Cybersecurity, Automation, Next-Gen Audit Skills: Key Themes From the SIFMA IAS Conference

Evolving cybersecurity and operational challenges continue to reshape internal audit and risk and compliance functions. On October 27-30, the SIFMA Internal Auditors Society hosted its annual internal audit conference in Miami, exploring topics ranging from audit fundamentals, to intelligent automation, analytics and auditing cyber. Protiviti Managing Director Doug Wilbert from our Risk and Compliance practice and Carl Hatfield, Managing Director in our Internal Audit practice, co-hosted a breakout session on the topic of business resilience with Maz Kothari, Managing Director at JPMorgan Chase and Amy Shanle, Global Head of Enterprise Resiliency Strategy at BNY Melon. Rick Magliozzi, Managing Director in our Internal Audit practice, attended the event. Below is an overview from Rick of the key themes and discussions that emerged from the two-day conference.

SIFMA IAS Annual Conference – Rick Magliozzi
November 5, 2019

Kevin Donahue: Hi. This is Kevin Donahue with Protiviti, happy to welcome you to a new edition of Powerful Insights. I’m pleased to be talking today with Rick Magliozzi. Rick is a managing director with Protiviti with our internal audit and financial advisory practice based in New York. Rick just attended the SIFMA Internal Audit Annual Conference, which obviously focused on some of the different internal audit issues, changes happening, especially within the financial services industry, and I’m happy that Rick could join me to share some of his insights with me.

Rick, thanks for jumping on here.

Rick Magliozzi: Hi, Kevin. Yes. I know, it’s great. Appreciate you having me.

Kevin Donahue: Rick, as I just mentioned, I know you were at the conference. Tell me a little bit about it and some of the things you were talking to folks about and some of the key takeaways you had from the event.

Rick Magliozzi: Sure, not a problem. Well, Kevin, it was a very exciting conference. First of all, it was held in Miami and we experienced beautiful weather in October. This conference was very well attended, probably 250 FSI IA professionals from firms of the likes of J.P. Morgan, Goldman Sachs, Bank of New York Mellon, and Guggenheim, just to name a few. I’m not sure if you are aware but I’m also on the SIFMA Advisory Board and I was on the planning committee for this event and was able to secure both our own Carl Hatfield, Managing Director, and Doug Wilbert, Managing Director, speaking also at the event on operational resiliency and they did a great job. Again, Kevin, there were a lot of really exciting things going on in IA today.

That was just a little background, but you asked also about some of the key topics and takeaways. Cybersecurity, top of mind. Cybersecurity is top of mind I think on every audit committee that I attend in terms of high-risk area. In fact, one of the speakers said that bad folks in Iran, Russia, China can collaborate and within 20 minutes hack about any site that’s out there, so it’s scary times but cyber risk and what to do in case of a breach still are high on the minds of auditors and the audit committee, as well as developing robust risk assessments. That was another common theme.

But Kevin, I think probably automation was the key theme that dominated the conversation both on and off the stage. It’s pretty cool that we’re able to see how RPAs are now being used to identify payment limits, that they aren’t exceeded; that traders are kept in check on their trade limits; notifications go out real-time as a result of these things. There’s just a lot going on with the RPAs and trade authorization area, as well as giving us the ability to look at whole populations in cases in much less time that it used to take us to look at manual samples. RPAs continue to be a focus. They’re developing – one speaker mentioned that they’re even used for issue trackers to identify what the root causes of the issues were and, of course, let’s not forget common staples of AML/BSA and stocks testing. RPAs are used there extensively.

We’re doing a lot more smart auditing, Kevin. That was a common theme. They talked quite a bit about smart auditing and how we can go at the riskier areas and cover more traditional or more transactional data using automation, and the benefits were extensive in terms of being more efficient and effective auditors. Automation definitively was a key topic and theme.

Another key area of focus that struck me was people and their evolving skills. They continued to talk about how auditors are changing their skills, how those skills, both now and in the future, need to really be heavily weighted more to IT or technology skills, and that needs to be in the DNA of all our people. The skills of the auditor of the future really will continue to evolve, and one CAE mentioned that she was doing a lot more hiring of data analytics folks, data scientists, people with engineering degrees or more complicated or more complex backgrounds.

This is another thing in terms that they talked a little bit more. They talked a little bit more about auditors being innovators. Now, where have we heard that before? I’ll have to ask someone from the Protiviti end. Innovation is a trend, Kevin, and automation is a license for those auditors to have permission to get creative and audit it. We’re seeing many CAEs who are giving their people really the ability to color outside the line. They’re using audit tools to adjust the audit approach and the new members of the teams continue to be really part of the innovative solutions. Again, we keep seeing the trend is around automated tools, end-to-end automated tools to improve efficiencies in audits, developing D&A, data analytics teams in both big and small shops, and then more training around these more complicated areas. People need to get the skills in data analytics and understanding of those automated tools again in their DNA, and that continues to evolve within internal audit.

The trend, the war for talent, Kevin, continues to be especially in areas like data analytics and cybersecurity. It continues to be a big area of focus and we’re seeing more companies focus on to beef up their recruiting, their talent, robust risk assessment and training programs, and maintaining the skills around that. Those are some of the bigger ticket items.

One or two other items that I think were probably noteworthy coming out, or takeaways coming out of the conference, was cross-functional collaboration. It was another topic or issue, right? IA working collaboratively with the first-line to develop remediation solutions, control enhancements and the like, so emphasis was placed on getting IA involved early, not late in the game.

Then I think one of the final things that I noted was another key goal, a trend coming out of it was really – that permeated throughout the conference was getting to a continuous monitoring state, really going after big data and doing a lot of continuous testing and, again, to innovation and automation tools and our people, that’s how we’re going to get there.

All right. A little exhausted after all that. That’s what I had as some of the key takeaways, Kevin.

Kevin Donahue: That’s a great rundown, Rick, and I can’t help but think of the fact that of all the themes you touched on, I think we cover in our next generation internal audit model and approach. You can find more information on that at

Rick, thanks for jumping on and joining me today. Clearly, a lot going on in the industry and a lot happening from that event so, again, thank you.

Rick Magliozzi: Kevin, it has been my pleasure debriefing on the SIFMA Annual Conference with you, and I really appreciate it.

– End of Recording –

1 comment