Risk and Compliance

Cybersecurity Effectivenesshttps://iaonline.theiia.org/blogs/marks/2017/Pages/Cyber-security-effectiveness.aspxCybersecurity Effectiveness<p>I think it is fair to say that cybersecurity is one of the issues that are top of mind for boards, risk, and audit professionals.</p><p>I have written quite a lot about it in previous posts, including:</p><ul><li> <a href="https://normanmarks.wordpress.com/2017/02/18/cyber-and-reputation-risk-are-dominoes/" target="_blank">Cyber and Reputation Risk Are Dominoes</a>.</li><li> <a href="https://normanmarks.wordpress.com/2017/01/07/how-much-cyber-risk-should-an-organization-take/" target="_blank">How Much Cyber Risk Should an Organization Take?</a></li><li> <a href="/blogs/marks/2017/Pages/Cyber-root-cause-alarm-bells-are-ringing.aspx">Cyber Root Cause Alarm Bells Are Ringing</a>.</li><li> <a href="/blogs/marks/2017/Pages/An-important-cyber-risk-framework.aspx">An Important Cyberrisk Framework</a>.</li><li> <a href="/blogs/marks/2016/Pages/How-much-cyber-risk-should-we-take.aspx">How Much Cyberrisk Should We Take?</a></li></ul><p>Now The IIA's Internal Audit Foundation has partnered with Crowe Horwath to publish <a href="http://theiia.mkt5790.com/Cybersecurity/" target="_blank">The Security Intelligence Center Next Steps: Beyond Response to Anticipation</a>.</p><p>I recommend it to every IT auditor and CAE.</p><p>But, it's not perfect (sorry, IIA).</p><p>This is good:</p><blockquote><ul><li>As cyberattacks become increasingly commonplace, much of the discussion among security professionals has moved from the desire to avoid and block all intrusions. Instead, there is growing recognition that despite everyone's best efforts to prevent it, there is always a probability that an intrusion will occur. This shift in outlook has extensive implications in terms of cybersecurity operations. Once it is recognized that 100 percent protection 100 percent of the time is not achievable, the cybersecurity emphasis can begin to shift from a defensive posture to a more offensive and proactive one that focuses on learning about how certain threats operate, how their effects can be limited or mitigated, and how the incident response time (from identification to remediation) can be accelerated.</li><li>Organizations that rate higher on the cybersecurity maturity scale are not necessarily spending more dollars overall, but are taking a more predictive approach to cybersecurity intelligence by integrating well-rounded security solutions and avoiding bolt-on products. As they do this, they also help bring the issue of cybersecurity further into the mainstream and make the anticipation and mitigation of attacks a more manageable experience. By following this example, organizations that are less mature in cybersecurity can begin to focus their existing IT security resources and budgets more intelligently as they make the transition to a more mature approach to the overall cybersecurity challenge.</li></ul></blockquote><p>The report has some good reference materials, identifying cyber and information security frameworks and guides.</p><p>It focuses on the existence and attributes of security operations centers, which may be of value in assessing what your organization has implemented.</p><p>I also like the emphasis on the emerging field of threat intelligence — trying to anticipate attacks and how they may be made.</p><p>But when it comes to the involvement of internal audit and some basic first steps, I have a problem.</p><p>This is what the report says:</p><p>The authors of the report recommended seven key questions for internal audit to ask about cybersecurity preparedness. The questions are:</p><blockquote><ol><li>Is the organization able to monitor suspicious network intrusion?</li><li>Is the organization able to identify whether an attack is occurring?</li><li>Can the organization isolate the attack and restrict potential damage?</li><li>Is the organization able to know whether confidential data is leaving the organization?</li><li>If an incident does occur, is a written crisis-management plan in place that has been tested and is in line with organizational risk?</li><li>If an incident does occur, does the organization have access to forensic skills to assist with the incident?</li><li>Is the incident team in place, and do they know their roles and responsibilities?</li></ol></blockquote><p>The most critical omission is a business risk assessment. As I have explained in other posts (listed above), it is mandatory in my opinion to understand how the business and the achievement of its objectives would be affected by a breach.</p><p>Then there is the omission of any question relating to the adequate resourcing of the cyber team, or the <span style="text-decoration:underline;">timely</span> detection of a breach.</p><p>The seven questions are a decent start, but there is more that needs to be done.</p><p>I welcome your thoughts.</p>Norman Marks0
Cyber Root Cause Alarm Bells Are Ringinghttps://iaonline.theiia.org/blogs/marks/2017/Pages/Cyber-root-cause-alarm-bells-are-ringing.aspxCyber Root Cause Alarm Bells Are Ringing<p><a href="https://www.tripwire.com/state-of-security/tripwire-news/new-research-highlights-top-cyber-attack-concerns-for-2017/" target="_blank">A new study by Tripwire</a> should be setting off your alarms.</p><p>The company surveyed 403 IT security professionals, the people who should know about the true state of information security or cyber at their organization.</p><p><strong>90 percent of organizations lack the </strong><span style="text-decoration:underline;"><strong>skills</strong></span><strong> to address the full range of cyber threats!</strong></p><p>There have been repeated reports that information security experts are in high demand but low supply. This confirms the problem.</p><p><strong>97 percent of organizations lack the </strong><span style="text-decoration:underline;"><strong>technology</strong></span><strong> they need to address the threats!</strong></p><p>If I were on the board and heard this, I would be questioning the executive team hard.</p><p>Other surveys indicate that the majority of executives know they have been hacked in the past and expect hackers to be successful in the future.</p><p>But do they know the true extent of the problem?</p><p>Do they know their defenses are down — and that their people don't have the ability to detect intrusions promptly?</p><p>When I took over the internal audit function at a company years ago, I was concerned by what I saw in the information security area.</p><p>Rather than audit the defenses, I had my team audit whether the company had the <strong>capability</strong> to build, maintain, and manage the defenses.</p><p>Key questions include:</p><ul><li>Do you understand the risk to the business (the consequences) if there is a successful intrusion? How will the objectives of the organization be affected? Can you and have you assessed cyber risk in business terms? How recent is that assessment?</li><li>Are you satisfied and if so why? If not, what are you doing about it?</li><li>Do you have the people to understand (on a continuing basis) and then address cyber risk?</li><li>Do they have the tools? Is that your opinion or theirs?</li><li>Is the voice of information security heard and listened to at senior and board levels?</li><li>Would a reasonable, prudent individual believe the risk to the organization is at an acceptable level, and will continue to be at an acceptable level over the next year?</li><li>How often is an <strong>objective</strong> assessment of information security performed and is it reliable? Are its recommendations acted on?</li><li>Does it still make sense to expect employees to handle cyber risk? Is it better to outsource it, and to what extent should we do that?</li></ul><p>I welcome your comments.</p>Norman Marks0
Reports That Provide Actionable Informationhttps://iaonline.theiia.org/blogs/marks/2017/Pages/Reports-that-provide-actionable-information.aspxReports That Provide Actionable Information<p>Stories make it easier, in my experience, to explain a concept. So if you are sitting comfortably, it's storytime (fictional).</p><p>A young couple is fast asleep when they feel a tug on the bedsheets.</p><p>"Mommy, daddy, my tummy hurts and I don't feel well!" Sob.</p><p>"Come here. Let me feel your forehead. Oh, it's quite hot. Darling, get the thermometer. We need to check his temperature."</p><p>"Here it is."</p><p>"Son, you have a temperature. Where does it hurt?"</p><p>"Here," pointing and then doubling up in pain.</p><p>They look at each other and decide to take him to the doctor. They don't want to wait until the morning to see their regular doctor so they dress, bundle the boy up, and drive to the hospital.</p><p>A doctor is found quickly and checks the boy out. He decides some tests are needed, including (to the child's distress) taking some blood.</p><p>The doctor leaves them in the care of a nurse, telling them that he will get the results to them as quickly as possible.</p><p>An hour passes. Two hours.</p><p>Finally, the nurse appears.</p><p>"Here's the doctor's report. I know it's quite long but you can see from the Table of Contents that the Executive Summary starts on page 2."</p><p>The father takes the report and starts to leaf through it.</p><p>"OK, it has his picture on the cover so we know it's the right report. But, that looks like an old picture. Let's see what's in the Executive Summary.</p><p>"His weight is 45 pounds, which the doctor notes is average for his height and age. I guess that's good. His temperature is a few degrees above normal. We already knew that. His white cell count is …"</p><p>The father stops talking except to mumble to himself as he reads on. Every so often you hear a muttered "So what?"</p><p>Finally, he throws the report down and accosts the nurse.</p><p>"Is our boy going to be all right? Why is his fever high and why does he have stomach pain? What can we do to help him?"</p><p>There's a huge difference between reporting facts and providing the information your audience needs.</p><p>For risk practitioners, can you answer these questions?</p><ul><li>Do you know what decisions your executive team and board are trying to make?</li><li>Do you know what information they need about what might happen, information they could use to make more intelligent and informed decisions?</li><li>Are you helping them be more successful or are you only helping them avoid harm?</li></ul><p>For internal auditors:</p><ul><li>Do you know what your executive management team and board are trying to achieve?</li><li>Do you know what they need from you to have assurance that risks to success are being managed at acceptable levels?</li><li>Do you only provide assurance on controls rather than risks to objectives?</li><li>When you assess the adequacy of controls, is it clear what potential effect they may have on specific objectives?</li></ul><p>For everybody, do you know what your customer wants from you?</p><p>Are you informing him or her what they need to know — will their child (the organization) be OK, what do they need to know about the condition of risk management and internal control, and what do they need to do about it?</p><p>Are you providing <strong><em>actionable</em></strong> information?</p><p>I welcome your comments.</p>Norman Marks0
Changing of the Guardhttps://iaonline.theiia.org/2017/Pages/Changing-of-the-Guard.aspxChanging of the Guard<h2>What compliance trends can auditors expect in 2017?</h2><p>This will be a year of tremendous change that creates volatility and uncertainty in the internal audit profession. Top political appointees at U.S. regulatory agencies will turn over, and there will be marked changes in priorities with the incoming presidential administration. Those changes in priorities will filter down to the enforcement arena. With a new president who is prone to using social media to provoke policy confrontations with corporations and individuals, there is a material risk that companies may face some negative consequences if they become the focal point of President Trump’s attention.</p><h2>How can a new presidential administration affect the risks that organizations face?</h2><p>President Trump was elected on an agenda to tear down the central legislative, regulatory, and executive actions of his predecessor. There will be a number of recent rulemakings rescinded through legislation, a number of in-progress rulemakings halted or significantly modified, and a number of pending court cases over regulations abandoned to better reflect the new president’s priorities and philosophies. It will be critical for internal auditors to stay aware of the state of play for laws and regulations that most affect their organization’s operations on a daily basis.</p>Staff0
What Is Holding the Company Back?https://iaonline.theiia.org/blogs/marks/2017/Pages/What-is-holding-the-company-back.aspxWhat Is Holding the Company Back?<p>Okay, the risk purists are going to be annoyed with me — again.</p><p>We like to focus on potential events or situations that could affect the achievement of objectives.</p><p>That's fine.</p><p>But they argue that if the event or situation is <em>certain</em>, then it's not something covered by risk management. It's no longer a possibility; it's a sure thing.</p><p>Hmm.</p><p>My thinking is that while it may be <em>certain</em> that the event or situation will happen, the <em>effect</em> may be <em>uncertain</em> [1]. Maybe there's something we can and should do about it to change the potential effect and/or its likelihood.</p><p>In an earlier post, <a href="https://normanmarks.wordpress.com/2016/12/31/the-real-risks-the-ones-not-in-the-typical-list-of-top-risks/" target="_blank">The Real Risks: The Ones Not in the Typical List of Top Risks</a>, I included a number of situations (the purists could argue, correctly, that they are <em>sources of risk</em> rather than a risk themselves).</p><p>Included in the list were:</p><ul><li>Not having sufficient people.</li><li>Lack of teamwork.</li></ul><p>Some of the comments I received said that these were very often conditions already in place, so they weren't really risks (or sources of risk).</p><p>I have to question whether that matters, even if correct (which I doubt)!</p><p>Both of these conditions create the possibility of harm to the organization.</p><p>There probably is harm now, but there is a possibility of harm continuing unless the conditions are changed.</p><p>Where I am going is this: Let's not get hung up over terminology! Words can get in our way.</p><p>Instead, let's focus on:</p><ul><li>What might happen?</li><li>Is that okay?</li><li>What are we going to do about it?</li></ul><p>Risk managers should include these conditions as sources of future risk as well as current harm.</p><p>Internal auditors should consider the value of auditing the controls to address these problems.</p><p>Management and the board should pay attention and fix the problems! Risk and audit practitioners can help by shining a light on the situation.</p><p>I still call <a href="https://www.amazon.com/Auditing-that-matters-Norman-Marks/dp/1537662023/ref=asap_bc?ie=UTF8" target="_blank">auditing what matters</a> "enterprise risk-based auditing." I don't care whether people want to call the topics covered by my audits risks, sources of risk, or gizmos.</p><p>What do you think?</p><p>[1] Technically, risk is the <em>effect</em> of uncertainty on objectives, so the fact that the event or situation is certain is not the deciding factor.</p>Norman Marks0
Step Back and Read the Headlineshttps://iaonline.theiia.org/2016/Pages/Step-Back-and-Read-the-Headlines.aspxStep Back and Read the Headlines<p>Discussions about ethics and reputation often include the “front page of the newspaper” test: Would you take a certain action if you knew it would be on the front page of tomorrow’s newspaper? And while the concept may be a little dated (Newspaper? What’s a newspaper?), the underlying premise still holds true. In fact, in a world where anything can be posted, tweeted, and spread instantly, it is even more relevant.</p><p>Reputational risk continues to be considered one of the biggest issues facing board members, executives, and anyone charged with the welfare of an organization. Accordingly, it represents an important consideration for all internal auditors. But despite this focus, many organizations still do not understand the real impact and power of reputational risk in the decision-making process.</p><p>Recently, some nonprofit organizations have faced increased scrutiny for their spending practices. Donors have raised serious questions about the percentage of donations going to those in need versus the percentage going to questionable operational expenses. The nonprofits defend these as justifiable expenses. But the arguments fall on deaf ears, resulting in substantial and often debilitating decreases in donations, as well as an increasing list of castoff C-suite executives.</p><p>But imagine yourself sitting in the original meetings. A board member asks about the cost of entertainment at a function, or the investment in a glossy new building, or high-class travel expenses, or the CEO’s salary. Someone provides a clear, cogent explanation, citing standards that must be maintained, the ability to attract more affluent donors with larger investments, or the need to reward executives for their success. Based on these sound and logical explanations, you might find that you agree with the decisions.</p><p>The problem is that such internal decisions are seldom viewed through the prism of public opinion. In the boardroom it makes perfect sense; on the front page, not so much.</p><p>You may well argue that you are nothing more than a lowly internal auditor who has never seen the inside of a boardroom, let alone been allowed to help with high-level decisions. However, the same principles hold true for every question you raise. Listen closely to the explanations — how a decision was made, how an event occurred, and how it will be ignored or corrected. Then consider how it would look on the front page of tomorrow’s paper.</p><p>Given the importance of reputation to organizational success, internal auditors need to keep it in mind at all times. Reputation should not just be considered during the first risk assessment; it must continue to receive focus until the auditors and clients come to a conclusion that satisfies everyone — even the people who might see it in tomorrow’s headlines.</p>Mike Jacka1
A Winning Pairhttps://iaonline.theiia.org/2016/Pages/A-Winning-Pair.aspxA Winning Pair<p>We’ve all seen the advertisements for the latest and greatest home security systems. Yet despite all of their bells and whistles and the good they may do, security systems are useless if we forget to set the alarm. The technology and the person using it must work together to achieve the best results. In much the same way, governance and automation can be complementary, but they are not substitutes for each other. In some cases, automation may be used to force process steps and monitor actions, but a company cannot automate its way to compliance. Even the most sophisticated automated processes usually contain at least an interface with what is often the factor of greatest risk — the human being. Governance is a tool to help bridge the gap.</p><p>Take cybersecurity, for example. The Center for Internet Security’s Critical Security Controls calls for a defense-in-depth model to help prevent and detect malware. The intent is to use multiple tools, each specializing in different protections such as access control, intrusion prevention/detection, malware identification, and vulnerability scanning. These products are “layered,” with each tool testing some aspect of the communication, usually with the ability to block or send alerts on questionable traffic. Only if the message passes through all appropriate gates can it be delivered to its intended destination. This is no inexpensive proposition. A company’s spending on cybersecurity may reach tens of millions of dollars.</p><p>And despite automated defenses, proactive technology tools, and the money, time, and resources invested, organizations remain at risk. Phishing, where a party with harmful intentions uses methods such as enticing emails to get recipients to click a link, is a prime example. The code behind the associated link may load malware onto the user’s machine, capture login credentials, and spread malware throughout the network. The intruder now has the same access as the victim and will seek to elevate privileges from there. All it takes is one person clicking one link in one email to infect the system.</p><p>Governance can be effective in bolstering the line of defense. A sound policy, employee education, and monitoring for enforcement are all critical facets of such a program. Internal auditors should be looking for governance in all the right places.</p><p>The auditor should determine whether the organization has defined the level of risk it is willing to assume and whether there is a current risk profile. By identifying risks, mitigation activities in place, and residual risks, the organization can determine its current position. The auditor can then compare the risk appetite to the risk profile. Where the residual risk is too high, the organization can brainstorm alternatives and assess the cost/benefit of each. Results are likely to identify high-risk areas where automation alone cannot bridge the gap or is too costly to implement.</p><p>For those actionable items, ensuring good governance may be the best option. Access control is one example. When an employee or contractor is terminated, particularly for cause, access to systems and facilities must be removed immediately. While the deactivation itself can be automated, it is still triggered by a person, typically HR recording the termination in the system of record; if that record is late or missing, every downstream automated control is late or missing too. Having a policy that assigns responsibility for this function is best practice.</p><p>There must be widespread awareness and understanding of the policy and a sense of urgency and ownership in carrying it out. As the termination procedure may not be a frequent occurrence, reminders to all managers and inclusion in manager on-boarding training are necessary. Also, it’s imperative that human resources have this process top of mind.</p><p>A robust awareness program also contributes to driving behaviors. Executive behavior is key, and employees must know what is expected of them. Repeated education can be effective, as many need reminders. Auditors may recommend computer-based training, lunch-and-learn sessions, posters, gamification, and other methods to improve retention and reinforce desired behavior.</p><p>Finally, there is a need to monitor for desired behavior. While many factors can be monitored electronically, governance still plays a role. The auditor can determine whether there are policies for monitoring employee behavior. Has there been a discussion with the legal department regarding an employee’s expectation of privacy? If employees should not have an expectation of privacy regarding company property, computerized activity on company networks, etc., have they been notified? The auditor may want to recommend a banner on the login page of the company’s systems.</p><p>Just like installing a home security system and remembering to use it, governance and automated controls should be complementary. Auditors can help companies see how a balance is needed. Desired behavior must be governed from the top, embraced by management, and exercised by all.</p>Debbie Shelton1
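<p>The termination control above is one an auditor can test rather than just ask about: join the HR termination records to an export of the identity directory and flag accounts that were disabled late, are still enabled, or were used after the termination date. The script below is an added example and is not part of the article or its author's work; the HR and IAM records, the field names, and the service levels (one hour for terminations for cause, 24 hours otherwise) are assumptions chosen for illustration.</p>

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article). In a real audit the
# termination list comes from the HR system and the account list from a
# directory or identity-provider export for the same period.
HR_TERMINATIONS = [
    {"user": "jdoe",   "terminated_at": "2017-03-01T17:00:00", "for_cause": True},
    {"user": "asmith", "terminated_at": "2017-03-03T12:00:00", "for_cause": False},
    {"user": "bwong",  "terminated_at": "2017-03-04T09:00:00", "for_cause": False},
]

IAM_ACCOUNTS = [
    # jdoe: terminated for cause, never disabled, and logged in the next morning
    {"user": "jdoe",    "enabled": True,  "disabled_at": None,
     "last_login": "2017-03-02T08:30:00"},
    # asmith: disabled, but two days after the 24-hour deadline
    {"user": "asmith",  "enabled": False, "disabled_at": "2017-03-06T12:00:00",
     "last_login": "2017-03-03T11:50:00"},
    # bwong: disabled within the hour, no post-termination login -> clean
    {"user": "bwong",   "enabled": False, "disabled_at": "2017-03-04T09:40:00",
     "last_login": "2017-03-03T18:00:00"},
    # ccarter: no HR termination record -> current employee, out of scope
    {"user": "ccarter", "enabled": True,  "disabled_at": None,
     "last_login": "2017-03-05T10:00:00"},
]

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"


def _ts(value):
    """Parse an ISO-like timestamp string, or return None for a missing value."""
    return datetime.strptime(value, TS_FORMAT) if value else None


def _hours(delta):
    return round(delta.total_seconds() / 3600, 1)


def find_deprovisioning_gaps(terminations, accounts, as_of,
                             sla_hours=24, cause_sla_hours=1):
    """Reconcile HR terminations against IAM account state.

    as_of is the audit cut-off timestamp (string). Returns one finding per
    exception: an account with no IAM record, one still enabled at the cut-off,
    one disabled after its deadline, or one with a login after termination.
    The SLA values are assumptions for this example, not a published standard.
    """
    as_of_dt = _ts(as_of)
    by_user = {a["user"]: a for a in accounts}
    findings = []
    for term in terminations:
        acct = by_user.get(term["user"])
        if acct is None:
            findings.append({"user": term["user"], "issue": "no_iam_record",
                             "hours_late": None})
            continue
        terminated = _ts(term["terminated_at"])
        sla = cause_sla_hours if term["for_cause"] else sla_hours
        deadline = terminated + timedelta(hours=sla)
        disabled = _ts(acct["disabled_at"])

        if acct["enabled"] or disabled is None:
            # Still live at the cut-off: lateness is measured from the deadline.
            findings.append({"user": term["user"], "issue": "still_enabled",
                             "hours_late": _hours(as_of_dt - deadline)})
        elif disabled > deadline:
            findings.append({"user": term["user"], "issue": "late_disable",
                             "hours_late": _hours(disabled - deadline)})

        # Any use of the account after termination is a finding on its own,
        # whether or not the account was eventually disabled.
        last_login = _ts(acct["last_login"])
        if last_login and last_login > terminated:
            findings.append({"user": term["user"],
                             "issue": "login_after_termination",
                             "hours_late": _hours(last_login - terminated)})
    return findings


def run_sample():
    """Run the reconciliation over the constructed data with a fixed cut-off."""
    return find_deprovisioning_gaps(HR_TERMINATIONS, IAM_ACCOUNTS,
                                    as_of="2017-03-07T09:00:00")


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['user']:8} {f['issue']:24} hours_late={f['hours_late']}")
```

<p>Two of the three findings come from the same account: the for-cause termination was never disabled at all, and the account was used the next morning. That is the case the article is describing, where the automation was in place but nobody triggered it; the late-disable finding on the second account is the milder version of the same failure. Running this on a real export also surfaces the "no_iam_record" case, which usually means the HR and directory identifiers do not line up and the automated feed was silently dropping people.</p>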
Monitoring Laws and Regulations and Their Effect on Your Organizationhttps://iaonline.theiia.org/blogs/marks/2017/Pages/Monitoring-laws-and-regulations-and-their-effect-on-your-organization.aspxMonitoring Laws and Regulations and Their Effect on Your Organization<p>This is an important topic for every organization, whether public or private, local or global.</p><p>It's especially true when you add interpretations by the regulators and courts of existing laws and regulations.</p><p>Something that you thought you understood to mean A now appears to mean B.</p><p>If you are not up to date on the laws and regulations with which you need to comply, there is a significant potential for harm.</p><p>OCEG recently shared an infographic on the topic of <a href="http://www.oceg.org/resources/regulatory-change-management/" target="_blank">Regulatory Change Management</a>. Sponsored and developed by Thomson Reuters, the accompanying article points out that there are technology tools that can help monitor changes in the regulatory environment that might affect the organization, its risks, and its ability to remain in compliance.</p><p>I agree that technology like this can be very useful. But I am not 100 percent convinced that it is sufficient.</p><p>If it were up to me, I would develop a map that shows all the areas where laws, regulations, and societal expectations might apply to the enterprise. I add societal expectations because failing to live up to them can be damaging, directly to the organization's reputation and indirectly to its revenue and more.</p><p>I would then, for each area, identify how we could ensure we remain up to date, and who is responsible. I would not ignore sources like:</p><ul><li>The external law firms.</li><li>The external auditors.</li><li>Government affairs consultants.</li><li>The management team and other advisors.</li></ul><p>But it's not enough for designated individuals to receive notification of changes that might affect the organization.</p><p>It's not enough, as implied in the piece, for analysis to be performed at HQ.</p><p>The changes and their implications need to be communicated to all potentially affected individuals across the extended enterprise. That population includes not only employees but partners, service providers, and others in the supply chain.</p><p>Training may be needed; policies and procedures may need to be updated. As noted by the authors, controls may need to be changed or adapted to the new environment.</p><p>It is quite possible that regulatory change may mean that current strategies and objectives need to be changed as well.</p><p>This is an important area, one that deserves the attention of both risk practitioners and internal auditors. From time to time, the board might consider asking management to report on its ability to both identify and then respond to regulatory change.</p><p>Perhaps you can share sources of information about regulatory change that I have missed, as well as measures that organizations should take to address them.</p><p>OCEG is a great source of <a href="http://www.oceg.org/resource_topic/free/" target="_blank">materials</a> and <a href="http://www.oceg.org/education/grc-fundamentals/" target="_blank">training</a>. Membership is free!</p>Norman Marks0
Mapping Assurancehttps://iaonline.theiia.org/2016/Pages/Mapping-Assurance.aspxMapping Assurance<p>​When it comes to providing assurance, internal audit isn’t the only player in the game. Boards and executives seek assurance information on the effectiveness of an organization’s governance, risk management, and control processes from a variety of internal and external sources, including external auditors, the risk management function, health and safety auditors, government agencies, the compliance function, and quality auditors. Likewise, internal audit functions rely on other assurance providers for needed expertise.</p><p>Given this array of assurance providers, internal audit needs new tools to better monitor and communicate about the effectiveness of the organization’s enterprise risk management (ERM) process. IIA Practice Advisory 2050-2 recommends that CAEs use an assurance map to coordinate assurance activities with other providers to maximize coverage and minimize duplications. An assurance map presents a picture of all assurance activities across the organization that can enable the board and other stakeholders to better exercise their risk management oversight duties. </p><p>The many benefits of assurance maps include:</p><ul><li><p>Focusing on the strategic areas of concern and identifying key risk events that can affect the achievement of objectives.<br></p></li><li><p>Improving the value of the organization’s assurance activities by evaluating whether a combination of different internal controls have been designed adequately and are operating consistently to mitigate the target risks holistically. <br></p></li><li><p>Helping create a more efficient assurance process by spotlighting duplications.<br></p></li><li><p>Facilitating identification of key risk areas that have insufficient coverage or gaps. 
<br></p></li><li><p>Providing an integrated and comprehensive report about risk and assurance activities for boards, audit committees, senior executives, and assurance providers that helps them make informed governance decisions.<br></p></li><li><p>Helping internal audit provide its opinion on the effectiveness of ERM, wherever required. <br></p></li></ul><p>Taken together, these benefits can enhance the board’s risk management oversight efforts by helping improve its governance and monitoring processes and structures.<br></p><h2>Plotting a Map</h2><p>The internal audit function’s independent status, close interactions with other assurance providers, and knowledge and methodology for providing assurance services make it well-suited to lead efforts to coordinate assurance services. Moreover, internal audit has a strong vested interest in improving the effectiveness of assurance coordination across all functions, a principle known as combined assurance. Indeed, the internal audit functions of South African companies used assurance maps to achieve combined assurance as required by South Africa’s King Report on Corporate Governance. </p><p>The use of an assurance map aligns internal audit efforts with the organization’s identified risks. In one integrated document, the assurance map identifies and presents the specific assurance efforts that will be applied to manage each identified risk. “Risk Management and Assurance Integrated Framework” on page 56 illustrates the format of an assurance map, which internal audit functions can customize to meet their specific needs.</p><p><strong>Risk</strong> In creating the map, internal auditors should start with the organization’s strategic plan based on its key organizational objectives. Examples include launching three new products by the end of 2017, or reducing staff attrition to less than 7 percent annually by March 31, 2018. 
Key risks drawn from the organization’s ERM framework should present events that might prevent critical objectives from being achieved. Auditors should group these identified risks by category — strategic, operational, reporting, and compliance — to facilitate assessment and response considerations.<br></p><p>For each key risk, the assurance map should list the risk owner who is accountable for managing the risk and conducting assurance activities. It should rate the inherent risk of events based on their impact and likelihood on a scale ranging from minor (green) to critical (red). Mitigation strategies are designed to either prevent a risk event from occurring or to mitigate the effects after an event has taken place. Key controls are those responses that help manage and reduce risk within the risk appetite. Finally, the map illustrates the residual risk after management has implemented risk response activities.</p><p><strong>Assurance</strong> The next series of columns provides the coverage of assurance services by the organization’s three lines of defense. Tier 1 shows the process owners’ direct oversight of day-to-day operations. For example, front-line operational managers oversee control self-assessment and monitoring mechanisms and systems. Tier 2 displays the oversight functions that support management by providing expertise for policy development and monitoring their execution. Tier 3 shows the independent and objective providers of assurance on the overall adequacy and effectiveness of risk management, governance, and internal control, as established by the first and second tiers.<br></p><p>The next column on the map, Reliance on Assurance Providers, classifies the assurance coverage provided. 
Criteria may include:</p><ul><li>Primary, secondary, and tertiary responsibility.<br></li><li>Significant, moderate, insignificant, and unknown contributor to assurance.<br></li><li>Extensive, regular, ad-hoc, and no assurance provided.<br></li></ul><p>Internal audit’s overall assessment of both the quality and quantity of assurance received is based on criteria including subject-matter expertise, experience, skills, and methodology. For example, no reliance indicates there is no information available to evaluate the adequacy of the assurance activities provided. Low reliance means there is a lack of information to evaluate the adequacy of assurance activities. Limited reliance means only management reviews of the effectiveness of risk management have been applied. In this case, the organization has had limited or no independent evaluation of control design sufficiency and operating effectiveness. Moderate reliance indicates that oversight functions that support management have consistently evaluated the adequacy of assurance activities. Extensive reliance indicates that independent and objective assurance services have been provided to evaluate the adequacy of assurance activities.</p><p>The next column details the remedial actions to address weaknesses and ensure continuous improvement of the assurance process for reaching the desired and aspirational level of assurance.
Objectives include eliminating assurance gaps, reducing assurance overlaps, and improving the strength and coverage of the assurance provided by documenting follow-up actions such as:</p><ul><li>Assigning assurance owners.<br></li><li>Specifying assurance scope and mission.<br></li><li>Identifying the nature and frequency of assurance activities being undertaken.<br></li><li>Coordinating planned assurance activities.<br></li><li>Determining the timing and frequency of assurance reviews.<br></li></ul><p>In the final column, global independent assurance opinion consists of the CAE’s written assessment of the effectiveness of the organization’s approach to managing the risk. For example, “Considering the assurance-based activities undertaken during the year, in our opinion the internal control and risk management systems are effective (ineffective) considering the company’s specified risk appetite.”</p><h2>An Integrated Process</h2><p>Assurance maps offer a consolidated picture of the risk and assurance framework by assessing the quality and level of assurance activities being provided against key risks. However, the internal audit function should consider several factors when building such a tool. Assurance maps are a tool whose production is more art than hard science. No assurance map fits all the needs of every organization. Internal audit should start with the top key risks confronting the organization, then expand as desired.</p><p>Internal audit also should view the risk management and assurance framework as an integrated process. Assurance maps are not a silver bullet for ensuring adequate risk management. Without a well-developed risk management framework, internal audit and other assurance providers won’t be able to pull the information required to plan their assurance activities appropriately. At the same time, internal auditors should update the assurance map periodically.
</p><p>Internal audit should leverage the power of data without getting lost in it. To be effective, internal auditors must be able to explain the value, goal, and drivers of the assurance map. Most importantly, they must demonstrate how to use the map to identify assurance gaps that need attention.</p><p>Additionally, internal auditors should make assurance maps an informative tool for reporting to the board by focusing on the significant areas of concern. Using color-coded representation can highlight the important findings.</p><p>Finally, internal audit should get all assurance providers involved to develop the assurance map and share the results with all providers. Creating and using an assurance map should be a team effort, rather than one dominated by internal audit.</p><h2>A Catalyst for Assurance</h2><p>Leading the development of an assurance map and reporting on assurance coverage and gaps offers internal audit functions an opportunity to improve their effectiveness in governance. In addition to enabling internal audit to provide assurance on the organization’s risk management effectiveness, an assurance map can assist internal audit in assigning its resources efficiently with better knowledge about the entire assurance process. The insights gained from visual reporting and analysis of an assurance map also can enable internal audit to strengthen its relationship with management and the board to enhance risk management, internal control, and governance.</p><p>The success that South Africa’s internal audit functions have had in using assurance maps demonstrates that a combined assurance approach can help internal audit raise its profile in facilitating the corporate governance process. Assurance maps also can transform internal audit into a catalyst for improving an organization’s assurance services.</p><p><img src="/2016/PublishingImages/Chen-Risk%20Management%20and%20Assurance%20Integrated%20Framework.jpg" alt="Risk Management and Assurance Integrated Framework" style="margin:5px;" /></p><p>Y.S. Al Chen</p>
<h2><a href="https://iaonline.theiia.org/2017/Pages/New-Leadership-New-Risks.aspx">New Leadership, New Risks</a></h2><p><span style="text-align:justify;">When a momentous event happens — and without question, the election of Donald Trump to the Oval Office was momentous — people tend to overestimate the consequences for the short term, and underestimate them for the long term. That point is worth remembering as the internal audit community tries to decipher what the Trump administration means for business risk.</span></p><p style="text-align:justify;">After all, the Trump team has talked a great deal about sweeping change: tax reform, health-care reform, infrastructure spending, trade policy, and regulatory reform. The immediate impulse to brace for impact is natural.</p><p style="text-align:justify;">A better metaphor, however, might be that audit leaders should acclimate to a new environment — one that will arrive more subtly than people expect, but in the fullness of time, bring about potentially dramatic change. Fundamentally, the business risks themselves will not change. Regulatory enforcement, financial reporting, cybersecurity, supply chain, liquidity — all the risks that organizations faced in previous years will still exist in 2017 and beyond. What will change is the underlying forces and conditions that shape those risks.</p><p style="text-align:justify;">Identifying those changing conditions, and deducing their implications for the organization's own enterprise risk assessment, will be a key challenge for chief audit executives in the Trump Era. What are some of those tectonic shifts likely to happen in 2017 and beyond? Let's look at a few examples.</p><h3>The Rise of Political Risk</h3><p style="text-align:justify;">Political risk — that is, dramatic, unpredictable political decisions that can carry far-reaching consequences for a business or industry — has not been a phenomenon in the United States for many years.
Now it will be, owing to the new president's willingness to confront corporate decisions head-on.</p><p style="text-align:justify;">One example is his recent admonishments against Ford Motor Co. for its plans to locate a US$1.6 billion manufacturing plant in Mexico, and Ford's subsequent announcement on Jan. 3 that <a href="http://www.reuters.com/article/us-ford-mexico-idUSKBN14N1EO">it would scrap those plans to build a US$700 million plant in Michigan</a>. Another is Trump's comments during his Jan. 11 press conference, where he announced that <a href="http://www.wsj.com/articles/trump-attacks-drugmakers-on-pricing-1484167641">he wants to require pharmaceutical companies to bid on contracts for Medicare and Medicaid</a>. That would be a major shift in government health-care spending; the Nasdaq Biotech Index fell 3 percent within hours of his statement.</p><p style="text-align:justify;">Businesses will need to explore strategies that can withstand greater political risk. Manufacturers, for example, may invest more in work automation technologies. Services businesses might develop more customer self-help mechanisms to avoid the political risk of outsourcing call centers. Investment strategies might need to be shorter-term, so companies can tack into political winds more easily.</p><p style="text-align:justify;">More broadly, industries might see international sanctions reversed — removing them from Russia, re-imposing them on Iran — or well-understood markets up-ended in light of new political priorities (e.g., health care).
For example, a 2017 political analysis published by the law firm Squire Patton Boggs identified several legislative events likely to happen this year:</p><ul><li>The end of free-trade efforts such as the Trans-Pacific Partnership or the Transatlantic Trade and Investment Partnership.</li><li>Significant changes (or even full abolition) of the Consumer Financial Protection Bureau and the Financial Stability Oversight Council, two oversight bodies created by the Dodd-Frank Wall Street Reform and Consumer Protection Act.</li><li>The repeal and replacement of the Patient Protection and Affordable Care Act.</li></ul><p style="text-align:justify;">Each of these potential changes could significantly impact the immediate industries to which they pertain, as well as the broader economy.</p><h3>The Shift in Enforcement Risk</h3><p style="text-align:justify;">Businesses may also see a regulatory enforcement climate of smaller penalties against corporations, especially when companies cooperate with regulators to identify individual wrongdoers at their companies. A precursor to this idea emerged in 2016, in the Justice Department's Foreign Corrupt Practices Act Pilot Program: discounts in monetary penalties for companies that disclosed violations of anti-bribery law and then remediated control weaknesses.</p><p style="text-align:justify;">So what would the implications be if the Trump Administration applies that concept on a wider scale? Foremost, companies would want to revisit their compliance programs to ensure they can cooperate with regulators effectively. For example, if a company wants to win cooperation credit for helping regulators prosecute individuals, it must be able to identify (and gather evidence against) those individuals within its ranks.
So the importance of e-discovery processes and investigation protocols goes up.</p><h3>From Cheap Money to Easy Money</h3><p style="text-align:justify;">The Trump Administration wants to ease oversight of bank lending and new capital formation. At the same time, we're likely to see more infrastructure spending <em>and</em> higher interest rates as the Federal Reserve keeps nudging rates higher amid stronger economic growth.</p><p style="text-align:justify;">String all those variables together: a world of stronger growth, where companies can get loans more easily but at higher interest rates. What risks emerge from a scenario like that?</p><p style="text-align:justify;">Companies could, for example, face greater liquidity risk if their finances are based on instruments that can't withstand higher interest rates. Or the demand for skilled labor will grow so fierce that companies might face workforce shortages. Merger targets could become unaffordable. Inflation might erode expected profits.</p><p style="text-align:justify;">An over-stimulated economy would be quite different from the past decade of low economic growth, low interest rates, and a tightly constrained financial sector. It would reverse many long-held assumptions businesses have used, with corresponding change to risks, policies, and controls.</p><p style="text-align:justify;">By the same token, the new lending climate could offer significant potential for growth without some of these downsides – and organizational leadership will want to consider whether they're positioned to leverage that opportunity. Chief audit executives could help ensure the organization has adequately examined the upside potential of economic growth.
</p><p style="text-align:justify;">Every company would experience bank lending changes in its own way, but more than anything else, this new economic climate could be the most tangible change that a Trump Administration might bring about.</p><h3>Remember the Limits</h3><p style="text-align:justify;">For all the potential transformations that the Trump Era might bring, internal audit professionals should also remember another truth: political power is often fragile. For <em>any</em> policy change to move forward, <em>all</em> Republicans in Congress and Trump must agree on the policy. Any crack in party resolve could fracture the whole plan.</p><p style="text-align:justify;">That could translate into delays and disputes on any number of legislative efforts. In fact, those delays have already emerged over health-care reform. Tax reform might see similar treatment, as special interests lobby to preserve their favorite corners of the tax code. (This also means that we're more likely to see change that the executive branch can enact itself, much like we saw in the later Obama years.)</p><p style="text-align:justify;">A recent analysis by the law firm Arnold &amp; Porter demonstrates the challenge. For tax reform, the analysis says, Trump's main thrust will be to increase the benefits of manufacturing in the U.S., to stimulate job growth. The early proposals also mean, however, that <a href="http://www.wsj.com/articles/toy-makers-gird-for-tax-code-change-1484143201">retailers that import cheaper goods from overseas could see painful tax increases</a>.</p><p style="text-align:justify;">That will likely lead to fierce battles in Washington, with some powerful corporate voices fighting to preserve their interests. When will those questions get resolved? Nobody knows.</p><p style="text-align:justify;">In other words, internal auditors shouldn't ask, "How will the Trump administration change my world?"
A far better question is to ask, "How will the Trump administration change the broader world — and what is the organization doing to prepare for it?"</p><p>Matt Kelly</p>
