Risk and Compliance



<h1><a href="https://iaonline.theiia.org/2018/Pages/Into-the-Light.aspx">Into the Light</a></h1><p>When the dust settles, disgraced movie mogul Harvey Weinstein may actually end up helping women in the workplace. More than 85 women have come forward with their stories of sexual harassment and sexual assault at the hands of Weinstein, including retaliation in the form of blacklisting them from acting jobs for rejecting his advances.</p><p>The Weinstein scandal has become a social media firestorm that has propelled a movement, #MeToo, through thousands of tweets, Instagram posts, and press conference comments, raising the profile of sexual harassment on legislative agendas and in corporate boardrooms. Publicity around the topic is drawing attention to the risks harassment represents and the processes companies implement to manage those risks — areas where internal auditors are key players in their organizations’ harassment prevention and mitigation efforts.</p><h2>A Shift in Response</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>History of #MeToo</strong><p>Corporations addressing the risks represented by sexual harassment can thank civil rights activist Tarana Burke for spurring the improvements they’re making. She first used “Me, Too” in 2006 as shorthand for efforts to unify behind changing the harassment paradigm. In 2017, she was among the “Silence Breakers” Time named as “Person of the Year.” Actress Alyssa Milano took a friend’s advice to flood Twitter with the phrase, urging women who’ve been harassed or assaulted to retweet the two words. Her effort generated more than 200,000 responses in 24 hours. It became a top topic on Facebook, and Time’s Up, a defense fund and pressure group, formed to keep the message moving.</p></td></tr></tbody></table><p>Is the definition of <em>sexual harassment</em> changing? Betty McPhilimy, retired chief audit executive (CAE) at Northwestern University in Evanston, Ill., says no. Rather, “clarity is setting in.” Personal workplace priorities haven’t changed, either, she adds: “Everyone wants to be treated with respect.”</p><p>Brian Koegle, a partner in the employment and labor law department of the Los Angeles office of Poole & Shaffery LLP, agrees. “Legally speaking, the definition of <em>harassment</em> in the workplace has not changed,” he says. “It does evolve, but there have been no material changes to the definition or to how it’s interpreted under federal or state law for the better part of 15 years.”</p><p>What’s recently changed is the mix. “From the late 1980s until about 10 months ago, the most prevalent legal claims involved harassers creating hostile work environments,” Koegle says. “But now the overt, obscene cases are coming up more frequently, which we hadn’t seen for years until the Weinstein scandal broke.” He attributes this to the empowerment movement the scandal has spawned, where “women are feeling strong enough to come forward and say what’s actually happening after decades of fearing being blackballed.” The change, he adds, is especially evident in Hollywood, where there’s a groundswell of support. “It’s a social norm shift, rather than a legal shift.”</p><p>“Corporate response is changing, with more attention and responsibility focused on harassment issues and policies,” says Bettina Deynes, chief human resources officer at the Society for Human Resource Management, in Alexandria, Va.
“The acceptance of primary responsibility for policy and enforcement by management is also increasing.” Human resources, she adds, must “create and publish policies that are clear and effective and that have strict penalties for unacceptable behavior.” It also must be simpler and less intimidating to report incidents of sexual harassment. “It’s a necessity,” she stresses, because “the risks of sexual harassment — lawsuits, internal conflicts, and employee terminations — are increasing.”</p><h2>Cases Are Climbing</h2><p>While the U.S. Equal Employment Opportunity Commission (EEOC) has not reported a surge in the number of harassment claims, Koegle says that it’s been exactly the opposite. “We’ve conducted more workplace investigations in the last four months than in the last five years, and we’re seeing more written in journals on harassment,” he says. There may be an explanation for the EEOC’s numbers, according to Robin Shea, an attorney with the Encino, Calif., firm Constangy Brooks Smith & Prophete LLP. In a blog post, Shea says the EEOC reporting period ended Sept. 30, before #MeToo gained prominence. “Brace yourself for 2018,” she says in the blog. “Retaliation was the most common claim in 2017, and pre-litigation monetary relief in harassment charges was at its highest since 2010.”</p><p>As women read more #MeToo stories, some may realize that an incident in their past — that at the time they felt was inappropriate — was, in fact, sexual harassment. Social media is causing the estimated 85 percent to 95 percent of women who don’t report the incident when it happens to reflect and come forward with their own stories. “I look back and I’m dumbfounded that I didn’t leave or tell someone,” says Tori Reid, a West Hollywood, Calif.-based actress, writer, and producer who grew up in a show business family. “I didn’t have kids to raise. I wasn’t desperate to keep the job. I guess I didn’t realize it was harassment. 
On a certain level, in the back of your mind, it’s the way we’ve known the entertainment workplace to be.” She avoided the worst of it. “Sixty percent of the work was making sure my boss didn’t put his hands on me,” she says. “I was dodging and ducking.” This year, she participated in the #MeToo unity demonstration at the Golden Globe Awards.</p><p>Harassment victims have testified about “slaps on the butt, repeated comments about breast size, and requests for sex,” a <em>Kaiser Health News</em> report found. And men are victims, too. A 1998 U.S. Supreme Court ruling in <em>Oncale v. Sundowner Offshore Services Inc.</em> said same-sex harassment of both sexes is actionable, and juries have held women responsible for harassing men.</p><h2>What's at Risk</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>More about sexual harassment in the workplace:</strong><ul><li><a href="/2018/Pages/MeToo-Felt-Far-and-Wide.aspx">#MeToo Felt Far and Wide</a> – Organizations are addressing sexual harassment.</li><li><a href="/2018/Pages/A-Fish-Rots-From-the-Head-Down.aspx">A Fish Rots From the Head Down</a> – Sexual harassment mitigation must be dealt with at the top.</li></ul></td></tr></tbody></table><p>Regardless of gender, this behavior has “a cumulative long-term negative impact on performance,” says Ed Lynch, assistant professor in the Department of Accounting at California State University at Fullerton’s Mihaylo College of Business and Economics. According to the Washington, D.C.-based National Women’s Law Center (NWLC), “victims suffer profound economic and emotional harm” — and its physical manifestations.
Up to 70 percent of women and 45 percent of men have experienced harassment, University of Maine sociologist Amy Blackstone recently told <a href="http://livescience.com/" rel="nofollow">livescience.com</a>. Many victims feel self-doubt that turns into self-blame, which then turns into depression — and, for some women, post-traumatic stress disorder. Harassment has been tied to a range of stress-like physiological reactions, including sleep disturbances, neck pain, increased risk of cardiovascular disease, and, in extreme cases, increased risk of suicide. </p><p>The primary effects can destroy economic and career well-being. The New York Times examined the damage that fear of harassment allegations can cause to mentor-like relationships young executives develop with senior leaders. “All too often, we wind up prosecuting the victim as much as the alleged harasser,” Koegle points out, “with all the gossip and innuendo that can surround workplace harassment allegations.” One of the most important elements of an investigation, he says, is “making sure victims feel the company is supporting them, that someone’s got their back, and that nothing happens to them that’s retaliatory.”</p><p>There should be greater transparency in complaint handling, Lynch says, including how companies develop codes of conduct and related training and how they craft policies for follow up. He argues that transparency “enables the identification of prevention best practices” and outweighs any risk of reputation damage, which actually acts as an incentive for change.</p><h2>Employers' Risks Rising, Too </h2><p>In fact, organizations risk image damage anyway. “The primary risk is reputation,” says Robert Kuling, a partner in Enterprise Risk Services at Deloitte Canada in Calgary. 
“Getting into the public domain with issues around discrimination and harassment can absolutely destroy a company’s brand and trust.” For example:</p><ul><li>Weinstein’s studio has filed for bankruptcy, CNN reports, and terminated all confidentiality agreements that had kept more people from coming forward. Lantern Capital Partners agreed to acquire the studio after a separate deal to sell the assets fell apart.</li><li>The CBC News website reported that Toronto’s Soulpepper Theatre Co. lost $375,000 in planned federal funding after its artistic director, who resigned, was accused of sexual misconduct and harassment by four actresses. The women are suing for $4.25 million in damages from Soulpepper and $3.6 million from the executive. Canada’s Heritage Minister told CBC News that arts organizations lacking best practices for harassment and bullying also may be blocked from future funding.</li><li>After sexual harassment allegations targeted former CEO Steve Wynn, the <em>Boston Herald</em> reported that a casino under construction there would probably not carry Wynn’s name. Wynn stepped down and sold his shares, but the allegations caused Wynn Resorts stock to plummet. Wynn reportedly settled one harassment suit for $7.5 million; regulators in Nevada and Massachusetts and in Macau, China, are examining the company.</li></ul><p>The secondary risk organizations face is civil litigation saying the company didn’t do an appropriate job of providing a safe workplace, Kuling says. The government of Alberta recently amended safe workplace legislation to include mitigating the risk of discrimination and harassment, for example. “Harassment can be treated as a workplace injury,” he explains, creating regulatory risk as organizations prepare for and comply with their obligations under the law.
</p><p>The third risk that’s developing, Kuling adds, “is where internal auditors can do a much better job: employee turnover.” People who don’t report harassment may just leave, he explains, and not mention the reason during exit interviews. But when internal audit conducts culture assessments, investigators “might get indicators of harassment and discrimination issues,” he says, adding that “the professional skepticism of internal auditors has to come to the forefront. That data could then inform future audits of turnover statistics.”</p><p>An ongoing culture of harassment and discrimination, Kuling argues, even if localized to a department, “is going to be hard to hide.” Lynch agrees and adds that internal audit should be prepared to identify and report suspicious behavior while working every assignment. “The nature of internal audit brings the auditor in contact with a wide range of employees,” Lynch says. “Every internal auditor should receive training on identifying evidence of sexual harassment, or a failed reporting mechanism, and every audit report should provide an opportunity for the auditor to comment on compliance with the code of conduct.”</p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><strong>How Internal Audit Can Help Address Sexual Harassment Risks</strong><p>Internal audit has a responsibility to provide assurance that risks around sexual harassment policies, procedures, and reporting are being managed.</p><ul><li>Follow U.S. Equal Employment Opportunity Commission guidance, <em>Proposed Enforcement Guidance on Unlawful Harassment</em> (January 2017), which sets the expectation that employers are being proactive in eliminating workplace harassment. It also outlines five core principles that have proven effective.</li><li>Make sure there is a written policy on how to handle harassment, discrimination, or retaliation claims. The absence of a written policy almost automatically triggers liability, Brian Koegle says. Policies need to address everybody in the liability universe — full-time and part-time employees, independent contractors, vendors, and clients who each pose some risk of potential liability.</li><li>Make sure company codes of conduct include examples of inappropriate behavior, Ed Lynch advises. Relevant examples are critical, he says, “because they serve as bright lines and consequently need to be continuously updated to reflect the changing work environments within each company.”</li><li>Human resources should conduct training and communicate to employees about how and where to report sexual harassment. Even with policies in place, not everyone knows the process for reporting.</li><li>Make sure there is an anti-retaliation policy. Inform personnel that the hotline may be used not only for obtaining information and reporting concerns, but also for reporting issues of retaliation. The code of conduct should plainly state that retaliation against anyone reporting harassment in good faith is a significant, punishable violation.</li><li>Compliance isn’t enough. Testing the effectiveness of compliance programs is another step, and leveraging them to mitigate underlying risk is still another. That’s part of the reason The Committee of Sponsoring Organizations of the Treadway Commission has an internal controls framework and an enterprise risk management framework.</li><li>Internal audit or the chief compliance officer should report on the effectiveness of a company’s hotline to the audit committee. “Having lines of communication and, ultimately, an objective, confidential hotline process to lodge concerns to someone from outside that unit who will investigate is a critical control,” Betty McPhilimy says. “You don’t want hotline complaints squelched by a senior manager. They should go up to the board so people feel the hotline is a credible resource.”</li><li>Don’t reinvent the controls wheel. Risk management around harassment usually requires no new tools. An organization’s performance reviews, open-door policies, escalation procedures, ombudsmen, incentives, disciplinary action procedures, and ethics and compliance hotlines are all designed to accommodate anything that comes up, including sexual harassment.</li></ul></td></tr></tbody></table><h2>Being Proactive</h2><p>Organizations need to act, Kuling stresses. “Boards of directors need to have conversations with executive leaders around the culture of their organizations, and then be prepared to invest time and resources to seek assurance that these risks are being managed appropriately.” Deynes adds: “Internal audit can assist human resources in designing processes that confidentially discover existing problems and report them to the appropriate internal or external authorities. Legal can and should provide all necessary avenues for the execution of severe internal penalties and external prosecution for offenders.”</p><p>But organizations must ensure they don’t attack harassment with processes that simply separate the sexes. <em>The New York Times</em> reported that “some male investors have declined one-on-one meetings with women or rescheduled them from restaurants to conference rooms” because they worry about comments being misunderstood and becoming career-enders.</p><p>“That’s bad,” says Phyllis Hartman of PGHR Consulting Inc. in Freedom, Pa.
“Clearly, we have to work together, and we’ve got to help people communicate respectfully, even when perceptions differ as far as how and when to say ‘lay off’ and end it then and there.” When managers say they’re afraid to talk to female employees, she tells them: “You probably can’t get into trouble talking about work. It’s highly unlikely you’ll be falsely accused.” And if a woman finds herself in a situation where she is “systematically excluded from important meetings and opportunities” or if her supervisor acts “in ways that adversely affect her advancement opportunities, learning opportunities, and so on,” she could legally claim discrimination under the Civil Rights Act of 1964. </p><h2>Handling Harassment </h2><p>What happens after sexual harassment is reported is critical, and internal audit has an important role in ensuring retaliation isn’t tolerated. Those acts, the NWLC points out, include a reprimand or other discipline, including termination; transfers to less-desirable positions or work schedules; and threats to report people to law enforcement based on immigration status. In some cases, just the threat of being penalized for speaking up constitutes retaliation, because the risk of career damage or being labeled a troublemaker is real. </p><p>Enforcement varies by jurisdiction. In Europe, member states are bound by the European Commission’s Directive 2006/54/EC, which defines sexual harassment as conduct intended to “violate the dignity of a person by creating an intimidating, hostile, degrading, humiliating, or offensive environment,” and Directive 2012/29/EU, which requires “assessments to determine if victims are at risk of retaliation” — and calls on employers to “offer appropriate measures to protect them.” In the U.S., claims of workplace harassment and retaliation are handled differently by state. 
California, for example, is particularly aggressive, maintaining “an affirmative legal obligation to protect victims from retaliation,” Koegle says. “This includes requiring employee handbooks to address with specificity what you do to investigate, remediate, and prevent acts of retaliation.”</p><p>A recent Harris Poll/CARE survey found that sexual harassment in the workplace isn’t illegal in nearly one-third of the world. One-third of respondents in India said it’s acceptable to whistle at colleagues, about the same as the portion of U.K. respondents from 25 to 35 who think touching a co-worker’s buttocks is fine.</p><h2>Addressing the Future</h2><p>Rehabilitation also is an important process concern, Hartman points out. In most cases, victims don’t want the accused fired; they just want the behavior to stop. But returning an accused executive to meaningful leadership “takes a lot of work,” she says. “You have to help both parties deal with this, making sure perpetrators understand what they did wrong.” For victims, counseling is a good place to start, according to research published in <em>Psychotherapy: Theory, Research, Practice, Training</em>, the journal of the American Psychological Association. But the specifics, says Kuling, are best determined case by case. “The complainants are the best source of what constitutes adequate resolution,” he says.</p><p>Counseling often helps the alleged perpetrators, too. Hartman has coached executives accused of inappropriate behavior whose companies felt they could be rehabilitated, often as a condition of returning to their former posts, and she stresses that success is situational, depending on what happened, how the two parties work together, and what the workplace is like.
</p><h2>Staying Focused</h2><p>It may trace its roots to a little hashtag and just five letters, but the media movement behind workplace sexual harassment has “helped organizations pay attention and give it serious thought,” McPhilimy says — and that implicates internal audit. “Part of internal audit’s role is looking for risks in human resources and employment,” she explains. “We have a big role to play in ensuring controls are in effect in hiring, managing, and evaluating personnel and ensuring effective interactions.” Essentially, that means making sure there are training programs, policies, and procedures that are documented, current, and effective. That’s a role internal audit always plays, of course. “It’s just that in the past, internal audit wasn’t so focused there,” she adds. “Maybe senior management didn’t think of internal audit as an effective tool for determining if there are problems in such areas. Particularly as it becomes a higher profile risk, though, that’s something internal audit should address with senior management.”</p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p><strong>Harassment Doesn't Discriminate</strong></p><p>Most types of workplaces have faced harassment challenges, including universities, hospitals, and government.</p><ul><li>Higher education has taken more than one hit in cases that go far beyond harassment. Michigan State University (MSU) faces recurring headlines related to assault complaints against disgraced former staff and Olympic gymnastics team physician Larry Nassar and other school officials. Johns Hopkins University paid almost $200 million to about 8,000 former patients of deceased gynecologist Nikita Levy to settle 2014 charges involving his use of a concealed camera to photograph them during exams. And at Pennsylvania State University, the conviction of former president Graham Spanier and a new movie about former head coach Joe Paterno have kept alive the sexual misconduct case against former assistant coach Jerry Sandusky.</li><li>A 2016 Research Letter published in the <em>Journal of the American Medical Association</em>, “Sexual Harassment and Discrimination Experiences of Academic Medical Faculty,” reports that 30 percent of women on medical faculties experience sexual harassment. Its author says, “harassment is more common in fields where there are strong power differentials.”</li><li>In 2017, women working for U.S. Congress were “making fresh allegations of sexual harassment against unnamed members,” according to CNN. The Office of Compliance, which handles harassment complaints against members of Congress, paid victims more than $17 million, in 268 settlements, from 1997 to 2017 — including claims for racial, religious, or disability-related discrimination.</li><li><a href="http://thehill.com/" rel="nofollow">TheHill.com</a> recently reported that “state legislatures across the country have reeled in recent months under allegations that legislators harassed or assaulted staff, lobbyists, and even colleagues.” The website noted that more than a dozen have resigned, and some have been expelled.</li></ul></td></tr></tbody></table><p>Russell A. Jackson</p>
<h1><a href="https://iaonline.theiia.org/2018/Pages/Editor's-Note-Where-Have-All-Our-Heroes-Gone.aspx">Editor's Note: Where Have All Our Heroes Gone</a></h1><p>My day ended yesterday with the news that Bill Cosby was found guilty in his sexual assault retrial. Not surprising, but discouraging, as I grew up watching America’s dad, Cliff Huxtable. I woke up this morning to the news that yet another iconic television news anchor has been accused of sexual harassment. I used to watch Tom Brokaw every night and have always admired him.</p><p>Many of my beliefs from adolescence have been shattered lately, probably because I was taught to respect those in authority. But perhaps the biggest blow to my beliefs was the recent accusations leveled at my alma mater, Michigan State University (MSU). This university has been a huge part of my life. I learned so much from the incredible professors in the School of Journalism. Beyond that, I have two nephews who currently attend the university and numerous family members who went there. My family cheers for MSU and considers its teams our teams, even though we’ve lived in Florida for nearly 20 years. I have an MSU flag flying outside my house. (You get the picture.)</p><p>The Larry Nassar story is beyond horrifying, and it breaks my heart that it happened at MSU. It would be bad enough if the story ended with Nassar, but it doesn’t. MSU’s former dean of the College of Osteopathic Medicine William Strampel reportedly failed to ensure restrictions were put on Nassar’s practice following a 2014 abuse complaint and now faces charges of sexual misconduct, himself. After this and more came to light, I had hope that MSU’s interim president, John Engler, would enact the changes necessary to make MSU whole again. However, he’s now being criticized for his response to survivors and there are calls for him to step down.</p><p>As this Editor’s Note was going into production, the Detroit Free Press reported that MSU had settled lawsuits with all 332 victims of Nassar’s assaults at a cost of nearly $500 million. Finally, some good news. The Free Press published a statement from the MSU Board: “We recognize the need for change on our campus and in our community around sexual assault awareness and prevention.”</p><p>It’s satisfying to see the women who have suffered sexual assault and harassment finally coming forward and getting restitution. The #MeToo movement (read <a href="/2018/Pages/Into-the-Light.aspx">“Into the Light”</a>) is forcing organizations, and internal audit, to take a closer look at sexual abuse and misconduct and how it is investigated and addressed.</p><p>Where have all our heroes gone? They’re still here. They are the women who are stepping forward and fighting back. And, they are the men and women in our organizations who are listening and addressing these issues.</p><p>Anne Millage</p>
<h1><a href="https://iaonline.theiia.org/2018/Pages/A-Fish-Rots-From-the-Head-Down.aspx">A Fish Rots From the Head Down</a></h1><p>"No organization is squeaky clean," notes Betty McPhilimy, retired chief audit executive at Northwestern University in Lake Forest, Ill. "But if leadership is suspect, as far as not doing the right thing or only doing it when people are watching, the organization tends to take on the culture at the top." Harassment mitigation "can't play out at a manager level," she emphasizes. "It's got to be the same up and down. If not, your shield has a bunch of cracks in it."</p><p>That's why so many president-level executives resign amid harassment scandals: Organizations need substantive visual change, even if no one ever proves the executives knew what was happening. "Everyone generally realizes it's difficult to know what's going on at every single desk," McPhilimy says. "But that's what controls are for." And if the allegations concern more than a one-time incident, people assume that's how the organization runs — so "if you put in new leaders, people feel vindicated and you don't taint the new leaders with the sins of the past."</p><p>For the accused, there's no "innocent until proven guilty" in civil suits, explains Brian Koegle, a partner in the employment and labor law department of the Los Angeles office of Poole & Shaffery LLP. "The presumption of innocence is a construct of criminal law," he says. You're not found "guilty" in a civil case, you're found "liable," and your burden of proof is 50 percent plus one. He adds, "I would argue that in this climate, you're presumed guilty. If someone had the fortitude to come forward with a claim of harassment, juries are primed to believe that person is telling the truth." Particularly when numerous accusers come forward and social media rapidly publicizes accusations.</p><p>Russell A. Jackson</p>
<h1><a href="https://iaonline.theiia.org/2018/Pages/Protecting-Employees.aspx">Protecting Employees</a></h1><p>Ask any CEO what the organization's most important asset is, and he or she will likely answer that it's the business' employees. Employees make the cash register ring, invent new products and services, and help meet the needs of the organization's customers and market.</p><p>Yet too often, when chief audit executives (CAEs) are asked what organizational asset they most commonly audit, their answers include inventory, fixed assets, receivables, and petty cash. They are far less likely to audit processes for protecting employees.</p><p>CAEs can help their organization create a safer workplace by auditing the processes in place for protecting the organization's employees, contractors, vendors, and other third parties on the job. They can start by better understanding the emotional, physical, and financial risks that put workers' well-being in danger and developing a plan to evaluate the related business processes.</p><h2>Workplace Behavior</h2><p>Of the many troubling events that came to light in recent years, perhaps the most significant was the glaring inability of many organizations to protect their employees from the inappropriate behaviors of others at work. In terms of personal risks, two behaviors stand out: inappropriate sexual behavior and bullying.</p><p>Inappropriate sexual behavior includes leering inappropriately, standing too close to others, and touching others in ways that make them uncomfortable — or worse. Nonphysical bad behaviors include telling sexually explicit jokes, using sexual anecdotes, and sharing pornographic images.</p><p>The Workplace Bullying Institute (WBI) defines <em>workplace bullying</em> as abusive conduct that either threatens, humiliates, or intimidates co-workers, and other behaviors, such as verbal abuse or sabotage, that interfere with a co-worker's ability to perform his or her responsibilities.
A 2017 WBI study notes that 19 percent of U.S. adults have experienced abuse and 37 percent, including witnesses, have been affected by it.</p><p>Internal auditors can help their organization prevent or detect inappropriate workplace behavior. Practitioners who have audited ethics processes should know to evaluate whether the organization has a code of conduct that highlights inappropriate workplace behavior. That code should provide information on how to report that behavior and detail its consequences. In addition to confirming that the CEO and senior management clearly and frequently communicate this message, internal auditors should evaluate whether middle managers are doing the same.</p><p>The audit scope also should include evaluating the channels available for employees to report inappropriate behavior. Auditors should determine whether the organization has a hotline, if employees are aware of it, and whether they can report anonymously or without fear of negative repercussions. Are hotline calls addressed in a timely manner, investigated thoroughly, and resolved? Are the CEO and the relevant board committee periodically receiving information on hotline awareness, calls, and related investigations?</p><h2>Physical Protection</h2><p>The impact of high-profile events such as the BP oil spill and shootings at businesses, schools, and universities put organizations on notice about the importance of physical safeguards to protect employees. But it is not just low-likelihood, high-impact events that can result in workers being hurt, hospitalized, disabled, or even killed.</p><p>Organizations sometimes put their employees at risk because of unsafe working conditions. This is especially true for employees who operate heavy equipment and machinery, work in construction zones, or work with or near hazardous materials.
Organizations also may fail to protect their employees if they are not prepared for events such as tornadoes, hurricanes, geopolitical unrest, and violent acts by employees or others. </p><p>Internal auditors can perform many types of audits to evaluate how these security risks are being managed. Auditing to U.S. Office of Health and Safety Administration standards can help identify safety issues in different working conditions and whether workers are following generally accepted safety standards when working in high-risk areas. </p><p>Part of an organization's business continuity program should proactively identify the risks from natural disasters and terrorist incidents. The program also should determine whether employees are aware of, and trained on, the organization's crisis management plans. Internal auditors can leverage the ASIS physical security framework or the International Organization for Standardization's ISO 27001 standard on information security management to evaluate the mechanisms in place to deter or detect potential intruders. Moreover, they can recommend managing or restricting access to areas that may harm employees. </p><p>One way CAEs can focus the CEO's attention on employee safety is to remind executives that their own safety is at risk. They should evaluate the security measures in place to protect top executives and their families from being kidnapped or held for ransom.</p><h2>Data Privacy </h2><p>Loss and theft of employee data, including names, Social Security numbers, email addresses, and banking information, puts employees at serious risk of identity theft and fraud. This data allows criminals to take advantage of unaware employees by creating credit card or loan accounts in their names, or collecting medical payments or Social Security benefits. Hackers use sophisticated cyberattacks to steal employee data in bulk or use phishing tactics to steal it from individuals. 
Employee data also is at risk from other workers who have access to it and intend to misuse it.</p><p>Perhaps the easiest way a CAE can help protect employee data is to carry out a data governance and management project. Internal auditors can document what employee data their organization has, where it is located — such as in paper records or on the network — who has access to it, and the controls in place to prevent or detect unauthorized access.</p><p>Evaluating the organization's records management program can add value if employee data is stored in physical documents. Other audits include access-rights reviews of applications and systems that store sensitive employee data, and cybersecurity audits that evaluate how effectively an organization's network protects employee data and detects cyberattacks.</p><h2>A Top Risk</h2><p>Successful organizations understand it's their workers who make them thrive. Unsafe working conditions will make key employees flee, with lower revenues and margins quick to follow. Organizations with effective processes to protect their employees can experience higher employee morale and increased productivity. They also may be less likely to pay fines for noncompliance with related laws and regulations, better ensure the continuity of operations, and prevent damage to their reputation. </p><p>If people are an organization's most important asset, then the risks posed to those people should be among the top risks in the business. Internal auditors who can shed light on these risks and how well-controlled these processes are can gain their CEO's and board's attention and support. </p><p>Tom O'Reilly</p>
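<p>The Data Privacy section of "Protecting Employees" lists what an auditor documents: which systems hold employee data, where they are, who has access, and which preventive and detective controls exist. The Python script below is an added example, not code from the article or from The IIA, that turns that checklist into an access-rights review over a constructed inventory. The system names, roles, user names, the permitted-role list and the 90-day dormancy threshold are all assumptions made for the example.</p>

```python
"""Access-rights review over an employee-data inventory (added example).

Given an inventory that records which systems hold which employee data
elements, what controls they have, and who has been granted access, flag
the points the article says an auditor should check: where sensitive data
lives, who can reach it, and whether preventive and detective controls
are in place. All systems, roles and people below are constructed sample data.
"""
from dataclasses import dataclass

# Data elements the article names as high-risk for identity theft and fraud.
SENSITIVE = {"ssn", "bank_account", "date_of_birth"}

# Hypothetical policy: only these roles may access sensitive employee data.
ALLOWED_ROLES = {"hr_admin", "payroll_admin"}


@dataclass
class System:
    name: str
    storage: str            # "paper" or "network"
    data_elements: set
    encrypted_at_rest: bool  # preventive control
    access_logged: bool      # detective control


@dataclass
class Grant:
    user: str
    role: str
    system: str
    last_login_days: int    # days since the account was last used


def holds_sensitive(system: System) -> bool:
    """True if the system stores at least one high-risk data element."""
    return bool(system.data_elements & SENSITIVE)


def review(systems, grants, dormant_after_days=90):
    """Return findings as (severity, system, detail) tuples."""
    by_name = {s.name: s for s in systems}
    findings = []
    # Control checks: only systems holding sensitive data are in scope.
    for s in systems:
        if not holds_sensitive(s):
            continue
        if s.storage == "network" and not s.encrypted_at_rest:
            findings.append(("high", s.name, "sensitive data stored unencrypted"))
        if not s.access_logged:
            findings.append(("medium", s.name, "no access logging (no detective control)"))
    # Access checks: who can reach sensitive data, and are the accounts live.
    for g in grants:
        s = by_name.get(g.system)
        if s is None or not holds_sensitive(s):
            continue
        if g.role not in ALLOWED_ROLES:
            findings.append(("high", s.name,
                             f"{g.user} ({g.role}) has access outside permitted roles"))
        if g.last_login_days > dormant_after_days:
            findings.append(("low", s.name,
                             f"{g.user} account dormant for {g.last_login_days} days"))
    return findings


# Constructed sample inventory; not real systems or people.
SAMPLE_SYSTEMS = [
    System("hris", "network", {"name", "ssn", "date_of_birth"}, True, True),
    System("payroll_share", "network", {"name", "bank_account"}, False, False),
    System("personnel_files", "paper", {"name", "ssn"}, False, False),
    System("intranet", "network", {"name", "email"}, False, False),
]
SAMPLE_GRANTS = [
    Grant("alice", "hr_admin", "hris", 3),
    Grant("bob", "it_helpdesk", "hris", 10),
    Grant("carol", "payroll_admin", "payroll_share", 200),
    Grant("dave", "marketing", "intranet", 5),
]


def sample_findings():
    """Run the review over the constructed inventory."""
    return review(SAMPLE_SYSTEMS, SAMPLE_GRANTS)


if __name__ == "__main__":
    for severity, system, detail in sample_findings():
        print(f"[{severity:6}] {system}: {detail}")
```

<p>Run as a script it prints one line per finding; in practice the inventory would be exported from the HR system, file-share permissions and the identity directory rather than typed in, and the permitted-role list would come from the organization's own access policy.</p>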
<h1><a href="https://iaonline.theiia.org/2018/Pages/Risk-Consumption.aspx">Risk Consumption</a></h1><p>The concepts of risk appetite and risk tolerance were introduced in 2004 in The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) <em>Enterprise Risk Management–Integrated Framework</em>. Specifically, COSO defines <em>risk appetite</em> as "the amount of risk — on a broad level — that an entity is willing to accept in pursuit of value." Naturally, organizations will have different risk appetites depending on their industry, management philosophy, operating style, culture, and objectives. Therefore, a range of appetites potentially exists for distinct risks, which may change over time. It is conceivable that organizations with separate business segments with various operations or subsidiaries operating in differing industries will have varying levels of risk appetite. In pursuing diverse business objectives, organizations should broadly understand the risk they are willing to undertake.</p><p><em>Risk tolerance</em> is the acceptable range of variation in the achievement of objectives. Both quantitative and qualitative measures are recommended when evaluating risk tolerance. And while risk appetite is about the pursuit of risk, risk tolerance is about what an organization can actually cope with at a more granular level. There is a lot of confusion surrounding risk appetite and risk tolerance, providing an opportunity for internal auditors to educate organizational stakeholders and facilitate risk measurement and management. </p><h2>An Updated Risk Framework</h2><p>COSO's 2017 framework update, <em>Enterprise Risk Management–Integrating With Strategy and Performance</em>, likely will create a heightened expectation for risk and compliance functions. Internal auditors are expected to educate executive management and the board in this area and to apprise them of key enterprise risk management (ERM) developments. 
COSO's 2017 ERM revision appropriately reflects the growing realities of the complexities and speed of risks in the global business environment and the need to integrate risk considerations with strategy and performance. Internal audit is positioned to provide an assessment of the propriety of the measures of the organization's risk appetite and tolerance. </p><p>The 2008 financial crisis and the subsequent recovery highlight how some of the largest corporations defined and measured their areas of risk and related appetite for risk, but still experienced massive business failures due to their risk management systems crashing. Many of the failures can be attributed to the lack of understanding about the level of risk tolerance an organization can truly accept. Despite setting clear goals, there may not have been any articulation of risk appetite or identification of those responsible when risks were incurred. Since the recovery, organizations have developed even more systems to address and measure their level of risk appetite, but a disconnect continues to exist as to how much risk tolerance the organization can truly accept — despite the proliferation of chief risk officers in certain industries.</p><h2>Internal Audit's Role </h2><p>​As the independent function within an organization, internal audit ideally is positioned to assess what level of risk tolerance is truly being accepted by an organization. The unique relationship that internal audit has with operational management, senior management, and the board of directors allows for unbiased reporting of risk appetite and the level of tolerance that can be accepted. </p><p>Over the years, organizations were more aligned with documenting and reporting what their risk appetite was and did not extend that to the level of risk tolerance the organization might accept. In other words, organizations became adept at measuring the size of the risk meal, but not the potential consequences of consuming the whole meal. 
Taking that analogy further, overconsumption typically leads to indigestion — and it may lead to dire consequences for the organization. </p><p>Addressing risk appetite and risk tolerance under the updated COSO ERM framework leads the internal auditor toward a matrix reporting of the organization's risk areas, risk appetite, and risk tolerance. Today, many internal audit functions use reporting tools such as heat maps, which can be adjusted to include qualitative and quantitative measures, enhanced visual presentations, and other forms of output indicating the potential risk tolerance outcomes the organization accepts. </p><p><img src="/2018/PublishingImages/Ramamoorti_SampleMatrix.jpg" class="ms-rtePosition-2" alt="Sample Matrix of Risk Reporting Within Organizations" style="margin:5px;width:530px;height:261px;" />A matrix reporting structure allows for a more robust picture of risk within the organization to senior management and the board. It includes results of internal audit testing presented by functional and business areas (See "Sample Matrix of Risk Reporting Within Organizations" at right). A risk issue in purchasing would be reported not solely for purchasing, but also for manufacturing and finance to reflect the wider impact to the organization. Further, this reporting would provide both quantitative and qualitative risk tolerance and risk appetite assessments and indicate whether additional action may be required. To illustrate, an automotive parts manufacturer provides its purchasing department the forecast for its aluminum raw material needs for the next six months. Purchasing is rewarded based on the level of cost controls over major essential purchases and in preventing stockouts of essential purchases. Suppose the purchasing department buys double the amount requested because the supplier offered a special volume discount. On the surface, the organization would have viewed its level of risk appetite in purchasing as low because raw materials are readily consumed. 
However, the level of risk tolerance being accepted by allowing the purchasing department to overstock has qualitative issues (e.g., rewards based on cost and on preventing stockouts). From a quantitative standpoint, the risk tolerance may be unacceptable given that the over-ordering of aluminum could lead to cash flow problems for payment, logistics costs for storing excessive amounts of inventory, and plant efficiency issues because of the space taken up by excess inventory. Reporting of this qualitative excess of risk appetite to purchasing, manufacturing, and finance would bring the wider effects into sharp relief. Given the integrated nature of manufacturing operations and incentive compensation systems, such effects must be carefully considered before taking action. </p><p>Frequently, the results of internal audit reporting require management to address risk appetite in a cross-functional manner. For instance, an acceptable level of risk appetite in purchasing may be unacceptable in finance. Although the planning phases of ERM typically may involve executive management across functions, this may not be true when results of risk assessments or findings are shared. A concerted effort should be made to share these results broadly to avoid narrow acceptance of findings and unintended consequences. In other words, the same breadth of organizational input that went into planning should exist when evaluating the output and outcomes as well. </p><h2>A Complex Assessment</h2><p>The basic risk-reward theory from financial economics informs us that assuming a certain threshold of calculated risk is necessary for business success. Once a certain level of risk within the risk appetite has been assumed, the next step is to worry about how much more risk can be tolerated. Business environments globally are dynamic and ever-changing. 
As such, both risk appetite and risk tolerance must be evaluated in the context of a shifting landscape, tracking a constantly moving target — a complex assessment that is easier said than done. </p><p>Specifically, with regard to risk management policies, reference points, and boundaries, the internal audit function must evaluate existing risk tolerance and risk acceptance relationships to determine whether:</p><ul><li>Existing risk tolerances are appropriately linked to the organizational risk appetite.<br></li><li>Additional risk tolerances need to be created to ensure that the business is effectively managed relative to the risk appetite.<br></li><li>The company is operating within the risk tolerance parameters that it has established.<br></li></ul><p>Once it has completed the risk assessment, internal audit then must communicate its findings to help senior management and the board understand the company's current state. Reporting in a matrix format with assessment of risk tolerance and risk appetite by affected functional areas is useful to allow management to address issues in a more holistic manner. For board and audit committee reporting, the need is to be more concise and direct as to where quantitative or qualitative risk tolerance and appetite areas seem problematic (flag as red), could be cautionary (flag as yellow), or appear acceptable with no items to report or no action required (flag as green). Some boards and audit committees might only want to see items flagged as red or yellow to avoid information overload — critical due to myriad challenges that many organizations face in today's volatile, global economic environment. Volatility is the new norm in today's business climate and requires, more than ever, an understanding of the relationship between an organization's level of risk appetite and its risk tolerance. 
Correspondingly, this reality also underscores the importance of continuously re-evaluating the risk appetite statement in light of changing conditions. </p><h2>Enhancing Risk Management Capabilities</h2><p>As organizations move aggressively to enhance their risk management capabilities, risk assessments of risk appetite and risk tolerance are going to assume a new and higher level of significance. While risk appetite will always mean different things to different people, a well-communicated, appropriate risk appetite statement can actively help organizations achieve goals and support sustainability. Clearly, risk management capabilities are evidenced by having disciplined and systematic ways of measuring, calibrating, and responding to risk. In today's environment, such capabilities have become indispensable. Unless internal audit coaches executive management and the board to thoroughly understand the relevance and importance of the vocabulary around risk and control, organizations will still not have learned real lessons from 2008's financial crisis.</p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p><strong>Questions for Internal Audit, Executive Management, and the Board</strong></p><p><strong>Internal audit should consider:</strong></p><ol><li><em>Quantitative and qualitative reporting:</em> As the internal audit department updates or develops its risk assessments of the organization by functional areas against pre-established criteria, does it report the level of risk appetite in both qualitative and quantitative terms?<br></li><li><em>Traffic-light indicators:</em> Are there indicators reported in the assessment of the levels (red/problematic, yellow/cautionary, green/acceptable) of risk tolerance the organization is accepting?<br></li><li><em>Variability reporting:</em> Are the levels of risk tolerance being presented in terms of variability? 
Are these within allowable bands of variation?<br></li><li><em>ERM training adequacy:</em> Are the levels of training provided for internal audit personnel and for those in governance over risk policies, management, and acceptance processes adequate?<br></li></ol><p><strong>Management should consider:</strong></p><ol><li><em>Enterprisewide risk communications:</em> Have the organization's strategies and objectives been fully communicated throughout the organization? Has this communication addressed the level of risk tolerance and risk appetite that is considered acceptable?<br></li><li><em>Cross-functional application:</em> Does management have a cross-functional opportunity to address issues raised by internal audit in its reporting of its assessment of risk tolerance and risk appetite?<br></li><li><em>Scenario analysis:</em> Does management view risk tolerance and risk appetite assessments using "what if" scenarios to consider business volatility?<br></li></ol><p><strong>The board and the audit committee should consider:</strong></p><ol><li><em>Comprehension of ERM philosophy:</em> Does the board understand the level of risk tolerance and risk appetite being accepted in the organization and as implemented by management?<br></li><li><em>Board/internal audit relationship:</em> Does the board have direct input into the level of assessment being performed by internal audit to report its results quantitatively and qualitatively?<br></li><li><em>Responsible and prudent governance:</em> Is the risk reporting in sufficient detail to allow the board to fulfill its governance responsibilities to address any concerns that could affect organizational stakeholders?<br></li></ol></td></tr></tbody></table><p>Sridhar Ramamoorti</p>
<h1><a href="https://iaonline.theiia.org/2018/Pages/An-Appetite-for-Risk.aspx">An Appetite for Risk</a></h1><p>It is a time of great change in internal auditing, and the expectations to deliver have never been higher. There are many new — and some repackaged — concepts floating around, such as audit innovation, agile auditing, becoming a trusted advisor, and strategic auditing. One thing that has not changed, however, is internal audit's desire to add value to the organization through the execution of its work, whether through assurance or consulting activities. Internal audit, more than ever, is moving into areas of the business — such as strategic planning and culture — that are more subjective and require more auditor judgment. Venturing into these areas may require auditors to recalibrate their risk appetite and accept more risk going forward. </p><p>To successfully meet the expectations of their key stakeholders, chief audit executives (CAEs) must first ensure that, foundationally, internal audit is set up for success. A key element is that the objectives of the internal audit department are clearly defined and agreed upon with stakeholders, and that the risks to achieving those objectives are clearly identified. Building the elements of risk management into the day-to-day activities of internal audit, from the overall operations of the department down to the engagement level, will ensure sustainable activity and should facilitate more agile auditing through clear understanding of risk appetites and tolerances. </p><p>Internal auditors, while having the unique position and ability to provide an opinion on the ability of others to identify and manage risk, whether strategic, operational, compliance, or financial, seem less inclined to look internally at their own risk management practices. Internal audit's appetite for risk may be too low, inhibiting agility, innovation, and the transformation of the function. 
Although there is no absolute assurance in internal auditing, it is easy to default to a risk-averse position when headlines call out internal audit specifically — Where were the auditors? — when analyzing compliance failures, cultural issues, and material weaknesses or significant deficiencies in internal control over financial reporting. </p><p>The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) updated <em>Enterprise Risk Management–Integrating With Strategy and Performance</em> provides the opportunity to take a fresh look not only at the organization's risk management practices, but also those within internal audit. Although it is directed at the enterprise level, the updated framework is scalable, and parallels can be drawn to the department or function level. </p><p>When looking at risk management within internal audit, CAEs can follow the model that the framework has established, starting with the mission, vision, and core values of the department and ending with the delivery of enhanced value through its risk management processes. </p><p><strong>Step 1 – Mission, Vision, and Core Values</strong> Internal audit should clearly articulate its mission, vision, and core values. It should start with The IIA's Definition of Internal Auditing and then survey key stakeholders to understand the expectations of the internal audit department. The mission and vision will vary by organization depending on many elements, including the industry, how highly regulated the entity is, and the overall governance structure. The mission and vision may be aspirational depending on the level of maturity of the internal audit function. The steps to achieve an aspirational mission and vision may be part of the risk profile. </p><p>The new COSO framework clearly indicates that a key component of sustainable and embedded risk management is to align with strategic objectives. 
The mission, vision, and core values are the foundation for the strategy, business objectives, and performance. Managing the risks associated with those items will drive enhanced performance. </p><p><strong>Step 2 – Define Strategy and Identify Business and Performance Objectives</strong> In identifying internal audit's business and performance objectives, there should be alignment to the organization's overall objectives and consideration of the feedback received from key stakeholders. For example, a proposed internal audit strategy could be that the function should primarily focus on compliance-related audits. The objective could be to ensure that the first — and second, if applicable — lines of defense have appropriate risk management and internal controls in place to address compliance-related risk. A risk implication of this strategy is that other risks are not covered by internal audit, as the strategy is too narrow. That risk (although not recommended) could be accepted by the appropriate stakeholder based on the governance structure in place. Clearly defining the audit strategy, and related business objectives and performance, should help facilitate audit operations and the audit plan, with all stakeholders aligned on what falls under internal audit's purview. </p><p><strong>Step 3 – Identify the Risks, Risk Appetite, Risk Tolerance, and Risk Response</strong> Internal audit should identify the risks of not achieving the determined audit strategy and business and performance objectives. For each risk, internal audit should consider its risk appetite, tolerance, and response. For example, a risk to performance of the audit plan may be lack of personnel with technical expertise in specific subject matters. The risk appetite for this situation may be relatively low, to comply with the <em>International Standards for the Professional Practice of Internal Auditing's</em> Standard 2230: Engagement Resource Allocation. 
The risk tolerance may be limited, and the likelihood of the risk occurring may be high, depending on the department make-up and audit universe. Appropriate risk responses include accept, avoid, pursue, reduce, or share. Internal audit may choose to share this risk by co-sourcing resources within the organization (as appropriate, considering independence and objectivity restrictions) or with an external subject-matter expert.</p><p><strong>Step 4 – Stakeholder Buy-in</strong> Throughout the various phases of the process, the CAE should work with key stakeholders to ensure buy-in with the finalized elements, as there is a cascading effect from the determination of the mission and vision; through the strategy, objectives, and performance; to the determination of relevant risks and the risk appetites, tolerances, and responses. The governing body, typically the audit committee, should have the final authority in concurring with the risk responses, especially when the risks are accepted. </p><p>As the internal audit risks are built out, with defined risk appetites, tolerances, and responses, this information should be distributed throughout the department to educate team members on expectations and enable them to use it to make risk-based decisions when executing audits. Defining authorities around risk decisions throughout the framework will empower the different levels within audit to make judgment calls and use critical thinking to complete audits in the most agile way. </p><p>Risk management should not be a once-a-year process, but instead continuous and evolving as necessary based on risk changes at the organizational level and within the internal audit department. The process and framework should be pliant enough to flex and pivot as needed, with clearly defined governance processes around when specific stakeholders from senior management to the audit committee need to authorize or review changes. 
Understanding internal audit's strategy and objectives, defining the risks to achieving them, and adding a new level of transparency to risk responses should facilitate internal audit's transformation into a trusted advisor and demonstrate the most effective use of its resources in creating and preserving value.</p><p>Kayla Flanders</p>
<h1><a href="https://iaonline.theiia.org/2018/Pages/Governance-in-View.aspx">Governance in View</a></h1><p>Today's business landscape creates some tricky terrain for organizations to navigate. Heightened scrutiny of boards and management, and transformational internal and market forces are the rule, rather than the exception. In this environment, a corporate governance assessment can yield significant value for organizations. Moreover, it enables internal audit to satisfy the requirements of Standard 2110: Governance.</p><p>Corporate governance is the system of rules, practices, and processes by which an organization is controlled and directed. It sets the foundation not only for business protection and strategic performance, but also for the confidence of the markets, investors, regulators, and other key stakeholders. Effective corporate governance is a powerful driver for achieving strategic objectives in dynamic environments while supporting a strong risk culture (see "The Value of Corporate Governance" below right).</p><h2>Laying the Groundwork</h2><p>Determining whether strong corporate governance practices are in place entails taking a hard look at big-ticket issues such as the board's and the executives' roles and practices, how leadership sets and agrees on strategy, how that strategy translates into overall action plans, how those plans are managed, and how progress is measured against goals. Performing this analysis has enormous advantages, but there is a potential catch. This is an assessment of the top of the organization — its board, management, business strategy, and risk management and compliance functions. The return is high, but so are the risks to internal audit. Planning, execution, and reporting must be aligned to the broad-based stakeholder group so internal audit's findings and recommendations are fully supported and acted upon. That makes it imperative that corporate governance audits are well planned and skillfully executed. 
Internal audit must obtain the necessary buy-in at the highest levels, provide excellent communication and project management throughout the audit, and ensure it has the right expertise focused on the review from the start through the final deliverable. </p><p>As chief audit executives consider these issues, they should keep in mind the expectations of key stakeholders such as the board, C-suite, and business unit management. Without stakeholder commitment — including making time for interviews, reviewing results, and implementing improvements — the audit can't succeed. By seeking high-level input and perspective early on, internal audit can respond to stakeholder concerns, incorporate their priorities, and ensure the audit goes forward with the appropriate backing from senior management.</p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>The Value of Corporate Governance</strong></p><p>Corporate governance has several tangible benefits:</p><ul><li><strong>Meeting heightened expectations of regulators and stakeholders.</strong> Faced with unprecedented scrutiny, many boards are challenged to move their organizations forward while meeting the ever-increasing demands of stakeholders and regulators.<br></li><li><strong>Managing the organization's shifting risk profile because of internal and market forces.</strong> Organizations in many industries are striving to transform themselves. Changing business models and expansion into new businesses, services, and products continually reshape an organization's risk profile. 
Adapting corporate governance to these new realities is an important component of a successful business transformation.<br></li><li><strong>Identifying blind spots that could impede achievement of the organization's strategy.</strong> Without strong corporate governance, organizations may struggle with conflicting objectives or a competing strategy that is diverting resources from a priority project.<br></li><li><strong>Addressing concerns about risk culture.</strong> Without a business strategy, it's difficult — if not impossible — to determine whether the organization is taking appropriate risks. Robust corporate governance can maintain focus on the organization's strategy and how it aligns with its risk culture.<br></li><li><strong>Surveying the organization's lines of defense.</strong> There's a great deal to be gained from looking carefully at the organization's 1) revenue-generating business units and their accountability for the risks they create, 2) risk management teams and the framework they have created for business units, and 3) internal audit function, including internal and board reporting objectives.<br></li></ul></td></tr></tbody></table><p>It's also important to focus on the organization's external stakeholders such as regulators, shareholders, and external auditors. Once announced, internal audit's decision to undertake a corporate governance audit will generate intense interest. Auditors should prepare for regulator requests to look at their approach and findings. </p><div><p>Delving into governance audits without the right expertise, timeline, and scope can hurt the internal audit function. Depending on its depth of expertise, internal audit may want to bring in third-party subject-matter specialists to provide additional credibility, experience, and an industry sector perspective that is benchmarked against leading practices. 
Working closely with outside subject-matter experts also provides an excellent knowledge transfer opportunity that can assist internal audit in future reviews. </p><div><h2>Governance and Risk</h2><p>A look at the corporate governance risk framework is a helpful way to understand the structure for an audit (see "The Corporate Governance Risk Framework" below right). Internal auditors should ask several questions about the organization's corporate governance framework. Auditors at highly regulated organizations already may be hearing these questions from regulators. However, any organization would benefit from exploring whether its governance model:</p><ul><li>Guides strategic direction and day-to-day control.<br></li><li>Outlines the rules and procedures for making decisions.<br></li><li>Specifies and distributes rights and responsibilities, including decision-making authority, among the organization's various stakeholders.<br></li><li>Provides structure and accountability through which the organization can achieve its objectives and monitor how it performs.<br></li><li>Maintains the integrity of the organization's structure and accountability.<br></li><li>Influences the appropriate tone and risk culture.<br></li></ul><p>Risk culture merits special emphasis because it is at the heart of corporate governance. If internal auditors fail to consider the organization's risk culture, they may miss the subtle indicators of ineffective governance. For example, a company may have a well-designed governance structure but ineffective governance because its risk culture discourages managers from escalating risk issues for fear of the consequences. </p><p>Finally, the organization needs to decide where it wants to be in the corporate governance maturity model. Does it want to be a leader in one or more areas, or is average sufficient? 
A corporate governance audit can benchmark where the organization stands on categories ranging from board governance to strategic planning to tone at the top to risk management and corporate compliance. For each of these areas (and more), auditors can chart whether the organization is lagging, average, or leading against peers. </p><h2>Structuring the Audit</h2><p>There is not one ideal way to assess the state of corporate governance. An example of an approach that is well-suited to an organization embarking on this process for the first time is to execute a two-phase assessment comprising an initial advisory phase and an audit phase.​</p><p> <strong>Advisory Phase </strong>In the first phase, the goal is to establish a baseline by focusing on the entire governance framework. The assessment relies heavily on interviews with a selection of board members, senior executives, and others in the organization. The questions should focus on a broad range of governance topics, including corporate strategy, board oversight and committee structure, management committee structure, tone at the top and culture, the state of the compliance program, and the state of the risk management program. At the highest level, these interviews should provide a view of their understanding of the organization's governance processes and how those processes are aligned with corporate objectives. </p><p> Auditors also should review supporting documentation, such as bylaws, board committee charters, policies, and organizational charts, to create a holistic picture of the organization's culture and processes. They then should analyze information developed through the interviews and document review processes and assess it against a maturity scale. Audit recommendations should assist the organization to ultimately move farther along that scale.</p><p>A corporate governance assessment will require the audit team to make qualitative judgments about the design of the governance structure. 
Internal audit will need to determine how formal the corporate governance elements should be compared to leading practices in the industry and at peer companies. Performing the initial work as an advisory review allows for a freer two-way exchange of ideas and observations ahead of the formal audit.</p><p>During the advisory phase, internal audit should communicate the results of its interviews and assessment to management as recommendations instead of formal issues. The absence of an opinion positions the internal auditor as a business advisor, which promotes candid discussions and more informed recommendations. </p><p>At the end of the advisory phase, suitable time is needed to allow the organization to implement corrective actions in response to recommendations resulting from the first phase. The amount of time depends on the extent of remediation required and often will be more than a year to allow for policies to be developed or enhanced and implemented.​</p><p> <img src="/2018/PublishingImages/Schwartz-the-corporate-governance-risk-framework.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" /> <strong>Audit Phase </strong>With an established framework in place, the company can conduct a formal audit to assess the effectiveness of governance processes. Here, the scope is narrower and builds on the previous review work. As during the first phase, interviewing board members and executives is a key component. In-depth testing of key risk areas also is important. Examples of key risk areas include delegation of authority, board and management committee charters, risk appetite, and the compliance testing program. The outcome is an analysis of targeted issues, leading practice recommendations for improvements, and a formal audit opinion. </p><p>Internal auditors should keep in mind that they are auditing the leadership of the organization. Presenting corporate governance audit findings to the CEO or board members is the ultimate "seat at the table" for CAEs. 
They must ensure their facts are thoroughly vetted and benchmarking against leading practices is well supported. Anything short of that could damage internal audit's credibility.</p><p>This two-phase method is just one approach to auditing corporate governance. Organizations with a well-honed governance structure may prefer to start directly with the audit phase. The key is to tailor an approach for the organization, considering issues such as the maturity of its structures, availability of resources, and leadership and regulatory expectations.</p><h2>Driving Change</h2><p>The value proposition for a corporate governance assessment is significant. Working closely with the board and senior management, internal auditors have an opportunity to drive change. This is a high-risk, high-reward effort, though. A thoughtful, measured approach and stakeholder buy-in are critical at every stage — from planning through report issuance. </p></div></div>Doug Watt
Taking the Lead on Blockchainhttps://iaonline.theiia.org/2018/Pages/Taking-the-Lead-on-Blockchain.aspxTaking the Lead on Blockchain<p>Internal auditors are no strangers to change, and change continues to transform even the most traditional of processes. The latest revolutionary innovation is blockchain. Initially the technology underlying digital currencies such as Bitcoin, blockchain is beginning to change processes across many industries. </p><p>Like all new technologies, blockchain may produce innumerable new risks. Yet ultimately, it has the potential to help manage and mitigate many traditional audit risks. Internal auditors need to understand how blockchain may change business processes, determine the risks to the organization, and revisit audit processes and procedures to leverage the technology in their work. </p><h2>How It Works</h2><p>A blockchain is effectively a type of decentralized database known as a distributed ledger. Unlike traditional databases, blockchains have no sole administrator. As each transaction is recorded, it is time-stamped in real time onto the "block." Each block is linked to the previous block, and each user has a copy of that block on his or her own device. That process effectively creates an audit trail. </p><p>Blockchain is most notably used for transactions involving the buying or selling of digital currencies. Although the electronic encrypted audit trail is one by-product of the underlying technology of interest to internal auditors, another interesting side effect of the process is an accounting methodology called triple-entry accounting. Modern financial accounting is based on double-entry bookkeeping dating back to the 1400s. With triple-entry accounting, all entries for a given transaction are made to the blockchain to verify and document receipt of the transaction. Thus, triple-entry accounting blends traditional double-entry accounting with third-party validation. 
As such, this methodology potentially could vastly alter traditional accounting processes and the subsequent control activities, risk assessment, and monitoring activities.</p><h2>Impact on Audit Process</h2><p>Often, internal auditors must catch up with technologies that are already in place, making modifications to the existing audit plan arduous and further emphasizing the need for a dynamic and adaptable audit plan. The complexity and incremental cost associated with blockchain implementation creates additional risk to the organization, making it vital that auditors are involved from inception and not just after implementation when a final process must be audited. Other risks associated with blockchain include scalability constraints, new privacy and security risks, and the need to consider new regulatory requirements, many of which have not yet been promulgated.</p><p>Historically, auditors have been tasked with verifying the management assertions of existence, valuation, rights and obligations, completeness, and presentation and disclosure. The use of a distributed general ledger virtually eliminates the possibility of altering transactional data or inputting fictitious data, as the encrypted signatures of both parties involved in a given transaction are required. </p><p>Even with recent media coverage of digital currency hacks, the supporting technology underlying blockchain continues to be touted as "tamper-proof," "validated," "secure," and "private." Hacks are possible on applications that use blockchain, just as on an organization's intranet. However, for a hack or data leak to occur, an attacker not only has to concurrently hack each user on the network, but also bypass encryption. 
Such an intrusion would be highly visible to those on the network. Internal auditors must perform comprehensive risk assessments to determine the likelihood, magnitude, and nature of potential threats as well as the appropriate preventive, detective, and corrective controls. </p><p>In addition to the data being more secure and valid, using a distributed public ledger gives auditors access to transactional data needed for the audit in real time, thus allowing for more continuous auditing. While continuous auditing has the potential to enable auditors to be more efficient, proactive, adaptive, and forward-looking, internal audit departments must explore the impact continuous auditing may have on existing audit programs and the potential disruption to the traditional audit cycle. Specifically, auditors must consider how it could impact scheduling, planning, and the actual collection of audit evidence. </p><p>While blockchain would in no way be a substitute for U.S. Sarbanes-Oxley Act of 2002 control testing, it could greatly increase the efficiency of traditional audits, creating a more uniform and highly verified audit trail from which to work. The improved quality of data and fewer reconciliations can potentially reduce the amount of work necessary throughout the year. Auditors may be able to conduct more work remotely, because less fieldwork will have to occur at the client's site. Moreover, efficiency gains from blockchain may enable internal auditors to focus on other high-risk areas such as internal control, compliance, or operational audits. </p><h2>Audit Implications</h2><p>With the advent of blockchain, the nature of audit work may change pervasively. 
Potential changes to consider include: </p><ul><li> <em>Systematically less reliance on paper documentation that can be altered or falsified easily.</em> Matching and vouching to test for existence and appropriate valuation may largely be outdated, as auditors will have easy access to transactional data that already has been mutually agreed upon and verified by an independent third party.<br></li><li> <em>Differing cybersecurity risks and controls.</em> As the use of blockchain makes data available to everyone on the network, both physical and logical access controls will be more important than ever. In addition, use of a distributed public ledger can decrease the risk of successful computer attacks and may increase the visibility of attacks. The increased visibility elevates the importance of an organization's incident response plan.<br></li><li> <em>More involvement in creating new processes based on blockchain technology.</em> As recent publications from the Big 4 firms note, the reliance on blockchain technology may require auditors to collaborate with IT professionals and raise the demand for auditors with IT expertise. Subsequent documentation of new processes and changes to old processes are key controls that auditors should not overlook. Over time, the use of blockchain may lead to increased standardization in both business processes and audit processes across industries as best practices emerge.<br></li></ul><h2>Risks and Rewards</h2><p>To prevent or lessen the risk of crisis that often precedes imminent change, internal auditors must stay abreast of emerging technologies such as blockchain. Yet, as with many new technologies and processes, blockchain may present a steep learning curve for auditors. Understanding the underlying technology of a distributed public ledger can enable auditors to assess the new control environment and new risks to the organization. 
In this way, internal auditors can be change agents who help mitigate the negative risks that all too often accompany the rewards associated with any new technology.</p>Jamie L. Hoelscher
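As an added illustration of the hash-chained audit trail and dual-party approval the article describes (example code, not from the article or any real blockchain), the following Python builds a small ledger and runs the checks an auditor would apply: it catches an altered amount, a rewritten block, a fictitious entry carrying only one party's approval, and a participant's copy that has diverged from the others. HMAC tags keyed per party are a stand-in for the parties' digital signatures, and all keys and transactions are constructed sample data.

```python
"""Hash-chained ledger with dual-party approval and auditor-side checks.
Added example, not code from the article or any real blockchain: HMAC tags keyed
per party stand in for digital signatures; keys and transactions are constructed."""
import hashlib
import hmac
import json
from copy import deepcopy

GENESIS = "0" * 64
# Constructed per-party secrets (stand-in for each party's signing key).
PARTY_KEYS = {"buyer": b"buyer-demo-key", "seller": b"seller-demo-key"}


def canonical(obj) -> bytes:
    """Stable serialization so every replica hashes identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def approval_tag(tx: dict, party: str) -> str:
    """One party's approval of a transaction (stand-in for its signature)."""
    return hmac.new(PARTY_KEYS[party], canonical(tx), hashlib.sha256).hexdigest()


def block_hash(prev_hash: str, tx: dict, approvals: dict) -> str:
    """Each block commits to its predecessor, so an edit ripples forward."""
    return hashlib.sha256(prev_hash.encode() + canonical(tx) + canonical(approvals)).hexdigest()


def append_block(chain: list, tx: dict, approvers=None) -> dict:
    """Append a transaction; normally both counterparties approve it."""
    approvers = (tx["from"], tx["to"]) if approvers is None else approvers
    approvals = {p: approval_tag(tx, p) for p in approvers}
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    block = {"prev_hash": prev_hash, "tx": tx, "approvals": approvals,
             "hash": block_hash(prev_hash, tx, approvals)}
    chain.append(block)
    return block


def audit_chain(chain: list) -> list:
    """Auditor-side verification: returns findings, empty when the chain verifies."""
    findings, prev_hash = [], GENESIS
    for i, blk in enumerate(chain):
        tx = blk["tx"]
        if blk["prev_hash"] != prev_hash:
            findings.append(f"block {i}: link to previous block broken")
        if blk["hash"] != block_hash(blk["prev_hash"], tx, blk["approvals"]):
            findings.append(f"block {i}: stored hash does not match contents")
        for party in (tx["from"], tx["to"]):
            got = blk["approvals"].get(party, "")
            if not hmac.compare_digest(got, approval_tag(tx, party)):
                findings.append(f"block {i}: missing or invalid approval from {party}")
        prev_hash = blk["hash"]
    return findings


def replicas_agree(replicas: list) -> bool:
    """Every participant keeps a copy; divergent heads are themselves a finding."""
    return len({r[-1]["hash"] if r else GENESIS for r in replicas}) == 1


def build_sample_chain() -> list:
    chain = []
    append_block(chain, {"id": 1, "from": "buyer", "to": "seller",
                         "amount": 100, "ts": "2018-05-01T10:00:00Z"})
    append_block(chain, {"id": 2, "from": "seller", "to": "buyer",
                         "amount": 15, "ts": "2018-05-02T09:30:00Z"})
    return chain


def tamper_scenarios() -> dict:
    """Tampering attempts an auditor should catch, keyed by scenario."""
    good = build_sample_chain()
    results = {"clean": audit_chain(good)}

    # Alter an amount in place: the block hash and both approvals stop matching.
    altered = deepcopy(good)
    altered[0]["tx"]["amount"] = 1000
    results["altered_amount"] = audit_chain(altered)

    # Rewrite block 0 with a fresh hash: block 1's link to it now breaks.
    rewritten = deepcopy(good)
    rewritten[0]["tx"]["amount"] = 1000
    rewritten[0]["hash"] = block_hash(GENESIS, rewritten[0]["tx"], rewritten[0]["approvals"])
    results["rewritten_block"] = audit_chain(rewritten)

    # Fictitious entry carrying only the buyer's approval.
    padded = deepcopy(good)
    append_block(padded, {"id": 3, "from": "buyer", "to": "seller",
                          "amount": 999, "ts": "2018-05-03T08:00:00Z"},
                 approvers=("buyer",))
    results["fictitious_entry"] = audit_chain(padded)

    # Replica comparison: one participant's copy has been truncated.
    results["replicas_agree"] = replicas_agree([good, deepcopy(good)])
    results["replicas_diverge"] = replicas_agree([good, good[:1]])
    return results
```

Note that the hash chain only makes tampering visible; it is the comparison of independently held replicas that stops a single party from quietly rewriting history and recomputing every hash.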
When It Comes to Supply Chain, Count Your Chickenshttps://iaonline.theiia.org/blogs/chambers/2018/Pages/When-It-Comes-to-Supply-Chain-Count-Your-Chickens.aspxWhen It Comes to Supply Chain, Count Your Chickens<p>​In its own words, fast-food giant KFC had "a hell of a week" as it scrambled recently to manage a supply-chain disruption that left most of its 900 franchise stores in the United Kingdom with no chicken. </p><p>KFC blamed the disruption on "a couple of teething problems" with its new U.K. delivery partner, DHL, which explained that numerous deliveries had been incomplete or delayed because of unspecified operational issues.</p><p>It is interesting that, in the 21<span style="line-height:0;vertical-align:baseline;top:-0.5em;">st</span> century, when critical risks are assumed to be strategic or cyber-related, a good old-fashioned risk like supply chain could wreak such havoc. The incident offers a couple of informative lessons for internal audit in supply chain and crisis management.</p><p>Supply-chain disruptions must rank among the top risks for any restaurant chain, much less the world's second largest. So, when KFC and DHL announced their new partnership last year, they did so with a promise of "putting greater focus on innovation, quality and service performance."</p><p>According to a DHL news release, "Key areas of focus will be reducing logistics-related emissions to net zero over the life of the contract, optimizing delivery scheduling to provide a faster turnaround of orders, and greater integrity of food during transportation allowing for even fresher products upon arrival at KFC restaurants."</p><p>A spokesman for QSL, a food-logistics company that is the third partner in the new distribution process, said, "With DHL, we are confident of establishing a new benchmark for quick-service restaurants in the U.K." </p><p>Improving efficiency and long-term sustainability are laudable goals for any company. 
But any time an organization makes significant changes to a core business function, such as supply chain, there is a risk of significant disruption. Indeed, changes to any of the practices and processes that support corporate goals and objectives come with a level of risk that should be clearly understood by management and communicated to the board.</p><p>This should be of particular concern to organizations making a push to innovate. Organizations should understand the risk/reward components to innovation from the outset. In such instances, it serves the organization well to involve internal audit on the front end to help identify any potential pitfalls.</p><p>Internal audit's unique and holistic view of the organization also helps provide assurance on agreements that turn over key operational functions to third parties. In KFC's case, DHL's promise to "rewrite the rule book" and "set a new benchmark for delivering fresh products to KFC in a sustainable way" should have raised a risk flag.</p><p>One silver lining from this incident is how well KFC handled the fallout. The company wasted no time in taking responsibility and offering an apology, primarily through social media channels. It quickly set up a website where customers could search for the nearest open KFC restaurant. One almost has to wonder whether the crisis management plan was built in as a contingency to the rollout of the new supply-chain arrangement.</p><p>KFC then took out full-page ads in two of the U.K.'s largest newspapers with a clever and sincere apology. One public relations professional described it as, "A masterclass in PR crisis management."</p><p>Of course, the best form of crisis management is to avoid the crisis in the first place, and that is what great internal auditing helps the organization do.</p><p>As always, I look forward to your comments.</p>Richard Chambers
Implementing a Shared Services Modelhttps://iaonline.theiia.org/2018/Pages/Implementing-a-Shared-Services-Model.aspxImplementing a Shared Services Model<p></p> <p>Many organizations are pursuing sustainable cost reductions via a shared services model. A shared service is a centralized service that was once found in more than one department of the organization such as accounts payable, supply chain, accounts receivable, human resources, and IT. Auditors are increasingly expected to expand their traditional audit services to include consulting expertise around a shared service implementation. </p><p>While the benefits of shared services are many, the implementation of a shared services model has potential pitfalls. Though organizations may want to achieve the cost reductions associated with a shared services model, this may be a high-risk decision unless there is a well-thought-out strategy. Internal auditors can play a key role in that strategy during the implementation phases of a shared services model.</p><h2>Pre-implementation </h2><p> Internal auditors can add value to the organization by providing consulting services before implementation of a shared services model. During the pre-implementation phase, decisions include determination of the business functions best suited for a shared service, technology platforms to improve efficiency of the shared service, and personnel decisions that will align employees with the shared services model. During this phase, management also should be developing the project charter and metrics for the shared service center. Internal audit can provide insight on various operational, financial, and regulatory risks, and evaluate management internal control design during this stage. </p><p>A primary goal for internal audit during this phase is to consult with the business to ensure an effective internal control structure is designed during the implementation. 
To accomplish this goal, coordination with management should focus on areas management has determined to be best suited for shared services implementation and the various risk factors that can negatively impact a successful implementation. Internal auditors with backgrounds in IT, human resources, or accounts payable may be considered particularly helpful in these discussions. IT auditors can be used to ensure IT system decisions are given appropriate due diligence. </p><p>Another consideration during the pre-implementation phase is identifying operational redundancies that can be eliminated within the processes. Current industry practices or trends regarding shared service centers also should be considered. For example, traditional financial shared service centers (e.g., accounts payable) versus nontraditional (e.g., corporate communication and legal) can present different challenges. The internal auditor’s knowledge of operational processes can provide insight to management in the decision-making process. Auditors also can help ensure the right stakeholders are identified and decisions are approved correctly during product charter development. </p><h2>Implementation</h2><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>Scorecard Metrics</strong><br><p>Scorecards can alert management of a process or control breakdown and help determine which reports should be used to gather performance metrics. 
Scorecards can include a variety of key performance indicators, and can be developed in these categories.</p><p>Financial</p><ul><li>Cost savings achieved.<br></li><li>Year-over-year unit-cost targets and trends since implementation.<br></li><li>Budget vs. actual vs. historical reviews.<br></li><li>Fixed vs. variable expenses.<br></li><li>Activity-based costing to evaluate the cost effectiveness of specific activities within the shared service center.<br></li></ul><p>Customer or Stakeholder Satisfaction</p><ul><li>Tracking of information received from customer satisfaction surveys.<br></li><li>Number of customer complaints.<br></li><li>Feedback from internal stakeholders.<br></li></ul><p>Process Management</p><ul><li>Productivity measures.<br></li><li>Quality metrics.<br></li><li>Turnaround trends (e.g., the number of invoices processed per day and per employee).<br></li><li>Number of transactions processed in a day, reviewed for trends.<br></li><li>Cases touched or issues raised multiple times.<br></li><li>Number of transactions in a hold or pending status.<br></li></ul><p>People</p><ul><li>Employee engagement survey results.<br></li><li>Employee retention and attrition rates.<br></li></ul></td></tr></tbody></table><p>The challenges management may encounter during a shared services implementation include coordinating various geographic locations, maintaining a good transaction turnaround time, and ensuring quality customer service. Internal audit should focus its efforts on helping management address these challenges. 
As part of its consulting services, internal audit can work with management to ensure these questions have been addressed adequately or anticipated by management before implementation:</p><ul><li>Are the decision rights well defined, communicated, and understood?<br></li><li>Have policies and procedures been established?<br></li><li>Has a project management plan, aligned with the goals of the shared service center, been submitted and approved?<br></li><li>Are appropriate internal controls being planned?<br></li><li>Will the shared service use the existing system/technology platform, a new system, or both?<br></li><li>Have IT solutions such as e-procurement or imaging tools been considered to improve process efficiency?<br></li><li>Do employees have the appropriate system access with attention given to segregation of duty concerns?<br></li><li>Is the right staff in place with the skills and desire to deliver quality services to customers, drive cost efficiencies, and initiate improvements?<br></li><li>Do employees have appropriate training?<br></li><li>Has management considered how to ensure a control environment is maintained after the transition?<br></li><li>Have regulatory considerations in different states or countries been evaluated and addressed?<br></li><li>Have key performance indicators (KPIs) been determined to evaluate performance and make adjustments accordingly?<br></li><li>Have KPIs been organized into effective scorecards? (See “Scorecard Metrics” on this page.)<br></li></ul><p>While providing consulting services, internal auditors should maintain objectivity and independence. Most independence concerns can be removed by ensuring the auditors do not assume management decisions and do not process transactions. However, careful consideration should be given to safeguard compliance with professional standards. 
</p><h2>Post-implementation</h2><p>Once the shared service center is in operation, auditors can test transactions, monitor service levels, and recommend process improvements through objective reviews of operations. Auditors should review the monitoring and testing of shared service controls as part of continuous monitoring, or compliance, operational, or process-driven audits. Because the shared service is now functioning for the entire organization and the impact can be greater if there is a process breakdown, audits should be conducted promptly. After implementation of the shared services model, auditors should consider these audit procedures:</p><ul><li>Test IT access to ensure appropriate access and segregation of duties.<br></li><li>Test reports (KPIs) to determine data accuracy and completeness.<br></li><li>Identify transactions outside established parameters using data analytic tools and techniques.<br></li><li>Determine specific regulations by geographic location or industry.<br></li><li>Test controls to verify regulatory compliance.<br></li><li>Review the reporting process management has established to ensure performance is in line with expectations. Gain an understanding of the actions taken when actual metrics are outside of expectations. Review the scorecards in place to assess and manage performance.<br></li><li>Verify the application of policies and procedures to the process, review known control breakdowns and ongoing challenges, and verify that appropriate approval controls have been embedded in the process.<br></li></ul><p>Refer to Standard 1130.A3 regarding the internal audit activity providing assurance services where it previously performed consulting services to ensure independence and objectivity. 
</p><h2>Uniquely Qualified</h2><p>In addition to cost savings, a successful shared services implementation can result in important benefits for organizations, including consistent processes and quality standards across the organization and enhanced business process integration following mergers or acquisitions, which can result in improved quality and productivity. The alignment of business services in a global operating structure often results in better information for management decision-making. A shared services model also allows local business managers to focus more on items of strategic importance, such as business development and improved customer service. On the technology side, system enhancements typically involved in a shared services environment serve to improve the effectiveness of the shared service operation.</p><p>There also are human resource benefits to a shared services model, as the expertise of shared service employees benefits the entire organization, and in-house expertise is developed rather than outsourced. Challenges with attracting and retaining employees have decreased as companies find innovative ways to make shared services a specific career path.</p><p>Because of their knowledge of the business and its related processes, auditors should work with management during the planning and implementation phases of a shared services model. When wearing their consultant hats, internal auditors can add value during the post-implementation phase of the shared service to ensure the service is functioning as intended and significant problems are quickly identified and corrected. Performing consulting activities is part of the Definition of Internal Auditing, and it can be a significant benefit to organizations in the rapidly changing global business environment.</p>Darrick Fulton