A New Tool for Fast Times: Continuous Risk Assessment

By Brian Christensen – Executive Vice President
Global Leader – Internal Audit and Financial Advisory Practice

Many internal audit functions work hard to complete one enterprisewide risk assessment each year and then plan, or hope, to rely on it for the next 12 months.

But what good is an annual audit plan that can be rendered obsolete almost overnight by new risks that we know are surfacing faster than the plan’s expected shelf life?

Richard Chambers, president and CEO of The Institute of Internal Auditors (IIA), in a recent article for Internal Auditor Magazine, called for the adoption of a new, continuous approach to risk assessment. I couldn’t agree more.

Audit plans need to evolve continuously, incorporating up-to-date information and assessments of potential risks as they emerge. There are several techniques that can be used to do this efficiently and effectively, but they must be embraced and practiced by the entire audit team. As Chambers emphasizes, a continuous risk assessment process can’t be executed by the CAE alone.

To adopt this new approach, Chambers recommends the following steps:

  • Identify key risk indicators (KRIs) – At the beginning of the year, identify KRIs and monitor them continuously, or at least periodically, throughout the year. KRIs can be linked to the results of the annual risk assessment or to risks that are known to be volatile. When anomalies appear in these KRIs, “red flags” should go up, triggering internal audit to evaluate whether risks are shifting and adjust coverage as needed.
  • Conduct “shoe-leather assessments” – This approach involves conducting risk assessment “by walking around.” As the name implies, auditors need to spend quality time with senior management leaders with the intent of learning about new risks as soon as management does. Though they may lack the structure of formal assessments, shoe-leather assessments can uncover vital new information that otherwise may skip detection. It’s imperative that the entire internal audit team develop relationships with all key executives – especially in large organizations with numerous business units – to ensure comprehensive coverage.
  • Establish a “bird’s-eye view” – Chambers recommends “setting your antenna as high as possible” to alert your organization as soon as possible about industry-wide changes, economic trends and other external factors. Practically speaking, this means attending professional association meetings and seminars and keeping current with industry publications, among other ways of seeing ahead of the curve.

Using these three approaches together gives the organization the best assurance of protection. They also work well with other key action steps recommended for CAEs in the most recent Common Body of Knowledge (CBOK) Study by The IIA Research Foundation, which echoes Chambers’s advice and urges organizations to develop a more responsive and flexible risk-based audit plan.

One way to help companies not just realize the importance of but fully embrace continuous assessment is to set new priorities and incentives for the audit team. In other words, make the identification of emerging issues a key performance responsibility for those who report to you directly.

CAEs are encouraged to discuss with executive management and the audit committee the need to make more frequent updates to the audit plan and establish a clear process to make changes to appropriately address emerging risks.

Businesses have improved their ability to manage risks and that’s great. Now it’s time for all of us to learn to do it faster.

Four Things to Know Before Your IPO

It is common sense that an uncertain global economy slows IPO activity, and yet the IPO pipeline is at near-record levels.

In the U.S. market alone, there were more than 270 IPOs priced in 2014, up 23 percent from the prior year. And total proceeds raised reached more than $85 billion, an increase of 55 percent compared with 2013.

My colleague Steve Hobbs, managing director of Protiviti’s Public Company Transformation solution, says that 2014 was one of the strongest IPO years in the last decade, fueled by legislation such as the JOBS Act, which was enacted in 2012 to help ease regulatory burdens on emerging growth companies.

The IPO appeal is immense. But what companies don’t know about the process can drive an offering off the rails in a hurry. Last November, Protiviti held a nationwide webinar highlighting key challenges and offering tips to help companies avoid common missteps. Some highlights from the discussion:

Challenge #1 – Investor Relations: Many companies underestimate the amount and intensity of preparation required, especially regarding the growing demand for transparency from regulators and shareholders.

Just how much is required? For Barracuda Networks, provider of cloud-connected security and storage solutions, the time from IPO process launch to its first public call in January 2014 spanned eight months.

The journey to public company readiness involves a complex array of tasks, deadlines and focal points that require significant time, effort and attention throughout the organization.

Among the many tasks Barracuda tackled: scheduling organizational meetings to educate management on operational metrics; staging a “test-the-waters roadshow” to meet with prospective investors and obtain their feedback; and even holding a full mock earnings call with syndicated analysts to practice interacting with the investment community.

Challenge #2 – Tone at the Top: Setting the proper tone at the top to encourage “buy-in” is a top priority.

Public companies operate in a fishbowl of public disclosure and regulatory compliance. Finance, at the center of IPO preparations, is usually well prepared by the end of the process; establishing a positive tone for compliance throughout the company, however, is the job of executive management.

Another one of my colleagues, Gordon Tucker, managing director and leader of Protiviti’s Technology, Media and Communication Industry practice, recommends promoting compliance infrastructure not just as a system of controls, but as a tool for growth and scalability.

Challenge #3 – Documentation: Establishing documented policies and procedures is critical for expansion.

Beyond the initial buy-in, Tucker also emphasizes the importance of developing and documenting processes to ensure consistency and sustainability across the organization. If you want to be able to scale, new hires should be able to handle transactions according to well established and documented procedures.

Challenge #4 – IT Infrastructure: It is critical to properly assess the organization’s IT readiness.

An organization’s ability to conduct accurate, timely and effective financial reporting and regulatory compliance hinges on the strength of its applications and systems infrastructure. The topics that need to be addressed in this arena include selection and implementation of an ERP system and scaling of IT processes and governance. And during a time when cyberattacks routinely make headlines, it is imperative to evaluate IT security and privacy.

When Protiviti meets with pre-IPO companies’ executive teams, we ask the CFO:

  • Do you know what assets you are trying to secure?
  • Is there somebody in your organization who is responsible for securing the enterprise?
  • Would you know if you were breached? And if you were, would you be prepared to respond in a timely manner?

If the answer to any of those questions is “No,” then it’s probably time to take a look at the IT systems from a security perspective.

The four points above underscore some of the key challenges of successfully executing an IPO. But they also show where proper preparation can boost the odds in your favor.

And I’ve only skimmed the surface here. For a more thorough analysis, check out the online version of our November 18 webinar entitled “It’s What You Don’t Know That Can Affect Your IPO.”

Jim DeLoach

Is Your Data Safe and Are You Sure?

by Cal Slemp, Protiviti Managing Director
Leader – Security Program, Strategy and Policy Practice

Data is the lifeblood of any organization, fueling nearly every aspect of operations. But with reports of cyberattacks and data breaches making headlines routinely, the question needs to be asked:

Is your business really safe?

There is no better time than now to assess whether you have the protections you want in place to protect your information and data and, equally important, whether your organization is prepared to respond to a crisis.

Protiviti professionals have performed data security fieldwork for decades, and Protiviti has formally surveyed the cybersecurity landscape for the past 3 years. We’ve identified recurring issues among organizations that threaten to compromise their data and privacy security. To best protect your organization, here are a few key safety measures:

  • Classify data. Not all data is made equal. Some is useful or valuable, and some is critical. Companies should identify their most critical data – the “crown jewels” – and classify it accordingly so its protection can be addressed first. Protiviti’s 2014 IT Security and Privacy Survey indicates developments in data classification that are both positive and negative: While more organizations are becoming aware of the concept of data classification (“don’t know” responses to the question whether the organization has a classification scheme and policy in place dropped almost in half), a full one-third of organizations surveyed admit they have not yet performed such classification. This is a rise from 20 percent in 2013. Let’s hope this high number is tied to the increased awareness and that these companies tackle the complex but important task of data classification soon. With a clear data classification scheme and policy, those companies will be able to identify types of data (sensitive, confidential, non-sensitive, public, etc.) and allocate security resources accordingly.
  • Only keep what you need. Companies should adhere to the principle “If you don’t need it, don’t store it.” Not only is retaining all data and records inefficient and costly, it exposes your organization to a greater security risk and liability. Instead, companies should “stratify” data based on importance and type and then assign appropriate retention periods for each “stratum” according to regulatory and legal requirements, as well as industry- or company-defined standards. What’s alarming is the increase in the number of organizations that fail to adhere to this practice. Seventeen percent of respondents to our survey acknowledged retaining all data and records without a defined destruction date – up from 9 percent in 2013.
  • Make sure your cloud is safe. Although relatively few organizations are currently moving sensitive information to the cloud, Protiviti’s survey did document a significant year-over-year jump in the use of cloud-based vendors: 8 percent versus 3 percent in 2013. By comparison, 64 percent of respondents said they store sensitive data on on-site servers. For those choosing a cloud-based service, it’s critical to focus on terms and conditions and understand the information security standards that will be used. Many companies are discovering that cloud-based vendors are holding more data than they were contracted to store, potentially escalating risk. A related focus must be to ensure that the physical processing and storage of specific sensitive data is done in concert with established data privacy regulations.
  • Minimize legal exposure with information security policies. In the United States, almost every state has data privacy laws that impose penalties on organizations that expose confidential data. Nearly all of these laws, however, provide for leniency if the organization that suffers a data breach had a written information security policy (WISP) and a data encryption policy in place. Naturally, these policies should be well-communicated and understood by your employees and business partners. The value of such policies, aside from reducing legal liability, is obvious. But shockingly, one-third of respondents in the 2014 Protiviti survey acknowledged not having a WISP, and 41 percent had no data encryption policy.
  • Perform regular fire drills. Even the most secure organizations cannot expect to prevent all breaches. That’s why it’s critical for a company to have a documented crisis response plan, in which everyone involved knows what to do, and the ability to implement this plan quickly in the event of a crisis or cyberattack. Organizations with robust security protocols involve various senior management members, including the CIO, in their crisis response planning to bring different critical perspectives to the process and ensure an effective response. Again, it’s troubling to note that only 56 percent of respondents in our 2014 survey said they had a crisis response plan. Best practice calls for an annual risk assessment and testing of the response plan every six months.

With high-profile breaches making headlines almost daily, it is becoming clear that a security incident is not a matter of “if” but rather, “when.” With so much at stake, isn’t it best to be prepared?

Author’s note: I want to thank SingleHop for providing information to us as part of National Cybersecurity Awareness Month (NCSAM) in October. For more information, visit www.singlehop.com.