Strategic Risks: How Can CAEs Up Their Game?

The latest Common Body of Knowledge (CBOK) survey of internal audit stakeholders reports 7 out of 10 stakeholders want audit leaders to focus on strategic risks, as well as operational, compliance and financial risks, during an audit.

The message is loud and clear. Board members and senior executives are saying they wish to look to the internal audit function for insights that will help them stay ahead of the curve on managing strategic risks — a responsibility that requires collaborations across all lines of defense.

The last thing we, as internal auditors, ever want to hear when something goes wrong is: “Where was internal audit?” But how can CAEs up their game to ensure that this doesn’t happen, particularly when there is increased interest in strategic disruption risk? I recently had the pleasure of addressing this topic joined by an outstanding CAE – Chuck Windeknecht, Vice President of the Internal Audit Department at Atlas Air Worldwide, at The IIA International Conference in New York.

A progressive CAE establishes relevance with the board of directors by understanding the organization’s business objectives, strategy and culture, and identifying risks that could impede the successful execution and achievement of the organization’s strategy and objectives. This baseline understanding positions the organization and the internal audit function to constantly scan the horizon and sift through the noise so the audit committee and executive team can be given strategically relevant insights – something they don’t already know.

To do so, CAEs must be alert, informed, and able to quickly discern the vital signs of change. Success is not a matter of luck, but of preparation that leads to doing four things really well:

  1. Understand the critical assumptions underlying the business model. From an internal audit perspective, this is important to be able to adopt a contrarian view, as well as constantly be on the lookout for changes that could disrupt and threaten the company’s strategic plans and business model. CAEs must be able to access and understand opposing points of view within and outside the organization. But they need a context – and that context would be the organization’s strategic assumptions. That’s not to say auditors shouldn’t remain focused on important operational, compliance and reporting issues. The key is to leverage all available technology and tools to allow themselves more time to think strategically.
  2. Help the organization apply scenario analysis capabilities to evaluate potential situations. As the third line of defense, internal audit is one of the organization’s key components of a comprehensive risk management organization. Accordingly, if internal audit could help identify an event or combination of events that could invalidate one or more of the critical assumptions on a timely basis, it would contribute value to the organization’s leadership. While it is universally accepted that risk assessments must be refreshed periodically, the internal auditor’s line of sight is directed to timely recognition of emerging and changing risks.
  3. Ensure the organization’s intelligence gathering activities are aligned with the key indicators evidencing that scenarios of greatest concern are either developing or have occurred. It is one thing to know what can derail the strategy. It is another to align intelligence gathering with factors that signal when such events or circumstances are occurring or have occurred. Competitive intelligence creates enterprisewide transparency by seeking out forward-looking nontraditional information and data that may offer decision makers a contrarian view and early warning signs. Internal audit is well suited to assist the organization’s efforts with analyzing its early alert capabilities to more effectively mitigate the impact of disruptive developments. The understanding of strategic assumptions and an effective contrarian viewpoint enable this analysis.
  4. Help distill and de-mystify timely information about assumptions, scenario analyses and intelligence gathered. Reporting insights to decision makers is what it’s all about – setting us apart and establishing our relevance. To this end, it is critical to establish direct access to customer and marketplace feedback and provide insights that are unfiltered by the suppression occurring when information passes through traditional information siloes. Internal audit should place an emphasis on improving risk information across the organization. That can lead to better information for decision-making used in the business.

To echo my colleague Brian Christensen, these are exciting times for the internal audit profession. Our strategic advice and insight are being sought like never before. We’ve come a long way to get here. Now that all eyes are on us, it is critically important to perform with skill, intelligence and dedication, to prove that our leaders’ faith and trust in us are well-placed.


Sourcing SOX Compliance Costs: Fewer Controls, More Scrutiny

By Nichole Minice, Managing Director
Internal Audit and Financial Advisory



In a recent post recapping our webinar on rising SOX compliance costs, we cited increased external auditor scrutiny of “information produced by entity” (IPE), or electronic audit evidence, as contributing significantly to the increase in costs, with the testing and validation of IPE requiring almost twice the eight-hour average time required to test other internal controls.

External auditors of public companies have come under increasing pressure from the Public Company Accounting Oversight Board (PCAOB). One area of particular emphasis has been the reliance of external auditors on IPE, and the need for increased rigor to ensure that the information is accurate and reliable.

IPE is the raw material from which external audits are crafted. It is, therefore, critical for organizations to be able to “show their work” in a way that can easily be verified and validated. This applies both to the integrity of the data itself and the processes underlying the generation of reports that control owners rely upon when executing an internal control. Under PCAOB standards, an external auditor should rely on an entity-produced report or spreadsheet only if there is sufficient evidence to prove that the information within the IPE document is both accurate and complete.

In my own field experience, it’s not unusual to encounter anywhere from 100 to 150 process-level controls. Because of the precision required by external auditors to meet the PCAOB standards, each of these controls might require 12 to 14 hours to test.

Overall, one in five public companies tests IPE every time a control is tested. Again, while respondents to our survey reported a decrease in the number of controls tested, the amount of effort being spent on the controls they do test has increased, and IPE certainly is one of the big contributors to that.

In such an environment, it’s easy to see how automated controls might significantly reduce the time and effort required for verification, particularly in comparison with a traditional spreadsheet in which every formula is a potential point of failure.

A more robust information technology environment provides a more reliable control environment, so we expect to see automated controls lead to a lot more efficiencies and eliminate human errors associated with manual entries into spreadsheets.

Not surprisingly, we’ve noticed that large accelerated and accelerated filers — entities that have adopted automated controls and reporting out of necessity and therefore tend to be more mature in their control environment — are doing the best job of managing the increasingly granular and transparent reporting requirements.

But companies of all sizes are making progress in this area, and we expect to see that continue. Well over half of the organizations surveyed reported that they have at least moderate plans to continue to automate their controls in 2016. We certainly see this trend at our clients and anticipate seeing more as organizations evolve from newly-public into more established entities.

Bottom line: In the current audit environment, organizations are placing an increasing emphasis on quality over quantity of controls. We’re seeing controls getting stronger, and the rigor from external audit related to PCAOB pressure certainly has an impact on that. I also think that companies are reaping the benefits of these strong controls that they can rely on internally and are looking to reduce the amount of controls that they ultimately have to focus on. It is important in all this that companies have a solid rationale behind their testing approach and communicate with their external auditors early and often.

From New York to Hong Kong: The Need for a Global AML Program

By Carol Beaumier, Executive Vice-President and Managing Director
Regulatory Compliance Practice



Money launderers don’t recognize geographical boundaries and, while they often seek to launder money in those jurisdictions with the weakest regulatory environment, they are also attracted to major markets, which can accommodate large-scale movement of funds. They are masters at exploiting any weaknesses caused by differences among national anti-money laundering (AML) systems, which is why the regulation of money laundering needs to be a global effort.

Three major global financial centers – New York, London and Hong Kong – do share a high degree of commonality with the global AML principles of the Financial Action Task Force (FATF). Despite their common approach to AML, requirements are implemented or enforced differently, with a number of nuances within each jurisdiction – and potentially more in the future as the UK shapes its financial crime regime in a post-Brexit environment. This can be a minefield for global financial institutions seeking to establish and maintain an effective, global AML compliance program.

On the regulatory side, financial regulators have taken a proactive approach to close cross-regional collaboration and joint enforcement activities. This impacts financial institutions, as they may find themselves subject to the same inquiries in multiple jurisdictions at the same time. This regulatory approach highlights the need for compliance teams to be aligned and connected regionally as well as globally.

We discuss these issues, and much more, in a recently published white paper, The Challenges of Managing a Global AML Program. The paper examines the differences among the three global financial centers in four specific areas: regulatory examination and enforcement, correspondent banking, information sharing, and AML technology. It also considers the implications of these differences for financial institutions seeking to implement global AML programs and provides advice on how firms can implement efficiently a compliant AML program that is cost-effective and provides more value to the business.

The white paper offers a comprehensive discussion that’s worth your read. Financial services is, without question, a global business, and while money laundering will not go away any time soon, understanding how to align your global AML program to the nuances of key AML jurisdictions will go a long way in ensuring compliance.

Internal Audit Around the World: Collaboration, Technology and the Female CAE

By Susan Haseley, Managing Director
Internal Audit and Financial Advisory



Technology is creating new areas of risk for businesses, requiring a collaborative mindset and strong relationships to manage risk effectively. At the same time, technology is creating new opportunities to improve how internal auditors manage risk – opportunities that come with the same requirements of collaboration and relationship-building. These changes to the internal audit landscape are becoming evident at a time when more women than ever before have risen to positions of senior leadership.

In our twelfth annual edition of Internal Auditing Around the World, we explore the accelerating change wrought by technology as a source of opportunity and as a source of risk. We also decided to focus this year’s edition solely on the viewpoints of women leaders in internal audit. This combination of themes yields a fresh perspective on the growing drive to collaborate – with IT, business units, senior management and external partners – to leverage specialist knowledge, harness emerging technologies and build influential relationships as trusted advisers to the enterprise.

“Technology is going to completely change the way we audit,” says Kathy Swain, Vice President of Internal Audit at Horizon Blue Cross Blue Shield of New Jersey. “As more businesses are built entirely on technology, internal audit will need to follow suit.”

In no area is this more true than in data analytics, a technological innovation embraced by many of this year’s internal audit leaders as a way to continuously monitor for emerging risks and potential optimizations. At Nordstrom, business intelligence serves not only to support the internal audit function, but also to share insights relevant to business decision-makers.

“These insights will allow our team to become even better at what we’re already good at – risks and controls,” says Dominique Vincenti, Nordstrom’s Vice President of Internal Audit and Financial Controls. “They will also help us to underscore the direct value that the function is providing to Nordstrom in many other ways.”

Some internal audit groups take a different approach – they collaborate with external partners not only to gain access to specialized expertise, but also to leverage technologies not available in-house. “We’re not necessarily making huge technology investments,” says Julie Eason, CNL Financial Group’s Internal Audit Director. “When I don’t have the tech internally, I rely on my co-sourced partners.”

Last but not least, cybersecurity is a growing area of risk that has led internal audit functions to partner closely with IT. Monica Frazer, Vice President of Internal Audit for Baylor Scott & White Health, holds meetings with the chief information security officer at least once a month, and has new hires undergo extensive training in relationship-building skills. This emphasis on collaboration pays off, according to the surveys Frazer’s department holds after every audit. “We’re really viewed as a trusted business adviser,” says Frazer.

Mari Yonezawa, Chief Audit Executive at Obara Group, sums up this year’s theme well: “If auditors have strong communication skills, they can build good relationships, and the audits will go more smoothly.” Then she adds, “I think this is why women make good auditors. We tend to be effective communicators.”

The full volume of our 12th edition of Internal Audit Around the World is available here – peruse at your leisure and let us know your thoughts.

AICPA Issues Audit Risk Alert on Revenue Recognition, With More Guidance to Come

By Charles Soranno, Managing Director
Financial Reporting Compliance and Internal Audit



The American Institute of Certified Public Accountants (AICPA) recently issued an Audit Risk Alert on Revenue Recognition – an early and significant entry in what will be a growing body of guidance concerning the Financial Accounting Standards Board’s (FASB’s) new revenue recognition standard. It’s an important resource for preparers and auditors, because it explains the new revenue recognition accounting and auditing requirements for financial reporting and governance, expected to be released in 2017. The detailed Flash Report we published on July 11 gives an overview of this important alert, provides background on the new revenue recognition standard, and describes the implementation and internal control considerations it will engender.

In 2017, the AICPA will issue a new Revenue Recognition Guide, including several industry-specific implementation guides. The sheer volume of upcoming guidance stresses the significance of the new standard, and hints at the scope and number of implementation challenges confronting preparers and auditors of financial reports. Companies will want to act now to ensure an effective and timely transition to compliance.

After the FASB announced last summer that it is deferring implementation of the new standard by a year, the standard is now finally scheduled to go into effect – as early as 2017 for some entities, with others (those who prefer to keep to the original timeline) permitted to begin early application in 2016.

Accountants and financial reporting managers, as well as internal auditors and others charged with financial reporting compliance and governance, will benefit from becoming familiar with the issues that must be addressed not only during the transition but also afterward. Thus, the alert should serve as a helpful resource for understanding the standard itself as well as its impacts on accounting, financial reporting, and disclosures.

The AICPA’s alert explains the new standard’s principles and emphasizes points that preparers and auditors should consider to avoid misstatements of revenue. The alert also mentions auditors’ responsibilities regarding consideration of fraud in conjunction with a financial statement audit. Preparers and auditors should recognize that improper revenue recognition is a fraud risk, and that misstatements can arise not only from overstatement, but sometimes also from understatement, of revenue.

FASB’s new revenue recognition standard will require management to exercise more judgment, and potentially formulate more estimates, in recognizing revenue than it ever has before. Organizations will want to design an effective system of internal controls to address the heightened financial reporting risk. The AICPA alert includes a table that aligns the new standard’s five-step revenue recognition model to corresponding control activities that could support compliance, and suggests that audit committees and executives include revenue recognition considerations in their audit plans.

As this new standard comes into effect, internal auditors might want to extend their monitoring of internal controls to management’s ongoing implementation of the new revenue recognition standard, and encourage its integration into their organizations’ audit plans. Familiarity with the standard’s requirements and technical accounting acumen are, of course, essential.

Beyond changes to accounting and reporting, the new revenue recognition accounting standard will prompt changes to “people, processes and technology.” AICPA’s publication of the alert – and its forthcoming comprehensive implementation guides – demonstrates the importance of mastering the material, planning the transition early, and making a plan to monitor results after implementing the changes.

Access our detailed Flash Report here.

Cloud Adoption: Putting the Cloud at the Heart of Business and IT Strategy

By Ed Page, Managing Director
IT Consulting



Cloud computing is on the rise as businesses respond to rapidly evolving consumer behaviors, changing business models, and the opportunities and risks brought by new market entrants. Chief information officers and chief technology officers must manage this shift under mounting regulatory pressure and growing concerns about data security and privacy, while simultaneously managing complex and aging legacy infrastructure in a “do more, faster, with less” environment.

Given the criticality of a successful cloud transformation, we are publishing a series of white papers focusing on cloud adoption. The first paper in the series focuses on strategy.

In a nutshell, cloud computing’s elastic capacity allows companies to rapidly deploy and scale technology by outsourcing IT infrastructure and maintenance. This not only allows companies to focus resources on their core business, but can also improve their agility, resiliency and business continuity management capabilities. By placing cloud adoption at the center of a renewed business and IT strategy, firms can capitalize on efficiencies and drive business success. The challenge, of course, is formulating a comprehensive adoption strategy. We break it down into four components:

  • Strategy — Deploying the right application on the right architecture is not as simple as migrating existing applications to the cloud. There are several strategic considerations to evaluate, including architecture, governance, readiness and platform integration with legacy systems.
  • Implementation — Implementation and day-to-day management of cloud operations should be owned by the organization’s service operations function to ensure timely issue resolution and minimal disruption of the technology stack (infrastructure, platform, applications). Considerations should include risk management, capacity and operational excellence, and vendor selection.
  • Service Assurance — A cloud migration is an excellent time for business process improvement. Legacy applications may not be ready for cloud deployment. Care must be taken to ensure a seamless customer experience. And the IT function will need to adapt to a new role of “service broker,” capable of navigating between cloud and non-cloud platforms to deliver the best possible service to end users.
  • Security — There is a notion that cloud deployment means lower security. Security is certainly a major concern, but it is also a differentiator among cloud service providers. During vendor selection, it is important to vet candidates for data security and privacy safeguards, access management, compliance with company standard policies and procedures as well as industry-specific regulations, and incident management practices.

Clearly, cloud adoption is much more than an IT issue, and requires carefully designing, developing and implementing a cloud transformation strategy. We’re happy to share what we’ve learned. Download the white paper and let us know what you think in the comment section below.

From Factory Workhorse to Factotum, Robotic Automation Is Evolving to Serve the Head Office

By Shawn Seasongood, Managing Director
Business Performance Improvement



Introduced in the 1960s to perform simple manufacturing tasks, robotic automation has evolved into a jack-of-all-trades, moving into the head office to streamline and accelerate a variety of business processes as part of a global digital transformation.

Robotic process automation (RPA) and robotic desktop automation (RDA) use software for tasks such as processing sales and financial transactions, managing data, communications between different systems, access management, monitoring and reporting.

Visionary companies plan ahead so that they can face the future with confidence. That’s why many are considering robotic automation as a way to build efficiencies in performance and cost management. Protiviti’s Business Performance Improvement Services team examined this trend in our recently published white paper, Looking Deeper into Robotic Automation: Considerations and Case Studies for Robotic Process and Desktop Automation.

The benefits of robotic process automation are clear. Robots can eliminate human error, operate 24/7/365, and complete simple tasks with minimal overhead. The level of integration of robotic automation is flexible. A robot can work autonomously (RPA), or alongside a human (RDA).

RPA is specifically used for back-office tasks, including credit decisions, loan underwriting, insurance underwriting, insurance claims adjudication, payment processing, pricing, customer service, accounting data entry, procurement, purchase order creation and the issuance of online access credentials.

RDA is used in retail operations, call centers, and other back-office activities in which each employee uses automation to accelerate tasks. Examples include automated connectivity to eliminate separate logins across multiple systems, instantaneous consolidation and display of customer relationship data, validations to ensure compliance and completion, and productivity and utilization metrics. RDA is intended to minimize the burden of manual tasks on employees, freeing them to focus on more complex strategic and value-adding tasks.

As with any worthwhile solution, successful robotic automation requires careful planning and prioritization. Companies will achieve the greatest cost savings by automating high-volume tasks that are time-consuming for humans.

The best way to begin a robotic automation program is to map a prioritized process end to end and identify potential streamlining opportunities. To determine whether a process is a good candidate for automation, first determine whether the process contains logical elements that can be programmed into a software solution. The ideal automatable process is repeatable, sustainable, and mature enough to provide ample institutional knowledge. Data availability is key. Ideally, data should be available in existing IT systems with little or no manual intervention. Finally, determine the business value of such an investment. The best processes to automate are those that would generate the highest amount of net resource savings (total expected process cost savings over a reasonable time horizon less investment). Processes can be ranked high, medium or low based on their ability to meet the above criteria and considering the risks of implementation.

Robotic automation is not immune to challenges. Some of the most common include:

  • Failure of executive ownership to drive cross-functional implementation
  • Failure to effectively manage or sustain the new system
  • Failure to effectively redeploy resources freed by automation
  • Failure in user acceptance

These challenges can all be addressed with effective program management, including a comprehensive change-management plan and user-acceptance testing to ensure that the software will perform as promised and will be utilized effectively.

In today’s fast-moving and increasingly connected global marketplace, companies need to evolve continuously to remain relevant and on the leading edge. Robotic automation is an increasingly significant strategy for achieving those goals. I’d be interested in reading about ways your organization either has, or is planning to, incorporate RPA and RDA. Feel free to share in the comment section below.