Risk and Compliance



In Any Kind of Weather (https://iaonline.theiia.org/2018/Pages/In-Any-Kind-of-Weather.aspx)<p>The world has changed radically since 2004, the year the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its original, principles-based <em>Enterprise Risk Management (ERM)–Integrated Framework</em>. Since then there have been tremendous technology advances, the continued development of a truly globalized economic system, and lingering impacts from the devastating recession that sprang from the banking and financial crises of 2007. </p><p>In parallel, risk management and internal audit practices have evolved as both professions have become more globalized and better regarded within organizations. Risk guidance has improved. COSO significantly revised its ERM framework in 2017, introducing important new features that can be of great help to organizations, risk managers, and internal auditors. In addition to COSO, the International Organization for Standardization published guidance in 2009 (ISO 31000:2009) and revised it this year (ISO 31000:2018). </p><p>One year after COSO issued its updated framework, many internal audit functions are working to apply it to help their organizations weather the risks on the horizon. The ISO standard and the COSO framework are now closely aligned and complementary; however, the COSO framework provides more detailed guidance on managing risk.</p><h2>Winds of Change</h2><p>The 2004 COSO ERM framework introduced several advances in risk management. First, it brought greater consistency and rigor to risk management processes and systems. Second, it stated that the context in which business risk arose was crucial: risk needs to be seen in the light of an organization’s objectives. 
The framework emphasized the notion that risk management was not just about mitigating risk, but about providing organizations with a range of appropriate responses, depending on how much risk they wanted to take. These factors have helped risk management become mainstream in many organizations.</p><p>COSO’s <em>ERM Framework–Integrating With Strategy and Performance</em> makes those ideas much more central and extends them to cover recent thinking in risk management theory and practice. This can be seen throughout its 20 core principles (see “COSO ERM Components and Principles” below) and is further underpinned by giving governance and culture a powerful role to play. In addition, the revised framework emphasizes information, communication, and reporting to give boards and management accurate and timely information to make effective decisions. Moreover, the document urges organizations to look as much to the upsides of risk as to the potential downsides and for internal auditors and other advisors to do the same.</p><h2>Pinpointing Extreme Weather</h2><p>For internal audit to contribute effectively to the organization’s risk management efforts, it must understand how the revised COSO ERM framework can be applied in practice. COSO has produced some sector-specific examples of how to apply the framework in <em>Enterprise Risk Management–Integrating With Strategy and Performance: Compendium of Examples</em>. </p><p>One risk that almost any organization faces relates to extreme weather events such as hurricanes, tornados, and floods. The application of COSO ERM to this type of risk can be illustrated by mapping the framework to the COSO ERM components. 
Environmental risks are covered in draft guidance that COSO has developed with the World Business Council for Sustainable Development, <em>Applying Enterprise Risk Management to Environmental, Social, and Governance-related Risks</em>.</p><p><strong>Governance and Culture</strong> To start, the organization should establish governance for effective risk management of extreme weather events, just as it would for any other threat. Discussions at the board level should show the importance the board places on understanding the potential impact and likelihood of weather events and convey the board’s desire to ensure such events are managed appropriately. This step maps to the framework’s governance and culture component (principles 1–5). These principles cover everything from exercising board risk oversight to considerations of how to develop the operational structures and culture needed to deal effectively with extreme weather events.</p><p><strong>Strategy and Objective-setting</strong> In this step, internal auditors would seek to understand the risk in terms of the business’ context and strategy. The board and management need to understand how extreme weather events may disrupt the pursuit of specific strategies and business objectives. The strategy and objective-setting component (principles 6–9) includes developing a risk appetite for this particular threat and considering alternative strategies for approaching risk management. This also includes how the business context affects the organization’s risk profile.</p><p><strong>Performance</strong> Principles 10–14 cover the performance component of risk management. Selecting extreme weather events as a specific risk addresses principle 10 (identify risk). Management would next identify the possible outcomes from such events, based on its understanding of the business context and strategy, and this would feed into the assessment and prioritization of this risk. 
This assessment requires understanding the potential impact of weather event outcomes and the likelihood that those events would occur at the impact levels envisaged. As with all risk assessments, management must be careful not to fixate on a particular event or outcome; rather, it needs to consider the full range of possible outcomes. </p><p>From this assessment, management can determine which of those events and outcomes should be a priority to manage. Management should then consider its ability to mitigate the impact of those risks, as well as its appetite for the related risk outcomes, and select the most appropriate risk responses. It is important that the business assigns responsibility and accountability for managing the risks. </p><p>Possible responses include reducing the risk, for example through disaster preparation and other measures that lessen the impact of extreme weather events. Organizations could consider sharing the risk, for instance by securing insurance to limit the financial impact of such events. They may consider avoiding the risk by moving a facility to a location less prone to hurricanes and flooding. Businesses may decide to accept the risk and respond only when the risk event happens, because advance preparations may not be cost effective or practical. </p><p>Finally, management also could consider pursuing the risk if the organization is in a business that can benefit from extreme weather. For example, it could quickly ship building products to areas affected by weather events to accelerate rebuilding, or rapidly send medical supplies or water into affected areas. The key is that the organization should consider all potential scenarios and plan for the relevant ones.</p><p><strong>Review and Revision</strong> Weather patterns change, so organizations need to reassess the potential severity of extreme weather events and evaluate whether their risk responses remain optimal. 
Also, as these responses are tested by actual occurrences, management may reevaluate its capability to execute the desired responses based on its experience. These activities map onto principles 15–17 in the review and revision component.</p><p><strong>Information, Communication, and Reporting</strong> This component (principles 18–20) focuses on how extreme weather risk is communicated and reported throughout the business. The board must understand the context, the potential events and outcomes, the assessment and prioritization results, the rationale for the responses that have been chosen, and the results of the periodic reviews and assessments. This process also may include communication from management to risk managers to help them make more timely and effective decisions in their risk management activities, which digital communication channels within the organization can support.</p><h2>The ERM Umbrella</h2><p>Not surprisingly, internal auditors need to thoroughly understand the new COSO ERM framework to help their organizations fully benefit from it. Part of internal audit’s role is to educate the board, executive management, and others throughout the business about these ERM components and principles. In addition, internal audit needs to advise management and provide input to enterprise risk assessments. </p><p>The current framework puts a lot of weight on boards and executives receiving the right information at the right time to provide risk oversight and evaluate the effectiveness of risk management. To that end, internal audit can provide assurance and advice about whether the information being reported upward is comprehensive, accurate, and timely. This could take the form of one-off consultancy-style exercises, be part of an audit, or be a report to the board. 
</p><p>Finally, internal audit must be in a position to evaluate the overall effectiveness of ERM, a role that has been in The IIA’s <em>International Standards for the Professional Practice of Internal Auditing</em> for some time. Standards 2110: Governance and 2120: Risk Management direct internal audit to assess risk management. Despite that, there is not much guidance available on how to conduct a comprehensive assessment. Internal auditors could use the 20 principles to perform a gap analysis throughout the business to see which elements of the guidance point to areas of risk management that require improvement.</p><h2>An Accurate Forecast</h2><p>And what of the internal audit function itself? There are two areas of internal audit practice that the current COSO ERM framework will affect: planning and projects. </p><p>More than ever, internal auditors must understand the organization’s business objectives and strategies when it comes to periodic audit planning. Auditors need to know what the risks are to those objectives and how those risks currently are managed. For example, has management considered alternative strategies to manage the risk, or are executives simply trying to mitigate it? What is management’s tolerance for risk in that area, and how much variation around that tolerance is acceptable for particular risks? The answers to these questions will influence which projects internal audit should undertake.</p><p>Audit planning needs to be done in light of the organization’s risk culture and risk appetite. These factors could have a major impact on the scope and testing approach designed for a particular audit if that audit is to provide assurance targeted at the right level of the organization.</p><p>If audit planning is executed in light of business objectives and management’s risk culture and risk appetite, audit projects will take the same focus. 
That will mean that individual audit risk assessments will be better aligned with the organization’s own risk assessment, and project scope and testing will be based on risk tolerance. Internal audit will report any deficiencies in the specific context of their potential impact on business objectives and on management’s risk tolerances. Ideally, this will lead audit to pay more attention to the potential upsides of specific risks.</p><h2>Clear Skies</h2><p>While many of the concepts in the current COSO ERM framework will be familiar to internal auditors, taken as a whole it represents a big leap in the quality of audit’s contribution to the business if implemented appropriately. Few internal audit departments are able to do a comprehensive assessment of the overall effectiveness of their organization’s ERM processes. The framework may enable internal audit to perform that assessment.</p><p>For internal auditors who are adopting the current framework for the first time, the first step is to learn what it says and what it means for their organization in detail. Second, assessing the organization’s current ERM practices against the framework’s 20 principles can ensure auditors understand the guidance and have identified the most obvious gaps to remedy. </p><p>Third, if internal audit hasn’t already done so, it should start to audit and report in the context of the business’ objectives, because this can help bring alive what the framework is about and make audits even more useful to management. Finally, internal audit should begin to take a more holistic approach to understanding the risks the organization faces and communicate that to management. That will help management understand risk better and see how its responses to threats can turn into opportunities for the organization. </p><p><img src="/2018/PublishingImages/Sobel_Sidebar_COSO%20ERM.jpg" alt="COSO ERM Components and Principles" style="margin:5px;" /></p>Paul J. Sobel
In Compliance (https://iaonline.theiia.org/2018/Pages/In-Compliance.aspx)<p>One of the biggest challenges facing organizations today is keeping up with the ever-changing regulatory environment. Companies are dealing with complex compliance requirements in every area of the world in which they operate. Some new requirements, such as the European Union’s General Data Protection Regulation (GDPR), affect organizations regardless of whether they have a physical presence in the jurisdiction where the law was enacted. Noncompliance with these regulatory requirements, whether inadvertent or criminal, can create significant risks to an organization, including legal, reputation, and financial risks. Organizations must have strong governance around their compliance programs to ensure these risks are assessed and managed across the organization. </p><p>Internal audit can use its expertise in risk management and internal control to offer assurance as to whether the risks associated with compliance are being managed to an acceptable level. The audit can be scoped to evaluate the governance process as a first step, and third parties can be engaged when additional assurance on specific regulations is necessary. </p><p>There are frameworks internal audit can leverage to help ensure it assesses all of the key components of a well-governed compliance program. For example, Chapter 8, Part B, of the U.S. Sentencing Commission Guidelines Manual presents guidelines for an effective ethics and compliance program (see “7 Elements of an Effective Compliance and Ethics Program” below). Although this framework is most often applied after an allegation of criminal misconduct has been made or adjudicated, it also can be used to ensure all of the elements of a robust compliance program are in place. 
</p><p>It can be overwhelming when internal audit begins analyzing a compliance program, given its overall complexity and the knowledge necessary to adequately audit all of the various regulations both in the home country and abroad, but this framework helps identify manageable components to be assessed. Management can begin by identifying all of the key compliance areas that affect the organization: environmental, data privacy, import/export, and anti-bribery/anti-corruption, to name a few. Each key compliance area should have a designated individual with an appropriate level of authority and responsibility to oversee the compliance program. Using the framework, that person, or his or her delegates, can begin documenting how the organization would demonstrate a program that prevents or detects misconduct. A steering team of cross-functional leaders from legal, human resources, compliance, risk management, internal audit, and other key areas can help identify common program elements, such as an overall code of conduct, investigation processes, and hotline management. Internal audit can play a key role in monitoring the overall compliance program and auditing specific risk areas. </p><p>In early 2017, the U.S. Department of Justice issued supplementary guidance titled <em>Evaluation of Corporate Compliance Programs</em> (<a href="http://bit.ly/2Pec0fl" rel="nofollow" target="_blank">http://bit.ly/2Pec0fl</a>). This evaluation guide aligns with the federal sentencing guidelines and other referenced guidance and provides tactical questions that internal audit could use to evaluate the program. It adds two components, third-party risk and merger and acquisition risk, that should be considered when evaluating the effectiveness of the overall compliance program. </p><p>Third parties may be an integral part of organizational processes and considered part of the extended enterprise. 
The organization may face significant risk if those third parties, acting on its behalf, commit an act of noncompliance. The third party may expose the organization to significant reputation risk, and in certain instances the organization may be liable for the third party’s actions. The evaluation guide indicates that certain actions must be taken, such as due diligence, appropriate controls, management of the relationship, and appropriate consequences if noncompliance or misconduct is identified. </p><p>With mergers and acquisitions, management must ensure that a robust due diligence process is in place and that the compliance function is integrated into the overall process so that compliance risk is addressed. In the case of an acquisition, integration and transition of the compliance program to the new entity must be completed, and any risks identified during due diligence addressed. </p><p>Overall, the framework and guide provide a solid base on which internal audit can ensure governance over compliance programs is effective. These documents should not be used as a checklist: the elements may be present while a culture of compliance has not developed, leaving a program that is more form than substance. Internal audit should evaluate the adequacy of the evidence maintained in support of the program and ensure that the organization can demonstrate, both internally and externally, that the compliance program is robust. Both quantitative and qualitative factors should be evaluated. Evidence of soft controls, such as how employees and leadership talk about the culture, also should be considered. 
</p><p>Although compliance can be a complex area to evaluate, these tools, along with third-party experts when needed, should enable internal audit to offer assurance around the effectiveness of the governance of compliance programs.</p><table class="ms-rteTable-4" width="100%" cellspacing="0" style="height:31px;"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><strong>7 Elements of an Effective Compliance and Ethics Program</strong><br><br>The U.S. Sentencing Commission’s seven elements of an effective program are:<br><ol><li>The organization will establish standards and procedures to prevent and detect criminal conduct. </li><li>The organization’s governing body should be knowledgeable about the ethics and compliance program. High-level employees within the organization should be responsible for program oversight, with day-to-day responsibility delegated to specific individuals. </li><li>The organization will exercise due diligence to ensure that substantial authority is not delegated to individuals who have previously engaged in illegal activity or other conduct inconsistent with an effective compliance and ethics program. </li><li>The organization will periodically communicate its ethics program, including standards and procedures, by conducting effective training programs for employees and third parties and otherwise disseminating information as appropriate.</li><li>The organization will take steps to ensure that the compliance program is followed, including monitoring. The program must be periodically evaluated to assess its effectiveness, considering both quantitative and qualitative evidence. 
In addition, a system must be established whereby employees, or third parties, may anonymously and confidentially voice concerns.</li><li>The program must be promoted and consistently enforced across all levels of the organization, including appropriate incentives to act in accordance with the program and disciplinary actions when noncompliance is identified. </li><li>When criminal conduct is identified, the organization must respond appropriately and take steps to prevent further similar misconduct, including adjusting the overall compliance program. </li></ol><br>Source: U.S. Sentencing Commission, §8B2.1: Effective Compliance and Ethics Program, <a class="vglnk" href="http://bit.ly/2Ped56T" rel="nofollow" target="_blank"><span class="ms-rteForeColor-8">http://bit.ly/2Ped56T</span></a>.</td></tr></tbody></table>Kayla Flanders
Selling Enterprise Risk Management (https://iaonline.theiia.org/2018/Pages/Selling-Enterprise-Risk-Management.aspx)<p>Although enterprise risk management (ERM) has a compelling value proposition, it may not always be intuitive to key stakeholders. That often is because the benefits of ERM are not easily observable or clearly quantifiable in the near term. As risk management professionals, internal auditors are easily sold on ERM’s merits because of our role in the third line of defense. We live and breathe risk management governance daily. But internal auditors and other risk professionals engaged in ERM efforts, by nature, do not tend to have strong sales competencies. So, when we propose ways to advance ERM principles to organizational leadership, the message often misses the mark. </p><p>The ability to convince stakeholders of ERM’s value may be the difference between an ERM program that flounders as a check-the-box compliance activity and one that develops into a strategic governance asset. It is vital for internal auditors and other risk management professionals to have a compelling and polished value proposition pitch in their ERM toolbox, one that is intuitive and presentable in terms and language that first and second line of defense managers will embrace.</p><p>Risk management is not a new idea, and most business professionals understand its importance. However, some are skeptical, writing ERM off as unnecessary or as an academic theory that is unproven in the real world. When this skepticism is not based on an informed position, it is a shortsighted and misguided viewpoint that creates a major cultural barrier when attempting to implement or mature an ERM program. This is when ERM professionals need to be at their best as salespeople.</p><p>Just as professional athletes strive for a competitive edge, business professionals also should pursue measures to enhance their success. 
ERM can provide the same type of competitive edge that athletes get from personal trainers, data analytics, and other measures. But ERM’s benefits are realized only when organizations appreciate, understand, and embrace the ERM value proposition. For an organization to unlock the potential of ERM as a strategic asset, a key element is a concise value proposition that leaders and managers can easily buy into.</p><p> <strong>Step 1: Start at the top.</strong> ERM programs are most successful when executive leadership supports them. The ERM value proposition must be understood at the highest management levels. But beyond that, leadership must be compelled to embrace ERM. Only then will leaders develop a vision for pursuing implementation with the requisite energy. Leaders will only embrace ERM when there is a clear value proposition. </p><p> <strong>Step 2: Don’t oversell.</strong> Internal audit must be careful not to sabotage ERM momentum by overpromising what the ERM value proposition can deliver. ERM will not solve all strategic risk management challenges. This message must be communicated to stakeholders by setting realistic expectations about what the organization can achieve. ERM implementation will inevitably encounter failures along with successes.</p><p> <strong>Step 3: Make the case for ERM by appealing to its intuitive nature.</strong> Internal audit should start by making a simple and intuitive case to legitimize ERM. Various entities have given ERM credibility by embracing its virtues. These include regulators (e.g., board requirements for risk oversight), credit rating agencies (e.g., ERM used as rating criteria by S&P and Moody’s), and major universities (e.g., ERM academic programs at North Carolina State University and St. John’s University). 
Additionally, ERM’s qualitative value is intuitive, as outlined in the waterfall diagram below.</p><p> <strong>Step 4: Draw a distinction between traditional risk management and ERM.</strong> All business professionals manage risk. Managers oversee various business functions and manage the risk inherent in these functions. Human resources (HR) managers manage HR risk, finance managers manage finance risk, and so on. The problem with this risk management model is that it does not promote an enterprise view of risk. Risk managers in these siloed functions make risk management decisions that can have negative impacts in other functional areas.</p><p>ERM is not designed to replace the traditional risk management model, but rather to enhance it by bringing greater visibility to risk management activities and impacts across functional silos. This is done by implementing risk management processes to methodically and purposefully identify, respond to, and monitor risks at the enterprise level. <br></p><p> <strong> Step 5: Make ERM a tool for aspirational risk management excellence.</strong> Compliance benefits may be an acceptable outcome for some organizations, but the real value of ERM is realized when its focus is more strategic. 
There are three imperatives of a strategic ERM value proposition:</p><ol><li><strong>Make informed decisions.</strong> ERM should support organizational decision-making for strategic planning, tactical execution, budgeting, and risk oversight.</li><li><strong>Protect stakeholder value.</strong> ERM should protect key stakeholders from value erosion.</li><li><strong>Optimize risk outcomes.</strong> ERM should seek the best possible risk outcomes by improving the likelihood of achieving strategic and business objectives, reducing the impact of organizational threats and weaknesses, exploiting organizational strengths and opportunities, and lessening the duration and persistence of negative risk outcomes.</li></ol><p>Aspirational and strategically designed ERM programs help organizations compete more aggressively in the marketplace. With the three imperatives in place, an organization is positioned to compete with an edge. </p><p>When designed to be a strategic governance asset, ERM facilitates advanced risk-taking capabilities and empowers a thoughtful, safe, and aggressive risk-taking approach. This can result in enhanced competitive agility and ultimately lead to enhanced organizational value.</p><p><img src="/2018/PublishingImages/Governance_p.65_ERM-qualitative-value.jpg" alt="ERM qualitative value waterfall diagram" style="margin:5px;" /></p>Rick Wright
GDPR and Internal Audit (https://iaonline.theiia.org/2018/Pages/GDPR-and-Internal-Audit.aspx)<p>Now that the May 25 deadline has passed to comply with the European Union’s (EU’s) General Data Protection Regulation (GDPR), compliance executives may be breathing a sigh of relief. Yet the real compliance work is only beginning. </p><p>GDPR consolidates the EU’s personal data privacy protection laws and redirects the way organizations approach data privacy. It greatly expands the privacy rights of EU citizens and residents, and it applies to any organization that offers goods or services to, or monitors the behavior of, individuals in the EU, regardless of where the organization is located. Organizations that don’t comply with GDPR face penalties of up to €20 million or 4 percent of annual worldwide turnover, whichever is greater. </p><p>Compliance will require continued focus and effort. Internal audit can help the organization mitigate GDPR compliance risks by identifying ways to improve controls, raising risk awareness, and assuring compliance.</p><h2>Improving Controls</h2><p>Internal audit can help the organization shift from the preparation phase to the implementation phase of GDPR. The regulation specifically requires organizations to focus on these control-oriented topics:</p><ul><li><em>Accuracy and quality</em> requires organizations to ensure data is accurate and up-to-date and that individuals can correct their records. <br></li><li><em>Security and privacy by design</em> requires organizations to build data protection into systems and processes from the outset and to document the decisions taken to inform EU residents about how their data will be used and restricted. They also must implement technical, administrative, and physical security/privacy controls to mitigate potential harm. <br></li><li><em>Security safeguards</em> ensure that technical and organizational measures are implemented for privacy and security. 
<br></li></ul><p>Internal audit should work with management to identify relevant controls over data entry, assess the accuracy of information and recommend improvements, and strengthen controls that prevent and detect data errors.</p><h2>Raising Risk Awareness</h2><p>The direct risks associated with GDPR relate to potential fines and reputational impact. However, by digging into the regulation’s purpose, internal auditors can see other data protection risks.</p><p><strong>Monitoring, Measuring, and Reporting</strong> Organizations must designate a data protection officer (DPO) to lead privacy and compliance efforts where the regulation requires one (public authorities, and organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data); many others appoint one voluntarily. Among the DPO’s tasks are reporting on compliance monitoring, training staff, and ensuring privacy compliance audits take place. The organization must perform data protection impact assessments when new technologies and systems are likely to result in a high risk to individuals, provide timely data breach notifications, and maintain records of processing, including its use of third-party processors.</p><p><strong>Prevent Harm</strong> GDPR imposes sanctions and penalties on organizations that process data unlawfully or fail to deploy safeguards. In addition, individuals have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on them.</p><p><strong>Breach Management</strong> Organizations must put processes in place to notify the supervisory authority no later than 72 hours after becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals, and to notify the affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms.<br></p><p><strong>Openness, Transparency, and Notice</strong> Organizations must collect data only for specified, explicit, and legitimate purposes and notify persons about how the organization will use their data. 
Organizations also must inform individuals of the safeguards applied when personal data is transferred to a third country.<br></p><p><strong>Individual Participation</strong> EU residents may request access to their data, obtain a copy of the data held, and withdraw consent to the use of their personal data at any time (withdrawal does not affect the lawfulness of processing carried out before it). Individuals may object to the use of their data for direct marketing and profiling, and they may contact the DPO about any issue related to the processing of their personal data.<br></p><p>Internal audit can educate management about the potential risks, and the ways to manage them, in each of these areas. Auditors can communicate relevant information about these risks via informal emails, a departmental newsletter, or meetings with management. <br></p><h2>Assuring Compliance</h2><p>As new policies and procedures mature, internal audit will need to perform regular compliance audits to determine the extent to which the organization is complying with GDPR. Auditors should focus on how the organization manages data to help strengthen privacy and security controls and ensure they are designed appropriately and operating effectively. Auditors will need to assure compliance with key aspects of the regulation and provide early warnings about problems.</p><p><strong>Choice and Consent</strong> Under GDPR, organizations must allow users to choose how their personal data is used. Also, organizations must document and maintain consents and obtain parental authorization before offering online services directly to a child (under 16, or a lower age of at least 13 where a member state has set one). </p><p><strong>Legitimate Purpose</strong> To ensure data collection is lawful and necessary, organizations can collect only personal data that is needed to achieve the intended purpose. Reviewing and handling requests for further processing, restricting processing of data related to criminal convictions, and documenting situations where the right to object does not apply are all important. 
Internal auditors can help reduce risk by sampling data collection mechanisms for compliance.<br></p><p><strong>Limitations</strong> Organizations may keep data no longer than the period required to support the purposes for which it was collected, and they must erase an individual’s personal data upon his or her request. GDPR permits organizations to retain data meant for archiving purposes in the public interest or for reasons of scientific or historical research. <br></p><p><strong>Free Flow of Information and Legitimate Restriction</strong> This principle includes protections for data transfers using legally binding agreements between public authorities, binding corporate rules, model clauses, and other mechanisms. <br></p><p><strong>Third-party Vendor Management</strong> This principle ensures that organizations gather third-party/vendor guarantees of GDPR compliance along with proof that third parties have the required technical and organizational safeguards. The DPOs of the data controller — organizations or individuals that determine the purposes and means of processing data — must provide written authorizations to use a given processor.<br></p><p><strong>Accountability</strong> GDPR’s accountability principle provides a legal basis for processing personal data, establishes the DPO role, and informs citizens and residents of existing privacy rights and safeguards. In addition to overseeing the data protection strategy, the DPO must maintain contact with the supervisory authority and demonstrate compliance.<br></p><p>Internal auditors will need to periodically assess processes and controls for each of these principles to ensure they are designed and operating effectively. Auditors can review a sample of data transfer documentation to look for data that should not be transferred to another organization. 
They can run reports to look for data that is being kept longer than necessary and review available documentation for any exceptions.<br></p><h2>A GDPR Audit Plan</h2><p>To help the organization maintain compliance, internal audit should include independent GDPR assessments and compliance testing in the audit plan. It can raise executive and board awareness of GDPR noncompliance by highlighting poorly designed or missing controls. Finally, it can identify opportunities to audit common processes across departments.</p>Jan Hertzberg
Internal Audit and Emerging Risks: From Hilltops to Desktopshttps://iaonline.theiia.org/blogs/chambers/2018/Pages/Internal-Audit-and-Emerging-Risks-From-Hilltops-to-Desktops.aspxInternal Audit and Emerging Risks: From Hilltops to Desktops<p>As a profession, internal auditors have cultivated a long and respected legacy as purveyors of hindsight. Almost all of us are adept at looking at last year's data and telling management where past mistakes were made. While hindsight is a necessary part of internal auditing, 20/20 hindsight is one of our least valuable skills. Often, our clients are already aware of past mistakes.</p><p>With the advent of operational auditing and, ultimately, the introduction of consulting/advice into our portfolio of services, we also became purveyors of insight. Insight is generally seen as more valuable than hindsight to our beleaguered stakeholders, but it too suffers from limitations in an era when risks emerge at warp speed. Today's insight may well be tomorrow's hindsight. </p><p>There will always be a need for hindsight and insight, but foresight is the ultimate source of value. Stakeholders seek to navigate the future more than revisit the past or dwell in the present. It is time for internal auditors to focus our telescopes ahead. We need to concentrate on the risks of tomorrow if we are to not only protect but enhance value for our organizations.</p><p>Yet, stakeholders are generally unimpressed with our acumen at detecting emerging risks. 
In a 2016 KPMG survey of chief financial officers and audit committee chairs, only 10 percent agreed that their internal audit function adequately identified and responded to emerging risks that threatened their companies.</p><p>Over the past year, I have turned often to weather analogies when addressing challenges and opportunities for the internal audit profession. In many ways, identifying future risks is like predicting the weather. When our parents and grandparents were young, there was no such thing as weather radar. If they were curious or concerned about potential changes in weather, they simply peered out their windows or stood on a hill and scanned the horizon for potential storms. Of course, their weather predictions were often wrong. Climbing to the hilltop may have expanded their view, but weather patterns are far too complex to know if the clouds you see contain damaging winds, or if they are even coming your way. </p><p>That's why modern meteorologists have turned to more advanced methods. They monitor approaching storms with Doppler radar. They use digital satellite images to record cloud patterns around the world, and they plug the data into supercomputers, applying advanced statistical equations and algorithms to create more accurate forecast models. Of course, we all know that even meteorologists sometimes get it wrong, but their degree of reliability has increased dramatically with the advent of new tools and technology.</p><p>From hilltops to desktops, we all need to get smarter about risks, and there's a lot we can learn from meteorologists. They don't just observe the weather and make guesses about what the future might hold. They use every resource at their disposal to identify potential trouble spots and patterns before the storm materializes or inflicts significant damage. </p><p>Internal auditors and meteorologists have much in common. But our scope is much broader than predicting the weather. 
It encompasses virtually every type of risk, from the impact of changing market conditions or pandemics to financial and compliance issues. And that means our focus must extend far beyond the immediate future.</p><p>It would be great if there were technologies like Doppler radar to identify emerging risks. Someday, such tools might exist, but until then, we need to create our own virtual radar for detecting and monitoring emerging/approaching risks. That requires us to become more analytical in our approach.</p><p>As KPMG Partner <a href="https://home.kpmg.com/au/en/home/insights/2016/09/internal-audit-emerging-risks.html">Michael Hill has noted</a>, "Emerging risks can arise from many sources — economic or demographic shifts, changes in the competitor landscape, technology advances, or customer preferences." So, there is a lot for us to watch for when it comes to emerging risks. The horizon is so vast that the job will simply be too great for a chief audit executive alone. It will take the proverbial internal audit "village" to monitor emerging risks for a typical company. Just as the department's resources are assembled when annual internal audit plans are formulated, so too should the various experts be deployed to identify and monitor emerging risks. For example, the staff with the greatest IT expertise should monitor the horizon for emerging technology risks. </p><p>Fred Stuckel, vice president of enterprise risk management and audit at Express Scripts, shared the process his company uses to identify emerging risks in a <a href="https://erm.ncsu.edu/library/article/identifying-and-evaluating-emerging-risks">recent video posted by North Carolina State Poole College of Management's Enterprise Risk Management Initiative</a>. Stuckel noted that within Express Scripts, he and his team "spend a lot of time on the internet and on social media." 
They "peruse through international newspapers that are converted from foreign language to English, to get different perspectives of what the impact of any kind of change might be to the United States or to the global market."</p><p>There is no silver bullet for identifying emerging risks. Like all risk assessment, there is a degree of art in addition to science. However, if internal audit isn't looking in the right direction, there is a greater likelihood of missing emerging risks. But just as storms in the Northern Hemisphere often emerge from the West, there are directions from which potential risks facing your company are likely to emerge. These include:</p><ul><li>Economic forecasts (macroeconomic as well as those facing your industry).<br></li><li>Known strategic business risks facing your company.<br></li><li>New corporate initiatives being planned.<br></li><li>Legislative and regulatory outlook facing your industry.<br></li><li>Geopolitical developments and political risks in regions where your company operates.<br></li><li>Disruptive threats or opportunities facing your industry.<br></li><li>Performance of your primary competitors.<br></li><li>Risks emerging as headlines via traditional or social media.</li></ul><p>Identifying emerging risks should be a collaborative process with management. After all, management is likely to have already identified many emerging risks that threaten the organization. We should position ourselves as a partner, not a competitor trying to one-up management, when it comes to emerging risk acumen. After fully vetting our inventory of emerging risks, we should be prepared to share our perspectives with the audit committee. Our conversation must include our own plans for monitoring and responding to these risks as the organization's internal auditors.</p><p>We have entered an era in which crises have become commonplace, and after each new crisis, the same questions arise: "Why didn't we see it coming?" 
"Where were the internal auditors?" The world's best internal audit functions are well-prepared to answer these questions, and they do so in part by focusing on the future, by maintaining agility, and by proactively identifying and addressing emerging risks.</p><p>Hindsight is one of our least essential skills. It's time to turn our telescopes in the other direction.</p>Richard Chambers
Crisis Overconfidencehttps://iaonline.theiia.org/2018/Pages/Crisis-Overconfidence.aspxCrisis Overconfidence<p>​Companies are overconfident about their ability to cope in a crisis, and executive leadership on the issue may also be sorely lacking in some organizations, according to a new report. Research by professional services firm Deloitte has found that nearly 60 percent of crisis management and other executives surveyed believe organizations face more crises today than they did 10 years ago.</p><p>They are not wrong. In the past two years, 80 percent of organizations worldwide have had to mobilize their crisis management teams at least once, with cyber and safety incidents topping the list of crises requiring management intervention. And the impact of a crisis on organizations is immediate: nearly three-fifths experienced a leap in customer complaints, usually on social media.</p><p>More than four in five respondents say their organizations have a crisis management plan in place. However, Deloitte's study, Stronger, Fitter, Better: Crisis Management for the Resilient Enterprise,<em> </em>has<em> </em>uncovered dramatic gaps between a company's confidence that it can respond to crises and its level of preparedness. It found that while nearly 90 percent of respondents are confident in their organization's ability to deal with a corporate scandal, only 17 percent have tested that assumption through a simulation exercise. Similarly, 70 percent of organizations are confident in their ability to manage a product recall, though only 22 percent have carried out a simulation exercise.</p><p>The survey, which included participation from more than 500 crisis management, business continuity, and risk senior executives across 20 countries, also found that organizations feel more confident in confronting some types of risks rather than others — particularly IT risks because they feature so prominently on risk agendas. 
For example, nine out of 10 respondents have fairly or very high levels of confidence in their organization's ability to tackle system failures, with similar numbers confident in their organization's ability to respond to regulatory and policy changes (89 percent), corporate scandals (88 percent), and cyberattacks (87 percent). </p><p>Deloitte's research found that experiencing a crisis teaches organizations to avoid them. For example, nearly 90 percent of organizations surveyed have conducted (largely internal) reviews following a crisis, and while these crises were not always foreseen, companies recognized that they might have been averted. As a result, organizations are now more likely to take action to forestall future crises.</p><p>Indeed, a crisis management response plan is critical. Deloitte found that nearly half of respondent organizations that did not have a plan in place saw their finances negatively impacted when a crisis struck. For those organizations with a plan, it was less than a third. </p><p>"Crisis management shouldn't start with a crisis — at this point it may already be too late," says Peter Dent, Deloitte Global crisis management leader. "With the rapid pace of change facing companies worldwide, and with crises on the rise, it is critical for organizations to be ready to respond with skilled leadership and plans that have been tested and rehearsed." </p><p>Crisis plans work best when the board and senior management are involved in shaping them and sponsoring them. And to secure their participation, the study's authors say that it is important to keep the plan relevant to them so that it addresses the issues that "keep management awake at night," such as the impact on reputation and the bottom line.  </p><p>Organizations should also ensure that they set up a crisis management plan specifically for the board, because when a crisis hits executives may need to play a very different — and more interventionist — role from normal. 
For example, if the crisis is causing significant damage to reputation, affecting share price, or resulting in regulatory sanctions or litigation, it may be up to the board to plan the company's continuity and survival. And in terms of succession planning, it may be appropriate to recruit board members with prior crisis management experience, Deloitte says.</p><p>Leadership commitment to crisis management is critical. But nearly a quarter of respondents cite the effectiveness of leadership and decision-making as one of the greatest crisis management challenges their organizations face. In fact, leadership commitment — or lack of it — was deemed to be the primary challenge for respondents, followed by effectiveness of teamwork, familiarity with the crisis structure/response process, and clarity of roles and responsibilities.</p><p>Part of the problem, Deloitte says, is that leaders are unprepared for crisis management. Therefore, organizations should establish a leadership structure for a crisis to help define roles and responsibilities, and training should be provided, particularly around communicating with stakeholders. Organizations should also identify the leadership styles of particular executives and managers, and work out who would be best placed to deal with certain aspects of the crisis response: in a high-pressure environment, leaders will tend to rely heavily on their most natural leadership style — which may not be suitable. </p><p>Deloitte's research found that crises often emanate from the actions of third parties such as suppliers and alliance partners, but at the same time, these third parties often play an important role in helping to manage and mitigate the problem. Recognizing this, 59 percent of respondents say that they participate in crisis exercises with third parties, examine third parties' crisis plans, or both. 
In Europe, the proportion is 80 percent.</p><p>As a result, the researchers say that companies should determine which outside organizations need to be in the fold when managing a crisis. These could include advisors such as lawyers, public relations firms, or specialist cyber defense organizations, as well as crisis advisors. In addition, they say, critical service providers, joint venture partners, resellers, distributors, and any other entity that could trigger a crisis (or be affected by it) should be involved in crisis preparations too. </p><p>The report adds that — depending on the scenario — these outside parties should also be included in simulations and exercises where appropriate, and should also share their contingency plans and provide regular updates on response readiness. Companies should stress the benefits of such collaboration, and even consider stipulating in contracts and agreements that such information should be shared.</p><p>"Crises aren't inevitable," Dent says. "Many of them are avoidable, which is why smart business leaders invest in crisis management capabilities. These strengths can help their organizations avoid costly, and sometimes irreparable, damage to finances, employee morale, brand, and reputation."</p>Neil Hodge
Risks Speak Louder Than Issueshttps://iaonline.theiia.org/2018/Pages/Risks-Speak-Louder-Than-Issues.aspxRisks Speak Louder Than Issues<p>​Mutual understanding between internal audit and its clients can be difficult to achieve. When audit clients hear jargon such as "issues" and "gaps," or read it in an audit report, they often stop listening. They're left with the impression that internal audit doesn't understand the risks their area faces and that its reporting is irrelevant. At the same time, auditors may experience frustration over clients' failure to understand audit issues. Why can't issue communication be easier and more effective? In many cases, it's because auditors don't "speak the same language" as their clients and fail to communicate adequately about risk. </p><p>The IIA Position Paper, The Three Lines of Defense in Effective Risk Management and Control, states that risk management and control duties must be coordinated carefully organizationwide "to assure that risk and control processes operate as intended." In reality, that coordination does not always happen. For the first-line business units conducting day-to-day operations, if there are no risks within the immediate processes they manage, there are no issues. At the same time, many internal auditors perform their work in isolation, targeting check boxes without comprehensive understanding of risks, even though second-line risk management and compliance functions are looking at risk appetite and the risk landscape enterprisewide. Effective risk communication can be challenging when internal auditors are out of sync with other assurance providers and adhere to an outdated, myopic approach. </p><p>In today's rapidly changing environment, the traditional method of identifying issues simply based on test results for design and operational effectiveness constitutes an insufficient means of risk analysis, reporting, and acceptance. 
Although test results provide a solid basis for showing how the client failed, they don't provide much insight into why clients should care other than a low score. And if our deliverables lose relevance to the audience, we lose buy-in. </p><p>Within the audit report, risk-based information tends to be underdeveloped and fails to provide adequate support for issues. Risk statements often appear merely as a single line in each issue table, and risk analysis may not be presented holistically anywhere in the report. Moreover, risk assessment usually occurs during the planning and scoping phase of an audit. Even if the assessment has been performed well and reveals areas of weakness, key risk indicators would be gradually lost during an audit and toward the conclusion of the engagement, leading to unclear answers about true risk. Risk conversations should instead take place throughout the entire audit.</p><p>Before presenting issues to clients, internal auditors should ask, "Did I perform sufficient risk analysis to cover significant areas?" rather than "Have I identified enough findings?" Overall, the goal of issue communication should not be putting down names on the sign-off sheet, but rather mutual agreement on risks and a willingness to address them. </p>Jingwen (Grace) Wu
Model Governance, Where to Begin?https://iaonline.theiia.org/2018/Pages/Model-Governance,-Where-to-Begin.aspxModel Governance, Where to Begin?<p></p> <p>Models serve many purposes and support various decisions across an organization. A model is a mathematical representation of an entity system given certain operational, financial, compliance, and/or economic conditions that aims to quantify past, present, or future outcomes to provide decision-making information. Models typically are used to predict future results or to allow an entity to perform analysis within the mathematical model to determine the impacts of different drivers or variables on model output. Models can be simple calculations in an Excel spreadsheet with a small table of variable inputs, or they can be highly complex mathematical and statistical computations with a web of interrelated models using sophisticated software on a dedicated server. </p><p>Model governance provides oversight and control to minimize model risk, establishes policy to protect the integrity of the model output used in decision-making, prioritizes and authorizes changes to models used by the organization, and facilitates the sharing of information across the organization regarding the use and limitations of the models to improve transparency.</p><p>Before internal audit can evaluate the model governance structure and effectiveness, it needs to gain an understanding of the models that are used within the organization. This can be time-consuming. Documentation is valuable to any process, but it is difficult to find in practice. Internal audit may have to work with management to develop an initial listing that can be used to identify and assess risks and determine the audit scope. 
The list of models should include: </p><ul><li>Name for the model.<br></li><li>A brief description of the model’s purpose and use.<br></li><li>Key model personnel: model owner, developer, tester/validator, production operator, and users.<br></li><li>Frequency of model output reporting.<br></li><li>The software and platform used for the model.<br></li><li>The latest version of the model being used.<br></li><li>The model risk rating. <br></li></ul><p><br>The model owner should maintain more detailed information for each model regarding inputs, assumptions, methodologies, process documentation with risks and controls identified, data flow diagrams, items excluded from the model, approximations or assumptions used in the model, model limitations, manual outside adjustments to the model, and software and hardware used by the model.</p><p>The model risk rating should be based on probability and impact and be consistent with other risk rating structures used within the organization. When determining the model risk rating, internal audit should consider several risk drivers (along with other relevant criteria based on the industry or business), including: financial statement impact of results, level of model dependency in making business decisions, regulatory requirements, complexity of calculations and the extraction/transferring/loading of inputs, degree of interdependencies among models, subjectivity of assumptions or inputs, experience level of the personnel involved, historical experience of issues, effectiveness of controls, and degree of incentive compensation that may be tied to performance or output.</p><p>Once the listing of models is compiled, risk rated, and agreed upon by key stakeholders, internal audit can perform an assessment of model governance focusing on the high-risk models as a starting point. 
All high-risk rated models should be within the purview of a model governance committee.</p><p>The scope of responsibilities of a model governance committee is subject to debate and tends to be the victim of scope creep given the volume of risks associated with models. “Model Governance Committee Responsibilities,” below, provides a comprehensive listing of items to be considered in determining the scope of a committee. There may be other responsibilities specific to an organization or evolving risks.</p><p>The structure and oversight of the model governance committee should be tailored to the specific needs and level of maturity of the organization: </p><ul><li>The committee should report to the board directly, or indirectly via another committee. <br></li><li>Membership should include a variety of senior-level model stakeholders.<br></li><li>Responsibilities should be clearly defined for committee members and those involved in the modeling process. <br></li><li>Committee decisions should be clearly documented with supporting rationale in committee minutes.<br></li><li>A communication process should be in place to notify those who are responsible for any follow-up actions, noting anyone who should be consulted or informed.<br></li></ul><p><br>Having a model governance committee centralizes the identification of, and response to, model risks, which typically improves communication across stakeholders, builds consensus around decisions, establishes controls, and enables management action given the diversity of committee membership. The focus on model risks by regulators and external auditors has been increasing. Having a committee that receives and generates appropriate documentation makes it much easier to address those concerns. 
</p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p><strong>Model Governance Committee Responsibilities</strong></p><p>Potential responsibilities may be completed by the committee, management or a project team with committee oversight, or some combination thereof. Responsibilities will vary but could include: </p><ul><li>Develop, approve, and communicate model policy, standards, and procedures.<br></li><li>Plan resources and prioritize tasks when there are competing priorities or dependencies.<br></li><li>Review and approve technical papers from subject-matter experts regarding gray areas or where there is disagreement on model approaches.<br></li><li>Prioritize and approve model changes, including tolerance and materiality levels for approvals needed for model changes.<br></li><li>Review and approve risk control matrices for material models. Also, have insight into control issues that impact the model, including general IT and application controls over inputs, processes, and outputs.<br></li><li>Monitor compliance issues that impact the model and approve management actions to remediate issues.<br></li><li>Oversee model data quality — integrity; outliers; timeliness and availability; security; and extraction, transfer, and loading.<br></li><li>Oversee model validation — static and dynamic testing, sensitivity analysis, analytics, user acceptance testing, analysis and quantification of changes, and identification of risk-based deep dives into current models on an ad hoc, periodic, or rotational basis.<br></li><li>Provide an objective, robust check and challenge process on model results.<br></li><li>Approve outside-the-model adjustments and rationale for use.<br></li><li>Maintain a list of known model limitations and implications for use.<br></li><li>Approve the timing of model releases to production.<br></li><li>Coordinate the reporting calendar and use of 
model results.<br></li><li>Identify stress and scenario testing for the models and determine management actions.<br></li><li>Provide a consistent, common communication point to address questions and drive improvement.<br></li></ul></td></tr></tbody></table>Kelley Ellis
Into the Lighthttps://iaonline.theiia.org/2018/Pages/Into-the-Light.aspxInto the Light<p>When the dust settles, disgraced movie mogul Harvey Weinstein may actually end up helping women in the workplace. More than 85 women have come forward with their stories of sexual harassment and sexual assault at the hands of Weinstein, including retaliation in the form of blacklisting them from acting jobs for rejecting his advances. </p><p>The Weinstein scandal has become a social media firestorm that has propelled a movement — #MeToo — thousands of tweets, Instagram posts, and press conference comments, raising the profile of sexual harassment on legislative agendas and in corporate boardrooms. Publicity around the topic is drawing attention to the risks harassment represents and the processes companies implement to manage those risks — areas where internal auditors are key players in their organizations’ harassment prevention and mitigation efforts.</p><h2>A Shift in Response</h2><table class="ms-rteTable-default" width="100%" cellspacing="0" style="height:188px;"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>History of #MeToo</strong></p><p>Corporations addressing the risks represented by sexual harassment can thank civil rights activist Tarana Burke for spurring the improvements they’re making. She first used “Me, Too” in 2006 as shorthand for efforts to unify behind changing the harassment paradigm. In 2017, she was among the “Silence Breakers” Time named as “Person of the Year.” Actress Alyssa Milano took a friend’s advice to flood Twitter with the phrase, urging women who’ve been harassed or assaulted to retweet the two words. Her effort generated more than 200,000 responses in 24 hours. 
It became a top topic on Facebook, and Time’s Up, a defense fund and pressure group, formed to keep the message moving.</p></td></tr></tbody></table><p>Is the definition of <em>sexual harassment</em> changing? Betty McPhilimy, retired chief audit executive (CAE) at Northwestern University in Evanston, Ill., says no. Rather, “clarity is setting in.” Personal workplace priorities haven’t changed, either, she adds: “Everyone wants to be treated with respect.” </p><p>Brian Koegle, a partner in the employment and labor law department of the Los Angeles office of Poole & Shaffery LLP, agrees. “Legally speaking, the definition of <em>harassment</em> in the workplace has not changed,” he says. “It does evolve, but there have been no material changes to the definition or to how it’s interpreted under federal or state law for the better part of 15 years.” </p><p>What’s recently changed is the mix. “From the late 1980s until about 10 months ago, the most prevalent legal claims involved harassers creating hostile work environments,” Koegle says. “But now the overt, obscene cases are coming up more frequently, which we hadn’t seen for years until the Weinstein scandal broke.” He attributes this to the empowerment movement the scandal has spawned, where “women are feeling strong enough to come forward and say what’s actually happening after decades of fearing being blackballed.” The change, he adds, is especially evident in Hollywood, where there’s a groundswell of support. “It’s a social norm shift, rather than a legal shift.” </p><p>“Corporate response is changing, with more attention and responsibility focused on harassment issues and policies,” says Bettina Deynes, chief human resources officer at the Society for Human Resource Management, in Alexandria, Va. 
“The acceptance of primary responsibility for policy and enforcement by management is also increasing.” Human resources, she adds, must “create and publish policies that are clear and effective and that have strict penalties for unacceptable behavior.” It also must be simpler and less intimidating to report incidents of sexual harassment. “It’s a necessity,” she stresses, because “the risks of sexual harassment — lawsuits, internal conflicts, and employee terminations — are increasing.”</p><h2>Cases Are Climbing</h2><p>While the U.S. Equal Employment Opportunity Commission (EEOC) has not reported a surge in the number of harassment claims, Koegle says that it’s been exactly the opposite. “We’ve conducted more workplace investigations in the last four months than in the last five years, and we’re seeing more written in journals on harassment,” he says. There may be an explanation for the EEOC’s numbers, according to Robin Shea, an attorney with the Encino, Calif., firm Constangy Brooks Smith & Prophete LLP. In a blog post, Shea says the EEOC reporting period ended Sept. 30, before #MeToo gained prominence. “Brace yourself for 2018,” she says in the blog. “Retaliation was the most common claim in 2017, and pre-litigation monetary relief in harassment charges was at its highest since 2010.”</p><p>As women read more #MeToo stories, some may realize that an incident in their past — that at the time they felt was inappropriate — was, in fact, sexual harassment. Social media is causing the estimated 85 percent to 95 percent of women who don’t report the incident when it happens to reflect and come forward with their own stories. “I look back and I’m dumbfounded that I didn’t leave or tell someone,” says Tori Reid, a West Hollywood, Calif.-based actress, writer, and producer who grew up in a show business family. “I didn’t have kids to raise. I wasn’t desperate to keep the job. I guess I didn’t realize it was harassment. 
On a certain level, in the back of your mind, it’s the way we’ve known the entertainment workplace to be.” She avoided the worst of it. “Sixty percent of the work was making sure my boss didn’t put his hands on me,” she says. “I was dodging and ducking.” This year, she participated in the #MeToo unity demonstration at the Golden Globe Awards.</p><p>Harassment victims have testified about “slaps on the butt, repeated comments about breast size, and requests for sex,” a <em>Kaiser Health News</em> report found. And men are victims, too. A 1998 U.S. Supreme Court ruling in <em>Oncale v. Sundowner Offshore Services Inc.</em> said same-sex harassment of both sexes is actionable, and juries have held women responsible for harassing men. </p><h2>What's at Risk</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>More about sexual harassment in the workplace:</strong><ul><li><a href="/2018/Pages/MeToo-Felt-Far-and-Wide.aspx">#MeToo Felt Far and Wide</a> – Organizations are addressing sexual harassment.</li><li><a href="/2018/Pages/A-Fish-Rots-From-the-Head-Down.aspx">A Fish Rots From the Head Down</a> – Sexual harassment mitigation must be dealt with at the top.</li></ul></td></tr></tbody></table><p>Regardless of gender, this behavior has “a cumulative long-term negative impact on performance,” says Ed Lynch, assistant professor in the Department of Accounting at California State University at Fullerton’s Mihaylo College of Business and Economics. According to the Washington, D.C.-based National Women’s Law Center (NWLC), “victims suffer profound economic and emotional harm” — and its physical manifestations. 
Up to 70 percent of women and 45 percent of men have experienced harassment, University of Maine sociologist Amy Blackstone recently told <a href="http://livescience.com/" rel="nofollow">livescience.com</a>. Many victims feel self-doubt that turns into self-blame, which then turns into depression — and, for some women, post-traumatic stress disorder. Harassment has been tied to a range of stress-like physiological reactions, including sleep disturbances, neck pain, increased risk of cardiovascular disease, and, in extreme cases, increased risk of suicide. </p><p>The primary effects can destroy economic and career well-being. <em>The New York Times</em> examined the damage that fear of harassment allegations can cause to mentor-like relationships young executives develop with senior leaders. “All too often, we wind up prosecuting the victim as much as the alleged harasser,” Koegle points out, “with all the gossip and innuendo that can surround workplace harassment allegations.” One of the most important elements of an investigation, he says, is “making sure victims feel the company is supporting them, that someone’s got their back, and that nothing happens to them that’s retaliatory.”</p><p>There should be greater transparency in complaint handling, Lynch says, including how companies develop codes of conduct and related training and how they craft policies for follow-up. He argues that transparency “enables the identification of prevention best practices” and outweighs any risk of reputation damage, which actually acts as an incentive for change.</p><h2>Employers' Risks Rising, Too</h2><p>In fact, organizations risk image damage anyway. “The primary risk is reputation,” says Robert Kuling, a partner in Enterprise Risk Services at Deloitte Canada in Calgary. 
“Getting into the public domain with issues around discrimination and harassment can absolutely destroy a company’s brand and trust.” For example:</p><ul><li>Weinstein’s studio has filed for bankruptcy, CNN reports, and terminated all confidentiality agreements that have kept more people from coming forward. Lantern Capital Partners agreed to acquire the studio after a separate deal to sell the assets fell apart. <br></li><li>The CBC News website reported that Toronto’s Soulpepper Theatre Co. lost $375,000 in planned federal funding after its artistic director, who resigned, was accused of sexual misconduct and harassment by four actresses. The women are suing for $4.25 million in damages from Soulpepper and $3.6 million from the executive. Canada’s Heritage Minister told CBC News that arts organizations lacking best practices for harassment and bullying also may be blocked from future funding. <br></li><li>After sexual harassment allegations targeted former CEO Steve Wynn, the <em>Boston Herald</em> reported that a casino under construction there would probably not carry Wynn’s name. Wynn stepped down and sold his shares, but the allegations caused Wynn Resorts stocks to plummet. Wynn reportedly settled one harassment suit for $7.5 million; regulators in Nevada and Massachusetts and in Macau, China, are examining the company.<br></li></ul> <p>The secondary risk organizations face is civil litigation saying the company didn’t do an appropriate job of providing a safe workplace, Kuling says. The government of Alberta recently amended safe workplace legislation to include mitigating the risk of discrimination and harassment, for example. “Harassment can be treated as a workplace injury,” he explains, creating regulatory risk as organizations prepare for and comply with their obligations under the law. 
</p><p>The third risk that’s developing, Kuling adds, “is where internal auditors can do a much better job: employee turnover.” People who don’t report harassment may just leave, he explains, and not mention the reason during exit interviews. But when internal audit conducts culture assessments, investigators “might get indicators of harassment and discrimination issues,” he says, adding that “the professional skepticism of internal auditors has to come to the forefront. That data could then inform future audits of turnover statistics.”</p><p>An ongoing culture of harassment and discrimination, Kuling argues, even if localized to a department, “is going to be hard to hide.” Lynch agrees and adds that internal audit should be prepared to identify and report suspicious behavior while working every assignment. “The nature of internal audit brings the auditor in contact with a wide range of employees,” Lynch says. “Every internal auditor should receive training on identifying evidence of sexual harassment, or a failed reporting mechanism, and every audit report should provide an opportunity for the auditor to comment on compliance with the code of conduct.” </p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><strong>How Internal Audit Can Help Address Sexual Harassment Risks</strong><p>Internal audit has a responsibility to provide assurance that risks around sexual harassment policies, procedures, and reporting are being managed.</p><ul><li>Follow U.S. Equal Employment Opportunity Commission guidance, <em>Proposed Enforcement Guidance on Unlawful Harassment</em> (January 2017), which sets the expectation that employers are being proactive in eliminating workplace harassment. 
It also outlines five core principles that have proven effective.<br></li><li>Make sure there is a written policy on how to handle harassment, discrimination, or retaliation claims. The absence of a written policy almost automatically triggers liability, Brian Koegle says. Policies need to address everybody in the liability universe — full-time and part-time employees, independent contractors, vendors, and clients who each pose some risk of potential liability. <br></li><li>Make sure company codes of conduct include examples of inappropriate behavior, Ed Lynch advises. Relevant examples are critical, he says, “because they serve as bright lines and consequently need to be continuously updated to reflect the changing work environments within each company.”<br></li><li>Human resources should conduct training and communicate to employees about how and where to report sexual harassment. Even with policies in place, not everyone knows the process for reporting.<br></li><li>Make sure there is an anti-retaliation policy. Inform personnel that the hotline may not only be used for obtaining information and reporting concerns, but also for reporting issues of retaliation. The code of conduct should plainly state that retaliation against anyone reporting harassment in good faith is a significant, punishable violation.<br></li><li>Compliance isn’t enough. Testing the effectiveness of compliance programs is another step and leveraging them to mitigate underlying risk is still another. That’s part of the reason The Committee of Sponsoring Organizations of the Treadway Commission has an internal controls framework and an enterprise risk management framework. <br></li><li>Internal audit or the chief compliance officer should report on the effectiveness of a company’s hotline to the audit committee. 
“Having lines of communication and, ultimately, an objective, confidential hotline process to lodge concerns to someone from outside that unit who will investigate is a critical control,” Betty McPhilimy says. “You don’t want hotline complaints squelched by a senior manager. They should go up to the board so people feel the hotline is a credible resource.”<br></li><li>Don’t reinvent the controls wheel. Risk management around harassment usually requires no new tools. An organization’s performance reviews, open-door policies, escalation procedures, ombudsmen, incentives, disciplinary action procedures, and ethics and compliance hotlines are all designed to accommodate anything that comes up, including sexual harassment. </li></ul></td></tr></tbody></table><h2>Being Proactive </h2><p>Organizations need to act, Kuling stresses. “Boards of directors need to have conversations with executive leaders around the culture of their organizations, and then be prepared to invest time and resources to seek assurance that these risks are being managed appropriately.” Deynes adds: “Internal audit can assist human resources in designing processes that confidentially discover existing problems and report them to the appropriate internal or external authorities. Legal can and should provide all necessary avenues for the execution of severe internal penalties and external prosecution for offenders.”</p><p>But organizations must ensure they don’t attack harassment with processes that simply separate the sexes. <em>The New York Times</em> reported that “some male investors have declined one-on-one meetings with women or rescheduled them from restaurants to conference rooms” because they worry about comments being misunderstood and becoming career-enders. </p><p>“That’s bad,” says Phyllis Hartman of PGHR Consulting Inc. in Freedom, Pa. 
“Clearly, we have to work together, and we’ve got to help people communicate respectfully, even when perceptions differ as far as how and when to say ‘lay off’ and end it then and there.” When managers say they’re afraid to talk to female employees, she tells them: “You probably can’t get into trouble talking about work. It’s highly unlikely you’ll be falsely accused.” And if a woman finds herself in a situation where she is “systematically excluded from important meetings and opportunities” or if her supervisor acts “in ways that adversely affect her advancement opportunities, learning opportunities, and so on,” she could legally claim discrimination under the Civil Rights Act of 1964. </p><h2>Handling Harassment </h2><p>What happens after sexual harassment is reported is critical, and internal audit has an important role in ensuring retaliation isn’t tolerated. Those acts, the NWLC points out, include a reprimand or other discipline, including termination; transfers to less-desirable positions or work schedules; and threats to report people to law enforcement based on immigration status. In some cases, just the threat of being penalized for speaking up constitutes retaliation, because the risk of career damage or being labeled a troublemaker is real. </p><p>Enforcement varies by jurisdiction. In Europe, member states are bound by the European Commission’s Directive 2006/54/EC, which defines sexual harassment as conduct intended to “violate the dignity of a person by creating an intimidating, hostile, degrading, humiliating, or offensive environment,” and Directive 2012/29/EU, which requires “assessments to determine if victims are at risk of retaliation” — and calls on employers to “offer appropriate measures to protect them.” In the U.S., claims of workplace harassment and retaliation are handled differently by state. 
California, for example, is particularly aggressive, maintaining “an affirmative legal obligation to protect victims from retaliation,” Koegle says. “This includes requiring employee handbooks to address with specificity what you do to investigate, remediate, and prevent acts of retaliation.” </p><p>A recent Harris Poll/CARE survey found that sexual harassment in the workplace isn’t illegal in nearly one-third of the world. One-third of respondents in India said it’s acceptable to whistle at colleagues, about the same as the portion of U.K. respondents from 25 to 35 who think touching a co-worker’s buttocks is fine.</p><h2>Addressing the Future</h2><p>Rehabilitation also is an important process concern, Hartman points out. In most cases, victims don’t want the accused fired; they just want it to stop — but returning an accused executive to meaningful leadership “takes a lot of work,” she says. “You have to help both parties deal with this, making sure perpetrators understand what they did wrong.” For victims, counseling is a good place to start, according to research published in <em>Psychotherapy: Theory, Research, Practice, Training</em>, the journal of the American Psychological Association. But the specifics, says Kuling, are best left to each complainant to determine. “The complainants are the best source of what constitutes adequate resolution,” he says. </p><p>Counseling often helps the alleged perpetrators, too. Hartman has coached executives accused of inappropriate behavior whose companies felt they could be rehabbed, often as a condition of returning to their former posts, and she stresses that success is situational, depending on what happened, how the two parties work together, and what the workplace is like. 
</p><h2>Staying Focused</h2><p>It may trace its roots to a little hashtag and just five letters, but the media movement behind workplace sexual harassment has “helped organizations pay attention and give it serious thought,” McPhilimy says — and that implicates internal audit. “Part of internal audit’s role is looking for risks in human resources and employment,” she explains. “We have a big role to play in ensuring controls are in effect in hiring, managing, and evaluating personnel and ensuring effective interactions.” Essentially, that means making sure there are training programs, policies, and procedures that are documented, current, and effective. That’s a role internal audit always plays, of course. “It’s just that in the past, internal audit wasn’t so focused there,” she adds. “Maybe senior management didn’t think of internal audit as an effective tool for determining if there are problems in such areas. Particularly as it becomes a higher-profile risk, though, that’s something internal audit should address with senior management.” </p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p><strong>Harassment Doesn't Discriminate</strong></p><p>Most types of workplaces have faced harassment challenges, including universities, hospitals, and government. </p><ul><li>Higher education has taken more than one hit in cases that go far beyond harassment. Michigan State University (MSU) faces recurring headlines related to assault complaints against disgraced former staff and Olympic gymnastics team physician Larry Nassar and other school officials. Johns Hopkins University paid almost $200 million to about 8,000 former patients of deceased gynecologist Nikita Levy to settle 2014 charges involving his use of a concealed camera to photograph them during exams. 
And at Pennsylvania State University, the conviction of former president Graham Spanier and a new movie about former head coach Joe Paterno have kept alive the sexual misconduct case against former assistant coach Jerry Sandusky.<br></li><li>A 2016 Research Letter published in the <em>Journal of the American Medical Association</em>, “Sexual Harassment and Discrimination Experiences of Academic Medical Faculty,” reports that 30 percent of women on medical faculties experience sexual harassment. Its author says, “harassment is more common in fields where there are strong power differentials.” <br></li><li>In 2017, women working for U.S. Congress were “making fresh allegations of sexual harassment against unnamed members,” according to CNN. The Office of Compliance, which handles harassment complaints against members of Congress, paid victims more than $17 million, in 268 settlements, from 1997 to 2017 — including claims for racial, religious, or disability-related discrimination. <br></li><li><a href="http://thehill.com/" rel="nofollow">TheHill.com</a> recently reported that “state legislatures across the country have reeled in recent months under allegations that legislators harassed or assaulted staff, lobbyists, and even colleagues.” The website noted that more than a dozen have resigned, and some have been expelled.<br></li></ul></td></tr></tbody></table>Russell A. Jackson
Editor's Note: Where Have All Our Heroes Gone https://iaonline.theiia.org/2018/Pages/Editor's-Note-Where-Have-All-Our-Heroes-Gone.aspx<p>My day ended yesterday with the news that Bill Cosby was found guilty in his sexual assault retrial. Not surprising, but discouraging, as I grew up watching America’s dad, Cliff Huxtable. I woke up this morning to the news that yet another iconic television news anchor has been accused of sexual harassment. I used to watch Tom Brokaw every night and have always admired him. </p><p>Many of my beliefs from adolescence have been shattered lately, probably because I was taught to respect those in authority. But perhaps the biggest blow to my beliefs was the recent accusations leveled at my alma mater, Michigan State University (MSU). This university has been a huge part of my life. I learned so much from the incredible professors in the School of Journalism. Beyond that, I have two nephews who currently attend the university and numerous family members who went there. My family cheers for MSU and considers its teams our teams, even though we’ve lived in Florida for nearly 20 years. I have an MSU flag flying outside my house. (You get the picture.)</p><p>The Larry Nassar story is beyond horrifying, and it breaks my heart that it happened at MSU. It would be bad enough if the story ended with Nassar, but it doesn’t. MSU’s former dean of the College of Osteopathic Medicine William Strampel reportedly failed to ensure restrictions were put on Nassar’s practice following a 2014 abuse complaint and now faces charges of sexual misconduct himself. After this and more came to light, I had hope that MSU’s interim president, John Engler, would enact the changes necessary to make MSU whole again. However, he’s now being criticized for his response to survivors, and there are calls for him to step down. 
</p><p>As this Editor’s Note was going into production, the <em>Detroit Free Press</em> reported that MSU had settled lawsuits with all 332 victims of Nassar’s assaults at a cost of nearly $500 million. Finally, some good news. The <em>Free Press</em> published a statement from the MSU Board: “We recognize the need for change on our campus and in our community around sexual assault awareness and prevention.” </p><p>It’s satisfying to see the women who have suffered sexual assault and harassment finally coming forward and getting restitution. The #MeToo movement (read <a href="/2018/Pages/Into-the-Light.aspx">“Into the Light”</a>) is forcing organizations, and internal audit, to take a closer look at sexual abuse and misconduct and how it is investigated and addressed. </p><p>Where have all our heroes gone? They’re still here. They are the women who are stepping forward and fighting back. And they are the men and women in our organizations who are listening and addressing these issues.</p>Anne Millage
