IT Risks Are Prevalent – Do You Have Enough IT Audit Coverage?

Brand.jpgBy David Brand
Managing Director – Leader, IT Audit Practice



IT risk is everyone’s problem. By “everyone,” we mean the board of directors, senior management, process owners and internal auditors. Internal audit departments play a critical role in ensuring that mitigating processes and procedures are in place and working effectively to manage the organization’s risks. An alarming number of organizations, however, are not maximizing the input internal audit can have in helping to manage their IT risks. This neglect results in embarrassing incidents to the top of the organization, CIO organization and the owners of affected processes.

With the rapid evolution and propagation of social media, cloud and mobile technologies, IT departments are often stretched to their limits. Under pressure to implement, it’s easy to miss vulnerabilities and potential security breaches.

Examples – such as the website launch debacle and any number of corporate mea culpas regarding security breaches exposing customer financial data – illustrate vividly how quickly a glitch or vulnerability can escalate from an IT problem to a critical business problem and a huge reputational risk.

When it comes to IT audit programs and practices, our annual IT Audit Benchmarking Survey consistently reveals that organizations leave themselves significant room for improvement. Too many fail to plan and institute the IT audit coverage necessary to ensure an available, secure and efficient IT environment.

Furthermore, some organizations don’t house their IT audit resources in their internal audit departments, and others lack such resources entirely. We have found that just 1 in 4 companies have an IT audit director or someone in an equivalent role focused on technology risks.

I could say a lot on this topic, but our benchmarking survey provides a much more thorough and detailed analysis. I encourage you to read it. For now, let me close with five key questions that every CEO and audit committee member should be asking about their organization’s IT audit capabilities:

  1. Is our internal audit function performing an effective IT risk assessment at least once a year, and are people who are knowledgeable of infrastructure, applications and IT involved in the process?
  2. Has our internal audit team reviewed the COSO (2013 update) and COBIT 5 frameworks, and are our audit plans based on those recognized policies and practices?
  3. Does our IT audit team have a clear understanding of our organization’s short- and long-term IT objectives?
  4. How do we quantify our IT risks? What industry benchmarks and best practices are used?
  5. Does our IT audit risk assessment process coordinate with other risk assessment areas, including financial, operational and compliance?

As with any growing or rapidly changing risk, it is important for organizations to stay ahead of the risk management curve – and make this a sustainable effort.

For more about Protiviti’s IT Audit Benchmarking Survey, watch our video. I also invite you to see how you rate in auditing your IT risks at

Cybersecurity at the board level: Is your intellectual property and sensitive information leakproof?

In my line of work, I have the pleasure of talking to boards of directors and C-Level executives all over the country. I’m often impressed with their commitment to their enterprises, their keen intelligence, their professionalism and their drive. But I’m frequently stunned to see organizations without a process and control environment for protecting their intellectual property online. Of particular interest, board communications are among the most vulnerable.

Too many organizations treat emails, stored internal document files and social media communications as operational exceptions to otherwise tight cybersecurity framework rules. In fact, Thomson Reuters Accelus pointed out in its annual Board Governance Survey that more than 75 percent of organizations “utilize unsecure, personal email accounts to distribute board documents.” And barely half ensure these communications are encrypted. In this day and age, I call that a “wow!”

Board books, in particular, are almost 70 percent bigger than they were just a couple of years ago, according to some estimates, and more than half of companies produce them digitally. We all realize the importance of saving trees and “going green” but, having said that, we also know that confidential information is included in these books. Interestingly, the number of companies that distribute them electronically has dropped of late.

Things are changing for the better. Thomson Reuters Accelus also reported that 52 percent of organizations use board-only portals to share sensitive board information. Another encouraging trend: More organizations are providing their boards with secure mobile devices for board communications.

I call that good news because protecting sensitive information is getting harder every day. We pointed out in an issue of our Board Perspectives: Risk Oversight newsletter that despite the U.S. Securities and Exchange Commission requirements to disclose cyberattacks, reported attacks are just the tip of a vast iceberg. And cybercriminals are using ever more sophisticated means to gain control of online information. Simply stated, they are playing for keeps. We know that because Protiviti helps companies all over the world assess and manage these growing threats.

For boards of directors, as well as any other level of the organization seeking to secure its data and communications, an approach toward security that focuses on information governance is critical. This fosters cross-organizational collaboration and structured policymaking. That kind of team approach is vital to managing the risk of cyberattacks on board documents; it seems perfectly tailored to the less-than-structured and flexible approach so many companies now take to their board communications.

Protiviti employs a number of content management measures, including document locking on our online intellectual property. Others have been known to go so far as to embed user verification codes that cause documents to electronically “shred” themselves if opened by an unauthorized user. Some swear by this kind of digital rights management. Others have found it cumbersome to the extreme. This is challenging in the board environment, as directors and executive teams like to keep things simple.

What do you do to protect your board communications and intellectual property and sensitive information online? Share your thoughts in the comments below.


The Future Auditor: The Chief Audit Executive’s Endgame

Brian Christensen - Protiviti PHX 2012_Low Res

by Brian Christensen
Executive Vice President – Global Internal Audit, Protiviti


In a recent issue of The Bulletin, we discuss Protiviti’s future auditor vision. This is something about which I am particularly passionate, as I think it speaks on many levels to how internal audit executives can make a difference in their organizations.

The future auditor is a CAE who is (a) positioned to be objective with regard to operating units, business processes and shared functions, (b) vested with a direct reporting line to the board of directors, (c) recognized throughout the organization as a positive change agent, and (d) recognized by executive management and the board as a valued sounding board in safeguarding the adequacy and effectiveness of activities that really matter to the organization’s success.

Auditor tableWe have long supported The IIA’s definition of internal auditing. The future auditor vision is all about taking concrete steps toward making the future state envisioned in The IIA definition a reality. We believe that executive management and boards of directors’ expectations of the internal audit function continue to rise. Therefore, CAEs must continuously upgrade their capabilities to keep pace with these higher expectations and add value.

I encourage you to read our issue of The Bulletin and learn more about the 12 ways the future auditor can contribute value.

As part of our ongoing efforts to advance the internal audit profession, we will continue to discuss the future auditor vision in our blogs and welcome your input. And later this month, look for Internal Auditing Around the World: Building on Experience to Shape the Future Auditor.


PCAOB Adopts New Requirements for Related Party and Significant Unusual Transactions, and Executive Officer Financial Relationships/Transactions

Some VERY significant news from the PCAOB: Earlier this month, the board adopted a new auditing standard and various amendments to other auditing standards to strengthen auditor performance requirements in three challenging areas:

  • Related party transactions;
  • Significant unusual transactions; and
  • A company’s financial relationships and transactions with its executive officers.

In a just-released Flash Report from Protiviti, we summarize the PCAOB’s new auditing standard and the board’s various amendments, along with the implications for auditors and companies.

The PCAOB’s intent in addressing these transactions and relationships is to improve existing standards by requiring additional procedures in each of these areas and provide direction to ensure the auditor’s approach to these areas is sufficiently risk-based and appropriately coordinated.

Of particular note, the requirements will be effective for calendar year 2015 audits, including interim periods (e.g., required for fiscal years beginning on or after December 15, 2014). They will apply to audits of companies listed on exchanges in the United States.

The significance of these requirements is that they address what the PCAOB considers to be insufficient work by auditors in these areas, based on the board’s inspections process. Accordingly, we can expect continued attention on the part of the inspections process, which will drive auditors to increase audit emphasis in these areas. In addition, these areas are quite pervasive, meaning every public company is likely to be affected.


It’s Not the Time for Banks to Abandon Vendors

Ed Page - Protiviti Chicagoby Ed Page
Managing Director – Leader, Protiviti’s National Financial Services IT Consulting Practice


A recent article in American Banker Bank Technology News raises the prospect that stiffer vendor risk management requirements may push banks to bring more IT work in-house. Given the rigor being demanded these days, it’s hard to argue against that position, but banks and regulators alike need to be aware that this could have unintended consequences, particularly at midsize and smaller banks.

Large banks generally have the scale and skills to run IT services in-house, so insourcing to reduce the overhead of vendor management may be a viable approach. However, driving IT services in-house at smaller institutions may create a whole different set of risks. Many midsize and smaller institutions have long depended on outsourced relationships to provide essential IT services, both as a means of acquiring technical competencies and to reduce costs related to IT operations. Consequently, many lack the core competencies, experience and expertise needed to run things in-house.

I liken this a little to the do-it-yourself (DIY) phenomenon in home improvement. Although there are certainly a lot of DIY projects that people can undertake, a project such as upgrading the 1940s era knob and tube electrical wiring currently in your home to current standards is better left to the professionals (unless, of course, you are an electrical wiring expert!).

Insourcing may also pose a secondary risk for the industry as a whole. At a time when banks need to innovate to stay competitive, banks may be discouraged from working with vendors – particularly smaller vendors – who may be creating breakthroughs. This may lead to financial institutions missing opportunities to either drive down costs or introduce new products and services, which in turn creates risk from those institutions and non-bank competitors who are more willing to work with outside providers.

Technology and data are the life blood of banking, so the regulatory intent to ensure accountability and governance over these critical services is undeniably correct, but banks must guard against overreacting in ways that create other equal or even greater risks. The industry needs to retain both insourcing and outsourcing as viable alternatives. Ultimately, organizations should develop an IT strategy based on their business priorities and competencies. That strategy should be supported by a well-defined IT architecture, strong IT and data governance, and – where outsourcing is dictated – sound vendor management.

And for more insights into vendor risk management, I encourage you to read the benchmark report that the Shared Assessments Program and Protiviti recently released on the maturity of vendor risk management in organizations today.

More on the New Revenue Recognition Rules

Many of my Protiviti colleagues and I have received numerous questions from clients and contacts about the new revenue recognition standard issued by the Financial Accounting Standards Board and International Accounting Standards Board. Therefore, I thought I’d comment further on the new standard and share some notable commentary and insights from others in the market.

The objective of the new standard, according to FASB and IASB, is to “establish the principles to report useful information to users of financial statements about the nature, amount, timing and uncertainty of revenue from contracts with customers.” In practice, it’s intended to:

  • Remove inconsistencies and weaknesses in existing revenue requirements;
  • Provide a more robust framework for addressing revenue issues;
  • Improve comparability of revenue recognition practices across entities, industries, jurisdictions and capital markets;
  • Provide more useful information to users of financial statements through improved disclosure requirements; and
  • Simplify the preparation of financial statements by reducing the number of requirements to which an organization must refer.

My colleagues and I have stated repeatedly that this is a big deal. Others agree:

The American Institute of Certified Public Accountants blog calls revenue recognition “the most pervasive and across-the-board important topic that the issuers could have tackled,” and notes that the new standard “eliminates transaction- and industry-specific guidance and replaces it with a principle-based approach that applies to all public, private and not-for-profit entities.”

The Wall Street Journal’s blog notes that public companies have until 2017 to prepare for it, and adds that software makers and wireless providers, among others, could record revenue more quickly than before, while, for example, auto and appliance makers may see the opposite trend.

A terrific article in CFO magazine points out that the new standard was “strongly opposed by many finance and accounting executives,” and adds that its changes could have a ripple effect on loan covenants, compensation packages, discounts, rebates taxes, and even new company start-ups.

Simply stated, the literature was all over the place. It was hard to know where to look when confronted with new and different revenue recognition situations.

The issuers’ bottom line is a contract-based approach to revenue recognition. Their core principle is to “recognize revenue in a manner that depicts the transfer of promised goods or services to customers in an amount that reflects the consideration to which the entity expects to be entitled in exchange for those goods or services.” To achieve the core principle, they outline these five steps:

  • Identify the customer contract(s).
  • Identify the separate performance obligations therein.
  • Determine the transaction price.
  • Allocate it to separate contract performance obligations.
  • Recognize revenue when the entity satisfies each one.

Naturally, it’s going to be more complex than that. To help with the changeover, the FASB and IASB have set up a joint Transition Resource Group that will meet publicly until the standard goes fully into effect. In the meantime, preparers worldwide need to get themselves educated on the new standard.

As a reminder, we published a detailed Flash Report on the new standard that I encourage everyone in an accounting/finance role to review. Let the transition process begin!