Six Reasons Why Directors Should Care about COSO 2013

December 15 will be here before we know it. The updated COSO Internal Control – Integrated Framework already has been out for more than a year. For those companies with fiscal year-end dates beginning on or after December 15, 2014, COSO recommends transitioning to the updated 2013 framework. Thus, calendar year reporting companies should transition in 2014. While some companies are deferring the transition to the following year, most companies are proceeding with their transition process. Those companies that decide to defer must consider how they will disclose their use of the 1992 framework; these companies run the risk of possibly receiving a comment letter from the SEC staff.

A recent issue of Board Perspectives: Risk Oversight gives six good reasons why directors should care about COSO’s updated framework.

Internal controls have always been important to the success of any company, as they provide reasonable assurance that risks to the achievement of objectives are reduced to an acceptable level. That is why they are important to the governance process.

You’ll find the newsletter and Protiviti’s The Updated COSO Internal Control Framework: Frequently Asked Questions on our website. I encourage you to subscribe to Board Perspectives: Risk Oversight, register for upcoming webinars of interest and share your thoughts in this forum.

Note that the Board Perspectives: Risk Oversight article is also available on my blog for the National Association of Corporate Directors:

Developing an Effective, Scalable Third-Party Anti-Corruption Program


by Scott Moritz and Scott Wisniewski

Scott Moritz and Scott Wisniewski are Managing Directors with Protiviti. Moritz leads the firm’s Investigations and Fraud Risk Management practice, while Wisniewski is the head of Protiviti’s Risk Technologies group.

Honesty and trust aren’t what we want to be thinking about when it comes to the global partner ecosystems we are building out today. We’d rather be thinking about economies of scale, increased efficiency and agility, and a time to value that blows away the competition. Unfortunately, third parties represent a major and constant risk, and are the source of the majority of violations of the U.S. Foreign Corrupt Practices Act, the U.K. Bribery Act and other international anti-corruption laws. Because of this, an effective third-party anti-corruption program is now an essential component of the overall anti-corruption program at many companies. An effective third-party anti-corruption program helps you to understand the risk that each third party represents, identify potential bad actors, and apply a heightened standard of care to those organizations, or even terminate the business relationship.

A successful program is all about designing sustainable, consistent global processes based on an understanding of which parties should be included in the program; applying a risk-scoring methodology to group the parties into high-, medium- and low-risk categories; and applying standard due diligence processes to all parties and enhanced due diligence processes to those that fall into the high-risk group.

Implementing a successful program also requires a global technology platform that centralizes – and can scale – all third-party anti-corruption activities across the global ecosystem. This is why Protiviti has just released the Governance Portal for Third-Party Anti-Corruption v4.1, a new Protiviti Governance Portal solution that makes it simpler, faster and easier to reduce risk and ensure compliance on a global scale. From creating a centralized repository for all program data and activity, to creating the required scorecards for vendors and partners, to managing workflow and maintaining an audit trail of activities, the Governance Portal for Third-Party Anti-Corruption enables key stakeholders to identify third parties with heightened risk and track investigations and resolutions – regardless of where the stakeholders or third parties are located.

By centralizing the third-party anti-corruption program and managing the processes more effectively, companies can more confidently focus on the business benefits of their ecosystems. For more information about third-party anti-corruption programs, check out “Are Third Party Vendors Putting Your Company at Risk?”, a July 15, 2014, webinar featuring Chris McClean, principal analyst and research director with Forrester Research, Inc. The webinar provides a detailed account of how to effectively apply best practices to identify potentially problematic commercial partners and the importance of an enabling technology platform.

Into the Breach: Is Your Retail Data Vulnerable?


by Ryan Rubin
Managing Director – Leader, Identity & Access Management Services


The fallout from recent headline-grabbing data breaches has entered a critical phase. Retailers face hundreds of lawsuits, according to stories appearing in the Los Angeles Times and Lawyers and Settlements. Executives at some retailers hit by cybercrime have been called before congressional committees of the U.S. government to discuss the breaches.

Protiviti has made the issue of retail data security a high priority, not only in the United States but also in the United Kingdom (where I reside) and worldwide. Our security experts in the field continue to see malware targeted at the retail sector, and point-of-sale systems in particular.

You’ll find a wealth of information on the topic of retail data security on our website. For discussion purposes, let’s start with the four basic questions every director of a retail organization should ask:

  • Have we already been breached?
  • Would the information technology department know?
  • If we have not been breached, do we know that our systems can stand up to a targeted cyberattack?
  • Are we ready to respond?

The answers to these questions, and others, are the subject of our recent Protiviti point-of-view paper entitled “High-Value Targets – Retailers Under Fire,” in which we lay out a macro approach for reducing the risk of cyberattack and recommend asking these additional questions:

  • Do our contracts with strategic partners include the right to a forensic review of their systems and system logs?
  • Do we segment partner systems that don’t require access to cardholder data from the cardholder data environment?
  • Do our security professionals focus on the highest-impact controls?
  • Do we acknowledge that a breach is inevitable and ask if the cost of detailed logging outweighs that of a long investigation?

I know I’m posing a lot of questions here, but as directors and managers, you are in the question-asking business. To that end, I’ll leave you with one final list of questions, composed by my colleagues Jeffrey Sanchez and Scott Laliberte, both managing directors here at Protiviti. Answering these questions will help you devise a ground-level approach to cyber risk management as introduced in their recent webinar, “Prevention of Data Breach in the Retail Industry.”

  • Do we have controls at each phase of the “breach kill chain,” that is, when the malware is trying to get into our system, for example, or trying to sneak our data out?
  • Have we installed password management software?
  • Do we have secure remote access and administration of our systems?
  • Do we run updated point-of-sale software apps—even though it’s a challenge to push new technology out to thousands of stores?
  • Do we use hardware-based, point-to-point encryption?
  • Are our payment applications PA-DSS-compliant and installed properly?
  • Do we use the latest version of our operating system?
  • Do we use application whitelisting to prevent unknown executables (the “.exe” files that are commonly used to download and install software and patches) from executing, and have we worked around the administrative issues that whitelisting can cause?
  • Have we ensured that only preauthorized ports, services and IP addresses are communicating with our network?
  • Do we know who has privileged access to our environment and are we in control of monitoring such users?
  • Have we created strict access control lists that segment public-facing systems and back-end database systems that house payment card data?
  • Have we implemented tools to detect anomalous network traffic and anomalous behavior by legitimate users?

The market is learning that the cost of the exposure of private customer or consumer information can be crippling; for a large organization, it can reach hundreds of millions of dollars.

Is your organization doing everything it can to prevent data breaches? Do you have any best practices you’d like to share in the comment section below?

On a final note, Protiviti is exhibiting at the Black Hat Conference in Las Vegas, August 2-7, where I’m looking forward to meeting colleagues and organizations engaged in improving security and privacy measures. We’re in Booth 1064. If you plan to be at the event, please stop by!

Some Interesting News from Australia – New Rules Boost Internal Assurance for ASX-Listed Companies

By Mark Harrison
Managing Director, Protiviti Australia


Editor’s note: This post was published originally on Work Life, a website and blog from Robert Half Australia. We thought this news about new internal audit requirements for publicly listed companies in Australia would resonate with companies in other countries, including the United States. (The NYSE has a similar requirement for its listed companies.)

Stronger Corporate Governance
From July 1, 2014, listed entities will disclose if they have an internal audit function, how it is structured and what role it performs, as per Recommendation 7.3 of the 3rd edition of the ASX Corporate Governance Principles and Recommendations.

The Recommendation further states that if the entity does not have an internal audit function, it should disclose that fact and the alternative processes employed for evaluating and continually improving the effectiveness of its risk management and internal control processes.

These new disclosures will deliver a long-overdue boost to the governance standards of approximately 1,800 Australian companies who have yet to embrace the assurance that internal audit provides.

The New York, UK, Hong Kong, Singapore and Malaysian stock exchanges have for many years either obliged listed companies to have an internal audit function or required a relevant disclosure in their annual report. Market regulators insist on this for the simple reason that internal audit enhances shareholder protections and is a fair quid pro quo for the privilege of raising capital from the public.

Internal Audit Is an Indicator of Corporate Health
Many institutional and other sophisticated investors view the existence of an internal audit function as an indicator of the health and stability of the company.

Why? Because internal auditing is an essential element of good corporate governance. It’s an independent assurance process that helps companies improve their operations by ensuring there are effective risk management and controls in place to identify and mitigate problems before they escalate and to take advantage of new opportunities. Companies that disclose a solid internal audit function will therefore inspire greater market confidence and enhance their attractiveness to investors.

Most well-resourced companies at the ‘big end of town’ already have an internal audit function because quite apart from being good for governance, it adds value to the business. However, for the remaining 1,800 or so companies below the ASX 300, internal audit is still practically non-existent.

Implementing an Internal Audit Function
In many cases, it would not be cost-effective for a smaller company to establish a dedicated internal audit function. Fortunately, other competitive options are available.

Smaller companies could embrace a shared service model where two or three companies split the cost of an internal auditor, an approach which is common in the government sector. Another option is to outsource to an internal audit consulting firm.

Importantly, to safeguard the quality and integrity of its internal audit reviews, companies engaging an internal audit service provider should always insist their internal auditor apply The Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of Internal Auditing. These are the only globally accepted standards for internal audit work and represent professional best practices.

Companies should be wary of service providers who use accounting standards or their own internal manuals to perform internal audit work. These references are simply not appropriate for internal audits and risk compromising the quality of the audit.

Applying the IIA’s internal audit standards guarantees that the work will be robust and that company directors and executives will receive reliable and objective information to improve their business processes.

Stand Out From the Crowd
There are many benefits in adopting an internal audit function and in making a quality internal audit disclosure. For smart operators in the small-to-medium company sector this is an excellent opportunity to positively differentiate themselves and to make an impression on investors seeking a more stable, sustainable investment.

Reflecting on the Fourth Anniversary of the Dodd-Frank Act

Carol M. Beaumier, Executive Vice President, Protiviti


Protiviti’s quarterly financial services industry newsletter, FS Insights, has tracked the progress and reflected on the merits of the Dodd-Frank Act since its passage four years ago. After four years, we remain left with more questions than answers. Nearly half of the required rules still are not final. Debate continues about the impact of the law.

In our latest issue, we look at notable regulatory developments, such as the Federal Reserve’s approval of a final rule implementing the enhanced prudential supervision standards of the Dodd-Frank Act and the Office of the Comptroller of the Currency’s proposed guidelines for heightened governance standards for banks with assets greater than $50 billion. We posit whether the regulators might have been able to effect significant change without Dodd-Frank, since most would agree that financial institutions with strong risk management, adequate capital and sufficient liquidity are not likely to fail.

You’ll find the newsletter and the Protiviti Dodd-Frank diagnostic tool on our website. This complimentary online tool helps banking, broker-dealer and mortgage companies to identify quickly the parts of the Dodd-Frank Act that are most relevant to their business. I encourage you to subscribe to the newsletter, check out our diagnostic tool, and provide any comments or responses here.


IT Risks Are Prevalent – Do You Have Enough IT Audit Coverage?

By David Brand
Managing Director – Leader, IT Audit Practice



IT risk is everyone’s problem. By “everyone,” we mean the board of directors, senior management, process owners and internal auditors. Internal audit departments play a critical role in ensuring that mitigating processes and procedures are in place and working effectively to manage the organization’s risks. An alarming number of organizations, however, are not maximizing the input internal audit can have in helping to manage their IT risks. This neglect results in incidents that embarrass the top of the organization, the CIO organization and the owners of the affected processes.

With the rapid evolution and propagation of social media, cloud and mobile technologies, IT departments are often stretched to their limits. Under pressure to implement, it’s easy to miss vulnerabilities and potential security breaches.

Examples – such as the website launch debacle and any number of corporate mea culpas regarding security breaches exposing customer financial data – illustrate vividly how quickly a glitch or vulnerability can escalate from an IT problem to a critical business problem and a huge reputational risk.

When it comes to IT audit programs and practices, our annual IT Audit Benchmarking Survey consistently reveals that organizations leave themselves significant room for improvement. Too many fail to plan and institute the IT audit coverage necessary to ensure an available, secure and efficient IT environment.

Furthermore, some organizations don’t house their IT audit resources in their internal audit departments, and others lack such resources entirely. We have found that just 1 in 4 companies have an IT audit director or someone in an equivalent role focused on technology risks.

I could say a lot on this topic, but our benchmarking survey provides a much more thorough and detailed analysis. I encourage you to read it. For now, let me close with five key questions that every CEO and audit committee member should be asking about their organization’s IT audit capabilities:

  1. Is our internal audit function performing an effective IT risk assessment at least once a year, and are people who are knowledgeable of infrastructure, applications and IT involved in the process?
  2. Has our internal audit team reviewed the COSO (2013 update) and COBIT 5 frameworks, and are our audit plans based on those recognized policies and practices?
  3. Does our IT audit team have a clear understanding of our organization’s short- and long-term IT objectives?
  4. How do we quantify our IT risks? What industry benchmarks and best practices are used?
  5. Does our IT audit risk assessment process coordinate with other risk assessment areas, including financial, operational and compliance?

As with any growing or rapidly changing risk, it is important for organizations to stay ahead of the risk management curve – and make this a sustainable effort.

For more about Protiviti’s IT Audit Benchmarking Survey, watch our video. I also invite you to see how you rate in auditing your IT risks at