Internal Audit Reminder: Opportunity to Comment on the New Professional Standards Ends April 30

Kyle FurtisBy Kyle Furtis
Managing Director, Internal Audit and Financial Advisory Practice




Thanks, again, to everyone who tuned in to the live stream of our What’s on the Internal Audit Horizon webinar on March 31. For those of you who missed it, we had a packed agenda covering a wide variety of topics. I’ll hit the highlights, but you’re going to need to watch the archived version of the one-hour webinar to get more detailed information, including best practice summaries and our road map for implementing data analytics.

We spent a good deal of time talking about proposed changes to The IIA’s International Standards for the Professional Practice of Internal Auditing, comments for which are due this week, April 30. The changes, which were published for public comment on February 1, are focused on three areas:

  • Enhancing existing standards on communications and quality assurance
  • Creating new standards addressing objectivity in assurance and consulting roles, as well as addressing new roles internal audit functions are taking on, and
  • Aligning existing standards to a new set of core principles incorporated into the International Professional Practices Framework (IPPF) last year.

With the looming April 30 deadline for comments in mind, I thought I’d call the proposed new standards out for your attention, and expand a little bit about the changes, which speak to the future of the internal auditing profession.

  • Proposed Standard 1112 addresses the chief audit executive’s expanding role beyond traditional internal auditing into areas previously within the exclusive domain of the first and second lines of defense – areas such as the independent compliance or risk management oversight functions. Although there is nothing wrong with CAEs providing proactive compliance and risk management assurance in a consultative capacity, the new standard calls for safeguards to ensure that such responsibilities do not impair, or appear to impair, the organizational independence of the internal audit function or the individual objectivity of the CAE. Such safeguards might include periodic reviews of reporting lines and responsibilities, and developing alternative processes to assure that areas of potential conflict receive objective assurance.
  • Proposed Standard 1130.A3 states that the internal audit function and individuals involved in providing consultative services may continue to provide assurance regarding those activities in which they have provided consulting services, provided they can demonstrate that there has not been any impairment to their organizational independence or individual objectivity. The Standards Board deemed this clarification necessary because Standard 1130 did not previously address consultative activities.

Again, comments on the exposure draft are due in to The IIA by April 30. This is your opportunity to weigh in and ensure that the proposed changes to the Standards sufficiently support the demands of the profession, its practitioners, and your organization. The new standards are scheduled to be announced October 1, and become effective January 1. Protiviti recommends that you familiarize yourself with the proposed standards, evaluate the potential effects on your internal audit infrastructure and methodology, and start implementing them as soon as they become effective, so that you’ll be fully ready to apply them in practice by January 1.

Top Risks 2016 Webinar Follow-Up: Jim DeLoach on Changes in Risk, Technology and Culture Challenges

A few weeks ago, Protiviti and North Carolina State University’s Enterprise Risk Management (ERM) Initiative published Executive Perspectives on Top Risks for 2016, the results of an annual survey. Regulatory changes topped the list of executives’ and directors’ concerns for the fourth consecutive year, followed by economic concerns and worries about cyber threats. Operational risks dominated, overall, accounting for five of the top 10 risks. I had a chance to discuss some of the findings in a March 23 webinar, along with Mark Beasley, the Deloitte Professor of Enterprise Risk Management at North Carolina State University, and Pat Scott, Protiviti’s executive vice president of global industry and client programs.

The online Q&A dialogue was robust, and we were only able to get to a few questions. I wanted to continue the discussion here, responding to those we did not have time to address, or address in detail:

Q: Are you surprised that operational risks are trending higher than strategic risks? I would think strategic risks would have a much deeper impact in the long term.

A: Sustaining growth is a challenge in the current global economy for many companies, so no, it’s not surprising that operational issues and bottom-line concerns are top of mind for executives right now. We have been experiencing a slower growth rate, and there does not appear to be, at least over the near-to-intermediate term, a prospect for a significant upturn in economic activity. So organic growth is more challenging, which drives companies to focus intrinsically on sustaining customer loyalty by improving their customer fulfillment processes and customer service, while also improving quality, time, cost and innovation continuously to maintain margins. This commitment to operational excellence is not suggesting strategic risks aren’t important. It’s more a question of preserving bottom-line performance.

Q: Why do you think the concern over economic risk is so high? No major economies are in recession or expected to be, according to the International Monetary Fund.

A: I think it’s a matter of judgment as to what that really means. Economic risk is very fluid, and I think if we had conducted this survey in the first quarter of 2016 instead of the fourth quarter of 2015, the perspective might have been totally different. I do think CEOs have some concerns as to what the economic outlook is. China is a concern. You’ve got challenges in Brazil, and growing concerns about the stability of the European Union. In addition, the concern over economic risk may be less of an issue with regard to recessionary fears and more a concern over achieving more robust growth rates that facilitate aggressive hiring plans and investments to expand in new markets. We expect this risk to continue to fluctuate as time goes on.

Q: What do you think is the contributing factor to this uptick in the perceived global risk environment given that most of the highly ranked risk environments have been here for the last couple years? Are companies just waking up to this?

A: Another macroeconomic question, and one we discussed on the call. We stated that we didn’t think anyone was just waking up to recognize the global risk environment. We’ve done this study for four years, and each year it was clear that executives and directors perceive a risky environment in which to do business. But to the question about this year’s results specifically, you’ve got the geopolitical environment exemplified by the Syrian refugee crisis, a rise in terrorism, an acute decline in oil prices, global tensions, and uncertainties raised in the U.S. presidential race. C-level executives are looking at this environment and saying: “We see a higher level of risk this year.”

Q: Any advice on how to mitigate risk caused by use of technology that is more advanced than the controls available?

A: This question is also one we discussed during the webinar, but it bears repeating here. Disruptive change through advances in digital technologies has two primary impacts. The first is strategic, and involves constant vigilance to ensure that an organization’s business model is current and competitive. You have to compete at, or ahead of, the pace of change or you risk becoming obsolete or disintermediated. The second, which gets to the control issue, involves 1) knowing what your “crown jewels” are – that is, the information and proprietary assets you want to protect at all costs; 2) constantly monitoring and assessing the threat landscape; and 3) having an effective response program. Today’s rapidly changing technology environment – with its constantly moving targets of third parties, mobile computing, BYOD and the cloud – makes the management of security and privacy issues more complex. Therefore, the organization’s control framework has to be agile and flexible enough to adapt to the changing risk landscape.

Q: How can internal audit work with the C-suite to achieve consensus on the top risks on which they differ? What should be the main objective of the risk discussion? (e.g., alignment to business objectives, consensus on the top risks)?

A: A couple of things: One of the main takeaways of our study, in my opinion, is that C-level executives and board members have differing perspectives as to what the key risks are. This isn’t, in itself, a problem, because it represents a healthy diversity of opinion and perspectives. What is important is that organizations have a process by which they capture these differing opinions and perspectives, by making sure they are heard and understood by the organization’s leaders, and bring these perspectives to bear in assessing risks and developing a comprehensive risk mitigation strategy.

Q: Can you talk about the difficulty in changing a company’s culture to deal with risk?

A: This is a great question. It’s difficult to alter any organization’s culture. The challenge is to ensure there is a strong tone at the top (which requires effective board oversight), and that the tone in the middle is aligned with the tone at the top. The objective should be to make sure that your line managers and middle managers are talking the same message and practicing the same core values communicated and practiced by the CEO and senior executive team. The rank-and-file pay more attention to what their immediate supervisors say than what the CEO says. In that sense, the tone in the middle is at least as important as the tone at the top and is the key to ensuring that the tone at the bottom is consistent with the tone at the top. While this doesn’t make it easy, it does provide insight as to what needs to be done to shape the culture to fit the core values espoused by the organization’s leaders.


Ten Cybersecurity Action Items for CAEs and Internal Audit Departments

David BrandBy David Brand
IT Audit Practice Leader




Since the release of our 2016 Internal Audit Capabilities and Needs Survey last month, I’ve been going back and looking at the results, which also include some insightful 10-year trends. We will get back to these in another post; instead, I prefer to focus here on one aspect of the results – the growing need for cybersecurity skills and resources.

Cybersecurity risk is a growing concern – not only for internal stakeholders, but for customers and insurers. More than half (57 percent) of the survey respondents said they’d received inquiries from customers, clients or insurers about the organization’s state of cybersecurity.

It’s hardly surprising then, that nearly three out of four respondents (73 percent) said their organizations are evaluating cyber risk as part of the annual audit plan, compared to just over half in 2015. They listed brand and reputation damage, data security (company information) and data leakage (employee personal information) as representing the greatest risks.

Similar to last year, our results show two differentiators between top performers and the rest of the pack – a high level of board engagement in information security and inclusion of cybersecurity in the audit plan. But that’s just the tip of the iceberg.

Here, then, are ten internal audit to-do’s, aimed to ensure that your organization is prepared to avoid a cyber “collision” with what’s below the surface:

  1. Work with management and the board to develop and/or validate a cybersecurity strategy and policy.
  2. Identify and act on opportunities to improve the organization’s ability to identify, assess and mitigate cybersecurity risk to an acceptable level.
  3. Recognize that cybersecurity risk is not only external – assess and mitigate potential threats that could result from the actions of employees or business partners.
  4. Leverage relationships with the audit committee and board to a) heighten awareness and knowledge of cyber threats; and b) ensure the board remains highly engaged with cybersecurity matters and up to date on the changing nature of cybersecurity risk.
  5. Ensure cybersecurity risk is integrated formally into the audit plan.
  6. Develop, and keep current, an understanding of how emerging technologies and trends are affecting the company and its cybersecurity risk profile.
  7. Evaluate the organization’s cybersecurity program against the National Institute of Standards and Technology (NIST) cybersecurity framework, recognizing that because the framework does not reach down to the control level, your cybersecurity program may require additional evaluations using ISO 27001 and 27002.
  8. Seek out opportunities to communicate to management that, with regard to cybersecurity, the strongest preventative capability has both human and technological aspects – a complementary blend of education, awareness, vigilance and technology tools.
  9. Emphasize that cybersecurity monitoring and cyber-incident response should be a top management priority – a clear formal escalation protocol can help make the case for (and sustain) this priority.
  10. Address any IT audit staffing and resource shortages as well as any lack of supporting technology tools, either of which can impede efforts to manage cybersecurity risk.

I know I’m preaching to the choir here, but it is important for organizations to understand that cybersecurity is not an IT issue – it is a business risk requiring a comprehensive risk-based approach to manage. To focus on what may be lingering below the surface, cybersecurity risk management strategies must be both present and effective.

Cybersecurity and information security are not the same thing. Each requires its own set of controls. Boards should not only be aware of cybersecurity risks, but they also should be engaged, at least at a high level, with the organization’s information security measures. And internal audit should integrate cybersecurity into its daily activities as well as its annual audit plan.

The report covers this issue in much greater detail. It’s definitely worth a read.

Guide to Public Company Transformation Answers What You Always Wanted to Know About the IPO and Beyond

Steve Hobbs 2

By Steve Hobbs
Managing Director, Public Company Transformation




If you’re preparing to take your company public, you surely know you have a lot of new reporting and legal requirements to meet, and that your organization will require a number of changes. You may also know that you will need help in this process, or at least some good guidance.

The latest edition of Protiviti’s Guide to Public Company Transformation: Frequently Asked Questions, released last month, offers just such guidance. It’s a comprehensive and helpfully organized 55-page reference that organizations can use to find an answer to just about every question during the exhilarating and exhausting time surrounding an initial public offering (IPO) – from when is the best time to go public to how to make sure transformation efforts, including Sarbanes-Oxley (SOX) compliance, are maintained in the post-IPO period.

An IPO frequently requires a complete company transformation. Newly public companies may need to upgrade their financial reporting processes, information technology (IT) environments, as well as their governance, risk and compliance (GRC) capabilities. They will need to meet and maintain compliance with SOX and other financial reporting requirements, none of which are easy or straightforward.

While ringing the bell is perhaps the most exciting moment in an IPO journey, the actual transformation work behind the scenes is just beginning. Once listed on the exchange, the company needs to continue to evolve its functions, transforming itself into a business that meets and reports on an entirely different set of public and regulatory expectations. It’s a lengthy, complicated process, and mistakes can be time-consuming and costly.

To lessen the burden and increase the chance of success during this transformation, the new edition of the guide places a greater focus on the post-IPO period – in other words, we look beyond the IPO itself to ensure that companies know what’s needed to become – and stay – scalable and fully compliant in the future. This change in focus is reflected throughout the guide, as well as in the guide’s title − we’ve replaced the word “readiness” with “transformation” to indicate what an IPO truly is.

Other new or updated areas in the third edition of the FAQ guide include:

  • A section on developing an executable strategy and action plan prioritization map; this replaces prioritization maps used in previous editions.
  • Updated information on current laws, including the Jumpstart Our Business Startups (JOBS) Act and the Fixing America’s Surface Transportation (FAST) Act.
  • Updates about revenue recognition, including updated accounting standards from the Financial Accounting Standards Board (FASB). That includes a specific update, Revenue from Contracts with Customers, and the FASB’s recently issued new standard on accounting for leases.
  • A discussion about accurate forecasting and budgeting.
  • Updates on IT policy and process-related evaluations and activities.
  • A discussion about data security and privacy strategies and policies.
  • An update on the costs of becoming a public company, and an overview of the largest cost components.

Last but not least, it’s been our goal to make this guide as user-friendly as possible so that executives and managers can continue to consult it at every step of the process – let us know what you think in the comments.

And we will continue this conversation on April 26, in a webinar on the challenges faced by growing companies. You can register here.

The Company You Keep: A Case for Supplier Codes of Conduct

Bernie DonachieBy Bernie Donachie
Managing Director, Supply Chain Practice




Las Vegas tourism promoters used to promise, “What happens in Vegas, stays in Vegas.” It’s much harder to make such a claim these days, when even the most benign shenanigans are only a smartphone video away from global critique. Corporations are being held accountable, as well – not only by regulators, but by citizen journalists, activists, whistleblowers and customers, empowered by social media and the internet.

Companies are aware of this, and 92 percent have adopted formal codes of conduct for their organizations, according to a 2015 survey by Protiviti and the Economic Crime and Justice Studies Department at Utica College. According to that same survey, however, only a small fraction of those companies hold their vendors to the same standard, or even conduct reasonable due diligence on business practices – and that’s a problem.

In today’s collaborative economy, regulators (and consumers) recognize that companies are outsourcing everything from labor to IT infrastructure, and are holding the companies accountable for their vendors’ behavior. Witness the massive fines levied against global conglomerates under the Foreign Corrupt Practices Act. Consider recent personal data breaches attributable to third-party security lapses. In every instance, the corporation, and not only the vendor, was held accountable – especially in the court of public opinion.

Clearly, there is a case to be made for adopting – and enforcing – a supply chain “code of conduct,” establishing clear and communicated expectations for how suppliers will conduct their business – especially vendors authorized to act as agents on behalf of the organization. After all, it’s the company’s reputation and brand image that is at stake.

Codes of conduct are designed to prohibit any number of ethical lapses, including conflicts of interest, self-dealing, bribery and other inappropriate actions. They can be brief, although most are fairly detailed. A code of conduct is characteristically very concrete, delineating specific required and prohibited behaviors and practices. It differs from a code of ethics, which tends to deal more with principles and values and is difficult to enforce – although a code of ethics is often specified as a requirement of the code of conduct.

A code of conduct would typically address things like:

  • Human rights – requiring vendors to treat their workers with dignity and respect and provide proof of a penalty-free reporting mechanism for employees to report violations. This provision typically includes anti-discrimination, anti-harassment, compensation and hours, as well as prohibitions against forced labor and child labor.
  • Health and safety – including workplace temperatures, noise levels, ventilation, lighting, toilet facilities, safe working facilities and drinkable water.
  • Environment – setting standards for environmental sustainability.
  • Ethics – promoting fair trade and prohibiting corruption, unfair competition and conflicts of interest.
  • Other critical items, including financial integrity, confidentiality, regulatory compliance and social responsibility.

In the increasingly connected global economy, it is critical for organizations to look beyond fiscal imperatives and hold suppliers to the same ethical conduct expected of employees, management and directors. Of course, a code of conduct is only going to be as good as the intentions of the vendors who sign on to it. That’s where third-party audit comes in. And that’s a topic for another day.

IT Audit Benchmarking Webinar: David Brand and Robert Kress Answer Your Questions

David BrandRobert E. Kress (Accenture)By David Brand
IT Audit Global Practice Leader, Protiviti
Robert E. Kress
Managing Director, IT, Financial and Operational Audit, Accenture


It has been a few months since the release of Protiviti’s  5th Annual IT Audit Benchmarking Survey (conducted jointly with ISACA) – documenting the top tech challenges of executives and IT professionals around the world. We covered the highlights in a webinar and a blog post back in December. We’ve said a lot on the topic, online and offline, but what’s needed is a dialogue. To that end, we want to address some of the questions that were asked during our December webinar that we didn’t have time to address then. The questions are as relevant now as they were then, and will continue to be for some time. Protiviti’s David Brand and Accenture’s Bob Kress presented at the webinar and took the time to provide the answers below:

Q: What are some of the top customer relationship management (CRM) tools for risk assessments?

Bob: There are many reputable CRM systems in the market. We use the CRM contact management functionality to support our continuous risk assessment – tracking the people we have risk discussions with, scheduling meetings, tracking meeting notes and reporting. Accenture uses Microsoft Dynamics in a software-as-service model for this capability. This works well for us, as MS Dynamics interfaces directly with Office 365 Exchange for email, which enables easy scheduling and calendaring.

Q: Which framework would you recommend for IT audit? COBIT or COSO, or is there something else?

Bob: Accenture uses the COBIT framework for the IT risk universe. We use it to assess risk across all businesses and functions, with particular emphasis on those functions or businesses that contain IT infrastructure (e.g., data centers, hosting servers, networks) and those that manage confidential data. For IT audit reporting, we use the COSO framework to assess the severity of findings. The NIST cybersecurity framework is well-aligned with the major risk frameworks in the market, such as ISO, COBIT, and ISMS. NIST provides a comprehensive framework to assess cybersecurity and is becoming increasingly popular and accepted in the marketplace.

David: Frameworks are good tools to ensure that your thinking is broad enough to cover areas that might not be top-of-mind. But I’d also suggest that sticking to a single framework probably isn’t the right idea. You need to consider various frameworks that are out there and pick and choose the right framework components and points of focus that are going to work for your organization.

Q: For advisory projects, do you issue an audit report at the end of the project with detailed audit objectives and conclusions?

Bob: For advisory services projects we typically do not issue audit reports. Our observations and recommendations are communicated via a variety of forms, depending upon the nature of the advisory service. This includes a report, an email, verbally in review meetings, etc.

Q: Please elaborate more on the meaning of the term “integrated auditing.”

Bob: For Accenture, integrated audits typically combine an assessment of financial or operational risk and technology risk. A combined team of financial, operational and technology auditors is used for these audits.

Q: What are some best practices when developing an IT audit universe?

David: Start with an inventory of all the applications an organization has deployed, all the technology used to deliver products to market. List all of the databases, platforms, networks, etc. that those applications run on. Then look at all of the services required to manage all of those tools and infrastructure – user administration, configuration, patch management and so on. You really need to look at both halves – the technology infrastructure (software and hardware) and the processes that deliver and support the infrastructure, and assess the risk of each component. That gives you a bottom-up view of the technology risk environment. You also must seek to understand how technology supports and interacts with the achievement of the company’s strategies and objectives and how it is used to support key risk mitigation strategies. Mapping this thinking back to the infrastructure components and services inventoried above will provide you with a top-down view of technology risk. Both views are necessary to obtain a complete picture.

Q: Do you assess just inherent, or both inherent and residual risks, as part of the risk assessments? Would you recommend developing an audit plan based on inherent or residual risk rating of auditable unit risk rating?

David: Traditionally, we like to talk about inherent risk. The challenge is that a risk assessment is typically based on the perspectives of management, and getting management to understand the difference between inherent and residual risks, and divorce themselves from their knowledge of the control environment to answer in an inherent way, is too difficult. In other words, once a manager knows all of the controls that have been implemented to mitigate a risk, it is very difficult for that manager to step back and try to think philosophically about that risk and all of the things that are inherently risky about it, because that risk has already been addressed. So, I like to go in and talk about both the risks and the strength of the control environment, and then I can conduct audits from there.

Q: As you perform continuous risk assessments and note changes, do you issue a new risk assessment report with each change or just one annual report for the audit committee?

David: As you progress from performing annual risk assessments to performing assessments quarterly, or even continuously, you are not re-issuing risk assessment reports, but you might have a heat map or some other dashboard or indicator that is updated as the risk landscape changes. You’ll present risks to the audit committee based on that heat map – this is not really a report but more of an update, or a summarized updated view of risks. By the time you get to a true continuous risk monitoring model, there would no longer be a need for an annual report, because risks are being assessed and reported in real time.

Given the rapid and accelerating pace of change in data management, security and infrastructure, IT audit will continue to be a hot topic and one we will be monitoring closely, revisiting our survey results and webinars for more insights. In the meantime, feel free to share your experiences in the comment section below.