Some Interesting News from Australia – New Rules Boost Internal Assurance for ASX-Listed Companies

By Mark Harrison
Managing Director, Protiviti Australia


Editor’s note: This post was published originally on Work Life, a website and blog from Robert Half Australia. We thought this news about new internal audit requirements for publicly listed companies in Australia would resonate with companies in other countries, including the United States. (The NYSE has a similar requirement for its listed companies.)

Stronger Corporate Governance
From July 1, 2014, listed entities will disclose if they have an internal audit function, how it is structured and what role it performs, as per Recommendation 7.3 of the 3rd edition of the ASX Corporate Governance Principles and Recommendations.

The Recommendation further states that if the entity does not have an internal audit function, it should disclose that fact and the alternative processes employed for evaluating and continually improving the effectiveness of its risk management and internal control processes.

These new disclosures will deliver a long-overdue boost to the governance standards of approximately 1,800 Australian companies that have yet to embrace the assurance that internal audit provides.

The New York, UK, Hong Kong, Singapore and Malaysian stock exchanges have for many years either obliged listed companies to have an internal audit function or required a relevant disclosure in their annual report. Market regulators insist on this for the simple reason that internal audit enhances shareholder protections and is a fair quid pro quo for the privilege of raising capital from the public.

Internal Audit Is an Indicator of Corporate Health
Many institutional and other sophisticated investors view the existence of an internal audit function as an indicator of the health and stability of the company.

Why? Because internal auditing is an essential element of good corporate governance. It’s an independent assurance process that helps companies improve their operations by ensuring there are effective risk management and controls in place to identify and mitigate problems before they escalate and to take advantage of new opportunities. Companies that disclose a solid internal audit function will therefore inspire greater market confidence and enhance their attractiveness to investors.

Most well-resourced companies at the ‘big end of town’ already have an internal audit function because quite apart from being good for governance, it adds value to the business. However, for the remaining 1,800 or so companies below the ASX 300, internal audit is still practically non-existent.

Implementing an Internal Audit Function
In many cases, it would not be cost-effective for a smaller company to establish a dedicated internal audit function. Fortunately, other competitive options are available.

Smaller companies could embrace a shared service model where two or three companies split the cost of an internal auditor, an approach which is common in the government sector. Another option is to outsource to an internal audit consulting firm.

Importantly, to safeguard the quality and integrity of their internal audit reviews, companies engaging an internal audit service provider should always insist that their internal auditor apply The Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of Internal Auditing. These are the only globally accepted standards for internal audit work and represent professional best practices.

Companies should be wary of service providers who use accounting standards or their own internal manuals to perform internal audit work. These references are simply not appropriate for internal audits and risk compromising the quality of the audit.

Applying the IIA’s internal audit standards guarantees that the work will be robust and that company directors and executives will receive reliable and objective information to improve their business processes.

Stand Out From the Crowd
There are many benefits in adopting an internal audit function and in making a quality internal audit disclosure. For smart operators in the small-to-medium company sector this is an excellent opportunity to positively differentiate themselves and to make an impression on investors seeking a more stable, sustainable investment.

Reflecting on the Fourth Anniversary of the Dodd-Frank Act

Carol M. Beaumier, Executive Vice President, Protiviti


Protiviti’s quarterly financial services industry newsletter, FS Insights, has tracked the progress and reflected on the merits of the Dodd-Frank Act since its passage four years ago. After four years, we remain left with more questions than answers. Nearly half of the required rules still are not final. Debate continues about the impact of the law.

In our latest issue, we look at notable regulatory developments, such as the Federal Reserve’s approval of a final rule implementing the enhanced prudential supervision standards of the Dodd-Frank Act and the Office of the Comptroller of the Currency’s proposed guidelines for heightened governance standards for banks with assets greater than $50 billion. We posit whether the regulators might have been able to effect significant change without Dodd-Frank, since most would agree that financial institutions with strong risk management, adequate capital and sufficient liquidity are not likely to fail.

You’ll find the newsletter and the Protiviti Dodd-Frank diagnostic tool on our website. This complimentary online tool helps banking, broker-dealer and mortgage companies to identify quickly the parts of the Dodd-Frank Act that are most relevant to their business. I encourage you to subscribe to the newsletter, check out our diagnostic tool, and provide any comments or responses here.


IT Risks Are Prevalent – Do You Have Enough IT Audit Coverage?

By David Brand
Managing Director – Leader, IT Audit Practice



IT risk is everyone’s problem. By “everyone,” we mean the board of directors, senior management, process owners and internal auditors. Internal audit departments play a critical role in ensuring that mitigating processes and procedures are in place and working effectively to manage the organization’s risks. An alarming number of organizations, however, are not maximizing the input internal audit can have in helping to manage their IT risks. This neglect results in incidents that embarrass the top of the organization, the CIO organization and the owners of affected processes.

With the rapid evolution and propagation of social media, cloud and mobile technologies, IT departments are often stretched to their limits. Under pressure to implement, it’s easy to miss vulnerabilities and potential security breaches.

Examples – such as the website launch debacle and any number of corporate mea culpas regarding security breaches exposing customer financial data – illustrate vividly how quickly a glitch or vulnerability can escalate from an IT problem to a critical business problem and a huge reputational risk.

When it comes to IT audit programs and practices, our annual IT Audit Benchmarking Survey consistently reveals that organizations leave themselves significant room for improvement. Too many fail to plan and institute the IT audit coverage necessary to ensure an available, secure and efficient IT environment.

Furthermore, some organizations don’t house their IT audit resources in their internal audit departments, and others lack such resources entirely. We have found that just 1 in 4 companies have an IT audit director or someone in an equivalent role focused on technology risks.

I could say a lot on this topic, but our benchmarking survey provides a much more thorough and detailed analysis. I encourage you to read it. For now, let me close with five key questions that every CEO and audit committee member should be asking about their organization’s IT audit capabilities:

  1. Is our internal audit function performing an effective IT risk assessment at least once a year, and are people who are knowledgeable about infrastructure, applications and IT involved in the process?
  2. Has our internal audit team reviewed the COSO (2013 update) and COBIT 5 frameworks, and are our audit plans based on those recognized policies and practices?
  3. Does our IT audit team have a clear understanding of our organization’s short- and long-term IT objectives?
  4. How do we quantify our IT risks? What industry benchmarks and best practices are used?
  5. Does our IT audit risk assessment process coordinate with other risk assessment areas, including financial, operational and compliance?

As with any growing or rapidly changing risk, it is important for organizations to stay ahead of the risk management curve – and make this a sustainable effort.

For more about Protiviti’s IT Audit Benchmarking Survey, watch our video. I also invite you to see how you rate in auditing your IT risks at

Cybersecurity at the board level: Is your intellectual property and sensitive information leakproof?

In my line of work, I have the pleasure of talking to boards of directors and C-Level executives all over the country. I’m often impressed with their commitment to their enterprises, their keen intelligence, their professionalism and their drive. But I’m frequently stunned to see organizations without a process and control environment for protecting their intellectual property online. Of particular interest, board communications are among the most vulnerable.

Too many organizations treat emails, stored internal document files and social media communications as operational exceptions to otherwise tight cybersecurity framework rules. In fact, Thomson Reuters Accelus pointed out in its annual Board Governance Survey that more than 75 percent of organizations “utilize unsecure, personal email accounts to distribute board documents.” And barely half ensure these communications are encrypted. In this day and age, I call that a “wow!”

Board books, in particular, are almost 70 percent bigger than they were just a couple of years ago, according to some estimates, and more than half of companies produce them digitally. We all realize the importance of saving trees and “going green” but, having said that, we also know that confidential information is included in these books. Interestingly, the number of companies that distribute them electronically has dropped of late.

Things are changing for the better. Thomson Reuters Accelus also reported that 52 percent of organizations use board-only portals to share sensitive board information. Another encouraging trend: More organizations are providing their boards with secure mobile devices for board communications.

I call that good news because protecting sensitive information is getting harder every day. We pointed out in an issue of our Board Perspectives: Risk Oversight newsletter that despite the U.S. Securities and Exchange Commission requirements to disclose cyberattacks, reported attacks are just the tip of a vast iceberg. And cybercriminals are using ever more sophisticated means to gain control of online information. Simply stated, they are playing for keeps. We know that because Protiviti helps companies all over the world assess and manage these growing threats.

For boards of directors, as well as any other level of the organization seeking to secure its data and communications, an approach toward security that focuses on information governance is critical. This fosters cross-organizational collaboration and structured policymaking. That kind of team approach is vital to managing the risk of cyberattacks on board documents; it seems perfectly tailored to the less-than-structured and flexible approach so many companies now take to their board communications.

Protiviti employs a number of content management measures, including document locking on our online intellectual property. Others have been known to go so far as to embed user verification codes that cause documents to electronically “shred” themselves if opened by an unauthorized user. Some swear by this kind of digital rights management. Others have found it cumbersome to the extreme. This is challenging in the board environment, as directors and executive teams like to keep things simple.

What do you do to protect your board communications and intellectual property and sensitive information online? Share your thoughts in the comments below.


The Future Auditor: The Chief Audit Executive’s Endgame

by Brian Christensen
Executive Vice President – Global Internal Audit, Protiviti


In a recent issue of The Bulletin, we discuss Protiviti’s future auditor vision. This is something about which I am particularly passionate, as I think it speaks on many levels to how internal audit executives can make a difference in their organizations.

The future auditor is a CAE who is (a) positioned to be objective with regard to operating units, business processes and shared functions, (b) vested with a direct reporting line to the board of directors, (c) recognized throughout the organization as a positive change agent, and (d) recognized by executive management and the board as a valued sounding board in safeguarding the adequacy and effectiveness of activities that really matter to the organization’s success.

We have long supported The IIA’s definition of internal auditing. The future auditor vision is all about taking concrete steps toward making the future state envisioned in The IIA definition a reality. We believe that executive management and boards of directors’ expectations of the internal audit function continue to rise. Therefore, CAEs must continuously upgrade their capabilities to keep pace with these higher expectations and add value.

I encourage you to read our issue of The Bulletin and learn more about the 12 ways the future auditor can contribute value.

As part of our ongoing efforts to advance the internal audit profession, we will continue to discuss the future auditor vision in our blogs and welcome your input. And later this month, look for Internal Auditing Around the World: Building on Experience to Shape the Future Auditor.