Risk and Compliance



Confronting Climate Change (https://iaonline.theiia.org/2019/Pages/Confronting-Climate-Change.aspx)
<p>The adverse impacts of rising global temperatures and extreme weather conditions are becoming a front-line risk for businesses. A 2015 Economist Intelligence Unit study estimated that the value of global manageable assets at risk due to climate change could be as much as $4.2 trillion between now and 2100 in discounted, present-value terms. That is roughly on par with the total value of all the world’s listed oil and gas companies. Meanwhile, increased regulation to confront climate change is gaining momentum around the world.</p><p>These trends are leading boards and executives to realize that today’s climate-related decisions may dramatically impact their organizations in the future. Leaders are recognizing that the magnitude of climate change risks warrants collective action, as their impacts are widespread and not just a future threat. As a result, organizations may incur increased production costs, decreased demand, and delayed delivery of goods and services to their customers.</p><p>The growing stakeholder concern about climate change risks is creating demand for climate-competent auditors to help analyze the threats and recommend remedies. Such practitioners can help their organization address financial, process, and governance implications. Through a multipronged approach encompassing both strategic and tactical activities, internal audit can assist organizations in confronting climate change risks.</p><h2>Being Climate-competent</h2><p>Today, audit stakeholders are seeking answers to the basic questions about what climate change risks might impact them and the arrangements in place to mitigate them. Internal audit must adapt to these expectations and demonstrate the “insightful, proactive, and future-focused” characteristics described in The IIA’s Core Principles for the Professional Practice of Internal Auditing. 
</p><p>Internal audit functions that conform to the International Professional Practices Framework should be qualified to audit climate change risks. To supplement their knowledge, The IIA has published the Practice Guide on Evaluating Corporate Social Responsibility/Sustainable Development.</p><p>Yet, a worrying trend in audit reports is that many auditors do not see climate change risks beyond financial risks to the business. Some internal audit functions may not include climate change risks in the audit plan because they are not considered a principal risk to the business. For example, according to the KPMG Survey of Corporate Social Responsibility Reporting 2017, 72% of large and midcap companies did not acknowledge the financial risks of climate change. This could be because boards, executives, and internal audit lack understanding of climate change risks and their implications.</p><p>In other cases, although internal auditors may consider climate change risks in the audit plan, they may not understand the assumptions and estimates used in preparing the financial statements. Likewise, auditors may not comprehend the implications of climate change risks when applying existing accounting treatments and audit standards. Additionally, standard audit programs may not be helpful in assessing climate change risks, control criteria, and their potential impact. Finally, the audit team may not have climate-change risk specialists to assist the teams in focusing on key areas of concern.</p><h2>Strategy and Risk Management Insight</h2><p>Those internal audit functions can’t ignore climate change for long. With these risks looming on the near horizon, auditors can advise the board and management by promoting accountability in addressing climate change risks.</p><p>Internal audit can help ensure the organization is identifying, prioritizing, and remedying key climate change risks appropriately. 
For example, internal audit can advise on strategies for developing a process to define, monitor, and assess climate change risks. Auditors can ask management about the organization’s resilience and sustainability, as well as audit the organization’s sustainability report. </p><p>Another way internal audit can provide value is reviewing whether the business strategy aligns with the applicable regulatory environment. Auditors can facilitate root-cause analysis of potential regulatory noncompliance. Coordinating control self-assessment workshops can identify the areas where the organization’s climate-change response strategy does not align with its business processes.</p><p>Internal auditors also should evaluate the financial and strategic implications of climate change risks. While the changes to carbon-free or low-carbon technology could pose potential financial risks, they also could result in opportunities such as alternative technologies, business processes, services, and products.</p><p>Internal audit should ensure the organization’s enterprise risk management process includes an appropriate focus on climate change risks. Auditors can assist in developing a granular view of risks that can enable management to create appropriate risk management strategies. In addition, they should evaluate whether management has established benchmarks, metrics, success criteria, key performance indicators, and leading practices.</p><p>Where management is reluctant to consider climate change risks, internal audit can help change executives’ attitudes by enhancing their knowledge of the risks and demonstrating how to assess and predict their impacts. In addition, internal auditors who have assisted other organizations in addressing climate change risks can share information and analysis of their experiences and promote the use of tools and systems for these purposes. 
</p><h2>The Way Forward</h2><p>The audit function should understand the climate change risks affecting the organization and be able to add value proactively, in a timely manner, and effectively. It is important to assess whether the organization fully grasps the implications of climate change risks. To move forward, internal audit should:</p><ul><li>Develop a consensus with the board and senior management about internal audit’s role.</li><li>Champion a focus on climate change-related risks by participating in the risk analysis process and educating management on the best practices in climate change-related governance, risks, and controls.</li><li>Ensure the audit function has the appropriate skills to evaluate climate change risks and execute related audit engagements.</li><li>Empower audit teams by developing appropriate tools and procedures for assessing climate change risks, building capacity through mentoring and effective onboarding, and including climate experts in the audit teams.</li><li>Incorporate climate change risks into the organization’s risk register and ensure appropriate audit units are contained in the audit universe. The chief audit executive should ensure that the identified risks are embedded in each audit engagement.</li></ul><p>Climate change risks impact all of humanity. Consequently, there is much work to be done. The responsibilities of internal audit and the required skills are changing quickly. As a partner in a good governance process, the modern internal audit function can be pivotal in addressing climate change by positioning itself as an agent of change. 
</p>
Israel Sadu
The Risks in Supply Chains (https://iaonline.theiia.org/2019/Pages/The-Risks-in-Supply-Chains.aspx)
<p>Over the last couple of years, supply chain risk has become a key concern for the U.S. government. In December last year, for example, the U.S. Senate passed the Federal Acquisition Supply Chain Security Act of 2018, which contains powers to establish a security council specifically charged with supply chain risk. Further legislation with ramifications for supply chain management — such as the Manufacturing, Investment, and Controls Review for Computer Hardware, Intellectual Property, and Supply Act — has been tabled at a federal level. The hazards are many, but all point to a recognition that with increasing globalization and digitalization, supply chains have become longer, less transparent, and open to a range of threats. That means a business anywhere in the chain with weak security and controls is a potential target.</p><p>“Supply chain risk is a huge issue in the U.S. right now,” says Dan Shoemaker, director of the Master of Science in Information Assurance Program at the University of Detroit Mercy Center for Cyber Security and Intelligence Studies. He says it came to the attention of the U.S. government over fears that Chinese malware was turning up in U.S. military equipment. The risk with purchasing software is that vendors never give buyers the source code because of their need to protect intellectual property. 
So, companies effectively buy most software blind.</p><p>Shoemaker says this exposes organizations that build and use complex systems to two key risks: 1) malware can be injected into components at the bottom of the supply chain where transparency tends to be lowest; and 2) poor-quality counterfeit products can slip into a system because of cost-cutting pressures.</p><p>“This is the frontier in supply chain risk — we have systems built on top of systems that have all been built by mysterious people, and we have no idea who they are, and we often have no idea of how secure they are,” Shoemaker says. He adds, half-jokingly, if he were a country that wanted to take over the world, he would set up shop as a cut-price programming shop. “Everything I sent up the process ladder would have a killer piece of software in it that basically said, ‘When I push the button, I’ll take over the world,’” he says. “That would be easy to do because unlike other things, we just buy software without carefully looking at the ingredients.”</p><p>Internal auditors can suggest processes to reduce such supply chain risk, he says, and insist their organizations follow procedures established by the U.S. National Institute of Standards and Technology (NIST), such as NIST 800-161 that deals specifically with IT procurement and supply chain management, and also International Organization for Standardization (ISO) standards such as ISO 27000 dealing with information security.</p><p>“Installing a standards-based process will help you understand what you are buying, because you can demand to see everything that is going on at any level of the supply chain,” he explains. “It will be documentation — not a physical examination of the actual activity — but that documentation will not be available otherwise.”</p><h2>Complex Contracts</h2><p>In fact, supply chain documentation is often ignored or badly managed by the purchasing organization. 
Without a solid understanding of the contracts upon which agreements to buy are based, organizations run the risk of being arbitrarily overcharged by suppliers.</p><p>“Once signed, a shrewd supplier will hand the contract to their commercial department to start drafting claims against you while the ink is still wet,” Christopher Kelly, partner at Kelly & Yang in Melbourne, Australia, says. Complex supply chains that entail huge, ongoing projects subject to multiple amendments can be daunting. But internal auditors typically can get to grips with the structure of their supply chains by mapping what it looks like. That will help flush out conflicts of interest between related-party companies, directors, and shareholders who may sit on both sides of a procurement deal, as well as reduce the risk of compounding overhead costs, for instance, within the project. </p><p>Contract agreements can be voluminous and take effort to digest, so internal auditors who put in the hours have a fighting chance of helping their organizations manage them because each contract effectively builds its own distinctive rules around costs, profits, and target parameters, Kelly says. Failing to understand the contractual intricacies is the No. 1 mistake internal auditors make, he adds. Internal auditors trained in financial accounting, for instance, cannot assume that they will be able to apply Generally Accepted Accounting Principles to any items of expenditure. IT costs allowable under the contract as a direct cost, for example, may already be included in the overhead rate. Accruals may or may not be allowed. Only the contract’s terms will make the correct treatments clear. </p><p>If the organization and its internal auditors are on top of their contracts, however, data mining and analytics become a powerful way of validating the costs charged against those allowed under the contract. That requires attention to detail. 
Keyword searches for entertainment, gifts, parties, or rework because of the supplier’s mistakes can expose multiple errors, duplications, and advance charges, for instance. Cost analysis also reduces the risk of organizations being charged up front by the supplier for work not yet completed and then the supplier going out of business.</p><p>“When the internal auditor does his or her job well, the cost recoveries are amazing,” Kelly says. The biggest recovery he achieved was about $9 million. “I didn’t get a bonus, but it got me noticed,” he says. “And as an auditor wanting to advance in his or her career, that’s not a bad thing.”</p><p>Outside of the contract terms, changing the manager on the buyer side of the contract can be disastrous. On one audit, Kelly found that while the supplier had used the same manager on the project for 10 years, there were frequent changes to management personnel at the buying business. “The contractor was running rings around the buyer with unbudgeted charges, and when I asked for the contract, I was shown a heap of boxes and told, ‘We think it’s in there,’” he recalls. “It’s vital to keep continuity of knowledge when managing large-scale projects.”</p><h2>Building Resilience</h2><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>2019 Supply Chain Trends</strong></p><p>The five themes impacting supply chains most in 2019:</p><ul><li>Revision of the Minimum Security Criteria under the U.S. 
Border Protection’s Customs-Trade Partnership Against Terrorism (CTPAT).</li><li>Supply chain growth in Africa, which increases exposure to risks.</li><li>Ongoing mass migration, which poses both security and corporate social responsibility risks.</li><li>Dramatic shifts in politics, such as elections in Brazil, the U.S.-China trade dispute, and uncertainty over Great Britain’s departure from the European Union.</li><li>The continued threat to supply chains posed by cybersecurity issues.</li></ul><p><em>Source: BSI’s Supply Chain Risk Insights 2019 report.</em><br></p></td></tr></tbody></table><p>New supply chain risks are not as easy to detect and deal with. “We’re seeing key shifts to global supply chains this year, driven by quite dramatic changes in the geopolitical landscape,” said Jim Yarbrough, global intelligence program manager at BSI, the business standards company, at the launch of a new report this year (see “2019 Supply Chain Trends” on this page). “The concern is that as supply chains change — with Chinese companies moving operations to Africa, for example, or the U.S. sourcing goods from other Southeast Asian nations — major implications will also evolve.”</p><p>Rapid change requires a flexible strategy from internal audit teams. “It is important to look at the supply chain through the lens of risk and resilience,” Jonathan Eaton, practice leader in Grant Thornton’s National Supply Chain Practice in Charlotte, N.C., says. “That means digging into the operating model to identify the potential failure points.” </p><p>Internal auditors can do that by using a Six Sigma tool called failure mode and effects analysis (FMEA), for instance, or a host of other tools. But, he says, the question they need to address is, “In your unique business model and industry, what are the failure modes within your supply chain that can hurt your business?” Eaton says that’s something audit leadership will ultimately need to determine. 
“The buck stops with the chief internal audit executive on this,” he says. “If he or she knows that a business could be vulnerable within the supply chain, but does not know where, when, or why, then he or she must take action to find out. A deep dive into the processes using FMEA is a great place to start.”</p><p>Internal audit leaders need to ensure they are positioned as a trusted advisor to the business; otherwise, helping the business deal with supply chain risk is going to be virtually impossible. </p><p>“You have to be able to proactively track, manage, and measure risk,” he says. “But nobody has a silver bullet that is going to deal with all of the possible combinations of risk that can arise. That is why having a good relationship with the business is important for internal auditors, because the people who manage the supply chain have to be forthright with internal audit about what the risks are and the triggers that make them real.” </p><p>This task recently has become more difficult. Many companies have expanded their business and sales through the use of multiple sales channels, and they often have not reconfigured their supply chains to deal with the range of new platforms or delivery requirements that are in play. Managing risk in the supply chain in this scenario becomes a way of protecting against the potential erosion of profitability, says Eaton, and internal audit needs to have an in-depth knowledge of the business’ operations to be able to truly assist the organization in this area.</p><p>He sees the ability to track, manage, and measure risk as internal audit’s central role when it comes to supply chain resilience — particularly because those processes should be aligned to the biggest financial supply chain risks the business faces. Eaton describes robotic process automation (RPA) as a brilliant tool once audit understands the business’ failure modes and its strategy for tracking, managing, and measuring risk. 
RPA deals with high-volume, repetitive processes, so it can continually scan supply chain transactions in real time and be programmed to alert for weaknesses and red-flag events. He says too few businesses have made this move. “Internal auditors can introduce thought leadership into an organization in this area by bringing in these advanced technologies to mitigate the risk and build supply chain resilience,” he adds. But he also warns that an overdependence on technology and analytics can equally make internal audit blind to the more complex interrelated risks in the supply chain. For supply chain technology to work well, it needs to be aligned strategically with the business’ objectives for supply chain risk management.</p><h2>Preventing Crime</h2><p>Supply chains are also open to bribery, corruption, money laundering, and human trafficking risks. More recently, sanctions have become a pressing issue as the trade war between China and the U.S. gathers pace, and the Trump Administration applies pressure on its allies to keep its sanctions against Iran effective, for instance. The Office of Foreign Assets Control, the U.S. sanctions watchdog of the Department of the Treasury, has been increasing its activity in this area.</p><p>“Corporations need to make sure they understand the risk in their supply chain if they want to avoid being caught in the crosshairs,” says Samar Pratt, managing director of Exiger, a global governance, risk, and compliance business in London. But she warns that the boundaries between different types of risks can be porous. “If people want to evade sanctions, they will lie — which is where sanction risk crosses over into potential fraud,” she says.</p><p>Internal auditors should expect their organizations to do solid due diligence checks, she says. 
“While there is only so much a firm can do, as long as it can demonstrate it is taking a risk-based approach to its due diligence, it will help the organization demonstrate to internal audit it is taking appropriate steps. As part of this process, organizations are increasingly using artificial intelligence-powered, automated due diligence technology to detect red flags while onboarding new suppliers, or to monitor third parties on an ongoing basis.” Other methods include looking at the countries where raw materials are coming from, for instance, and, potentially, where the risk warrants it, sending people to those countries to ask questions on the ground. </p><p>“The due diligence needs to be proportionate to the risk and reflect the risk appetite of the organization,” she adds. While internal auditors are not specialists in investigating fraud in the supply chain, IIA standards require them to look for fraud indicators. If found, internal audit is likely to refer those issues to the organization’s fraud or financial crime team and possibly the legal team. Pratt says internal audit’s follow-up role is frequently overlooked. That involves coming back in post-investigation to examine what went wrong in the supply chain and add significant value to the business by focusing on the lessons learned and whether controls need to be strengthened. </p><h2>Making an Impact</h2><p>While the direct impact of mishandling a contract or breaking a government sanction can be significant, the reputational damage can be equally long-lasting and harmful. And as geopolitical risk increases and digitalization gathers speed, supply chain resilience is likely to become even more important. It is a difficult area for internal auditors to master. Doing so requires wide-ranging knowledge of different types of contracts, the business, and its supply chain structure — as well as keeping up to date with fast-changing threats. But the rewards can be great. 
Internal auditors who can play a central role in helping their organizations build robust supply chains will enable them to compete globally and successfully integrate new products and services into their offerings.</p>
Arthur Piper
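The contract cost validation described under Complex Contracts (keyword searches, duplicate charges, advance billing, and direct costs the overhead rate already covers) and the transaction screening that RPA is said to automate, worked as an added example; this is not code from the article or from any firm it quotes, and every invoice line, contract term and keyword pattern in it is constructed for illustration.

```python
"""Contract cost validation over supplier invoice lines.
Added example, not code from the article or any firm it quotes; all invoice lines,
contract terms and keyword patterns are constructed for illustration."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class InvoiceLine:
    invoice_id: str
    line_no: int
    invoice_date: date
    category: str
    description: str
    amount: float
    work_completed: Optional[date]  # None: milestone not yet accepted by the buyer

@dataclass(frozen=True)
class Finding:
    invoice_id: str
    line_no: int
    code: str
    detail: str

# Constructed contract terms; a real review reads these out of the signed contract.
CONTRACT = {
    # Word-bounded, with a lookbehind so "third party" is not read as a party.
    "unallowable_patterns": (r"\bentertainment\b", r"\bgifts?\b",
                             r"(?<!third )\bpart(?:y|ies)\b", r"\brework\b"),
    # Categories the contract already recovers through the overhead rate;
    # billing them again as a direct cost is a double charge.
    "categories_in_overhead": {"IT"},
}

def review_invoice_lines(lines: List[InvoiceLine], contract: dict) -> List[Finding]:
    """Run the four checks over every line and return one Finding per hit."""
    findings: List[Finding] = []
    patterns = [re.compile(p, re.IGNORECASE) for p in contract["unallowable_patterns"]]
    seen: Dict[Tuple[str, str, float], InvoiceLine] = {}
    for line in lines:
        # 1. Keyword screen for cost types the contract does not allow.
        hits = [p.pattern for p in patterns if p.search(line.description)]
        if hits:
            findings.append(Finding(line.invoice_id, line.line_no, "KEYWORD",
                                    "matched " + ", ".join(hits)))
        # 2. Direct cost for a category the overhead rate already covers.
        if line.category in contract["categories_in_overhead"]:
            findings.append(Finding(line.invoice_id, line.line_no, "IN_OVERHEAD_RATE",
                                    f"{line.category} is recovered via the overhead rate"))
        # 3. Advance charge: invoiced before the work was accepted as complete.
        if line.work_completed is None or line.invoice_date < line.work_completed:
            findings.append(Finding(line.invoice_id, line.line_no, "ADVANCE_CHARGE",
                                    "invoiced before work completion was accepted"))
        # 4. Duplicate: same category, description and amount already billed.
        key = (line.category, line.description.strip().lower(), round(line.amount, 2))
        if key in seen:
            first = seen[key]
            findings.append(Finding(line.invoice_id, line.line_no, "DUPLICATE",
                                    f"repeats {first.invoice_id} line {first.line_no}"))
        else:
            seen[key] = line
    return findings

def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per reason code for the working paper."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts

def amount_queried(findings: List[Finding], lines: List[InvoiceLine]) -> float:
    """Total value of lines carrying at least one finding, each line counted once."""
    flagged = {(f.invoice_id, f.line_no) for f in findings}
    return round(sum(l.amount for l in lines if (l.invoice_id, l.line_no) in flagged), 2)

# Constructed sample lines from one supplier on a long-running project.
SAMPLE_LINES = [
    InvoiceLine("INV-1001", 1, date(2019, 3, 1), "LABOUR",
                "Site engineering labour, February", 42000.00, date(2019, 2, 28)),
    InvoiceLine("INV-1001", 2, date(2019, 3, 1), "MATERIALS",
                "Client entertainment, site opening", 3200.00, date(2019, 2, 20)),
    InvoiceLine("INV-1002", 1, date(2019, 3, 15), "IT",
                "IT support billed as direct cost", 5000.00, date(2019, 3, 10)),
    InvoiceLine("INV-1003", 1, date(2019, 4, 2), "LABOUR",
                "Rework of pump install after failed inspection", 7800.00, date(2019, 3, 30)),
    InvoiceLine("INV-1004", 1, date(2019, 4, 20), "SUBCONTRACT",
                "Phase 2 piping, milestone M3", 150000.00, None),
    InvoiceLine("INV-1005", 1, date(2019, 5, 1), "LABOUR",
                "Site engineering labour, February", 42000.00, date(2019, 2, 28)),
    InvoiceLine("INV-1006", 1, date(2019, 5, 5), "MATERIALS",
                "Valves batch 7, third party inspection", 12500.00, date(2019, 5, 10)),
]

if __name__ == "__main__":
    found = review_invoice_lines(SAMPLE_LINES, CONTRACT)
    print(summarize(found), "amount queried:", amount_queried(found, SAMPLE_LINES))
```

Each finding is a query to raise with the supplier against the contract terms, not a conclusion; the same loop, fed from a live transaction feed, is the kind of red-flag screen the article attributes to RPA.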
Auditing Culture: Audit Project Surveys (https://iaonline.theiia.org/2019/Pages/Auditing-Culture-Audit-Project-Surveys.aspx)
<p>Internal auditors looking to gauge organizational culture can choose from a variety of assessment techniques. Some are innovative, robust, and resource-intensive, while others are fairly simple. Typically, using a combination of techniques provides a more well-rounded picture of the culture.</p><p>Some of the most commonly used assessment techniques include:</p><ul><li>Entitywide employee surveys.</li><li>Open-ended interviews.</li><li>Structured interviews, in which a sample of employees is asked the same set of questions.</li><li>Combining objective data with auditors' perceptions.</li><li>Focus groups.</li><li>Self-assessment workshops.</li><li>In-depth root cause analysis.</li></ul><p>One of the simplest tools for auditing culture is an audit project survey — a survey conducted during the course of an audit engagement. There are several advantages to using a survey tool, as well as limitations and challenges that should be considered. Armed with this knowledge, and familiarity with suggested development and implementation practices, auditors may be better positioned to harness audit project surveys as a means of gaining valuable insight on organizational culture.</p><h2>Advantages</h2><p>Employee surveys have several advantages over other techniques for evaluating culture, including:</p><ul><li> <strong>Anonymity. </strong>If employees know survey results will remain anonymous, they may be more candid than they would in an interview.</li></ul><ul><li> <strong>Potentially Greater Validity. </strong>If employees feel safe and believe action will be taken to address their concerns, surveys usually constitute an accurate measure of employee perceptions.</li></ul><ul><li> <strong>Quantitative Results</strong>. 
Most employee surveys I have seen ask respondents to indicate the extent to which they agree or disagree with statements (see, for example, the "University of Minnesota Employee Survey" below). The percentage of employees who disagree or strongly disagree with a statement is an objective fact, and significant disagreement represents strong evidence that something needs to be examined.</li></ul><ul><li> <strong>Efficiency.</strong> Audit project surveys provide an efficient way of gathering input from a large sample of employees. Effective project surveys often yield a response rate of 60-70%, and online survey tools make aggregating and analyzing the responses relatively easy. Unless the audited area is unusually small, interviewing and analyzing responses from a comparable percentage of employees would be prohibitively time-consuming.</li></ul><h2>Challenges and Drawbacks</h2><p>While the advantages of employee surveys are considerable, internal auditors should be aware of several potential drawbacks. Recommendations for addressing these limitations are also provided.</p><ul><li> <strong>Possible Lack of Candor. </strong>Employees may not be candid, in which case positive results will produce false assurance. Although surveys can be anonymous, employees might not believe they are. And if employees fear retribution from their manager, responses are likely to be positive regardless of how they really feel.</li></ul><ul><li> <strong>Potential Blind Spots. </strong>Employees may have blind spots about cultural issues, which can affect their assessments. An often used definition of culture is "how we do things around here." When someone joins an organization, he or she wants to fit in and may accept the way things are done without question. Similar to a lack of candor, this will produce false assurance.<br><em>Recommendation. 
</em>To address both lack of candor and cultural blind spots, auditors should avoid relying solely on survey results. Some people will be more candid in an interview than on a survey. For example, I think of an objection I received when discussing entitywide surveys at a conference in the Pacific Rim. An attendee who worked for a U.S. multinational company that used this type of survey said, "Surveys don't work here. People in this country will never be honest on a survey. They'll tell us exactly what's going on but they would never write it down." I now tell this story when I teach in that country, and the attendees always agree.<br>No single tool or technique is sufficient. Auditors need to be aware of limitations that exist in a given location and complement surveys with their own observations, available data that reflects the culture, interviews, and whatever other tools might be useful in that context. <br></li><li> <strong>Employee Misperceptions. </strong>Although surveys can be an accurate measure of employee perceptions, employees can be wrong. I think, for example, of a lead auditor who worked for me when I was an audit manager. She would occasionally come into my office, ask to close the door, and say, "What are you managers thinking? Do you have any idea what the staff is saying about this decision you made two weeks ago?" I'd say, "But Pam, they don't understand why we made that decision," and realize that we needed to tell them. Pam did a great service by alerting us to the staff's misperceptions, which we could then correct.<br><em>Recommendation.</em> Auditors should not present negative survey results as an issue unless they find corroborating evidence. However, if they can't find such evidence, or what they find contradicts the survey results, they should report it to local management as a possible misunderstanding it might want to correct.<br> </li><li> <strong>Ambiguity. 
</strong>Developing survey statements that are clear and unambiguous can be difficult. Take, for example, the statement, "Management is ethical, fair, and open to employee suggestions." This statement asks about three different qualities. A manager might have one or two of these qualities, but not the third. Also, does "management" refer to the employee's immediate supervisor, the head of the organization, or something in-between? <br><em>Recommendation. </em>Auditors can use a couple of methods to prevent survey statement ambiguity. First, they can draw from good models. Examples of effective surveys can be found in internal audit literature, obtained from colleagues, and accessed on the internet. With established models, any initial ambiguity is likely to have already been identified and corrected. Moreover, auditors will be able to approach prewritten survey statements more objectively, and identify any residual ambiguity more easily, compared to statements written by themselves.<br> Auditors can also field-test the survey once it's been developed. Before finalizing the survey instrument, they can give it to several people and ask what they thought each statement was asking. This exercise should identify most or all remaining ambiguity.</li></ul><ul><li> <strong>Scope Limitations. </strong>Surveys are limited to the predefined issues they include. And obviously, culture encompasses much more than a brief survey can assess. <br><em>Recommendation. </em>Internal auditors can address this concern by asking survey participants for explanatory comments. The University of Minnesota Employee Survey below has only 12 statements, but it asks respondents, "Would you like to tell us anything else about the operations of your (college, department, center, or other term as appropriate)?" Respondents can elaborate on any of the 12 statements or include something else they want the auditors to consider. 
</li></ul><h2>Development, Implementation, and Analysis</h2><p>Audit project surveys should be adjusted to best fit the environment in which they will be applied. Several considerations should be kept in mind when tailoring a survey for use with a particular client or organization, and during survey implementation and analysis. </p><ul style="list-style-type:disc;"><li>Design the survey carefully. Provide clear instructions for completing the survey, and phrase statements carefully using simple, easy-to-understand language.</li><li>Ask for level of agreement/disagreement with statements — such as those shown in the University of Minnesota Employee Survey's Likert scale below — and for explanatory comments.</li><li>Ask managers if they want to add issues they're concerned about. Good managers often wonder what their employees really think about certain decisions they've made or aspects of the environment. This is their chance to get honest feedback that employees might not want to give them in person.</li><li>If the content might be highly sensitive, consider asking the legal department to review the survey instrument. The lawyers are less likely to object if they are consulted up front than if they see the survey once it's underway. And they might have legitimate concerns.</li><li>To demonstrate management's support, ask the head of the audited area, as well as the chief audit executive, to sign the survey invitation email.</li><li>Consider using online survey tools to survey 100% of the population and to facilitate results analysis. </li><li>Stratify responses by level — for example, senior management, middle management, staff — and compare the differing perceptions.</li><li>Remember that surveys measure employee perceptions; they must be substantiated to be reported as audit issues. If they can't be substantiated, they still provide valuable information for the manager. </li><li><p>Involve the "experts" in interpreting the results. 
Some audit departments review the stratified results with a focus group of experienced employees who know better than the auditors why employees responded as they did. The confidentiality of individuals' comments, of course, must be preserved.</p></li></ul><p>Regardless of the technique or combination of techniques used, auditors and their stakeholders must keep in mind the objective of culture auditing: to continually enrich stakeholders' understanding of the culture through a blend of qualitative and quantitative evidence; the objective is not to reach final conclusions. Without this shared understanding, internal auditors risk giving false assurance when assessment results are positive and assigning unfair blame when results are negative. </p><h2>An Important Tool</h2><p>Project audit surveys can provide key insight on organizational culture. Like other tools used for this purpose, they will not be effective in every situation. But when applied with discretion and in conjunction with other techniques, they can be a valuable asset in the culture auditor's toolbox.<br></p><p><img src="/2019/PublishingImages/auditing-culture-questionnaire-smaller.jpg" alt="" style="margin:5px;" /><br></p><p><em>James Roth</em></p>
Social Media Governance (https://iaonline.theiia.org/2019/Pages/Social-Media-Governance.aspx)<p>Social media’s strategic role within organizations has grown exponentially as it has become a ubiquitous juggernaut of nonstop information of varying degrees of accuracy and relevance. But its risks to the organization have accelerated, as well. To keep up, organizations need a strong governance structure that specifically emphasizes social media.<br></p><p>Similarly, social media’s high impact and high risks mean internal audit should look closely at all related activities. Perhaps the most important of these activities for internal audit is ensuring the organization’s social media governance is effective. </p><h2>It Starts at the Top</h2><p>Any aspect of governance starts with the board. As part of its assurance efforts, internal audit should ensure the board understands the broad scope of risks related to social media, as well as the board’s role in establishing an appropriate governance structure. </p><p>Foundationally, the organization already should have an effective governance structure in place. But the fast pace of change related to social media means the board should take a more active role in ensuring the organization’s governance structure addresses unique social media issues effectively. This not only helps the organization successfully achieve these objectives, but also further ensures the organization will not be broadsided by change, irrelevance, and damaging reputation issues.</p><p>The board must understand the changing landscape of social media, as well as the current and evolving risks. Further, directors must understand the organization’s social media strategies — both the strategies specific to social media and those using social media to better achieve objectives. This includes understanding how the strategies were developed and how they support the organization’s overall mission. 
Finally, the board should understand how the organization will address emerging issues, potential crises, and the overall changes in the social media environment. </p><p>Ultimately, board members must be able to lead conversations that get to the heart of the organization’s approach (see “Questions the Board Should Ask” at the bottom of this page). To ensure the board is prepared to successfully oversee social media activities, internal audit should focus on three areas: knowledge, training, and communication. </p><p><strong>Knowledge</strong> The constant press coverage related to social media “fails” has resulted in boards becoming more aware of social media’s risks and pitfalls. But it also has led many boards to focus on the latest YouTube debacle or Twitter mistake, rather than understanding the broader risks. Therefore, internal audit should ensure board members fully understand the risks and opportunities related to social media, as well as the organization’s activities. <br></p><p><strong>Training</strong> Internal audit should ensure the board has been trained appropriately on new and emerging social media technologies, how they are used, the risks to the organization and its industry, and how competitors are using social media. Such training will help the board understand how the organization developed its strategic approach and what it needs to be successful. <br></p><p><strong>Communication</strong> Internal audit should ensure communication channels allow the board unfettered and timely access to the information it needs about social media. 
In addition to information from executives, this communication should come from committees responsible for social media, departments involved in developing and communicating through social media, and front-line personnel who are dealing with day-to-day issues that can quickly grow into organizational disasters.<br></p><p>Internal audit can provide assurance that board members are prepared by examining activities at the highest levels of the organization. The best way is for auditors to speak directly with board members to gain assurance that directors are providing the best oversight possible. Additionally, auditors should review correspondence and minutes of board meetings, as well as the information received by the board, to ensure that it has been kept in the loop. They also should review training materials to ensure materials cover all appropriate areas and that all board members have participated.<br></p><p><img src="/2019/PublishingImages/Jacka-social-media-governance-at-a-glance-chart.jpg" alt="" style="margin:5px;width:800px;height:562px;" /><br></p><h2>Executive Oversight</h2><p>At the next layer of governance, the executive level is responsible for developing and implementing the organization’s social media strategies and objectives, as well as ensuring they align with the organization’s other strategies and objectives. Like the board, executives should obtain assurance that social media projects are advancing as expected, the projects are aligned with other strategies, the objectives are being met, significant risks and issues are communicated, and all other necessary information is brought to executives’ attention timely.</p><p>Best practice is to assign a social media champion at the executive level to oversee social media activities organizationwide and be responsible for their success. The executive should fully understand and believe in the value of social media to the organization, while also understanding the associated risks. 
This individual also should have the status to freely communicate potential issues and concerns to fellow executives. Otherwise, social media activities may fail because of lack of interest.</p><p>It also is best practice to establish a social media oversight committee to handle responsibilities at a more granular level. The committee should encompass all departments with a role in social media and include individuals with the authority to initiate changes. The committee will be responsible for ensuring the alignment and success of all social media strategies, objectives, and plans; monitoring project progress; and communicating potential issues. The executive champion should be an active member of this committee, providing guidance and ensuring necessary communication between the committee and executives.</p><p>Much of internal audit’s review of executive oversight is similar to that outlined for the board — just more detailed. This includes obtaining assurance that executives receive ongoing training that allows them to understand how social media can best be used, and that executives are adequately updated on social media. In addition, internal audit should determine whether executives are actively ensuring their individual departments are using social media appropriately, and that those activities are aligned with other departments and functions.</p><p>Interviews with executives are the best way for auditors to obtain this information. And, while social media-focused interviews can be an important part of the review, an effective alternative is to discuss the topic in meetings about departmental risks, concerns, and upcoming initiatives. Special attention should be paid to the executive champion, who can be a significant source of information about the status and growth of social media. 
If the relationship is cultivated appropriately, the champion can be a source for potential areas of review.</p><h2>The First Line of Defense</h2><p>A challenge in any governance structure is ensuring coordination among the teams that manage the various aspects of risk. Effective social media governance requires each of the three lines of defense — operational management, risk management and compliance functions, and internal audit — to understand the specific risks and responses that apply to their functions. </p><p>The first of these lines, operational management, owns and manages the risk. These are the operational managers responsible for maintaining effective internal controls and executing ongoing risk and control procedures. Each operational function must understand the impact of social media on its responsibilities, as well as the function’s role in the organization’s social media presence. Although their roles and responsibilities can vary from one organization to the next, the following are functions that could be involved with social media. </p><p><strong>Marketing</strong> This function is responsible for marketing through social media channels, including brand management. Responsibilities include ensuring social media delivers a consistent message to the right customers, brand integrity and standards are maintained in all social media channels — including the activities of agencies and third-party vendors — and the message being delivered matches organizational objectives. <br></p><p><strong>Sales</strong> The sales function’s responsibilities include ensuring sales efforts on social media match marketing’s message, delivery of products and services sold through social media is accurate and timely, and follow-up is taken on leads generated through social media. The department also must keep online sales information updated and accurate, and use social media data to analyze trends related to leads, sales, and returns. 
Ultimately, the function should ensure social media improves sales efficiencies and costs.<br></p><p><strong>Customer Service</strong> This function ensures complaints received through social media are handled efficiently, customer satisfaction in the online sales process is maintained at the desired levels, and customers are referred to the appropriate goods and services. Customer service also makes sure all online communications maintain the appropriate tone and social media is used to accurately measure customer satisfaction.<br></p><p><strong>Public Relations</strong> Also known as corporate communications or community relations, public relations manages how the public perceives the organization. Its responsibilities include ensuring social media messages related to public relations match the overall messaging strategy and monitoring exists to identify, avert, and mitigate crisis situations. Public relations also should have an effective crisis management plan that includes responding to social media issues and using social media as part of the crisis management process.<br></p><p><strong>IT</strong> This function develops and maintains hardware and software used for social media. IT’s responsibilities include ensuring customers have a seamless experience while using social media and maintaining sufficient backups to reduce or eliminate downtimes. This function implements technology to achieve the organization’s social media objectives and ensures access to the organization’s social media sites is controlled.</p><p><strong>Human Resources</strong> This function uses social media to recruit new employees and potentially uses social media to deliver training. Human resources should ensure that training on the use of social media includes all employees and all facets of social media use. 
It should ensure a social media policy is developed that complies with existing regulations and the organization’s other policies, and monitor employee satisfaction through external comment boards and websites.<br></p><h2>The Second Line</h2><p>The second line of defense comprises those functions that ensure first-line-of-defense controls are designed appropriately, in place, and operating as intended. Spanning the organization, these functions provide assurance related to their field of expertise. Second line functions need to keep abreast of changes in social media with a particular emphasis on issues impacting the areas they oversee. As with the first line of defense, the specific structure and responsibilities of second-line functions differ among organizations. In reviewing governance, internal audit should ensure that the organization is addressing all of the potential social media oversight roles these functions perform.</p><p><strong>Risk Management</strong> This function ensures social media risks are understood throughout the organization and included in risk assessment processes. Responsibilities include ensuring all risk assessments consider social media, departments keep abreast of emerging issues and risks related to social media, and those issues and risks are communicated timely. The risk function also must ensure all departments’ risk assessment and management procedures address social media risks appropriately.<br></p><p><strong>Compliance</strong> The compliance function is responsible for ensuring existing regulations are reviewed for reinterpretations that may impact social media and that new and changing regulations are monitored. It must advise all departments of regulations that will impact their use of social media and ensure that potential noncompliance issues are reported and acted upon.<br></p><p><strong>Security</strong> The security function must ensure appropriate access to and control over social media activities. 
It ensures general IT security controls such as passwords, antivirus, anti-malware, and firewalls have been established and are being used effectively. It also makes sure that access to the organization’s social media accounts is restricted appropriately, all accounts are monitored for suspicious activity, and accounts that are no longer in use have been decommissioned. Additionally, the security function should ensure all employees understand the risks related to inappropriate use of social media.<br></p><p><strong>Quality</strong> This function is responsible for ensuring the organization’s use of social media complies with standards related to brand and image. Its responsibilities include ensuring branding and imaging within social media accounts match established standards, and making sure overall quality and professionalism of social media interactions match the desired level. The quality function also should ensure information reported through social media channels is accurate, and the organization takes effective corrective action on identified issues.<br></p><h2>The Third Line</h2><p>Internal audit provides the board and senior management with independent and objective assurance of the other two lines’ efficiency and effectiveness. To that end, auditors should ensure that all entities in the three lines understand social media risks as well as their responsibilities for those risks. Internal audit can use two approaches to provide this assurance.</p><p>The first is to conduct an overall review of social media, focusing on the functions where the greatest risk may reside. This review may entail separate audits of social media for each function — which will provide detail on how the function is performing — or a review of social media risks, adding focus on potential gaps among departments. </p><p>The second approach is to include social media as a risk area in all audits planned for the year. 
The results should be included in the individual reports, but auditors also should consider providing an overview of organizationwide responses to social media risks.</p><h2>Audit’s Social Impact</h2><p>Social media has become an integral part of any organization’s success and an area that internal audit functions ignore at their own peril. In providing assurance regarding social media, governance can be one of the most impactful areas in which internal audit can provide value. Moreover, reviewing governance establishes a foundation upon which internal audit can begin to build its understanding of, and assurance work related to, social media. <br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p><strong>​Questions the Board Should Ask</strong></p><p>A well-informed board is equipped to ask the important questions about the organization’s use of social media. To ensure the organization understands its social media strategies and direction, here are some questions board members should be prepared to ask and the organization should be able to answer.</p><p><strong>How are we using social media to engage with our customers, open new markets, and recruit top talent?</strong> </p><p>These three areas are only a small part of how the organization is using social media. But they provide a good foundation to ensure the organization understands the impact of social media, and they may help the organization explore how best to use it.</p><p><strong>How are our competitors using social media?</strong></p><p>Social media is a competitive advantage. Without understanding how the competition is involved, the organization cannot know if it is ahead of or behind the curve. Understanding the competition’s use of social media also provides lessons learned without actually taking the risks. 
In addition, following competitors on social media provides insights into their strategies and plans beyond social media.</p><p><strong>How are our employees and other stakeholders using social media? What do we allow?</strong></p><p>This question generally will lead to a discussion about existing social media policies. But the primary purpose is to provide assurance that the organization is aware of the risks related to employee and stakeholder use of social media, is monitoring those activities, and is prepared to respond quickly to potential issues.</p><p><strong>What regulations regarding social media does our organization need to be aware of?</strong></p><p>Board members need assurance that the organization understands the impact of regulators on the organization’s use of social media, monitors compliance with those regulations and regulatory changes, and takes appropriate actions.</p><p><strong>How are we monitoring social media activity for potential negative issues? Does this include plaintiff, activist, regulator, and vendor social media activity?</strong></p><p>Monitoring is an important part of the organization’s social media risk management process. Almost every social media fail could have been better controlled had the organization monitored and responded to social media conversations appropriately. Monitoring can provide early warning about public relations, brand, regulatory, or legal issues before they get out of hand. </p><p><strong>How are we interacting with the organization’s followers, friends, etc.?</strong></p><p>The board needs to understand how success is measured related to the investment in social media. The important aspect of this question relates to how any measures of success will be used to positively impact organizational objectives. 
Board members should be asking for a direct link between social media metrics and broader organizational success.</p><p><strong>What do board members need to do to ensure they keep out of trouble?</strong></p><p>First, the board must be assured that it has the information necessary to understand and respond to relevant social media risks. Second, board members must understand how their use of social media — whether as a representative of the organization or as a private citizen — can impact the organization. While these are questions that should be asked by board members, they also are excellent questions for internal audit to use during its reviews, particularly at a governance level. The questions dig deeply into the knowledge and awareness of all social media participants.<br></p><p><em>Adapted from “Critical Social Media Questions for the Board Room” by Richard S. Levick, Fast Company, 11/27/12.</em><br></p></td></tr></tbody></table><p><em>Jacka and Scott are the authors of Auditing Social Media, Second Edition, published in August by The IIA’s Internal Audit Foundation.</em><br></p><p><em>Mike Jacka</em></p>
A Limited View (https://iaonline.theiia.org/2019/Pages/A-Limited-View.aspx)<p>Boards still largely think of internal audit as a control function rather than a resource they can call upon for help on a wide range of strategic and risk-related issues, say senior internal auditors. Several leading figures from the profession attended the National Association of Corporate Directors Global Board Leaders' Summit last month in Washington, D.C., and all of them were taken aback by the presenters' lack of reference to internal audit and corporate governance. They were surprised at the absence of discussion on contributions the function could make to a range of key emerging risk issues, including cyber risk, corporate social responsibility, and climate risk.</p><p>Nancy Haig, head of internal audit and compliance at a professional services firm in New York, and a member of The IIA's North American and Global boards, says that directors are "still missing a trick" by overlooking the contribution internal audit can make to assisting in the governance process. "In most of the talks that I attended, speakers regularly said that they wanted more risk assurance, and they wanted to be better informed, but they rarely said that they sought help from internal audit to deliver this," she says. "It just didn't seem to occur to any of them that internal audit is an excellent resource to call upon for this kind of work."<br></p><p>The audit leaders who attended the event agree that internal audit's capabilities appear largely underappreciated by members of corporate boards. They point to the need for change and for increased board awareness regarding the important role practitioners can play in organizational governance.<br></p><h2>Untapped Potential</h2><p>Haig says that directors seem to view internal audit as a function that just checks financial controls, noting that they overlook how much more the profession can provide. 
"It is a key internal resource that can help review whether there are sound processes in place for determining corporate strategies, and how best to implement them," she says. "Internal audit can help identify future risks to the business and suggest approaches to mitigate them. These are all crucial elements of good corporate governance, but directors may still not be making the best use of the skills that internal audit has to offer."<br></p><p>Haig suggests that, in some organizations, there may be too much focus on determining what directors' responsibilities are rather than on how support functions such as internal audit can help directors, as well as management, achieve their goals. "This is an area that may be ripe for change," she notes.<br></p><h2>Relationship Building</h2><p>Benito Ybarra, chief audit and compliance officer at the Texas Department of Transportation in Austin, Global IIA board member, and chair of The Institute's North American Board, says the relationship between internal audit and the board needs some work to ensure better outcomes. Typically, he says, communication between the two is largely "one-way," with internal auditors working to make the most of the board members' limited time through varying methods of communication and boards not fully understanding the potential breadth of an internal auditor's role. <br></p><p>"Board members understand that internal audit exists within the organization, but it is a function that is assigned to the audit committee," Ybarra says. "It doesn't usually occur to them to call upon the function to do anything that the audit committee has not already agreed upon. The board's primary function is oversight of the organization, with the organization's leadership within its focus — not internal audit."<br></p><p>Internal audit can also face challenges stemming from its reporting relationships. 
Many chief audit executives find themselves reporting functionally to the board or audit committee, but administratively to the chief financial officer or other members of the organization's management team. "This inhibits the internal auditor from gaining access to the CEO and limits their perspective regarding the organization's strategy," Ybarra says. "This can negatively impact the internal auditor's ability to formulate and position the function's skill set to ensure alignment and focus on advancing the organization."<br></p><p>Another part of the problem, Ybarra says, is that some internal auditors can be reluctant or "too timid" to participate in discussions involving strategy, risk management, culture, and governance. The profession may be associated more with what it won't do rather than what it is capable of doing. <br></p><p>"Boards can be frustrated by internal audit," Ybarra explains. "Executives get tired of hearing that internal audit can help identify risks but can't provide solutions for managing them."<br></p><p>As a result, it's time for the profession to "step forward," Ybarra asserts. He says that internal auditors should focus on "ways it can say 'yes'" more often, rather than saying that something does not fall within their remit, or citing independence, expertise, or resource issues. "Saying 'yes' more often can result in advancing yourself, the organization, and the profession much more than limiting yourself to being in a documentary in which you can't participate," he says.<br></p><p>Ybarra adds that internal audit functions should position themselves to be trusted advisers that can provide ideas and solutions and think about how to add value in the same way that a consultant would do. "Internal auditors need to understand what boards are focusing on, the problems they are facing, and think of ways of helping," he explains. "It is not tenable anymore to take a step back from these kinds of discussions. 
They need to think more strategically and about the contribution they can bring to the table. In short, they need to do and deliver more."<br></p><p>A recent IIA report, <a href="https://na.theiia.org/periodicals/OnRisk/Pages/default.aspx">OnRisk 2020: A Guide to Understanding, Aligning, and Optimizing Risk</a>, provides insight on how internal audit can make contributions along these lines. Citing misalignment on risk among board members, executive management, and internal audit, the report points to deficiencies in the completeness and quality of information flow to boards as a potential cause. Suggested internal audit remedies include asking board members if they are comfortable that the information provided to them is complete, accurate, and timely, and reviewing certain board materials, such as those involving mission-critical risks, to verify and communicate whether any information is incomplete or inaccurate.<br></p><h2>Demonstrate Value</h2><p>Neil Frieser, senior vice president, Internal Audit, at telecommunications company Frontier Communications in Norwalk, Conn., and IIA North American Board member, says that if internal audit wants to engage board members' hearts and minds, they need to increase awareness about how the organization can leverage its skills. <br></p><p>"Reminding boards what kind of work we already do will only achieve so much," Frieser says. "We need to educate them about where the profession is heading and the new areas of focus that we are interested in working on. We need to demonstrate proficiency in key areas such as data analytics, robotic process automation, cyber risk management, business ethics, corporate reputation, and environmental risk awareness. 
As a profession, we need to show that we are more than a function that just looks at compliance and internal controls — we need to give them confidence that we understand how the business works, identify obstacles to achieving established business strategy, and how we can help the board fulfill its duties."<br></p><p>He also points out, however, that time allotted for interaction with board members can be very limited and notes the importance of being thoughtful about agenda items and crisp in the delivery of information.<br></p><p>The best way to get the board's attention, Frieser says, is for internal auditors to be thought leaders and advocates for their functions and the profession. "If we want to raise our status, we need to make sure we truly engage the board at a higher level than we have done historically," he says. "We need to show what we can do and be accountable for it."<br></p><p><em>Neil Hodge</em></p>
Blue Bell Blues (https://iaonline.theiia.org/2019/Pages/Blue-Bell-Blues.aspx)<p>Investor lawsuits seeking to hold directors liable for failures in their oversight duties were bolstered in June by a case involving Blue Bell Creameries. <em>Marchand v. Barnhill</em> did not signal a change in law, but it did affirm a legal standard that boards that fail to make a good faith effort to oversee a material risk area breach their “duty of loyalty.”</p><p>Legalese aside, the Blue Bell case provides a compelling example for directors to examine. While legal standards set a high bar, <em>Marchand</em> demonstrates that, in certain circumstances, ignorance about poor risk management is not a defense against board liability. </p><p>The details around the lawsuit are well-established. A 2015 listeria outbreak linked to three deaths caused Blue Bell Creameries to shut down production, recall all products, and later reduce its workforce by more than one-third. An investor suit alleged senior management disregarded warnings about contamination risks and kept the board in the dark about the issue.</p><p>From 2009 through 2014, regulators identified numerous health safety compliance failures. Yet, even though several positive tests showed the presence of listeria, including one test from an independent lab, board minutes reflected “no board-level discussion of listeria.”</p><p>Despite what would appear to be a glaring lack of board oversight, the Delaware Court of Chancery dismissed the case in fall 2018, ruling the plaintiff failed to show that directors had breached their “Caremark duties.”</p><h2>What Are Caremark Duties?</h2><p>Caremark duties are the result of a 1996 Delaware Chancery Court decision in the derivative action case brought by shareholders of Caremark International Inc., alleging the board of directors breached its duty of care by failing to put in place adequate internal control systems. 
The Caremark Rule that came from the case, and set a precedent for future director liability claims, states, “a director’s obligations includes a duty to attempt in good faith to assure that a corporate compliance information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by noncompliance with applicable legal standards.”</p><p>Cutting through the legalese again, Caremark establishes an obligation for directors to at least try to make sure “a reasonable board-level system of monitoring and compliance” is in place. Failing to do so could make directors liable for losses relating to compliance failures. </p><p>In <em>Marchand</em>, the Delaware Supreme Court overturned the lower court’s dismissal, concluding “the complaint supports an inference that no system of board level compliance monitoring and reporting existed at Blue Bell.” The court noted the board failed to establish a committee to monitor food safety or devote time in meetings to discuss food safety compliance. Of significance is the court’s opinion that “... food safety was essential and mission critical.” </p><h2>Protecting Against Caremark Failures</h2><p>Reasonable and informed directors typically should not have to worry about Caremark failures. As the Delaware Supreme Court made clear, boards get into trouble when they ignore their oversight responsibilities.</p><p>There are valuable lessons in the court’s findings in <em>Marchand</em> that can help protect boards and head off behaviors that make them vulnerable to successful Caremark claims. It is important to note that the court’s findings that follow center on the Blue Bell board’s failure to understand its “mission-critical” risk: food safety. 
</p><p><strong>Blue Bell had no board committee that addressed food safety.</strong> Boards must understand what is mission critical for their organization, whether it’s food safety at Blue Bell or data protection at Facebook, and assure that it has systems in place to monitor compliance with mission-critical regulations.<br></p><p><strong>Blue Bell management was not required to keep the board informed about food safety compliance practices.</strong> Boards cannot assume management will bring all problems to their attention, and, therefore, must be proactive in seeking out information about compliance with mission-critical risks.<br></p><p><strong>Blue Bell had no regularly scheduled discussions about food safety.</strong> Mission-critical risks must be discussed and assessed on a routine basis by the board.<br></p><p><strong>Blue Bell’s board received favorable information about food safety but negative information was not shared. </strong>Boards cannot assume that management will willingly present the bad along with the good. They must establish processes to discover all relevant information from management and seek additional reliable sources of information, including turning to internal audit to provide independent assurance on the accuracy, completeness, and timeliness of the information the board receives, particularly around mission-critical risks.<br></p><p><strong>Blue Bell board minutes reflect meetings were “devoid of any suggestion that there was any regular discussion of food safety issues.” </strong>Traditional approaches to protecting the board include limiting details in minutes, which often only reflect official board actions. 
In Blue Bell’s case, this strategy backfired in that the official account of business reflected that no time was spent discussing mission-critical issues.<br></p><h2>What’s Next?</h2><p>The <em>Marchand</em> case and its relevant Caremark implications are but one of a growing number of pressure points on boards relating to oversight duties. As the list of governance failures and scandals grows, regulators, investors, and the general public are demanding more oversight and more accountability.</p><p>A February article in <em>Business Law Today</em> eloquently articulates the need for a fundamental change in how board directors approach their jobs:</p><p>“A substantive checks and balances approach addresses the roles, responsibilities, and relationships among the key elements and players in a firm’s governance, controls, and oversight system. Institutional investors, individual investors, and other market and regulatory interests increasingly demand that those involved in corporate governance recognize their responsibilities and are held accountable in addressing these responsibilities. An additional emerging expectation is that senior leaders in an organization, both board and management, recognize that a leader’s role is one of service rather than entitlement.” </p><p>The article goes on to say that governing structures that consolidate power and authority into fewer hands often fail if individuals in power feel entitled to do as they please. It adds that boards must be involved in formulating checks and balances and take active roles in executing them. “Carrying out these active roles will necessarily lead to regular interaction with the CEO and others in senior management as well as with a company’s internal and external auditors,” the authors write. 
“While tone at the top may sometimes remain only as words that do not actually affect behavior, the institution of checks and balances can exert considerable influence.”</p><p>These fundamental changes won’t happen overnight, especially in organizations with entrenched systems and practices. But clearly the era of boards providing obsequious approval to management is over. To continue to do so is not just counter to prevailing investor sentiment, it also makes boards increasingly susceptible, as demonstrated in <em>Marchand</em>.</p><p>Such a transition cannot happen without a system of effective checks and balances, as described in the <em>Business Law Today</em> article. Given this current environment of increased exposure, boards would do well to seek internal audit’s independent assurance and advice on critical issues. <br></p>Jim Pelletier
A Lesson in Ethics
https://iaonline.theiia.org/2019/Pages/A-Lesson-in-Ethics.aspx
<p>Recent reports of the extremes some parents have pursued to get their children admitted into elite colleges have raised questions about what example these parents are setting for their children. In some cases the children were unaware of their parents’ extraordinary efforts, though others allegedly knew about it and therefore may have been complicit. Perhaps the scandal comes as no surprise to many in the audit profession — after all, we see cheating, rule bending, and outright falsehoods regularly. But rather than simply shrugging our shoulders and pretending it has nothing to do with us, internal auditors need to be part of the solution. </p><p>Research suggests that dishonesty among students is common. Donald McCabe, founding president of the International Center for Academic Integrity, analyzed surveys of nearly 71,000 college students conducted between 2002 and 2015. He reported that 39% admitted to cheating on tests, and 68% admitted to some form of cheating. Why do college students cheat? They want a good job and career. </p><p>Think about that last statement — college students cheat to get a job. Many of them obtain their first job as new hires in the audit department. If these students view cheating as acceptable, what can internal auditors do to help them understand their organization’s ethical expectations, as well as those of the internal audit profession? </p><p>Many years ago, a university colleague shared with me the story of a phone call he received from a local employer. The firm’s representative bluntly asked what the university was teaching its students, as his company had just caught an auditor signing off on an audit program for work not actually performed. My colleague privately observed later that he had always thought this individual, as a student at our university, had cheated in his classes, even though he never caught him in the act. 
From a professional viewpoint this anecdote points to a big risk — students who cheated in college may continue to cheat in their career.</p><p>Efforts to address such risk should begin as soon as students enter the workforce. Internal audit onboarding activities and employee mentoring, for example, should be aimed at helping new hires do the right thing. Encouragement should focus on guidance to help them comprehend what it means to be an internal audit professional — including adherence to ethical standards. Recent graduates should be reminded that behavior they may have viewed as acceptable in college is not acceptable in the workforce.</p><p>We also need to promote success stories of individuals who have not cheated — of those who exemplify high standards of ethical conduct. We should celebrate individuals who stopped a fraud from happening, or who helped prevent the company from erring in judgment. Sending the right message up front will help the next generation of audit practitioners make good choices and maintain the standards of integrity that have long defined our profession. <br></p>Perry Moore
A Question of Audit Prerogatives
https://iaonline.theiia.org/2019/Pages/A-Question-of-Audit-Prerogatives.aspx
<p style="text-align:justify;">Call it the Battle of Bismarck — a political turf battle unfolding in the state capital of North Dakota, which actually turns on a question audit executives everywhere can appreciate. <br></p><p style="text-align:justify;">How does an audit function work when the chief audit executive and audit committee disagree over what the function should do?<br></p><p style="text-align:justify;">On one side of the issue is Josh Gallion, elected state auditor in 2016. On the other is the Legislative Audit and Fiscal Review Committee, the state's version of an audit committee. Earlier this year lawmakers quietly adopted a provision requiring Gallion to get approval from the audit committee before he conducts "performance audits" of government offices. <br></p><p style="text-align:justify;">Gallion politely but firmly told the Legislature in July that he doesn't believe the law is constitutional, since it impedes his autonomy as a duly elected executive officer of the state. The state attorney general agrees with him. The top budget analyst for the Legislature does not.<br></p><p style="text-align:justify;">"We will not be seeking approval of performance audits, but what I will tell you is communication is key," Gallion <a href="https://bismarcktribune.com/news/local/govt-and-politics/north-dakota-state-auditor-lawmakers-remain-at-odds-over-new/article_fad595f7-ad1e-541b-abdd-a8b49469f31f.html">told North Dakota lawmakers during a recent hearing</a>.<br></p><p style="text-align:justify;">That wasn't what state Rep. Gary Kreidt, chair of the legislative audit committee, wanted to hear. He was unhappy that Gallion has been announcing the results of performance audits to the public, without first letting audit committee members review the findings. 
<br></p><p style="text-align:justify;">"I don't like to read in the newspaper an audit that's been completed and not have been notified that this audit was done," Kreidt said in that same legislative hearing. <br></p><p style="text-align:justify;">The backstory here is interesting reading for political junkies and audit professionals alike. First, "performance audits" are defined as examinations of specific agencies or offices, to assess whether the agency achieves its stated goals <em>and</em> whether it does so in an economical manner.<br></p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p style="text-align:justify;"><strong>Putting Differences Aside</strong></p><p style="text-align:justify;">In the corporate world, best practices to avoid these situations abound. Among them: <br></p><ul style="list-style-type:disc;"><li>The chief audit executive should meet with the audit committee chair regularly <em>and</em> informally, between committee meetings, just to build rapport and trust. </li><li>The CAE, management, and the audit committee should collaborate while drawing up the risk assessment and preparing the audit plan. That at least prevents anyone from being caught by surprise, which is one criticism North Dakota lawmakers had about Gallion.</li><li>Allow management sufficient time to review the audit findings and prepare a rebuttal that is included in the report, again to prevent anyone from being caught by surprise.</li><li>Incorporate the IIA's model charter language as much as possible, spelling out roles and responsibilities clearly. "A flawed charter will certainly trigger challenges to the authority of any internal audit function," Hughes says.<br></li></ul><br></td></tr></tbody></table><p style="text-align:justify;">Gallion undertook such an audit last year, to examine Gov. Doug Burgum's use of state aircraft. 
That audit came after reports that Minnesota energy company <a href="https://www.minotdailynews.com/opinion/community-columnists/2019/05/nd-no-longer-has-an-independent-auditor-thanks-to-burgum-legislature/">Xcel Energy flew Burgum and his wife to Super Bowl LII</a> in 2018. Gallion also <a href="https://www.inforum.com/news/education/1005685-Audit-ND-college-VP-whos-a-Fargo-commissioner-didn%E2%80%99t-disclose-conflict-of-interest-with-wife%E2%80%99s-firm">released an audit earlier this year that raised questions about a powerful state senator</a>, who didn't disclose a conflict of interest while working at a North Dakota state college. <br></p><p style="text-align:justify;">In April, just before the end of North Dakota's legislative session, lawmakers tucked that provision about seeking the audit committee's permission for performance audits into the state's must-pass budget bill. <br></p><p style="text-align:justify;">Cynics say the provision <a href="https://www.minotdailynews.com/opinion/community-columnists/2019/05/nd-no-longer-has-an-independent-auditor-thanks-to-burgum-legislature/">was retribution for an auditor unapologetic about doing his job</a>. That may be so. For the rest of us, the tensions here set up an important lesson in best practices — how can organizations avoid this sort of a standoff? <br></p><p style="text-align:justify;"><strong>Lines of Authority</strong></p><p style="text-align:justify;">In the corporate world, an audit committee telling the audit executive <em>not</em> to examine certain issues without the committee's permission would be a big red flag. ("I'd certainly look for the exit," one IT audit executive told me.) But as daft as that idea might be, a corporation's audit committee theoretically could do it. <br></p><p style="text-align:justify;">Public sector audits are different, because they're more susceptible to criticism that an audit was driven by political motives. 
Audit committees overseeing public sector audit functions are likewise susceptible to accusations of undermining the independence or objectivity of the function for political purposes. <br></p><p style="text-align:justify;">"There's a huge risk of [those arguments] happening," says Kip Memmott, director of audits for the Oregon secretary of state. "Actually, it's not a risk — it happens quite frequently." <br></p><p style="text-align:justify;">Memmott sees the challenge as one of strained relationships and communications. Not everyone might see the value in a performance audit, or understand the risk that audit is trying to assess. The employees in question might also feel vulnerable as targets of the audit. <br></p><p style="text-align:justify;">That means the audit executive really needs to work on communication with those stakeholder groups if he or she wants to succeed. So one fair but pointed question: does the audit function have leadership in place to handle those human challenges? Or is it run by skilled technical auditors who have been promoted into a role that needs different skills? <br></p><p style="text-align:justify;">"Audit is about relationships and communications," Memmott says — and "as a field, we have not done as well as we could have."<br></p><p style="text-align:justify;"><a href="https://www.gao.gov/yellowbook/overview">Generally Accepted Government Auditing Standards</a>, maintained by the U.S. Government Accountability Office and commonly known as "The Yellow Book," spell out exacting standards for independence. If a public auditor doesn't meet them, the auditor should disclose that in the performance audit itself, along with whatever mitigating steps the auditor has taken. 
Even then, the auditor is still open to accusations of pursuing certain audits for political reasons.<br></p><p style="text-align:justify;">"Given that the public has long been 'sold' on the integrity and objectivity associated with unqualified or unmodified opinions, any qualifiers tend to trigger concerns regarding the objectivity of an audit," says Peter Hughes, assistant auditor-controller and chief audit executive for Los Angeles County. "Thus the reason that state and legislative auditors may challenge the benefit of such qualified audits."<br></p><p style="text-align:justify;">The wrinkle in North Dakota is that nobody can fire anybody else for flouting any of these practices; the auditor, the lawmakers, and the governor are all elected by voters. They must work together. <br></p><p style="text-align:justify;">Which brings us back to Memmott's point that communication to foster strong, working relationships is paramount. Yes, that can be painstaking, and in some instances political motivations will be entrenched. Audit leaders still need to try.<br></p><p style="text-align:justify;">"I don't know if chief auditors can control it, but certainly if they can't, they better be aware of it," Memmott says. <br></p><p style="text-align:justify;">We don't know how North Dakota's impasse over performance audits will end. A proposed <a href="https://www.grandforksherald.com/news/government-and-politics/3828217-North-Dakota-group-falls-short-on-all-three-referral-petitions-wont-challenge-auditor-restrictions-at-the-polls">voter referendum to repeal the restrictions failed to gather enough signatures</a>. Some lawmakers say they will try to repeal the restrictions in the 2021 legislative session. And despite Gallion and the legislative audit committee being at odds on that issue, both sides also say they will continue to work together on other issues. <br></p><p style="text-align:justify;">The rest of us can watch and wonder what we might do.<br></p>Matt Kelly
Auditing Culture: Observation and Data
https://iaonline.theiia.org/2019/Pages/Auditing-Culture-Observation-and-Data.aspx
<p>There are many ways to audit an organization's culture. With strong support from the top and sufficient resources, some internal audit functions adopt a comprehensive, resource-intensive method. For others — I suspect most — it is best to start with a fairly simple approach and build from there. One such approach combines auditors' observations with data metrics. And because this strategy is not dramatically different from traditional audit techniques, clients shouldn't find it jarring or outside the norm. When implemented correctly, it can be a powerful means of gauging the cultural environment. <br></p><h2>Auditors' Observations</h2><p>In "<a href="/2018/Pages/Beneath-the-Surface.aspx">Beneath the Surface</a>" (<em>Internal Auditor</em>, June 2018) author Doug Anderson compared culture to a volcano that can look calm on the outside while churning internally with lava and gases that could make it erupt without warning. Hard evidence of a culture — such as policies, programs, and even employee surveys in many cases — focuses on the surface. To really understand the culture, employees have to get inside it. 
<br></p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>Signs of a Healthy Culture</strong></p><ul style="color:#222222;background-color:#6eabba;"><li>Strong tone at the top, in words and deeds.</li><li>Open communication, an atmosphere of mutual trust.</li><li>Accountability is enforced and accepted, without unrealistic expectations or unfair repercussions.</li><li>A "just culture," which distinguishes among:<ul><li>honest mistakes (no one is blamed).</li><li>risky behavior (addressed with coaching and education).</li><li>reckless behavior (intentionally excessively risky or unethical, which is punished).</li></ul></li><li>Effective challenge is encouraged and valued.</li><li>Incentives that encourage healthy risk taking.</li></ul></td></tr></tbody></table><p>I've heard some audit practitioners say that an experienced internal auditor can almost predict an audit rating on the second or third day of an engagement just by sheer presence in the work environment. Talking with people, reading body language, sensing employees' attitudes, observing the physical environment — all contribute to a typically accurate understanding of an area's culture. <br></p><p>Auditors must, of course, keep an open mind and remain objective. Accordingly, many put their perceptions to the side and focus only on the objective, hard evidence. I'm reminded of an audit director who once told me about an instance where he became extremely frustrated with his team. The auditors returned to the office talking about the negative atmosphere of the client's area, citing lack of employee motivation and a hostile manager, among other problems. But when the team submitted a draft of the audit report, it indicated the area was well-run. When he asked about the discrepancy, his team said, "The area is a total disaster, but the controls are fine." Wrong answer! 
<br></p><p>Internal auditors should not ignore their perceptions — they can lead to the most significant issue of an audit. Observation can be a key tool for gauging culture, as reflected in "Signs of a Healthy Culture" (above), "Red Flags of a Toxic Culture" (below) and "Examples of Toxic Leadership Styles" (below). <br></p><h2>Combined With Metrics</h2><p>For most internal auditors, reporting a cultural issue based only on observations results in a fight they can never win. The good news is that there is usually objective data to support those observations, such as those listed in "Metrics That Might Support Auditors' Observations" below. <br></p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>Red Flags of a Toxic Culture</strong></p><ul><li>Excessive focus on short-term results.</li><li>Unrealistic performance targets.</li><li>"My way or the highway" management, inhibiting input and healthy debate.</li><li>Lack of open communication (caused by fear, lack of trust, or information hoarding).</li><li>Competition to get ahead rather than cooperation.</li><li>Favoritism.</li><li>Lack of work-life balance.</li><li>Chronic grumbling by employees.</li><li>Cliquishness, gossip, rumors.</li><li>Chronic stress.</li><li>Lack of employee development.</li><li>Lack of accountability (in general or for top performers).</li><li>Lack of motivation in a work group (could be caused by any of the above).</li></ul></td></tr></tbody></table><p>Metrics like these can be a powerful tool when combined with observations. For example, if auditors spot red flags of a toxic workplace, employee survey results might corroborate those observations. Turnover and sick leave statistics might reflect the culture's negative impact on the business. Discussing these links with audit clients won't always succeed, but it is far more robust than the auditors' observations alone. 
<br></p><p>A growing number of audit functions are using metrics that support observations in a variety of other ways, including:</p><ul><li> <strong>To plan and scope an audit project.</strong> An audit function might gather a standard set of metrics for risk assessment on every audit. When some of these metrics appear to be negative, the auditors can seek to determine why. For example, if turnover and sick leave are unusually high and the company has received an excessive number of customer complaints or hotline reports, or if projects regularly fail, the root cause may well be a cultural issue. If auditors suspect this is the case, they can conduct confidential interviews with employees and gather evidence to support and explain the link between the cause and effect. </li><li><p> <strong>To populate a dashboard that executives and the audit committee review regularly for indications of entitywide issues or trends</strong>. This in fact seems to be a growing trend. In "The Board Needs Culture Dashboards" (FEI Daily, March 2018), Dennis Whalen, leader of KPMG's Board Leadership Center, said, "I'd be shocked if, by the end of 2018, most companies didn't have some kind of culture dashboard that somebody monitors and presents for the board on a regular basis so they can see outside the C-suite and the corporate office."<br></p></li></ul><p>If an internal audit function developed a set of metrics meaningful to the organization and got buy-in from executives and the audit committee, it could use them for both of these purposes, in addition to leveraging them for support of audit observations.<br></p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>Examples of Toxic Leadership Styles </strong></p><ul><li>Narcissistic (egotistic, power hungry, care more about themselves than the organization).</li><li>Autocratic ("my way or the highway," intolerant of ideas contrary to their 
own).</li><li>Manipulative (charming to superiors, "kiss up, kick down").</li><li>Secretive (hoards information to appear superior or use it to get ahead unfairly).</li><li>Deflecting (blames others for problems or talks around issues to avoid being found out).</li><li>Hypocritical ("Do what I say, not what I do").</li><li>Disorganized, lacking focus (followers don't feel a real sense of direction).</li></ul></td></tr></tbody></table><p>A particularly interesting use of metrics occurred in 2002 when the Office of the City Auditor in Austin, Texas, performed a citywide ethics audit. The audit team gathered indicators of a positive or negative ethical climate in each of the city's departments from a citywide employee survey and a series of management interviews. Using statistical software, the auditors correlated these indicators with metrics like turnover and sick leave usage, complaints and successful claims by citizens, injuries to employees, and employee intentions to continue working for the city. They found that departments with strong ethical climates had significantly less turnover and sick leave, fewer complaints and claims, etc. The city responded by centralizing and strengthening oversight of ethics, drawing on the best practices of high-performing departments documented in the audit report.<br></p><h2>A Powerful Combination</h2><p>Internal auditors' perceptions of a work environment are usually sound but rarely stand by themselves. By combining their observations with data that management trusts, and by discussing the linkage tactfully with their audit clients, auditors can make a real difference in the organization. 
For auditors struggling with how to begin a culture audit, this could be a useful starting point.<br></p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p><strong>Metrics That Might Support Auditors' Observations</strong></p><ul><li>Employee survey results.</li><li>Structured interview results.</li><li>Customer survey results.</li><li>Customer complaints.</li><li>Hotline statistics, including evidence of whistleblower protection.</li><li>Statistics for hotline open to suppliers.</li><li>Frequency of legal problems.</li><li>Frequency of audit issues with the same or similar culture-related root cause.</li><li>Frequency of repeat audit findings.</li><li>Timeliness and effectiveness of corrective actions.</li><li>Turnover statistics.</li><li>Sick time statistics.</li><li>Exit interview results.</li><li>IT surveillance results.</li><li>Performance review timeliness.</li><li>Frequency of negative media coverage, including social media.</li><li>Warranty claims.</li><li>Diversity statistics.</li><li>Level of community engagement.</li><li>Environmental impact data, with effective monitoring and continuous improvement.</li><li>Frequency of performance targets being missed (suggesting unrealistic targets that pressure managers to meet them "whatever it takes").</li><li>Frequency of large projects failing.</li></ul></td></tr></tbody></table>James Roth
GRC Conference 2019: Transformative Technology
https://iaonline.theiia.org/2019/Pages/GRC-Conference-2019-Transformative-Technology.aspx
<p>Pamela Nigro, senior director of Information Security at Health Care Service Corp., opened the final day of the Governance, Risk, and Control (GRC) Conference with her general session, "The Future of IT Audit and Industry 4.0." Nigro shared with audience members her thoughts on emerging technologies affecting today's organizations and those that will transform the businesses of tomorrow.</p><p>"Organizations are shifting from traditional ways of engaging and interacting with customers, prioritizing digital ones," she says. Citing health care as an example, Nigro pointed to the common practice of sharing patient test results via a portal rather than a phone call. She also cited Tesla as operating not so much as a car company but as a software company that collects and leverages data to serve its customers. <br></p><p>"Now every business is a digital business with software at the core," she says. "There used to be a focus on running IT like a business. Now IT is the business — there is not a business that is not run by IT."</p><p>Data, Nigro adds, has become the world's most valuable resource — much more so than oil. And it's not just about collecting and storing data, it's about transforming that data into useful and consumable information.</p><p>"Digital transformation is the foundation on how organizations deliver value to their customers," she says. "It's more than simply remaining competitive. There's a radical rethinking of how organizations use technology and processes to fundamentally achieve business performance."</p><p>Nigro cited artificial intelligence and Internet of Things interconnectivity as examples of transformative technologies that are driving business ecosystems and changing the way business is done. 
But this interconnectedness, she points out, creates a host of risks. Among them, she pointed to cyberthreats recently identified by <em>Security</em> magazine, including cryptojacking, software subversion, and cryptocurrency ecosystem attacks.</p><p>She also referenced the threat of breaking encryption using quantum computers. "As auditors, encryption is an important part of our structure," she says. "It is important that we feel confident that we can rely on that encryption for our security, for our privacy, for our protection. What happens if that is easily breached?" The thinking has shifted, she says, from considering <em>if</em> a company will get hacked to <em>when</em> it will get hacked.</p><p>In response to these threats, Nigro challenged auditors to not just keep up, but to "set the pace." "Why can't we and our development partners get sandboxes to start to play and understand and learn this technology so that we can help be a value-added partner to our organizations as they move into these new technologies?" she asked.<br></p><p>Nigro says auditors need to become leaders in the digital transformation space and help organizations move into this technology. She encourages auditors to adapt and think about how to "get ahead of the digital curve."</p><p>Toward that end, she advised attendees to make sure they have the necessary competencies and understanding to tackle digital challenges. "Think about how you are maintaining, or even leading, in your skills set," she says. "Understand how the technology really supports strategic objectives. Focus on those risks that can delay or derail business objectives, and identify how the algorithms are being used."</p><p>Nigro also encouraged auditors to get involved early in technology projects and to partner with the first and second lines of defense to help best manage the risks appropriately. 
"We have to stop being the 'department of no,'" she says, "and find a way to bake compliance and build controls into these new technologies and processes."<br></p>David Salierno