Risk and Compliance

 

 

Truth Is, Fake News Has Always Been a Riskhttps://iaonline.theiia.org/blogs/chambers/2018/Pages/Truth-Is-Fake-News-Has-Always-Been-a-Risk.aspxTruth Is, Fake News Has Always Been a Risk<p>​</p><p>Misleading or patently false information has long been a risk for organizations. A disparaging comment, even one with little or no foundation in fact, can leave executives scrambling for a response that will contain and, hopefully, reverse any damage. Usually, the truth will prevail.</p><p>But as we are seeing more and more, an unceasing barrage of unsubstantiated and outright phony "news stories" powered by social media and biased websites can quickly overwhelm an organization and influence events. </p><p>That's why it was no surprise to me when Google's parent company, Alphabet, recently elevated objectionable content — specifically, content spreading across the internet and social media — as a key risk. Alphabet's concern, of course, regards the integrity of its own brands, but the risk applies to any organization and, indeed, any individual.</p><p>"Our brands may be negatively impacted by a number of factors, including, among others, reputational issues, third-party content shared on our platforms, data privacy issues and developments, and product or technical performance failures," Alphabet stated in its annual report, or 10-K, to the U.S. Securities and Exchange Commission. "If we fail to appropriately respond to the sharing of objectionable content on our services or objectionable practices by advertisers, or to otherwise adequately address user concerns, our users may lose confidence in our brands."</p><p>Did this risk just occur to executives at Alphabet? I highly doubt that. What's different, I believe, is the company's risk appetite.</p><p>The recent backlash against questionable content bombarding consumers of Alphabet's YouTube and Google, as well as Facebook and Twitter, are clearly driving the change. </p><p>Frankly, the company's description of risk might be considered by some as pretty mild. It doesn't warn of the societal dangers of objectionable content, but of the risk of losing advertisers and users of its services if it fails to respond appropriately. It also doesn't address an erosion of public confidence in legitimate media posed by questionable reports masquerading as news; rather, it focuses on "third parties" that are exploiting Alphabet's brands to spread the false information.</p><p>Striking a balance between a free flow of information, even if it's titillating or scandalous, and acting responsibly as a reliable and credible conduit for such "news" is nothing new. Organizations, including mainstream media, have played that game for centuries.</p><p>The lesson for internal auditors is that we must be attuned to our organization's risk appetite and offer warnings when the risks change. This may be what is driving the change in tone from Alphabet. </p><p>Speaking at The IIA's 2016 General Audit Management conference, Google's chief audit executive said the organization's internal audit function is practically built on that premise: "Our mission is to provide an objective view of all the risk they need to consider in making their decisions. Our responsibility is to help management have full information to make good risk-based decisions." </p><p>Ultimately, it is up to management and the board to set the risk appetite, but it falls on internal audit to make sure the risk portfolio is accurately reported all the way to the top. In Alphabet's case, I'm confident management and the board are fully aware of the undercurrents of information dissemination, and that they will continue to adjust their risk appetite to fit those changing dynamics.</p><p>In pondering the very real risk of fake news, I am reminded of the story of a famous radio broadcast in 1938. Orson Welles, an American actor, writer, director, and producer, "interrupted" CBS radio programming with breaking "news" that Martians had invaded Earth. He was actually reading from author H.G. Wells' science fiction novel,​ "The War of the Worlds." But his delivery was so compelling and so realistic that, for some listeners, it was also very believable and set off a panic. The iconic broadcast and the reaction of those who thought it was real have been part of lore for decades. Yet, <a href="https://www.npr.org/sections/thetwo-way/2013/10/30/241797346/75-years-ago-war-of-the-worlds-started-a-panic-or-did-it">a 2013 article</a> cast doubt on the fact that the broadcast caused panic. So, now even the news about the fake news may be fake. We are living in interesting times.</p><p>As always, I look forward to your comments.</p>Richard Chambers0
Are You Prepared?https://iaonline.theiia.org/2017/Pages/Are-You-Prepared.aspxAre You Prepared?<h2>​What is internal audit's role in ensuring the organization has a disaster recovery plan? </h2><p>As we've recently seen, disasters — whether natural or from human activity — have shown the need for sound disaster recovery plans. Internal auditors play an assurance and consulting role in this arena, so they need to understand attitudes toward disaster recovery risk within their organizations. Disaster recovery should be part of the overall business continuity management process. For organizations that are ad hoc or reactive in their level of disaster recovery maturity, internal audit may need to assist in making the case to senior management for better preparedness.</p><p>As part of its risk assessment process, internal audit should examine the plan to determine if operations have been prioritized appropriately, and risk assessments and responses are sufficient and cost effective. Internal audit should note whether the plan is a working document that is updated timely as important changes take place, including acquired businesses and new software and technologies. Based on the level of risk, internal audit should schedule audits of the disaster recovery processes to provide assurance there are no significant gaps. ​Another opportunity for internal audit is educating senior management and the board on their responsibilities for ensuring effective risk management practices are in place for any outsourcing arrangements.​<br></p><h2>What should internal audit look for in a disaster recovery audit?</h2><p>The areas to cover in a disaster recovery audit can depend to some extent on the size, number of locations, and complexity of the organization. The most common areas to review are which functions and systems are covered or excluded in the plan and why, testing multiple scenarios to identify vulnerabilities and gaps in the plan, inventory of equipment and software, and documentation of backup and recovery processes (IT and non-IT). Auditors should consider critical data back-up storage and frequency — including data stored on computers, smartphones, and devices, which employees may use for work and personal use. Other items to review include testing of back-up systems to be sure data can be restored; insurance coverage; legal involvement and review; disaster recovery contract provisions, including service-level agreements with outsourcers and suppliers; and whether responsibilities are clearly defined.​​</p>Staff0
Tomorrow’s ERM Todayhttps://iaonline.theiia.org/2017/Pages/Tomorrow’s-ERM-Today.aspxTomorrow’s ERM Today<p>​As enterprise risk management (ERM) programs continue to mature at organizations around the world, internal auditors are now facing a new challenge. Technology risks are evolving and changing so rapidly, it is difficult for management to assess the new threats and adjust its strategies to manage and mitigate them. Applications that use disruptive techn​ologies, such as artificial intelligence, advanced robotics, 3D printing, blockchain, and the Internet of Things, are being designed quickly and often generate new high-growth markets. Internal auditors are struggling to stay abreast of the most recent developments and identify new internal controls that add value.</p><p>Additionally, the exponential growth of computing power has enabled organizations to capitalize on the use of mobile devices and leverage the ubiquity of the internet to reach their markets almost instantly. While this is an exciting and challenging opportunity for marketers and business managers, it has injected new risk considerations for internal auditors. </p><h2>Business Advances</h2><p>Digitalization of data has created opportunities to improve data analytics, use algorithms to facilitate cognitive intelligence, and create bot applications that perform automated tasks. The essence of the risks and controls has not changed as much as the underlying technology. The processes still need to adhere to organizational policies and procedures, change management practices are still a vital component in transitioning to new tools and processes, and system and access controls must be enforced. </p><p>However, some controls that were important in the past now take on a new level of criticality. Automated algorithms result in less transparency of the underlying process. When data is used and shared through these processes, accuracy, and completeness become a necessity. An organization needs very specific controls to ensure a bot does not proliferate erroneous data. Information security and access control processes must treat the bot as if it were a person and only allow access to appropriate data. Checks and balances must be integrated into the process to ensure the results are accurate, service level agreements are met, and contracts are adhered to.</p><p>Advanced materials, 3D printing, and autonomous vehicles are other advances that are transforming the business landscape. New businesses created by these technologies need to follow established governance processes and design risk management and internal controls into their business processes. As entirely new markets and products are developed, it is important that risk managers and internal auditors are involved proactively.</p><p>Many applications using the cloud and the internet are being transformed by another new underlying process called blockchain. Blockchain is a distributed ledger that maintains a shared list of records. Each of these records contains time-stamped data that is encoded and linked to every other previous transaction in that chain of transactions. The decentralized and distributed storage of these records provides visibility to everyone in the network and ensures that no single entity can change any of the historical records. While blockchain is already being used in numerous applications, most notably digital currencies, many other industries are exploring the technology. Banks are testing cross-border financial transactions, and there is much speculation about the potential to use blockchain to eliminate the middle man in real estate deals, contracts, stock purchases, and other similar transactions. If blockchain is effective at eliminating intermediaries, the new business model will expose all the transacting parties to new risks, which were previously being managed by the middle man. </p><h2>Audit's Effect on Disruption</h2><p>There are several ways internal auditors can help manage the effect of disruptive technologies on their organizations.<strong><em> </em></strong>By focusing on assurance, providing insight to management, and demonstrating proficiency and expertise in new technologies, internal auditors will be able to contribute significantly to the overall success of their organizations.</p><p> <strong>Focus on Assurance</strong> For many years organizations have been encouraged to focus on what they do best. That is wise advice for the internal audit profession, as well. By continuing to focus on governance, risk, and internal controls, auditors can help ensure processes are designed and operating effectively. Regardless of the nature or tempo of the changes, auditors will then be able to fulfill their mission. Moreover, proactively helping their organizations anticipate emerging risks and technological changes can position internal audit as an authority and help prepare the organization to respond to disruptive events.</p><p> <strong>Engage With Stakeholders and Subject-matter Experts </strong>By aligning with the expectations of its key stakeholders and working closely with subject-matter experts who are implementing disruptive technologies, internal audit can be focused on the most relevant and significant issues. For example, cybersecurity and data privacy are topics that every organization is managing. Identifying trends that will affect the organization, and collaborating with and providing insight to their stakeholders, can enable internal audit to significantly affect the business agenda.</p><p> <strong>Invest in Training on Disruptive Technologies</strong> More than ever, internal auditors must constantly pursue training to learn about new technologies and the complex and emerging new risks being introduced into their organizations. Additionally, chief audit executives need to focus on developing an adaptive, flexible, innovative staffing model. This new model must tap into a highly specialized talent pool that has the technological competence to rapidly understand and leverage new tools, techniques, and processes.​</p><p> <strong>Put New Technologies to Work </strong>Perhaps the most important thing auditors can do to prepare for technological innovations is to embrace and leverage new technologies in their own work. Internal auditors need to be at the forefront of adopting artificial intelligence, cognitive computing, and smart robots. Auditors need to completely understand how technologies like blockchain work and how they can be used in their organizations. They must take advantage of machine learning and data analytics in their audit processes. Moreover, continuous auditing should be the standard default for new audit routines, and real-time auditing should be a requirement as organizations implement new business processes. </p><h2>An Audit Upgrade</h2><p>Just when organizations were getting a handle on ERM, the threat of disruptive technologies has arrived and will affect every organization regardless of its size or objectives. When Gordon Moore observed in 1965 that the number of transistors on an integrated circuit had doubled every year since transistors were invented, one doubts he imagined that exponential growth would continue for more than 50 years. As computing power increases, technology becomes more mobile, data becomes more accessible and usable, and new competitors capitalize on the opportunities that arise. Risk managers will have to assess emerging threats consistently. Internal auditors will need to respond to those threats<strong><em> </em></strong>with new and better ways to perform audits and redesign their own processes — or they may face disruption, themselves.​</p>Charlie Wright1
The Time Has Come for Marks on Governancehttps://iaonline.theiia.org/blogs/marks/2017/Pages/The-time-has-come-for-Marks-on-Governance.aspxThe Time Has Come for Marks on Governance<p>​In <em>The Walrus and the Carpenter</em>, Lewis Carroll wrote:</p><blockquote style="margin:0px 0px 0px 40px;border:medium none;padding:0px;"><p>"The time has come," the Walrus said,</p><p>      "To talk of many things:</p><p>Of shoes — and ships — and sealing-wax —</p><p>      Of cabbages — and kings —</p><p>And why the sea is boiling hot —</p><p>      And whether pigs have wings."</p></blockquote><p> <br> </p><p>[I will let my friend and fellow blogger, <a href="/blogs/jacka" target="_blank">Mike Jacka</a>, talk about flying pigs.]</p><p> <br> </p><p>Yes, the time has come — to talk about concluding this blog. After all, I have been retired for five years and it is time to start slowing down.</p><p>The blog was born in 2008 with "<a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=607cd1df-2cc8-490e-bac2-ba8391dee68f" target="_blank">A Broken Relationship</a>." Since then, I have written hundreds of articles on governance, risk management, internal auditing (of course), and technology. Not a single reference, I am afraid, to flying pigs.</p><p>While this blog will come to end, the world and its challenges will not. I will continue to write and speak about them. I hope to see you at IIA and other conferences, and I will continue to share my thoughts in <em>Internal Auditor</em> magazine and on my personal site.</p><p>Perhaps my last blog post should be about how the future of internal auditing is in auditing and then communicating what matters. I was recently honored to make a keynote presentation on that topic at IIA–Brasil's annual conference in Rio de Janeiro.</p><p>I asked the attendees whether they wanted, as internal auditors, to have a seat at the top table alongside senior executives from finance, operations, legal, marketing, and so on. They all said internal audit should have a seat at the top table. As Richard Chambers says in his latest book, they want internal audit to be seen as <a href="https://bookstore.theiia.org/trusted-advisors-key-attributes-of-outstanding-internal-auditors" target="_blank">trusted advisors</a>.</p><p>Then I asked who they would invite to sit at <em>their</em> table. I suggested that they would welcome people who had something interesting and valuable to offer. They wouldn't invite people (except family members) simply because of their title or position.</p><p>Similarly, internal audit heads (chief internal auditors, CAEs) will be welcomed at the top table when they have something interesting and valuable to offer on the topics typically discussed at that table: the enterprise's objectives and strategies, major projects, performance, and risks to success.</p><p>If we do what I suggested in <a href="https://www.amazon.com/Auditing-that-matters-Norman-Marks/dp/1537662023/ref=asap_bc?ie=UTF8" target="_blank"><em>Auditing That Matters</em></a>, we would be considered trusted advisors that provide assurance, insight, and advice that helps the organization succeed. I said:</p><blockquote style="margin:0px 0px 0px 40px;border:medium none;padding:0px;"><p>For internal audit to "matter," it needs to:</p><ol><li>Focus on the risks that matter to the board and top management — risks to the successful delivery of value to stakeholders, the achievement of objectives set by the board.</li><li>Provide assurance on those risks that is readily consumable, relevant, actionable, and timely — helping board members and executives make informed decisions that lead the organization to success; where action is necessary, it can be taken promptly and effectively.</li><li>Provide a formal opinion by the CAE on whether the systems of internal control and risk management provide reasonable assurance that the more significant risks are managed at desired levels.</li><li>Provide, in addition to formal assurance, its objective insight on any area critical to the achievement of success. For example, internal audit cannot be fearful of sharing its opinion on the performance of key personnel, the structure of the organization, and so on.</li><li>Communicate <em>what</em> its stakeholders need to know, <em>when</em> they need to know, and <em>in a form</em> that is easily consumed, relevant, and actionable.</li><li>Work effectively with management to help upgrade its processes, systems, organizational structure, controls, and people as needed.</li></ol></blockquote><p>These principles are consistent with The IIA's four results-oriented <a href="https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Core-Principles-for-the-Professional-Practice-of-Internal-Auditing.aspx" target="_blank">Core Principles for the Effective Practice of Internal Auditing</a>. They state that an effective internal audit function:</p><ul><li>Communicates effectively.</li><li>Provides risk-based assurance.</li><li>Is insightful, proactive, and future-focused.</li><li>Promotes organizational improvement.</li></ul> <br> <p>Internal audit should focus on the more significant risks to the enterprise, not just those that may be important to a process, business unit, or middle manager. If you focus on risks to individual processes, business units, and so on you merit a seat at the <em>middle</em> management table — because those are the people interested in what you have to say. But if you have an eye on the future, on the risks that could either derail or represent opportunities to succeed today and in the next year or so, your insights are valuable to senior leadership.</p><p>We simply cannot continue to perform audits of history and write reports that stakeholders read out of duty. We need to provide forward-looking assurance and advice on what matters and will matter in the days ahead: communications that matter to our stakeholders because they help them succeed.</p><p>We need to discard the outdated concept of an audit universe and focus instead on a risk universe. We audit and provide assurance on the management of risks, not the management of business units.</p><p>One of the challenges is going to be to understand what risk and risk management are all about. Frankly, I don't think enough people (and especially internal auditors) understand that it is not about the periodic review of a list of risks.</p><p>No, risk management is about ensuring that people are able to make informed and intelligent decisions, taking the desired amount of risk. It's about making sure they think things through, considering all the things that might happen, both good and bad, before making a decision — and every decision creates or modifies risk.</p><p>Internal audit should audit the management of risk within and across the enterprise, not simply compliance with risk policies and standards.</p><p>Think about this. <a href="https://www.mckinsey.com/business-functions/organization/our-insights/five-fifty-better-decision" target="_blank">According to McKinsey</a>, "60% of senior executives say that bad decisions were about as frequent as good ones"! This is an opportunity for internal audit — but we have to know what is possible and desirable, and that is beyond putting together a risk inventory. We need to be brave and talk about the elephants in the room.</p><p>Almost always, the root cause of risk and control problems is <em>people</em>. Maybe it's an ineffective manager or an individual who does not have the training or experience to do the job. Maybe a control is not being performed reliably because the function is understaffed.</p><p>Our goal is not popularity. Our goal has to be to provide our stakeholders with <em>actionable</em> information that will enable them to correct what needs to be corrected.</p><p>Our goal has to be to help the organization succeed! Providing a list of problems is not nearly enough.</p><p>As I look back on nine years of blogging here, I can see progress. For example, perhaps half of internal audit functions have moved from a rigid annual audit plan to a flexible one that makes sure you are auditing what matters now, rather than what used to matter. That progress needs to continue.</p><p>The path to success lies in our ability to challenge <em>everything</em> we have done because it is what we have always done. We wouldn't accept that from process owners. Why accept it in our own profession?</p><p>Challenge:</p><ul><li>What we are auditing.</li><li>How we are auditing.</li><li>How we communicate the results of our work.</li><li>How we provide stakeholders with what they need — actionable information.</li><li>How we can help the organization succeed.</li></ul><p> </p><p>We need to be <a href="https://www.youtube.com/watch?v=QUQsqBqxoR4" target="_blank">brave</a> (watch the video). Not everybody in our world, from board members to staff members, is going to be happy with change.</p><p>But if we move forward and show them the value <strong><em>to them</em></strong><strong> </strong>of addressing and then communicating what matters, it is not only possible to get their enthusiastic support but will earn you a seat at the top table.</p><p>What do you think?</p><p>Are we there yet?</p><p> </p>Norman Marks0
Risky Relationshipshttps://iaonline.theiia.org/2017/Pages/Risky-Relationships.aspxRisky Relationships<p>​Third parties are becoming increasingly important to succeeding in today’s complex business environment. Many organizations are assessing their core strengths and turning to a diverse range of outside organizations where specialist capabilities are required. While such relationships can give organizations a competitive advantage, they also can impact their reputations. </p><p>Like all business relationships, trust is integral in working with third parties. Internal auditors can help their organization ensure that trust is fostered and maintained. Moreover, they can assess whether the organization has established effective processes to support its third-party relationships.</p><h2>A History of Setbacks</h2><p>Using third parties has its risks. Choosing a partner and determining the type of contractual arrangement to put in place can be difficult because of the range of options available (see “Third-party Relationships and Impacts” at right).</p><p>Once chosen, there is no guarantee that the third-party relationship will succeed. There are numerous examples where the actions of third parties have significantly damaged the reputation and financial strength of the contracting organization. In these instances, competitors press their advantage.</p><p><strong><img src="/2017/PublishingImages/Arnold-third-party-relationships-and-impacts.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:400px;height:500px;" />TSKJ</strong> A joint venture formed by the U.S.’s M.W. Kellogg Co. (now known as KBR), France’s Technip, Japan’s JGC, and Italy’s Snamprogetti, TSKJ won four contracts worth more than $6 billion between 1995 and 2004 to design and build liquefied natural gas facilities on Bonny Island, Nigeria. None of the participants had a majority stake in the joint venture. TSKJ reportedly used agents to bribe Nigerian government officials, and the U.S. Securities and Exchange Commission (SEC) initiated the case in 2009. The SEC declared that each joint venture partner had culpable knowledge of the payments because senior executives from each company, including some who were serving on the TSKJ steering committee, participated in meetings where the bribery was discussed. <br></p><p>The four companies paid a combined $1.7 billion in civil and criminal sanctions for the decade-long bribery scheme. These include: Snamprogetti and its parent company ENI paid $365 million; Technip paid $338 million; and consortium leader KBR and its former parent Halliburton paid $579 million. </p><p>The nonfinancial impacts in this case included reputational damage and criminal charges against current and past joint venture parent employees. KBR’s U.S. Foreign Corrupt Practices Act (FCPA) violations impacted successor liability after Halliburton acquired KBR in 1998. These were based on book and record violations and Halliburton’s lack of post-acquisition vigilance. On the financial side, the FCPA and U.K. Bribery Act investigations affected share price and capitalization for all the companies.</p><p><strong>Supermarket Cyberattack</strong> In 2013, a cyberattack of a U.S. supermarket chain impacted an estimated 40 million customer debit and credit cards. A phishing attack was used to gain access to the company’s network and compromise a third-party vendor. The chain suffered significant reputational damage. The cost of the breach was an estimated $202 million, and the chain paid $18.5 million to settle legal claims by 47 states.<br></p><p><strong>Food Contamination</strong> In January 2013, news outlets reported that foods advertised as containing beef contained undeclared or improperly declared horse meat — as much as 100 percent of the content in some cases. This initially was discovered by the Food Safety Authority of Ireland, who found horse DNA in frozen beef burgers sold in several Irish and British supermarkets. Investigations uncovered complex supply chains — one involved eight separate vendors and traders across five European countries. The supermarkets lacked visibility across the supply chain and did not have suitable controls to verify the end product.<br></p><p>The supermarkets’ reputations suffered significantly, with financial repercussions as well. A U.K. House of Commons report stated, “The evidence suggests a complex network of companies trading in and mislabeling beef or beef products, which is fraudulent and illegal.”</p><h2>The Importance of Audit Planning</h2><p>Third-party trust features in most audit plans, whether it’s part of a review, a review of the third party​ itself, or a holistic third-party governance framework audit. Understanding the organization’s risk profile/supply chain and benchmarking against a third-party governance framework can help internal audit address the correct risks, prevent adverse outcomes, and add value to management. Whether auditing individual activities or an entire third-party governance framework, auditors can compare them with the elements of the “Third-party Governance Framework” below to identify improvement areas.</p><h2>Plan</h2><p>With a vast range of partnership structures and operations across industries, implementation of a governance process can be challenging. Risk management within trust relationships will depend on the nature of the relationship, including level of influence, ownership/management control, and the third parties’ appetite for control monitoring and risk management. Questions to ask include:</p><ul><li>Is the organization able to perform the service in-house?<br></li><li>Has the organization performed appropriate due diligence before third-party engagement?<br></li><li>Has the organization prioritized and ranked its third-party relationships according to risk?<br></li><li>Has the organization selected the correct type of third-party relationship, such as an alliance, joint venture, or contract?<br></li><li>Will the third-party represent the organization effectively and align with its culture?<br></li><li>Does the third-party contract include an audit clause?<br></li></ul><p></p><p>Audit objectives include:</p><ul><li>A clear vision and third-party strategy for service delivery.<br></li><li>Consistent third-party governance structure design.<br></li><li>A risk stratification model.<br></li><li>Due diligence procedures, including cultural alignment.<br></li><li>Design and use of a risk-based, standard contract template. ​</li></ul><h2>Execute</h2><p><img src="/2017/PublishingImages/Arnold-third-party-governance-framework.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:500px;height:326px;" />Internal audit typically perceives the execution phase as having the most direct impact on performance. Auditors should assess whether there are processes to support working with third parties to achieve shared objectives. Audit questions include:</p><ul><li>Is there clear stakeholder and role definition for all aspects of the contract life cycle?<br></li><li>Do all of the relevant personnel have the appropriate knowledge, skills, and experience?<br></li><li>Are established performance metrics based on identified risks?<br></li><li>Is cultural alignment continually reinforced?<br></li><li>Are technology and data being used as effective enablers to manage the relationship?<br></li><li>Does the provision of information between partners align with anti-trust requirements?<br></li></ul><p><br></p><p>Audit objectives include:<br></p><ul><li>Timely identification and resolution of issues.<br></li><li>Effective performance management throughout the contract life cycle.<br></li><li>Timely, accurate, and transparent third-party reporting.<br></li><li>A joint culture of continual improvement within the organization and the third party.<br></li></ul><h2>Monitor</h2><p>Third-party assurance often focuses on how the third party is directly managed. It also is important to understand how it is monitored and assessed. In large, complex organizations, this involves understanding how responsibilities are split between the first and second lines in the three lines of defense. </p><p>The audit also must consider how management uses data to ensure effective monitoring. Organizations often generate significant volumes of complex data but do not always use it effectively. Auditors should ask:</p><ul><li>Have key risks been factored into third-party assurance?<br></li><li>What level of assurance is required and can third-party assurance reports be used?<br></li><li>What assurance is provided by the second line of defense?<br></li><li>Have data-based key performance indicators (KPIs) and red flags been identified? Are they continually monitored, with management taking action where poor performance is identified?<br></li><li>Does the third party have effective assurance mechanisms?<br></li></ul><p><br></p><p>Audit objectives include:</p><ul><li>Risk-based assurance model.<br></li><li>Scope covering end-to-end third-party risks, such as subcontractors.<br></li><li>Analytically driven contract compliance program.<br></li><li>KPI-based dashboard reporting, including red flags.<br></li></ul><p><br></p><p>During this stage, internal audit should look for warning signs such as whether management is identifying and taking action on red flags. Examples include:</p><ul><li>Safety: safety incidents, a high number of recordable injuries, and significant audit findings.<br></li><li>Performance: missed KPIs, disrupted service, and poor third-party governance.<br></li><li>People: high turnover, poor culture and tone at the top, and reduced capacity and capability.<br></li><li>Information: data leaks, bad press, and regulatory breaches.<br></li></ul><h2>Improve</h2><p>To achieve effective third-party relationships, areas for improvement must be identified, communicated, and resolved so problems do not escalate. Management and assurance activities often overlook this phase. Improvement should be continual and can be applied to individual third parties and the overarching governance framework. Internal audit should assess whether this is being undertaken by asking: </p><ul><li>Are contract managers sufficiently trained to embed continual improvement?<br></li><li>Are issues used to drive improvement actions?<br></li><li>Is the effectiveness of the framework monitored through the use of portfolio-based metrics?<br></li><li>How often are overarching processes controls reviewed?<br></li><li>Are third-party outcomes routinely successful?<br>​​</li></ul><p>Audit objectives include:</p><ul><li>Improvement actions are routinely implemented.<br></li><li>A joint culture of continual improvement is in place.<br></li><li>The third-party governance framework is systematically evaluated and improved.<br></li></ul><h2>Achieving Success</h2><p>Collaboration, communication, and engagement are key to sustaining third-party relationships. Key principles for sustainable success are:</p><ul><li>Establish strong leadership and sponsorship.<br></li><li>Involve third parties early.<br></li><li>Develop agreements that include two-sided incentive plans.<br></li><li>Identify continuous improvement opportunities.<br></li><li>Align benefit realization to strategic objectives.<br></li><li>Collaborate on product and service design.<br></li><li>Engage in joint process improvement.<br></li><li>Integrate systems and apply technology effectively.<br></li><li>Establish shared KPIs focused on outcomes.<br>​​</li></ul><p>​Third parties can cause significant exposure and adverse consequences to an organization’s objectives. Implementing and assessing a governance framework will maximize the opportunity to mutually achieve strategic objectives.</p><p>Risk management and internal audit should be active in third-party governance, from thought leadership and support during strategy development to controls monitoring, execution of third-party audits, and follow-up. The right audit and risk process will include thought and definition around risk exposures and the implementation of risk performance criteria and monitoring. Continuous monitoring throughout the process will help ensure appropriate oversight of, and ultimately comfort with, third parties. </p>Ben Arnold1
How to Improve Your SOX Compliance Programhttps://iaonline.theiia.org/blogs/marks/2017/Pages/How-to-Improve-Your-SOX-Compliance-Program.aspxHow to Improve Your SOX Compliance Program<p>If you have been following either of my blogs (hopefully both, here and at <a rel="nofollow" href="http://normanmarks.wordpress.com/" class="vglnk"><span>normanmarks</span><span>.</span><span>wordpress</span><span>.</span><span>com</span></a>), you know that I frequently call out so-called expert guidance that is anything but expert.</p><p>Recently, a software vendor teamed up with a mid-size accounting firm to publish a white paper, with guidance for companies on optimizing their Sarbanes-Oxley program that should never have seen the light of day. Frankly, I am not going to waste time and space criticizing it.</p><p>Instead, I will share some suggestions of my own:</p><ol><li>Make sure you are focused on financial reporting risk! The scope should include controls required to provide <em>reasonable assurance</em> that <em>material errors or omissions</em> will be either prevented or detected. That means that the likelihood is more than a <em>reasonable possibility</em>. That means more than simply a theoretical possibility, and the error or omission has to be <em>material</em> to the consolidated financial statements.</li><li>Question why you have controls included in scope where, should they fail, there is less than a reasonable possibility of a material error or omission.</li><li>Apply the risk-based, top-down approach to the whole program, including IT general controls (ITGC) and how you address the COSO Principles. The ITGC scoping should be a continuation of the scoping, not a separate evaluation. Identify the controls that provide reasonable assurance that the COSO Principles are <em>present and functioning</em> (as defined by COSO, a defect would not be a <em>major</em> deficiency).</li><li>Be experts not only in the U.S. Public Company Accounting Oversight Board (PCAOB) standards (including AS10 and so on) but also in the U.S. Securities and Exchange Commission's (SEC's) <a href="https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwiztpXW5vrXAhUJ8GMKHXpgBkwQFggpMAA&url=https://www.sec.gov/rules/interp/2007/33-8810.pdf&usg=AOvVaw2N8inpeXRkZw96h-p_Q7qh">Interpretive Guidance</a> and SEC/PCAOB staff guidance.</li><li>Re-evaluate the program every year! The business changes every year and the scope should be reviewed and refined every year.</li><li>Read The IIA's updated guidance (my book): <a href="https://bookstore.theiia.org/managements-guide-to-sarbanes-oxley-section-404-4th-edition">Management's Guide to Sarbanes-Oxley Section 404, 4th Edition</a>. (FYI, I receive no income from sales of this book: It all goes to the Internal Audit Foundation.)</li></ol><p>I welcome your thoughts.</p><p> </p>Norman Marks0
Structured for Strengthhttps://iaonline.theiia.org/2017/Pages/Structured-for-Strength.aspxStructured for Strength<p>​​​Audit, compliance, and risk functions have always emphasized first line of defense ownership of risk management and controls. Yet audit professionals routinely encounter clients who lack a basic understanding of controls for managing risks. How pervasive is this condition, and should senior management and the board be concerned? A formal review of the first line's risk and control capabilities may identify some significant findings:</p><ul><li>Lack of clear accountability for developing and sustaining risk and control proficiency across the first line.<br></li><li>Insufficient knowledge and skills among first line personnel regarding control design and risk management fundamentals.<br></li><li>Nonexistent monitoring of first line control design competence.<br></li><li>Inadequate integration of risk and control disciplines within management activities.<br></li></ul><p> <br> </p><p>If such potential findings ring true for your organization, I recommend establishing a function that is fully devoted to, and accountable for, closing these gaps and maintaining a capable first line. This first line center of excellence (CoE) is primarily responsible for demonstrably improving the risk and control capabilities and performance of the first line of defense across all organizational units.</p><p>Services and deliverables provided by the CoE go beyond training and awareness to include risk management tools, best practice sharing, risk and control advisement, and collaboration with the second and third lines of defense on matters of common interest. Suitably positioned, the CoE could influence management activities, performance incentive mechanisms, and operations methodologies to integrate sound risk management and control design into the organizational culture.</p><p>The CoE should be staffed with a small team of professionals who have strong working relationships across business units and all lines of defense. Their qualifications should include an understanding of a broad range of disciplines used by the organization, and how these disciplines map to risk and control frameworks. Skills and experience in internal consulting, change management, and developing training and tools also are desirable, supported by the ability to lead, collaborate, and influence to overcome obstacles.</p><p>Where should this team reside within the organization? Let's look for a home in each of the lines of defense.</p><p> <strong>Third Line — Internal Audit — Functions That Provide Independent Assurance</strong> While audit shops have expertise in risk and control, and audit fieldwork provides insights into control weakness themes across the enterprise, internal audit is not chartered to equip the first line. Audit teams need to maintain their independence, and their primary focus is completion of the audit plan to enable relevant reporting to senior management and the board. Advisement to the first line is a secondary role, and accountability for enabling first line capabilities would be an awkward fit within the third line. </p><p> <strong>Second Line — Specialty Risk and Compliance Groups — Functions That Oversee Risk</strong> These functions likewise have expertise in risk and control, but their focus is on specialty areas such as financial control, security, fraud, quality, risk quantification, and compliance. Though enterprise risk management departments sometimes provide first line training and advisement, these services are subordinate to their risk oversight obligations, such as standards, risk aggregation, and reporting. As oversight units, second line functions are commonly perceived by the first line as enforcers of requirements rather than enablers, reflecting the natural tension between overseers and the overseen.</p><p> <strong>First Line — Business Operations — Functions That Own and Manage Risks</strong> Personnel across the first line are, by definition, embedded in the business and thus closest to the action. They take and manage risks constantly. They design, redesign, and execute controls daily. However, there are generally only limited pockets of risk and control proficiency, and the typical first line professional has little exposure to control design and risk management training or advice. Given the expectation that the first line excel in owning and managing risk, it appears this would be the most logical place to insert the CoE.</p><p>Many organizations have precedents for CoEs within the first line, such as specialty units devoted to project management, data analytics, or supplier management. A CoE dedicated to the first line's fundamental control and risk management responsibilities, positioned within the first line, itself, would be a natural fit. It would provide first line process owners and management an unintimidating place to go to for risk and control expertise, advice, and best practices.</p><p>The pluses for the first line are clear: improved design of control environments, stronger risk management, and smarter risk taking, leading to more effective operations and increased likelihood of achieving business objectives. Moreover, an effective CoE fosters stronger ownership of risk and control where it belongs.</p><p>The second line benefits by having to spend less energy cultivating the first line, thereby enabling stronger second line concentration on its oversight mandate and risk specialties. A proficient first line also will contribute to more positive messaging in the second line's oversight reports, reflecting a more effective first line and an improved risk management culture.</p><p>The third line can enhance its assurance that the first line is committed to excellence in risk management. The CoE, itself, is an auditable entity and should be regularly reviewed as such, along with its impact on the organization's risk maturity.</p><p>Senior management can leverage the existence and effectiveness of the CoE to tangibly illustrate dedication to proactive management of risk across the organization. This may be especially beneficial in highly regulated industries, as external auditors and regulatory examiners are likely to be interested in how the CoE approach improves risk diligence and operational compliance.</p><p>The organization as a whole benefits by enabling lines of defense functions to focus more fully on their primary and distinct responsibilities. This approach also improves the risk culture by enabling a healthy balance between proactive risk management through capable control design, and reactive identification of issues that need fixing.</p><p>As a key advocate for effective risk management and controls, internal audit can wield its influence with senior management and the board in support of the CoE. To bolster this business case, audit may conduct a root-cause analysis pointing to a lack of controls understanding as a key contributor to weaknesses across the enterprise. Internal audit can highlight the dangers of not having a risk and control savvy first line, and play a part in holding the CoE accountable for embedding risk and control know-how across operations.</p><p>Internal audit also may collaborate with the second line of defense to analyze repositories of audit reports, reviews, and assessments to distill control weakness themes and best practice recommendations. These would be combined with lessons learned by the first line, itself, and disseminated by the CoE to help process owners and managers avoid similar problems.</p><p>Judicious risk takers and control designers don't happen by accident, and they warrant a targeted investment. But the promise of an effective CoE goes well beyond reducing the number of disconcerting interactions with clients who don't understand risk and control. The entire organization stands to gain as improvements in business results arise from a risk culture characterized by pervasive control capabilities.</p>Lane Kimbrough1
The Challenge of Risky Decisionshttps://iaonline.theiia.org/blogs/marks/2017/Pages/The-challenge-of-risky-decisions.aspxThe Challenge of Risky Decisions<p>​I have said many times that decision-making is at the heart of risk management. Every decision creates or modifies risk.</p><p>Decisions are where risks are taken! Decisions determine how risks are "treated" (if you like that word; "modified," "managed," or "addressed" if you don't). So we should be concerned about the quality of decision-making.</p><p>But, let's first remind ourselves about the core principles of risk management. Then let's see where decision-making fits.</p><p>The ISO 31000:2009 global risk management standard has 11 principles:</p><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><p> <strong>1:</strong><strong> </strong>Risk management creates and protects value.</p><p> <strong>2:</strong><strong> </strong>Risk management is an integral part of all organizational processes.</p><p> <strong>3:</strong><strong> </strong>Risk management is part of decision making.</p><p> <strong>4:</strong><strong> </strong>Risk management explicitly addresses uncertainty.</p><p> <strong>5:</strong><strong> </strong>Risk management is systematic, structured and timely.</p><p> <strong>6:</strong><strong> </strong>Risk management is based on the best available information.</p><p> <strong>7:</strong><strong> </strong>Risk management is tailored.</p><p> <strong>8:</strong><strong> </strong>Risk management takes human and cultural factors into account.</p><p> <strong>9:</strong><strong> </strong>Risk management is transparent and inclusive.</p><p> <strong>10:</strong><strong> </strong>Risk management is dynamic, iterative and responsive to change.</p><p> <strong>11:</strong><strong> </strong>Risk management facilitates continual improvement of the organization.</p></blockquote><p> <br> </p><p>These are all very good. But I think they can be simplified and clarified. In <a href="https://www.amazon.com/World-Class-Risk-Management-Norman-Marks/dp/151199777X/ref=sr_1_1?ie=UTF8&qid=1451362676&sr=8-1&keywords=world+class+risk" target="_blank" style="background-color:#ffffff;"> <em>World-Class Risk Management</em></a>, I have six principles:</p><ol><li>Risk management enables management to make intelligent decisions when setting strategy, planning, making decisions, and in the daily management of the organization. It provides reasonable assurance that performance will be optimized, objectives achieved, and desired levels of value delivered to stakeholders.</li><li>Risk management provides decision-makers with reliable, current, timely, and actionable information about the uncertainty that might affect the achievement of objectives.</li><li>Risk management is dynamic, iterative and responsive to change.</li><li>Risk management is systematic and structured.</li><li>Risk management is tailored to the needs of the organization and updated/upgraded as needed. This takes into account the culture of the organization, including how decisions are made, and the need to monitor the program itself and continually improve it.</li><li>Risk management takes human factors (that may present the possibility of failures to properly identify, analyze, evaluate or treat risks) into consideration and provides reasonable assurance they are overcome.</li></ol><p>The very first sentence in COSO's 2017 <em>Enterprise Risk Management: Integrating with Strategy and Performance</em> is: "Integrating enterprise risk management practices throughout an organization improves de​cision-making in governance, strategy, objective-setting, and day-to-day operations."</p><p>Unfortunately, while COSO has 20 risk management principles, not one relates to decision-making.</p><p>Let me suggest that if the processes for making decisions are poor, that is a huge source of risk to any organization. It is highly likely that the wrong risks are being taken (or not taken) and this will significantly impact the achievement of objectives and the delivery of value. So achieving ISO's and my principles (arguably, they all relate to decision-making) is essential if risk management (in fact, 'management') is to be effective.</p><p>Here's an interesting fact. <a href="https://www.mckinsey.com/business-functions/organization/our-insights/five-fifty-better-decision" target="_blank" style="background-color:#ffffff;">According to McKinsey</a>, "60 percent of senior executives say that bad decisions were about as frequent as good ones"! That should worry us all.</p><p>The McKinsey piece (see link above) has some useful information on the causes of poor decision-making. I recommend reading it. The causes of poor decision-making, which I refer to as "risks to effective risk management," are also covered in Chapter 18 of <em>World-Class Risk Management</em>.</p><p>Here are a couple of additional, useful articles on decision-making:</p><ul><li>"<a href="https://www.farnamstreetblog.com/2009/07/an-introduction-to-decision-making/" target="_blank">The Anatomy of a Decision: An Introduction to Decision Making</a>"</li><li> <span style="text-decoration:underline;">"<a href="https://www.farnamstreetblog.com/2013/03/what-matters-more-in-decisions-analysis-or-process/" target="_blank">What Matters More in Decisions: Analysis or Process?​</a>"</span></li></ul><p> <br> </p><p>So what does this all mean?</p><p> <span style="text-decoration:underline;">For board members and the executive team</span>:</p><ul><li>Do you have reasonable assurance that quality decisions are being made? </li><li>Are the right risks being taken? Remember that risk is not taken only by the board or executive team. It is being taken through decisions made every day across the extended enterprise.</li><li>If the wrong risks are being taken as a result of poor decision-making processes, when will you know?</li><li>What is the risk of poor quality decisions?</li><li>How can the incidence and effect of poor decision-making be reduced to acceptable levels?</li></ul><p> <span style="text-decoration:underline;"><br></span></p><p> <span style="text-decoration:underline;">For risk professionals</span>:</p><ul><li>What is the level of risk of poor decisions?</li><li>Is that acceptable?</li><li>What can and should be done?</li><li>Should there be guidance from risk practitioners on decision-making?</li><li>Should the chief risk officer help management develop a decision-making framework?</li></ul><p> <span style="text-decoration:underline;"><br></span></p><p> <span style="text-decoration:underline;">For internal audit practitioners</span>:</p><ul><li>Should the risk of poor decisions be included as a priority on the audit plan?</li><li>Are there specific sources of risk to decision-making (such as poor information, lack of process and discipline, failure to work as a team and include all affected parties, and so on) that should be addressed in the audit plan?</li><li>Should the chief audit executive facilitate a discussion with the executive team on this topic?</li></ul><p> <br> </p><p>I believe this is a very important topic.</p><ol><li>Do you agree with me?</li><li>What should be done and by whom?</li><li>Is this something that should concern every practitioner?</li></ol><p>I welcome your thoughts.</p><p> </p>Norman Marks0
Sexual Harassment Risk, Governance, and Audithttps://iaonline.theiia.org/blogs/marks/2017/Pages/Sexual-harassment-risk,-governance,-and-audit.aspxSexual Harassment Risk, Governance, and Audit<p>​None of us want to see our organizations in the news and our people accused of sexual harassment. The implications for our reputation as an organization, as well as that of our executives, can be huge. So what do we do:</p><ul><li>As members of the board?</li><li>As risk practitioners?</li><li>As internal auditors?</li></ul><p><br></p><p>Let's start by making sure that:</p><ul><li>We not only have a policy in place but that is the <em>right</em> policy. It is understood by all employees, who are trained in and regularly certify their understanding of and adherence to the policy.</li><li>We not only have a whistleblower mechanism available for any of our employees to tell us of suspected sexual (or other) harassment, but they know about it and it is answered by people outside the regular chain of command — people who can listen objectively and make sure the right people are notified promptly.</li><li>Reports of suspected sexual harassment are properly investigated by objective and competent professionals and the results brought to the attention of the proper authorities within the organization.</li><li>Care is taken to avoid punishing those who come forward, paying particular attention to employees whom their managers say are under-performing. While those employees may be seeking to avoid disciplinary action with a false report, the performance assessment may be an attempt by their manager either to escape punishment themselves or to punish the employee for coming forward.</li><li>The right people receive the results of such investigations and deal with them objectively, without bias, and without regard for position or title — and ensure appropriate action is taken consistently.</li></ul><p><br></p><p>But let's also ensure that:</p><ul><li>The same protections apply to everybody who works at the organization or is subject to the actions of its employees, such as temporary personnel, contractors, consultants, vendors, customers, and partners.</li><li>Appropriate training is in place for everybody. That training goes beyond reading the policy to training based on scenarios and case studies; training not only on what not to do but also training that guides people on what to do if they see or are told of sexual (or other) harassment. Additional training may be required for the executive team to ensure they know what to do, how to set expectations, and how to respond to incidents.</li><li><span style="text-decoration:underline;">We understand the level of risk</span>. How many reports are received? How many are investigated? How many are found to be credible? What disciplinary actions are being taken? What are the trends? The Risk function (not internal audit, please) may want to use analytics to monitor the area.</li><li><span style="text-decoration:underline;">We monitor, spot patterns, and act</span>. I heard one large organization talking about hundreds of allegations over a short period. Questions should be asked about the culture, the leaders of the area of the organization where most of the reports arose, and whether there was a broader problem.</li><li><span style="text-decoration:underline;">The level of risk is discussed by the executive committee and the board</span>. I would expect at least annual discussion at the board level, more frequent if the level of reports demands.</li><li><span style="text-decoration:underline;">We are confident that people are coming forward</span>. If the culture is perceived as punishing the innocent, then people will be reluctant to come forward — even anonymously. There are tools that can help, from monitoring social media (especially internal posts) to providing safe venues for employees to speak up anonymously.</li><li><span style="text-decoration:underline;">Our leaders are setting the right example</span>. Not only are they vocal, but exemplars in practice.</li><li><span style="text-decoration:underline;">We are prepared for the worst case</span> of a senior executive or board member being subject to accusations. When will the board, CEO, and others be informed? What should they do when? How will the organization respond to media reports?</li><li><span style="text-decoration:underline;">This is on the radar of internal audit</span>. The CAE should work with Legal, HR, and the board to ensure appropriate audit work is performed to ensure the organization understands, monitors, and addresses the risk.</li></ul><p><br></p><p>Anybody, even people we view as high integrity people, may be accused. Let's not get caught by surprise.</p><p>I welcome your comments.</p><p> </p>Norman Marks0
CISOs and Many Others Need to Talk the Language of the Businesshttps://iaonline.theiia.org/blogs/marks/2017/Pages/CISOs-and-many-others-need-to-talk-the-language-of-the-business.aspxCISOs and Many Others Need to Talk the Language of the Business<p>​</p><p>I came across an interesting piece by Cybereason, <a href="https://hi.cybereason.com/hubfs/Content%20PDFs/CISO-Tips-Speaking-the-Language-of-Business.pdf?t=1510177968617" target="_blank">CISO Tips: Speaking the language of business</a>.</p><p>The concept of using the language of the business to connect with leadership extends to people like the CRO, CAE, CIO, and many others.</p><p>They recommend six phrases:</p><p>1.      Risk</p><p>2.      Revenue</p><p>3.      Employee efficiency</p><p>4.      Strategic value</p><p>5.      Cost</p><p>6.      Customer satisfaction</p><p>These are six phrases that can come in useful, although I don't like their definition of risk at all!</p><p>I can think of other phrases that should be learned, not in any particular order:</p><p>7.      Opportunity</p><p>8.      Agility</p><p>9.      Compliance</p><p>10.   Objectives</p><p>11.   Win</p><p>12.   Competitive environment</p><p>There are many more.</p><p>But, it all comes down to thinking like your customer and talking in ways that resonate with them.</p><ul><li><span style="font-size:12px;">Know what your organization is trying to achieve.</span><br></li><li><span style="font-size:12px;">Know how you can help it succeed, not just avoid failure.</span><br></li><li><span style="font-size:12px;">Communicate in plain language without techno-babble, and listen actively.</span><br></li><li><span style="font-size:12px;">Help everybody else succeed. Make that your job.</span><br></li></ul><p></p><p>What do you think?</p><p>Are there phrases that should be embraced? What about ones that should be avoided?</p><p>I welcome your comments.</p><p> </p><p> </p>Norman Marks0

  • MNP_Feb2018 IAO_Premium 1
  • IIA Training_Feb2018_Premium 2
  • IIA CIA_Feb2018_Premium 3