From the GAM Conference: Changing Priorities, Analytics in Auditing and More

This week, Protiviti is joining the best and brightest thought leaders from Fortune 500 companies at The Institute of Internal Auditors’ 2017 General Audit Management (GAM) Conference in Orlando, FL. For nearly 40 years, GAM has been the premier experience for internal audit leaders to explore emerging issues and exchange leading practices for positive outcomes. The theme for the 2017 conference is Fostering Risk Resilience. Two Protiviti leaders, Brian Christensen and Jordan Reed, will be conducting panel discussions on stakeholder expectations and the Internet of Things, respectively. We are covering these events and more from the conference here on our blog and on Protiviti’s social media platforms. Subscribe to our blog and follow us on Twitter for timely podcasts and analysis of this year’s conference topics.

 

On Day 2 of the conference, Protiviti Managing Director Jordan Reed shared some thoughts on the panel discussion titled “The Internet of Things: What Does This Mean to Internal Audit?” Jordan led the panel together with Jeff Rowland, Vice President, Audit Services at USAA. Below in Jordan’s own words are highlights from the discussion. For more on why the Internet of Things matters, and the risks and expectations arising from it, read the recently published Protiviti white paper (download).

Share on Twitter

Also hear Protiviti Managing Director and The Protiviti View blog host Jim DeLoach share his view on stakeholder expectations as reflected in the Global Internal Audit CBOK Stakeholder Study.

Share on Twitter

Finally, Protiviti Managing Director Matt McGivern discusses the current state of data analytics in internal auditing, including findings from Protiviti’s latest internal audit survey. Listen below.

Share on Twitter

The Four C’s in Overseeing Internal Audit

This week, Protiviti is joining the best and brightest thought leaders from Fortune 500 companies at The Institute of Internal Auditors’ 2017 General Audit Management (GAM) Conference in Orlando, FL. For nearly 40 years, GAM has been the premier experience for internal audit leaders to explore emerging issues and exchange leading practices for positive outcomes. The theme for the 2017 conference is Fostering Risk Resilience. Two Protiviti leaders, Brian Christensen and Jordan Reed, will be conducting panel discussions on stakeholder expectations and the Internet of Things, respectively. We are covering these events and more from the conference here on our blog and on Protiviti’s social media platforms. Subscribe to our blog and follow us on Twitter for timely podcasts and analysis of this year’s conference topics.

 

By Brian Christensen, Managing Director
Internal Audit Global Leader

 

 

 

In 2016, The Institute of Internal Auditors and Protiviti conducted the world’s largest ongoing study of the internal audit profession — the Global Internal Audit Common Body of Knowledge (CBOK) study — to ascertain expectations from key stakeholders, including board members, regarding internal audit performance. Several imperatives for internal audit emerged from the responses of the participants in the study. Among them: focus more on strategic risks, think beyond the scope of the audit plan, and add more value through consulting.

As for directors, there are four features to consider when evaluating the sufficiency of any risk-based audit plan: culture, competitiveness, compliance and cybersecurity – let’s call them the Four C’s, for short. We explored these four C’s in a recent issue of our Board Perspectives: Risk Oversight series. And I had the opportunity to discuss them yesterday at The IIA’s 2017 General Audit Management (GAM) conference in Orlando, as well. I want to share some of that discussion.

Culture

Executives and directors understand that a breakdown in risk management, internal control or compliance is almost always due to a dysfunctional culture. They also know that cultural dysfunction doesn’t develop overnight. Risks stemming from a culture breakdown typically incubate for a long time before noticeable symptoms appear — often in the form of some potentially reputation-damaging event. Examples of dysfunctional culture include an environment that isolates senior leaders from business realities, allows cost and schedule concerns to override public safety, empowers fraud, or encourages unacceptable risk-taking. Internal audit can assist in assessing whether the tone in the middle and at the bottom match the leaders’ perceptions of the tone at the top.

Competitiveness

Most organizations use some form of balanced scorecard when monitoring whether they are successfully establishing and sustaining competitive advantage in the marketplace. The board should expect internal audit to look beyond traditional compliance and financial reporting to help the organization continuously improve operations. Internal audit can help improve operating efficiency and effectiveness by identifying business processes that are not performing at a competitive level because of practices that are inferior to competitors’ and industry best practices. In addition, internal audit can benchmark selected metrics to identify performance gaps.

Compliance

Traditionally, the internal audit plan deals with ensuring that areas related to the organization’s compliance with laws, regulations and internal policies are under control. As the third line of defense, internal audit should ascertain whether:

  • frontline operators and functional leaders whose activities have significant compliance implications (first line of defense) own their responsibility and have effective controls to reduce compliance risk; and
  • the scope of the independent compliance function (second line of defense) is appropriate for the company’s level of compliance issues and results in timely and reliable insights to management and risk owners.

In the absence of a second line, internal audit can determine whether a cost-effective monitoring process is in place to address top compliance risks. It can also assess implementation of compliance programs to ensure that the company is current with changes to applicable laws and regulations.

Cybersecurity

This area is a significant and growing concern to boards and is not likely to go away any time soon. Cybersecurity was cited as the third most critical uncertainty for executives in the Executive Perspectives on Top Risks Survey for 2017 by Protiviti and the North Carolina State University’s ERM initiative, and deemed the number one technology challenge by respondents to Protiviti’s IT Audit Benchmarking Survey. Internal audit can assist in several ways: First, by assessing whether the company’s processes give adequate attention to high-value “crown jewels” information and information systems, rather than an all-systems-are-equal approach; second, by helping the board and senior management with understanding the threat landscape; and finally, by assessing the organization’s cyber incident response readiness.

Focusing on the Four C’s enables internal audit functions to consider more broadly the implications of their audit findings and to think beyond the expressed or implied boundaries set by the audit plan. This, in turn, positions internal audit to deliver stronger, more practical and harder-hitting recommendations aligned with what directors are seeking.

Embracing Analytics in Auditing: New Protiviti Survey Takes a Look

In a digital world, the time for internal audit functions to embrace analytics is now. This is the most significant takeaway from Protiviti’s 2017 Internal Audit Capabilities and Needs Survey, released today. The results show that chief audit executives and internal audit professionals increasingly are leveraging analytics in the audit process, as well as for a host of continuous auditing and monitoring activities.

Learn more by watching our video below. For more information and our full report, visit www.protiviti.com/IASurvey.

Assessing the Expectations of Internal Audit Stakeholders at The IIA GAM Conference

This week, Protiviti is joining the best and brightest thought leaders from Fortune 500 companies at The Institute of Internal Auditors’ 2017 General Audit Management (GAM) Conference in Orlando, FL. For nearly 40 years, GAM has been the premier experience for internal audit leaders to explore emerging issues and exchange leading practices for positive outcomes. The theme for the 2017 conference is Fostering Risk Resilience. Two Protiviti leaders, Brian Christensen and Jordan Reed, will be conducting panel discussions on stakeholder expectations and the Internet of Things, respectively. We are covering these events and more from the conference here on our blog and on Protiviti’s social media platforms. Subscribe to our blog and follow us on Twitter for timely podcasts and analysis of this year’s conference topics.

 

Panel Session at the 2017 IIA GAM Conference:
Stakeholder Expectations (Updates from CBOK Stakeholder Studies)

Today at The IIA 2017 GAM Conference, Brian Christensen, Executive Vice President, Global Internal Audit for Protiviti, participated in a panel discussion before more than 1,000 conference attendees, on the expectations of internal audit stakeholders and how internal audit can continue to improve its performance. The panel was moderated by Paul Sobel, Vice President and Chief Audit Executive, Georgia-Pacific LLC. Panelists were Angela Witzany, Chair, IIA Board of Directors and Head of Internal Audit at Sparkassen Versicherung AG; Larry Harrington, Vice President, Internal Audit at Raytheon Company; and Brian Christensen, Executive Vice President, Global Internal Audit at Protiviti.

Following are some highlights from Brian’s comments:

  • Are we in the so-called “golden age” of internal audit? Membership in The IIA is at an all-time high. Conferences and programs are near capacity. As internal auditors, we are part of the conversation in the boardroom and management circles. And internal audit has been rated one of the 10 best professions to start a career. But, it’s important to ask, what can we do better? How do we remain relevant and serve our constituents better? Answering these questions was the goal of the 2016 Global Internal Audit Common Body of Knowledge (CBOK) Stakeholder Study.
  • Stakeholders agree that internal audit is focused on the most significant areas in their organizations. Internal audit is keeping up with changes in the business and is communicating well with management and the board.
  • Internal audit needs to further leverage its positive reputation for quality in other areas of the business where it can add value.
  • Management and the board want internal audit to “move beyond its comfort zone” to help organizations bring internal audit perspective on strategic initiatives and changes – digitalization, cybersecurity, Internet of Things and more. Change is all around us. In light of these many changes, what are new and emerging risks that organizations need to understand and manage? Internal audit can and is expected to provide information and insights to board members and management on these new risks.

Brian also offered some calls to action:

  • As internal auditors, we need to rise up to the expectations of our stakeholders. We’ve been told we’re doing a great job, but we can do more, and our stakeholders want us to do more.
  • We need to break out of historical thinking and approaches. We’ve earned a solid reputation – we now need to build on it.
  • We need to focus on and embrace the four C’s – Culture, Compliance, Competitiveness, Cybersecurity.
  • We need to ask ourselves: Where do we want to be in five years? In 10 years? How do we continue our “golden age”? The answer: Take on bold ideas and new concepts.
  • Finally, we need to own the discourse to fulfill the expectations of our stakeholders.

We have a great opportunity – not just for ourselves, but to create a path for those behind us. Stakeholders have given us a road map to success. Let’s fulfill our destiny and continue our golden age.

Listen to Brian Christensen summarize the highlights:

Share on Twitter

Four Ways for Insurers to Prepare for New NAIC Cybersecurity Rules

By Adam Hamm, Managing Director
Risk and Compliance

 

 

 

Cybersecurity and technology represent immense challenges and opportunities for all insurers and financial services companies. Organizations need to protect sensitive information and customer data to the greatest extent possible, and to recover as quickly as possible in the event of a breach.

Insurance companies store large amounts of personal information about their policyholders. Cybercriminals know this, and have been increasingly targeting insurers. The past two years have seen a dramatic increase in successful cyberattacks, exposing the personally-identifiable information of more than 100 million Americans. As a result, state insurance regulators have been looking for ways to protect consumers and ensure the integrity of the industry. This month, New York became the first state to adopt cybersecurity guidelines. And the National Association of Insurance Commissioners (NAIC) is working towards completing its Data Security Model Law.

Continue reading

Data Security Alarms Should Be Sounding for Oil and Gas

By Tyler Chase, Managing Director
Energy and Utilities Industry Leader

 

 

 

Oil and gas industry executives don’t need to see a new Wikileaks story about secret CIA hacking tools or hear more about the electronic penetration of presidential campaigns to understand the seriousness of a potential digital hack to their operations.

But it’s a large step from knowing a risk exists to being ready for it. Achieving confidence in the ability to manage such risk can involve substantial new investments and operational adjustments, even for an industry accustomed to meeting regulatory, operational and market challenges.

Protiviti’s recently released 2017 Security and Privacy Survey indicates that oil and gas companies are facing their cybersecurity challenges in ways similar to other industries. The survey’s main findings include:

  • Nearly one in five companies cannot confidently identify or locate their “crown jewels,” or most valuable data assets, because they lack an effective enterprisewide data classification scheme and policies.
  • How well companies manage their vendors’ security practices marks a notable difference between top security performers and the rest.
  • Companies with a high level of board engagement in information security issues rate considerably higher than those without such involvement in nearly all facets of information security best practices. These companies also report a higher level of confidence in their ability to prevent an opportunistic data breach.

These findings largely correspond to what we have seen among our own energy clients. One difference we have noticed, however, is that energy companies tend to have little to no formal documentation on testing of security incident response plans, compared to other industries. This could mean that energy executives have not substantiated a basis for the same level of breach-prevention preparedness as some other industries. I would argue that as a critical infrastructure, they should.

Although Protiviti energy clients indicate they are committed to security, we see about the same 38-percent level of compliance with implementation of the five core information security policies identified in the Protiviti survey: acceptable use, records retention/destruction, data encryption, information security, and social media policies.

In addition, energy companies, specifically those in exploration and production (E&P), have been hesitant to invest in tools to identify where their “crown jewels” are stored, apparently on the basis that many do not feel their company is much at risk because it does not retain much sensitive data. However, many common processes at E&P companies (i.e., escheat and royalty owner payments) do involve sensitive information protected by state privacy laws (e.g., individual tax ID numbers are actually Social Security numbers). Further, company confidential information, such as reservoir data, land acquisition data, and merger and acquisition activity, would be considered data that requires identification and protection. Very commonly, even where these processes are mostly manual, this information is digitized (e.g., scanned documents) or entered into a system. If the company does not know what data exists and where, it will have a difficult time protecting it.

Energy executives and boards would be wise to ask themselves some worst case scenario questions and know the answers now rather than having to discover them under fire later:

  • If our data assets were compromised, could they be reconstructed, and how long would it take?
  • If field operations were disrupted by an attack on the operational control system, how much revenue would be lost per week? Per month?
  • If competitors or counter-parties were able to learn confidential details of our strategies and plans, where would our company be most vulnerable?

The bottom line is that what you don’t know, such as where your critical data is, can, and eventually will, hurt you. With all issues of cybersecurity, it’s only a matter of time.

Alyssa Brister and Luis Castillo from Protiviti’s Technology Consulting practice contributed to this post.

Partly Cloudy: Outage Raises Resiliency Concerns

By Jeff Weber, Managing Director
Technology Strategy and Operation

 

 

 

Everyone needs a little downtime – critical IT infrastructure, not so much. Security and reliability have long been the two primary enterprise concerns when it comes to the cloud. And while security has been the dominant concern over the past couple of years, recent high-profile cloud outages have brought reliability front and center.

A recent outage affected almost 150,000 sites. In the not so distant, cloud-less past, most companies would have had in-house servers, and the disruption would have been limited and isolated. Included in the outage was an internet messaging and chat service popular among IT professionals, who were quick to notice and spread the word. More importantly, this service enables IT services and communication and impacted organizations in their ability to maintain service levels.

Even companies with on-premise enterprise systems could find themselves unexpectedly cut off from critical services, vendor portals and clients, in the event of a service interruption at a cloud-based communications provider.

Cloud functionality affects virtually everyone. These days, if any company thinks it doesn’t have significant cloud exposure, it needs to think again. Now is the time for companies to be asking themselves whether their risk management framework is robust enough to identify risk exposure they may not have thought about.

The worst time to discover a critical exposure to a cloud outage is…well, always. Protiviti recommends that companies act now to conduct a cloud risk assessment and impact analysis and develop an effective response plan. Key elements include:

  • Conducting a thorough process review to identify any hidden cloud exposures
  • Identifying and prioritizing “crown jewels” – in this case, critical functions that must be protected from disruption
  • Comparing exposures against the company’s risk appetite and establishing a remediation threshold – for example, frequency and duration of outage
  • Creating an awareness of susceptibilities and developing response procedures

Although for many companies this type of exercise is new when it comes to cloud computing, it is essentially the same process they have applied in the past to telecommunications, infrastructure and other “always-on” systems and applications. The chief information officer should lead, or at least be at the table for this discussion, and ensure that the right people are involved in the conversation. Furthermore, the discussion should be conducted in business-relevant terms (risk, effect on operations) rather than IT terms (systems downtime, for example).

Public reaction to cloud outages, to date, has been relatively muted. That is likely to change, and quickly, as connectivity increases and digitization and the Internet of Things transforms existing business models. No one is really shocked that cloud outages happen, but now that they are on the radar, it is important to plan for the occasional yet inevitable “inclement weather.”