2016 Audit Committee Agenda Webinar Q & A (Part 4)

We are wrapping up our series of blog posts based on our popular January 7 webinar on the 2016 Audit Committee Agenda. This series answers some of the questions we were unable to address during the webinar.

In our first installment, we touched on the relationship between the audit committee and independent auditors, new rules on lease accounting and board-level engagement with cybersecurity. Part 2 of the series continued the cybersecurity discussion and focused on the opportunity for many organizations to add data analytics capabilities to their internal audit functions. Part 3 addressed fraud and clarified the role of internal control in the three-lines-of-defense model.

The questions Jim DeLoach addresses in this final installment pertain to new FASB rules on revenue recognition and lease accounting.

Q: The Financial Accounting Standards Board (FASB) has announced two major changes in Generally Accepted Accounting Principles (GAAP) – revenue recognition and lease accounting. How can companies make both of these changes concurrently?

Jim: The good news is, these changes are not concurrent. FASB and the International Accounting Standards Board (IASB) published the new revenue recognition standards in May 2014. The new rules apply for reporting periods beginning after December 15, 2017, but companies should be taking steps now to determine how the rules will affect their business. It is expected that the new lease accounting standards would apply to reporting for periods beginning after December 15, 2018. Companies have ample time to prepare for both of these changes, if they act now. We strongly advise against waiting until the last minute.

Q: What value do you think internal audit can add to the revenue recognition transition process?

Jim: Internal audit can play an important role in ensuring that the organization is making sufficient progress in transitioning to the new revenue standard by evaluating management’s progress. During the webinar, we suggested seven steps for management to take to get on top of and size the transition process:

  1. Educate executives and their teams on their overall responsibility for the transition
  2. Assess the current revenue recognition policy against the standard and identify expected changes
  3. Depending on the significance of the identified accounting policy gaps, consider the need for involving others
  4. Perform a high-level analysis of any data gaps
  5. Develop a high-level approach to the transition method
  6. Identify and assess additional resource needs
  7. Educate the decision makers

These steps provide guidance to internal auditors on what to look for when evaluating whether their companies are gaining traction. In assessing the efficacy of preparations, it would be helpful to ask: Does management understand what is expected? Do they have a plan to comply? Is the plan resourced? Has it been budgeted? Is the organization making progress against the plan? As various components of the plan are implemented, internal audit can do testing to ensure the new processes and procedures are operating effectively in the new environment.

Not to sound like a broken record, but we’ve seen enough procrastination out there to warrant concern, particularly with the revenue recognition rules. By now, companies should be well along in the process of determining how the new standards apply to them, and preparing for the implementation of the needed changes.

This four-part blog series covers most of the questions asked by our webinar attendees that we were unable to address live. Thanks, again, to those of you who attended the live webinar broadcast. The archived version can be accessed here.

2016 Audit Committee Agenda Webinar Q & A (Part 3)

We are picking up our previous discussion of audit committee priorities as we continue to answer your questions from our popular January 7 webinar, The 2016 Audit Committee Agenda. This blog series answers questions we were unable to address during the webinar.

In our first installment, we addressed questions regarding the relationship between the audit committee and independent auditors, new rules on lease accounting, and board-level engagement with cybersecurity. Part 2 of the series continued the cybersecurity discussion and focused on the opportunity for many organizations to add data analytics capabilities to their internal audit function.

The questions addressed here, in Part 3, pertain to fraud and the various lines of defense. Jim DeLoach provides the answers.

Q: Relative to other rising concerns (such as cybersecurity), is fraud less important than in previous years?

Jim: Fraud is, and always will be, a huge area for concern, particularly for public companies and not-for-profits dependent on continued funding, because of its impact on reputation and brand image. As fast-paced and globally connected as everything is today, and as many alternatives as there are for investors, money can move from one organization to another in a heartbeat. The reality is that capital flight from a company besieged by significant fraud can be brutal.

There are certain things investors take as a given about a company. They are going to inherently assume that its products are safe, that it complies with all applicable laws and regulations, and that people aren’t stealing from it. This understanding is often taken for granted, and therefore may not come up in conversation. But once the veil of that inherent presumption is pierced when a problem arises, then it’s going to be all that people talk about. Given that investors/donors can easily move their money elsewhere, a significant reputation hit from material fraud can mean “game over.”

Q: Aren’t the auditors the third line of defense?

Jim: If by auditors you mean external auditors, the answer is no. The third line of defense is internal audit, or the assurance function.

Those of us who spend a lot of time around internal auditors have become so familiar with the “three lines of defense” model for organizing risk management that we may not always explain it as well as we should.

The model, promulgated by The Institute of Internal Auditors, was designed to clarify the risk management responsibilities of internal auditors, as distinguished from those of independent risk oversight functions (the second line of defense), and the day-to-day risk mitigation efforts of operational management and staff whose activities create risk (the first line of defense).

In our fourth and last part of this discussion, we will address the critical importance of preparing now for pending changes in the revenue recognition rules.

2016 Audit Committee Agenda Webinar Q & A (Part 2)

We are continuing our Q&A series stemming from our January 7 webinar on the 2016 Audit Committee Agenda. We’ve been exploring audit committee priorities for 2016, based on the findings published in the latest issue of The Bulletin. This four-part Q&A blog series provides our responses to some of the many interesting questions from our 1,500 webinar participants that we were unable to address during the webinar itself. Jim DeLoach and David Brand address the questions below.

In our first installment, we touched on the relationship between the audit committee and independent auditors, new rules on lease accounting, and board-level engagement with cybersecurity. Cybersecurity is a top concern for audit committees right now, and it should be. For additional insight, see Issue 67 of our Board Perspectives series, which is devoted entirely to briefing board members on IT matters in a manner that directors can understand.

Q: Are you seeing cybersecurity experts being added to the audit committee?

David: Generally speaking, no. Organizations face a broad and ever-changing spectrum of risks. For that reason, boards and audit committees should be staffed with people from a variety of backgrounds who stay well-informed on the current risk landscape and emerging risks, and know where to go and whose advice to seek to educate themselves as needed – through the CIO, CISO, or independent cybersecurity experts. An exception to this, of course, would be technology companies, or organizations where technology is the centerpiece of the business strategy, and in such cases we see some boards setting up a separate technology committee. But from a purely risk oversight perspective, no.

Q: Do you see differences between cybersecurity risk and data privacy risk, and should a risk profile have both? Or do you see in the industry that these risks are combined?

David: Although there tends to be a heavy focus on cybersecurity these days, it is important to remember that information – including personally identifiable information (PII), non-public financial information, drug formulas, customer lists and price sheets – often exists in non-electronic formats, including paper printouts on people’s desks. Cybersecurity deals exclusively with electronic data that’s housed in computer systems. Data privacy risk encompasses information in all forms, and is therefore both distinct from, and inclusive of, cybersecurity risk.

It’s a misnomer to say if a company is doing cybersecurity, it has achieved data privacy. Data privacy is related to cybersecurity, but broader than cybersecurity.

Jim: Let me add that our 2016 Top Risks Survey report, which will be released in March, reports on cybersecurity risk and privacy/identity management risks separately, and both were highly rated in our global survey results.

Q: Do you have a toolkit available for auditing cyber risks?

Jim: The National Institute of Standards and Technology (NIST) has developed and publicized a cybersecurity framework that has become the de facto standard for control areas that need to be addressed. That’s the best place to start in the public domain.

Q: Why don’t more organizations use data analytics to support internal audit?

Jim: Good question. It’s hard to pin down the why. Improved data analytics has been one of the top-rated capabilities and needs in our annual survey of chief audit executives for the past ten years. If you are asking whether your organization should be investing in analytics to keep pace with an increasingly complex environment, the answer is yes.

We’ll continue answering your questions in Part 3 of this series. The archived version of the webinar can be accessed here.

2016 Audit Committee Agenda Webinar Q & A (Part 1)

Our January 7 webinar, The 2016 Audit Committee Agenda, based on our latest issue of The Bulletin, drew more than 1,500 participants. The audience was diverse and included a large number of directors and executives, so it’s not surprising that a lot of interesting and relevant questions were asked.

We promised we would get to as many questions as we could but, due to our time constraints, we were only able to answer a few in real time. Here, in the first of several posts, we want to answer some questions we did not have time to address in the live session. Jim DeLoach and David Brand, Protiviti’s IT Audit practice leader, take turns with the answers.

Q: How involved should the audit committee be in inspecting its independent auditor? (Question submitted by a new audit committee member.)

Jim: As set forth in the listing standards for U.S. exchanges, the audit committee oversees the hiring, retention and independence of the external auditor and the quality of the external audit process. So the audit committee’s job, insofar as the external auditor is concerned, is not so much a matter of “inspection” as it is one of providing oversight. As part of the hiring and retention process, audit committee members are encouraged to be mindful of the firm’s PCAOB inspection reports. These reports may have an impact on the demands and expectations issuers receive from their external auditors and, therefore, warrant the audit committee’s attention.

Furthermore, the committee should inquire of the auditor if PCAOB inspections of the firm and recent PCAOB guidance are impacting the audit approach in any significant way and, if so, how and in which areas. For a good reference on the responsibilities of an audit committee, see the standards for listed companies established by Sarbanes-Oxley and promulgated by the Securities and Exchange Commission.

Q: Does the new Financial Accounting Standards Board (FASB) lease accounting standard (requiring both financing and operating leases to be accounted for on the balance sheet) apply to both public and private companies, and are there any exceptions?

Jim: To the best of our knowledge, the new rule, which will primarily affect lessees, will apply to all companies in all industries – although the effect will be greater on companies that have previously relied on leases as a form of off-balance-sheet financing. We won’t know with certainty, however, until the FASB issues its new standard, which is expected soon.

Q: Have you seen any best practices that organizations have used to get everyone on board with the idea that cybersecurity is a business issue, not simply an IT issue?

David: The only way to get people to see that this is a business issue is to start at the top. You have to start with a clear understanding of what assets the organization wants to protect. These so-called “crown jewels” have to be defined by the business. IT can’t decide. Once the organization has decided what’s important, then the capital committee and risk management committee must decide how much they want to spend protecting those crown jewels. IT’s role is to execute the protection scheme.

Q: Our board engagement and level of understanding of cybersecurity are not aligned. How would you address this?

David: Board members are always looking for educational opportunities, and internal audit can play an important role in this process. There’s nothing to stop internal audit from scheduling an educational briefing session with the board, or hiring a third party to come in and facilitate. For additional insight, see Issue 67 of our Board Perspectives series on board risk oversight, which is devoted entirely to briefing the board on IT matters in a manner that directors can understand.

In our next installment, we’ll pick up on this thread with a discussion of whether boards should be recruiting members with cybersecurity expertise. The entire webinar can be found here.

FAST Act Paves the Road for Streamlining IPOs

By Steve Hobbs
Managing Director, Public Company Transformation

Good news for small companies considering an IPO. On December 4, 2015, President Obama signed the Fixing America’s Surface Transportation Act (the FAST Act). Aside from directing transportation spending, this act includes provisions relevant to startup companies and companies seeking to pursue the IPO path. Below, I’ve outlined the major ways in which this act affects so-called “emerging growth companies,” or EGCs – defined as companies with revenues of less than $1 billion in their most recent fiscal year – by potentially reducing the costs related to initial filings and allowing them to keep their information confidential longer.

  1. Longer confidentiality period. Under the JOBS Act, which created the EGC category, a company that meets that definition needs to publicly file a registration statement for its IPO no fewer than 21 days before the start of its roadshow. Under the FAST Act, this time period has been reduced to 15 calendar days.
  2. Maintaining EGC status longer. In some cases, companies that have started the IPO process as EGCs have lost that status – for example, if the SEC review process continued past the end of the fiscal year in which the issuer crossed over the $1 billion revenue threshold. Under the FAST Act, such a company would remain an EGC through the earlier of its IPO date or the one-year anniversary of the date on which it would otherwise have lost EGC status. By retaining this status, the company is entitled to reduced regulatory and reporting requirements under the Securities Act and the Exchange Act.
  3. Reduced disclosure requirements. The FAST Act permits EGCs to omit historical financial information from their initial confidential submission or public filing of the IPO registration statement if this historical financial information would not be required in a registration statement (S-1 or F-1) at the time of the roadshow. For example, EGCs are currently required to include two years of audited financial statements in their public IPO filings. For some issuers, the timing of the IPO process may be such that the fiscal year would end while the review process is still going on, and therefore the company would need to add audited financial statements for that most recent year. Under the FAST Act, in a situation like that, financial statements for the earlier year would not be required in the registration statement. Instead of going through the expense and effort to audit and include financial statements from that prior year, the issuer could simply omit that year from the initial and subsequent filings.

These provisions do not free small companies of the onerous task of preparing and filing their IPO-related financial statements but they do provide some relief, including a longer confidentiality period.

Watch What You Say: Auditing Cybersecurity Disclosures

By David Brand
Managing Director, Leader of Protiviti’s IT Audit practice

In the face of ongoing, persistent and ever-more dramatic data breaches, corporate assurances about the security of information are rightfully met with investor and regulatory skepticism. And while companies have rushed to inoculate themselves against potential damage by purchasing cyber insurance, regulators – and insurers – are reviewing published cybersecurity disclosures carefully to determine whether the companies’ claims regarding their cybersecurity programs – people, processes and technology – are consistent with reality.

These reviews merit attention for several reasons. For example, the price for failing to adequately assess and disclose cyber risks could be regulatory sanction and/or a denied insurance claim.

Questions about disclosures – and inquiries from external auditors related to cybersecurity – have been raised in several conversations with our clients recently. The basis for the questions can be traced back to the cybersecurity disclosure guidance that the U.S. Securities and Exchange Commission’s Division of Corporation Finance published in October 2011 (CF Disclosure Guidance: Topic No. 2). But the urgency and frequency of the questions in meeting rooms and board rooms have increased, even as companies continue to offer public assurances about their cybersecurity.

External auditors are generally asking two questions:

  1. For companies making disclosures: What programs exist to ensure the disclosures are accurate?
  2. For companies without disclosures: What controls and procedures are in place to ensure that there is nothing occurring that should be disclosed?

The typical response, to date, has been for management to provide a memo with a general description of relevant risks; a list of the people, processes and technology in place to address cyber risk; a list of relevant internal audit efforts addressing cyber risk; and a statement that management is not aware of any relevant undisclosed breaches.

These responses tend to be qualitative – descriptions of what is in place rather than evidence of how well it works – which raises the question: Should Internal Audit evaluate and weigh in on the efficacy of cyber risk mitigation programs? A 2015 article in the Harvard Law School Forum on Corporate Governance and Financial Regulation says yes. I would agree.

Critical intellectual property (IP) – the so-called “crown jewels” – must be identified and protected. In addition to traditional perimeter defenses, companies need to develop and regularly review an intrusion response plan. The plan needs to account not only for theft, but also for the possible destruction of data. Response plans should be tested with live simulations – tabletop exercises and adversarial (red team) engagements – designed to find and fix vulnerabilities before they can be exploited by hackers.

Sounds like common sense, doesn’t it? It has been my experience, however, that all too often, companies tend to address theoretical risks with theoretical responses. A self-assuring, “no stranger danger here” mentality may, in fact, be your organization’s greatest vulnerability. Instead, what companies are better off doing – and what most cybersecurity experts these days recommend – is to assume that they have already been breached, and focus their security efforts on rapid detection, interdiction and recovery.

To that, I would add the need for a strong cyber risk control and governance framework, such as the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST).

As for internal audit, it definitely should be auditing cybersecurity disclosures to make sure that what management is telling shareholders is consistent with actual risks. Words matter, and the world is watching.

For more on current IT audit trends, views and challenges, download the latest ISACA/Protiviti IT Audit Benchmarking survey or view the highlights.

Your SharePoint Investment: Don’t Leave It to Chance

By Scott Gracyalny
Managing Director, Software Services

If your organization is like most, you probably have at least one installation of SharePoint. Chances are, it’s running your intranet, or maybe a document sharing system. Maybe users love it. Maybe they don’t. Perhaps you could be getting a better return on your investment. If your organization is like most, you have no way of knowing.

We know this, because you told us. According to the results of a just-released Protiviti survey, 95 percent of companies that use SharePoint say it is an important collaboration and communication tool for them. They even give it a high level of importance (7.4 on a 10-point scale). And yet, 90 percent said they don’t have a formal way of tracking how employees use SharePoint (user adoption). Half rated user adoption as only fair or inadequate.

These numbers point to a lack of a cohesive, constructive SharePoint adoption and governance strategy. The reasons are varied, but may stem from the fact that, more often than not, SharePoint enters the organization as a point solution – either direct from IT, or by the request of a department with a specific use in mind.

From there, the road to enterprisewide adoption is typically a winding path, with additional applications being added from the bottom up as users learn of, and request, expanded functionality. Most commonly, SharePoint evolves from a content storage tool, to a tool for business intelligence using all that newly accessible data, before moving on to more complex and mature collaborative workflows.

This evolution doesn’t have to be left to chance – and it appears, you agree. More than two-thirds (69 percent) said additional training would improve user adoption.

A clear strategy can make a big difference. By tying SharePoint use to specific business goals and working with users to develop and adopt processes utilizing SharePoint’s untapped potential, companies can get much more from their SharePoint investment.

We’ve seen clients put SharePoint to work in a variety of critical processes, including automating contracting and sales and facilitating risk and compliance workflows. Workflow capabilities are native to SharePoint, but often require third-party assistance to configure properly.

Of course, as with any proposed change, change management is key. Users need to be engaged early in the planning process to ensure that any new processes will truly enhance their experience and not just create more work.

For every organization that has made the investment in SharePoint, I recommend taking a hard look at how to maximize it. In fact, I think this should be a number one SharePoint priority. Complementary third-party products can also be leveraged to enhance or extend SharePoint functionality. Most organizations would be surprised by how much value SharePoint can deliver with sustained attention to the issues above.