3 “Musts” for Rapidly Growing Companies – A Conversation with Lumosity and Oracle

By Steve Hobbs, Managing Director
Protiviti’s Public Company Transformation practice

Earlier this month, I had the pleasure of sitting down with Tyler Chapman, Director of Finance at Lumosity, and Jeff Henley, Oracle’s Executive Vice Chairman, to discuss the challenges that rapidly growing companies face, and what these companies, such as Lumosity, can do to handle these challenges successfully. Our entire conversation will be available as a webinar in the fall. For now, I’d like to share with you the top 3 takeaways from our discussion:

  1. Address the finance function. When a company is experiencing fast growth, as Lumosity has in recent years, it’s pretty common for the supporting functions, such as finance, to lag behind the rest of the business. To properly address this challenge, leadership must answer these questions:
    • When do we start dedicating resources and funds to building out the finance function?
    • How do we efficiently build out the finance function so that it is effective in supporting the business now and has the ability to scale with the business in the future?
  2. Implement an effective technology solution. Companies must choose an enterprise resource planning (ERP) platform and other technology applications that will be able to scale with the growth of the business and be able to handle complex challenges. This technology must be able to work with existing systems for a streamlined approach.
  3. Prioritize and plan. There are many “make-or-break” decisions to be made throughout the growth process. It is important to logically prioritize foreseeable challenges and have a plan to address each one.

This is only a glimpse of the expertise shared in our discussion. To hear more from these experts, join us for a webinar on August 25 at 10 a.m. PST (1 p.m. EST). To learn more about future events and webinars, subscribe to our IPO Insider newsletter.

The Renaissance of the Chief Compliance Officer: An Artist and a Scientist

By Carol Beaumier, Executive Vice President and Managing Director
Protiviti’s Regulatory Compliance Practice

The Renaissance man, in the traditional sense, was adept in many different fields. Think Leonardo Da Vinci – a painter, sculptor, architect, scientist, musician, mathematician, engineer, inventor and anatomist. Fast forward to today’s financial services world, and the Renaissance man is enjoying a rebirth in an unlikely place – the risk and compliance industry. It is not every day that compliance managers are compared to Renaissance men, but if you read Protiviti’s newest publication, The Art & Science of Compliance, you will understand why today’s chief compliance officer (CCO) should be perceived as exactly that.

For one, the modern CCO needs to be a highly learned and skilled performer – an artist and a scientist – who interprets, understands and complies with the myriad technical requirements of laws and regulations – the science of compliance. This artist also needs to be a visionary, peering forward into risks that haven’t yet fully emerged, and engaging in top-level discourse with the board and management to help steer the organization in the right direction.

Long gone are the days when CCOs were primarily responsible for writing compliance policies and procedures. The role of the compliance officer is expanding rapidly, and this has broadened the range of skills required to become an effective head of compliance. Robust risk management capabilities and technological know-how are essential skills, but the modern CCO also needs to be proficient at developing and maintaining strong relationships with internal and external stakeholders – relationships as vital as those between Renaissance artists and their sponsors. No compliance officer can practice his or her art successfully without this support.

I highly recommend you read the publication for yourself, but here are the trends surrounding the role of the new, “Renaissance CCO” I find the most interesting:

  • Increased oversight with more than a hint of acumen
    • Compliance requirements and supervisory scrutiny have surged, especially in the area of consumer protection. Compliance officers are increasingly being asked to look beyond technical compliance with new rules to address more broadly whether acts or practices are unfair, deceptive or abusive.
    • Compliance officers are also expected to be aware of Bring Your Own Device (BYOD) policies and employees’ use of social media and keep an eye on the new privacy and consumer protection risks that stem from these activities.
  • Technological involvement and know-how
    • The many recent regulatory changes are placing a burden on legacy systems and necessitating technological upgrades. As a result, compliance officers are increasingly involved in the technology change process to ensure that all legal and regulatory risks are addressed.
  • A seat at the leadership table
    • Regulators are demanding that compliance be managed as part of an integrated risk management framework – independent of the business and with clear access to senior management and the board of directors. This requires compliance officers to embrace a more visible and vocal role at the top of the organization.
  • Doing a lot more with less
    • Compliance officers are expected to cover a much broader set of compliance requirements than before with the same, or fewer, technological and personnel resources. CCOs with the skills and competence to handle this mounting pressure are in short supply, and firms are competing heavily for talented individuals to join their compliance functions.

Ultimately, the CCO’s job has become that of a compliance spokesperson and critical decision-maker who occupies an important seat at the leadership table. Getting that seat requires modern CCOs to become true, versatile, resourceful and outspoken masters in the art and the science of 21st century compliance.

I am interested in your thoughts on this topic. You can access the Art & Science of Compliance Spring issue here. While there, I also recommend the in-depth discussion with Chetan Shah, a director in our Charlotte, NC office, on AML transaction monitoring – a necessary, but often ineffective, component of an AML compliance program, and the highlights section which in this issue sheds light on consolidated mortgage origination disclosures as well as debt collection.

Cybersecurity Capabilities: Jordan Reed Answers Questions from our Internal Audit Capabilities and Needs Survey Webinar in March

By Jordan Reed, Managing Director
Internal Audit and Financial Advisory practice

More than 800 chief audit executives and audit professionals from around the world participated in Protiviti’s 2015 Internal Audit Capabilities and Needs Survey. Our subject-matter experts discussed the results in depth in a March 24th webinar, From Cybersecurity to Collaboration: Assessing the Top Priorities for Internal Audit Functions.

We received so many questions from webinar attendees that we were unable to address them all within the allotted time. A number of those questions centered on cybersecurity. Jordan Reed, a managing director in Protiviti’s Houston office, answers those questions here:

Q: Do you typically see cybersecurity risks discussed with audit committees, or would that be better situated at the board risk committee?

A: I see both, although more frequently at the board level. Some companies have risk committees that focus specifically on areas like technology and other emerging risks, and cybersecurity certainly fits within that scope. Others provide education, current events and hot topics for the full board, and cybersecurity almost always finds its way onto that agenda. If the board delegates its risk oversight responsibility to the audit committee, then that committee may oversee the management of cyber threats. To the extent cybersecurity has been included in an internal audit risk assessment or internal audit, the topic and results would obviously be discussed with the audit committee versus the entire board. Additionally, any security breach that required a public disclosure would certainly be discussed with the audit committee. So you can see, there is no one-size-fits-all approach.

Q: Can you provide more information about The IIA’s GAIT framework?

A: The best answer to this would come from The Institute of Internal Auditors’ website:

“The IIA’s General Assessment of IT Risk (GAIT) series describes the relationships among business risk, key controls within business processes, automated controls and other critical IT functionality, and key controls within IT general controls. Each practice guide in the series addresses a specific aspect of IT risk and control assessments.

The IIA classifies GAIT as recommended guidance under its international professional practices framework (IPPF). GAIT practice guides include:

  • The GAIT methodology: A risk-based approach to assessing the scope of IT general controls as part of management’s assessment of internal control required by Section 404 of the Sarbanes-Oxley Act.
  • GAIT for IT general control deficiency assessment: An approach for evaluating whether any ITGC deficiencies identified during Section 404 assessments represent material weaknesses or significant deficiencies.
  • GAIT for business and IT risk: Guidance for helping identify the IT controls that are critical to achieving business goals and objectives.”

Q: Does increasing board engagement with cybersecurity require a more technically astute appointee, similar to members with finance backgrounds, so the severity of threats can be better understood?

A: We are seeing a lot of organizations starting to move in that direction. As you might expect, this has been especially true for organizations with a greater concentration of “crown jewels,” such as personally identifiable information — financial services, retail and healthcare companies, for example.

Q: Should cybersecurity be addressed within the organization’s audit charter?

A: Yes, it is already covered in most of the charters I see, in the “Responsibility” section of the Internal Audit Activity Charter. I typically do not see cybersecurity specified at that granular of a level, but it is covered within the overall responsibilities of the internal audit function.

Please see Protiviti’s 2015 Internal Audit Capabilities and Needs Survey Report for additional insights on cybersecurity and other topics.

GRC Platforms: Harmonization or Hegemony?

By Scott Wisniewski, Managing Director
Leader, Protiviti’s Risk Technologies practice

Governance, risk and compliance (GRC) technology integrating multi-stakeholder requirements on a single platform is often held out as the holy grail of GRC – especially by GRC vendors. Nevertheless, we’re still seeing many companies combine ERP platforms, such as Microsoft SharePoint, with multiple GRC point solutions to effectively manage compliance.

The question is, should companies be investing in a single platform to develop a more aggregated picture, or are there more significant benefits to using multiple custom point solutions to support GRC efforts?

At the recent GAM conference in Las Vegas, one of the speakers mentioned that he uses a single GRC platform from a certain vendor to support multiple efforts. The speaker said the software required his company to harmonize processes, propounding this as a benefit and noting that many of the GRC platform providers advocate process harmonization in order to make best use of the platform.

But GRC is a big tent, and just because two different stakeholder groups within an organization are doing some type of GRC-related effort, that doesn’t mean the data set required for one group is going to be relevant to another.

Similarly, the frameworks and methodologies used to assess and evaluate assurance often vary, depending on the subject matter and even on localized factors, such as the regulatory requirements of the countries the company operates in. Other factors that may prevent key stakeholders from collaborating on the same platform include the inability to sync across all groups or to support the onboarding of new groups, additional software licensing requirements, project phasing, etc.

This begs the question: While convergence on a single platform sounds right, is it optimal in all cases, or may it be more advantageous to use the same platform when such synergies actually exist, while allowing different stakeholder teams to pursue solutions tailored to the unique GRC elements of their specific disciplines?

For single or synergistic department GRC efforts, implementation of point solutions – especially using SaaS deployment models – can often be more cost-effective and efficient than attempting to onboard all stakeholders on the same platform. For larger, multi-stakeholder deployments, market feedback suggests that the implementation cost for so-called off-the-shelf configurable GRC software is often comparable to the cost of developing custom applications that leverage existing technology platforms within the enterprise, such as SharePoint.

Which choice is better for your organization? That’s not for me to say. But here are some questions to help you decide for yourself:

  • Which of your GRC or assurance groups have the potential for synergy among them?
  • What elements of your framework are shared across multiple groups?
  • What is best for each stakeholder group?
  • What specific capabilities do you have and need? (Most GRC platforms provide good risk and control assessment functionality, but if you’re looking for a specific capability – regulatory insight, advanced analytics or eLearning – others might do better.)
  • In terms of timing, how well do the projects of different stakeholders sync with each other?
  • Does licensing new modules of the GRC platform already in-house approximate the cost of licensing another application?
  • Does the “configurable” GRC solution require significant technical competence to implement new features and support? If so, do you already have more technical competence on another platform that is a better fit with your overall enterprise IT architecture?

I’m not advocating one solution over another here. It’s a conversation for you and your GRC stakeholders. I’d love to read your thoughts on the matter.

Vendor Fraud — Scott Moritz Answers Your Questions

By Scott Moritz, Managing Director
Leader, Protiviti’s Fraud Risk Management Practice

Our webinar series on internal investigations is generating lots of good questions from participants. The series kicked off in November 2014 with Internal Investigations for Non-Investigators, which offered a broad overview of the topic. The second webinar, Misplaced Trust: Investigating Vendor Fraud, was held in March 2015.

The series is co-presented by Scott Moritz, global lead of Protiviti’s Investigations & Fraud Risk Management practice, and Peter Grupe, a director in that group. Scott has 28 years of investigative experience, including nearly 10 years as an FBI special agent. Peter, a former assistant special agent in charge of the FBI’s white collar crime program in New York, has over 25 years of experience investigating financial crime.

In this blog entry, Scott answers some great caller questions that came up in the Vendor Fraud session.

Q: What is a best practice to validate new vendors?

A: Historically, companies collected information from vendors in order to set up payments. This basic data falls far short of what is required to make informed risk-based decisions — for regulatory compliance and fraud risk management, among other things.

Today, companies need to be able to readily segregate upstream suppliers from those empowered to act on the organization’s behalf (often referred to as “intermediaries”). If a company acts on your behalf, Protiviti recommends collecting richer data — including the names of executives, owners, and whether the company is public, private, or government-owned; how long the company has been in existence, revenue (if disclosed), and whether the client is the vendor’s largest customer.

Q: If you are performing a typical vendor audit (i.e., no initial suspicion of fraudulent activity), what are the best techniques to identify fraud, such as vendor kickbacks?

A: Just because you don’t suspect vendor fraud doesn’t mean it’s not going on. Vendor fraud is the most common type of fraud and accounts for 18 percent of fraud losses — particularly at large organizations.

Top of mind:

  • Compare vendor master data with personnel data. Look for addresses in common. (Be mindful of privacy restrictions in certain jurisdictions such as the EU).
  • Vendors of almost any size will leave some sort of footprint in the public domain – social media presence, etc. You would expect any commercial entity to have some record of its existence in the public domain. Entities that exhibit little to no footprint warrant closer scrutiny.
  • It is also prudent to search global watch lists, such as the list maintained by the Office of Foreign Assets Control (OFAC), which tracks international trade violators and sanctions; the U.S. General Services Administration’s (GSA) System for Award Management (SAM) list, which includes a list of companies that have either failed to perform or have committed fraud against the U.S. government and have been debarred; and the U.S. Department of Commerce Bureau of Industry and Security list, which includes companies that have violated U.S. boycott laws.
  • Look for red flags. Kickbacks are a type of fraud that may raise very specific red flags. Compare contracts for a vendor suspected of paying kickbacks to those of comparable vendors – is unit pricing or aggregate spend out of line? Did your investigation reveal that one or more employees are unusually close to someone at the suspect vendor?
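The address-matching and watchlist-screening steps from the list above, worked as an added Python example (this is not Protiviti's or the webinar's tooling); the vendor, employee and debarment records are constructed sample data, and the abbreviation table and the flat list format are assumptions, since real OFAC and SAM exports come in their own published schemas.

```python
"""Master vendor file analytics: flag vendors that share an address with an
employee, and screen vendor legal names against a debarment list.
All data below is constructed for the demonstration."""
import re

# Street-type abbreviations used to normalise addresses (assumed; extend per locale).
_ADDR_ABBREV = {"STREET": "ST", "AVENUE": "AVE", "ROAD": "RD", "SUITE": "STE",
                "APARTMENT": "APT", "DRIVE": "DR", "BOULEVARD": "BLVD"}
# Corporate suffixes stripped so "Acme Logistics Co." and "ACME LOGISTICS" compare equal.
_ENTITY_SUFFIX = re.compile(r"\b(INC|LLC|LTD|CORP|CO|GMBH|PLC)\b\.?")


def normalize_address(addr: str) -> str:
    """Upper-case, drop punctuation, collapse whitespace, abbreviate street types."""
    tokens = re.sub(r"[^\w\s]", " ", addr.upper()).split()
    return " ".join(_ADDR_ABBREV.get(t, t) for t in tokens)


def normalize_name(name: str) -> str:
    """Strip entity suffixes and punctuation from a vendor's legal name."""
    name = _ENTITY_SUFFIX.sub("", name.upper())
    return " ".join(re.sub(r"[^\w\s]", " ", name).split())


def find_shared_addresses(vendors, employees):
    """Return (vendor_id, employee_ids) pairs whose normalised addresses coincide.
    Personnel addresses are personal data: process them under the privacy rules
    of the jurisdiction involved, as the answer above cautions."""
    by_addr = {}
    for emp in employees:
        by_addr.setdefault(normalize_address(emp["address"]), []).append(emp["id"])
    hits = []
    for v in vendors:
        key = normalize_address(v["address"])
        if key in by_addr:
            hits.append((v["vendor_id"], tuple(by_addr[key])))
    return hits


def screen_against_list(vendors, debarred):
    """Exact match on normalised legal name; fuzzy matching is out of scope here."""
    blocked = {normalize_name(n) for n in debarred}
    return [v["vendor_id"] for v in vendors if normalize_name(v["name"]) in blocked]


# Constructed sample records: a vendor master extract, a personnel extract, and a debarment list.
VENDORS = [
    {"vendor_id": "V100", "name": "Northwind Consulting, Inc.", "address": "12 Elm Street, Suite 4, Springfield"},
    {"vendor_id": "V101", "name": "Blue Harbor Supply LLC", "address": "900 Lakeshore Drive, Springfield"},
    {"vendor_id": "V102", "name": "Acme Logistics Co.", "address": "77 Oak Ave, Unit B, Shelbyville"},
]
EMPLOYEES = [
    {"id": "E7", "address": "12 ELM ST STE 4 SPRINGFIELD"},
    {"id": "E9", "address": "5 Pine Road, Shelbyville"},
]
DEBARRED = ["ACME LOGISTICS", "Fictitious Widgets Ltd"]


def run_vendor_checks(vendors=VENDORS, employees=EMPLOYEES, debarred=DEBARRED):
    """Run both checks and return the findings as one dict for the auditor."""
    return {"shared_address": find_shared_addresses(vendors, employees),
            "debarred": screen_against_list(vendors, debarred)}


if __name__ == "__main__":
    for check, findings in run_vendor_checks().items():
        print(f"{check}: {findings}")
```

The two checks surface only candidates for review: a shared address or a name match is a red flag to investigate, not proof of fraud.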

Q: Can you give some examples of the types of background checks you perform on new or existing vendors?

A: First, let me distinguish between a background check and the watchlist matching process (sometimes referred to as “screening”) we were discussing earlier. Screening deals primarily with vendor-supplied information and comparing it to one or more lists of debarred parties. Background investigations use publicly available information, beyond the watch lists I’ve mentioned, to bring to light past bad behavior by vendors that may cast doubt on their character and the veracity of self-reported data. Public information includes things such as regulatory actions, pending or prior criminal actions, lawsuits, bankruptcies, liens, judgments, affiliated companies, companies with common ownership, etc.

If the public record shows that somebody has done something improper or illegal in the past, there’s a good chance they’re going to do something similar in the future. Not a lot of people (or companies) wake up one day and decide to embark on a life of white collar crime. Most people involved in fraud or corruption have been involved in similar crimes for many years and very few of them find redemption.

Q: In doing a standard, cyclical vendor audit, what are some things we should look for to identify vendor-related fraud? Presumably, the vendor itself in all these cases is legitimate as we are doing business with them.

A: The GSA produces a blacklist of companies that have either consistently failed to perform their obligations under government contracts, or have defrauded the government. If a vendor has no qualms about defrauding the federal government and facing those kinds of sanctions, they’re going to have no qualms about defrauding you. Debarments are a sign you want to pay attention to, as past behavior is a good predictor of future behavior. There is a wide array of debarment lists maintained by the federal, state and local government as well as several of the larger, multilateral banks (World Bank, European Bank for Reconstruction and Development, Inter-American Bank, etc.).

We’ve seen a significant uptick in demand for master vendor file audits. Not sure what is contributing to this, but a lot of organizations are finding that the volume of vendor contracts requiring auditing is overwhelming and are seeking to leverage electronic tools to detect undisclosed conflicts of interest, fictitious vendors and any vendors who have pending or historical sanctions against them.

Protiviti will continue to promote an ongoing dialogue on fraud, fraud risk, financial crime and corruption through its thought leadership and by continuing its webinar series on internal investigations.