Embracing Analytics in Auditing: New Protiviti Survey Takes a Look

In a digital world, the time for internal audit functions to embrace analytics is now. This is the most significant takeaway from Protiviti’s 2017 Internal Audit Capabilities and Needs Survey, released today. The results show that chief audit executives and internal audit professionals increasingly are leveraging analytics in the audit process, as well as for a host of continuous auditing and monitoring activities.

Learn more by watching our video below. For more information and our full report, visit www.protiviti.com/IASurvey.

Internal Audit Around the World: Collaboration, Technology and the Female CAE

By Susan Haseley, Managing Director
Internal Audit and Financial Advisory

Technology is creating new areas of risk for businesses, requiring a collaborative mindset and strong relationships to manage risk effectively. At the same time, technology is creating new opportunities to improve how internal auditors manage risk – opportunities that come with the same requirements of collaboration and relationship-building. These changes to the internal audit landscape are becoming evident at a time when more women than ever before have risen to positions of senior leadership.

In our twelfth annual edition of Internal Auditing Around the World, we explore the accelerating change wrought by technology as a source of opportunity and as a source of risk. We also decided to focus this year’s edition solely on the viewpoints of women leaders in internal audit. This combination of themes yields a fresh perspective on the growing drive to collaborate – with IT, business units, senior management and external partners – to leverage specialist knowledge, harness emerging technologies and build influential relationships as trusted advisers to the enterprise.

“Technology is going to completely change the way we audit,” says Kathy Swain, Vice President of Internal Audit at Horizon Blue Cross Blue Shield of New Jersey. “As more businesses are built entirely on technology, internal audit will need to follow suit.”

In no area is this more true than in data analytics, a technological innovation embraced by many of this year’s internal audit leaders as a way to continuously monitor for emerging risks and potential optimizations. At Nordstrom, business intelligence serves not only to support the internal audit function, but also to share insights relevant to business decision-makers.

“These insights will allow our team to become even better at what we’re already good at – risks and controls,” says Dominique Vincenti, Nordstrom’s Vice President of Internal Audit and Financial Controls. “They will also help us to underscore the direct value that the function is providing to Nordstrom in many other ways.”

Some internal audit groups take a different approach – they collaborate with external partners not only to gain access to specialized expertise, but also to leverage technologies not available in-house. “We’re not necessarily making huge technology investments,” says Julie Eason, CNL Financial Group’s Internal Audit Director. “When I don’t have the tech internally, I rely on my co-sourced partners.”

Last but not least, cybersecurity is a growing area of risk that has led internal audit functions to partner closely with IT. Monica Frazer, Vice President of Internal Audit for Baylor Scott & White Health, holds meetings with the chief information security officer at least once a month, and has new hires undergo extensive training in relationship-building skills. This emphasis on collaboration pays off, according to the surveys Frazer’s department holds after every audit. “We’re really viewed as a trusted business adviser,” says Frazer.

Mari Yonezawa, Chief Audit Executive at Obara Group, sums up this year’s theme well: “If auditors have strong communication skills, they can build good relationships, and the audits will go more smoothly.” Then she adds, “I think this is why women make good auditors. We tend to be effective communicators.”

The full volume of our 12th edition of Internal Audit Around the World is available here – peruse at your leisure and let us know your thoughts.

IT Audit Benchmarking Webinar: David Brand and Robert Kress Answer Your Questions

By David Brand
IT Audit Global Practice Leader, Protiviti
and
Robert E. Kress
Managing Director, IT, Financial and Operational Audit, Accenture

It has been a few months since the release of Protiviti’s 5th Annual IT Audit Benchmarking Survey (conducted jointly with ISACA) – documenting the top tech challenges of executives and IT professionals around the world. We covered the highlights in a webinar and a blog post back in December. We’ve said a lot on the topic, online and offline, but what’s needed is a dialogue. To that end, we want to address some of the questions that were asked during our December webinar that we didn’t have time to address then. The questions are as relevant now as they were then, and will continue to be for some time. Protiviti’s David Brand and Accenture’s Bob Kress presented at the webinar and took the time to provide the answers below:

Q: What are some of the top customer relationship management (CRM) tools for risk assessments?

Bob: There are many reputable CRM systems in the market. We use the CRM contact management functionality to support our continuous risk assessment – tracking the people we have risk discussions with, scheduling meetings, tracking meeting notes and reporting. Accenture uses Microsoft Dynamics in a software-as-service model for this capability. This works well for us, as MS Dynamics interfaces directly with Office 365 Exchange for email, which enables easy scheduling and calendaring.

Q: Which framework would you recommend for IT audit? COBIT or COSO, or is there something else?

Bob: Accenture uses the COBIT framework for the IT risk universe. We use it to assess risk across all businesses and functions, with particular emphasis on those functions or businesses that contain IT infrastructure (e.g., data centers, hosting servers, networks) and those that manage confidential data. For IT audit reporting, we use the COSO framework to assess the severity of findings. The NIST cybersecurity framework is well-aligned with the major risk frameworks in the market, such as ISO, COBIT, and ISMS. NIST provides a comprehensive framework to assess cybersecurity and is becoming increasingly popular and accepted in the marketplace.

David: Frameworks are good tools to ensure that your thinking is broad enough to cover areas that might not be top-of-mind. But I’d also suggest that sticking to a single framework probably isn’t the right idea. You need to consider various frameworks that are out there and pick and choose the right framework components and points of focus that are going to work for your organization.

Q: For advisory projects, do you issue an audit report at the end of the project with detailed audit objectives and conclusions?

Bob: For advisory services projects we typically do not issue audit reports. Our observations and recommendations are communicated via a variety of forms, depending upon the nature of the advisory service. This includes a report, an email, verbally in review meetings, etc.

Q: Please elaborate more on the meaning of the term “integrated auditing.”

Bob: For Accenture, integrated audits typically combine an assessment of financial or operational risk and technology risk. A combined team of financial, operational and technology auditors is used for these audits.

Q: What are some best practices when developing an IT audit universe?

David: Start with an inventory of all the applications an organization has deployed, all the technology used to deliver products to market. List all of the databases, platforms, networks, etc. that those applications run on. Then look at all of the services required to manage all of those tools and infrastructure – user administration, configuration, patch management and so on. You really need to look at both halves – the technology infrastructure (software and hardware) and the processes that deliver and support the infrastructure, and assess the risk of each component. That gives you a bottom-up view of the technology risk environment. You also must seek to understand how technology supports and interacts with the achievement of the company’s strategies and objectives and how it is used to support key risk mitigation strategies. Mapping this thinking back to the infrastructure components and services inventoried above will provide you with a top-down view of technology risk. Both views are necessary to obtain a complete picture.

Q: Do you assess just inherent, or both inherent and residual risks, as part of the risk assessments? Would you recommend developing an audit plan based on inherent or residual risk rating of auditable unit risk rating?

David: Traditionally, we like to talk about inherent risk. The challenge is that a risk assessment is typically based on the perspectives of management, and getting management to understand the difference between inherent and residual risks, and divorce themselves from their knowledge of the control environment to answer in an inherent way, is too difficult. In other words, once a manager knows all of the controls that have been implemented to mitigate a risk, it is very difficult for that manager to step back and try to think philosophically about that risk and all of the things that are inherently risky about it, because that risk has already been addressed. So, I like to go in and talk about both the risks and the strength of the control environment, and then I can conduct audits from there.

Q: As you perform continuous risk assessments and note changes, do you issue a new risk assessment report with each change or just one annual report for the audit committee?

David: As you progress from performing annual risk assessments to performing assessments quarterly, or even continuously, you are not re-issuing risk assessment reports, but you might have a heat map or some other dashboard or indicator that is updated as the risk landscape changes. You’ll present risks to the audit committee based on that heat map – this is not really a report but more of an update, or a summarized updated view of risks. By the time you get to a true continuous risk monitoring model, there would no longer be a need for an annual report, because risks are being assessed and reported in real time.

Given the rapid and accelerating pace of change in data management, security and infrastructure, IT audit will continue to be a hot topic and one we will be monitoring closely, revisiting our survey results and webinars for more insights. In the meantime, feel free to share your experiences in the comment section below.

Arriving at Internal Audit’s Tipping Point Amid Business Transformation

Protiviti just released its 2016 Internal Audit Capabilities and Needs Survey, the 10th year we have conducted this insightful study on internal audit priorities and trends. We’ll cover many aspects of this study and the results in future blog posts. For now, I invite you to view our video and infographic, and visit our website to learn more and read our report.

Internal Auditing Around the World – Insights From This Year’s Edition

By Brian Christensen
Leader of Protiviti’s Internal Audit and Financial Advisory practice

Now, more than at any time in history, internal auditors are viewed by audit committees and management less as police and more as trusted advisers, strategic partners and consultants. Partly due to the fallout from the 2008 financial crisis, the position is valued more than ever before. Management now looks to leverage internal audit as a strategic resource, recognizing that internal auditors’ broad and deep perspective of operations, risks and potential opportunities can help inform business decision-making.

In its latest edition of the annual Internal Auditing Around the World, Protiviti takes a look at the state of global internal audit practice. We find that many internal audit departments, along with their organizations, are in the midst of significant change and transformation – a period of reinvention. Internal audit teams are rising to the call to become strategic partners to the business – a role many have been working to achieve for years – while remaining careful not to compromise their independence and objectivity.

Here are some of the highlights from this year’s edition, according to top practitioners:

On continuous improvement:

“Auditing is about driving improvement and enhancement for the good of all shareholders,” said David Barry, director of internal audit for the Australian wealth management company AMP Limited. “Our aim is to make risk management less nebulous and easier to manage.”

On strategic advice and consulting:

“I think acting as a consultant to the business is the new frontier for the internal auditor,” said Marco Petracchini, senior vice president and director of internal audit for Eni, a multinational integrated energy company. “(We) have very broad knowledge of processes and risk so we can make a tremendous contribution to our colleagues beyond normal audit activities.”

On the importance of embracing change:

“I strongly believe that if we, as auditors, do not evolve and change, we will soon become obsolete,” said Harsh Mohan, senior vice president of audit, compliance and risk for Etihad Airways. “Ninety percent of the job I did ten years ago has been automated.”

On becoming an alarm bell for high risks:

“We had to change the mindset and behavior within internal audit,” said Peter Sneyers, chief auditor for Euroclear, one of the world’s largest providers of domestic and cross-border settlement services for bond, equity, exchange-traded funds and mutual fund transactions. “We had to ask more ‘so what’ questions, to focus on impacts and consequences, and to understand that we are not paid by the number of issues we find, but by the value we create.”

On building a culture of excellence:

“We cannot just think we understand the business; we have to know that we do,” said Stephen Frimpong, vice president of internal audit at Kimberly-Clark. “We have to shape the audit plan to make sure we deliver impact and drive results.”

Starting to see a pattern here?

High performers set high standards and are not afraid to change. They hold themselves accountable to those standards with metrics and outcomes judged not by volume, but by the value created for the organization.

These are exciting times to be an internal auditor. The profession continues to rise to the ever-expanding demands created by the complexities of managing risks, monitoring controls, improving corporate governance and capitalizing on opportunities in international markets, and in our highly popular Internal Auditing Around the World series we will continue to track its growth and evolution. This series should be of great interest to internal audit professionals, as well as CEOs, CFOs and boards of directors worldwide.

From Cybersecurity to Collaboration: Assessing the Top Priorities for Internal Audit Functions

Today Protiviti released another exceptional piece of research: our 9th annual Internal Audit Capabilities and Needs Survey. This year, we took a close look at the role internal audit can and should play in helping their organizations manage cybersecurity and cyberthreats, giving the organization greater confidence in managing this ever-changing threat.

In future blog posts, we’ll be covering key takeaways from this research and offering guidance for CAEs and internal audit professionals. For now, I encourage you to view our video and infographic here, and visit www.protiviti.com/IAsurvey, where you can download a complimentary copy of our research report.

Jim

Assessing the Top Priorities for Today’s Internal Audit Functions

Protiviti’s research train keeps on rolling! Today we released the results of our latest Internal Audit Capabilities and Needs Survey. We’ve been conducting research to identify internal audit priorities and trends for eight years and have been very pleased with the response we continue to receive from the market. In looking at the major findings in our 2014 study, I expect this year will be no different. And kudos are due to our survey participants; they are the real “stars,” for without them studies of this nature would not be possible.

Infographic – 2014 Internal Audit Capabilities and Needs Survey

Internal audit functions today must anticipate and respond to a constant stream of new challenges – many of which deliver uncertain and still unfolding risk implications, from emerging technologies and new auditing standards to rapidly evolving business conditions. For example, in nearly every company over the past 12 months, the use of mobile and social media apps has presented new challenges, many of which are still emerging. Organizations’ growing reliance on cloud computing and data, in general, poses similarly complex challenges. Yet, these issues represent only a portion of those crowding internal audit’s 2014 priority list.

Our findings show that:

  • Social media, mobile applications, cloud computing and security (specifically with regard to the NIST Cybersecurity Framework) are critical areas of concern – Social media applications and related risks are top priorities for internal auditors to address, as are risks surrounding mobile applications, cloud computing and security.
  • CAATs and data analysis remain on center stage – As indicated in past years of our study, internal auditors plan to strengthen their knowledge of computer-assisted auditing tools, and continuous auditing and monitoring techniques.
  • Fraud management efforts focus more on technology as well as prevention – Auditors are concentrating more time and attention on fraud prevention and detection in increasingly automated business environments and workplaces.
  • “We have to keep pace with a raft of regulatory, rules-making and standards changes” – The updated COSO Internal Control – Integrated Framework represents a major change for internal audit, with significant implications for many financial, risk management and compliance activities. However, strengthening knowledge of the new COSO framework ranks as a lower priority compared to other critical rules-making changes internal auditors are digesting, including new Standards from The IIA and the new NIST Cybersecurity Framework.
  • Internal auditors want to take their collaboration with business partners to a new level – Internal audit’s longstanding desire to improve collaboration with the rest of the business has intensified, as is evident in the priority that CAEs and respondents place on communicating, and even marketing, the expertise and value that internal audit provides to the rest of the enterprise.

For more information and to download a copy of our full report, visit www.protiviti.com/IAsurvey. And I also encourage you to watch our short video: