From the GAM Conference: Changing Priorities, Analytics in Auditing and More

This week, Protiviti is joining the best and brightest thought leaders from Fortune 500 companies at The Institute of Internal Auditors’ 2017 General Audit Management (GAM) Conference in Orlando, FL. For nearly 40 years, GAM has been the premier experience for internal audit leaders to explore emerging issues and exchange leading practices for positive outcomes. The theme for the 2017 conference is Fostering Risk Resilience. Two Protiviti leaders, Brian Christensen and Jordan Reed, will be conducting panel discussions on stakeholder expectations and the Internet of Things, respectively. We are covering these events and more from the conference here on our blog and on Protiviti’s social media platforms. Subscribe to our blog and follow us on Twitter for timely podcasts and analysis of this year’s conference topics.

 

On Day 2 of the conference, Protiviti Managing Director Jordan Reed shared some thoughts on the panel discussion titled “The Internet of Things: What Does This Mean to Internal Audit?” Jordan led the panel together with Jeff Rowland, Vice President, Audit Services at USAA. Below in Jordan’s own words are highlights from the discussion. For more on why the Internet of Things matters, and the risks and expectations arising from it, read the recently published Protiviti white paper (download).

Also hear Protiviti Managing Director and The Protiviti View blog host Jim DeLoach share his view on stakeholder expectations as reflected in the Global Internal Audit CBOK Stakeholder Study.

Finally, Protiviti Managing Director Matt McGivern discusses the current state of data analytics in internal auditing, including findings from Protiviti’s latest internal audit survey. Listen below.

Embracing Analytics in Auditing: New Protiviti Survey Takes a Look

In a digital world, the time for internal audit functions to embrace analytics is now. This is the most significant takeaway from Protiviti’s 2017 Internal Audit Capabilities and Needs Survey, released today. The results show that chief audit executives and internal audit professionals increasingly are leveraging analytics in the audit process, as well as for a host of continuous auditing and monitoring activities.

Learn more by watching our video below. For more information and our full report, visit www.protiviti.com/IASurvey.

From Tiny Tech to Populism: Latest Issue of PreView Scans the Global Risk Horizon

By Jason Daily, Director
Risk and Compliance

Imagine a DNA-programmed nanoparticle capable of hacking cancer cells, a plankton-sized carbon tube that can remove pollutants from water, or food packaging that changes color in the presence of dangerous bacteria. Nanotechnology, with a market predicted to reach almost $13 billion by 2021, has the potential to change the world, and every industry — from healthcare to the military — has a stake in its advances.

Use of Nanomaterials by Industry

With that potential, of course, comes risk. Nanotech may be applied in controversial ways — such as surveillance, or weapons capable of attacking people, plants or livestock at the molecular level. The technology is not visible to the naked eye, raising concern among some, who worry that self-replicating nanobots could destroy the planet if not properly controlled.

Nanotech is only one of the macro-level trends we’re watching as part of Protiviti’s ongoing PreView global risk series. We evaluate emerging risks according to the five global risk categories established by the World Economic Forum. In the January edition, in addition to nanotechnology, we consider the risk of a global water crisis and the “morality” of thinking machines, and we look ahead at the risk of marching populism and what cybersecurity means on a national and global scale.

WEF Global Risk Categories

The flip side of risk is opportunity. While governments and industries grapple with the shortage of fresh, clean water, particularly in developing countries, opportunities for water applications of nanotechnologies abound. As artificial intelligence increasingly replaces humans in making key decisions, opportunities to improve the underlying algorithms can translate into market share and increased profits for the early movers. And finally, with cyber the new warfare, governments and companies have an opportunity to stake a claim in the cybersecurity space by designing products, as well as policies, that protect both digital assets and societal freedoms.

Several of the topics in our current issue are a continuation from previous issues. This trend will continue, as the risks we are keeping an eye on evolve over time and their implications change, sometimes quickly. Whether continuing or newly emerging, such as populism, all of these risks are fascinating to follow, and imperative to take into consideration in mapping long-term business strategies. That’s probably one reason why our PreView series is among our most popular publications.

I encourage you to both read and share our latest issue with your board and executives, to spark discussion and help ensure these emerging risks are part of risk discussions. And, we encourage a discussion here as well. Tell us what you think in the comments.

Internal Audit Around the World: Collaboration, Technology and the Female CAE

By Susan Haseley, Managing Director
Internal Audit and Financial Advisory

Technology is creating new areas of risk for businesses, requiring a collaborative mindset and strong relationships to manage risk effectively. At the same time, technology is creating new opportunities to improve how internal auditors manage risk – opportunities that come with the same requirements of collaboration and relationship-building. These changes to the internal audit landscape are becoming evident at a time when more women than ever before have risen to positions of senior leadership.

In our twelfth annual edition of Internal Auditing Around the World, we explore the accelerating change wrought by technology as a source of opportunity and as a source of risk. We also decided to focus this year’s edition solely on the viewpoints of women leaders in internal audit. This combination of themes yields a fresh perspective on the growing drive to collaborate – with IT, business units, senior management and external partners – to leverage specialist knowledge, harness emerging technologies and build influential relationships as trusted advisers to the enterprise.

“Technology is going to completely change the way we audit,” says Kathy Swain, Vice President of Internal Audit at Horizon Blue Cross Blue Shield of New Jersey. “As more businesses are built entirely on technology, internal audit will need to follow suit.”

In no area is this more true than in data analytics, a technological innovation embraced by many of this year’s internal audit leaders as a way to continuously monitor for emerging risks and potential optimizations. At Nordstrom, business intelligence serves not only to support the internal audit function, but also to share insights relevant to business decision-makers.

“These insights will allow our team to become even better at what we’re already good at – risks and controls,” says Dominique Vincenti, Nordstrom’s Vice President of Internal Audit and Financial Controls. “They will also help us to underscore the direct value that the function is providing to Nordstrom in many other ways.”

Some internal audit groups take a different approach – they collaborate with external partners not only to gain access to specialized expertise, but also to leverage technologies not available in-house. “We’re not necessarily making huge technology investments,” says Julie Eason, CNL Financial Group’s Internal Audit Director. “When I don’t have the tech internally, I rely on my co-sourced partners.”

Last but not least, cybersecurity is a growing area of risk that has led internal audit functions to partner closely with IT. Monica Frazer, Vice President of Internal Audit for Baylor Scott & White Health, holds meetings with the chief information security officer at least once a month, and has new hires undergo extensive training in relationship-building skills. This emphasis on collaboration pays off, according to the surveys Frazer’s department holds after every audit. “We’re really viewed as a trusted business adviser,” says Frazer.

Mari Yonezawa, Chief Audit Executive at Obara Group, sums up this year’s theme well: “If auditors have strong communication skills, they can build good relationships, and the audits will go more smoothly.” Then she adds, “I think this is why women make good auditors. We tend to be effective communicators.”

The full volume of our 12th edition of Internal Audit Around the World is available here – peruse at your leisure and let us know your thoughts.

Data Analytics in Internal Audit: An Imperative That Can’t Wait

May is International Internal Audit Awareness Month. We are celebrating with a series of blog posts focused on internal audit topics and the daily challenges and future of the internal audit profession.

By Kyle Furtis
Managing Director,
Internal Audit and Financial Advisory practice

Data analytics is a hot topic for internal audit departments. In our most recent Internal Audit Capabilities and Needs survey, data analytics figured among the top ten priorities for internal audit professionals, and CAEs ranked big data and business intelligence their number one priority. When we concluded that internal audit has arrived at a tipping point, it’s fair to say that data analytics is one of the items sure to cause the precipitous changes in how we, as internal auditors, do our work.

The profession is aware that businesses are now more data-driven than ever before, and that not utilizing this data can be detrimental to the proper evaluation of risks and controls and, more importantly, meeting stakeholder expectations. Even so, many internal audit departments are still struggling to come up with a formal methodology for integrating data analytics into their work. A formal data analytics program has a mission and a purpose. It also specifies how data is to be identified, acquired and analyzed to determine potential breakdowns of selected controls. But how do you begin?

One recommendation, based on observing successful data analytics programs within internal audit, is to start in areas where you’re comfortable with the data – whether it’s account reconciliations, journal entries, payables, fixed assets, payroll, human resources or threshold/limit controls. It’s easy to test data based on information you’re comfortable with. Just start in an area where enhanced visibility into the underlying data can add value to internal audit findings.

An interesting example of how to begin came from one internal audit shop I worked with. One of the required steps in each audit was for auditors to explain why they didn’t analyze data when performing testing of internal controls. The auditor’s manager and the director of internal audit were also required to sign off on the explanation. The idea was that inserting that step into the audit program forces auditors to think about data in advance of the audit, knowing that they have to answer that question. They couldn’t just give a flip answer, such as “We didn’t have the time,” or “This type of audit is not conducive to data analysis.” It really forces the internal audit staff to think about the risks, the data behind the risks, and whether some data analysis is appropriate.

For those already thinking ahead in this manner, I suggest below a high-level road map that outlines what data analytics may look like in a few years, and how to get there:

  • In Year 1, define your objectives for data analytics and set the basics: Train staff, identify tools, access and normalize data. You may need to prove the value of data analytics through strategies such as pilot and proof-of-concept programs.
  • In Year 2, identify opportunities to fully embed data analytics in internal audit. Define the data-access model, establish key performance indicators (KPIs), and integrate ad hoc analysis.
  • In Year 3 (and perhaps beyond), fully embed data analytics, broadening its use within the organization, and move toward data governance.
  • Next, engage in continuous analytics, fully integrating the analytics program and establishing standard reporting practices. Enable access to analytics reports throughout the enterprise and increase the level of data governance.
  • Finally, introduce predictive analytics. This would be a new frontier for internal auditors, as predictive analytics is not 100 percent accurate, and, as auditors, we’re used to high precision and accuracy when we analyze data – but it will yield interesting results that you can use for discussion.

Incorporating data analytics into internal audit won’t happen overnight. It’s a multistage process, with components introduced over the course of several years. As with everything, the most important step is the first one – so get started on defining your objectives now. By following the road map outlined here, the benefits of more efficient and effective audits will not be too far down the road.

IT Audit Benchmarking Webinar: David Brand and Robert Kress Answer Your Questions

By David Brand
IT Audit Global Practice Leader, Protiviti
and
Robert E. Kress
Managing Director, IT, Financial and Operational Audit, Accenture

It has been a few months since the release of Protiviti’s 5th Annual IT Audit Benchmarking Survey (conducted jointly with ISACA) – documenting the top tech challenges of executives and IT professionals around the world. We covered the highlights in a webinar and a blog post back in December. We’ve said a lot on the topic, online and offline, but what’s needed is a dialogue. To that end, we want to address some of the questions that were asked during our December webinar that we didn’t have time to address then. The questions are as relevant now as they were then, and will continue to be for some time. Protiviti’s David Brand and Accenture’s Bob Kress presented at the webinar and took the time to provide the answers below:

Q: What are some of the top customer relationship management (CRM) tools for risk assessments?

Bob: There are many reputable CRM systems in the market. We use the CRM contact management functionality to support our continuous risk assessment – tracking the people we have risk discussions with, scheduling meetings, tracking meeting notes and reporting. Accenture uses Microsoft Dynamics in a software-as-service model for this capability. This works well for us, as MS Dynamics interfaces directly with Office 365 Exchange for email, which enables easy scheduling and calendaring.

Q: Which framework would you recommend for IT audit? COBIT or COSO, or is there something else?

Bob: Accenture uses the COBIT framework for the IT risk universe. We use it to assess risk across all businesses and functions, with particular emphasis on those functions or businesses that contain IT infrastructure (e.g., data centers, hosting servers, networks) and those that manage confidential data. For IT audit reporting, we use the COSO framework to assess the severity of findings. The NIST cybersecurity framework is well-aligned with the major risk frameworks in the market, such as ISO, COBIT, and ISMS. NIST provides a comprehensive framework to assess cybersecurity and is becoming increasingly popular and accepted in the marketplace.

David: Frameworks are good tools to ensure that your thinking is broad enough to cover areas that might not be top-of-mind. But I’d also suggest that sticking to a single framework probably isn’t the right idea. You need to consider various frameworks that are out there and pick and choose the right framework components and points of focus that are going to work for your organization.

Q: For advisory projects, do you issue an audit report at the end of the project with detailed audit objectives and conclusions?

Bob: For advisory services projects we typically do not issue audit reports. Our observations and recommendations are communicated via a variety of forms, depending upon the nature of the advisory service. This includes a report, an email, verbally in review meetings, etc.

Q: Please elaborate more on the meaning of the term “integrated auditing.”

Bob: For Accenture, integrated audits typically combine an assessment of financial or operational risk and technology risk. A combined team of financial, operational and technology auditors is used for these audits.

Q: What are some best practices when developing an IT audit universe?

David: Start with an inventory of all the applications an organization has deployed, all the technology used to deliver products to market. List all of the databases, platforms, networks, etc. that those applications run on. Then look at all of the services required to manage all of those tools and infrastructure – user administration, configuration, patch management and so on. You really need to look at both halves – the technology infrastructure (software and hardware) and the processes that deliver and support the infrastructure, and assess the risk of each component. That gives you a bottom-up view of the technology risk environment. You also must seek to understand how technology supports and interacts with the achievement of the company’s strategies and objectives and how it is used to support key risk mitigation strategies. Mapping this thinking back to the infrastructure components and services inventoried above will provide you with a top-down view of technology risk. Both views are necessary to obtain a complete picture.

Q: Do you assess just inherent, or both inherent and residual risks, as part of the risk assessments? Would you recommend developing an audit plan based on inherent or residual risk rating of auditable unit risk rating?

David: Traditionally, we like to talk about inherent risk. The challenge is that a risk assessment is typically based on the perspectives of management, and getting management to understand the difference between inherent and residual risks, and divorce themselves from their knowledge of the control environment to answer in an inherent way, is too difficult. In other words, once a manager knows all of the controls that have been implemented to mitigate a risk, it is very difficult for that manager to step back and try to think philosophically about that risk and all of the things that are inherently risky about it, because that risk has already been addressed. So, I like to go in and talk about both the risks and the strength of the control environment, and then I can conduct audits from there.

Q: As you perform continuous risk assessments and note changes, do you issue a new risk assessment report with each change or just one annual report for the audit committee?

David: As you progress from performing annual risk assessments to performing assessments quarterly, or even continuously, you are not re-issuing risk assessment reports, but you might have a heat map or some other dashboard or indicator that is updated as the risk landscape changes. You’ll present risks to the audit committee based on that heat map – this is not really a report but more of an update, or a summarized updated view of risks. By the time you get to a true continuous risk monitoring model, there would no longer be a need for an annual report, because risks are being assessed and reported in real time.

Given the rapid and accelerating pace of change in data management, security and infrastructure, IT audit will continue to be a hot topic and one we will be monitoring closely, revisiting our survey results and webinars for more insights. In the meantime, feel free to share your experiences in the comment section below.

PreView: Checking the Rearview Mirror and Looking Ahead

In risk management, like driving, the safest way forward is to keep your eyes on the road ahead. Every now and again, however, it’s a good idea to check your mirrors. That’s the premise behind the latest issue of PreView, Protiviti’s ongoing series on emerging risks. In our first ever “look-back” edition, we revisit some of the risks we’ve highlighted since we initiated the series in early 2014. We often advise our clients to do a look back on their risk assessments, so it is appropriate for us to take our own medicine. Risks evolve, and checking to see whether we were on track with our predictions is worth the time and effort.

A little background: PreView is a “big picture” publication that focuses on macro-level emerging risks, classified according to the World Economic Forum’s five global risk categories – economic, technological, environmental, societal and geopolitical. Protiviti’s Risk and Compliance Solutions team scans the risk landscape and selects risks they believe have the potential to fundamentally change the profile portrayed in those risk categories.

The risks we revisited in the latest issue include municipal financial instability, Big Data, mobile banking and social media lending. Here, in short, is how these risks have evolved:

Municipal Financial Instability – In December 2014, we warned of municipal instability stemming from a decline in investor appetite for municipal bonds following a wave of defaults. We also warned of a pending debt crisis in Puerto Rico.

Update: Puerto Rico has defaulted on its debt in a case that is currently before the U.S. Supreme Court. At issue: The unprecedented possibility of a state-level debt restructuring – previous restructurings in the United States have all been at the municipal level. What to watch for: If the Supreme Court allows Puerto Rico to restructure its state debt, the bond market will turn a wary eye on the State of Illinois, which is experiencing its own financial crisis.

Big Data – In 2014, “big data” and machine-to-machine communication via the Internet of Things were all the buzz, and we cautioned against over-investing in data analytics without a clear quantification of benefits. We also called for strong data governance, security and management.

Update: Big Data and data analytics have moved from the fringe and into the mainstream due in part to the rapid expansion and dropping costs of data storage, cloud infrastructure and high-speed Internet bandwidth. Using this readily available data strategically promises to fundamentally change everything, from pizza delivery to health care. Big Data also has become the backbone of modern cybersecurity. And 79 percent of business leaders agree that companies that do not adopt Big Data will lose their competitive position and may face the possibility of extinction.

Mobile banking – In our first two issues of PreView, we noted the increasing popularity of mobile banking and suggested that successful financial institutions in the future would be those that found a way to integrate mobile banking and other banking options with traditional brick-and-mortar branch operations to allow customers to choose from multiple ways to conduct their banking.

Update: Trends have continued to show that consumers are interested in an “omni-channel” experience, where they can choose among different banking options, depending on their needs. In addition, nontraditional competitors such as PayPal, Amazon Payments and others continue to disrupt the market and threaten the relationship between the consumer and his or her bank. Cybersecurity and regulatory compliance remain key risks.

Social media lending – In January 2014, we predicted that an individual’s reputation on social media platforms, rather than their traditional credit score, could become a growing basis for lending. In addition, we anticipated that social media lending would create unique and complex fair-lending compliance issues and increase reputation risk with consumers. Lastly, we stated that social media disclosures and behavior might provide lenders with a source for validating information and a predictive profile of creditworthiness in the underwriting process.

Update: We hit two out of three right, as social media lenders in the United States entered and left the market, failing to pass the fair-lending standard. Target customers for this service today seem to be young entrepreneurs outside the United States who are shut out of traditional lending by a lack of a comprehensive credit history.

I know that this short overview doesn’t come close to doing these topics justice. For a more in-depth analysis and bibliographic links, download our Volume 3, Issue 1. In our next edition, we’ll continue to look forward: Technology enabled disruption in financial services, natural resources sustainability and competition, political shifts and climate change effects on the economy are among the topics on our radar. We hope you stay engaged with us to navigate these risks.

Jim