she has a serious illness, all focus is placed on acting to respond to the illness. At that point, the mindset is survival rather than recovery.</p><p>As defined by NIST, the recovery phase occurs after the organization has responded to a breach. This phase includes identifying activities to maintain plans for resilience and to restore any services that were impaired due to a cybersecurity incident. The organization must be able to constructively review what occurred and extract appropriate lessons learned from the incident. Then the organization must incorporate those lessons into its current response protocol. </p><p>By assessing the lessons learned from an incident, internal audit can contribute to the ongoing viability of the organization’s cybersecurity incident plan. This assessment can assist the organization in evaluating gaps in how assets were identified and prioritized, how protection procedures were prioritized and executed, how detection procedures were implemented, and how response procedures were put into effect.</p><h2>Internal Audit’s Expertise</h2><p>The NIST Cybersecurity Framework’s guidance is just a sample of important concepts to understand. As technology evolves, so do the duties of internal auditors. The profession needs to step out of its comfort zone and insert its expertise into addressing cyber risk.<br></p>
Lynn Fountain
Auditing Culture: History and Principles
https://iaonline.theiia.org/2019/Pages/Auditing-Culture-History-and-Principles.aspx
<p><em>With this first in a series of articles planned on auditing culture, I'm excited to share what has been my passion, in one form or another, for the last 26 years. I hope the series will serve as a forum for the creative, courageous internal auditors who are active in auditing culture to share what they're doing, thinking, and concerned about</em>.<br></p><h2>Brief History</h2><p>I went into business for myself three months after the first Committee of Sponsoring Organizations of the Treadway Commission (COSO) report came out in September 1992. <em>Internal Control–Integrated Framework</em> emphasized the primary importance of the control environment, which focuses on "people — their individual attributes, including integrity, ethical values, and competence" — and includes "management's philosophy and operating style" as one of seven factors that contribute to the control environment's effectiveness. This emphasis matched that of my first chief audit executive, Roger Carolus, who was a member of the COSO advisory group. <br></p><p>We never had the support to fully realize Roger's vision, but COSO's authoritative guidance sparked interest in the profession on evaluating soft controls. And while there is more to auditing culture, evaluating soft controls was the forerunner to this type of assessment and remains an essential ingredient to this day. <br></p><p>During the 1990s, the profession's main tool of choice for evaluating soft controls was the control self-assessment (CSA) workshop. This technique was powerful, but only a minority of internal audit functions adopted it, and most of them saw diminishing returns after the first few years. Today, workshops seem to be used more by risk managers for risk assessment than by internal auditors. 
<br></p><p>Based on my own research and discussions with other audit professionals, the emerging tools of choice for evaluating soft controls are employee surveys and structured interviews, where auditors ask questions of a sample of employees and tabulate the results. Of course, auditors' observations are also key to understanding an organization's culture, though they usually need to be corroborated with more objective evidence.<br></p><h2>Three Principles</h2><p>How can internal auditors evaluate an organization's culture? They can look at governance documents like the code of ethics, mission and vision statements, and stated values. But these documents reflect the board and executives' desired culture, not the actual culture. <br></p><p>They can interview executives, who will describe the culture as they see it. But the information those executives receive from direct reports and below, upon which their assessment is based, is usually filtered. No one wants to give his or her boss bad news, so employees present a somewhat idealized picture of the culture — not dishonest, just slightly rosy. As information moves up the organizational ladder, the picture gets increasingly rosier. The "emperor has no clothes" syndrome generally applies.<br></p><p>So where does the real culture exist? Three principles help explain where culture can be found and how it should be audited. <br></p><p><strong>1. Culture Exists in Employee Perceptions</strong> Ultimately, culture resides in the perception of employees. If employees believe the culture is x, y, or z, that's what it is, and they will act accordingly. Of course, getting employees to say what they honestly believe about the culture can be challenging. I will discuss some of the challenges in future articles.<br></p><p><strong>2. Cultural Evaluation Must Be Based on Self-assessment </strong><strong> </strong>This principle flows from the first. 
If culture exists in the perception of employees, internal auditors have to act more as facilitators than as independent, objective observers. I have seen many dozens of effective soft control evaluation tools, and I have yet to see one that is not somehow based on self-assessment. <br></p><p>Auditors should keep in mind an important caveat to this principle. The term <em>self-assessment</em> sounds like people assessing themselves. For obvious reasons, auditors can't rely on this type of assessment as audit evidence — they need some form of verification. To use employee surveys as an example, phrasing questions so that employees assess their own behavior or managers assess their own area is not reliable. But asking employees to assess aspects of the environment created for them by higher levels can be quite reliable if they feel comfortable answering candidly. In addition to building a certain level of reliability into the survey process, internal auditors usually follow up on survey results by looking for corroborating evidence.<br></p><p><strong>3. The Goal Is to Enrich Understanding of the Culture</strong><strong>  </strong>An organization's culture is amorphous, varied from place to place, and changeable over time. It does not lend itself to evaluation by any one technique alone or to reaching a definitive assessment. Rather, internal auditors should use a variety of techniques — some quantitative, some qualitative — with the goal of continually enriching key stakeholders' understanding of the culture. Moreover, stakeholders need to understand that this is internal audit's goal. <br></p><p>Internal auditors should keep in mind that they are only one source of cultural information. The first and second lines of defense also have a story to tell. Auditors should work cooperatively with the first line and coordinate their work with the second line. 
But with its independence and objectivity, together with the variety of techniques at its disposal, internal audit can be one of the most reliable sources of cultural knowledge in the organization. <br></p><h2>The Root of the Matter</h2><p>As many observers have noted, a root cause of almost every major scandal or fraud is dysfunction in the organization's culture. To give the kind of assurance required at the level they should give it, internal auditors must generate the best information they can about where the culture stands and what factors are driving it. <br></p><p>If you have techniques or methodologies you are willing to share, or would like advice on something you are developing, please let me know. And, of course, questions and comments are always welcome.<br></p><p>For those who are new to auditing culture, our video, "<a href="/Pages/video.aspx?v=E2cXRjaDE6XeakZnHydeR1EZ2WVMb1qk">Culture Audits: Getting Started</a>," provides advice on how to begin and where the challenges may lie.<br></p>
James Roth
Creating a Better Society
https://iaonline.theiia.org/2018/Pages/Creating-a-Better-Society.aspx
<p>The U.K. government’s recent launch of its Civil Society Strategy recognizes the social responsibility government and internal auditors have for creating the society we want to live in. Civil society in the U.K. today is not just about the well-being of the nation and everyone who lives there — it reflects the contributions we all make through our values to well-being in other civil societies across the globe. Those values are internal auditors’ greatest asset and resource. They also are what internal auditing is based on and should be all about.</p><p>The strategy’s aims are fourfold: Support people to play an active role in building a stronger society, unlock the full potential of the private and public sectors to support social good, help improve communities to make them better places to live and work in, and build stronger public services. I can think of no internal audit plan or program in any organization or sector that these aims and their achievement could not improve in terms of objectives, risk planning, engagement, results, findings, and follow-up. </p><p>Internal auditors all have a responsibility to make social auditing happen. Recent ventures into auditing culture and a new appreciation for culture’s role in establishing effective governance practices have touched on the importance of organizational stewardship and stakeholder engagement. Culture is not just about an organization’s values and how it performs. It also is about how the organization impacts the civil societies in which it operates. </p><p>Many institutional investors have signed on to the United Nations Principles of Responsible Investment with an environmental, social, and governance (ESG) duty: “To act in the best long-term interests of our beneficiaries. 
In this fiduciary role, we believe that [ESG] issues can affect the performance of investment portfolios.” ESG as a performance measure will continue to grow in importance for governments, investors, and organizations. It should also do so for all internal auditors in every country.</p><p>Good governance embraces environmental and social responsibilities in many ways. Achievement of the U.N. Sustainable Development Goals by its target of 2030 is just one aspect of this process. Today’s responses by organizations to the development and growth of integrated and strategic reporting will have a strong influence on the future of environmental and social responsibility declarations by organizations and the assurances they give and require. Internal auditors will always have a part to play to make this happen in their own organizations, across all sectors. The U.K.’s Chartered Institute of Internal Auditors has links into voluntary networks of internal auditors working in the charity, social housing, and higher education sectors. Their messages and progress are an excellent example of how professional internal auditing is already enhancing well-being in the U.K. and across the globe. </p><p><em>A version of this article first appeared on </em>Audit &amp; Risk<em> magazine’s website, </em><a href="http://www.auditandrisk.org.uk/" rel="nofollow" style="background-color:#ffffff;"><em>www.auditandrisk.org.uk</em></a><em>. Reproduced with permission.</em><br></p>
Jeffrey Ridley
A New Age of IT Governance Risk
https://iaonline.theiia.org/2018/Pages/A-New-Age-of-IT-Governance-Risk.aspx
<p>Effective governance of IT is critical to organizational success and can transform an organization. While IT-enabled transformation can bring many rewards, poor governance of those projects can cause disruption and unintended consequences. </p><p>As an organization evaluates different technology investments, management must ensure the technology is aligned and delivered in accordance with the organization’s strategies and objectives. Internal auditors can help by providing independent assurance on the appropriateness and effectiveness of the governance structure. </p><h2>Technology’s Challenge</h2><p>IT departments manage the technology supporting business applications, disaster recovery, cloud services, and other mission-critical functions. In many organizations, the IT infrastructure is the foundation for business operations. Yet, new technology often creates new risks ranging from specific control weaknesses to potentially enterprisewide disruptions. Helping the organization assess and address these risks is an opportunity for internal auditors to add value. </p><p>According to Standard 2110-A2 of the <em>International Standards for the Professional Practice of Internal Auditing</em>, internal audit must assess whether IT governance supports the organization’s strategies and objectives. Consequently, the challenge for internal auditors is to help assess numerous risks associated with governance of enterprise IT. </p><h2>Frameworks</h2><p>Audit programs will be more useful if they differentiate governance risks from risks related to the management of enterprise IT. Internal auditors can leverage a variety of frameworks to develop high-quality, tailored audit programs for IT governance. 
</p><p>Governance frameworks include The Committee of Sponsoring Organizations of the Treadway Commission’s <em>Internal Control–Integrated Framework</em>, ISACA’s COBIT, and the Balanced Scorecard Institute’s Balanced Scorecard. Organizations also can use management frameworks such as ITIL, the U.S. National Institute of Science and Technology’s Cybersecurity Framework, and the International Organization for Standardization’s ISO/IEC 27001: Information Security Management, ISO/IEC 38500: Information Technology — Governance of IT, and ISO 9000: Quality Management. These frameworks explain risks, controls, and other details that can reduce the time required to develop an audit program. </p><h2>Audit Planning</h2><p>Internal auditors should become familiar with each of the governance frameworks so they can scope the audit engagement to focus on the appropriate risks. Audit programs should identify the impact of IT risk to the organization as well as the potential for compliance failure. During the risk assessment, auditors can determine the current state of risk management practices, assess design gaps, identify improvement opportunities, and recommend actions. They should consider several areas in their audit program. </p><p><strong>Strategic Alignment</strong> IT strategic alignment continues to be a top priority for most organizations and aligning technology with business strategies can be challenging for management. One of the key governance controls auditors can review is the process and methodology for justifying and prioritizing IT investments. Auditors can verify that the organization has a formal and periodic process for identifying business needs. Audit procedures also should validate that the IT budget cycle is part of the business operations budgeting process. Additionally, auditors can validate corporate objectives and strategic goal alignment by reviewing the decision rights and accountability framework documentation. 
<br></p><p><strong>Roles and Responsibilities</strong> IT executives need to collaborate with business-unit executives to ensure technology helps shape business strategy. Without clearly defined roles and responsibilities for IT management, the organization might risk not aligning IT and enterprise operations. To identify the links between business and IT plans, internal auditors can evaluate the strategic plan for IT-enabled initiatives, policies, presentations to the board that highlight the outcomes of a successful implementation, and third-party agreements. Additionally, auditors should verify IT’s involvement and responsibilities in the sourcing process. Appropriate involvement by IT can ensure new technology fits the organization’s current environment. Additionally, auditors, IT, and the information security group can collaborate to evaluate compliance requirements. <br></p><p><strong>Organizational Structure</strong> To enable better governance, the chief information officer should be part of an executive or senior management team and an active participant in setting business-unit-level strategy and goals. With the pace of change in today’s business environment, the IT organization must be agile and responsive, so auditors should review metrics associated with the length of projects as well as service satisfaction. <br></p><p>Auditors should try to identify unauthorized IT projects by business units — known as shadow IT — by reviewing technology acquisition processes, purchasing authority, application inventory, and sourcing processes. They should work with the IT support function to evaluate internet traffic to external sites that may identify unauthorized subscriptions to software as a service applications. Based on a sample, auditors can review IT’s level of participation on the organization’s steering committees and internal advisory boards. 
</p><p><strong>Risk Management</strong> Auditors should evaluate whether IT risks are included in the enterprise risk management program. Auditors also can review internal processes that identify, communicate, and manage IT risks. Change controls are a huge risk in this area, so auditors should review risk management activities such as communications planning, change management, and committee oversight. If the organization has a security operations center, auditors should assess how it manages the IT environment and responds to incidents. <br></p><p><strong>Project Management</strong> Organizations should have a project management office to provide governance to prioritize IT projects according to business need. Auditors should review program and project management methodology and ensure the organization complies with internal processes to request, evaluate, and approve IT projects. They should examine a sample of completed projects to determine whether those initiatives realized stated benefits. Moreover, auditors should review the process for evaluating and prioritizing projects at the business-unit and enterprisewide levels. Additionally, understanding and reviewing key performance metrics, such as planned vs. actual expenses and requirement backlog would be invaluable. <br></p><p><strong>Management Activities</strong> Without an appropriate focus on technology, organizations could mismanage critical IT resources such as the application environment, data, infrastructure, and people. Auditors should evaluate IT’s involvement in key projects, the demand forecasting process, and resource management practices. IT’s involvement and assessment before engaging software providers and consultants will help mitigate the implementation risks associated with large projects. Robust demand and resource management practices can provide the bottom-up approach to gain insights into business requirements, alignment, and priorities. 
By understanding IT resource commitments, internal audit can assess the organization’s ability to deliver on key initiatives. <br></p><h2>Identifying Key Risks</h2><p>Every organization’s risk profile is unique and depends on the organization’s culture, structure, and mission. Governance and management teams should identify and prioritize key risks for mitigation and formalize risk acceptance. Organizations should leverage internal audit’s knowledge of the business’ environment, IT investments, and internal processes. <br></p>
Ashok (Ash) Kannan
An Early Look at Internal Audit Priorities for 2019
https://iaonline.theiia.org/blogs/chambers/2018/Pages/An-Early-Look-at-Internal-Audit-Priorities-for-2019.aspx
<p>Like the speed of risk, the end of 2018 is approaching very rapidly. That means many of you are putting the finishing touches on your 2019 annual internal audit plan. I am sure that your process has been exhaustive, and you are preparing to present a plan for your audit committee that will reflect the risk-based priorities appropriate for your organization. However, before the ink dries on your plan, I thought you might find it useful to take an early look at the priorities your peers are planning to address in the year ahead.</p><p>Risk defines the world of the internal auditor. Ultimately, risk is what shapes our audit plans, directs our stakeholders, and determines our success or failure. That is why we spend so much time and effort helping our organizations identify, understand, and mitigate or leverage risks. Understanding the unique mix of risks our organizations face, and the risk appetites of our stakeholders, is crucial to internal audit adding value.</p><p>A number of organizations produce annual reports that attempt to peer at the horizon to identify risks in the coming year. Sometimes, it is easy to predict what those risks will be, as some major ones are long term, if not perpetual. The challenge is to identify or anticipate unexpected, emerging, or atypical risks that may mature in the coming weeks or months, in hopes of preparing to gird against them or use them to benefit the organization.</p><p>Two recently published reports, one from Gartner Inc. 
and the other from the European Confederation of Institutes of Internal Auditing (ECIIA), identify a familiar foe as the top risk for 2019: cybersecurity. Over the years, this challenge to organizations has consistently climbed up the risk hierarchy in annual reports. It also has opened our eyes to other risk categories, as our understanding of cyber becomes more sophisticated and our approaches to managing it mature.</p><p>Indeed, the focus on cybersecurity has helped us to understand that technology and data are inexorably intertwined, and it has increased our awareness of risk related to data governance and data privacy. It has driven us to be more cognizant of risks related to third-party relationships, IT governance, and culture.</p><p>For example, four of the top five risks in the <a href="https://www.gartner.com/en/risk-audit/trends/audit-hot-spots.html">Gartner report</a> arguably stem from our focus on cybersecurity – cybersecurity preparedness, data privacy, data governance, and third-party risk. <a href="http://www.eciia.eu/wp-content/uploads/2018/09/Risk-in-Focus_2019.pdf"><em>Risk in Focus 2019</em></a><em>, </em>the report developed and produced by the ECIIA, groups cybersecurity, IT governance, and third-party risks into one category. Another category in the ECIIA report is data protection and strategies in a post-GDPR world.</p><p>Data and technology also are central to risk discussions on digitalization, automation, and artificial intelligence. These discussions neatly demonstrate the challenge of balancing risk and opportunity. As the ECIIA report points out:</p><p><em class="ms-rteStyle-BQ">"The cost and efficiency benefits of automation and other digital processes can be transformative, if harnessed to their full potential. But organizations must also consider the risk associated with such transformation."</em></p><p>Data collected since 2016 by The IIA in its annual Pulse of Internal Audit surveys reflect the same focus on cyber. 
The percentage of North American chief audit executives (CAEs) who rated cyber as a top risk to their organizations grew from 60 percent to 68 percent between 2016 and 2018. Over the same period, the percentage of CAEs rating IT as a top risk grew from 39 percent to 53 percent, and third-party relationships showed modest growth as well.</p><p>The Gartner report, which surveyed 144 CAEs, found two-thirds of respondents said they had experienced either a third-party-related disruption in the past two years or lacked sufficient knowledge of third-party activities to identify a disruption.</p><p>What is known is that third-party risks are growing more complex as digitalization, data sharing, and weak oversight of third-party relationships threaten to expose organizations to reputational harm. </p><p>It is easy to fixate on data- and technology-driven risks, but others certainly exist, as the two risk reports agree. Gartner identifies ethics and integrity as a risk that has evolved from culture risks identified in its 2018 report. The ECIIA report also identifies workplace culture as a risk.</p><p>In 2018, the #MeToo movement redefined how organizations see risks associated with sexual harassment and inequality in the workplace. While those two areas were known risk categories, the explosion of serious allegations against high-profile entertainment industry executives and the subsequent reputational damage to their organizations have significantly raised this risk level. The significant role of social media cannot be overstated. Here again, technology is influencing how we view risk.  </p><p>The Cambridge Analytica scandal provides another example. Facebook and its iconic founder, Mark Zuckerberg, suffered significant reputational damage for allowing the British company to mine personal information of millions of the service's users. 
It also raised awareness of the ethical responsibilities associated with data protection and privacy that now is viewed as a significant risk in both the Gartner and ECIIA reports.</p><p>As we look toward 2019, the risk landscape will likely focus on cybersecurity, data governance and privacy, third-party risk, and the evolving hazards associated with technology's impact on organizational ethics, culture, and integrity.</p><p>As you prepare your internal audit plans for the coming year, you should ensure that you have considered all of the risks facing your organization and discuss them with your audit committees and executive management. The list is by no means comprehensive or necessarily applicable to all organizations. However, it does provide a useful benchmark as you contemplate what may lie ahead in 2019.</p><p>As always, I look forward to your comments.<br></p>
Richard Chambers
Doing the Right Thing
https://iaonline.theiia.org/2018/Pages/Doing-the-Right-Thing.aspx
<h2>In light of recent, well-publicized corporate culture failings, what are boards doing to address culture?</h2><p> <strong>Christensen</strong> We definitely see the concept of culture gaining traction in the boardroom. More than ever, directors are acutely aware that culture plays a role in delivering outcomes — both good and bad — for the companies they serve. Because culture can break down anywhere in the company, it is important for directors to experience firsthand the real-world culture in the organization, rather than rely solely on boardroom discussions and management reports. One way to accomplish this is by engaging directly with operating personnel through site visits. Directors also should insist on observations regarding culture from the chief risk officer, chief compliance officer, chief information security officer, and human resources and environment, health, and safety personnel, as well as other independent second line-of-defense functions. Boards also expect internal audit to weigh in as the third-line assurance provider.</p><p> <strong>Keele</strong> Boards are asking more directed questions: What is the risk of this happening in our company? What steps have we taken to prevent/detect this type of misconduct? Do we apply our processes consistently? How does the organization respond to a finding of inappropriate or unethical behavior — is everyone held accountable, or are certain individuals given a pass? Do we have a crisis management plan to respond to an event? Boards also should be consistently asking the broader questions that get at the current state of the organization’s culture: Are expectations for what constitutes unacceptable behavior clear and understood? Is the workplace safe and respectful? Do individuals feel they can speak up without retaliation, expect they will be heard, and have their concerns investigated? 
</p><h2>What do boards need to understand about their role in overseeing culture?</h2><p> <strong><img src="/2018/PublishingImages/EOB-Tracey-Keele.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Keele</strong> Most boards now understand that culture is important, but determining what to do about it is another matter. Like management, boards are not entirely sure how to confirm whether the culture they want is the culture they have. Because measuring and overseeing culture isn’t easy, there is a risk of defaulting to seemingly simple, check-the-box solutions. Further, there is a risk of over-relying on hard controls — policies, training, and systems that only provide a partial view of risk management. Understanding the drivers of conduct — soft controls — and whether the “walk” matches the “talk” is fundamental to understanding culture and risk.</p><p>Boards also should guard against focusing on today’s expectations, without considering how they may differ tomorrow. Technological, social, economic, regulatory, and political changes are occurring faster than ever. How do organizations evolve quickly, focus on both the spirit and the letter of the law, and anticipate change to enhance resiliency, grow, and build trust with stakeholders? </p><p> <strong>Christensen</strong> Culture is a vital enterprise asset that must be cultivated, nurtured, and maintained. Directors need to be curious enough to probe on culture issues. First and foremost, the board must want to know whether there are any concerns pertaining to culture warranting its attention. Board members must address two fundamental questions: How do we know what we need to know regarding culture? Is our understanding representative of the entire organization or just certain areas? 
No director wants to be on a board that ends up asking itself: How did this happen and why didn’t we know?</p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>​Cultural Misalignment</strong></p><p>Christensen and Keele say these red flags may indicate that the tone in the middle isn’t aligned with the tone at the top. </p><ul><li>Nobody is talking about culture.</li><li>Controversial deals and encouragement of risk taking to hit short-term targets.</li><li>Complex and unclear legal and reporting structures that obscure transparency. </li><li>Poorly executed takeovers that allow pockets of bad behavior to thrive.</li><li>Lack of financial discipline.</li><li>Employees constantly fear being fired.</li><li>Employees execute projects without a clear vision from company leaders.</li><li>Lack of knowledge sharing among employees.</li><li>A focus on blame or covering for each other rather than fixing the problem.</li><li>A perceived disconnect between words and action. </li><li>A focus on the letter rather than the spirit of the law and regulations.</li><li>Risk management and controls are regarded as an inconvenience. </li><li>Lack of prompt follow through on commitments.</li><li>Failure to escalate identified issues and active concealment of problems.</li><li>Dress rehearsals for leadership visits that are focused on appearance.</li></ul></td></tr></tbody></table> <h2>What can internal audit do to inform the board about the organization’s culture?</h2><p> <strong><img src="/2018/PublishingImages/EOB-Brian-Christensen.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Christensen</strong> Internal audit, the third line of defense,  is well-positioned to perform a culture audit, evaluating the processes used across the entity by first- and second-line personnel to assess culture. 
Ironically, it is internal audit — the objective eye of the organization — that is uniquely qualified to bring “a systematic, disciplined approach” to a potentially subjective process like measuring culture. Internal auditors should “connect the dots,” considering the findings and gratuitous observations from multiple audits to ascertain whether any meaningful patterns exist. With everyone having a stake in evaluating the enterprise’s culture, the board should be privy to the results of all evaluations — particularly from independent second-line functions and internal audit. </p><p> <strong>Keele</strong> Internal auditors can play a critical role in understanding and enhancing culture. Internal audit can act as “the eyes and ears” of the organization, helping the board deepen its understanding of culture to better fulfill its culture oversight responsibilities. Evaluating and evolving audit skills and capabilities, initiating and promoting dialogue within the organization, garnering organizational permissions and support, and understanding the organization’s culture expectations, initiatives, and current state are important first steps for establishing internal audit’s role in culture.</p><h2>What tools and techniques should internal audit use to audit culture?</h2><p> <strong>Keele</strong> The tools and techniques used in traditional audits also are relevant to culture audits — interviews, data review and analysis, and walk-throughs. Also, the use of surveys, facilitated workshops, focus groups, and advanced analytical techniques like sentiment analysis can be extremely valuable, deepening the understanding of employee experiences and perceptions. Internal audit should think expansively about data that exists within and outside the organization to support improved risk assessment and audit execution. Procedures should be tailored based on the organization’s culture maturity and appetite for improvement, and internal audit’s capability and ambition. 
</p><p> <strong>Christensen</strong> Survey results can validate themes from stakeholder interactions to gauge consistency of views regarding the company’s culture. Relevant data metrics should supplement insights from surveys and direct interactions with stakeholders. These include risk metrics, conduct-related compliance data, issue escalation and resolution data, human resources data and reports, whistleblower reports, turnover data, ethics hotline reports, unstructured social media data, and employee demographic data. These and other metrics should be used as supplements to performance measures linked to the strategy to drive the type of organizational culture that management and the board would like stakeholders to experience when they interact with it. </p>
Staff
Don't Overlook Physical Access
https://iaonline.theiia.org/2018/Pages/Don't-Overlook-Physical-Access.aspx
<p>In the digital age, security risks have become a rising concern for boards, management, and chief audit executives. They have responded to technology advances and growing cyber threats by focusing on controlling access to data, networks, and systems — known as logical security. That focus on logical security often comes at the expense of attention to physical security around buildings, facilities, equipment, and other areas. </p><p>Physical and logical access are closely intertwined and combine to provide a higher level of security throughout the organization. Both types of access control are key to risk mitigation efforts to protect systems and data. Moreover, physical access can have a great impact on the effectiveness of logical access controls. Internal auditors need to focus on the basics and include physical access in their audit plans to ensure that the organization is protected adequately.</p><h2>What’s at Risk?</h2><p>Physical security is one of the most critical components of the overall security landscape. Weak physical security controls expose organizations to greater risk of failure of other controls. Recent incidents have shown that even with the strongest controls around logical security and intrusion detection, organizations continue to be exposed to the risk of unauthorized access in the absence of strong physical access controls.</p><p>Physical security risks are unique to each organization and depend on the size, geographical spread, and type of assets that need to be protected. Internal auditors often consider enterprise systems and data to be the primary assets that are vulnerable to physical security risks. That list must be expanded to include property, office buildings, warehouses, utility rooms, machinery, equipment, and vehicles as well as employees, contractors, and visitors. 
</p><p>The broader risks resulting from the lack of effective physical access controls include inappropriate and unauthorized access to information, theft, vandalism, inappropriate actions from rogue employees or angry customers, accidents, and terrorism. While important for every organization, the consequences when physical security controls are compromised may be greater for data centers, defense-related organizations, educational institutions, hotels, hospitals, and retail businesses.</p><h2>The Audit Plan</h2><p>Including physical security audits in the annual audit plan can help ensure the organization is taking a more structured approach to mitigating security risks. Auditors also should provide assurance that management has performed a physical security threat assessment. Physical security audits should cover several areas.</p><p><strong>Governance and Oversight</strong> Auditors should start by evaluating policies and procedures, oversight, risk assessments, training, and other processes that are in place to facilitate strong physical controls. Effective governance typically indicates a solid foundation for oversight and controls. <br></p><p>Ownership and accountability of physical access can sometimes be murky. Roles and responsibilities of security personnel, property management, data management, and IT overlap and are interrelated. Generally, the IT team supports and helps manage identity and access management programs, but a different business unit may be responsible for physical access. The effectiveness of physical access controls depends on the collaboration among all the affected groups.</p><p><strong>Physical Access Control Layers</strong> The first step in protecting against physical access threats is developing the ability to keep unauthorized individuals off the organization’s property. 
In assessing physical access controls, internal auditors should test the effectiveness of perimeter barriers such as fences, walls, or gates; protective lighting; alarm systems; communications systems; vehicle identification and control systems; and guard systems. As auditors move beyond perimeter considerations to review specific buildings, they should test other key controls such as security alarm systems, cameras, motion detectors, turnstiles, door locks, and badging systems. </p><p>Despite the most sophisticated personnel identification and control processes, piggybacking is still a huge concern. Piggybacking refers to when an unauthorized person follows behind another person who is authorized to gain entry into a restricted area or past a checkpoint. Internal auditors must ensure that the organization is taking enough measures to restrict access by unauthorized individuals until their identity is confirmed by on-site security personnel. Auditors can review training and communication about piggybacking and even observe this process during busy entry times.</p><p>Within each building, internal auditors should inspect elevator and stairwell access, as well as evaluate whether individual and conference room doors have appropriate locking mechanisms. Rooms that contain valuable or sensitive information and other assets should be adequately protected to prevent access by unauthorized personnel.</p><p>Internal auditors should evaluate these multiple layers of controls carefully to ensure they are strong enough from both preventive and detective aspects. All these systems should be integrated with each other. For example, many organizations use a human resources database called Active Directory to validate an employee’s access credentials in real time.</p><p><strong>Monitoring</strong> Internal auditors should assess whether the organization has effective monitoring controls in place to review the logs created from various monitoring systems. 
This information can ensure that the organization investigates and remedies all relevant incidents in a timely manner. In case of a breach, facilities, IT, information security, human resources, and legal teams must collaborate as a formal committee to discuss the incidents, analyze the root cause from investigations, and take remedial action. Internal auditors can review minutes from these committee meetings to evaluate their content and the effectiveness of their remedies.</p><h2>Internal Audit’s Next Steps</h2><p>Going forward, internal audit should integrate physical security into the department’s risk assessment process to ensure it gets adequate overall coverage in the annual audit plan. It is important for auditors to evaluate whether the current plan integrates physical security audit steps into relevant audit programs. </p><p>As they develop the audit plan and perform the risk assessment, auditors should schedule meetings with facility and security personnel to learn about past incidents and get a sense of risk exposures in this area. From there, they should meet with the relevant stakeholders to discuss the current logical controls and determine how much logical and other controls depend on physical controls. By following these steps and recommending effective physical security controls, internal auditors also can help strengthen the organization’s overall security profile.</p>
Manoj Satnaliwala
In Any Kind of Weather
https://iaonline.theiia.org/2018/Pages/In-Any-Kind-of-Weather.aspx
<p>The world has changed radically since 2004, the year the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its original, principles-based <em>Enterprise Risk Management (ERM)–Integrated Framework</em>. Since that time, there have been tremendous technology advances, the continued development of a truly globalized economic system, and lingering impacts from a devastating recession that sprang from the banking and financial crises of 2007. </p><p>In parallel, risk management and internal audit practices have evolved as both professions have become more globalized and well-regarded within organizations. Risk guidance has improved. COSO significantly revised its ERM framework in 2017, introducing some important new features that can be of great help to organizations, risk managers, and internal auditors. In addition to COSO, the International Organization for Standardization published guidance in 2009 (ISO 31000:2009) and revised it this year (ISO 31000:2018). </p><p>One year after COSO issued its updated framework, many internal audit functions are working to apply the new framework to help their organizations weather the risks that are on the horizon. The ISO standard and COSO framework are now closely aligned and complementary. However, the COSO framework provides more detailed guidance around managing risk.</p><h2>Winds of Change</h2><p>The 2004 COSO ERM Framework introduced some advances in risk management. First, it helped bring greater consistency and veracity to risk management processes and systems. Second, it stated that the context in which business risk arose was crucial — risk needs to be seen in the light of an organization’s objectives. 
The framework emphasized the notion that risk management was not just about mitigating risk, but about providing organizations with a range of appropriate responses, depending on how much risk they wanted to take. These factors have helped risk management become mainstream in many organizations.</p><p>COSO’s <em>ERM Framework–Integrating With Strategy and Performance</em> makes those ideas much more central and extends them to cover recent thinking in risk management theory and practice. This can be seen throughout its 20 core principles (see “COSO ERM Components and Principles” below) and is further underpinned by giving governance and culture a powerful role to play. In addition, the revised framework emphasizes information, communication, and reporting to give boards and management accurate and timely information to make effective decisions. Moreover, the document urges organizations to look as much to the upsides of risk as to the potential downsides and for internal auditors and other advisors to do the same.</p><h2>Pinpointing Extreme Weather</h2><p>For internal audit to contribute effectively to the organization’s risk management efforts, it must understand how the revised COSO ERM framework can be applied in practice. COSO has produced some sector-specific examples of how to apply the framework in <em>Enterprise Risk Management–Integrating With Strategy and Performance: Compendium of Examples</em>. </p><p>One risk that almost any organization faces relates to extreme weather events such as hurricanes, tornados, and floods. The application of COSO ERM to this type of risk can be illustrated by mapping the framework to the COSO ERM components. 
Environmental risks are covered in draft guidance that COSO has developed with the World Business Council for Sustainable Development, Applying Enterprise Risk Management to Environmental, Social, and Governance-related Risks.</p><p><strong>Governance and Culture</strong> To start, the organization should establish governance for effective risk management for extreme weather events, just as it would for any other threat. However, discussions at the board level could evidence the importance the board places on understanding the potential impact and likelihood of weather events. Moreover, it should convey the board’s desire to ensure such events are managed appropriately. This step maps to the framework’s governance and culture component (principles 1–5). These principles cover everything from exercising board risk oversight to considerations of how to develop the operational structures and culture needed to deal effectively with extreme weather events.</p><p><strong>Strategy and Objective-setting</strong> In this step, internal auditors would seek to understand the risk in terms of the business’ context and strategy. In this respect, the board and management need to understand how extreme weather events may disrupt the pursuit of specific strategies and business objectives. The strategy and objective-setting component (principles 6–9) includes developing a risk appetite for this particular threat and considering alternative strategies for approaching risk management. This also includes how the business context impacts the organization’s risk profile.</p><p><strong>Performance</strong> Principles 10–14 cover performance of risk management. Selecting an extreme weather event as a specific risk covers principle 10 (identify risk). Management would next identify the possible outcomes from such events, based on its understanding of the business context and strategy, and this would feed into the assessment and prioritization of this risk. 
This assessment requires understanding the potential impact of weather event outcomes and the likelihood that those events would occur at the impact levels envisaged. As with all risk assessments, management must be careful not to fixate on a particular event or outcome. Rather, it needs to consider the full range of possible outcomes. </p><p>From this assessment, management can determine which of those events and outcomes should be a priority to manage. Management should then consider its ability to mitigate the impact of those risks, as well as its appetite for related risk outcomes, and select the most appropriate risk management responses or strategies. It is important that the business assigns responsibility and accountability for managing the risks. </p><p>Possible responses may include taking moves to reduce risk, such as disaster preparation, and taking measures to reduce the impact of extreme weather events. Organizations could consider risk sharing and secure insurance to limit the financial impact of such events. They may consider avoiding risk by moving a facility to a location less prone to hurricanes and flooding, for instance. Businesses may decide to accept the risk and wait to respond when the risk event happens because advance preparations may not be cost effective or practical. </p><p>Finally, management also could consider risk pursuit if the organization is in the type of business that can benefit from extreme weather risk. For example, it could quickly ship building products to areas affected by weather events to accelerate the rebuilding process or rapidly send medical supplies or water into affected areas. The key is that the organization should consider all potential scenarios and plan for the relevant ones.</p><p><strong>Review and Revision</strong> Weather patterns change, so organizations need to reassess the potential severity of extreme weather events and evaluate whether their risk responses remain optimal. 
Also, as these responses are tested by actual occurrences, management may reevaluate their capabilities to execute the desired responses based on their ongoing experiences. These map onto principles 15–17 in the review and revision component.</p><p><strong>Information, Communication, and Reporting</strong> This component (principles 18–20) focuses on how extreme weather risk is communicated and reported throughout the business. The board must understand the context, the potential events and outcomes, the assessment and prioritization results, the rationale for the responses that have been chosen, and the results of the periodic reviews and assessments. This process also may include communication from management to risk managers to help them make more timely and effective decisions related to their risk management activities. This is likely to be empowered by digital communication channels within the organization.</p><h2>The ERM Umbrella</h2><p>Not surprisingly, internal auditors need to thoroughly understand the new COSO ERM framework to help their organizations fully benefit from it. Part of internal audit’s role is to educate the board, executive management, and others throughout the business about these ERM components and principles. In addition, internal audit needs to advise management and provide input to enterprise risk assessments. </p><p>The current framework puts a lot of weight on boards and executives receiving the right information at the right time to provide risk oversight and evaluate the effectiveness of risk management. To that end, internal audit can provide assurance and advice about whether the information that is being reported upward is comprehensive, accurate, and timely. This could take the form of one-off consultancy style exercises, be part of an audit, or be a report to the board. 
</p><p>Finally, internal audit must be in a position to evaluate the overall effectiveness of ERM, a role that has been in The IIA’s <em>International Standards for the Professional Practice of Internal Auditing</em> for some time. Standards 2110: Governance and 2120: Risk Management direct internal audit to assess risk management. Despite that, there is not much guidance available on how to conduct a comprehensive assessment. Internal auditors could use the 20 principles to perform a gap analysis throughout the business to see which elements of the guidance point to areas of risk management that require improvement.</p><h2>An Accurate Forecast</h2><p>And what of the internal audit function, itself? There are two areas of internal audit practice that the current COSO ERM framework will impact — planning and projects. </p><p>More than ever, internal auditors must understand the organization’s business objectives and strategies when it comes to periodic audit planning. Auditors need to know what the risks are to those objectives and how those risks currently are managed. For example, has management considered alternative strategies to manage the risk, or are executives simply trying to mitigate it? What is management’s tolerance to risk in that area and how open is that tolerance to variation around certain risks? The answers to these questions will influence what projects internal audit should undertake.</p><p>Audit’s planning needs to be done in light of the organization’s risk culture and risk appetite. These factors could have a major impact on the scope and testing approach designed for a particular audit if that audit is to provide assurance that is targeted at the right level of the organization.</p><p>If audit planning is executed in light of business objectives and management’s risk culture and risk appetite, audit projects will take the same focus. 
That will mean that individual audit risk assessments will be better aligned with the organization’s own risk assessment — and project scope and testing will be based on risk tolerance. Internal audit will report any deficiencies in the specific context of their potential impact on business objectives and on management’s risk tolerances. Hopefully, this will lead to audit paying more attention to the potential upsides of specific risks.</p><h2>Clear Skies</h2><p>While many of the concepts in the current COSO ERM framework will be familiar to internal auditors, taken as a whole, it will represent a big leap in the quality of audit’s contribution to the business if implemented appropriately. Few internal audit departments are able to do a comprehensive assessment of the overall effectiveness of their organization’s ERM processes. The framework may enable internal audit to perform that assessment.</p><p>For internal auditors who are adopting the current framework for the first time, the key is to learn what it says and what it means to their organization in detail. Second, assessing the organization’s current ERM practices against the framework’s 20 principles can ensure auditors understand the guidance and have identified the most obvious gaps to remedy. </p><p>Third, if internal audit hasn’t already done so, it should start to audit and report in the context of the business’ objectives because this can help bring alive what the framework is about and make audits even more useful to management. Finally, internal audit should begin to take a more holistic approach to understanding the risks the organization faces and communicate that to management. That will help management understand risk better and how its responses to threats can turn into opportunities for the organization. </p><p><img src="/2018/PublishingImages/Sobel_Sidebar_COSO%20ERM.jpg" alt="" style="margin:5px;" /></p>
Paul J. Sobel
In Compliance
https://iaonline.theiia.org/2018/Pages/In-Compliance.aspx
<p>One of the biggest challenges facing organizations today is keeping up with the ever-changing regulatory environment. Companies are dealing with complex compliance requirements in every area of the world in which they operate. Some new requirements, such as the European Union’s General Data Protection Regulation (GDPR), impact organizations regardless of whether they have a physical presence in the location where the law was enacted. Noncompliance with these regulatory requirements, whether it be involuntary or criminal, can create significant risks to an organization, including legal, reputation, and financial risks. Organizations must have strong governance around their compliance programs to ensure these risks are assessed and managed across the organization. </p><p>Internal audit can use its expertise in risk management and internal control to effectively offer assurance as to whether the risks associated with compliance are being managed to an acceptable level. The audit can be scoped to evaluate the governance process as a first step, and third parties can be used when additional assurance on specific regulations is necessary. </p><p>There are frameworks internal audit can leverage to help ensure it assesses all of the key components of a well-governed compliance program. For example, Chapter 8, Part B, of the U.S. Sentencing Commission Guidelines Manual presents guidelines for an effective ethics and compliance program (see “7 Elements of an Effective Compliance and Ethics Program” below). Although this framework is commonly used after an allegation of criminal misconduct has been made or adjudicated, it also can be used to ensure all of the elements of a robust compliance program are in place. 
</p><p>It can be overwhelming when internal audit begins analyzing a compliance program, given its overall complexity and the knowledge necessary to adequately audit all of the various regulations both in the home country and abroad, but this framework helps identify manageable components to be assessed. Management can begin by identifying all of the key compliance areas that affect the organization — environmental, data privacy, import/export, and anti-bribery/anti-corruption, just to name a few. Each key compliance area should have a designated individual with an appropriate level of authority and responsibility to oversee the compliance program. Using the framework, that person, or his or her delegates, can begin documenting how the organization would demonstrate a program that prevents or detects misconduct. A steering team of cross-functional leaders from legal, human resources, compliance, risk management, internal audit, and other key areas can help identify common program elements, such as an overall code of conduct, investigation processes, and hotline management. Internal audit can play a key role in monitoring the overall compliance program and auditing specific risk areas. </p><p>In early 2017, the U.S. Department of Justice issued supplementary guidance titled Evaluation of Corporate Programs (<a href="http://bit.ly/2Pec0fl" rel="nofollow" target="_blank">http://bit.ly/2Pec0fl</a>). This evaluation guide aligns with the federal sentencing guidelines and other referenced guidance and provides tactical questions that internal audit could use to evaluate the program. Two components, third-party and merger and acquisition risk, were added that should be considered when evaluating the effectiveness of the overall compliance program. </p><p>Third parties may be an integral part of organizational processes and considered part of the extended enterprise. 
The organization may have significant risk if those third parties, acting on behalf of the organization, commit an act of noncompliance. The third party may put the organization at a significant amount of reputation risk, and in certain instances, the organization may be liable for the actions of the third party. The evaluation guide indicates that certain actions must be taken such as due diligence, appropriate controls, management of the relationship, and appropriate consequences if noncompliance or misconduct is identified. </p><p>With mergers and acquisitions, management must ensure that a robust due diligence process is in place, and that the compliance function is integrated into the overall process to ensure that compliance risk is addressed. In the case of an acquisition, integration and transition of the compliance program to the new entity must be completed and any risks identified during due diligence addressed. </p><p>Overall, the framework and guide provide a solid base on which internal audit can ensure governance over compliance programs is effective. These documents should not be used as a checklist, as the elements may be present but a culture of compliance may not be developed, and the program becomes more form than substance. Internal audit should evaluate the adequacy of the evidence maintained in support of the program and ensure that the organization can demonstrate, both internally and externally, that the compliance program is robust. Both quantitative and qualitative factors should be evaluated. Soft controls evidence, such as how employees and leadership talk about the culture, also should be considered. 
</p><p>Although compliance can be a complex area to evaluate, these tools, along with third-party experts when needed, should enable internal audit to offer assurance around the effectiveness of the governance of compliance programs.</p><table class="ms-rteTable-4" width="100%" cellspacing="0" style="height:31px;"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><strong>​7 Elements of an Effective Compliance and Ethics Program</strong><br><br>The U.S. Sentencing Commission’s seven elements of an effective program include:<br><ol><li>The organization will establish standards and procedures to prevent and detect criminal conduct. </li><li>The organization’s governing body should be knowledgeable of the ethics and compliance program. High-level employees within the organization should be responsible for program oversight, with day-to-day responsibility delegated to specific individuals. </li><li>The organization will exercise due diligence to ensure that delegation of authority is not granted to individuals who have previously engaged in illegal activity or other conduct inconsistent with an effective compliance and ethics program. </li><li>The organization will periodically communicate its ethics program, including standards and procedures, by conducting effective training programs, for employees and third parties, and otherwise disseminating information as appropriate.</li><li>The organization will take steps to ensure that the compliance program is followed, including monitoring. The program must be periodically evaluated to assess its effectiveness, considering both quantitative and qualitative evidence. 
In addition, a system must be established whereby employees, or third parties, may anonymously and confidentially voice concerns.</li><li>The program must be promoted and consistently enforced across all levels of the organization, including appropriate incentives to act in accordance with the program and disciplinary actions when noncompliance is identified. </li><li>When criminal conduct is identified, the organization must respond appropriately and take steps to prevent further similar misconduct, including adjusting the overall compliance program. </li></ol><br>Source: U.S. Sentencing Commission, §8B2.1: Effective Compliance and Ethics Program, <a class="vglnk" href="http://bit.ly/2Ped56T" rel="nofollow" target="_blank"><span class="ms-rteForeColor-8">http://bit.ly/2Ped56T</span></a>.</td></tr></tbody></table><p></p>Kayla Flanders1
Selling Enterprise Risk Managementhttps://iaonline.theiia.org/2018/Pages/Selling-Enterprise-Risk-Management.aspxSelling Enterprise Risk Management<p>​Although enterprise risk management (ERM) has a compelling value proposition, it may not always be intuitive to key stakeholders. That often is because the benefits of ERM are not easily observable or clearly quantifiable in the near term. As risk management professionals, internal auditors are easily sold on ERM’s merits because of our role in the third line of defense. We live and breathe risk management governance daily. But internal auditors and other risk professionals engaged in ERM efforts, by nature, do not tend to have strong sales competencies. So, when we propose ways to advance ERM principles to organizational leadership, the message often misses the mark. </p><p>The ability to convince stakeholders of ERM’s value may be the difference between an ERM program that flounders as a check-the-box compliance activity and one that develops into a strategic governance asset. It is vital for internal auditors and other risk management professionals to have a compelling and polished value proposition pitch in their ERM toolbox — one that is intuitive and presentable in terms and language that first and second line of defense managers will embrace.</p><p>Risk management is not a new idea, and most business professionals understand its importance. However, some are skeptical, writing ERM off as unnecessary or an academic theory that is unproven in the real world. When this skepticism is not based on an informed position, it is a shortsighted and misguided viewpoint that creates a major cultural barrier when attempting to implement or mature an ERM program. This is when ERM professionals need to be at their best as salespeople.</p><p>Just as professional athletes strive for a competitive edge, business professionals also should pursue measures to enhance their success. 
ERM can provide the same type of competitive edge that athletes get from personal trainers, data analytics, and other measures. But ERM benefits are realized when organizations appreciate, understand, and embrace the ERM value proposition. For an organization to unlock the potential of ERM as a strategic asset, a key element is a concise value proposition that leaders and managers can easily buy into.</p><p> <strong>Step 1: Start at the top.</strong> ERM programs are most successful when executive leadership supports them. The ERM value proposition must be understood at the highest management levels. But beyond that, leadership must be compelled to embrace ERM. Only then will leaders develop a vision for pursuing implementation with the requisite energy. Leaders will only embrace ERM when there is a clear value proposition. </p><p> <strong>Step 2: Don’t oversell.</strong> Internal audit must be careful not to sabotage ERM momentum by overpromising what the ERM value proposition can deliver. ERM will not solve all strategic risk management challenges. This message must be communicated with stakeholders by setting realistic expectations about what the organization can achieve. ERM implementation will inevitably encounter failures along with successes.</p><p> <strong>Step 3: Make the case for ERM by appealing to its intuitive nature.</strong> Internal audit should start by making a simple and intuitive case to legitimize ERM. Various entities have given ERM credibility by embracing its virtues. These include regulators (e.g., board requirements for risk oversight), credit rating agencies (e.g., ERM used as rating criteria by S&P and Moody’s), and major universities (e.g., ERM academic programs at North Carolina State University and St. John’s University). 
Additionally, ERM’s qualitative value is intuitive, as outlined in the waterfall diagram below.</p><p> <strong>Step 4: Draw a distinction between traditional risk management and ERM.</strong> All business professionals manage risk. Managers oversee various business functions and manage the risk inherent in these functions. Human resources (HR) managers manage HR risk, finance managers manage finance risk, and so on. The problem with this risk management model is that it does not promote an enterprise view of risk. Risk managers in these siloed functions make risk management decisions that can have negative impacts in other functional areas.</p><p>ERM is not designed to replace the traditional risk management model, but rather to enhance it by bringing greater visibility to risk management activities and impacts across functional silos. This is done by implementing risk management processes to methodically and purposefully identify, respond to, and monitor risks at the enterprise level. <br></p><p> <strong> Step 5: Make ERM a tool for aspirational risk management excellence.</strong> Compliance benefits may be an acceptable outcome for some organizations, but the real value of ERM is realized when its focus is more strategic. 
There are three imperatives of a strategic ERM value proposition:</p><p></p><ol><li><strong>Make informed decisions.</strong> ERM should support organizational decision-making for strategic planning, tactical execution, budgeting, and risk oversight.</li><li><strong>Protect stakeholder value.</strong> ERM should protect key stakeholders from value erosion.</li><li><strong>Optimize risk outcomes.</strong> ERM should seek the best possible risk outcomes by improving the likelihood of achieving strategic and business objectives, reducing the impact of organizational threats and weaknesses, exploiting organizational strengths and opportunities, and lessening the duration and persistence of negative risk outcomes.</li></ol><p>Aspirational and strategically designed ERM programs help organizations compete more aggressively in the marketplace. With the three imperatives in place, an organization is positioned to compete with an edge. </p><p>When designed to be a strategic governance asset, ERM facilitates advanced risk-taking capabilities and empowers a thoughtful, safe, and aggressive risk-taking approach. This can result in enhanced competitive agility and ultimately lead to enhanced organizational value.</p><p><img src="/2018/PublishingImages/Governance_p.65_ERM-qualitative-value.jpg" alt="" style="margin:5px;" /><br></p>Rick Wright1
