Commitment to Equality Promotes Trust and Growth: Protiviti Celebrates Pride Month

By Steven Stachowicz, Managing Director
Risk and Compliance




As we progress through June, which is traditionally pride month for the lesbian, gay, transgender and bi-sexual (LGBT+) community, I want to take a moment to reflect on Protiviti’s commitment to the LGBT+ community and our employees, and share my thoughts on the value of diversity, and my experience as an out and proud executive within our firm.

At Protiviti, we know that diversity of ideas and experiences is essential to fulfilling our promises to our people and developing and maintaining a truly global, collaborative and diverse workforce. We strive to deliver an exceptional experience to our people, our clients and our communities. We know that we are stronger because of our inclusive work environment, where employees see one another’s uniqueness as assets and strengths. Stephen Covey, in his best-selling book, The Seven Habits of Highly Effective People, noted that valuing and respecting differences is “the essence of synergy,” because diverse individuals working together can bring their individual experience to the table, build on each other’s strengths, and produce far better results than they could individually. Diversity of thought is critical to the professional development of our people, the creativity, innovation and value we bring to our clients in the marketplace, and the way we engage with our communities as a responsible corporate citizen.

We work hard every day to be an inclusive organization, and so we are very proud that our parent company, Robert Half International, received a perfect score of 100 on the 2017 Corporate Equality Index (CEI). The CEI is a national benchmarking survey and reports on corporate policies and practices related to LGBT+ workplace equality, administered by the Human Rights Campaign (HRC) Foundation. The CEI criteria reflect leading policies, benefits and practices for the LGBT+ workforce and their families. These criteria are based on the notion of parity rather than prescription, and the CEI helps us know if we are achieving our goals to address the needs of the LGBT+ communities.

From an organizational standpoint, support is key to building a community. By promoting an environment of inclusion, all employees are respected and valued as demonstrated by equal access to opportunity and advancement reflected in our policies and programs. Our ProPride employee network group began in 2014 in the U.S., and now includes nearly 200 employees globally. This group, under the leadership of Philip Maziarz, Patrick Luong and Belton Flournoy, has made a tangible difference in promoting awareness within our organization and providing support to our LGBT+ employees and allies in their professional development through networking and mentoring. This outreach extends to Protiviti’s recruiting efforts, our community service through participation in AIDS Walks, and so much more.

Organizations that embrace inclusivity and diversity realize positive economic impacts. This should be common sense – people who feel comfortable within their companies tend to stay longer (reducing attrition rates), demonstrate increased productivity, and have less difficulty finding valuable mentorship and social networks. Research bears out this truth; these factors stimulate growth within organizations while reinforcing the fundamental principle – treat people the way you would want to be treated.

As a new Managing Director, I look back on my career with Protiviti and am thankful for all of the support that I have received over the years. I have grown in this organization “in my own skin,” as my authentic self, within my project teams and management teams, at my clients’ locations, social events, holiday parties, baseball games and in my day-to-day interactions with my leadership team and colleagues. I was recently engaged and married and am taking steps to form my own family, and the continued outpouring of congratulations and support has been and continues to be humbling.  I am closer to my coworkers and clients because of this, and have not once felt anything other than a strong sense of belonging.

However, it isn’t enough that I am grateful for the support I’ve received.  I believe it is important that I give back – that we give back. That we support others and truly listen to them and encourage them to be authentic in all aspects of their lives. That we work to promote awareness and understanding that we are all different, yet equally worthy of opportunities. That we actively recognize and value differences and diversity. That we communicate to the broader LGBT+ community, including among our peers, employees and clients, how we can support them, and why earning the CEI recognition is valuable to us and to them.

In other words, we must continue to be agents of change.

I am proud that Protiviti’s core values and vision embrace diversity and inclusion, and am proud to be a part of the firm.

From all of my LGBT+ colleagues and allies at Protiviti, happy pride month!

2016 Was an Eventful Year – This Is How We Covered It

As 2016 comes to a close, I want to look back on the events that made this year unique in ways both rewarding and challenging – and summarize the topics Protiviti professionals discussed, and our readers engaged with, here on The Protiviti View.

Perhaps the most seminal events of 2016 with the biggest implications were Brexit and the election of Donald Trump as president. The Brexit was brought about by sovereignty and immigration issues as those who voted to leave the European Union believed the UK – and no one else – should address UK-related decisions and control over its own borders. The U.S. presidential election arose from many issues such as immigration, trade, healthcare reform and jobs, among others.

We covered the implications of these events, both general and industry-specific, in special reports (here and here) and on the blog (here and here). But other events made waves too – record-setting security breaches across industries, including massive unauthorized release of financial data from offshore accounts, and DDoS attacks enabled by the Internet of Things.

In technology, Google’s AI robot AlphaGo defeated GO champion Lee Sedol, and Uber launched its fleet of driverless cars despite some opposition. Both of these events speak to the future of artificial intelligence, an emerging risk we continue to track in our PreView newsletter). Also in technology, the financial services industry seems poised for change and excited by the possibilities of new financial technology in payments, compliance and more.

Finally, natural disasters and viral diseases like the Zika virus created real economic damage, raising questions about resource availability and business continuity planning. We summarized the potential implications of these unpredictable business disruptors here.

Given the flavor of events this year, it is not surprising our top two most read blog posts had to do with cybersecurity and cyber awareness. Our third most popular blog had to do with money laundering and increased regulatory scrutiny in that area.

The posts that saw the most love on social media were submitted by our fraud investigation experts and focused on fraud prevention and fraud risk management. 2016 was a big year in fraud, as the much-awaited Fraud Risk Management Guide was released by COSO and the FCPA launched its Pilot Program. (Also, SEC gave six out of its 10 highest whistleblower awards this year).

Also widely shared was anything related to cybersecurity and the protection of personal identity, an issue that continues to affect billions of people and to which no company or entity seems to be immune.

This is plenty to look back on and think about in planning for the new year. Once again, I want to thank both our readers and contributors for their participation and engagement. We look forward to continuing these conversations in 2017.

Jim DeLoach

New Evaluation Tool Enables Boards to Assess and Improve Their Risk Oversight

Jim DeLoach

By Jim DeLoach, Managing Director




Prudent risk-taking is essential to the success of organizations seeking market opportunities and executing aggressive growth strategies. Boards of directors have a growing role in overseeing risk in the companies they govern. In fact, risk oversight is an integral part of a board’s responsibility to ensure the company’s risk profile is aligned with its strategy. Yet according to a NACD study, only three of 10 directors have sufficient knowledge and understanding of their board’s emerging risks.

Identifying and understanding emerging risks is critical, as directors know that disorder and disruption are no longer the exception but the norm. Resilient organizations are the ones that are most likely to survive and thrive in this changing world, and boards play a key role in fostering resiliency in the companies they serve. Investors and regulators are recognizing the importance of boards taking an active approach to risk oversight and applying leading risk oversight practices. Every board has an opportunity to disclose beyond the boilerplate in the proxy statement.

Because it is imperative that directors stay educated about new and emerging risks, we believe that boards should evaluate the effectiveness of their risk oversight practices from time to time. This evaluation is made more effective when it is accompanied by an effective process and insights that provide directors assurance that the evaluation exercise is sufficient and sound. That’s why Protiviti is excited to collaborate with The Board Institute (TBI) in developing the TBI Protiviti Board Risk Oversight Meter to boards desiring to enhance and improve their risk oversight process.

The TBI Protiviti Board Risk Oversight Meter is a recent addition to The Board Institute’s suite of world-class, validated tools. It is unique in that it offers a flexible, cost-effective method for boards to self-evaluate their risk oversight in an objective, participatory exercise. Participants, who include directors and others chosen by the board, can provide input regarding the board’s processes using a web-based tool which saves time and simplifies the usual logistics to conducting board self-evaluations. It also allows participants to contribute their responses according to their own schedules.

Using the information gathered, the tool generates results in a robust, insightful and actionable report that highlights not only the board’s strengths in overseeing risk, but also the areas where the board can improve its practices. In this regard, the report includes quantitative and qualitative information, as well as anonymous commentary that provides further color and context to the results. Additionally, the report benchmarks against best practices and validates the quality of risk oversight considering the expectations of key constituencies in the marketplace. The overlay of best practices and market information enables directors’ confidence, by making it possible for them to come up to speed quickly and improve their risk oversight continuously in these rapidly changing times.

What I like most about the TBI Protiviti Board Risk Oversight Meter is that it not only supports a board best practice (i.e., periodically self-evaluate the board’s effectiveness), but mirrors how boards execute that practice. Having assisted boards with their self-assessment exercise, I particularly like how the tool can facilitate dialogue among directors as to where, how and why to improve their risk oversight process. That is what you look for in a tool of this nature in the board space. And because assessments can be repeated, the oversight process can be refreshed continually to stay current with a dynamic business environment.

Are you focused on improving risk oversight at your company? Engage in a dialog with us. To learn more, click here.

Internal Audit at a Tipping Point and Ten-Year Trends

May is International Internal Audit Awareness Month. We are Internal Audit Awareness Month logocelebrating with a series of blog posts focused on internal audit topics and the daily challenges and future of the internal audit profession.


Brian Christensen - Protiviti PHX 2012_Low ResBy Brian Christensen
Internal Audit Global Practice Leader




In the tenth year of our Internal Audit Capabilities and Needs Survey, we believe internal audit has arrived at a tipping point. The issue is no longer whether or not your function is evolving, but rather how quickly and effectively it is transforming for the future toward a more strategic, collaborative and data-driven operation while maintaining the highest performance quality. As an additional insight for our readers, our latest annual survey this year includes 10-year trend data to illustrate top priorities and how they have evolved, dating back to when we began conducting the survey in 2007.

Here are the most significant changes our trend data revealed:

  • Tech versus technique. The most apparent difference between 2016 and 2007 is that all of the priorities in 2016 are tied to data and technology, while all of the priorities of 2007 were tied to technique – from mastery of the COSO Enterprise Risk Management Framework to compliance with international reporting standards.
  • Agile versus rigid. In 2007, mastery of the highly structured Six Sigma project management methodology was one of the top technical needs in our survey results. In 2016, that same level of priority is being placed on less-structured, agile methodologies, reflecting the increasingly dynamic nature of risks today.
  • Big Data versus information. Data security/information security emerged as a top concern in our 2008 survey. Back then, the primary focus was on protecting trade secrets and intellectual property. Today, it is more about data utilization. And although the phrase “Big Data” has yet to appear among internal audit’s top priorities, it is represented on the list in 2016 as the Internet of Things – a growing trend that promises to disrupt everything, from demand planning to health care.
  • External versus internal. At the time of our first survey, all of the top capabilities and needs were focused internally, and many centered on the internal audit function’s emergent role in enterprise risk management. In the past three years, almost all of the top capabilities and needs reflect strategic responses to external threats and a changing risk landscape.
  • Consultant versus constable. This outward-turning focus is indicative of the internal audit profession’s growing focus on strategic risk management and consultative value creation. Practitioners have long talked about moving away from the traditional policing and compliance role. This changing perspective is strong evidence of the progress that has been made along those lines.

One important observation from this year’s survey: We have, without a doubt, entered the age of the Internet of Things – an era of machine-to-machine communication where the amount of data in the world has entered an exponential upward climb. The threat window from misuse of this data has narrowed to real time. And the only way to even begin to manage such a risk is to invest in and master data analytics. This is mission-critical.

Internal audit knows that. Year after year, for the past five years, we’ve seen data analysis technologies show up in our surveys as a critical deficiency. An optimistic interpretation of this trend would be that the profession is attuned to this critical threat and it therefore weighs heavily on the minds of respondents. A less optimistic interpretation is that internal audit lacks either the knowledge or the resources, or both, needed to deal with a recognized threat.

The reality, in our experience, is that data analytic capabilities in a majority of internal audit departments have not kept pace with the speed of risk. The tipping point, however, has been reached. This risk is on the run, and unless we, as a profession, act now to aggressively address this deficiency, there is a substantial risk of failure. It’s not often we are given such an imperative. Now is one of those times.

What do you think it will take to meet the challenge? Please share in the comments.

The full survey report, video, podcast and infographic can be accessed here.

PreView: Checking the Rearview Mirror and Looking Ahead

In risk management, like driving, the safest way forward is to keep your eyes on the road ahead. Every now and again, however, it’s a good idea to check your mirrors. That’s the premise behind the latest issue of PreView, Protiviti’s ongoing series on emerging risks. In our first ever “look-back” edition, we revisit some of the risks we’ve highlighted since we initiated the series in early 2014. We often advise our clients to do a look back on their risk assessments, so it is appropriate for us to take our own medicine. Risks evolve, and checking to see whether we were on track with our predictions is worth the time and effort.

A little background: PreView is a “big picture” publication that focuses on macro-level emerging risks, classified according to the World Economic Forum’s five global risk categories – economic, technological, environmental, societal and geopolitical. Protiviti’s Risk and Compliance Solutions team scans the risk landscape and selects risks they believe have the potential to fundamentally change the profile portrayed in those risk categories.

The risks we revisited in the latest issue include municipal financial instability, Big Data, mobile banking and social media lending. Here, in short, is how these risks have evolved:

Municipal Financial Instability – In December 2014, we warned of municipal instability stemming from a decline in investor appetite for municipal bonds following a wave of defaults. We also warned of a pending debt crisis in Puerto Rico.

Update: Puerto Rico has defaulted on its debt in a case that is currently before the U.S. Supreme Court. At issue: The unprecedented possibility of a state-level debt restructuring – previous restructurings in the United States have all been at the municipal level. What to watch for: If the Supreme Court allows Puerto Rico to restructure its state debt, the bond market will turn a wary eye on the State of Illinois, which is experiencing its own financial crisis.

Big Data – In 2014, “big data” and machine-to-machine communication via the Internet of Things were all the buzz, and we cautioned against over-investing in data analytics without a clear quantification of benefits. We also called for strong data governance, security and management.

Update: Big Data and data analytics have moved from the fringe and into the mainstream due in part to the rapid expansion and dropping costs of data storage, cloud infrastructure and high-speed Internet bandwidth. Using this readily available data strategically promises to fundamentally change everything, from pizza delivery to health care. Big Data also has become the backbone of modern cybersecurity. And 79 percent of business leaders agree that companies that do not adopt Big Data will lose their competitive position and may face the possibility of extinction.

Mobile banking – In our first two issues of PreView, we noted the increasing popularity of mobile banking and suggested that successful financial institutions in the future would be those that found a way to integrate mobile banking and other banking options with traditional brick-and-mortar branch operations to allow customers to choose from multiple ways to conduct their banking.

Update: Trends have continued to show that consumers are interested in an “omni-channel” experience, where they can choose among different banking options, depending on their needs. In addition, nontraditional competitors such as PayPal, Amazon Payments and others continue to disrupt the market and threaten the relationship between the consumer and his or her bank. Cybersecurity and regulatory compliance remain key risks.

Social media lending – In January 2014, we predicted that an individual’s reputation on social media platforms, rather than their traditional credit score, could become a growing basis for lending. In addition, we anticipated that social media lending would create unique and complex fair-lending compliance issues and increase reputation risk with consumers. Lastly, we stated that social media disclosures and behavior might provide lenders with a source for validating information and a predictive profile of creditworthiness in the underwriting process.

Update: We hit two out of three right, as social media lenders in the United States entered and left the market, failing to pass the fair-lending standard. Target customers for this service today seem to be young entrepreneurs outside the United States who are shut out of traditional lending by a lack of a comprehensive credit history.

I know that this short overview doesn’t come close to doing these topics justice. For a more in-depth analysis and bibliographic links, download our Volume 3, Issue 1. In our next edition, we’ll continue to look forward: Technology enabled disruption in financial services, natural resources sustainability and competition, political shifts and climate change effects on the economy are among the topics on our radar. We hope you stay engaged with us to navigate these risks.


A Farewell to Michael Oxley

Staunch champions of corporate governance and fair financial reporting lost a friend over the holidays with the passing of former U.S. Rep. Michael Oxley on January 1. The Ohio Republican, co-author, with Democratic Senator Paul Sarbanes, of the landmark Sarbanes-Oxley Act of 2002 (SOX), was an ethical stalwart and strong advocate and warrior for corporate oversight and accounting reform.

SOX, drafted in response to a spate of high-profile corporate frauds around the turn of the century, significantly impacted the modern corporate governance landscape by elevating internal control over financial reporting to a top corporate priority. For anyone who entered the professions of accounting, finance, internal auditing and consulting after 2002, SOX has always been the law of the land. But those of us who remember the scandals of the Enron era can attest to the enormous problem placed on the doorstep of Congress at the time.

There are those who argue that SOX is excessively burdensome and overdone and, in essence, an overreaction to the acts of a few. But here’s the skinny: There were too many examples of egregious abuses. As a result of the bad behavior of an unscrupulous minority of executives, shareholders suffered significant losses, people lost their life savings and overall confidence in the capital markets waned dangerously. In the United States, a situation like this gives Congress a strong political will to act. And act they did. SOX is a compendium of the abuses of the Enron era. The law reads as if Mr. Oxley, Mr. Sarbanes and their authorship team listed all of the high-profile abuses on a whiteboard and then designed mechanisms to address each one. They did what they had to do to solve the problem they were faced with. In doing so, they sent a powerful message of accountability for fair public and financial reporting.

SOX certainly isn’t perfect, but it has stood the test of time. After an initial period of adjustment and the pains of a very messy learning curve following the law’s enactment, the increased emphasis on internal controls has resulted in a precipitous decline in restatements of financial statements. According to studies by Audit Analytics, the number of restatements has declined significantly since its 2006 peak. More importantly, the number and severity of accounting issues underlying each restatement also have declined. That’s good news.

SOX also created the Public Company Accounting Oversight Board (PCAOB) and popularized the COSO Internal Control – Integrated Framework. That Framework had been around since 1992 but it wasn’t used widely. When SOX Section 404 required an evaluation of the effectiveness of internal control over financial reporting, the Securities and Exchange Commission required “a suitable framework” to support that assessment. All heads turned to the COSO Framework, treating it as the only game in town. Today, the Framework is used by almost all issuers and their external auditors as a basis for their SOX Section 404 evaluations.

While debate on the relative costs and benefits of SOX Section 404 continues, there is empirical evidence that the capital markets place significant value on strong internal control. An earlier study released in May of 2006 by Lord & Benoit reported that shareholders benefit when companies have effective internal control over financial reporting. To illustrate, for the period from March 31, 2004 to March 31, 2006, the Russell 3000 share index increased by 17.7 percent. The Lord & Benoit study found that companies reporting no material weaknesses for either 2004 or 2005 enjoyed a 27.7 percent increase in share price. Companies reporting material weaknesses in 2004 but no material weaknesses in 2005 experienced a 25.7 percent increase in share price. However, companies reporting material weaknesses in both 2004 and 2005 suffered a 5.7 percent decline in share price. Therefore, the companies that reported that their internal control over financial reporting was ineffective both years experienced poorer performance in their stock price relative to the companies that did not.

Some have questioned the value of SOX, arguing that it did not prevent the financial crisis. The truth is that SOX wasn’t designed to prevent a crisis of this nature. The financial crisis was a systemic breakdown on a number of fronts involving an entire industry – a virtual “perfect storm.” To elaborate further on whether or not SOX could have prevented such a storm would detract from the message of this post. Suffice it to say that SOX doesn’t mandate how financial institutions are run, how risks are managed and when CEOs and their boards need to take a fresh look at the validity of the critical assumptions underlying their corporate strategy and business model.

SOX continues to fulfill its purpose, and Michael Oxley should be credited for the cultural change he enabled with this landmark legislation. He was a true statesman, a Republican who reached across the aisle to work with his fellow Democratic legislative partner, Paul Sarbanes, to enhance corporate management accountability to shareholders at a time when the reliability of public financial statements was called into question. These two men stepped into the arena as their country watched, with everyone knowing that something had to be done. Today, with forward progress in Washington D.C. so often hamstrung by partisan gridlock and intransigence, Sarbanes-Oxley shines as an example of what can be done when our elected officials come together to work for the common good.

Michael Oxley performed admirably when he had his moment in the legislative arena. He will be missed.


2015 Wrap-up: It’s Been a Great Year, Thanks to You

Before the ball drops in Times Square to usher in a new year, I wanted to revisit some of the high points of 2015 here on this blog, and thank you for your participation and readership.

A couple of observations:

  • You’re consistent. This year’s most-viewed blog entries tended to be those tied to risk, change, and cybersecurity. That aligns with the key areas of interest expressed in several of our surveys this year, including our Internal Audit Capabilities and Needs Survey, our Executive Perspectives on Top Risks Survey, the IT Priorities Survey, and the 2016 Finance Priorities Survey.
  • You’re forward-thinking. The topics of disruptive innovation and emerging trends received plenty of attention. This is a very good sign. Technology and global movements of people and workforce will continue to challenge businesses, and those with an eye on the emerging risks horizon are going to be the likely winners.

Not surprisingly, our most popular post of 2015 was Brian Christensen’s take on an article by The Institute of Internal Auditors’ President and CEO Richard Chambers advocating for continuous risk assessment as a way to elevate risk management and keep up with a rapidly evolving risk landscape.

Carol Beaumier’s piece on the changing role of chief compliance officers was our second-most viewed entry, followed by my take on cybersecurity. Matt Moore’s piece on risk appetite was among the most shared, along with our blog post on best global internal audit practices, drawn from our Internal Auditing Around The World report, which we published for the 11th year in a row.

Overall, it was an exciting year, with many important topics to consider. One of my personal favorites was the opportunity to write about the threat and promise of the Internet of Things. I would be remiss, however, if I didn’t take time, in this season of retrospect and gratitude, to extend my appreciation to those without whom our conversations wouldn’t be possible.

First, I’d like to thank the thousands of dedicated executives and professionals who took the time to respond to Protiviti’s many surveys. Without your valuable input, Protiviti professionals would literally have nothing to talk about other than their own personal experiences in the marketplace. While anecdotal knowledge is valuable, it is greatly enhanced with the “voice of the market” made possible through empirical studies. My hat is off to our many survey respondents – you gave generously of your time and experience, to the benefit of all.

I also want to thank our guest bloggers, my colleagues and friends, whose contributions consistently ranked among our most-read and most-shared entries. Your words and wisdom are invaluable, and your insights, profound. I enjoy learning from all of you.

Finally, I’d like to thank you, our readers. Your continued readership and engagement – as shown through your viewership, sharing and rating of our content – makes this effort worthwhile. Thanks to those of you who offered suggestions for topics. I cannot thank all of you enough for taking the time to read and contribute to The Protiviti View.

All of us have one thing in common – we seek an edge that helps us make a difference in what we do in the market. It is through shared knowledge that we will all move forward, together, informed and empowered to meet whatever challenges may come our way.

Best of the season to you and yours, and on behalf of Protiviti, I wish you all success and prosperity in 2016.