Risk and Compliance



<h1>An Appetite for Risk</h1><p><a href="https://iaonline.theiia.org/2018/Pages/An-Appetite-for-Risk.aspx">https://iaonline.theiia.org/2018/Pages/An-Appetite-for-Risk.aspx</a></p><p>It is a time of great change in internal auditing, and the expectations to deliver have never been higher. There are many new — and some repackaged — concepts floating around, such as audit innovation, agile auditing, becoming a trusted advisor, and strategic auditing. One thing that has not changed, however, is internal audit's desire to add value to the organization through the execution of its work, whether through assurance or consulting activities. Internal audit, more than ever, is moving into areas of the business — such as strategic planning and culture — that are more subjective and require more auditor judgment. Venturing into these areas may require auditors to recalibrate their risk appetite and accept more risk going forward.</p><p>To successfully meet the expectations of their key stakeholders, chief audit executives (CAEs) must first ensure that, foundationally, internal audit is set up for success. A key element is that the objectives of the internal audit department are clearly defined and agreed upon with stakeholders, and that the risks to achieving those objectives are clearly identified. Building the elements of risk management into the day-to-day activities of internal audit, from the overall operations of the department down to the engagement level, will ensure sustainable activity and should facilitate more agile auditing through clear understanding of risk appetites and tolerances.</p><p>Internal auditors, while having the unique position and ability to provide opinion on the ability of others to identify and manage risk, whether strategic, operational, compliance, or financial, seem less inclined to look internally at their own risk management practices. Internal audit's appetite for risk may be too low, inhibiting agility, innovation, and the transformation of the function.
Although there is no absolute assurance in internal auditing, it is easy to default to a risk-averse position when headlines call out internal audit specifically — Where were the auditors? — when analyzing compliance failures, cultural issues, and material weaknesses or significant deficiencies in internal control over financial reporting. </p><p>The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) updated <em>Enterprise Risk Management–Integrating With Strategy and Performance</em> provides the opportunity to take a fresh look not only at the organization's risk management practices, but also those within internal audit. Although it is directed at the enterprise level, the updated framework is scalable, and parallels can be drawn to the department or function level. </p><p>When looking at risk management within internal audit, CAEs can follow the model that the framework has established, starting with the mission, vision, and core values of the department and ending with the delivery of enhanced value through its risk management processes. </p><p><strong>Step 1 – Mission, Vision, and Core Values</strong> Internal audit should clearly articulate its mission, vision, and core values. It should start with The IIA's Definition of Internal Auditing and then survey key stakeholders to understand the expectations of the internal audit department. The mission and vision will vary by organization depending on many elements, including the industry, how highly regulated the entity is, and the overall governance structure. The mission and vision may be aspirational depending on the level of maturity of the internal audit function. The steps to achieve an aspirational mission and vision may be part of the risk profile. </p><p>The new COSO framework clearly indicates that a key component of sustainable and embedded risk management is to align with strategic objectives. 
The mission, vision, and core values are the foundation for the strategy, business objectives, and performance. Managing the risks associated with those items will drive enhanced performance. </p><p><strong>Step 2 – Define Strategy and Identify Business and Performance Objectives</strong> In identifying internal audit's business and performance objectives, there should be alignment to the organization's overall objectives and consideration of the feedback received from key stakeholders. For example, a proposed internal audit strategy could be that the function should primarily focus on compliance-related audits. The objective could be to ensure that the first — and second, if applicable — lines of defense have appropriate risk management and internal controls in place to address compliance-related risk. A risk implication of this strategy is that other risks are not covered by internal audit, as the strategy is too narrow. That risk (although not recommended) could be accepted by the appropriate stakeholder based on the governance structure in place. Clearly defining the audit strategy, and related business objectives and performance, should help facilitate audit operations and the audit plan, with all stakeholders aligned on what falls under internal audit's purview. </p><p><strong>Step 3 – Identify the Risks, Risk Appetite, Risk Tolerance, and Risk Response</strong> Internal audit should identify the risks of not achieving the determined audit strategy and business and performance objectives. For each risk, internal audit should consider its risk appetite, tolerance, and response. For example, a risk to performance of the audit plan may be lack of personnel with technical expertise in specific subject matters. The risk appetite for this situation may be relatively low, to comply with the <em>International Standards for the Professional Practice of Internal Auditing</em>'s Standard 2230: Engagement Resource Allocation.
The risk tolerance may be limited, and the likelihood of the risk occurring may be high, depending on the department make-up and audit universe. Appropriate risk responses include accept, avoid, pursue, reduce, or share. Internal audit may choose to share this risk by co-sourcing resources within the organization (as appropriate, considering independence and objectivity restrictions) or with an external subject-matter expert.</p><p><strong>Step 4 – Stakeholder Buy-in</strong> Throughout the various phases of the process, the CAE should work with key stakeholders to ensure buy-in with the finalized elements, as there is a cascading effect from the determination of the mission and vision; through the strategy, objectives, and performance; to the determination of relevant risks and the risk appetites, tolerances, and responses. The governing body, typically the audit committee, should have the final authority in concurring with the risk responses, especially when the risks are accepted. </p><p>As the internal audit risks are built out, with defined risk appetites, tolerances, and responses, this information should be distributed throughout the department to educate team members on expectations and enable them to use it to make risk-based decisions when executing audits. Defining authorities around risk decisions throughout the framework will empower the different levels within audit to make judgment calls and use critical thinking to complete audits in the most agile way. </p><p>Risk management should not be a once-a-year process, but instead continuous and evolving as necessary based on risk changes at the organizational level and within the internal audit department. The process and framework should be pliant enough to flex and pivot as needed, with clearly defined governance processes around when specific stakeholders from senior management to the audit committee need to authorize or review changes.
Understanding internal audit's strategy and objectives, defining the risks to achieving them, and adding a new level of transparency to risk responses should facilitate internal audit's transformation into a trusted advisor and demonstrate the most effective use of its resources in creating and preserving value.</p><p>Kayla Flanders</p>
<h1>Governance in View</h1><p><a href="https://iaonline.theiia.org/2018/Pages/Governance-in-View.aspx">https://iaonline.theiia.org/2018/Pages/Governance-in-View.aspx</a></p><p>Today's business landscape creates some tricky terrain for organizations to navigate. Heightened scrutiny of boards and management, and transformational internal and market forces are the rule, rather than the exception. In this environment, a corporate governance assessment can yield significant value for organizations. Moreover, it enables internal audit to satisfy the requirements of Standard 2110: Governance.</p><p>Corporate governance is the system of rules, practices, and processes by which an organization is controlled and directed. It sets the foundation not only for business protection and strategic performance, but also for the confidence of the markets, investors, regulators, and other key stakeholders. Effective corporate governance is a powerful driver for achieving strategic objectives in dynamic environments while supporting a strong risk culture (see "The Value of Corporate Governance" below right).</p><h2>Laying the Groundwork</h2><p>Determining whether strong corporate governance practices are in place entails taking a hard look at big-ticket issues such as the board's and the executives' roles and practices, how leadership sets and agrees on strategy, how that strategy translates into overall action plans, how those plans are managed, and how progress is measured against goals. Performing this analysis has enormous advantages, but there is a potential catch. This is an assessment of the top of the organization — its board, management, business strategy, and risk management and compliance functions. The return is high, but so are the risks to internal audit. Planning, execution, and reporting must be aligned to the broad-based stakeholder group so internal audit's findings and recommendations are fully supported and acted upon. That makes it imperative that corporate governance audits are well planned and skillfully executed.
Internal audit must obtain the necessary buy-in at the highest levels, provide excellent communication and project management throughout the audit, and ensure it has the right expertise focused on the review from the start through the final deliverable. </p><p>As chief audit executives consider these issues, they should keep in mind the expectations of key stakeholders such as the board, C-suite, and business unit management. Without stakeholder commitment — including making time for interviews, reviewing results, and implementing improvements — the audit can't succeed. By seeking high-level input and perspective early on, internal audit can respond to stakeholder concerns, incorporate their priorities, and ensure the audit goes forward with the appropriate backing from senior management.</p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>The Value of Corporate Governance</strong></p><p>Corporate governance has several tangible benefits:</p><ul><li><strong>Meeting heightened expectations of regulators and stakeholders.</strong> Faced with unprecedented scrutiny, many boards are challenged to move their organizations forward while meeting the ever-increasing demands of stakeholders and regulators.<br></li><li><strong>Managing the organization's shifting risk profile because of internal and market forces.</strong> Organizations in many industries are striving to transform themselves. Changing business models and expansion into new businesses, services, and products continually reshape an organization's risk profile.
Adapting corporate governance to these new realities is an important component of a successful business transformation.<br></li><li><strong>Identifying blind spots that could impede achievement of the organization's strategy.</strong> Without strong corporate governance, organizations may struggle with conflicting objectives or a competing strategy that is diverting resources from a priority project.<br></li><li><strong>Addressing concerns about risk culture.</strong> Without a business strategy, it's difficult — if not impossible — to determine whether the organization is taking appropriate risks. Robust corporate governance can maintain focus on the organization's strategy and how it aligns with its risk culture.<br></li><li><strong>Surveying the organization's lines of defense.</strong> There's a great deal to be gained from looking carefully at the organization's 1) revenue-generating business units and their accountability for the risks they create, 2) risk management teams and the framework they have created for business units, and 3) internal audit function, including internal and board reporting objectives.<br></li></ul></td></tr></tbody></table><p>It's also important to focus on the organization's external stakeholders such as regulators, shareholders, and external auditors. Once announced, internal audit's decision to undertake a corporate governance audit will generate intense interest. Auditors should prepare for regulator requests to look at their approach and findings. </p><div><p>Delving into governance audits without the right expertise, timeline, and scope can hurt the internal audit function. Depending on its depth of expertise, internal audit may want to bring in third-party subject-matter specialists to provide additional credibility, experience, and an industry sector perspective that is benchmarked against leading practices.
Working closely with outside subject-matter experts also provides an excellent knowledge transfer opportunity that can assist internal audit in future reviews. </p><div><h2>Governance and Risk</h2><p>A look at the corporate governance risk framework is a helpful way to understand the structure for an audit (see "The Corporate Governance Risk Framework" below right). Internal auditors should ask several questions about the organization's corporate governance framework. Auditors at highly regulated organizations already may be hearing these questions from regulators. However, any organization would benefit from exploring whether its governance model:</p><ul><li>Guides strategic direction and day-to-day control.<br></li><li>Outlines the rules and procedures for making decisions.<br></li><li>Specifies and distributes rights and responsibilities, including decision-making authority, among the organization's various stakeholders.<br></li><li>Provides structure and accountability through which the organization can achieve its objectives and monitor how it performs.<br></li><li>Maintains the integrity of the organization's structure and accountability.<br></li><li>Influences the appropriate tone and risk culture.<br></li></ul><p>Risk culture merits special emphasis because it is at the heart of corporate governance. If internal auditors fail to consider the organization's risk culture, they may miss the subtle indicators of ineffective governance. For example, a company may have a well-designed governance structure but ineffective governance because its risk culture discourages managers from escalating risk issues for fear of the consequences. </p><p>Finally, the organization needs to decide where it wants to be in the corporate governance maturity model. Does it want to be a leader in one or more areas, or is average sufficient?
A corporate governance audit can benchmark where the organization stands on categories ranging from board governance to strategic planning to tone at the top to risk management and corporate compliance. For each of these areas (and more), auditors can chart whether the organization is lagging, average, or leading against peers. </p><h2>Structuring the Audit</h2><p>There is not one ideal way to assess the state of corporate governance. An example of an approach that is well-suited to an organization embarking on this process for the first time is to execute a two-phase assessment comprising an initial advisory phase and an audit phase.</p><p><strong>Advisory Phase</strong> In the first phase, the goal is to establish a baseline by focusing on the entire governance framework. The assessment relies heavily on interviews with a selection of board members, senior executives, and others in the organization. The questions should focus on a broad range of governance topics, including corporate strategy, board oversight and committee structure, management committee structure, tone at the top and culture, the state of the compliance program, and the state of the risk management program. At the highest level, these interviews should provide a view of their understanding of the organization's governance processes and how those processes are aligned with corporate objectives. </p><p>Auditors also should review supporting documentation, such as bylaws, board committee charters, policies, and organizational charts, to create a holistic picture of the organization's culture and processes. They then should analyze information developed through the interviews and document review processes and assess it against a maturity scale. Audit recommendations should assist the organization to ultimately move farther along that scale.</p><p>A corporate governance assessment will require the audit team to make qualitative judgments about the design of the governance structure.
Internal audit will need to determine how formal the corporate governance elements should be compared to leading practices in the industry and at peer companies. Performing the initial work as an advisory review allows for a freer two-way exchange of ideas and observations ahead of the formal audit.</p><p>During the advisory phase, internal audit should communicate the results of its interviews and assessment to management as recommendations instead of formal issues. The absence of an opinion positions the internal auditor as a business advisor, which promotes candid discussions and more informed recommendations. </p><p>At the end of the advisory phase, suitable time is needed to allow the organization to implement corrective actions in response to recommendations resulting from the first phase. The amount of time depends on the extent of remediation required and often will be more than a year to allow for policies to be developed or enhanced and implemented.</p><p><img src="/2018/PublishingImages/Schwartz-the-corporate-governance-risk-framework.jpg" class="ms-rtePosition-2" alt="The Corporate Governance Risk Framework" style="margin:5px;" /> <strong>Audit Phase</strong> With an established framework in place, the company can conduct a formal audit to assess the effectiveness of governance processes. Here, the scope is narrower and builds on the previous review work. As during the first phase, interviewing board members and executives is a key component. In-depth testing of key risk areas also is important. Examples of key risk areas include delegation of authority, board and management committee charters, risk appetite, and the compliance testing program. The outcome is an analysis of targeted issues, leading practice recommendations for improvements, and a formal audit opinion. </p><p>Internal auditors should keep in mind that they are auditing the leadership of the organization. Presenting corporate governance audit findings to the CEO or board members is the ultimate "seat at the table" for CAEs.
They must ensure their facts are thoroughly vetted and benchmarking against leading practices is well supported. Anything short of that could damage internal audit's credibility.</p><p>This two-phase method is just one approach to auditing corporate governance. Organizations with a well-honed governance structure may prefer to start directly with the audit phase. The key is to tailor an approach for the organization, considering issues such as the maturity of its structures, availability of resources, and leadership and regulatory expectations.</p><h2>Driving Change</h2><p>The value proposition for a corporate governance assessment is significant. Working closely with the board and senior management, internal auditors have an opportunity to drive change. This is a high-risk, high-reward effort, though. A thoughtful, measured approach and stakeholder buy-in are critical at every stage — from planning through report issuance. </p></div></div><p>Doug Watt</p>
<h1>Taking the Lead on Blockchain</h1><p><a href="https://iaonline.theiia.org/2018/Pages/Taking-the-Lead-on-Blockchain.aspx">https://iaonline.theiia.org/2018/Pages/Taking-the-Lead-on-Blockchain.aspx</a></p><p>Internal auditors are no strangers to change, and change continues to transform even the most traditional of processes. The latest revolutionary innovation is blockchain. Initially the technology underlying digital currencies such as Bitcoin, blockchain is beginning to change processes across many industries. </p><p>Like all new technologies, blockchain may produce innumerable new risks. Yet ultimately, it has the potential to help manage and mitigate many traditional audit risks. Internal auditors need to understand how blockchain may change business processes, determine the risks to the organization, and revisit audit processes and procedures to leverage the technology in their work. </p><h2>How It Works</h2><p>A blockchain is effectively a type of decentralized database known as a distributed ledger. Unlike traditional databases, blockchains have no sole administrator. As each transaction is recorded, it is time-stamped in real time onto the "block." Each block is linked to the previous block, and each user has a copy of that block on his or her own device. That process effectively creates an audit trail. </p><p>Blockchain is most notably used for transactions involving the buying or selling of digital currencies. Although the electronic encrypted audit trail is one by-product of the underlying technology of interest to internal auditors, another interesting side effect of the process is an accounting methodology called triple-entry accounting. Modern financial accounting is based on double-entry bookkeeping dating back to the 1400s. With triple-entry accounting, all entries for a given transaction are made to the blockchain to verify and document receipt of the transaction. Thus, triple-entry accounting blends traditional double-entry accounting with third-party validation.
As such, this methodology potentially could vastly alter traditional accounting processes and the subsequent control activities, risk assessment, and monitoring activities.</p><h2>Impact on Audit Process</h2><p>Often, internal auditors must catch up with technologies that are already in place, making modifications to the existing audit plan arduous and further emphasizing the need for a dynamic and adaptable audit plan. The complexity and incremental cost associated with blockchain implementation creates additional risk to the organization, making it vital that auditors are involved from inception and not just after implementation when a final process must be audited. Other risks associated with blockchain include scalability constraints, new privacy and security risks, and the need to consider new regulatory requirements, many of which have not yet been promulgated.</p><p>Historically, auditors have been tasked with verifying the management assertions of existence, valuation, rights and obligations, completeness, and presentation and disclosure. The use of a distributed general ledger virtually eliminates the possibility of altering transactional data or inputting fictitious data, as the encrypted signatures of both parties involved in a given transaction are required. </p><p>Even with recent media coverage of digital currency hacks, the supporting technology underlying blockchain continues to be touted as "tamper-proof," "validated," "secure," and "private." Hacks are possible on applications that use blockchain, just as on an organization's intranet. However, for a hack or data leak to occur, an attacker not only has to concurrently hack each user on the network, but also bypass encryption. 
Such an intrusion would be highly visible to those on the network. Internal auditors must perform comprehensive risk assessments to determine the likelihood, magnitude, and nature of potential threats as well as the appropriate preventive, detective, and corrective controls. </p><p>In addition to the data being more secure and valid, using a distributed public ledger gives auditors access to transactional data needed for the audit in real time, thus allowing for more continuous auditing. While continuous auditing has the potential to enable auditors to be more efficient, proactive, adaptive, and forward-looking, internal audit departments must explore the impact continuous auditing may have on existing audit programs and the potential disruption to the traditional audit cycle. Specifically, auditors must consider how it could impact scheduling, planning, and the actual collection of audit evidence.</p><p>While blockchain would in no way be a substitute for U.S. Sarbanes-Oxley Act of 2002 control testing, it could greatly increase the efficiency of traditional audits, creating a more uniform and highly verified audit trail from which to work. The improved quality of data and fewer reconciliations can potentially reduce the amount of work necessary throughout the year. Auditors may be able to conduct more work remotely, because less fieldwork will have to occur at the client's site. Moreover, efficiency gains from blockchain may enable internal auditors to focus on other high-risk areas such as internal control, compliance, or operational audits. </p><h2>Audit Implications</h2><p>With the advent of blockchain, the nature of audit work may change pervasively.
Potential changes to consider include: </p><ul><li><em>Systematically less reliance on paper documentation that can be altered or falsified easily.</em> Matching and vouching to test for existence and appropriate valuation may largely be outdated, as auditors will have easy access to transactional data that already has been mutually agreed upon and verified by an independent third party.<br></li><li><em>Differing cybersecurity risks and controls.</em> As the use of blockchain makes data available to everyone on the network, both physical and logical access controls will be more important than ever. In addition, use of a distributed public ledger can decrease the risk of successful computer attacks and may increase the visibility of attacks. The increased visibility elevates the importance of an organization's incident response plan.<br></li><li><em>More involvement in creating new processes based on blockchain technology.</em> As recent publications from the Big 4 firms note, the reliance on blockchain technology may require auditors to collaborate with IT professionals and raise the demand for auditors with IT expertise. Subsequent documentation of new processes and changes to old processes are key controls that auditors should not overlook. Over time, the use of blockchain may lead to increased standardization in both business processes and audit processes across industries as best practices emerge.<br></li></ul><h2>Risks and Rewards</h2><p>To prevent or lessen the risk of crisis that often precedes imminent change, internal auditors must stay abreast of emerging technologies such as blockchain. Yet, as with many new technologies and processes, blockchain may present a steep learning curve for auditors. Understanding the underlying technology of a distributed public ledger can enable auditors to assess the new control environment and new risks to the organization.
In this way, internal auditors can be change agents who help mitigate the negative risks that all too often accompany the rewards associated with any new technology.</p><p>Jamie L. Hoelscher</p>
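<p>The "How It Works" section above describes each block being time-stamped and linked to the previous one, with every participant holding a copy, and later claims that this makes altering recorded transactions impractical. The following added example (written for this page, not code from the article or from any blockchain product) models that audit trail as a SHA-256 hash chain over constructed invoice entries and shows what a verifier catches: an edited amount, an edit with a recomputed block hash, and the one case a single copy cannot catch on its own, a rewritten tip block, which is why comparing copies across participants matters. Party signatures, consensus and networking are out of scope; the entries, names and timestamps are constructed sample data.</p>

```python
"""Minimal hash-chained ledger: a model of the blockchain audit trail.

Each block stores its content, its timestamp, the hash of the previous
block (the link) and its own hash. Constructed example; not production code.
"""
import copy
import hashlib
import json
from typing import List, Optional

GENESIS_PREV = "0" * 64  # there is no block before the first one


def block_hash(block: dict) -> str:
    """SHA-256 over every field except the stored hash itself.

    Canonical JSON (sorted keys, no whitespace) so identical content always
    produces an identical digest regardless of dict ordering.
    """
    body = {k: v for k, v in block.items() if k != "hash"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def genesis_block() -> dict:
    block = {"index": 0, "timestamp": 0, "entries": [], "prev_hash": GENESIS_PREV}
    block["hash"] = block_hash(block)
    return block


def append_block(chain: List[dict], entries: List[dict], timestamp: int) -> dict:
    """Record `entries` in a new block linked to the current tip by its hash."""
    tip = chain[-1]
    block = {
        "index": tip["index"] + 1,
        "timestamp": timestamp,
        "entries": entries,
        "prev_hash": tip["hash"],
    }
    block["hash"] = block_hash(block)
    chain.append(block)
    return block


def verify_chain(chain: List[dict]) -> Optional[int]:
    """Return None if the copy is internally consistent, else the index of
    the first block that fails: wrong position, stored hash not matching the
    content, broken link to the predecessor, or a timestamp going backwards."""
    for i, block in enumerate(chain):
        if block["index"] != i or block_hash(block) != block["hash"]:
            return i
        if i == 0:
            if block["prev_hash"] != GENESIS_PREV:
                return i
            continue
        prev = chain[i - 1]
        if block["prev_hash"] != prev["hash"] or block["timestamp"] < prev["timestamp"]:
            return i
    return None


def copies_agree(copy_a: List[dict], copy_b: List[dict]) -> bool:
    """Two participants' copies describe the same history iff they have the
    same length and the same tip hash (the tip hash commits to everything before it)."""
    return len(copy_a) == len(copy_b) and copy_a[-1]["hash"] == copy_b[-1]["hash"]


def build_sample_ledger() -> List[dict]:
    """Constructed sample: three blocks of invoice and credit-note entries."""
    chain = [genesis_block()]
    append_block(chain, [{"from": "Buyer Co", "to": "Vendor Ltd", "amount": 1200, "ref": "INV-0001"}], 1517443200)
    append_block(chain, [{"from": "Buyer Co", "to": "Vendor Ltd", "amount": 800, "ref": "INV-0002"}], 1517529600)
    append_block(chain, [{"from": "Vendor Ltd", "to": "Buyer Co", "amount": 50, "ref": "CN-0001"}], 1517616000)
    return chain


def edit_amount(chain: List[dict], block_index: int, entry_no: int, new_amount: int,
                rehash: bool = False) -> List[dict]:
    """Return a copy in which one entry's amount was changed after the fact.

    With rehash=False the block's stored hash no longer matches its content.
    With rehash=True the editor also recomputes that block's hash; the next
    block's prev_hash then no longer matches, unless the edited block is the tip.
    """
    altered = copy.deepcopy(chain)
    altered[block_index]["entries"][entry_no]["amount"] = new_amount
    if rehash:
        altered[block_index]["hash"] = block_hash(altered[block_index])
    return altered


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("intact copy:", verify_chain(ledger))                              # None
    print("edited amount:", verify_chain(edit_amount(ledger, 1, 0, 2200)))    # 1
    print("edited + rehashed:", verify_chain(edit_amount(ledger, 1, 0, 2200, rehash=True)))  # 2
    rewritten_tip = edit_amount(ledger, 3, 0, 500, rehash=True)
    print("rewritten tip, own check:", verify_chain(rewritten_tip))           # None
    print("rewritten tip vs peer copy:", copies_agree(ledger, rewritten_tip))  # False
```

The last two lines are the point the article makes about every user holding a copy: a lone copy that has had its newest block rewritten passes its own integrity check, and only comparison with other participants' copies exposes the change.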
<h1>When It Comes to Supply Chain, Count Your Chickens</h1><p><a href="https://iaonline.theiia.org/blogs/chambers/2018/Pages/When-It-Comes-to-Supply-Chain-Count-Your-Chickens.aspx">https://iaonline.theiia.org/blogs/chambers/2018/Pages/When-It-Comes-to-Supply-Chain-Count-Your-Chickens.aspx</a></p><p>In its own words, fast-food giant KFC had "a hell of a week" as it scrambled recently to manage a supply-chain disruption that left most of its 900 franchise stores in the United Kingdom with no chicken. </p><p>KFC blamed the disruption on "a couple of teething problems" with its new U.K. delivery partner, DHL, which explained that numerous deliveries had been incomplete or delayed because of unspecified operational issues.</p><p>It is interesting that, in the 21<sup>st</sup> century, when critical risks are assumed to be strategic or cyber-related, a good old-fashioned risk like supply chain could wreak such havoc. The incident offers a couple of informative lessons for internal audit in supply chain and crisis management.</p><p>Supply-chain disruptions must rank among the top risks for any restaurant chain, much less the world's second largest. So, when KFC and DHL announced their new partnership last year, they did so with a promise of "putting greater focus on innovation, quality and service performance."</p><p>According to a DHL news release, "Key areas of focus will be reducing logistics-related emissions to net zero over the life of the contract, optimizing delivery scheduling to provide a faster turnaround of orders, and greater integrity of food during transportation allowing for even fresher products upon arrival at KFC restaurants."</p><p>A spokesman for QSL, a food-logistics company that is the third partner in the new distribution process, said, "With DHL, we are confident of establishing a new benchmark for quick-service restaurants in the U.K." </p><p>Improving efficiency and long-term sustainability are laudable goals for any company.
But any time an organization makes significant changes to a core business function, such as supply chain, there is a risk of significant disruption. Indeed, changes to any of the practices and processes that support corporate goals and objectives come with a level of risk that should be clearly understood by management and communicated to the board.</p><p>This should be of particular concern to organizations making a push to innovate. Organizations should understand the risk/reward components to innovation from the outset. In such instances, it serves the organization well to involve internal audit on the front end to help identify any potential pitfalls.</p><p>Internal audit's unique and holistic view of the organization also helps provide assurance on agreements that turn over key operational functions to third parties. In KFC's case, DHL's promise to "rewrite the rule book" and "set a new benchmark for delivering fresh products to KFC in a sustainable way" should have raised a risk flag.</p><p>One silver lining from this incident is how well KFC handled the fallout. The company wasted no time in taking responsibility and offering an apology, primarily through social media channels. It quickly set up a website where customers could search for the nearest open KFC restaurant. One almost has to wonder whether the crisis management plan was built in as a contingency to the rollout of the new supply-chain arrangement.</p><p>KFC then took out full-page ads in two of the U.K.'s largest newspapers with a clever and sincere apology. One public relations professional described it as, "A masterclass in PR crisis management."</p><p>Of course, the best form of crisis management is to avoid the crisis in the first place, and that is what great internal auditing helps the organization do.</p><p>As always, I look forward to your comments.</p><p>Richard Chambers</p>
<h1>Truth Is, Fake News Has Always Been a Risk</h1><p><a href="https://iaonline.theiia.org/blogs/chambers/2018/Pages/Truth-Is-Fake-News-Has-Always-Been-a-Risk.aspx">https://iaonline.theiia.org/blogs/chambers/2018/Pages/Truth-Is-Fake-News-Has-Always-Been-a-Risk.aspx</a></p><p>Misleading or patently false information has long been a risk for organizations. A disparaging comment, even one with little or no foundation in fact, can leave executives scrambling for a response that will contain and, hopefully, reverse any damage. Usually, the truth will prevail.</p><p>But as we are seeing more and more, an unceasing barrage of unsubstantiated and outright phony "news stories" powered by social media and biased websites can quickly overwhelm an organization and influence events. </p><p>That's why it was no surprise to me when Google's parent company, Alphabet, recently elevated objectionable content — specifically, content spreading across the internet and social media — as a key risk. Alphabet's concern, of course, regards the integrity of its own brands, but the risk applies to any organization and, indeed, any individual.</p><p>"Our brands may be negatively impacted by a number of factors, including, among others, reputational issues, third-party content shared on our platforms, data privacy issues and developments, and product or technical performance failures," Alphabet stated in its annual report, or 10-K, to the U.S. Securities and Exchange Commission. "If we fail to appropriately respond to the sharing of objectionable content on our services or objectionable practices by advertisers, or to otherwise adequately address user concerns, our users may lose confidence in our brands."</p><p>Did this risk just occur to executives at Alphabet? I highly doubt that. What's different, I believe, is the company's risk appetite.</p><p>The recent backlash against questionable content bombarding consumers of Alphabet's YouTube and Google, as well as Facebook and Twitter, is clearly driving the change.
</p><p>Frankly, the company's description of risk might be considered by some as pretty mild. It doesn't warn of the societal dangers of objectionable content, but of the risk of losing advertisers and users of its services if it fails to respond appropriately. It also doesn't address an erosion of public confidence in legitimate media posed by questionable reports masquerading as news; rather, it focuses on "third parties" that are exploiting Alphabet's brands to spread the false information.</p><p>Striking a balance between a free flow of information, even if it's titillating or scandalous, and acting responsibly as a reliable and credible conduit for such "news" is nothing new. Organizations, including mainstream media, have played that game for centuries.</p><p>The lesson for internal auditors is that we must be attuned to our organization's risk appetite and offer warnings when the risks change. This may be what is driving the change in tone from Alphabet. </p><p>Speaking at The IIA's 2016 General Audit Management conference, Google's chief audit executive said the organization's internal audit function is practically built on that premise: "Our mission is to provide an objective view of all the risk they need to consider in making their decisions. Our responsibility is to help management have full information to make good risk-based decisions." </p><p>Ultimately, it is up to management and the board to set the risk appetite, but it falls on internal audit to make sure the risk portfolio is accurately reported all the way to the top. In Alphabet's case, I'm confident management and the board are fully aware of the undercurrents of information dissemination, and that they will continue to adjust their risk appetite to fit those changing dynamics.</p><p>In pondering the very real risk of fake news, I am reminded of the story of a famous radio broadcast in 1938. 
Orson Welles, an American actor, writer, director, and producer, "interrupted" CBS radio programming with breaking "news" that Martians had invaded Earth. He was actually performing a radio adaptation of H.G. Wells' science fiction novel "The War of the Worlds." But his delivery was so compelling and so realistic that, for some listeners, it was also very believable and set off a panic. The iconic broadcast and the reaction of those who thought it was real have been part of lore for decades. Yet, <a href="https://www.npr.org/sections/thetwo-way/2013/10/30/241797346/75-years-ago-war-of-the-worlds-started-a-panic-or-did-it">a 2013 article</a> cast doubt on whether the broadcast caused a panic at all. So, now even the news about the fake news may be fake. We are living in interesting times.</p><p>As always, I look forward to your comments.</p>Richard Chambers0
Are You Prepared?https://iaonline.theiia.org/2017/Pages/Are-You-Prepared.aspxAre You Prepared?<h2>What is internal audit's role in ensuring the organization has a disaster recovery plan? </h2><p>As we've recently seen, disasters — whether natural or from human activity — have shown the need for sound disaster recovery plans. Internal auditors play an assurance and consulting role in this arena, so they need to understand attitudes toward disaster recovery risk within their organizations. Disaster recovery should be part of the overall business continuity management process. For organizations that are ad hoc or reactive in their level of disaster recovery maturity, internal audit may need to assist in making the case to senior management for better preparedness.</p><p>As part of its risk assessment process, internal audit should examine the plan to determine whether operations have been prioritized appropriately and whether risk assessments and responses are sufficient and cost effective. Internal audit should note whether the plan is a working document that is updated in a timely manner as important changes take place, including acquired businesses and new software and technologies. Based on the level of risk, internal audit should schedule audits of the disaster recovery processes to provide assurance that there are no significant gaps. Another opportunity for internal audit is educating senior management and the board on their responsibilities for ensuring effective risk management practices are in place for any outsourcing arrangements.<br></p><h2>What should internal audit look for in a disaster recovery audit?</h2><p>The areas to cover in a disaster recovery audit can depend to some extent on the size, number of locations, and complexity of the organization. 
The most common areas to review are which functions and systems are covered or excluded in the plan and why, testing of multiple scenarios to identify vulnerabilities and gaps in the plan, the inventory of equipment and software, and documentation of backup and recovery processes (IT and non-IT). Auditors should consider where critical data is backed up and how often — including data stored on computers, smartphones, and other devices that employees may use for both work and personal purposes. Other items to review include testing of backup systems to be sure data can actually be restored; insurance coverage; legal involvement and review; disaster recovery contract provisions, including service-level agreements with outsourcers and suppliers; and whether responsibilities are clearly defined.</p>Staff0
Tomorrow’s ERM Todayhttps://iaonline.theiia.org/2017/Pages/Tomorrow’s-ERM-Today.aspxTomorrow’s ERM Today<p>As enterprise risk management (ERM) programs continue to mature at organizations around the world, internal auditors are now facing a new challenge. Technology risks are evolving and changing so rapidly, it is difficult for management to assess the new threats and adjust its strategies to manage and mitigate them. Applications that use disruptive technologies, such as artificial intelligence, advanced robotics, 3D printing, blockchain, and the Internet of Things, are being designed quickly and often generate new high-growth markets. Internal auditors are struggling to stay abreast of the most recent developments and identify new internal controls that add value.</p><p>Additionally, the exponential growth of computing power has enabled organizations to capitalize on the use of mobile devices and leverage the ubiquity of the internet to reach their markets almost instantly. While this is an exciting and challenging opportunity for marketers and business managers, it has injected new risk considerations for internal auditors. </p><h2>Business Advances</h2><p>Digitalization of data has created opportunities to improve data analytics, use algorithms to facilitate cognitive intelligence, and create bot applications that perform automated tasks. The essence of the risks and controls has not changed as much as the underlying technology. The processes still need to adhere to organizational policies and procedures, change management practices are still a vital component in transitioning to new tools and processes, and system and access controls must be enforced. </p><p>However, some controls that were important in the past now take on a new level of criticality. Automated algorithms result in less transparency of the underlying process. When data is used and shared through these processes, accuracy and completeness become a necessity. 
An organization needs very specific controls to ensure a bot does not proliferate erroneous data. Information security and access control processes must treat the bot as if it were a person and only allow access to appropriate data. Checks and balances must be integrated into the process to ensure the results are accurate, service level agreements are met, and contracts are adhered to.</p><p>Advanced materials, 3D printing, and autonomous vehicles are other advances that are transforming the business landscape. New businesses created by these technologies need to follow established governance processes and design risk management and internal controls into their business processes. As entirely new markets and products are developed, it is important that risk managers and internal auditors are involved proactively.</p><p>Many applications using the cloud and the internet are being transformed by another new underlying process called blockchain. Blockchain is a distributed ledger that maintains a shared, append-only list of records. Each record carries time-stamped data together with a cryptographic hash of the record before it, so every record is linked, through that chain of hashes, to the entire history that precedes it. Because each participant in the network holds and verifies its own copy of the ledger, an alteration to any historical record breaks the hash links that follow it and is visible to the other participants, which makes it infeasible for a single entity to change the history unnoticed. While blockchain is already being used in numerous applications, most notably digital currencies, many other industries are exploring the technology. Banks are testing cross-border financial transactions, and there is much speculation about the potential to use blockchain to eliminate the middle man in real estate deals, contracts, stock purchases, and other similar transactions. If blockchain is effective at eliminating intermediaries, the new business model will expose all the transacting parties to new risks, which were previously being managed by the middle man. 
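</p><p>The hash linkage described above, as an added example that is not part of the original article: a minimal hash-chained ledger in Python, built and verified offline. The records, timestamps and transaction strings are constructed sample data, and the names Record, append_record, verify_chain and tamper belong to this example rather than to any blockchain product. It shows why editing a historical record is detectable: even if an attacker recomputes the altered record's own hash, the next record still carries the old hash in its link, so verification fails there.</p>

```python
"""Hash-chained ledger: added example, not code from the article.

Each record commits to the one before it through a SHA-256 hash, so a change
to any historical record breaks the link from its successor. Timestamps are
fixed constants so the chain is reproducible offline.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENESIS_PREV_HASH = "0" * 64  # the first record has no predecessor to link to


@dataclass(frozen=True)
class Record:
    index: int
    timestamp: int   # seconds since the epoch; constructed values in build_sample_chain
    data: str        # the transaction payload recorded in the ledger
    prev_hash: str   # hash of the preceding record; this is the chain link
    hash: str        # hash over this record's own index, timestamp, data and prev_hash


def compute_hash(index: int, timestamp: int, data: str, prev_hash: str) -> str:
    """SHA-256 over a canonical (sorted-key, no-whitespace) JSON encoding of the fields."""
    payload = json.dumps(
        {"index": index, "timestamp": timestamp, "data": data, "prev_hash": prev_hash},
        sort_keys=True,
        separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def append_record(chain: List[Record], timestamp: int, data: str) -> Record:
    """Append a record whose prev_hash is the hash of the current chain head."""
    index = len(chain)
    prev_hash = chain[-1].hash if chain else GENESIS_PREV_HASH
    record = Record(index, timestamp, data, prev_hash,
                    compute_hash(index, timestamp, data, prev_hash))
    chain.append(record)
    return record


def verify_chain(chain: List[Record]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if every record hashes correctly and links to its
    predecessor, otherwise (False, index of the first record that fails)."""
    for i, record in enumerate(chain):
        expected_prev = chain[i - 1].hash if i > 0 else GENESIS_PREV_HASH
        if record.index != i or record.prev_hash != expected_prev:
            return False, i
        if record.hash != compute_hash(record.index, record.timestamp,
                                       record.data, record.prev_hash):
            return False, i
    return True, None


def tamper(chain: List[Record], index: int, new_data: str, rehash: bool) -> List[Record]:
    """Return a copy of the chain with the data of record `index` altered.

    With rehash=False the edited record no longer matches its own hash.
    With rehash=True the attacker fixes that hash too, but the following
    record still holds the original hash in prev_hash, so the link breaks there.
    """
    altered = list(chain)
    old = altered[index]
    new_hash = (compute_hash(old.index, old.timestamp, new_data, old.prev_hash)
                if rehash else old.hash)
    altered[index] = Record(old.index, old.timestamp, new_data, old.prev_hash, new_hash)
    return altered


def build_sample_chain() -> List[Record]:
    """Constructed sample ledger of three transfers with fixed timestamps."""
    chain: List[Record] = []
    append_record(chain, 1_500_000_000, "A pays B 10")
    append_record(chain, 1_500_000_060, "B pays C 4")
    append_record(chain, 1_500_000_120, "C pays A 1")
    return chain


if __name__ == "__main__":
    ledger = build_sample_chain()
    print("intact ledger:", verify_chain(ledger))
    print("record 1 edited in place:", verify_chain(tamper(ledger, 1, "B pays C 400", rehash=False)))
    print("record 1 edited and rehashed:", verify_chain(tamper(ledger, 1, "B pays C 400", rehash=True)))
    print("last record edited and rehashed:", verify_chain(tamper(ledger, 2, "C pays A 100", rehash=True)))
```

<p>Note the limit of the chaining on its own: an edit to the most recent record, followed by a recomputed hash, has no successor to expose it, so verify_chain reports it as intact. In practice the ledger's tamper resistance also rests on every participant holding a copy and on the consensus protocol by which new records are accepted, neither of which this example models. That is the part an auditor should ask about when a "blockchain" is offered as the control.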
</p><h2>Audit's Effect on Disruption</h2><p>There are several ways internal auditors can help manage the effect of disruptive technologies on their organizations. By focusing on assurance, providing insight to management, and demonstrating proficiency and expertise in new technologies, internal auditors will be able to contribute significantly to the overall success of their organizations.</p><p> <strong>Focus on Assurance</strong> For many years organizations have been encouraged to focus on what they do best. That is wise advice for the internal audit profession, as well. By continuing to focus on governance, risk, and internal controls, auditors can help ensure processes are designed and operating effectively. Regardless of the nature or tempo of the changes, auditors will then be able to fulfill their mission. Moreover, proactively helping their organizations anticipate emerging risks and technological changes can position internal audit as an authority and help prepare the organization to respond to disruptive events.</p><p> <strong>Engage With Stakeholders and Subject-matter Experts </strong>By aligning with the expectations of its key stakeholders and working closely with subject-matter experts who are implementing disruptive technologies, internal audit can be focused on the most relevant and significant issues. For example, cybersecurity and data privacy are topics that every organization is managing. Identifying trends that will affect the organization, and collaborating with and providing insight to their stakeholders, can enable internal audit to significantly affect the business agenda.</p><p> <strong>Invest in Training on Disruptive Technologies</strong> More than ever, internal auditors must constantly pursue training to learn about new technologies and the complex and emerging new risks being introduced into their organizations. 
Additionally, chief audit executives need to focus on developing an adaptive, flexible, innovative staffing model. This new model must tap into a highly specialized talent pool that has the technological competence to rapidly understand and leverage new tools, techniques, and processes.</p><p> <strong>Put New Technologies to Work </strong>Perhaps the most important thing auditors can do to prepare for technological innovations is to embrace and leverage new technologies in their own work. Internal auditors need to be at the forefront of adopting artificial intelligence, cognitive computing, and smart robots. Auditors need to completely understand how technologies like blockchain work and how they can be used in their organizations. They must take advantage of machine learning and data analytics in their audit processes. Moreover, continuous auditing should be the default for new audit routines, and real-time auditing should be a requirement as organizations implement new business processes. </p><h2>An Audit Upgrade</h2><p>Just when organizations were getting a handle on ERM, the threat of disruptive technologies has arrived and will affect every organization regardless of its size or objectives. When Gordon Moore observed in 1965 that the number of components on an integrated circuit had doubled every year since the integrated circuit was invented, one doubts he imagined that exponential growth would continue for more than 50 years. As computing power increases, technology becomes more mobile, data becomes more accessible and usable, and new competitors capitalize on the opportunities that arise. Risk managers will have to assess emerging threats consistently. Internal auditors will need to respond to those threats with new and better ways to perform audits and redesign their own processes — or they may face disruption, themselves.</p>Charlie Wright1
The Time Has Come for Marks on Governancehttps://iaonline.theiia.org/blogs/marks/2017/Pages/The-time-has-come-for-Marks-on-Governance.aspxThe Time Has Come for Marks on Governance<p>In <em>The Walrus and the Carpenter</em>, Lewis Carroll wrote:</p><blockquote style="margin:0px 0px 0px 40px;border:medium none;padding:0px;"><p>"The time has come," the Walrus said,</p><p>      "To talk of many things:</p><p>Of shoes — and ships — and sealing-wax —</p><p>      Of cabbages — and kings —</p><p>And why the sea is boiling hot —</p><p>      And whether pigs have wings."</p></blockquote><p>[I will let my friend and fellow blogger, <a href="/blogs/jacka" target="_blank">Mike Jacka</a>, talk about flying pigs.]</p><p>Yes, the time has come — to talk about concluding this blog. After all, I have been retired for five years and it is time to start slowing down.</p><p>The blog was born in 2008 with "<a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=607cd1df-2cc8-490e-bac2-ba8391dee68f" target="_blank">A Broken Relationship</a>." Since then, I have written hundreds of articles on governance, risk management, internal auditing (of course), and technology. Not a single reference, I am afraid, to flying pigs.</p><p>While this blog will come to an end, the world and its challenges will not. I will continue to write and speak about them. I hope to see you at IIA and other conferences, and I will continue to share my thoughts in <em>Internal Auditor</em> magazine and on my personal site.</p><p>Perhaps my last blog post should be about how the future of internal auditing is in auditing and then communicating what matters. 
I was recently honored to make a keynote presentation on that topic at IIA–Brasil's annual conference in Rio de Janeiro.</p><p>I asked the attendees whether they wanted, as internal auditors, to have a seat at the top table alongside senior executives from finance, operations, legal, marketing, and so on. They all said internal audit should have a seat at the top table. As Richard Chambers says in his latest book, they want internal audit to be seen as <a href="https://bookstore.theiia.org/trusted-advisors-key-attributes-of-outstanding-internal-auditors" target="_blank">trusted advisors</a>.</p><p>Then I asked who they would invite to sit at <em>their</em> table. I suggested that they would welcome people who had something interesting and valuable to offer. They wouldn't invite people (except family members) simply because of their title or position.</p><p>Similarly, internal audit heads (chief internal auditors, CAEs) will be welcomed at the top table when they have something interesting and valuable to offer on the topics typically discussed at that table: the enterprise's objectives and strategies, major projects, performance, and risks to success.</p><p>If we do what I suggested in <a href="https://www.amazon.com/Auditing-that-matters-Norman-Marks/dp/1537662023/ref=asap_bc?ie=UTF8" target="_blank"><em>Auditing That Matters</em></a>, we would be considered trusted advisors that provide assurance, insight, and advice that helps the organization succeed. 
I said:</p><blockquote style="margin:0px 0px 0px 40px;border:medium none;padding:0px;"><p>For internal audit to "matter," it needs to:</p><ol><li>Focus on the risks that matter to the board and top management — risks to the successful delivery of value to stakeholders, the achievement of objectives set by the board.</li><li>Provide assurance on those risks that is readily consumable, relevant, actionable, and timely — helping board members and executives make informed decisions that lead the organization to success; where action is necessary, it can be taken promptly and effectively.</li><li>Provide a formal opinion by the CAE on whether the systems of internal control and risk management provide reasonable assurance that the more significant risks are managed at desired levels.</li><li>Provide, in addition to formal assurance, its objective insight on any area critical to the achievement of success. For example, internal audit cannot be fearful of sharing its opinion on the performance of key personnel, the structure of the organization, and so on.</li><li>Communicate <em>what</em> its stakeholders need to know, <em>when</em> they need to know, and <em>in a form</em> that is easily consumed, relevant, and actionable.</li><li>Work effectively with management to help upgrade its processes, systems, organizational structure, controls, and people as needed.</li></ol></blockquote><p>These principles are consistent with The IIA's four results-oriented <a href="https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Core-Principles-for-the-Professional-Practice-of-Internal-Auditing.aspx" target="_blank">Core Principles for the Effective Practice of Internal Auditing</a>. 
They state that an effective internal audit function:</p><ul><li>Communicates effectively.</li><li>Provides risk-based assurance.</li><li>Is insightful, proactive, and future-focused.</li><li>Promotes organizational improvement.</li></ul><p>Internal audit should focus on the more significant risks to the enterprise, not just those that may be important to a process, business unit, or middle manager. If you focus on risks to individual processes, business units, and so on, you merit a seat at the <em>middle</em> management table — because those are the people interested in what you have to say. But if you have an eye on the future, on the risks that could either derail or represent opportunities to succeed today and in the next year or so, your insights are valuable to senior leadership.</p><p>We simply cannot continue to perform audits of history and write reports that stakeholders read out of duty. We need to provide forward-looking assurance and advice on what matters and will matter in the days ahead: communications that matter to our stakeholders because they help them succeed.</p><p>We need to discard the outdated concept of an audit universe and focus instead on a risk universe. We audit and provide assurance on the management of risks, not the management of business units.</p><p>One of the challenges is going to be to understand what risk and risk management are all about. Frankly, I don't think enough people (and especially internal auditors) understand that it is not about the periodic review of a list of risks.</p><p>No, risk management is about ensuring that people are able to make informed and intelligent decisions, taking the desired amount of risk. 
It's about making sure they think things through, considering all the things that might happen, both good and bad, before making a decision — and every decision creates or modifies risk.</p><p>Internal audit should audit the management of risk within and across the enterprise, not simply compliance with risk policies and standards.</p><p>Think about this. <a href="https://www.mckinsey.com/business-functions/organization/our-insights/five-fifty-better-decision" target="_blank">According to McKinsey</a>, "60% of senior executives say that bad decisions were about as frequent as good ones"! This is an opportunity for internal audit — but we have to know what is possible and desirable, and that is beyond putting together a risk inventory. We need to be brave and talk about the elephants in the room.</p><p>Almost always, the root cause of risk and control problems is <em>people</em>. Maybe it's an ineffective manager or an individual who does not have the training or experience to do the job. Maybe a control is not being performed reliably because the function is understaffed.</p><p>Our goal is not popularity. Our goal has to be to provide our stakeholders with <em>actionable</em> information that will enable them to correct what needs to be corrected.</p><p>Our goal has to be to help the organization succeed! Providing a list of problems is not nearly enough.</p><p>As I look back on nine years of blogging here, I can see progress. For example, perhaps half of internal audit functions have moved from a rigid annual audit plan to a flexible one that makes sure you are auditing what matters now, rather than what used to matter. That progress needs to continue.</p><p>The path to success lies in our ability to challenge <em>everything</em> we have done because it is what we have always done. We wouldn't accept that from process owners. 
Why accept it in our own profession?</p><p>Challenge:</p><ul><li>What we are auditing.</li><li>How we are auditing.</li><li>How we communicate the results of our work.</li><li>How we provide stakeholders with what they need — actionable information.</li><li>How we can help the organization succeed.</li></ul><p>We need to be <a href="https://www.youtube.com/watch?v=QUQsqBqxoR4" target="_blank">brave</a> (watch the video). Not everybody in our world, from board members to staff members, is going to be happy with change.</p><p>But if we move forward and show them the value <strong><em>to them</em></strong> of addressing and then communicating what matters, it is not only possible to get their enthusiastic support, it will also earn you a seat at the top table.</p><p>What do you think?</p><p>Are we there yet?</p>Norman Marks0
Risky Relationshipshttps://iaonline.theiia.org/2017/Pages/Risky-Relationships.aspxRisky Relationships<p>Third parties are becoming increasingly important to succeeding in today’s complex business environment. Many organizations are assessing their core strengths and turning to a diverse range of outside organizations where specialist capabilities are required. While such relationships can give organizations a competitive advantage, they also can impact their reputations. </p><p>Like all business relationships, trust is integral in working with third parties. Internal auditors can help their organization ensure that trust is fostered and maintained. Moreover, they can assess whether the organization has established effective processes to support its third-party relationships.</p><h2>A History of Setbacks</h2><p>Using third parties has its risks. Choosing a partner and determining the type of contractual arrangement to put in place can be difficult because of the range of options available (see “Third-party Relationships and Impacts” at right).</p><p>Once chosen, there is no guarantee that the third-party relationship will succeed. There are numerous examples where the actions of third parties have significantly damaged the reputation and financial strength of the contracting organization. In these instances, competitors press their advantage.</p><p><strong><img src="/2017/PublishingImages/Arnold-third-party-relationships-and-impacts.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:400px;height:500px;" />TSKJ</strong> A joint venture formed by the U.S.’s M.W. Kellogg Co. (now known as KBR), France’s Technip, Japan’s JGC, and Italy’s Snamprogetti, TSKJ won four contracts worth more than $6 billion between 1995 and 2004 to design and build liquefied natural gas facilities on Bonny Island, Nigeria. None of the participants had a majority stake in the joint venture. TSKJ reportedly used agents to bribe Nigerian government officials, and the U.S. 
Securities and Exchange Commission (SEC) initiated the case in 2009. The SEC declared that each joint venture partner had culpable knowledge of the payments because senior executives from each company, including some who were serving on the TSKJ steering committee, participated in meetings where the bribery was discussed. <br></p><p>The four companies paid a combined $1.7 billion in civil and criminal sanctions for the decade-long bribery scheme. These include: Snamprogetti and its parent company ENI paid $365 million; Technip paid $338 million; and consortium leader KBR and its former parent Halliburton paid $579 million. </p><p>The nonfinancial impacts in this case included reputational damage and criminal charges against current and past joint venture parent employees. KBR’s U.S. Foreign Corrupt Practices Act (FCPA) violations impacted successor liability after Halliburton acquired KBR in 1998. These were based on books and records violations and Halliburton’s lack of post-acquisition vigilance. On the financial side, the FCPA and U.K. Bribery Act investigations affected share price and capitalization for all the companies.</p><p><strong>Supermarket Cyberattack</strong> In 2013, a cyberattack on a U.S. supermarket chain compromised an estimated 40 million customer debit and credit cards. The attackers first compromised a third-party vendor through a phishing attack and then used that vendor’s access to get into the chain’s own network; the breach was thus an inherited third-party risk, not a failure of the chain’s perimeter alone. The chain suffered significant reputational damage. The cost of the breach was an estimated $202 million, and the chain paid $18.5 million to settle legal claims by 47 states.<br></p><p><strong>Food Contamination</strong> In January 2013, news outlets reported that foods advertised as containing beef contained undeclared or improperly declared horse meat — as much as 100 percent of the content in some cases. This initially was discovered by the Food Safety Authority of Ireland, which found horse DNA in frozen beef burgers sold in several Irish and British supermarkets. 
Investigations uncovered complex supply chains — one involved eight separate vendors and traders across five European countries. The supermarkets lacked visibility across the supply chain and did not have suitable controls to verify the end product.<br></p><p>The supermarkets’ reputations suffered significantly, with financial repercussions as well. A U.K. House of Commons report stated, “The evidence suggests a complex network of companies trading in and mislabeling beef or beef products, which is fraudulent and illegal.”</p><h2>The Importance of Audit Planning</h2><p>Third-party trust features in most audit plans, whether as part of a broader review, as a review of the third party itself, or as a holistic third-party governance framework audit. Understanding the organization’s risk profile and supply chain and benchmarking against a third-party governance framework can help internal audit address the correct risks, prevent adverse outcomes, and add value to management. Whether auditing individual activities or an entire third-party governance framework, auditors can compare them with the elements of the “Third-party Governance Framework” below to identify improvement areas.</p><h2>Plan</h2><p>With a vast range of partnership structures and operations across industries, implementation of a governance process can be challenging. Risk management within trust relationships will depend on the nature of the relationship, including level of influence, ownership/management control, and the third parties’ appetite for control monitoring and risk management. 
Questions to ask include:</p><ul><li>Is the organization able to perform the service in-house?</li><li>Has the organization performed appropriate due diligence before third-party engagement?</li><li>Has the organization prioritized and ranked its third-party relationships according to risk?</li><li>Has the organization selected the correct type of third-party relationship, such as an alliance, joint venture, or contract?</li><li>Will the third party represent the organization effectively and align with its culture?</li><li>Does the third-party contract include an audit clause?</li></ul><p>Audit objectives include:</p><ul><li>A clear vision and third-party strategy for service delivery.</li><li>Consistent third-party governance structure design.</li><li>A risk stratification model.</li><li>Due diligence procedures, including cultural alignment.</li><li>Design and use of a risk-based, standard contract template.</li></ul><h2>Execute</h2><p><img src="/2017/PublishingImages/Arnold-third-party-governance-framework.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:500px;height:326px;" />Internal audit typically perceives the execution phase as having the most direct impact on performance. Auditors should assess whether there are processes to support working with third parties to achieve shared objectives. 
Audit questions include:</p><ul><li>Is there clear stakeholder and role definition for all aspects of the contract life cycle?</li><li>Do all of the relevant personnel have the appropriate knowledge, skills, and experience?</li><li>Are established performance metrics based on identified risks?</li><li>Is cultural alignment continually reinforced?</li><li>Are technology and data being used as effective enablers to manage the relationship?</li><li>Does the provision of information between partners align with antitrust requirements?</li></ul><p>Audit objectives include:</p><ul><li>Timely identification and resolution of issues.</li><li>Effective performance management throughout the contract life cycle.</li><li>Timely, accurate, and transparent third-party reporting.</li><li>A joint culture of continual improvement within the organization and the third party.</li></ul><h2>Monitor</h2><p>Third-party assurance often focuses on how the third party is directly managed. It also is important to understand how it is monitored and assessed. In large, complex organizations, this involves understanding how responsibilities are split between the first and second lines in the three lines of defense. </p><p>The audit also must consider how management uses data to ensure effective monitoring. Organizations often generate significant volumes of complex data but do not always use it effectively. Auditors should ask:</p><ul><li>Have key risks been factored into third-party assurance?</li><li>What level of assurance is required, and can third-party assurance reports be used?</li><li>What assurance is provided by the second line of defense?</li><li>Have data-based key performance indicators (KPIs) and red flags been identified? 
Are they continually monitored, with management taking action where poor performance is identified?</li><li>Does the third party have effective assurance mechanisms?</li></ul><p>Audit objectives include:</p><ul><li>Risk-based assurance model.</li><li>Scope covering end-to-end third-party risks, such as subcontractors.</li><li>Analytically driven contract compliance program.</li><li>KPI-based dashboard reporting, including red flags.</li></ul><p>During this stage, internal audit should look for warning signs such as whether management is identifying and taking action on red flags. Examples include:</p><ul><li>Safety: safety incidents, a high number of recordable injuries, and significant audit findings.</li><li>Performance: missed KPIs, disrupted service, and poor third-party governance.</li><li>People: high turnover, poor culture and tone at the top, and reduced capacity and capability.</li><li>Information: data leaks, bad press, and regulatory breaches.</li></ul><h2>Improve</h2><p>To achieve effective third-party relationships, areas for improvement must be identified, communicated, and resolved so problems do not escalate. Management and assurance activities often overlook this phase. Improvement should be continual and can be applied to individual third parties and the overarching governance framework. 
Internal audit should assess whether this is being undertaken by asking:</p>
<ul><li>Are contract managers sufficiently trained to embed continual improvement?</li><li>Are issues used to drive improvement actions?</li><li>Is the effectiveness of the framework monitored through the use of portfolio-based metrics?</li><li>How often are overarching process controls reviewed?</li><li>Are third-party outcomes routinely successful?</li></ul>
<p>Audit objectives include:</p>
<ul><li>Improvement actions are routinely implemented.</li><li>A joint culture of continual improvement is in place.</li><li>The third-party governance framework is systematically evaluated and improved.</li></ul>
<h2>Achieving Success</h2>
<p>Collaboration, communication, and engagement are key to sustaining third-party relationships. Key principles for sustainable success are:</p>
<ul><li>Establish strong leadership and sponsorship.</li><li>Involve third parties early.</li><li>Develop agreements that include two-sided incentive plans.</li><li>Identify continuous improvement opportunities.</li><li>Align benefit realization to strategic objectives.</li><li>Collaborate on product and service design.</li><li>Engage in joint process improvement.</li><li>Integrate systems and apply technology effectively.</li><li>Establish shared KPIs focused on outcomes.</li></ul>
<p>Third parties can cause significant exposure and adverse consequences to an organization's objectives. Implementing and assessing a governance framework will maximize the opportunity to mutually achieve strategic objectives.</p>
<p>Risk management and internal audit should be active in third-party governance, from thought leadership and support during strategy development to controls monitoring, execution of third-party audits, and follow-up. The right audit and risk process will define the organization's risk exposures and implement risk performance criteria and monitoring against them. Continuous monitoring throughout the process will help ensure appropriate oversight of, and ultimately comfort with, third parties.</p>
Ben Arnold
How to Improve Your SOX Compliance Program
https://iaonline.theiia.org/blogs/marks/2017/Pages/How-to-Improve-Your-SOX-Compliance-Program.aspx
<p>If you have been following either of my blogs (hopefully both, here and at <a rel="nofollow" href="http://normanmarks.wordpress.com/">normanmarks.wordpress.com</a>), you know that I frequently call out so-called expert guidance that is anything but expert.</p>
<p>Recently, a software vendor teamed up with a mid-size accounting firm to publish a white paper, with guidance for companies on optimizing their Sarbanes-Oxley program, that should never have seen the light of day. Frankly, I am not going to waste time and space criticizing it.</p>
<p>Instead, I will share some suggestions of my own:</p>
<ol><li>Make sure you are focused on financial reporting risk! The scope should include controls required to provide <em>reasonable assurance</em> that <em>material errors or omissions</em> will be either prevented or detected. That means that the likelihood is more than a <em>reasonable possibility</em>. That means more than simply a theoretical possibility, and the error or omission has to be <em>material</em> to the consolidated financial statements.</li><li>Question why you have controls included in scope where, should they fail, there is less than a reasonable possibility of a material error or omission.</li><li>Apply the risk-based, top-down approach to the whole program, including IT general controls (ITGC) and how you address the COSO Principles. The ITGC scoping should be a continuation of the scoping, not a separate evaluation. Identify the controls that provide reasonable assurance that the COSO Principles are <em>present and functioning</em> (as defined by COSO, a defect would not be a <em>major</em> deficiency).</li><li>Be experts not only in the U.S. Public Company Accounting Oversight Board (PCAOB) standards (including AS10 and so on) but also in the U.S. Securities and Exchange Commission's (SEC's) <a href="https://www.sec.gov/rules/interp/2007/33-8810.pdf">Interpretive Guidance</a> and SEC/PCAOB staff guidance.</li><li>Re-evaluate the program every year! The business changes every year, and the scope should be reviewed and refined every year.</li><li>Read The IIA's updated guidance (my book): <a href="https://bookstore.theiia.org/managements-guide-to-sarbanes-oxley-section-404-4th-edition">Management's Guide to Sarbanes-Oxley Section 404, 4th Edition</a>. (FYI, I receive no income from sales of this book: It all goes to the Internal Audit Foundation.)</li></ol>
<p>I welcome your thoughts.</p>
Norman Marks