Risk and Compliance



<h1><a href="https://iaonline.theiia.org/2019/Pages/The-Upside-of-Risk.aspx">The Upside of Risk</a></h1>
<p>Internal auditors characteristically interpret professional requirements to contribute to organizational risk management as helping senior management address weaknesses and threats to achieving the organization's objectives. The tendency to focus on downside factors that can actually or potentially impede organizational success is well-established and provides value that must continue to meet professional and stakeholder expectations.</p>
<p>But what about the organization's strengths and opportunities and their contribution to organizational goals? The concept of <em>positive auditing</em>, an approach that extends risk-based analyses and plans to improve strengths and opportunities, can enhance the value of independent assurance. While a typical internal audit provides assurances on downside organizational weaknesses and threats needing to be addressed, positive auditing provides assurances on upside organizational strengths and opportunities that need to be sustained.</p>
<p>Risk-based plans should include assurances on strengths, opportunities, and upside factors deemed critical to achieving organizational objectives. Importantly, this expansion complies with the current Definition of Internal Auditing and mandatory requirements of the International Professional Practices Framework (IPPF). Positive auditing enhances the organization's reputation by addressing the interests of the organization's stakeholders on what is working, as well as identifying areas needing improvement.</p>
<h2>A Shift in Approach</h2>
<p>Shifting focus to strengths is consistent with innovations in the fields of social behavior. In 1998, after more than 100 years of primarily addressing the negative aspects of individual and social behaviors, the psychology profession formally expanded its scope to include the now burgeoning field of positive psychology. As noted by C. R. Snyder, Jennifer Pedrotti, and Shane Lopez in their book, <em>Positive Psychology: The Scientific and Practical Explorations of Human Strengths</em>, "positive psychology offers a balance to this previous weakness approach by suggesting that we also must explore people's strengths along with their weaknesses. … Positive psychology seeks a balanced, more complete view of human functioning."</p>
<p>By making a similar enhancement to how it sees and promotes itself, and how it is seen by its stakeholders, internal audit offers a more balanced and complete orientation to the assurance paradigm, which is a new area for service innovation and professional growth.</p>
<h2>Balanced Engagement Reporting</h2>
<p>Internal auditors have taken initiatives to provide more balance in their reports by including positive findings for engagements that normally focus on downside issues requiring improvement. This added balance demonstrates a greater understanding of business operations by internal auditors, motivates managers by recognizing where their efforts are showing results, and, consequently, encourages greater acceptance of recommendations for improvement. Positive auditing builds on these initiatives and benefits by designing risk-based plans and engagements from the outset that consider the provision of high levels of assurance on positive areas deemed critical to organizational success within the domain of internal audit.</p>
<h2>More Complete Risk Analyses</h2>
<p>The IPPF defines risk as "the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood." This definition is not limited to downside uncertainties; it also includes upside uncertainties, such as opportunities for gains.</p>
<p>The concepts of risk and risk management applied by internal auditors characteristically focus on addressing adverse uncertainties that are likely to negatively impact the achievement of organizational objectives. The orientation toward negative risk may be partly explained by the desire to minimize audit risk, such as the risk of making inaccurate assessments. As organizational weaknesses and threats often are known or suspected, there is less risk in accepting an internal audit and its recommendations. Because management makes decisions involving both upside and downside uncertainties, internal audit's risk analyses should be more comprehensive, leading to the development of more complete analytical tools and critical thinking.</p>
<h2>More Complete Risk-based Internal Audit Planning</h2>
<p>With positive auditing, risk-based audit planning broadens the scope of risk assessments to consider strengths and opportunities critical to the organization and where independent confirmation adds value. It brings consultations on internal audit plans more in line with management's interests in what is working and where independent assurances address the interests of external stakeholders. There is likely to be wider coverage and fuller alignment with the organization's business priorities.</p>
<p>There are occasions when independent evaluation and confirmation by internal audit of organizational strengths and weaknesses adds value. Consider three internal audit domains — organizational governance, risk management, and controls processes — which in the examples shown are not given priority in internal audit plans because there are no indications of significant adverse risk.</p>
<p><strong>Organizational Governance</strong> This domain can benefit from assurances on organizational opportunities and strengths, as well as threats and weaknesses. Internal audit's objectives might be to:</p>
<ul>
<li>Ensure the organization appropriately administrates complaints concerning social and personal behavior.</li>
<li>Ensure the integrity of positive performance information supporting year-end bonus payments to management.</li>
</ul>
<p><strong>Risk Management</strong> This domain benefits from oversight that provides comprehensive, validated information. The internal program of risk management considers strengths and opportunities, as well as weaknesses and threats to organizational success. Internal audit's objectives might be to:</p>
<ul>
<li>Ensure the robustness of the strengths and opportunities reported across the risk management program.</li>
<li>Ensure the quality of due diligence activities in support of significant organizational initiatives and decision-making.</li>
</ul>
<p><strong>Examinations of Control Processes</strong> This domain provides operational oversight to keep the organization on track in achieving its objectives. Control processes adapt to evolving organizational needs. Internal audit's objectives may be to:</p>
<ul>
<li>Ensure the continued relevance and quality of performance standards and information relied on by senior management.</li>
<li>Ensure the continued cost-effectiveness of systems of internal oversight.</li>
</ul>
<p>These examples show where positive auditing might provide value-added assurance to the organization's stakeholders, even when the internal audit program and engagement plans are not expected to make material recommendations for improvement. The expanded scope into positive areas has the additional benefit of increasing internal audit coverage to find possible fraudulent behavior within the organization.</p>
<h2>The Case for Positive Auditing</h2>
<p>Positive auditing broadens the range of internal audit assurance services by enhancing systematic consideration of upside factors — organizational strengths and opportunities — in support of achieving organizational objectives. It provides a direction for service innovation and professional growth within the current IPPF by addressing upside risks and confirming what is working — both of which are deemed critical to organizational success.</p>
<p>It also contributes to organizational improvement by enhancing due diligence of management oversight and confirming the strengths in areas deemed critical to success. Internal audit processes increase analysis and attention to critical factors in the area being examined by all concerned. Should the examination disclose unexpected areas for improvement, management will have shown itself to be proactive and diligent in its pursuit of organizational performance. Either way, the confidence of external and internal stakeholders in management oversight is increased.</p>
<p>Positive auditing also provides an opportunity to enhance the paradigm of the internal audit profession, expand the range of assurance services in risk-based plans, and tell new stories to our varied stakeholders. The internal audit community should consider the matter together, consult with stakeholders, and determine the extent to which positive auditing offers a viable direction for innovation in the profession.</p>
<p>Basil Orsini</p>
<h1><a href="https://iaonline.theiia.org/2019/Pages/Auditing-Culture-Bumps-in-the-Road.aspx">Auditing Culture: Bumps in the Road</a></h1>
<p>Internal auditors new to auditing culture should be aware of the challenges they might encounter during this type of assessment. In this latest installment of my "Auditing Culture" series, I present some of these challenges, together with potential ways of addressing them. Although the list is by no means exhaustive, it should give practitioners a few insights into what to expect.</p>
<h3>Culture is multifaceted and complex.</h3>
<p>There are many models of culture available today. Those I have seen include anywhere from four to 30 cultural drivers. Moreover, each driver interacts with the others in complex ways. To foster the desired culture, each of these drivers should be well-designed, aligned with the other drivers, and operating effectively.</p>
<p>It is impossible to deal with all the nuances of this complex web, but we don't have to. Internal audit's goal, as I said in my <a href="/2019/Pages/Auditing-Culture-History-and-Principles.aspx">previous installment</a>, is to provide stakeholders insight about the culture and to continually enrich their understanding of it. We do need to be aware of the complexity of culture to avoid jumping to conclusions on limited evidence.</p>
<h3>There are no agreed-upon criteria for what constitutes a good culture.</h3>
<p>The first researchers who studied organizational cultures tried to identify the characteristics of a good culture. Today, the general consensus is that there is no universally "right" or best culture. For example, a venture capital firm takes big risks for potentially big rewards, whereas a commercial bank should have a more balanced approach. Likewise, an internet startup may be almost completely focused on innovation, while an established internet service provider might be more conservative.</p>
<p>Cultural variations will even exist within the organization. Finance could have a more conservative culture, while the sales team's culture may be considerably more aggressive — both within limits, of course. That said, there is probably a "right" culture for each organization — the culture that will best help achieve its strategy and business objectives. The organization's strategy can be the starting point for internal auditors in dealing with this challenge.</p>
<h3>Managers create subcultures within their spheres of influence.</h3>
<p>These subcultures will often be appropriate, as in the example of finance vs. sales. But if they fail to align with the culture adopted by the organization at large, subcultures may be problematic.</p>
<p>While the multiplicity of subcultures can be challenging, it also presents an opportunity for internal auditors. Inconsistency between a subculture and the desired culture often creates risk, and business leaders need to be aware of it.</p>
<p>Before reporting these inconsistencies to higher levels, internal auditors should work with local managers to help resolve them. To help prevent managers from becoming defensive, auditors could try showing them evidence of the problem rather than just stating that a problem exists. That way, managers learn about the problem by seeing the inconsistencies for themselves. Although not always successful, this approach often works with well-intentioned managers who want to improve. When it does work and the risk is not severe, internal audit can monitor the resolution informally in a positive, collegial manner and may not have to embarrass the manager by reporting it to higher levels.</p>
<h3>Management and the board rarely define expectations for the culture.</h3>
<p>Ideally, expectations should be defined across each part of the business and include observable behaviors that illustrate consistency with, or variance from, the desired culture. Internal audit would then have specific criteria to audit against.</p>
<p>To deal with undefined cultural expectations, some internal audit functions use a published culture model, tailor the cultural drivers to their organization, and agree it with management and the board. The effectiveness of each driver in helping the organization achieve its objectives becomes their criteria.</p>
<p>Many, if not most, organizations have at least four or five stated values. Although general, these values can sometimes serve as criteria to audit against. One telecom company, for example, had a value of achieving work-life balance for its employees. While auditing a large project, the internal auditors observed people working 60 to 80 hours a week due to unrealistic targets and poor project leadership. After internal audit reported this finding to management, the CEO took prompt action to rectify the situation because it violated a value he believed in.</p>
<h3>Cultural inconsistency exists within the extended organization.</h3>
<p>Few organizations today are self-contained. They have outsourced functions, suppliers, joint ventures, global operations, and so on. These third parties create risks for the organization, and cultural inconsistencies can magnify those risks.</p>
<p>Internal auditors can help the organization come to grips with this challenge by finding out what, if anything, the organization is doing to address it and assessing whether those measures are sufficient. For example, I know of two organizations that require third parties to give them a report each year explaining how they conform with the organization's values. One of them meets with each third party to discuss the report, and those meetings are considered the most meaningful part of the assessment process.</p>
<h3>Employees are the best source, with a few caveats.</h3>
<p>In my <a href="/2019/Pages/Auditing-Culture-History-and-Principles.aspx">first installment</a>, I proposed three principles for auditing culture, one of which is that an organization's culture exists in the perception of its employees. But finding out what employees really think of the culture can be difficult. Here are a few of the challenges.</p>
<p><strong>They might not be fully candid.</strong> Employees may hesitate to say negative things about their work environment to an auditor, fearing retribution if it gets back to their superiors. Dealing with this challenge depends on the situation.</p>
<p>In a small organization in which auditors are trusted, a personal guarantee of confidentiality might be enough. At the other extreme is an anonymous employee survey, administered in a way that makes it physically impossible for anyone in the organization to know who said what.</p>
<p>Internal auditors may not always be able to fully convince employees that an online survey is anonymous. One public sector audit function that contends with this issue devised an in-person, group method of collecting information, tailored for its unique circumstances. The department reviews other agencies believed to have serious problems, heightening the potential for mistrust. To help maximize candor, the auditors gather employees in an auditorium with no managers present and ask them to complete hard copy surveys. The employees then pass their completed surveys to the end of the seating rows, and the auditors collect them with no way to know who completed each one.</p>
<p>Most audit departments fall somewhere between these extremes. They have to find the right balance, keeping in mind that the more they know where information comes from the better they can follow up, but with less actual or perceived confidentiality.</p>
<p><strong>They may have cultural "blind spots."</strong> A common definition of <em>culture</em> is "How we do things around here." When people join an organization, they want to fit in. They tend to accept the way things are done, assuming there must be a good reason for it — even if it doesn't seem quite right to them at first.</p>
<p>To deal with this challenge, internal auditors can apply their fresh perspective and broad knowledge of the organization to each audit. They are well-positioned to identify cultural inconsistencies that employees might not be aware of.</p>
<p><strong>They may be subject to cognitive bias and groupthink.</strong> By one count, behavioral economists have identified 188 cognitive biases that hinder effective decision-making. Knowledge of cognitive biases will help internal auditors address them. Jeff Desjardins, founder and editor of Canadian media and news firm Visual Capitalist, identifies a sampling of biases relevant to the business world in his article, "<a href="https://www.visualcapitalist.com/18-cognitive-bias-examples-mental-mistakes/">18 Cognitive Bias Examples Show Why Mental Mistakes Get Made</a>."</p>
<p>Groupthink can also obscure organizational culture. It can infect workshops, focus groups, or similar assessment forums. Facilitation skills should include the ability to recognize and counter groupthink. Also, auditors can use interviews or surveys instead of, or in addition to, group-oriented techniques.</p>
<p><strong>Internal auditors may have their own blind spots and biases.</strong> When auditors conduct surveys, interviews, and workshops, they bring their own baggage to the table. Auditors should be mindful of their potential to influence the assessment process or misinterpret results. One technique that might help is to have one or more "challenge sessions" during an audit, in which a more experienced auditor, independent of the audit team, meets with team members to challenge their thinking.</p>
<p><strong>Clients' response to the results will be influenced by the culture.</strong> This may be true of the overall culture or the subculture created by a manager. Whether preparing to deliver initial verbal reporting on an issue or the final written report, internal auditors should consider how culture might affect the client's response and plan accordingly.</p>
<p>For example, in a company with an aggressive sales culture, managers might be successful in the short term by driving employees to meet unrealistic targets. In doing so, they create a highly stressful, even toxic environment. Neither local nor senior management in such an organization is likely to welcome a recommendation to lower the targets and, in turn, the pressure. Providing concrete examples of the long-term harm this environment has caused in some parts of the organization or in other organizations (like Wells Fargo) would not guarantee success but would make acceptance more likely.</p>
<h3>Overcoming Roadblocks</h3>
<p>Internal auditors experienced in culture audits have likely encountered at least some of these challenges, as well as many others. But for those just starting, or about to start, being alert to culture-related challenges can be critical to success. As daunting as auditing culture may seem, internal auditors who have the courage to meet these challenges usually find the assurance value gained is well worth the effort.</p>
<p>James Roth</p>
<h1><a href="https://iaonline.theiia.org/2019/Pages/The-Velocity-of-Risk.aspx">The Velocity of Risk</a></h1>
<p>Only a few decades ago, the onset of problematic risk events often was slow, and organizations handled the corresponding aftermath over a manageable time frame. Organizations armed with extensive public relations resources responded to most post-event crises after planning and analyzing thoughtful responses. Additionally, organizations carefully calculated their transparency with stakeholders regarding the event to manage its impact on the organization.</p>
<p>Fast forward to today, and the pace of information is almost instantaneous. For example, when a popular U.S. fast food restaurant chain experienced an outbreak of E. coli-infected lettuce, its stock price decreased 44 percent within 90 days amid intensive social media and news exposure. Recent privacy concerns directed at various social media companies caused stock valuations to drop within minutes and led to immediate calls for government investigations. Disclosure of inappropriate sales arrangements by a large U.S. financial institution caused a significant upheaval, including important personnel changes.</p>
<p>In today's environment, the timing between a catastrophic risk-driven crisis and the financial and reputational decline for an organization can be practically simultaneous. This new reality has forced senior executives and internal auditors to consider a new aspect of risk management — the velocity of risk.</p>
<p>The velocity of risk is the speed or ferocity with which events occur in today's business environment. Auditing within this "new normal" means changing, adapting, and understanding the imperative to respond to the speed of change with a strong sense of urgency. Supplemented by awareness of the velocity of risk, internal auditors can identify and address areas where organizations must take preemptive actions to reduce the possibility of a crisis caused by a catastrophic risk event.</p>
<h2>Velocity and ERM</h2>
<p>The <em>International Standards for the Professional Practice of Internal Auditing</em> frames the execution, conduct, principles, and practices that also serve as "guardrails" for the profession. The standards relevant to the velocity of risk logically connect with internal audit competencies such as demonstrating competence and due professional care; aligning with the organization's strategies, objectives, and risks; providing risk-based assurance; being insightful, proactive, and future-focused; and promoting organizational improvement.</p>
<p>Internal auditors contribute in myriad ways to enterprise risk management (ERM) goals by:</p>
<ul>
<li>Helping management manage risk.</li>
<li>Assessing and auditing risk assessment methods and approaches.</li>
<li>Creating a responsive, nimble, and agile audit plan.</li>
<li>Evaluating whether ERM programs are using the right metrics.</li>
<li>Assessing whether management is prioritizing risk appropriately.</li>
<li>Supporting and educating the board and senior management on recent advances in risk management thinking.</li>
</ul>
<p>Often, internal audit will review how the organization is addressing the chief risk officer's enterprisewide risk assessment, providing assurance about the prioritization and adequacy of response strategies. These assessments will include internal audit's perspective of all the organization's operations directed toward risk considerations. That perspective should include risk areas that potentially are detrimental to the organization, as anticipated by assessments of probability, size, and speed of impact. Internal audit should target the corresponding areas within the scope of its work program.</p>
<p>In performing these duties, internal auditors should ensure the organization's ERM program matrix highlights how velocity of risk can impact the organization. Auditors should recommend making it one of the risk program's key metrics.</p>
<p>Auditing the velocity of risk can ensure risks are more appropriately prioritized and management is able to more effectively prevent, manage, and respond to risks. Internal auditors can help management and the board measure and address catastrophic risk by understanding the specific risks that could impact the business, measuring risk in an organized and systematic way, and documenting and communicating those quantitatively and qualitatively assessed risk perspectives.</p>
<h2>Planning and Execution</h2>
<p>Internal auditors must consider the velocity of risk when prioritizing and creating their annual audit plans. The audit plan should include a risk velocity measure that reflects the magnitude and speed of reaction internally and externally should a catastrophic risk event occur. The department should adjust its perspective on risk management by recognizing and addressing velocity's influence on likely events and impacts. Internal auditors must be aware of risk's current and ongoing impacts on the business in designing and executing audits, compiling results, documenting historical trends, and communicating how management, business processes, and embedded technology are addressing risk. Moreover, auditors should assist and influence management teams to better calibrate, anticipate needs, and frame the impact of velocity on risk-event preventive actions.</p>
<p>In performing their work, internal auditors must become familiar with the phrase "auditing at the speed of risk." Post-catastrophic risk event reactions tend to be much costlier and more detrimental to an organization. Auditors should anticipate risk-related events by using continuous monitoring tools and auditing through the systems via queries, specialized exception reporting, and similar techniques. These methods, teamed with including "velocity of risk" as a parameter in risk-matrix discussions, can highlight at-risk business processes and transactions, increase coverage, and add speed. For example, internal auditors can equip themselves with tools and techniques such as trended historical transaction reviews within supply chain operations.</p>
<p>These methods — supplemented by vendor-by-vendor analytics, internal control reviews, and interviewing techniques — can lead to earlier detection of fraudulent transactions, timing discrepancies, wasteful or nonoptimal spending, and product defects. Integrating velocity of risk into internal audit's environment, along with a sense of urgency, can add to overall effectiveness, improve organizational agility and resilience, and contribute value to management.</p>
<h2>The Third Dimension of Risk</h2>
<p>The velocity of risk is pushing the internal audit profession to grow and support its own and management's awareness of risk's speed of impact by accelerating and enhancing risk-based auditing. Connectedness to business risks and strategies now is even more imperative for internal audit to maintain its relevance. To keep pace, businesses need to embrace a three-dimensional risk management approach: probability, impact size, but most importantly, velocity — that sense of timing, speed, and mean-time-to-event mentality.</p>
<p>By adding the dimension of velocity, internal audit can facilitate deep-dive assessments of certain risk areas that could become catastrophic risk events. Identifying these areas can inspire a more robust dialogue with management and the board about how to remedy potential issues. Moreover, addressing the velocity of risk can enable internal audit to help management and the board anticipate and prevent these crisis events from occurring.</p>
<p>Sridhar Ramamoorti</p>
A Matter of Privacyhttps://iaonline.theiia.org/2019/Pages/A-Matter-of-Privacy.aspxA Matter of Privacy<h2>How do regulations like GDPR address issues with protecting personal data?<br></h2><p><strong>Maali</strong> Europe’s General Data Protection Regulation [GDPR] pushes companies doing business with Europeans’ data to do three things well: give people control over their data, respond quickly to breaches, and embed privacy controls throughout their business. The law has changed the privacy function from a paper-based exercise of policies and contracts to a business-transformation program affecting every product and service that uses European data.</p><p><strong>Hrubey</strong> GDPR and regulations like the California Consumer Privacy Act, Brazil’s new General Data Protection Law, and new and revised regulations in Australia, China, and Japan  highlight the need for companies to get their data protection practices in order. Organizations tend to have common challenges relating to data protection, including difficulty maintaining a current inventory of personal data, failing to connect privacy notices and privacy consents to personal data, and keeping personal data longer than is necessary to complete the business purpose described. Companies also are challenged with maintaining the accuracy of personal data and responding timely to data subject access requests.<br></p><h2>What are the consequences of failing to comply with data privacy regulations?</h2><p><strong><img src="/2019/PublishingImages/EOB-Hrubey-Pam.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Hrubey</strong> Under GDPR, fines for a failure to comply — particularly with data subject consent-related requirements — can be up to €20 million ($22.5 million), or 4 percent of the organization’s global annual turnover, whichever is larger. 
Organizations that have a data breach-related violation can be fined up to €10 million ($11.2 million), or 2 percent of the organization’s global annual turnover, whichever is larger. Operationally, regulators also can elect to stop the flow of personal data out of the European Union (EU), unless data is going to a country deemed to have adequate data protection provisions under EU regulations — the U.S., for example, does not have that designation. Regulators also can restrict an organization’s ability to use the personal data of EU residents until remediation is made of the underlying compliance problems. And perhaps more problematic is the damage to the organization’s reputation. In a highly digitized economy, customers must be able to trust organizations with their personal data.</p><p><strong>Maali</strong> A lot has been said about the maximum fine for an egregious violation of GDPR. But GDPR also gives European citizens a private right of action to bring lawsuits against companies for privacy violations, and courts have no limit to the penalties and awards they approve. Perhaps the biggest risk is if a regulator imposes an injunction to prevent a company from continuing to process EU personal data. This could stop a product or service overnight.</p><h2>How can organizations demonstrate that they are safeguarding information?<br></h2><p><strong><img src="/2019/PublishingImages/EOB-Mike-Maali.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Maali</strong> The most visible way for companies to demonstrate a high level of data-privacy maturity is to offer employees and consumers a portal where they can view, correct, and delete their data and express opt-in and opt-out privacy consents. 
In addition, a well-documented process for assessing, monitoring, and mitigating risk can provide confidence to key stakeholders.</p><p><strong>Hrubey</strong> Regulators expect organizations to be able to defend the risk-based decisions they have made regarding implementation of GDPR’s requirements. On the customer side, organizations should be transparent about the safeguards they are using to protect personal data. Privacy notices should, using plain language, include a description of how the organization protects the personal data under its care and be updated when the organization adjusts the safeguards used. Organizations should take a similar approach to privacy consent language, and take care to not process personal data before obtaining the data subject’s consent. Organizations also should consider including information about their privacy program on their website. </p><h2>What is audit’s role in assessing privacy governance?<br></h2><p><strong>Hrubey</strong> GDPR requires organizations to periodically assess compliance against the requirements. Internal audit generally is in an excellent position to make this assessment on behalf of the organization. The key to a successful privacy audit is to understand the organization’s privacy landscape and the potential risks it faces. Mindful of those risks, internal audit can leverage existing audit methodologies and follow standard internal audit methodology to understand the organization’s performance in those potential risk areas. Privacy is ever-changing, so being agile regarding the risk landscape is the best approach to the privacy audit. Privacy team members along with their legal support colleagues are responsible for determining how regulations like GDPR apply to the organization, and then ensuring that appropriate program materials are prepared. 
Internal audit can assess whether the organization has pulled through the policies and procedures as expected.</p><p><strong>Maali</strong> Internal audit can play a range of roles helping a company accelerate its privacy journey. The first is to consider data privacy as a material risk for the organization to monitor. Internal audit also can advise management on the selection of a privacy control framework that is most applicable to the company’s industry. It can assess and report the company’s status against that framework, and make recommendations on which stakeholders in each line of defense are best positioned to own the remediation of the control gaps. Internal audit also is positioned to test these controls on an ongoing basis, including reporting progress to senior management and the board.</p><h2>What should internal audit assess regarding third-party data privacy compliance?</h2><p><strong>Maali</strong> Internal audit can help the organization reduce third-party privacy risk in several ways. First, internal audit can ensure that management has sufficient processes to identify high-risk suppliers and perform ongoing monitoring. In addition, internal audit can ensure that sufficient protections exist within third-party contracts, including right to audit provisions. Finally, internal audit can play an important role in assessing the data privacy controls for high-risk suppliers.</p><p><strong>Hrubey</strong> Under GDPR, third parties who are processing personal data on behalf of an organization are accountable for complying with the related regulatory requirements. This does not mean that the organization hiring a third party is off the hook. 
Because the hiring organization is usually operating as a controller under GDPR — the entity that determines the purposes, conditions, and means of the processing of personal data — the controller may still have liability if the instructions provided to the third party regarding processing personal data were inappropriate. Organizations should have contracts that address expectations associated with privacy and data protection. Internal audit can evaluate contract compliance.</p><h2>What controls are most needed to ensure the organization complies with data privacy regulations?</h2><p><strong>Hrubey</strong> The answer depends, at least in part, on the organization’s work, its industry, and the specific personal data it processes. Generally, organizations need data privacy-related controls, including an individual responsible for determining what regulations apply and what the organization must do to comply; risk assessment processes that can pinpoint privacy and data protection-related risks; clear policies and procedures for employees to follow; periodic training; and investigations into noncompliance that identify associated root causes. Strong information security-related processes should include, for example, access controls by role and, where appropriate, by individual; encryption of electronic equipment, including laptops and mobile devices; physical security; and logical security.</p><p><strong>Maali</strong> The most difficult, but foundational and important privacy control, is to maintain a current inventory of all personal data, both within the organization and among relevant third parties. All lines of defense will have a role in meeting that objective. With a sustainable and accurate data inventory, companies can deploy other controls around information security and data-subject rights.</p>Staff
A Board's Eye View of Digital Disruption (https://iaonline.theiia.org/2019/Pages/A-Boards-Eye-View-of-Digital-Disruption.aspx)<p>At the end of every year, North Carolina State University and Protiviti publish a survey report on the enterprise risks occupying the minds of board directors and corporate executives for the following year. The Executive Perspectives on Top Risks report is always worth reading, and the 2019 edition does not disappoint.</p><p>What’s topping the charts for this year’s risks? Fear that the organization’s existing operations and technology won’t match performance expectations, especially against “born digital” competitors. That’s no surprise. Taxis vs. Uber, hotels vs. Airbnb, broker dealers vs. robo-advisors — even the record industry vs. iTunes, a bit further back in history. Fear of more nimble, next-generation competitors, while your own organization is too hide-bound to get out of its own way, is not new. </p><p>So how should boards approach digital transformation? “It’s something we talk about all the time,” says Tom Richlovsky, audit committee chair of United Community Banks (UCB), a regional bank based in Georgia. A generation ago, UCB would never find itself squeezed by fintech startups or global banks courting everyone with a mobile phone. Today, UCB does. As Richlovsky says: “We have a front-row seat to how digital disruption operates.” </p><h2>The Strategic Threat</h2><p>First, let’s appreciate what happens with digital disruption. Born-digital firms can be so disruptive because they build business models for existing problems with dramatically less commitment to physical assets. That’s the economics of it. </p><p>What happens operationally is a bit more nuanced. Digital firms can be more nimble because they are less bound to specific ways of doing things. 
Code is code, after all; if you don’t like how it works, you can change it.</p><p>So digital firms are less committed to physical assets, and they can pick off specific problems in a business, introducing whatever new solution they want. That’s how they disrupt the business models of established companies. They provide new choices to customers, who often depart the organization’s model for the upstart’s. </p><p>A big part of success at digital transformation, then, involves close observation of the organization’s customers, plus a big dollop of imagination about what new relationships the organization can forge with them. “You have to understand what’s happening with your customers so that you can get a step ahead of them, and get them to adopt technologies and become a better customer who stays with you,” says Glenn Gow, a former board director at data analytics firm acuteIQ, who now advises boards on digital strategy. </p><p>Gow uses the example of ordering pizza. In the last decade, consumers have moved from placing orders by phone to placing them by app. Online ordering eases the transaction for the customer and generates more customer data for the pizza company — a great example, Gow says, of digital disruption benefitting all parties involved.</p><p>Too many boards fear the threats of digital disruption more than they embrace its opportunities. The truth is digital disruption will drive both threats and opportunities. “The ways in which disruption can occur are multiplying,” Richlovsky says, so the board needs to educate itself on all those ways. 
</p><h2>Governance of Digital Disruption</h2><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>Top Risks for 2019</strong></p><ol><li>Existing operations meeting performance expectations, competing against “born-digital” firms.</li><li>Succession challenges and ability to attract and retain top talent.</li><li>Regulatory changes and regulatory scrutiny.</li><li>Cyber threats.</li><li>Resistance to change operations.</li><li>Rapid speed of disruptive innovations and new technologies.</li><li>Privacy/identity management and information security.</li><li>Inability to use analytics and big data.</li><li>Organization’s culture may not sufficiently encourage timely identification and escalation of risk issues.</li><li>Sustaining customer loyalty and retention.</li></ol><p><em>Source: Executive Perspectives on Top Risks 2019, Protiviti and North Carolina State University Poole College of Management’s ERM Initiative</em></p></td></tr></tbody></table><p>In theory, if the board wants to gain more knowledge about the risks a certain issue might pose, step 1 is to ask the internal audit function. Digital disruption, however, poses so many strategic questions that it doesn’t lend itself to such straightforward analysis. 
It’s an open question whether most audit functions could understand and assess the challenges at hand.</p><p>“The concept is a good idea,” says Alan Siegfried, who is on a bank’s audit committee now and has served on the audit committees of UNICEF and Bon Secours Health System, “but realistically, probably 90 percent of the audit functions out there don’t have the qualifications or skill sets to do that well.” </p><p>Boards can take a few steps to improve that picture. First, they can identify strategic priorities for digital transformation more clearly, so the business units can determine which operations and business processes should be digitally transformed, and how. For example, should the business focus more on the “offense” of developing new products or services, or the “defense” of developing improvements to existing ones? Should it cut fixed costs by moving to cloud-based services, even if that drives up security, privacy, and litigation risks? </p><p>Gow suggests that boards work closely with the CEO and the chief information officer (CIO) on those points. After all, if success at digital disruption depends on astute data analytics and bold imagination on how to serve the customer in new ways — the CIO handles the former, the CEO the latter. </p><p>Then the board and management can develop a technology strategy that supports digital transformation, including the critical step of what new controls will be necessary to implement the strategy. For example, moving business processes to the cloud and taking advantage of mobile devices, so the organization can launch an international sales force with more in-the-field agents, is a reasonable digital transformation goal. </p><p>The technology strategy, however, will raise questions such as: How can the company harness all its operational data, if the data is stored within different apps? How does the company secure its data on employees’ personal devices? 
At that point, internal audit or compliance functions can return to the conversation, because the digital transformation goal is already laid out. The questions are more about risk management to ensure the transformation doesn’t go awry.</p><h2>Oversight of Digital Transformation</h2><p>So, which board committee should have digital transformation as part of its remit? A strong argument exists that no specific committee should own it. The only logical candidates would be the audit committee or a risk committee, and they are, to use Richlovsky’s phrase, “reactive committees.” That is, they seek to ensure that safeguards are in place for whatever strategies the organization pursues. How an organization moves into the digital world, however, is a strategic choice unto itself. Thus, the whole board should be responsible for infusing digital awareness into every organizational strategy and objective. </p><p>“When it’s a strategic journey the company is going through, it needs to be a full board topic,” says Eric Allegakoen, head of internal audit at Adobe and chair of The IIA’s Audit Committee. “Once the strategy becomes clear in how it’s getting executed, there would be responsibilities at the audit committee or risk committee level to monitor progress.”</p><p>Indeed. And if the risks listed by Protiviti, above, are any indicator, digital transformation will likely permeate boardroom conversations for some time.</p>Matt Kelly
Editor's Note: GDPR Is Just the Beginning (https://iaonline.theiia.org/2019/Pages/GDPR-Is-Just-the-Beginning.aspx)<p>It is no surprise that cybersecurity and data protection remain top worries among chief audit executives (CAEs) responding to this year’s IIA North American Pulse of Internal Audit report. Seventy percent are highly concerned about the potential for reputational harm stemming from an inappropriate disclosure of private data. What is surprising is that CAEs are far less concerned about compliance with new data protection rules. Nearly 50 percent of respondents say their organizations have minimal or no concern. </p><p>Almost a year after the European Union’s General Data Protection Regulation (GDPR) went into effect, organizations are feeling “<a href="/2019/Pages/GDPRs-Global-Reach.aspx">GDPR’s Global Reach</a>.” And, it’s just the beginning. China has introduced regulations on cybersecurity, data protection, and cross-border data transfer that are reflective of GDPR. Brazil has a new General Data Protection Law that will go into effect in early 2020, and new and revised regulations are coming out of Australia and Japan, among many others. And, in the U.S., the California Consumer Privacy Act will take effect next year. </p><p>“Compliance requirements like GDPR are forcing changes in the way data is handled in many organizations,” Jan Hertzberg, a privacy consultant, tells author Arthur Piper. “For CAEs, it is not just about data privacy, but data integrity throughout the business.”</p><p>The many new data privacy regulations “highlight the need for organizations to get their data protection practices in order,” says Pam Hrubey of Crowe in this issue’s “<a href="/2019/Pages/A-Matter-of-Privacy.aspx">Eye on Business</a>.” Hrubey says organizations tend to have common challenges relating to data protection. 
She and Mike Maali of PwC consider those challenges and how organizations can safeguard information, as well as internal audit’s role in privacy governance. </p><p>In the Pulse report, concern about GDPR compliance escalates in line with the size of the respondent’s organization. In organizations with more than 50,000 employees, 62 percent rated compliance as a high concern compared to 29 percent who rated it that way overall. This suggests that larger organizations are more likely to have international operations. However, for others with international operations, there also could be some misunderstanding of when these new rules apply, as they are based not on the location of the organization, but on the location of the customer whose data is being gathered. To read the full 2019 Pulse report, visit <a href="http://bit.ly/pulse2019" rel="nofollow">http://bit.ly/pulse2019</a>.</p><p>On another note, it’s time once again to recognize high achievers in the profession. Nominations for <em>Internal Auditor</em>’s 2019 Emerging Leaders are now open. See the opposite page to learn how to nominate. Tell us who are the best and brightest in your internal audit functions and look for the article featuring this year’s leaders in October.</p>Anne Millage
GDPR's Global Reach (https://iaonline.theiia.org/2019/Pages/GDPRs-Global-Reach.aspx)<p>If U.S. businesses believed the broad waters of the Atlantic would save them from the European Union’s new General Data Protection Regulation (GDPR), that illusion was dispelled on Jan. 21. That was the day on which the French privacy regulator Commission Nationale de l’informatique et des Libertés (CNIL) fined Google about €50 million ($57 million) “for lack of transparency, inadequate information, and lack of valid consent regarding the [sic] ads personalization.”</p><p>NOYB–European Center for Digital Rights and La Quadrature du Net — two privacy activist groups — brought the case almost as soon as GDPR came into effect on May 25, 2018. They claimed that users could not give specific consent for Google to process private data because its terms and conditions were too ambiguous.</p><p>The regulator agreed. In the first big case to be decided under the new regulations, CNIL ruled that Google had breached the requirement for transparency. If customers wanted to find out how their data was used — especially for the business’ geo-tracking service — they would have to click through five or six different pages on the company’s site. Even then, some of that information was “not always clear nor comprehensive.” In addition, CNIL said that because the company used the data for an array of services, Google’s legal basis for processing it for each individual service was too opaque to the customer.</p><p>The regulator also found fault with Google’s consent procedures for targeting customers with personalized ads. It complained that users had to go into the “more options” menu to modify how their data would be used — the consent box there was already pre-ticked. 
More importantly, CNIL noted that in creating an account, the user was effectively agreeing to a range of data processing by the company — involving ads personalization, speech recognition, and more — which were all covered by a single agreement. “GDPR provides that the consent is ‘specific’ only if it is given distinctly for each purpose,” CNIL concluded. </p><h2>GDPR Is Just the Start</h2><p>While Google has appealed the case to France’s top administrative body, the Council of State, CNIL’s train of logic provides an indication of how regulators are interpreting key aspects of GDPR for organizations based anywhere in the world and how they are applying fines. More than that, GDPR is likely to change the way organizations handle private data globally. No wonder internal auditors who felt they had crossed the finish line when GDPR went live are realizing they have just begun the race.</p><p>“Many U.S.-based organizations wish that they would have started their GDPR compliance efforts earlier,” says Jan Hertzberg, independent privacy consultant and adjunct professor at DePaul University in Chicago. Last year, many of them focused on updating their privacy policies and notices just before GDPR requirements went into effect. In the year to come, they plan to prioritize enterprisewide, GDPR risk assessments “to identify their greatest risks” and perform GDPR governance audits, he notes. </p><p>This new focus on data privacy is timely because GDPR’s underlying philosophy is finding its way into new regulations around the world: Customers have to specifically opt into services, their consent over data processing has to be explicit, they have a right to know what data organizations hold and how they use it, and organizations must have rapid response processes to notify regulators and customers of serious data breaches. 
In the EU, for instance, the provisions of GDPR will be extended to electronic communications by a new e-Privacy Regulation, which is expected to come into effect later this year. These rules will govern how organizations can send out unsolicited marketing emails and text messages, will enable web users to set their cookie preferences on their browsers, and will stiffen up confidentiality rules for internet businesses. </p><p>Further afield, China last year introduced a slew of regulations on cybersecurity, data protection, and cross-border data transfer with distinctive GDPR-type features. And in the U.S., the California Consumer Privacy Act of 2018, which takes effect in 2020, features opt-out clauses, transparency rules, and rights for customers to be forgotten similar to those contained in GDPR.</p><p>Internal auditors are working to better understand the regulators’ approach in balancing advice and punishment. And some are busy building networks within and outside of their organizations to help them understand the rules and what they mean to their enterprises. And while increasing their IT competencies is likely to be important, getting to grips with strategic issues is key.</p><h2>Regulators’ Approach</h2><p>GDPR applies to all businesses that hold the personal data of citizens of the EU, making businesses outside of Europe potentially subject to European rules. In this year’s Google case, CNIL made an important distinction that is likely to carry weight for complaints involving U.S. companies and others based outside of Europe. Despite the fact that Google’s European headquarters are in Dublin, Ireland, CNIL brought the case against the U.S. parent Google LLC. It ruled that because the U.S. office had the final say on how data collected through its Android app was used, the U.S. parent was legally responsible for complying with GDPR. Any fine is calculated, therefore, on the parent company’s turnover. 
In 2017, Google LLC had turnover of $110 billion, so the company could have been fined $4.4 billion, rather than the $57 million imposed by CNIL.</p><p>The U.K. regulator, the Information Commissioner’s Office (ICO), says fines do not represent the biggest threat to organizations from GDPR. It says the idea that there will be massive fines is “myth No. 1” when it comes to understanding how regulators are implementing and interpreting their new powers. “In terms of powers and sanctions, the ICO aims to educate and support organizations in fulfilling their responsibilities in relation to data protection,” says Debora Biasutti, lead communications officer for the ICO. “Issuing fines has always been, and will continue to be, a last resort.”</p><p>At the time of publication, the U.K. could potentially leave the EU without a formal set of agreements to govern how data on citizens is used between the two territories. If that happens, the U.K. will be covered by the 2018 Data Protection Act, which enshrines most of the provisions of GDPR into U.K. law.</p><p>Early indications are that regulators are working with businesses to help them comply but are prepared to fine them “proportionately” for perceived noncompliance. How regulators are seeking to help organizations can be seen by a series of cases involving much smaller businesses than Google. </p><p>In December 2018, for example, CNIL closed a GDPR consent case with a small French ad tech firm called Fidzup. According to the online magazine <em>TechCrunch</em>, Fidzup worked with CNIL to create a longer consent form so that customers could opt into, or out of, every service it offered individually, which echoes CNIL’s approach to Google. </p><p>“Now, okay, we have something between the initial asking for the CNIL — which was like a big book — and our consent collection before the warning, which was too short with not the right information,” Fidzup CEO Oliver Magnan-Saurin told <em>TechCrunch</em>. 
The amended consent form is still a long read, he concedes. The company also had to alter the way its technology worked so that, for example, the app and its geolocation features worked even if the data did not go to advertisers when the user opted out. </p><h2>Slow Burn</h2><p>It is not clear whether internal auditors have fully grasped the extra-territorial reach of GDPR, according to recent IIA research. The 2019 North American Pulse of Internal Audit found that while 70 percent of chief audit executives (CAEs) surveyed were highly concerned about suffering reputational damage from privacy issues, only 29 percent expressed high concern about compliance with GDPR — although that concern grew to 62 percent among large organizations. “This could reflect some misunderstanding of how and when these new data protection and privacy rules apply,” the report says. The fact that the rules are not based on the location of the organization, but on the location of the customer whose data is being gathered, could have led some CAEs to believe their businesses are not affected, the report suggests.</p><p>Hertzberg says organizations’ apparent slowness to respond to GDPR requirements may be attributed in part to a lack of knowledge of GDPR requirements along with lack of clarity as to how to comply. He is somewhat critical of what he sees as the shortage of attention the EU has paid to educating businesses outside Europe. “Since this is so obviously a worldwide phenomenon, European regulators would do well to consider the foreign players more,” he says.</p><p>“Lack of awareness of GDPR requirements is a critical issue for organizations’ management, staff, and board,” Hertzberg adds. Internal auditors and compliance professionals often struggle to get those stakeholders to pay attention to what seems to be a European issue. 
“Now that the newness of GDPR has worn off, there is a concern that these requirements will get even less attention in the future,” he explains.</p><p>Hertzberg notes that some internal audit management — for example, CAEs and directors of internal audit — may be reluctant to hire cybersecurity and privacy specialists for their departments. Instead, they have chosen to collaborate with their own general counsels, chief information security officers, and chief privacy officers to help them come to grips with what the regulations mean in practice. They also have enlisted assistance from third-party consultants. </p><p>Overall, CAEs have put focus on cybersecurity and privacy awareness so those with operational responsibilities clearly understand that they must “own” the data they collect and use. In doing so, they will better understand the need for and the issues around the retention and protection of personal data. More problematically, he says, businesses have been less clear about which named person is ultimately responsible for the data that the organization owns.</p><p>“Compliance requirements, like GDPR, are forcing changes in the way that data is handled in many organizations,” Hertzberg says. “For CAEs, it is not just about data privacy, but data integrity throughout the business. That will mean internal auditors pay more attention than ever to data and become more data-centric in their approach to providing assurance.”</p><h2>Business Issues</h2><p>Dominique Vincenti, CAE at Uber and former vice president of internal audit at Seattle-based Nordstrom, says the initial risk for the department store business compared to larger online retailers was thought to be minimal because the proportion of shoppers based in Europe that use its online services is relatively small. “We used the opportunity to energize management around the topic because we felt that if it is not specifically GDPR, it is going to be something else that is GDPR-like,” she says. 
</p><p>Sure enough, a few months after GDPR took effect, California passed its own consumer protection laws. Vincenti says she would not be surprised if similar federal laws were in the pipeline. “California is significant to all U.S. businesses,” she explains. “If you are going to comply with its GDPR-like provisions, you are not just going to adapt your systems to only do so for your customers in California because it would be too difficult to segregate your customers. You just go with the highest common denominator.”</p><p>Vincenti says she expects most internal auditors will be ahead of the game when it comes to understanding the significance of such regulations. First, most will understand that the majority of organizations have poor data governance processes in place, so GDPR provides an opportunity to start addressing how businesses manage and govern data effectively. Second, those data governance weaknesses make GDPR a business issue, rather than a technology issue. “Internal audit needs to help the business understand whether it is leveraging and protecting this crucial asset as well as it should,” she says.</p><h2>Models and Strategy</h2><p>As GDPR-style regulations become more prevalent, businesses may need to rethink their strategic plans, says James Reinhard, audit director at Simon Property Group in Greenwood, Ind. For example, instead of modeling an online initiative to contain data in a centralized server, a company may need to devise a more dispersed, decentralized model where it retains data in various countries because some of its target jurisdictions may prohibit cross-border data transfers. This, in turn, could affect the cost, reach, and viability of such projects.</p><p>“If internal audit has a good seat at the table, it can be a sounding board for both executive management and the audit committee, and it can assess how well the changing environment is being monitored by management,” he says. 
“If such alignment with management is not there, this is going to be an increasing problem for internal audit.”</p><p>Reinhard says CAEs may strengthen their IT competencies to enable them to conduct more sophisticated data privacy reviews, tracking and protecting such data as it flows through increasingly digitalized businesses.</p><p>“Internal audit will need to rely on the company’s legal counsel to provide guidance on interpreting what is the use of a specific set of data and the manner in which it must be secured,” Reinhard says. “Naturally, if the company’s legal interpretation is incorrect, then internal audit’s opinion on attesting to compliance could be incorrect, too.” Expanding internal audit’s professional network can enable it to benchmark and find ideas that can be brought back into the organization, he adds.</p><h2>Finding Meaning</h2><p>Regardless of where they are based, many businesses are struggling to understand what GDPR means in practice, says James Castro-Edwards, a partner at the London law firm Wedlake Bell. “We’ve heard of organizations issuing hundreds of pages of information in response to subject access requests when that is not what the law required them to do,” he explains. There is a similar trend in reporting minor data breaches where the affected information is either low risk — people’s names and addresses — or where it has been suitably encrypted and protected. </p><p>“Internal auditors are going to have to focus a lot more sharply on data protection compliance,” Castro-Edwards says. That could include providing assurance on the business’ understanding of materiality so that management is not wasting time over-reporting. The ICO has commented on the widespread over-reporting of personal data breaches since GDPR took effect. 
Many incidents have been reported on a cautionary basis, while the mandatory obligation to maintain a record of incidents — including an explanation of any decisions not to report incidents — may have been overlooked.</p><p>Castro-Edwards says regulatory enforcement action will gradually help businesses understand GDPR better. But fresh legal risks are still emerging. </p><p>Last year, the U.K. supermarket Morrisons found itself on the end of group litigation — or class action as it is known in the U.S. — brought on behalf of just over 5,500 employees. The plaintiffs were among 100,000 Morrisons workers whose personal details were released on the internet by a disgruntled former employee. In what could be the first of many such cases, a U.K. lawyer brought the action following a relatively recent development in the common law that established the principle that people affected by a personal data breach may be able to claim compensation for pure distress. </p><p>“It is early days, but this could become as big a risk for businesses as ICO enforcement activity, because of the number of individuals typically affected by a high-profile data breach,” Castro-Edwards says. “Each affected individual need only claim a small sum for distress for the potential damages to mount up to a significant sum.” </p><p>That could mean that a U.S. company holding data relating to U.K. customers could find itself caught up in a class action. “The fact of the matter is that the ICO and other regulators have limited resources,” he says, “but any lawyer with the time and energy could bring this type of claim on behalf of a large number of individuals following a personal data breach.”</p><p>Perhaps the key lesson of GDPR for internal auditors is that the new regulations not only changed the rules on data privacy and processing, they changed the game. It is a game where the winners will have good data governance and pay close attention to how the rules are developing globally. 
Internal auditors who have strong networks across the business and beyond will be able to support the board on how GDPR may impact both operations and strategy. They will, in short, be a key player on the team.</p>Arthur Piper
Banks and Bitcoinhttps://iaonline.theiia.org/2019/Pages/Banks-and-Bitcoin.aspxBanks and Bitcoin <p><span lang="EN-GB">Some 10 years ago Bitcoin became the world’s first cryptocurrency, but mass adoption of it and other digital currencies has been hampered by price volatility and a general reluctance by investors, financial institutions, and regulators to get behind the technology. Barriers include lack of understanding about how the cryptocurrency works, as well as a trading process that can be opaque and subject to abuse — namely through hacking, market manipulation, and potential fraud.</span></p><p><span lang="EN-GB">That may be changing, however. In February JPMorgan Chase launched “JPM Coin,” the first cryptocurrency created by a major U.S. bank. It will be used to settle payments between clients, and the lender will then work to transfer cross-border payments or corporate debt issuance services to the blockchain. The technology will facilitate near-instantaneous settlement of these money transfers and will, according to the bank, mitigate counterparty risk.</span></p><p><span lang="EN-GB">The move represents a dramatic change of attitude: Just a few years ago JPMorgan CEO Jamie Dimon called bitcoin a “fraud” and even threatened to fire employees who traded in it. Other banks, including HSBC, State Street, Credit Suisse, and Barclays, have either used blockchain and cryptocurrencies (albeit tentatively) or are planning to do so. </span></p><p><span lang="EN-GB">Yet within a month of JPMorgan’s announcement, the Basel Committee on Banking Supervision, comprising the governors of 10 key central banks, released a warning about cryptocurrencies. 
In a statement it said that “while the crypto-asset market remains small relative to that of the global financial system … the continued growth of crypto-asset trading platforms and new financial products related to crypto-assets has the potential to raise financial stability concerns and increase risks faced by banks.”</span></p><p><span lang="EN-GB">The committee said that crypto-assets “do not reliably provide the standard functions of money and are unsafe to rely on as a medium of exchange or store of value,” adding that crypto-assets are not legal tender and are not backed by any government or public authority. Furthermore, the Basel Committee cited crypto-assets’ history of volatility and lack of standardization and pointed to numerous risks they present to banks, including liquidity risk, credit risk, market risk, operational risk, money laundering and terrorist financing risk, and legal and reputation risks. </span></p><p><span lang="EN-GB">Nonetheless, the committee accepts that banks may still want to participate in the crypto market. As such, if a bank decides to acquire crypto-asset exposures or provide related services, it should adopt certain measures as a minimum — and internal auditors may want to take note.</span></p><h2><span lang="EN-GB">Crypto-risks</span></h2><p><span lang="EN-GB">First, adequate due diligence is a must, the committee says. A bank “should ensure that it has the relevant and requisite technical expertise to adequately assess the risks stemming from crypto-assets.”</span></p><p><span lang="EN-GB">Second, a bank’s risk management framework for crypto-assets should be fully integrated into the overall risk management processes, including those related to anti-money laundering, combating the financing of terrorism and the evasion of sanctions, and heightened fraud monitoring. Furthermore, boards and senior management should be provided with timely and relevant information related to the bank’s crypto-asset risk profile. 
</span></p><p><span lang="EN-GB">Third, a bank should publicly disclose any material crypto-asset exposures or related services as part of its regular financial disclosures. It should also specify the accounting treatment for such exposures, consistent with domestic laws and regulations.</span></p><p><span lang="EN-GB">Finally, the bank should inform its supervisory authority of actual and planned crypto-asset exposure or activity in a timely manner. Moreover, it should provide assurance that it has fully assessed the permissibility of the activity and the risks associated with the intended exposures and services, and explain how it has mitigated these risks.</span></p><p><span lang="EN-GB">Daniel Wolfe, managing director at specialized research and investment group Simoleon Long-Term Value in London, says there are four key areas of risk that internal auditors should be aware of. The first is secure storage. “Crypto assets are secured by a private access key, but it is important that this key — essentially, a long list of letters and numbers — is kept safe, and that it is not just known to one person and held on one laptop.”</span></p><p><span lang="EN-GB">In February QuadrigaCX gained worldwide media attention due to the unique circumstances surrounding its failure. After the death of its CEO Gerald Cotten, the collapsed exchange no longer had access to his laptop, which contained the keys for over US$100 million worth of customers’ funds. And while the company’s external auditor has since cracked the code, it found the funds had been transferred out of customers’ crypto wallets in April 2018. The company’s directors are still in the process of trying to pay off creditors, and many have accused QuadrigaCX of suspicious activity or at least extreme negligence. “It is safer to separate the assets across several private keys so that if a hack does occur or if a laptop goes missing, not all of the cryptocurrencies will be stolen or lost,” says Wolfe. 
</span></p><p><span lang="EN-GB">Another key risk that internal auditors need to be aware of, Wolfe says, is the poor governance and lack of adequate controls around cryptocurrency exchanges. “The people behind the technology are more intent on making the trading a possibility rather than focusing on whether the exchange meets the same regulatory standards and levels of assurance as you’d find in a normal exchange,” he explains. “Some don’t even have basic ‘know your customer’ controls, for example, raising concerns about money-laundering. As such, the levels of governance, monitoring, and internal control are much poorer in a lot of crypto-currency exchanges.” </span></p><p><span lang="EN-GB">Wolfe also warns that internal auditors should pay close attention to how crypto-assets are handled on the balance sheet. He points to the lack of standardization on cryptocurrency profit and loss treatment as a potential area of concern when reporting organizational value for tax purposes, particularly in light of current volatility.</span></p><p><span lang="EN-GB">Indeed, the volatility around cryptocurrencies is a major risk in itself, Wolfe says. During the space of a year, the total worth of the cryptocurrency market fell to $139.7 billion by December last year — a drop of more than 80 percent compared to an $819 billion market cap in January 2018. “Cryptocurrencies will remain volatile for some years yet, so banks need to question how much of these types of assets they want to hold and for how long,” Wolfe says. “Catastrophic losses may seem a remote possibility, but they remain a possibility nonetheless. 
For example, if Bitcoin was hacked, confidence in the cryptocurrency could collapse overnight.”</span></p><h2><span lang="EN-GB">Lack of Harmony</span></h2><p><span lang="EN-GB">Jay Gomez, senior associate in the financial services team at Gibraltar-based law firm Triay & Triay, says that internal auditors need to be aware that there is no agreed international standard regarding cryptocurrency regulation, oversight, or risk. “Some jurisdictions take a very tough line on cryptocurrencies, such as the U.S., while others might be more pragmatic,” he says. “Regulatory approaches and views differ from one market to the next, so this may impact how banks might want to provide cryptocurrency services in those jurisdictions.” </span></p><p><span lang="EN-GB">Gomez also warns that the technology and the development of the cryptocurrency market are outpacing the development of effective regulation. Regulators struggle to keep up with rapid changes, he notes, potentially resulting in cryptocurrency risks that either might not be identified or may be underestimated and not controlled adequately by regulators or industry participants. As a result, Gomez suggests that “banks that want to dip their toes into the cryptocurrency market should keep an open dialogue with regulators about what the banks are doing, and how the regulator may react to developments.” </span></p>Neil Hodge
It's All About Trusthttps://iaonline.theiia.org/2019/Pages/Its-All-About-Trust.aspxIt's All About Trust<p>​Audit committees and chief audit executives (CAEs) talk constantly about how to foster more engagement with each other, and rightly so. Their relationship is one of the most important for an organization to get right, if it wants effective corporate governance. </p><p>A good place to begin, then, is to consider the origin of the word <em>engagement</em>. It descends from the French verb <em>engager</em>. Today that word means “to hire” or “to employ” — but 400 years ago, when <em>engagement</em> first crept into the English language, <em>engager</em> actually meant “to pledge.”</p><p>That’s a useful point to remember when contemplating how to improve the relationship between audit committee and audit executive. It’s about pledging to be there for each other: I will help you, and you will help me, <em>and we both know that</em>. In other words, it’s about trust. Audit committees and audit executives have to trust that the other is thoughtful, competent, and looking out for the best interests of the organization. </p><p>That’s all the more true today in an immensely complex modern business world. Audit committees have a fiduciary (and for publicly traded companies, statutory) responsibility to oversee risk management at their organizations. Audit executives are watching their profession transform from an older era of financial statement audits to a newer one of monitoring risk and working with other parts of the organization to manage risk (see <a href="/2019/Pages/The-Audit-Committee-Connection.aspx">“The Audit Committee Connection”</a>).</p><p>In other words, both parties now have more to do, and more to worry about. That’s why cultivating a strong working relationship is important. That’s why <em>fostering trust</em> is important. 
Each needs the other to succeed.</p><p>“It’s a whole new world,” says Theresa Grafenstine, a managing partner at Deloitte, audit committee chair of the Pentagon Federal Credit Union, former audit committee chair of ISACA, and former inspector general of the U.S. House of Representatives. “We need to see this as a partnership.” </p><h2>Trust Begins With Communication</h2> <p>For starters, audit committees and audit executives can simply talk more often. There should be executive sessions at the end of audit committee meetings without management present. The audit committee chair should schedule informal chats with the CAE between formal meetings, even without anything specific in mind. Talk.</p><p>Marty Coyne, audit committee chair at Ocugen and a past audit committee member at numerous other technology companies, swears by both practices. “It’s almost mandatory in my mind,” he says. “If the audit committee isn’t doing that, shame on them.” (In the most recent North American Pulse of Internal Audit survey, nearly one-third of audit executives say they do <em>not</em> meet in private session with the audit committee.) </p><p>What questions should audit committees put to CAEs in those sessions? Unless some specific issue demands attention, they should pose open-ended questions without any right or wrong answers. What’s been happening in the last quarter? Are there any challenges where they can help? Coyne’s go-to question in such meetings: “What <em>didn’t</em> you say?” </p><p>Those questions give the CAE a chance to speak his or her mind, and to lead the discussion where the CAE believes it should go. “It’s so you can draw that person out,” says Brenda Gaines, audit committee chair for Tenet Healthcare. That, in turn, can foster the CAE’s trust in the audit committee.</p><p>Audit committee chairs should take the extra step of regular communication with the audit executive beyond the standard audit committee meetings. 
Gaines schedules a monthly phone call; Coyne has met CAEs for coffee. However the chair does it, that casual, unstructured line of communication can be invaluable.</p><p>“It would help me frame out the agenda for the audit committee meeting,” Coyne says. After all, audit committees have plenty of risks they can discuss in a formal meeting, and time is limited. So Coyne would chat with the audit executive to pinpoint which risks (aside from any standard matters about financials, investigations, and so forth) truly warranted the audit committee’s attention. </p><p>“There’s always room for a topic,” Coyne says, “and I want to make sure that the topic we talk about, beyond the normal topics, is germane and important, and going to move the needle.”</p><h2>Trust Endures Difficulty </h2><p>All that communication and trust spadework can pay off in several ways. First, the very act of creating an open culture among senior executives and the audit committee reduces the chance that difficult matters will arise where the audit committee needs to “take sides” in an impasse between internal audit and management. Second, when those impasses <em>do</em> arise (spoiler alert: sooner or later, they will), the audit committee can resolve them with the least amount of acrimony. </p><p>That also means the audit committee needs a healthy relationship with management, and needs to ensure management and the CAE have a healthy, respectful relationship, too. Grafenstine calls it the “triangle of success” — each side having equal power, where they each understand the other’s roles and responsibilities.</p><p>Coyne’s approach is, whenever possible, to bring all sides together in open communication at a committee meeting. After all, the CAE may be disappointed with the pace of improvement in a business process, but management might have a good reason for the delay: product launches, sudden departure of key personnel, or some other operational issue. 
</p><p>The audit committee’s job is to ensure such differences of opinion are aired openly and respectfully. The best way to do that is to foster trust long before that conversation happens. </p><p>“What you don’t want is all sorts of back-door conversations going on,” Coyne says, like the CEO and CAE speaking to the audit committee members separately, but not to each other. “That’s a disaster when that happens.” </p><h2>An Environment of Trust</h2><p>That need for collegial relations with management raises another point. From today into the future, success as a CAE will be more about exercising leadership and working with other parts of the organization to manage risk, rather than technical mastery of audit techniques. </p><p>Good audit executives “are not only a valuable resource to help the audit committee discharge its duties,” Gaines says. “They provide management with valuable insight as well on whether risk mitigation is effective.” </p><p>Those risk issues can range from IT controls for cybersecurity, to successful integration of an acquisition, to the rapidly rising concern of “culture risk.” Business processes might need improvement. Data analytics might provide valuable insights that someone needs to translate into updated controls and practices. </p><p>A good audit executive can do all of that, even while balancing the need for independent analysis of risk issues — <em>if</em> the audit committee fosters an environment of trust and open dialogue, and assures that the CAE has the resources he or she needs (financial, technological, personnel) to do the job. </p><p>It’s a lot to ask of the audit committee and CAE alike. One might almost say the French had it right 400 years ago: Engagement really is about pledging yourselves to each other.</p>Matt Kelly
GAM 2019: Risk and the Regulatorhttps://iaonline.theiia.org/2019/Pages/GAM-2019-Risk-and-the-Regulator.aspxGAM 2019: Risk and the Regulator<p>​In the second general session of the day, IIA President and CEO Richard Chambers spoke with Commissioner Hester M. Peirce of the U.S. Securities and Exchange Commission (SEC). Some takeaways from this session:</p><ul><li>Peirce, who was sworn in a little over a year ago, talked about changes at the SEC. She noted that internal auditors provide a vital service and "only as a last resort should we turn to regulation." </li><li>Chambers noted that the SEC recently created a chief risk officer (CRO) role. Peirce said the SEC is a very attractive target for a lot of risks. "[The CRO] comes at a time when we're trying to think through the risks our organization faces," she explained. "The goal is to think through those things before they become an issue."</li><li>Peirce said the SEC is very personnel focused, "but sometimes we need to think if there are ways we can bring technology in to make our personnel more effective." </li></ul><p style="text-align:left;">Chambers asked Peirce what the most serious risks to investor confidence in capital markets are. Peirce shared: </p><ul><li>Brexit. There is so much uncertainty about rules that are going to govern Brexit, she said, and the financial industry is such a global industry. </li><li>Cyber. The risk is that financial institutions do not do a good job of protecting themselves.</li><li>Regulating the capital markets: The SEC needs to modernize. "We tend to be very paper-based at the SEC. It's a risk. We need to be much more willing to let firms experiment with technology." 
</li></ul><p style="text-align:left;">The SEC's strategic focus moving forward?</p><ul><li>Focusing on retail investors — cases that deal with smaller issues but can wipe away someone's retirement savings.</li><li>Communicating with retail investors in a way they can understand. Giving them information the way that they need it. "What can we do to make our market more attractive to companies — to make them want to go public," she asks.</li><li>Innovation. "We're an old agency," she said. "How can we modernize our rules?"</li><li>Performance (elevating SEC analytical capabilities). The SEC has invested in technology that allows it to look at the market and see what activity is going on.</li></ul>Anne Millage