Top Risks in 2015: Webinar Takeaways with Mark S. Beasley

Given the critical importance of auditing the right risks, I’ve spent considerable time analyzing the results of the annual 2015 Executive Perspectives on Top Risks, conducted by Protiviti and the North Carolina State University’s ERM Initiative, and I continue to refer to it often to this day. Having already covered the release of the report itself and the key findings, today I’m going to touch on the significant shifts we’re seeing year over year.

Analyzing the trends behind shifting priorities isn’t easy, but one trend calling for attention is this: Creating an organizational culture capable of effectively responding to the escalating speed of change and risk is key.

That’s the conclusion I reached with my good friend, Dr. Mark S. Beasley, Director of the North Carolina State University ERM Initiative. In a recent webinar I hosted with Mark, we reviewed the risks, noting that the familiar ones maintained their positions at or near the top of the list. For example, the impact of regulatory changes and heightened regulatory scrutiny has been the top risk annually since the study’s inception in 2013, and was number 1 again this year. We believe that’s a direct reflection of management concern that even marginally incremental regulatory change can add tremendous cost to a corporation – and the mere threat of regulatory change can create uncertainty in hiring and investment decisions.

Similarly, economic conditions – worries about oil price volatility, the effect of economic sanctions against Russia and other geopolitical matters, and currency issues – rated highly again: number 2 this year, even if their scores were lower than last year.

Most striking, however, are the risks that moved dramatically up the list as well as those that showed the greatest increase in their significance. In nearly every case, these risks, directly or indirectly, are tied to technology and disruptive innovations.

Concern that organizations may not be sufficiently prepared to manage cyberthreats jumped from number 6 to number 3 – a growing indication that management now views such incidents as a matter of when, not if.

The following are the top 5 increasing risks (based on an increased risk rating in 2015 versus 2014, as determined through our analysis of the survey results):

  • Insufficient preparation to manage an unexpected crisis significantly impacting an organization’s reputation.
  • Inability to utilize data analytics and big data to achieve market intelligence and increase productivity and efficiency, significantly affecting an organization’s management of core operations and strategic plan.
  • Insufficient preparation to manage cyberthreats that have the potential to significantly disrupt core operations and/or damage an organization’s brand.
  • Inability to meet performance expectations related to quality, time to market, cost and innovation as well as an organization’s competitors.
  • The rapid speed of disruptive innovations and/or new technologies within the industry may outpace an organization’s ability to compete and/or manage the risk appropriately, without making significant changes to its operating model.

It is interesting that three of the fastest increasing risks deal with operational issues – and technology is emerging as a core theme, which we will continue to watch closely.

Indeed, even concerns about sustaining customer loyalty and retention – a new risk introduced in the survey this year debuting at number 9 – can be linked to technology and its impact. My takeaway on this particular risk is that the rapid pace of change and disruptive innovations are leading to drastic changes in customer preferences as more choices and transparency emerge in the marketplace. These innovations are making it more challenging to retain customers in an environment of slower growth.

Which leads us back to the most critical issue that must be addressed – I suggest heeding Dr. Beasley’s warning:

“Ultimately, culture is king,” he said. “We need to be adjusting business models in this rapidly changing environment. … Our reluctance to embrace change could really put us at a disadvantage.”


Training Is Key to Maximizing SharePoint Investment

By Mike Steadman
Managing Director, Leader of Protiviti’s SharePoint practice

If you are one of the more than 100 million customers who have purchased or licensed Microsoft SharePoint, you’ve probably adopted the platform to improve a spectrum of operations, ranging from optimizing business processes to enhancing efficiency to having better access to analytics within your organization.

Are you maximizing your investment?

According to a recent Association for Information and Image Management (AIIM) survey, nearly 50 percent of responding organizations reported that “lack of expertise” was the No. 1 issue limiting the organization from maximizing SharePoint’s usefulness. Furthermore, only 28 percent were using SharePoint across their entire workforce.

The disconnect between software purchase and user adoption is not only wasting the millions of dollars spent on acquisition, it is also preventing the realization of benefits, such as the additional revenue and savings that companies signed up for when they made a decision to invest in SharePoint.

One of the most common problems undermining SharePoint maximization is that organizations often task their overworked IT department with the responsibility for training users. That’s a daunting proposition for IT, which juggles a variety of business-critical initiatives on a daily basis. With IT departments busy implementing new technology almost continuously, user training frequently gets short shrift.

The largest companies are beginning to see the problem. According to the results from Protiviti’s 2015 IT Priorities Survey, large company respondents have elevated “end user adoption of data tools” to a significant priority. In 2014, user adoption rated only moderate attention.

Typically, stakeholders involved in SharePoint implementation invest significant effort evaluating their options, selecting the software and partnering with the vendor to implement the solution. Often, however, once the “go-live” event is completed, they return to their previous duties. Meanwhile, end users are whisked onto a new platform, often with minimal training, even though they haven’t been engaged in the implementation and may not have even received an explanation for the change. Is it a surprise that they may not be hitting the ground running and fulfilling the efficiency promises of SharePoint?

That’s why it is imperative for individual business units to partner with IT and take the lead for adoption by clarifying and personalizing the benefits that can be achieved.

An overall strategy must be established up-front to address the big picture of the implementation: determining needs, setting objectives and understanding the audience for proper training. The latter includes taking into account factors such as demographics and preferred learning methods of different user groups. For example, classroom-based training may be best for baby boomers whereas online learning modules are better suited to engage Gen Y-ers.

The following are critical steps for establishing sustainable user adoption, taken from the white paper Keys to Sustainable User Adoption of SharePoint:

  • Generate awareness: The executive staff needs to engage end users early and actively by promoting specific benefits of adoption. The goal should be to proactively answer the question: “What’s in it for me?”
  • Assess capability: It is common for end users to exhibit a wide disparity in capability. Creating a simple survey that establishes a baseline of knowledge will help identify initial training priorities. The survey also can help the executive team identify and recruit potential leaders among the end users to serve as peer mentors.
  • Establish learning objectives: The assessment also should be used to develop specific learning objectives for the training process. The objectives should be practical and measurable. If the training focus is on using a key SharePoint functionality, end users need to demonstrate the ability – for example, upload and download documents, apply metadata to documents and create search queries.
  • Use curriculum-based training: In addition to demonstrating software functionality, end users need specific training in areas that will be most applicable to their roles and responsibilities. This is best done in a lab environment with active instruction and support to help end users obtain hands-on experience.
  • Use environment-based training: Similar to curriculum-based training, this approach introduces end users to best practices within the organization and can also familiarize them with governance strategy. Once this step is completed, the executive team can expect accountability from individuals and departments on the effective use of SharePoint.

Last but not least, it’s important to establish a budget for training – and to do so in the context of the projected financial benefits that will be achieved through high levels of adoption. A rule of thumb is to invest half of the expected benefits value (e.g., 20 percent process efficiency) over one year, aiming for a 6-month ROI. By making such a commitment to training, the organization stands to achieve greater adoption and a greater ROI both in the short and long term.

More on Cybersecurity – President Obama Issues Executive Order to Sanction Cyberattackers

As a follow-up to our recent posts related to cybersecurity and cyberthreats, President Obama issued an Executive Order this week authorizing sanctions against cyberattackers operating outside the United States. You can read the Executive Order here. Reuters also published an informative overview of the Executive Order.

As noted in Reuters’ article and other sources, the Executive Order has received some positive response, but concerns have been raised as well. How exactly will a cyberattack be attributed with certainty to an individual or group? How will the administration handle cyberattackers who are deemed to be state-sponsored, particularly by nations with which the United States conducts trade? Will such sanctions be effective against faceless perpetrators who operate independently (i.e., without state sponsorship)?

We will continue to monitor these issues and comment periodically here and in other forums.


Effective Date of Revenue Recognition Standard to be Deferred

Yesterday, the Financial Accounting Standards Board (FASB) voted to defer, by one year, the effective date of the board’s new revenue recognition standard. Issued almost a year ago, this new guidance resulted from a collaborative effort by the FASB and International Accounting Standards Board (IASB) to agree on a global standard based on common principles that can be applied across industries and regions. The FASB voted for a one-year deferral of the effective date of the new standard and will issue an exposure draft proposing the deferral, with a 30-day comment period.

With respect to public companies: In the original release, the new standard is expected to be effective for fiscal years, including interim periods within those years, beginning after December 15, 2016. The proposal would now require application of the new standard no later than annual reporting periods beginning after December 15, 2017, including interim reporting periods therein. For example, a calendar year reporting company would now be required to apply the new standard during 2018, including the interim periods therein.

For nonpublic entities: The standard, as originally issued, is expected to be effective for fiscal years beginning after December 15, 2017, and interim periods thereafter. The proposal would now require application of the new standard no later than annual reporting periods beginning after December 15, 2018, including interim reporting periods therein. For example, a calendar year reporting company would be required to apply the new standard during 2019, including the interim periods therein.

Under the proposal, public entities would be permitted to elect to early adopt the new standard as of the original effective date, as described above – in effect, a year earlier than the proposed new effective date. In addition, a nonpublic entity may elect to apply the amendments as of the original effective date for public companies. The originally proposed new standard did not allow early adoption.

The FASB’s proposal is based on its outreach to various stakeholders. The board determined that a deferral is necessary to provide companies adequate time to effectively implement the new standard. Interestingly, the IASB (which also issued this standard) has not provided a specific timeline to make a decision regarding a potential delay in its original effective date, although at least one of its board members has referred to such a delay as “inevitable.”

What does the deferral mean?

This deferral is not a surprise. Not only was it expected, but it has been an assumption baked into the planning and implementation practices among many companies that have started the transition to the new standard in earnest. In effect, a one-year delay still means “full steam ahead” for public companies, especially for those who may not have begun working on the transition process.

A quarter of the current year is now spent, and by the time the exposure draft and comment period are done, it could be half the year. Thus, the only delay is in the effective date of the standard; there should be no delay in management’s efforts to position the organization in a prudent state of readiness.

The introduction of the “early adoption” option presents an opportunity for those who have started, were focused on the new standard and now are, or will be, ready to adopt early. Also, it presents yet another choice (whether to early adopt) to the list of decisions for companies, which already includes deciding whether to adopt prospectively or retrospectively. This added choice is one with which the audit committee and the external auditor will want to be involved. In addition, analysts, regulators, lenders and other stakeholders may have an interest in the organization’s decision. The possibility of early adoption by some, but not all, also allows those who might be more cautious to learn from the triumphs and mistakes of the early adopters.

Whatever management’s take on the available options, the pressure remains on the immediate need for companies to perform diagnostic work to demystify the impact on their financial reporting. Otherwise, absent a determination of the impact of the applicability of this new standard, they risk overestimating either the simplicity or the complexity, and run the risk of doing too little, too late, or too much, too soon.

One other point: Now that early adoption will be available for those who have already moved forward with the transition under the original timeline, it will be interesting to see how companies respond when their peers early adopt.


IT Controls for Tech Startups? Yes, It’s Possible.

By Steve Hobbs, Managing Director
Leader of Protiviti’s Public Company Readiness Practice

For cutting-edge tech companies focused on not just staying ahead of but shaping the technological curve, compliance issues are hardly a top priority. In fact, it is common for these companies to treat the subject with disdain, and view it as running counter to a tech startup’s innovative, entrepreneurial and fast-paced culture.

Placing compliance on the back burner, however, can be costly, especially as a company grows its customer base or considers an initial public offering (IPO). A lack of IT controls not only could disrupt filing deadlines and cause headaches at audit time, but it can also turn away cloud providers’ customers who themselves have to prove the presence of controls to their auditors.

Consider this:

  • Public companies are required to establish effective IT general control (ITGC) frameworks to comply with the Sarbanes-Oxley Act. This includes areas such as change management, data quality/governance and disaster recovery.
  • Cloud and other service providers increasingly are being asked to provide Statement on Controls (SOC) reports for the IT general control frameworks associated with their customer-facing systems environments.
  • The Public Company Accounting Oversight Board (PCAOB) and the new COSO framework have introduced requirements for financial controls assessment and increased scrutiny of ITGC frameworks and IT risk management.

In the face of these demands, what is a tech startup to do? Many find themselves halting development activities and backtracking to provide adequate evidence of approvals and other controls to audit teams. This is a time-consuming and disruptive process that can cause frustration and, in the end, may still fail to satisfy external auditors and customers.

A better approach is to move away from traditional control checklists and templates to a more flexible ITGC framework compatible with innovative software development practices. By matching the controls environment to their non-traditional business practices instead of vice versa, tech companies can strengthen controls and achieve compliance objectives without compromising flexibility, speed, drive and ingenuity.

Two strategies towards building this new framework are process rationalization and agile activity alignment.

  • Process rationalization: Companies can reduce process redundancy (rationalize processes) by aggregating similar but unconnected processes used by different teams under common control activities, which leads to more centralized controls and reduced time in applying them. This is especially true in areas such as software development and access management.
  • Agile activity alignment: In agile software development, approvals could be shifted to the end of each development iteration rather than at every sequential development phase. This ensures control while cutting down on administrative effort that doesn’t contribute to the production of quality software.

Is your company feeling the pressure to put better ITGC controls in place? Asking the following questions should help you get started:

  • What systems and processes are in scope for the purpose of your compliance audits (SOX or SOC)?
  • What areas are in need of additional controls?
  • What existing activities can be used to mitigate key risks?
  • What alternative approaches can be used to mitigate key risks?
  • What is the future-state vision for your controls framework (generating a backlog of improvements, leveraging automated activities, etc.)?

Customers demand speed, agility and assurance, and regulators demand formalized controls. Emerging tech firms can meet these demands without hampering their speed and innovation using out-of-the-box thinking and the approach we outlined here.

What control challenges does your tech company face? Let us know in the comments.

COSO 2013 Framework Adoption – Strong So Far …

Implementing the updated Committee of Sponsoring Organizations (COSO) Internal Control – Integrated Framework (Framework) during 2014 was an important endeavor for many public companies in their efforts to comply with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX). As background, the Securities and Exchange Commission (SEC) requires companies to use a “suitable framework” as a basis for evaluating the effectiveness of internal control over financial reporting (ICFR), as required by Section 404. The COSO Framework meets the SEC’s criteria for suitability.

COSO has indicated that it no longer supports the original version of the Framework released in 1992 and considers it to be superseded for years ended after December 15, 2014, by the updated version of the Framework completed in 2013. Accordingly, it is just a matter of time before all companies use the revised Framework in conjunction with their annual evaluations of ICFR.

A strong majority of organizations have adopted the revised framework “on time,” with a handful of early adopters leading the way. For almost 1,900 annual reports with fiscal year ends after December 15, 2014 (the date COSO announced its cessation of support of the original 1992 Framework), filed through March 4, 2015,[1] 80 percent had transitioned to COSO 2013. Of the remaining 20 percent:

  • 75 percent (or 15 percent of the total filings) reported their continued use of the 1992 Framework.
  • 25 percent (or 5 percent of the total filings) did not identify the version of the Framework they used.

It is possible that some of these latter filers may have transitioned to the 2013 Framework and did not disclose they had done so because the transition period had run its course and, therefore, the parenthetical disclosure in the internal control report was considered by these filers to be unnecessary. That said, if any of these filers continued to use the 1992 Framework, their lack of disclosure in their internal control report could pose a concern for the SEC staff. Bottom line, any way the data is cut, we can report that a strong majority of filers have transitioned to the 2013 Framework. As we will report in April in an issue of The Bulletin, for most of these companies the level of effort in consummating the transition was manageable.

The implications of the “on time” transition rate for companies that still must complete their transition are clear. They need to get on with it. We are confident that the strong majority of companies that have transitioned successfully, and their experience in consummating the transition process, will ensure that the SEC staff will not provide a “free pass” for year ends after December 15, 2015, except perhaps in the most extreme circumstances.

[1] As reported by Audit Analytics® through its internal controls management report and audit report database, available by subscription (

New Protiviti Study – Assessing the Top IT Priorities for 2015

Protiviti has released another major research report today – this one details the findings from our annual IT Priorities Survey of CIOs and IT executives and professionals.

We’ll be exploring some of the key themes that came out of this study, including cybersecurity concerns, in the weeks ahead. For now, I invite you to view our video and infographic here. Please visit our survey landing page for more information and a downloadable copy of our report: