Partnering for CAE Success: Building the Audit Committee Relationship

There’s a lot of talk these days about what’s important for CAEs to be doing and why. It’s always useful to exchange sound practical advice on how to do what needs to be done. So it was gratifying for me to participate in a recent MIS Training Institute Masters Program dedicated to providing real world solutions through peer-to-peer discussion on many of the issues raised by audit committee members in The Institute of Internal Auditors’ CBOK Stakeholder Study, conducted by The IIA and Protiviti.

I led a session on best practices for dealing with audit committees, how CAEs should prepare to present to the audit committee, and what tactics they can use to engage audit committee members with internal audit teams and other stakeholders.

Primarily, this is about communications — the people side of our business. Effective audit committee relationships are not possible without effective communication skills. It is common to call communication a “soft skill,” which is ironic because many auditors find communication to be quite challenging. And while the basics of assurance will always remain at the core of what we do, adding value should be our ultimate goal. It doesn’t matter how well we plan, execute and report if we fumble the ball when it comes to communicating with the audit committee. Fair or not, what they see and hear in their interactions with the CAE is a primary source of their assessment of internal audit’s performance.

So how does a CAE best prepare for an audit committee meeting? Using an American football analogy, this is the point when the CAE is inside the 5-yard line, and his or her actions are critical to advancing the ball for a score. Keeping the director audience foremost in mind is key. With input from the participating CAEs at the MIS event and based on our own experience, here’s how to prepare and present:

  • Appearances are everything. Make pre-reads and presentation materials visually appealing and focused on the key takeaways.
  • Tell the story. Summarize key messages and encourage discussion; synthesize data into key themes, observations and action items.
  • Keep it short. Be concise and to the point; distill the message into an elevator pitch and be ready to comment on specifics if asked (think 10 minutes, versus 30).
  • Speak with authority. Look committee members in the eye, pause for questions but don’t linger, and speed up or slow down the presentation cadence based on director feedback.
  • Respond to questions with direct responses. With respect to questions for which the answer isn’t known, take an action point to follow up to obtain the information. For questions that are or should be directed to management, pause to allow management to respond.
  • Tell them something they don’t know. Positioning internal audit as the eyes and ears of the board and senior management is the key to adding value.
  • Anticipate questions. One of the benefits of strong relationships is the insight that comes from ongoing dialogue. By the time you report to the audit committee, you should have a pretty good idea of what’s on their minds and have the answers ready.
  • Be a team player. If executive management wants to own a particular issue and bring it up to the audit committee, let them. Consider having business stakeholders join the meeting to co-present on the findings of a particular review (e.g., have the CIO or CISO co-present on the results of a cyber audit).
  • Keep management in the loop. Executive management should not be surprised by anything in your report. It’s a professional courtesy to vet its contents with management to help them prepare for any questions they might have to address later.
  • Play defense as well as offense. Yes, everyone wants to focus on value creation and upside. But in Super Bowl LI, the Patriots’ vaunted offense never would have had a chance to win the game in the second half had their defense not stepped up. In a business, the “lines of defense” model helps focus the necessary blocking and tackling in creating a risk management infrastructure and is a model directors understand.

As a best practice, the CAE should meet with the audit committee in executive session from time to time. With this mechanism in place, the CAE is positioned to be candid when the big dilemmas come up.

Of course, good communication and successful relationships extend beyond audit committee meetings into all aspects of internal audit. Internal audit departments, especially CAEs, are often perceived as reservoirs of knowledge and insight to be tapped and deployed to improve risk culture and risk management capabilities and to inform senior management and the board of up-and-coming risks. This underscores how critical it is for the internal audit function to demonstrate an understanding of strategic risk. A strong business context enables the CAE to be an engaged, familiar face around the company, particularly with its leaders, bolstering the audit committee’s confidence in the CAE’s effectiveness.

With expectations increasing, internal audit needs to up its game with early warnings on emerging risks. Effective audit teams “connect the dots” when considering the enterprisewide implications of audit findings and look beyond the scope of the audit plan to identify patterns, trends and issues meriting attention at the top as well as signs of a deteriorating risk culture. Along with effective communications, the CAE will have a combination of capabilities that will position him or her to succeed. Soft skills may be hard, but they are worth their weight in gold.


Regtech: An Innovation Quickly Going Mainstream




By Vishal Ranjane, Managing Director
Risk and Compliance

and Shubhendu Mukherjee, Director
Risk and Compliance


Last year, we wrote about the various ways financial institutions were using technology to streamline and improve regulatory compliance. We thought it was time to revisit the topic, given regtech’s quiet but steady advancement in the financial services industry in the time that has passed.

A specific definition of “regtech” is still evolving, but generally speaking, the term applies to any automation or digitalization of manual regulatory compliance processes to add speed, security, accuracy and agility in complying with regulatory requirements. Part of a broader trend toward digital transformation in financial services, the term typically refers to the regulatory application of existing technology, not the technology itself — a point well-made by my colleagues John Harvie and Derek Cummings in Regtech: A Confluence of Opportunities, a paper Protiviti published earlier this year.

Much of the driving force behind this transformation is coming from financial institutions, who are replacing outdated and disjointed legacy systems with new core technology and are looking for ways to replace expensive and error-prone manual processes with automated processes across all functions, including compliance.

It is fair to say that, historically, technology funding for compliance functions has been low. As the regulatory expectations increased over the years, many compliance processes were enhanced in an ad hoc manner, utilizing antiquated systems and manual consolidation of multiple data streams from disparate sources that were hard to manage and/or update. A common solution to the complexity (which still exists today) is to add more resources to existing teams.

Digital transformation initiatives have created opportunities to consolidate and integrate these systems, generating efficiencies that organizations are using to reduce the time and resources devoted to routine compliance tasks. These opportunities and technology applications are in various stages of maturity. Financial institutions are now in a position to prioritize the more mature and proven technologies to provide real-world solutions to high-cost business problems in areas that cause the biggest expense.

One such technology that is higher on the maturity curve is robotic process automation (RPA) — the use of software to work alongside human operators to perform high-volume repetitive tasks. It is most commonly encountered in the automated menus most large companies use to route incoming calls, or schedule an automatic call-back at times of high call volume. Increasingly, financial institutions are using RPA to perform compliance tasks, specifically in AML transaction monitoring, OFAC screening, and “know your customer” (KYC) activities.

Visual analytics is another technology seeing widespread regtech application. Dashboards and other graphic representations of real-time data with drilldown capabilities and cross-tabulation provide at-a-glance insights that were functionally impossible to achieve previously with manual-based reporting. (The Protiviti Risk Index is one such example of a dashboard used to provide dynamic risk information at a glance.)

Other innovations, such as artificial intelligence and biometrics, are making regtech inroads as well, particularly in onboarding and KYC compliance, though they are behind in the maturity curve compared to RPA and visual analytics. Technology acceptance is changing fast, however, with regulators encouraging “responsible innovation” and testing of new applications in a controlled environment. The number of vendors offering regtech solutions is also increasing. One research report cites $3.2 billion in funding raised in the past five years for startups specifically focused on regtech solutions, primarily for the financial services industry.

Regtech is an exciting trend, with a promising future. As our clients look for ways to drive down costs and increase compliance efficiency, we continue to advise them to assess their options carefully, invest time, effort and resources in those activities most likely to deliver value, and be prepared to learn quickly from the failures as well as the successes of others.

Internal Auditing Around the World: Stepping Up to the Challenge of Culture Audits

By Brian Christensen, Managing Director
Global Leader, Internal Audit and Financial Advisory




Weak organizational cultures are widely considered to be one of the primary causes of the global financial crisis that struck a decade ago. As a result, maintaining a strong risk culture has become a top priority for all major businesses today — as well as an expectation by their stakeholders, regulators and customers.

Business leaders are looking to the internal audit function to assess not only tone and conduct at the top of the organization, but also how and if this conduct is reflected throughout the business. They want to know if the company’s core values and strategic vision are understood and actively practiced by employees.

Culture is complex and different within every organization. The Risk Management Association (RMA) defines culture as “the set of encouraged and acceptable behaviors, discussions, decisions and attitudes toward taking and managing risk within an institution.” But even when defined, culture remains largely abstract.

The 13th edition of Internal Auditing Around the World, debuting this week at The IIA’s International Conference in Sydney, Australia, examines this issue through the experience of 15 organizations around the world. As you will discover, there is no one-size-fits-all solution. Their journeys are as varied as the cultures they reflect.

As I wrote here back in May, every organization has its own ethos. But corporate values and “tone at the top,” alone, are not enough to prevent ethical lapses. Culture audits are an opportunity for auditors to talk to employees, managers, customers and vendors, and report on whether the company is living its values, or whether they are hollow.

For many of the organizations featured in the 13th edition of Internal Auditing Around the World, risk culture audits are new endeavors that are only at the planning or pilot stage. Senior management and boards are looking to internal audit leaders to help the business develop the right approach for, and get the most value from, these types of audits. The function has a clear opportunity to play a transformative role in responding to the needs of key stakeholders, particularly boards, who want assurance that the organization is aware of and addressing all types of potential risk.

Where to begin? Several of the leaders we interviewed said they recognized early the importance of examining and strengthening the culture within the internal audit function before moving to assess other business units, or the company as a whole.

Ruurd van den Berg, Executive Vice President and CAE of Group Internal Audit at Aegon N.V., a multinational life insurance company headquartered in The Hague, Netherlands, summed it up nicely when he said, “We believe we should lead by example. We knew that if we didn’t have a strong culture, we would lack the credibility to run culture audits.”

Richard W. Moore, inspector general for the Tennessee Valley Authority’s Office of the Inspector General, voiced a similar sentiment. “If you’re going to instill trust in people, you need to be vulnerable and fix yourself first, then invite others to join you in your journey to improve,” he said.

The profiles featured in this edition of Internal Auditing Around the World are all inspiring and informative. They will either validate your organization’s existing risk culture journey, or serve as a catalyst to spark transformation. Either way, I hope you’ll pick up a copy at the International Conference, or download one from our website. I think you will find valuable insights on auditing risk culture. For many of us, this is a new venture far afield from our accounting roots. But just like partnering effectively across the organization and working in a collaborative environment, it is a challenge worth conquering.

New Survey — Bridging the Gap Between Finance and Procurement

My colleague Bernie Donachie wrote earlier this week about high-performance procurement, focusing on some top performer characteristics that emerged from our procurement survey prior to its release. The full report is now out, and, top performers notwithstanding, it shows that there are divergent perspectives across stakeholders when it comes to the value generated by the procurement function.

The key takeaway from the results of Protiviti’s 2017 Procurement Survey is clear: Procurement functions need to focus on how they drive value and how they quantify and communicate their performance. In what is arguably the most notable finding in the survey, close to half of finance leaders say 20 percent or less of procurement savings drop to the bottom line. Just one in five finance leaders say their procurement functions effectively manage both direct and indirect costs. Overall, only a small percentage of bottom lines actually realize the savings that procurement functions have achieved. These and other issues identified in the study need to change.


In our report, we share key findings from the survey, examine the perceptual gap between finance and procurement regarding procurement’s objectives and value, identify traits commonly displayed by leading procurement functions, and present some action items for procurement and finance leaders to consider as they seek to get on the same page while increasing the value that the procurement function delivers to the bottom line.

Visit, where you can download a complimentary copy of our report.


Criminal Finances Act 2017 Aimed at Terrorist Financing Affects All Firms With UK Operations

By Bernadine Reese, Managing Director
Risk and Compliance, Protiviti UK




One of the recent examples of efforts to clamp down on terrorist financing and tax evasion comes from the UK, where the Criminal Finances Act 2017 received Royal Assent in April.

The Act, expected to take effect this September, is being touted as a powerful new tool in the investigation and prosecution of tax evasion and terrorist financing crime in the UK. In response to concerns raised by regulated firms, it also includes provisions that will make it easier for firms to share information on potential criminal activity, without violating privacy laws.

Essentially, the Act introduces two new offences of failure to prevent facilitation of foreign tax evasion and UK tax evasion. The Act is intended to hold companies automatically liable, by criminalising the facilitation of domestic and foreign tax evasion by means of not having “reasonable prevention procedures” in place to prevent their “associated persons” from facilitating it. “Associated persons” is a purposely broad term and can include the employees, agents, subcontractors, or anyone else who performs work for or on behalf of the company. Protiviti has published a paper addressing some of the most common concerns regarding the new Act as a series of frequently asked questions. Here are some of them:

Q: How does the new law tackle terrorism?

A: A number of provisions that address money laundering will apply broadly to persons suspected of terrorist financing, or property that has been acquired with terrorist funds or with the intended purpose to facilitate terrorist financing. The law provides mechanisms for both voluntary and mandatory disclosures by regulated firms, as well as provisions for the seizure and freezing of assets.

Q: What is the difference between “tax avoidance” and “tax evasion?”

A: While the distinction between tax evasion and tax avoidance continues to be politically sensitive, tax avoidance is generally considered to be the lawful minimization of one’s tax burden — for example, taking legal tax deductions on expenses. Tax evasion is the unlawful non-payment of taxes that are legally due to the government. Examples might include intentionally misreporting taxable income in order to pay lower (or no) taxes, concealing assets in overseas accounts, failing to file a tax return, using false documentation, or deliberately suppressing taxable income.

Q: What are “reasonable prevention procedures?”

A: The paper examines this in detail, but briefly, law enforcement will be looking for evidence of top-level commitment to anti-money laundering; regular risk assessments; a proportional, rather than one-size-fits-all, approach to risk as part of the organization’s overall risk management efforts; due diligence; robust communication; and monitoring and review of account activities.

Q: What should our priorities be to get ready for the new legislation?

A: Protiviti has put together a four-point plan:

  1. Understand how the new law affects your business and customers: The scope of the Act seems broad but many of its provisions relate to increasing transparency and information sharing intended to prevent the money trail from going any further, and to tackling financial crime, which now includes tax offences within its definition. Customers likely to be the target of increased scrutiny under this law include corporate clients with complex company structures; individuals who use tax planners, such as celebrities and politicians; wealthier private clients with large asset holdings and/or associations with low-tax offshore jurisdictions; and entities, such as religious organizations and charities, which may be used as vehicles for terrorist financing. A risk assessment will need to be performed.
  2. Review and update policies and procedures: Once senior management has articulated its position on tax evasion, this should be communicated through the firm’s policies and procedures in a clear and practical way. In particular, firms will be expected to demonstrate that they have “reasonable prevention procedures” in place to combat the facilitation of tax evasion and should consider whether new or additional procedures are necessary, including those for associated persons, depending on risk levels and potential exposure.
  3. Prepare and train staff: Identify staff likely to be impacted by the new legislation — such as customer-facing teams, compliance, and internal audit. Prepare and give tailored training to relevant employees to ensure that they are aware of legislative changes and the impact on their role. Circulate regular communications to reinforce the company’s policy and staff’s responsibilities.
  4. Review existing clients: Consistent with taking reasonable prevention procedures, firms should adopt a risk-based approach to dealing with the assessment of their existing customer base. This might include an immediate review of those customers considered to be at the highest risk of tax evasion, while lower risk customers might be covered as part of the firm’s periodic review of “know your customer” information for anti-money laundering purposes. Firms will need to plan and take action according to the risks presented by their existing customer base.

Companies should seek help early rather than late with some of the more complex and tedious elements of complying with the new legislation, including conducting a gap analysis, developing risk-based evaluations, reviewing customer files and providing training. For a detailed analysis of the UK Criminal Finances Act 2017, download the free paper from our website.

Digital Reporting, Dashboards Help Execute Store-Level Audits in Real Time

By Rick Childs, Managing Director
Consumer Products and Services Industry Leader




Retailers are under increasing pressure from all directions these days. In May, Credit Suisse estimated that a record 8,600 stores will close in 2017 and that 25 percent of U.S. shopping malls will be shuttered by 2020. At the same time, retailers are facing increasingly complex regulations on everything from public health to environmental issues. All of these pressures are creating a need to consistently and continually measure execution at the store level. Timely, accurate and actionable store-level audit data has never been more important.

In our recent report on mobile audits, we explored how internal auditors are applying web-enabled tools to engage stakeholders, automate workflows, improve decision making and drive operational efficiencies. I revisited these change drivers in a recent blog post, advocating for small but meaningful changes in retail digitalization. But with retailers having to make increasingly difficult decisions with less and less lead time in order to stay competitive, I wanted to address two even more important, and often overlooked, benefits of digitalization: analytics and reporting.

Traditional paper-based store data collection is time-consuming and has always been fraught with inefficiency and error. Data collected on paper has to be compiled — via fax, scan, or physical transfer — and manually keyed into a computer before it can be analyzed. Digital data, on the other hand, is available in real time, and responses can be standardized for greater consistency to meet both operational and regulatory compliance objectives.

Web-enabled store audit tools provide accurate and actionable data, in real time. Audits performed via mobile app, for example, are updated automatically, eliminating the need to fax, transcribe or email audit results. The reduced cycle time from data entry to reporting eliminates information bottlenecks. Dashboards and other digital reporting tools allow market managers to make informed decisions on the fly, confident that they are working with the latest information, and that all users are looking at the same data — eliminating awkward spreadsheets and version control issues inherent in paper routing.

Application reporting permissions are synched to job titles — an important control given the dynamic organizational hierarchies in retail. At the same time, companies can track a store manager’s performance across multiple locations, or location performance relative to other locations.

Just-in-time feedback encourages user engagement with operational applications, remediation, electronic follow-up and reminders. By accelerating the audit cycle, management can make informed decisions about low-performing stores and implement meaningful change. Trend information can be used by asset protection and store operations to identify negative activity at the stores and potentially across districts and markets.

With this kind of instant reporting gratification, the older, slower, less accurate analog store audits seem well on their way out, and they should be. Digital store audits improve consistency, minimize interpretation, increase the number of locations that can be covered, generate action items immediately and enhance communication to the field.

The graphical interfaces of real-time reporting tools convert mind-numbing columns of numbers into color-coded dashboards for an easily read picture of performance, with drill-down capability to the store and indicator level.

At this point, the question is no longer whether retailers should adopt digital audit technology, but how quickly they can get it done, and what are the risks to their retail organizations if they don’t.



High Performance Procurement: Getting More Savings to the Bottom Line, Faster

By Bernie Donachie, Managing Director
Supply Chain




Only a low percentage of chief procurement officers and chief finance officers feel that they have “very effective” sourcing, according to the most recent research we conducted among 400 procurement and finance professionals. Effective sourcing equates to 10 percent or more in savings year over year. Unfortunately, finance executives say only a small fraction of those potential savings ever make it to the bottom line, according to our survey. Operational variables — overspending, changing needs, and buying from unauthorized suppliers — were among the primary causes for suboptimal savings, along with invalid savings assumptions, unrealistic savings projections, and a failure to effectively track realized savings.

Our full survey results will be released later this month, and there are definitely positive and encouraging findings — but they are not the majority. I thought it would be instructive here to examine the responses of self-reported top performers in the three areas below to see what traits they had in common — specifically, how they analyze spending patterns, align with other business functions, and establish an effective savings governance program.

Spend Analysis

Over two-thirds of our top performers consider their spend analysis to be robust and routine. These professionals do not treat analysis as an afterthought; rather, it is baked into their budgets, planning and strategy from the beginning.

Our data suggests that, as companies perform more robust analysis, their ability to minimize financial leakage greatly increases. The categories benefiting most from this trend are duplicate payments, unrealized credits, and paying non-contracted prices.

Notably, over half are using a third-party spend analysis tool, rather than in-house assessments. Clearly, they’ve decided it’s an expenditure that’s worth making, and find, or expect, it to help them drill down into spend data to drive insight, identify savings opportunities, and support budgeting and future planning efforts.

Organizational Design and Relationship

Most of our top respondents have centralized finance and procurement departments. They describe the relationship between procurement and finance as “collaborative decision making.” This relationship is crucial for visibility and understanding of the savings that the procurement team is generating.

Savings Methodology and Tracking

Given the strong relationship between the two functions, it makes sense that almost all of our top respondents feel that their finance and procurement teams are aligned on cost saving initiatives. For this to be the case, initiatives must be clearly conveyed, strategized and executed. Over two-thirds of these respondents felt that the savings from procurement are properly tracked and well understood.

For the most part, the answers of the top performers paint a picture of confidence and solid understanding of the need for strong connection between procurement and finance. For those not yet there, I have the following recommendations:

  • Start with spend analysis. A formal, robust spend analysis is perhaps the most essential building block of procurement success.
  • Consider investing in third-party spend analysis tools.
  • Track and measure savings. Top procurement functions quantify the value they generate, as well as how effectively they document and communicate that value to the rest of the organization.
  • Ensure that negotiated savings make it through to the bottom line. Ultimately, procurement’s objectives should include making the organization more profitable, driving competitive advantage and exerting a positive impact on the bottom line.
  • Understand the value of cross-functional collaboration. Establish a consistent, enterprisewide view of spending and value to help enable sustainable savings.
  • Align with finance. All organizations should assess the extent to which a gap is evident between the two functions and identify ways to close it as quickly as possible.

Our report, complete with full statistics, methodology, and participation by title, will be released later this month.