From the GAM Conference: Changing Priorities, Analytics in Auditing and More

This week, Protiviti is joining the best and brightest thought leaders from Fortune 500 companies at The Institute of Internal Auditors’ 2017 General Audit Management (GAM) Conference in Orlando, FL. For nearly 40 years, GAM has been the premier experience for internal audit leaders to explore emerging issues and exchange leading practices for positive outcomes. The theme for the 2017 conference is Fostering Risk Resilience. Two Protiviti leaders, Brian Christensen and Jordan Reed, will be conducting panel discussions on stakeholder expectations and the Internet of Things, respectively. We are covering these events and more from the conference here on our blog and on Protiviti’s social media platforms. Subscribe to our blog and follow us on Twitter for timely podcasts and analysis of this year’s conference topics.

 

On Day 2 of the conference, Protiviti Managing Director Jordan Reed shared some thoughts on the panel discussion titled “The Internet of Things: What Does This Mean to Internal Audit?” Jordan led the panel together with Jeff Rowland, Vice President, Audit Services at USAA. Below in Jordan’s own words are highlights from the discussion. For more on why the Internet of Things matters, and the risks and expectations arising from it, read the recently published Protiviti white paper (download).

Share on Twitter

Also hear Protiviti Managing Director and The Protiviti View blog host Jim DeLoach share his view on stakeholder expectations as reflected in the Global Internal Audit CBOK Stakeholder Study.

Share on Twitter

Finally, Protiviti Managing Director Matt McGivern discusses the current state of data analytics in internal auditing, including findings from Protiviti’s latest internal audit survey. Listen below.

Share on Twitter

The Four C’s in Overseeing Internal Audit

This week, Protiviti is joining the best and brightest thought leaders from Fortune 500 companies at The Institute of Internal Auditors’ 2017 General Audit Management (GAM) Conference in Orlando, FL. For nearly 40 years, GAM has been the premier experience for internal audit leaders to explore emerging issues and exchange leading practices for positive outcomes. The theme for the 2017 conference is Fostering Risk Resilience. Two Protiviti leaders, Brian Christensen and Jordan Reed, will be conducting panel discussions on stakeholder expectations and the Internet of Things, respectively. We are covering these events and more from the conference here on our blog and on Protiviti’s social media platforms. Subscribe to our blog and follow us on Twitter for timely podcasts and analysis of this year’s conference topics.

 

By Brian Christensen, Managing Director
Internal Audit Global Leader

 

 

 

In 2016, The Institute of Internal Auditors and Protiviti conducted the world’s largest ongoing study of the internal audit profession — the Global Internal Audit Common Body of Knowledge (CBOK) study — to ascertain expectations from key stakeholders, including board members, regarding internal audit performance. Several imperatives for internal audit emerged from the responses of the participants in the study. Among them: focus more on strategic risks, think beyond the scope of the audit plan, and add more value through consulting.

Continue reading

Embracing Analytics in Auditing: New Protiviti Survey Takes a Look

In a digital world, the time for internal audit functions to embrace analytics is now. This is the most significant takeaway from Protiviti’s 2017 Internal Audit Capabilities and Needs Survey, released today. The results show that chief audit executives and internal audit professionals increasingly are leveraging analytics in the audit process, as well as for a host of continuous auditing and monitoring activities.

Learn more by watching our video below. For more information and our full report, visit www.protiviti.com/IASurvey.

Assessing the Expectations of Internal Audit Stakeholders at The IIA GAM Conference

This week, Protiviti is joining the best and brightest thought leaders from Fortune 500 companies at The Institute of Internal Auditors’ 2017 General Audit Management (GAM) Conference in Orlando, FL. For nearly 40 years, GAM has been the premier experience for internal audit leaders to explore emerging issues and exchange leading practices for positive outcomes. The theme for the 2017 conference is Fostering Risk Resilience. Two Protiviti leaders, Brian Christensen and Jordan Reed, will be conducting panel discussions on stakeholder expectations and the Internet of Things, respectively. We are covering these events and more from the conference here on our blog and on Protiviti’s social media platforms. Subscribe to our blog and follow us on Twitter for timely podcasts and analysis of this year’s conference topics.

 

Panel Session at the 2017 IIA GAM Conference:
Stakeholder Expectations (Updates from CBOK Stakeholder Studies)

Today at The IIA 2017 GAM Conference, Brian Christensen, Executive Vice President, Global Internal Audit for Protiviti, participated in a panel discussion before more than 1,000 conference attendees, on the expectations of internal audit stakeholders and how internal audit can continue to improve its performance. The panel was moderated by Paul Sobel, Vice President and Chief Audit Executive, Georgia-Pacific LLC. Panelists were Angela Witzany, Chair, IIA Board of Directors and Head of Internal Audit at Sparkassen Versicherung AG; Larry Harrington, Vice President, Internal Audit at Raytheon Company; and Brian Christensen, Executive Vice President, Global Internal Audit at Protiviti.

Following are some highlights from Brian’s comments:

  • Are we in the so-called “golden age” of internal audit? Membership in The IIA is at an all-time high. Conferences and programs are near capacity. As internal auditors, we are part of the conversation in the boardroom and management circles. And internal audit has been rated one of the 10 best professions to start a career. But, it’s important to ask, what can we do better? How do we remain relevant and serve our constituents better? Answering these questions was the goal of the 2016 Global Internal Audit Common Body of Knowledge (CBOK) Stakeholder Study.
  • Stakeholders agree that internal audit is focused on the most significant areas in their organizations. Internal audit is keeping up with changes in the business and is communicating well with management and the board.
  • Internal audit needs to further leverage its positive reputation for quality in other areas of the business where it can add value.
  • Management and the board want internal audit to “move beyond its comfort zone” to help organizations bring internal audit perspective on strategic initiatives and changes – digitalization, cybersecurity, Internet of Things and more. Change is all around us. In light of these many changes, what are new and emerging risks that organizations need to understand and manage? Internal audit can and is expected to provide information and insights to board members and management on these new risks.

Brian also offered some calls to action:

  • As internal auditors, we need to rise up to the expectations of our stakeholders. We’ve been told we’re doing a great job, but we can do more, and our stakeholders want us to do more.
  • We need to break out of historical thinking and approaches. We’ve earned a solid reputation – we now need to build on it.
  • We need to focus on and embrace the four C’s – Culture, Compliance, Competitiveness, Cybersecurity.
  • We need to ask ourselves: Where do we want to be in five years? In 10 years? How do we continue our “golden age”? The answer: Take on bold ideas and new concepts.
  • Finally, we need to own the discourse to fulfill the expectations of our stakeholders.

We have a great opportunity – not just for ourselves, but to create a path for those behind us. Stakeholders have given us a road map to success. Let’s fulfill our destiny and continue our golden age.

Listen to Brian Christensen summarize the highlights:

Share on Twitter

OCC Handbook Update Consolidates 13 Years of Evolving Financial Services Audit Policy and Guidance

Cory Gunderson MD NYCBy Michael Thor, Leader of Protiviti’s North American Internal Audit Practice
and
Cory Gunderson, Global Leader, Financial Services

 

 

On December 30, the federal Office of the Comptroller of the Currency (OCC) issued OCC Bulletin 2016-47, Revised Comptroller’s Handbook Booklet and Rescissions. The handbook is the official field guide for federal bank examiners. The update consolidates 13 years of policy changes and guidance to create a single source of truth for all audit-related supervisory matters going forward.

Further, the bulletin expands the definition of internal audit to include consultation and advisory services, and emphasizes the internal auditor’s role in risk assessment and assurance.

Although the handbook is primarily intended for bank examiners to guide their supervisory review, it is a public document, which gives financial institutions the opportunity to review requirements and remediate gaps prior to an examination. In that sense, it serves as an open-book test.

At 152 pages, the bulletin is heavy reading. We published a Flash Report last month, which offers a high-level summary. Highlighted changes include policy and guidance related to:

  • Additional focus on risk management and internal audit’s role in providing assurance that the system is in place and operating effectively
  • Clarification of risk-based auditing and the need for dynamic audit plans and risk assessments
  • Internal audit’s role in challenging management’s strategic decisions (effective challenge)
  • Audit committee composition and responsibilities
  • The chief auditor’s independence with respect to administrative reporting relationships
  • Continuous auditing
  • Talent management
  • Identification and reporting of the root cause of control deficiencies and thematic control issues
  • Non-internal audit assurance activities

The bulletin also highlights the need for increased governance and oversight by boards and audit committees and the need for more robust policies and procedures around internal audit methodologies, including risk assessment, execution and reporting.

Much of the featured guidance is sourced from OCC Bulletins, the OCC’s heightened standards for certain large banks (12 CFR, Part 30), and internal audit guidance issued by the Basel Committee on Banking Supervision (BCBS). Changes by standard-setting bodies (the American Institute of Certified Public Accountants, The Committee of Sponsoring Organizations of the Treadway Commission, and more), were also incorporated.

There shouldn’t be any shocks here. These are things financial institutions have been hearing from their examination teams for years. The bulletin just brings everything under one umbrella.

Nor should anyone look to the bulletin for implementation instruction. Any changes in the bulletin are principles-based.

Taken as a whole, OCC Bulletin 2016-47 paints a picture of the escalating expectations and responsibilities placed on internal and external auditors, particularly in the years since the 2008 financial collapse. All this has happened over a span of several years, and it’s easy to miss the full scope of change, which only becomes apparent when everything is pulled together under one umbrella.

Read the full Flash Report here.

Customer Loyalty Through Better Security — and How to Achieve It

Rick ChildsBy Rick Childs, Managing Director
Consumer Products and Services Industry Leader

 

 

 

Customer loyalty programs are among the basic building blocks of successful consumer products and services companies today. These programs are not only competitive differentiators, but also key drivers of revenue and profits for retailers, restaurants, hotels, airlines and many other businesses. The success of loyalty programs, however, hinges on more than inspiring customers to opt in and offering them rewards that they find compelling. Consumer trust is also essential.

Consumers want to be assured that the companies they interact with through various touch points — online, offline and through mobile applications — are doing everything possible to protect their personal data and privacy. Even millennial consumers, who are generally more willing than customers in other demographic groups to share personal information with businesses in exchange for rewards, have high expectations that companies will keep their data secure and respect their privacy. And if the companies don’t, they are quick to hold them accountable.

Privacy concerns are weighing on the minds of executives in the consumer products and services industry this year, according to a survey, Executive Perspectives on Top Risks for 2017, from Protiviti and North Carolina State University’s ERM Initiative. Representatives of this industry group who took the survey ranked the following concern third among the top five risks: Ensuring privacy/identity management and information security/system protection may require significant resources for us.

Digitalization, the IoT and cyberthreats add to the challenge

Like most things related to information security in a digital world, privacy, customer identity management and information security are all easier said than done. In fact, they are becoming only more challenging for consumer products and services companies as these businesses:

  • Introduce more mobile and digital offerings to their customers
  • Collect, store and analyze more and more customer data from applications and devices
  • Develop and use applications and devices designed for the rapidly emerging and highly interconnected Internet of Things (IoT)
  • Embrace digitalization and migrate “analog” approaches to customers, products, services and operating models to an “always-on,” real-time and information-rich marketplace

It is hardly surprising then that consumer products and services businesses face a constant barrage of sophisticated and stealthy cyberthreats designed to target customer and payment information.

Recent high-profile data breaches and targeted hacks involving major retailers, fast food chains and hotels are just the latest headache-causing wrinkle as consumer products and services companies are scrambling to evaluate their ability to protect customer and payment information. (Executives no doubt had these incidents on their minds when responding to the latest risk survey: they also ranked cyberthreats among the top five risks for their industry in 2017.)

Drive results through strategy and collaboration

Certainly, there is no getting around the need for consumer products and services companies to devote more resources toward ensuring privacy, addressing identity management issues, and protecting information and systems. This is an imperative for any business that handles customer and financial data in a digital world. But organizations also must be very strategic when aligning and deploying these resources if they want to see results.

Developing the right strategy requires effective collaboration between the business and IT. If they are not doing so already, business executives in consumer products and services organizations should resolve to reach out to their counterparts in IT sooner rather than later.

Another party to include in discussions about privacy risk and cyberthreats this year: internal audit. We are seeing more organizations increasing business, IT and internal audit collaboration not only to address known risks, but also to help the business prepare for new challenges related to digitalization and the IoT. As Protiviti’s white paper, The Internet of Things: What Is It and Why Should Internal Audit Care?, explains, “Businesses developing and using applications and devices within the IoT must be aware of how the data they are collecting, analyzing and sharing impacts user privacy.”

Engaging business, IT and internal audit leaders to share their perspectives on these risks will help consumer products and services companies to ensure they are doing everything necessary to protect their customers’ privacy and information in a digital and hyperconnected world. It will also give them more confidence to interact with consumers through more channels, and to innovate programs and other offerings that will earn — and keep — their business.

Taking a Global Look at IT Audit Best Practices – ISACA/Protiviti Survey

infographic-6th-annual-it-audit-benchmarking-survey-isaca-protivitiProtiviti and ISACA, a global business technology professional association for IT audit/assurance, governance, risk and information security professionals, have released the results of our joint annual IT Audit Benchmarking Survey. Key takeaways from this year’s study include the following:

  • Cybersecurity is viewed as the top technology challenge.
  • There appears to be more executive-level interest in IT audit.
  • More CAEs are assuming a direct leadership role for IT audit.
  • Most IT audit shops have a significant or moderate level of involvement in key technology projects.
  • Most IT audit shops perform IT audit risk assessments, though a majority do so annually or less frequently.

Take a look at our infographic and video here. For more information and to download a complimentary copy of our report, A Global Look at IT Audit Best Practices – Assessing the International Leaders in an Annual ISACA/Protiviti Survey, visit www.protiviti.com/ITauditsurvey.