IT Controls for Tech Startups? Yes, It’s Possible.

Steve Hobbsby Steve Hobbs, Managing Director
Leader of Protiviti’s Public Company Readiness Practice




For cutting-edge tech companies focused on not just staying ahead of but shaping the technological curve, compliance issues are hardly a top priority. In fact, it is common for these companies to treat the subject with disdain, and view it as running counter to a tech startup’s innovative, entrepreneurial and fast-paced culture.

Placing compliance on the back burner, however, can be costly, especially as a company grows its customer base or considers an initial public offering (IPO). A lack of IT controls not only could disrupt filing deadlines and cause headaches at audit time, it can also turn away cloud providers’ customers who themselves have to prove the presence of controls to their auditors.

Consider this:

  • Public companies are required to establish effective IT general control (ITGC) frameworks to comply with the Sarbanes-Oxley Act. This includes areas such as change management, data quality/governance and disaster recovery.
  • Cloud and other service providers increasingly are being asked to provide Statement on Controls (SOC) reports for the IT general control frameworks associated with their customer-facing systems environments.
  • The Public Company Accounting Oversight Board (PCAOB) and the new COSO framework have introduced requirements for financial controls assessment and increased scrutiny of ITGC frameworks and IT risk management.

In the face of these demands, what is a tech startup to do? Many find themselves halting development activities and backtracking to provide adequate evidence of approvals and other controls to audit teams. This is a time-consuming and disruptive process that can cause frustration and, in the end, may still fail to satisfy external auditors and customers.

A better approach is to move away from traditional control checklists and templates to a more flexible ITGC framework compatible with innovative software development practices. By matching the controls environment to their non-traditional business practices instead of vice versa, tech companies can strengthen controls and achieve compliance objectives without compromising flexibility, speed, drive and ingenuity.

Two strategies towards building this new framework are process rationalization and agile activity alignment.

  • Process rationalization: Companies can reduce process redundancy (rationalize processes) by aggregating similar but unconnected processes used by different teams under common control activities, which leads to more centralized controls and reduced time in applying them. This is especially true in areas such as software development and access management.
  • Agile activity alignment: In agile software development, approvals could be shifted to the end of each development iteration rather than at every sequential development phase. This ensures control while cutting down on administrative effort that doesn’t contribute to the production of quality software.

Is your company feeling the pressure to put better ITGC controls in place? Asking the following questions should help you get started:

  • What systems and processes are in scope for the purpose of your compliance audits (SOX or SOC)?
  • What areas are in need of additional controls?
  • What existing activities can be used to mitigate key risks?
  • What alternative approaches can be used to mitigate key risks?
  • What is the future-state vision for your controls framework (generating a backlog of improvements, leveraging automated activities, etc.)?

Customers demand speed, agility and assurance, and regulators demand formalized controls. Emerging tech firms can meet these demands without hampering their speed and innovation using out-of-the-box thinking and the approach we outlined here.

What control challenges does your tech company face? Let us know in the comments.

COSO 2013 Framework Adoption – Strong So Far …

Implementing the updated Committee of Sponsoring Organizations (COSO) Internal Control – Integrated Framework (Framework) during 2014 was an important endeavor for many public companies in their efforts to comply with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX). As background, the Securities and Exchange Commission (SEC) requires companies to use a “suitable framework” as a basis for evaluating the effectiveness of internal control over financial reporting (ICFR), as required by Section 404. The COSO Framework meets the SEC’s criteria for suitability.

COSO has indicated that it no longer supports the original version of the Framework released in 1992 and considers it to be superseded for years ended after December 15, 2014, by the updated version of the Framework completed in 2013. Accordingly, it is just a matter of time before all companies use the revised Framework in conjunction with their annual evaluations of ICFR.

A strong majority of organizations have adopted the revised framework “on time,” with a handful of early adopters leading the way. For almost 1,900 annual reports with fiscal year ends after December 15, 2014, (the date COSO announced its cessation of support of the original 1992 Framework) filed through March 4, 2015,[1] 80 percent had transitioned to COSO 2013. Of the remaining 20 percent:

  • 75 percent (or 15 percent of the total filings) reported their continued use of the 1992 Framework.
  • 25 percent (or five percent of the total filings) did not identify the version of the Framework they used.

It is possible that some of these latter filers may have transitioned to the 2013 Framework and did not disclose they had done so because the transition period had run its course and, therefore, the parenthetical disclosure in the internal control report was considered by these filers to be unnecessary. That said, if any of these filers continued to use the 1992 Framework, their lack of disclosure in their internal control report could pose a concern for the SEC staff. Bottom line, any way the data is cut, we can report that a strong majority of filers have transitioned to the 2013 Framework. As we will report in April in an issue of The Bulletin, for most of these companies the level of effort in consummating the transition was manageable.

The implications of the “on time” transition rate to companies that still must complete their transition is clear. They need to get on with it. We are confident that the strong majority of companies who have transitioned successfully and their experience in consummating the transition process will ensure that the SEC staff will not provide a “free pass” for year ends after December 15, 2015, except perhaps in the most extreme circumstances.



[1] As reported by Audit Analytics® through its internal controls management report and audit report database, available by subscription (

New Protiviti Study – Assessing the Top IT Priorities for 2015

Protiviti has released another major research report today – this one details the findings from our annual IT Priorities Survey of CIOs and IT executives and professionals.

Infographic-2015-IT-Priorities-Survey-Protiviti We’ll be exploring some of the key themes that came out of this study, including cybersecurity concerns, in the weeks ahead. For now, I invite you to view our video and infographic here. Please visit our survey landing page for more information and a downloadable copy of our report:







Eliminating Blind Spots: Shifting Risk Focus from Technology to Business

Ed Page - Protiviti ChicagoJonathan WyattBy Ed Page, Managing Director, FSI IT Consulting Practice Leader, U.S.

and Jonathan Wyatt, IT Consulting Practice Leader, UK


Most organizations are critically dependent on technology to operate in the modern world. For these organizations, technology risk management often becomes a one-dimensional exercise: an obsession with the technology rather than the business it supports.

Consider an IT-centric metric such as “99.9 percent server availability.” The metric sounds interesting, perhaps even impressive, but it is insufficient on its own. What is critically missing is a business risk management perspective: What are the potential business consequences of the 0.1 percent of the time the server is unavailable? This is the question that really needs to be answered.

Comprehensive, detailed assessment of risks requires aligning technology risk management and business risk management. Achieving this goal is not easy, but it is essential to establish a transparent and understandable link between the two elements to better achieve company objectives.

The general steps required to achieve an effective alignment of the two perspectives include:

  • Identification of key business services
  • Mapping of IT services to business services
  • Monitoring, measuring and managing the risks this process identifies

Take, for example, a major global bank that spent significant time identifying, managing and massaging its technology risk factors. Its efforts focused singularly on incidents, by tackling questions such as: How many incidents occurred? What was their duration? How long did it take IT to recover from the incidents?

But a different exercise – refocusing efforts on the success rate of completing transactions instead of the incidents impacting availability of the system – led to surprising insights. Though the reduction in incidents was helpful, the bank discovered that planned maintenance windows, which temporarily prevented transactions from occurring, had a greater impact on the number and success of online transactions. Immediately, the bank’s IT function redirected efforts to reduce the number and duration of the maintenance windows. This resulted in redesigned architecture and practices, which yielded a positive effect on transaction success rates.

As illustrated by the bank’s initial attempt, a misaligned technology risk approach often yields isolated and less-impactful results. Instead, by starting with the examination of a business service and working backward to IT, companies can identify and quantify risks that were more relevant to business success.

Some key signs of misalignment companies should watch for are:

  • Technology risk reporting that is performed for reporting’s sake or seen as a compliance exercise
  • Technology risk metrics expressed solely in IT terms (e.g., server or network availability, number of incidents)
  • Confusion about prioritization of IT investments

As companies begin to work toward alignment, it is important to remember that the process may take time. Misalignment is so prevalent because it runs deep and is often embedded into IT organizational processes and habits. Fixing this requires patience and organizational fortitude.

Once implemented, however, risk alignment not only leads to operational efficiencies, but yields other positive byproducts, such as facilitating IT funding requests. Budget increase requests tied to improving specific or critical business operations are likely to be considered more seriously than requests for general IT asset improvements.

Ultimately, alignment of IT and business needs leads to a more nimble organization that is better equipped to manage emerging technology risks and support innovation vital for success.

Top Risks for 2015 – Are You Asking the Right Questions?

Companies need useful information to stay abreast, if not ahead, of critical issues looming on the horizon and to prepare for potential opportunities and adverse scenarios. The third annual Executive Perspectives on Top Risks survey, published by Protiviti and North Carolina State University’s ERM Initiative last month, provides just such intelligence. I’d like to highlight the key findings once again because they are informative of the perspectives at the top and the direction in which executives are likely to direct risk management inquiries, effort and resources in the near future.

Globally, more than 275 board members and executives from a variety of industries participated in the survey, which was conducted in person and online in the fourth quarter of 2014. Each participant was asked to rate 27 risks of macroeconomic, strategic and operational nature and assess their potential impact over the next year.

Top issues? Regulatory scrutiny, economic uncertainty, and cyberthreats – not a great surprise.

Interesting among the key findings is an overall perception, based on survey results, that the global business environment in 2015 is somewhat less risky compared the past two years. This, however, doesn’t diminish the significant risks that exist today – or the need for vigilance. Respondents indicated increased likelihood in 2015, compared to both 2014 and 2013, for their organizations to invest additional resources toward risk management, reflecting a rise in expectations for a more effective risk oversight.

The top five risks concerns for 2015, according to the survey, are:

  • Regulatory change and heightened regulatory scrutiny – This continues to be the top overall risk for the third consecutive year for most organizations.
  • Economic conditions in domestic and international markets – While stabilized at 2014 levels, this risk is again highly ranked as uncertainty still exists.
  • Concerns about cyberthreats disrupting core operations – With little surprise, this risk is now a top-five concern for 2015, as well as the top operational risk overall and for the largest organizations.
  • Succession challenges and the ability to attract and retain talent – This risk made the top-five risk list for all sizes of organizations. This is likely due to a tightening labor market and a resulting perception among respondents that their organizations might experience significant operational challenges if they can’t attract and retain a workforce with the skills needed for growth.
  • Organization’s culture not supporting timely risk identification and escalation – This risk was introduced in the survey this year and was recognized as a top-five risk concern right away.

Other critical risks outside of the top five – but trailing closely – included:

  • Lack of resilience – Resistance to change may restrict an organization from making necessary adjustments to its business model and core operations.
  • Privacy and security risk – Ensuring privacy/identity management and information security/system protection may require significant resources.
  • Inability to manage a crisis – Organizations may not be sufficiently prepared to manage an unexpected crisis significantly impacting their reputations.
  • Customer loyalty/retention risk – Sustaining customer loyalty and retention may be increasingly difficult due to evolving customer preferences and/or demographic shifts in the existing customer base.
  • Performance gap risk – Existing operations may not be able to meet performance expectations related to quality, time to market, cost and innovation as well as competitors.

One interesting fact the survey revealed is that board members, CEOs and other members of the executive team hold differing views of the top risks facing their organizations. These findings suggest there is a strong need for dialogue among key stakeholders to ensure there is agreement within the organization about the emerging risks that need to be tackled.

To evaluate their risk assessment process effectively, leaders of organizations need to ask themselves questions such as:

  • Is management evaluating changes in the business environment to identify new risks?
  • Is the board sufficiently involved and aware of the most critical risks?
  • Are risks evaluated in the context of strategy and are they a key consideration in decision-making?
  • Does the organization’s risk culture encourage an open, positive dialogue on identifying and evaluating opportunities and risks?

Indeed, asking the right questions in a timely and periodic manner is the central difference between organizations that implement a proactive approach to risk management and those that respond with too little, too late in the face of impending disaster.


Protiviti’s Practice Leaders Discuss the 2015 Audit Committee Agenda

I recently wrote about the publication of Volume 5, Issue 9 of The Bulletin, which focuses on setting the 2015 Audit Committee Agenda. Response to this piece has been tremendous and I wanted to remind anyone interested in a deeper dive to check out our free webinar from February 10, where two of our leaders in the internal audit and financial advisory (IAFA) practice, Brian Christensen and Dave Brand, and I had the privilege of addressing these issues.

Navigating a constantly evolving business environment means setting clear priorities and establishing a risk management framework that asks the right questions at the right time to yield effective risk response solutions. The webinar emphasizes the importance of finance and audit functions going beyond their traditional roles to become true strategic partners. It also discusses the impact of technology and the audit committee’s responsibility to understand it better.

As I said in the webinar, it is important to demonstrate a bias toward action. In addition to communicating the top risks, management needs to articulate who owns the risks and the strategies for mitigating the risks. If the audit committee is chartered to oversee risk, it should expect these communications from management. If another committee is so chartered or the responsibility falls on the full board, the expectation of management still applies.

The rapid rate of change in today’s business environment demands that the audit committee review the organization’s risk profile at least annually. Ideally, this evaluation should be supported by an updated risk assessment by management. For the most significant risks – for example, the cybersecurity issues that captured headlines in 2014 – either the audit committee or another appropriate committee tasked by the board should ensure that the company has appropriate action plans in place to address them.

Another critical responsibility for the audit committee is to oversee the capabilities of the finance organization and internal audit to ensure they can deliver to expectations. Brian Christensen, a member of our executive team and global leader of IAFA, recommends a holistic approach that goes beyond the traditional “rearview” financial reporting. Rather, companies should strive to develop forward-looking financial analyses, enterprise level processes and technically proficient staff that is well-versed in new technologies, communication/collaboration and regulatory compliance.

This can be challenging, because many audit committee members were chosen for their backgrounds in finance, and may not possess the technical expertise to understand technology risks. To address this, Dave Brand, who leads our global IT audit practice with IAFA, recommends avoiding the technical aspects of technology and focusing the discussion on specific operational or strategic threats or advantages tied to key technologies. Dave urged effective dialogue around these issues, over the fear-mongering that has dominated the discussion of cyberthreats lately. His point is that this conversation should be a business discussion.

Perhaps most important, it is imperative for the audit committee to pay attention to risk culture to address the risk of dysfunctional behavior undermining risk management and internal control. When issues are identified, for example, does management follow up in a timely fashion to address control deficiencies? Is the board always surprised by risk incidents? Does the organization lack timely board involvement in decisions involving significant risk?

Undoubtedly, 2015 will pose interesting challenges. By adopting a proactive philosophy and managing change, the audit committee will be better positioned to steer the company toward success. I hope this webinar will help in clarifying your agenda during this forthcoming year.


Protiviti Is One of the 2015 Fortune 100 Best Companies to Work For – Wow!

I want take a moment to divert from our usual commentary and share some great news that I am very excited about.

How many people out there do you know who would readily say they like their boss, love what they do, and feel they are treated fairly by their employer? Whatever your answer to this question, this is what our employees overwhelmingly told the Great Place To Work Institute, the organization that conducted an anonymous survey among randomly chosen Protiviti employees last year. I couldn’t be more proud of what I heard. And I couldn’t be more pleased that, as a result of the survey, Protiviti made the 2015 Fortune 100 Best Companies to Work For list!

This wonderful and well-deserved acknowledgement reminds me once again what talented, enthusiastic and dedicated professionals we have here at Protiviti. Ninety-six percent of our people said they are proud to work here. I want to believe this is because of the great care our organization takes to ensure our people are professionally challenged, respected, rewarded and given opportunities to grow, both personally and professionally.

Now, I know we’re not perfect, but I also know that no one on the planet is, either! In fact, my experience is that the very best organizations are quite tough on themselves and are never satisfied. And here at Protiviti, we, as an organization, are constantly striving to improve how we challenge and reward our people and create memorable experiences for everyone.

For example, at Protiviti, we take work-life balance and helping our communities seriously. In the consulting business, this sounds almost like an oxymoron, but 83 percent of our people said they feel encouraged to balance their work with their personal lives, and 92 percent said they are able to take time for personal matters, including personal growth and volunteering, when needed. This is a big deal at Protiviti. We encourage personal responsibility for achieving the work-life balance that works best for each person. It is this deep respect for our people as individuals, not just as cogs in a wheel, that makes this vital balancing act work.

We also encourage and support professional growth. Eighty-eight percent of our employees report that Protiviti often or almost always provides needed training, fair promotions and personally challenging work. Another nine percent report the company sometimes provides these opportunities, for a combined positive rating from 97 percent of employees in the “Great Challenges” category of the survey. Add the open communication and accessibility among the ranks and the support and mentoring that result from that, and you have an organization that keeps everyone in touch with what’s relevant in the marketplace and to their careers. These, I believe, are some of the factors that underlie the confidence and positive spirit of our professionals – and translate into exceptional work for our clients.

People often ask me why I’m still as active as I am. The answer is simple. I enjoy the people I work with and the clients we serve! So I’m not surprised that 88 percent of our employees say they often or almost always enjoy their colleagues and find their workplace to be fun and cooperative.
See what else our employees said at

Thanks for allowing me to share these exciting results. What do you think makes a company a great place to work?