PreView Evaluates Emerging Risks

Data breach vulnerabilities. Social media issues. On-demand service challenges.

These dynamic and challenging trends are the topic of the latest issue of PreView, Protiviti’s emerging risks newsletter. The latest issue scans the landscape of the increasingly data-rich and hacker-vulnerable online economy and spotlights the challenges and opportunities posed by this increased data availability; it also casts a look at the benefits and pitfalls of social media in the business environment, the accelerating impact of technology in fulfilling consumer needs in parallel with the generational shift of millennials toward collaborative and on-demand commerce providers, and more.

Please download and read the full newsletter at your leisure. Here are the highlights:

Data Breaches: Hundreds of millions – that’s the typical volume of records exposed when industry-leading companies and household brands get hacked, as they did at alarmingly regular intervals during 2013 and 2014. In fact, in 2014, data breach activity reached a record high, resulting in more than 1 billion compromised records and underscoring the heightened capabilities of hackers to obtain sensitive information.

The greater occurrence and visibility of such incidents are leading to interesting developments. Among them:

  • A growing interest in cyber liability insurance, to mitigate the risk of a potential large-scale breach. In 2014, spending on cyber insurance nearly doubled from 2013 – to roughly US$2 billion.
  • Increased regulatory attention and oversight, including penalties designed to ensure sound cyber risk management practices. The Securities and Exchange Commission, for example, is considering measures to compel organizations to disclose expanded information about cybersecurity vulnerabilities in their financial statements.
  • Rising attacks on healthcare organizations due to the high desirability of patient medical records among cybercriminals. Health records, which can be exploited for identity theft, false insurance claims and drug prescriptions, fetched 20 times more on the black market than the traditional object of cybertheft, credit card numbers.

Social Media Interactions with Consumers: As social media becomes omnipresent, companies need to be especially focused on how they use this channel to interact with consumers. Failure to manage customer expectations can unleash waves of complaints and go viral in a matter of hours. Consumer expectations are changing as a result of social media as well, with 42 percent of consumers now expecting a response and issue resolution to happen within an hour, including on weekends.

In addition, 50 percent of journalists now state they use social media accounts as their main source of information. This means that social media-enabled public conversation between companies and their customers can spill easily into major news cycles causing a potential reputational crisis – all this underscoring the importance of carefully managing this public relations channel.

Crowdfunding: Crowdfunding took root during the 2008 recession as a nontraditional way of seeking funds for a project or venture – typically by raising small amounts of money from a large number of people through the Internet. For a number of reasons, among them shifting generational attitudes in favor of collaborative business models, crowdfunding has continued to gain acceptance, and is attracting the attention of supervisory bodies seeking to regulate this type of funding, and of financial institutions, which view it as a new competitive threat. Crowdfunding offers both a great opportunity to streamline the funding process for entrepreneurs and investors by eliminating the intermediary, and an increased risk of uncertainty for both parties – something regulators are beginning to look into and design measures to address.

On-Demand Services: Uber has revolutionized transportation in cities by providing cheaper alternatives to cabs via mobile technology. Airbnb, with over 800,000 listings across nearly 200 countries, is among the largest hoteliers in the world – and it was founded just seven years ago. Such on-demand service companies – capitalizing on technology and evolving consumer preferences – are creating new risks for users and competitors, and facing challenges themselves.

One such challenge is these providers’ reliance on mobile platforms, making them vulnerable to data glitches, service failures and information security breaches that pose risks to providers and users alike.

For traditional companies, on-demand spells a need to adjust their business models to meet new consumer demands – or risk losing market share. However, those that incorporate on-demand services in their business models are not assured of risk avoidance: regulatory, operational and reputational risks all can rise, and need to be watched and managed correctly.

These are just a few of the highlights in our latest issue of PreView; click here to access the full newsletter and let me know your thoughts in the comments section.


3 “Musts” for Rapidly Growing Companies – A Conversation with Lumosity and Oracle

Steve HobbsBy Steve Hobbs, Managing Director
Protiviti’s Public Company Transformation practice



Earlier this month, I had the pleasure of sitting down with the Tyler Chapman, Director of Finance at Lumosity and Jeff Henley, Oracle’s Executive Vice Chairman, to discuss the challenges that rapidly growing companies face, and what these companies, such as Lumosity, can do to handle these challenges successfully. Our entire conversation will be available as a webinar in the fall. For now, I’d like to share with you the top 3 takeaways from our discussion:

  1. Address the finance function. When a company is experiencing fast growth, as Lumosity has in recent years, it’s pretty common for the supporting functions, such as finance, to lag behind the rest of the business. To properly address this challenge, leadership must answer these questions:
    • When do we start dedicating resources and funds to building out the finance function?
    • How do we efficiently build out the finance function so that it is effective in supporting the business now and has the ability to scale with the business in the future?
  2. Implement an effective technology solution. Companies must choose an enterprise resource planning (ERP) platform and other technology applications that will be able to scale with the growth of the business and be able to handle complex challenges. This technology must be able to work with existing systems for a streamlined approach.
  3. Prioritize and plan. There are many “make-or-break” decisions to be made throughout the growth process. It is important to logically prioritize foreseeable challenges and have a plan to address each one.

This is only a glimpse of the expertise shared in our discussion. To hear more from these experts, look for our invitation in your email, subscribe to our IPO Insider newsletter for the webinar update, or email us and ask to be placed on an email list for the webinar notice.

The Renaissance of the Chief Compliance Officer: An Artist and a Scientist

Carol BeaumierBy Carol Beaumier, Executive Vice President and Managing Director
Protiviti’s Regulatory Compliance Practice



The Renaissance man, in the traditional sense, was adept in many different fields. Think Leonardo Da Vinci – a painter, sculptor, architect, scientist, musician, mathematician, engineer, inventor and anatomist. Fast forward to today’s financial services world, and the Renaissance man is enjoying a rebirth in an unlikely place – the risk and compliance industry. It is not every day that compliance managers are compared to Renaissance men, but if you read Protiviti’s newest publication, The Art & Science of Compliance, you will understand why today’s chief compliance officer (CCO) is to be perceived as exactly that.

For one, the modern CCO needs to be a highly learned and skilled performer – an artist and a scientist – who interprets and is able to understand and comply with myriad technical requirements of laws and regulations – the science of compliance. This artist also needs to be a visionary, peering forward into risks that haven’t yet fully emerged, and engaging in a top-level discourse with the board and management to help steer the organization in the right direction.

Long gone are the days when CCOs were primarily responsible for writing compliance policies and procedures. The role of the compliance officer is expanding rapidly, and this has broadened the range of skills required to become an effective head of compliance. Robust risk management capabilities and technological know-how are essential skills,  but the modern CCO also needs to be proficient at developing and maintaining strong relationships with internal and external stakeholders – relationships as vital as those between Renaissance artists and their sponsors. No compliance officer can practice his or her art successfully without this support.

I highly recommend you read the publication for yourself, but here are the trends surrounding the role of the new, “Renaissance CCO” I find the most interesting:

  • Increased oversight with more than a hint of acumen
    • Compliance requirements and supervisory scrutiny have surged, especially in the area of consumer protection. Compliance officers are increasingly being asked to look beyond technical compliance with new rules to address more broadly whether acts or practices are unfair, deceptive or abusive.
    • Compliance officers are also expected to be aware of Bring Your Own Device (BYOD) policies and employees’ use of social media and keep an eye on the new privacy and consumer protection risks that stem from these activities.
  • Technological involvement and know-how
    • The many recent regulatory changes are placing a burden on legacy systems and necessitating technological upgrades. As a result, compliance officers are increasingly involved in the technology change process to ensure that all legal and regulatory risks are addressed.
  • A seat at the leadership table
    • Regulators are demanding that compliance be managed as part of an integrated risk management framework – independent of the business and with clear access to senior management and the board of directors. This requires compliance officers to embrace a more visible and vocal role at the top of the organization.
  • Doing a lot more with less
    • Compliance officers are expected to cover a much broader set of compliance requirements than before with the same, or fewer, technological and personnel resources. CCOs with the skills and competence to handle this mounting pressure are in short supply, and firms are competing heavily for talented individuals to join their compliance functions.

Ultimately, the CCO’s job has become that of a compliance spokesperson and critical decision-maker who occupies an important seat at the leadership table. Getting that seat requires modern CCOs to become true, versatile, resourceful and outspoken masters in the art and the science of 21st century compliance.

I am interested in your thoughts on this topic. You can access the Art & Science of Compliance Spring issue here. While there, I also recommend the in-depth discussion with Chetan Shah, a director in our Charlotte, NC office, on AML transaction monitoring – a necessary, but often ineffective, component of an AML compliance program, and the highlights section which in this issue sheds light on consolidated mortgage origination disclosures as well as debt collection.

Cybersecurity Capabilities: Jordan Reed Answers Questions from our Internal Audit Capabilities and Needs Survey Webinar in March

Jordan ReedJordan Reed, Managing Director
Internal Audit and Financial Advisory practice



More than 800 chief audit executives and audit professionals from around the world participated in Protiviti’s 2015 Internal Audit Capabilities and Needs Survey. Our subject-matter experts discussed the results in depth in a March 24th webinar, From Cybersecurity to Collaboration: Assessing the Top Priorities for Internal Audit Functions.

We received so many questions from webinar attendees that we were unable to address them all within the allotted time. A number of those questions centered on cybersecurity. Jordan Reed, a managing director in Protiviti’s Houston office, answers those questions here:

Q: Do you typically see cybersecurity risks discussed with audit committees, or would that be better situated at the board risk committee?

A: I see both, although more frequently at the board level. Some companies have risk committees that focus specifically on areas like technology and other emerging risks, and cybersecurity certainly fits within that scope. Others provide education, current events and hot topics for the full board, and cybersecurity almost always finds its way onto that agenda. If the board delegates its risk oversight responsibility to the audit committee, then that committee may oversee the management of cyber threats. To the extent cybersecurity has been included in an internal audit risk assessment or internal audit, the topic and results would obviously be discussed with the audit committee versus the entire board. Additionally, any security breach that required a public disclosure would certainly be discussed with the audit committee. So you can see, there is no one-size-fits-all approach.

Q: Can you provide more information about The IIA’s GAIT framework?

A: The best answer to this would come from The Institute of Internal Auditors’ website:

“The IIA’s General Assessment of IT Risk (GAIT) series describes the relationships among business risk, key controls within business processes, automated controls and other critical IT functionality, and key controls within IT general controls. Each practice guide in the series addresses a specific aspect of IT risk and control assessments.

The IIA classifies GAIT as recommended guidance under its international professional practices framework (IPPF). GAIT practice guides include:

  • The GAIT methodology: A risk-based approach to assessing the scope of IT general controls as part of management’s assessment of internal control required by Section 404 of the Sarbanes-Oxley Act.
  • GAIT for IT general control deficiency assessment: An approach for evaluating whether any ITGC deficiencies identified during Section 404 assessments represent material weaknesses or significant deficiencies.
  • GAIT for business and IT risk: Guidance for helping identify the IT controls that are critical to achieving business goals and objectives.”

Q: Does increasing board engagement with cybersecurity require a more technically astute appointee, similar to members with finance backgrounds, so the severity of threats can be better understood?

A: We are seeing a lot of organizations starting to move in that direction. As you might expect, this has been especially true for organizations with a greater concentration of “crown jewels,” such as personally identifiable information — financial services, retail and healthcare companies, for example.

Q: Should cybersecurity be addressed within the organization’s audit charter?

A: Yes, it is already covered in most of the charters I see, in the “Responsibility” section of the Internal Audit Activity Charter. I typically do not see cybersecurity specified at that granular of a level, but it is covered within the overall responsibilities of the internal audit function.

Please see Protiviti’s 2015 Internal Audit Capabilities and Needs Survey Report for additional insights on cybersecurity and other topics.

GRC Platforms: Harmonization or Hegemony?

Scott Wisniewski - Protiviti Chicago -hi res 2012By Scott Wisniewski, Managing Director
Leader, Protiviti’s Risk Technologies practice



Governance, risk and compliance (GRC) technology integrating multi-stakeholder requirements on a single platform is often held out as the holy grail of GRC – especially by GRC vendors. Nevertheless, we’re still seeing many companies combine ERP platforms, such as Microsoft SharePoint, with multiple GRC point solutions to effectively manage compliance.

The question is, should companies be investing in a single platform to develop a more aggregated picture, or are there more significant benefits to using multiple custom point solutions to support GRC efforts?

At the recent GAM conference in Las Vegas, one of the speakers mentioned that he uses a single GRC platform from a certain vendor to support multiple efforts. The speaker said the software required his company to harmonize processes, propounding this as a benefit and noting that many of the GRC platform providers advocate process harmonization in order to make best use of the platform.

But GRC is a big tent, and just because two different stakeholder groups within an organization are doing some type of GRC-related effort, that doesn’t mean the data set required for one group is going to be relevant to another.

Similarly, the frameworks and methodologies used to assess and evaluate assurance often vary, depending on the subject matter, and even localized factors, such as regulatory requirements of the countries the company operates in. Other factors that may prevent key stakeholders from collaborating on the same platform may include inability to sync across all groups or support the onboarding of new groups, additional software licensing required, project phasing, etc.

This begs the question: While convergence on a single platform sounds right, is it optimal in all cases, or may it be more advantageous to use the same platform when such synergies actually exist, while allowing different stakeholder teams to pursue solutions tailored to the unique GRC elements of their specific disciplines?

For single or synergistic department GRC efforts, implementation of point solutions – especially using SaaS deployment models – can often be more cost-effective and efficient than attempting to onboard all stakeholders on the same platform. For larger, multi-stakeholder deployments, market feedback suggests that the implementation cost for so-called off-the-shelf configurable GRC software is often comparable to the cost of developing custom applications that leverage existing technology platforms within the enterprise, such as SharePoint.

Which choice is better for your organization? That’s not for me to say. But here are some questions to help you decide for yourself:

  • Which of your GRC or assurance groups have the potential for synergy among them?
  • What elements of your framework are shared across multiple groups?
  • What is best for each stakeholder group?
  • What specific capabilities do you have and need? (Most GRC platforms provide good risk and control assessment functionality, but if you’re looking for a specific capability – regulatory insight, advanced analytics or eLearning – others might do better.)
  • In terms of timing, how well do the projects of different stakeholders sync with each other?
  • Does licensing new modules of the GRC platform already in-house approximate the cost of licensing another application?
  • Does the “configurable” GRC solution require significant technical competence to implement new features and support? If so, do you already have more technical competence on another platform that is a better fit with your overall enterprise IT architecture?

I’m not advocating here one solution over another. It’s a conversation for you and your GRC stakeholders. I’d love to read your thoughts on the matter.

Vendor Fraud — Scott Moritz Answers Your Questions

Scott Moritz - Protiviti NY 2013 (hi res)Scott Moritz, Managing Director
Leader, Protiviti’s Fraud Risk Management Practice



Our webinar series on internal investigations is generating lots of good questions from participants. The series kicked off in November 2014 with Internal Investigations for Non-Investigators, which offered a broad overview of the topic. The second webinar, Misplaced Trust: Investigating Vendor Fraud, was held in March 2015.

The series is co-presented by Scott Moritz, global lead of Protiviti’s Investigations & Fraud Risk Management practice, and Peter Grupe, a director in that group. Scott has 28 years of investigative experience, including nearly 10 years as an FBI special agent. Peter, a former assistant special agent in charge of the FBI’s white collar crime program in New York, has over 25 years of experience investigating financial crime.

In this blog entry, Scott answers some great caller questions that came up in the Vendor Fraud session.

Q: What is a best practice to validate new vendors?

A: Historically, companies collected information from vendors in order to set up payments. This basic data falls far short of what is required to make informed risk-based decisions — for regulatory compliance and fraud risk management, among other things.

Today, companies need to be able to readily segregate upstream suppliers from those empowered to act on the organization’s behalf (often referred to as “intermediaries”). If a company acts on your behalf, Protiviti recommends collecting richer data — including the names of executives, owners, and whether the company is public, private, or government-owned; how long the company has been in existence, revenue (if disclosed), and whether the client is the vendor’s largest customer.

Q: If you are performing a typical vendor audit (i.e., no initial suspicion of fraudulent activity), what are the best techniques to identify fraud, such as vendor kickbacks?

A: Just because you don’t suspect vendor fraud, doesn’t mean it’s not going on. Vendor fraud is the most common type of fraud and accounts for 18 percent of fraud losses — particularly at large organizations.

Top of mind:

  • Compare vendor master data with personnel data. Look for addresses in common. (Be mindful of privacy restrictions in certain jurisdictions such as the EU).
  • Vendors of almost any size will leave some sort of footprint in the public domain – social media presence, etc. You would expect any commercial entity to have some record of its existence in the public domain. Entities that exhibit little to no footprint warrant closer scrutiny.
  • It is also prudent to search global watch lists, such as by the Office of Foreign Assets Control (OFAC), which tracks international trade violators and sanctions; the U.S. General Services Administration’s (GSA) System for Award Management (SAM) list, which includes a list of companies that have either failed to perform or have committed fraud against the U.S. government and have been debarred; and the U.S. Department of Commerce Bureau of Industry and Security list, which includes companies that have violated U.S. boycott laws.
  • Look for red flags. Kickbacks are a type of fraud that may raise very specific red flags. Compare contracts for a vendor suspected of paying kickbacks to those of comparable vendors – is unit pricing or aggregate spend out of line? Did your investigation reveal that one or more employees are unusually close to someone at the suspect vendor?

Q: Can you give some examples of the types of background checks you perform on new or existing vendors?

A: First, let me distinguish between a background check and the watchlist matching process (sometimes referred to as “screening”) we were discussing earlier. Screening deals primarily with vendor-supplied information and comparing it to one or more lists of debarred parties. Background investigations use publicly available information, beyond the watch lists I’ve mentioned, to bring to light past bad behavior by vendors that may cast doubt on their character and the veracity of self-reported data. Public information includes things such as regulatory actions, pending or prior criminal actions, lawsuits, bankruptcies, liens, judgments, affiliated companies, companies with common ownership, etc.

If the public record shows that somebody has done something improper or illegal in the past, there’s a good chance they’re going to do something similar in the future. Not a lot of people (or companies) wake up one day and decide to embark on a life of white collar crime. Most people involved in fraud or corruption have been involved in similar crimes for many years and very few of them find redemption.

Q: In doing a standard, cyclical vendor audit, what are some things we should look for to identify vendor-related fraud? Presumably, the vendor itself in all these cases is legitimate as we are doing business with them.

A: The GSA produces a blacklist of companies that have either consistently failed to perform their obligations under government contracts, or have defrauded the government. If a vendor has no qualms about defrauding the federal government and facing those kinds of sanctions, they’re going to have no qualms about defrauding you. Debarments are a sign you want to pay attention to, as past behavior is a good predictor of future behavior. There is a wide array of debarment lists maintained by the federal, state and local government as well as several of the larger, multilateral banks (World Bank, European Bank for Reconstruction and Development, Inter-American Bank, etc.)

We’ve seen a significant uptick in demand for master vendor file audits. Not sure what is contributing to this, but a lot of organizations are finding that the volume of vendor contracts requiring auditing is overwhelming and are seeking to leverage electronic tools to detect undisclosed conflicts of interest, fictitious vendors and any vendors who have pending or historical sanctions against them.

Protiviti will continue to promote an ongoing dialogue on fraud, fraud risk, financial crime and corruption through its thought leadership and continuing its webinar series on internal investigations.

COSO 2013 Implementation Webinar: Your Questions Answered

Keith Kawashima

Keith Kawashima, Managing Director
Internal Audit and Financial Advisory practice



Wrapping up our Internal Audit Awareness Month webinar Q&A series, Keith Kawashima, managing director in our Silicon Valley office, answers some of the questions we weren’t able to get to in our April 29th webinar, Top 10 Lessons Learned From Implementing COSO 2013.

In 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a comprehensive update to its original 1992 Internal Control — Integrated Framework. This COSO framework is the de facto framework used by more than 99 percent of the organizations required to comply with Section 404 — Internal Controls over Financial Reporting (ICFR) requirement of the Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act (SOX). Based on financial filings reviewed through the end of May, 2015, approximately 83 percent of companies subject to the external auditor attestation requirement have transitioned from the 1992 version of COSO to the revised 2013 version.

The U.S. Congress enacted SOX, in 2002, in the wake of several high-profile public company financial frauds, to provide additional comfort to investors that public company financials were built on reasonable standards. Among other things, this legislation created the Public Company Accounting Oversight Board (PCAOB) and charged it with establishing auditing and related professional practice standards for registered public accounting firms to follow in the preparation and issuance of audit reports.

Below, Keith addresses some SOX-specific questions regarding the application of COSO 2013.

Q: Given the increased regulatory focus on internal control deficiencies, how does COSO connect the dots between deficiencies and the scope of potential misstatements they could create?

A: The PCAOB is telling external auditors that they need to further scrutinize both the design and operating effectiveness of a company’s internal controls over financial reporting, as well as to better support the conclusions they come to in their evaluation of ICFR. Both the old COSO framework and the revised framework have five components by which internal controls were evaluated. The new framework further expands and defines each of those five components through its 17 mandatory principles. These principles are broken down even further through the points of focus.

For a control environment to be deemed to be effective, the company needs to be able to demonstrate that all principles are present and functioning, as well as operating together. The application of the new framework has and will continue to help both the external auditors and management to identify control gaps and evaluate the potential exposure that these gaps create. This allows them to understand the potential for misstatement that exists and helps to size the gaps as deficiencies, significant deficiencies or material weaknesses.

Q: If there is a discrepancy between the COSO 2013 internal control framework and SOX, which takes precedence? And what part of SOX compliance, specifically, does COSO address?

A: The COSO internal controls framework was released 10 years before the Sarbanes – Oxley act was passed. As one can imagine, both the 1992 and 2013 version were designed for broader application than those required by the internal controls over financial reporting (ICFR) evaluation required to comply with SOX section 404. While the focus of SOX is limited to the controls in place to ensure material accuracy of the company’s outwardly facing financial reports, the COSO framework is intended to apply more broadly to the company’s overall internal control environment. This has led some companies to either intentionally or un-intentionally expand their control evaluation efforts beyond what is required for SOX purposes. As it pertains specifically to SOX, however, COSO has clearly communicated that it has provided a thorough and useful framework for evaluating internal controls, and continues to reiterate that it is not a legislative body. The SOX 404 requirement continues to focus on a top-down risk-based scoping approach. It also has defined the evaluation criteria and reporting requirements for control gaps or deficiencies. COSO has stated that in the instance where additional criteria is required, the framework is flexible enough to accommodate it. So for SOX, the focus will be on ICFR, and the evaluation and reporting requirements remain aligned to the SOX criteria of deficiency, significant deficiency and material weakness.

Q: The PCAOB, which was created by SOX, has said that not enough work is being done by external auditors to verify the presence and functioning of internal controls over outsourced processes and third-party vendors within the scope of ICFR. How can COSO 2013 be applied to address this concern?

A: I think it’s important to recognize that while a company can outsource a process, it can never outsource the responsibility for maintaining an appropriate control environment over that process, particularly when the outputs from that process have an impact on public financial statements.

External auditors and management both need to conclude that the overall control environment is adequate and that all 17 of the COSO principles are present and functioning, regardless of whether a process or a series of processes is performed by the company or by third-party providers. The additional granularity of the revised version – including additional emphasis for areas such as use and reliance on technology and an enhanced focus on fraud risks and other areas – helps us to understand the broad control environment, including areas where outsourcing in deployed.

For a more in-depth examination of COSO 2013 internal control framework and how to implement it, you might be interested in Protiviti’s Frequently Asked Questions (FAQ) COSO publication, as well as our 5-part webinar series covering COSO 2013. Follow the links below to register for one, or all, of the free archived sessions:

COSO 2013: What is New, What Has Changed, Why Does it Matter, and Other Frequently Asked Questions (May 28, 2014)
COSO 2013: Managing the Project for Success and IPO Readiness (June 4, 2014)
COSO 2013: Mapping Controls to Principles (June 11, 2014)
COSO 2013: The Implications to IT Controls (June 18, 2014)
COSO 2013: Assessing Fraud Risks in ICEFR and Implementation Insights Panel (June 25, 2014)

Protiviti is offering these webinar Q&As in May as part of Internal Audit Awareness Month. For additional information about the month-long initiative, spearheaded by the Institute of Internal Auditors, please visit The IIA’s website.