2017 Technologies Driving GRC Change

By Scott Wisniewski, Managing Director
GRC Tech Advisory Solutions

Digital transformation was probably one of 2016’s top buzzwords, meaning many different things to different analysts, journalists and vendors. For me, it represents real and significant investments in modernizing IT infrastructures, including those that support GRC activities and processes.

Consider the trends we’re immersed in. Enterprises are adopting cloud and mobile technologies at an extraordinary rate in the hopes of driving greater productivity and collaboration, and organizations of all sizes are launching data initiatives involving the collecting and analyzing of massive amounts of data in order to drive better business decisions and improve customer experience. At the same time, the rapidly evolving regulatory environment, such as the EU’s impending General Data Protection Regulation (GDPR), is putting pressure on legal, compliance, security and IT departments to invest in a range of new data initiatives, consulting services and technologies.

In response to the trends, organizations are rethinking their GRC infrastructures, hoping to gain a much broader and deeper understanding of risk drivers and the bigger GRC picture. Further, to make GRC work effectively in increasingly complex and highly distributed organizations, GRC leaders recognize they must embed GRC into the everyday activities of the business.

The combined impact of all these activities will make 2017 the year that GRC practitioners will:

  • Acknowledge that effective GRC cannot be achieved via a single technology or application. Instead it will depend on a new, complete architecture. A single GRC application today may expose operational risk, but it cannot develop and present the type of complete GRC picture that regulators and boards are now demanding. Developing such a picture requires the combination of traditional GRC applications and new tools to:
    • Extract data from internal systems, such as information security and ERP
    • Consume external content, such as regulatory content feeds
    • Incorporate performance metrics, such as sales and financial results
    • Collect and consolidate market and credit risks as well as the risks identified by business intelligence tools and other analytics

With all these new tools in place, organizations will finally be able to build new presentation layers that provide a complete – and far more useful – picture of their GRC profile.

  • Take advantage of increased information sharing and collaboration to improve governance. As part of their digital transformations, many enterprises are focused on developing new and more effective ways to share information and collaborate. The ability to manage and track this activity will enable GRC programs to incorporate affirmative governance components, such as corporate culture and business achievements. It will also enable the embedding of GRC program elements, such as activities assigned to Line 1 business owners, into the enterprise applications they access every day, encouraging them to more consistently follow governance best practices as they engage in their daily activities.
  • Improve risk decision-making by using data analytics. Thanks to an array of new technologies – in-memory computing, visualization tools, mobile reporting services, etc. – organizations can now rapidly aggregate and analyze huge volumes of data from systems across the enterprise. Data scientists are also developing new methodologies and business rules to aggregate and optimize data for analytics more effectively. As a result, organizations will finally be able to automate many GRC tasks, such as risk scoring assessments, thereby automatically exposing potential risk hot spots that previously went undetected until the damage was done.

I have never been more optimistic about the evolution of GRC. As assurance professionals, lines of business and IT work together to implement new strategies and new supporting technologies, we will transform GRC from mere operational risk management to a function that can protect organizations while actually helping them to be more successful.

Embracing Analytics in Auditing: New Protiviti Survey Takes a Look

In a digital world, the time for internal audit functions to embrace analytics is now. This is the most significant takeaway from Protiviti’s 2017 Internal Audit Capabilities and Needs Survey, released today. The results show that chief audit executives and internal audit professionals increasingly are leveraging analytics in the audit process, as well as for a host of continuous auditing and monitoring activities.

Learn more by watching our video below. For more information and our full report, visit www.protiviti.com/IASurvey.

Digital Transformation, Data Governance, and Internal Audit

By Ari Sagett, Managing Director
Internal Audit and Financial Advisory

Digital advances, such as big data analytics, mobility and smart connected devices are radically changing not just business processes, but entire operations. Companies across industries are racing to migrate analog approaches to customer interactions, products, services and operating models to an automated, always-on, real-time and information-rich marketplace. For internal audit, this means that IT risk is no longer limited to the traditional audit focus areas, but now spans the breadth of a firm’s operations (including areas that may not have been featured prominently in internal audit’s annual audit plan). And as companies store and process higher volumes of data in support of these automated routines, data governance remains critical.

Accordingly, internal audit departments need to consider the elevated risks this wave of digitization and automation may bring to day-to-day enterprise operations. Take customer service, for example. If routines are automated and customer service representatives now have lots of personally identifiable information on customers stored on workstations and network servers, then the risk profile of that department is elevated, and internal audit should evaluate controls to ensure that these potentially lower priority business functions are being considered and addressed in the context of technology risk.

We explored these challenges in our September 14th webinar, Digitization: What Does This Mean for Internal Audit. A recorded version is available on our website. More than 1,000 practitioners logged in for the live broadcast, which isn’t surprising considering that technology and data concerns topped the list of internal audit priorities in our 2016 Internal Audit Capabilities and Needs Survey.

Big data has also given rise to new, or emerging, risks. Cybercriminals are working both inside and outside of companies to capitalize on the massive and growing universe of valuable personal and private information. Regulators are promulgating policy and guidelines governing the security and privacy of the expanding universe of valuable and sensitive data. New technology-driven competitors are changing the competitive landscape. And older companies are trying to become more agile and innovative, replacing in-house data centers with cloud infrastructure.

As organizations embark on the digital transformation journey, it is incumbent upon the internal audit function to work with operational managers, risk managers, senior executives and the board to provide assurance that organizations continue to have the right controls, data governance, and compliance practices in place. In some cases, the internal audit function may serve a valuable role in educating stakeholders about the nuances of digitization and the associated risks.

Of course, all of these new responsibilities are over and above the traditional core functions, which cannot be neglected. Chief audit executives should ask themselves the following questions:

  • Does the current internal audit plan consider digitization risks?
  • Does IT leadership have a solid understanding of potential control impacts associated with digitization?
  • Does the audit team understand digitization?
  • Do our auditors have the right skills to effectively evaluate digitization risks and controls?
  • Does the internal audit function understand the impacts that digitization may have on data privacy, cybersecurity and other regulatory compliance obligations?

There is no doubt that by embracing digitization, organizations can maximize opportunities and drive competitive advantage. By providing assurance over the organizational risks posed by digitization, the internal audit department can give senior management and the board the information and confidence they need to embrace the digital future.

Is your internal audit team ready for the digital transformation? Share your thoughts in the comment section below.

Internal Audit and the Internet of Things

By Jordan Reed, Managing Director
Internal Audit and Financial Advisory

Depending on whom you ask, the business disruptor known as the Internet of Things (IoT) is either the launch pad for an indispensable digital future, or a Pandora’s box of unfathomable risks that have only begun to present themselves. Either way, that’s a lot to lay on a technology trend that only 13 percent of consumers had even heard of, as recently as 2014.

As with most disruptive change that has come before, the IoT poses both opportunities and threats. The internal audit function, as the line of defense tasked with scanning the horizon to ensure that emerging risks are known and accounted for in strategic plans and control frameworks, must now consider both the industry implications and the specific organizational challenges.

Small wonder it ranks among the top five priorities in Protiviti’s 2016 Internal Audit Capabilities and Needs Survey. Judging by the packed house for our June 1 webinar on this topic, a number of you agree. We crammed a lot into that hour, and I’ll only be able to whet your appetite here. But here’s a taste, and some questions to take back to your organization.

To be clear, IoT is the term used to describe the online exchange of data gathered from uniquely identifiable objects, animals and people, without human-to-human, or human-to-computer, interaction.

This is the world of wearable technology — fitness trackers, heart monitors, insulin pumps, and other “smart” devices, like remote home thermostats. It exists primarily in the cloud, and also includes engine sensors, diagnostic controls and transdermal, and even ingestible, medical devices.

Risks, of course, include personal privacy, data security, system integrity and more. Conversely, companies face the risk of failing to adapt to a fundamental shift in the competitive environment. But there are also opportunities for risk mitigation through advances in predictive analytics and continuous auditing.

The archived version of the webinar offers a rich and informative discussion, with many good questions from our audience, who felt the content was timely and pertinent. In the meantime, here are some questions for internal auditors to take back to their organizations:

  • How is IoT deployed in our organization today? Who owns IoT or the respective components of IoT?
  • Have we considered the risks associated with our IoT presence? How have those risks been quantified and controlled?
  • Do we know what data is collected, stored, and analyzed? Have we assessed potential legal, privacy and security implications?
  • Do we have contingency plans for internet-connected “things” that are hijacked or modified for unintended purposes?
  • To what extent are third parties acting on our behalf? Do we have the right processes and SLAs in place to appropriately monitor those third parties?
  • What role does IoT play in our current strategy as an organization? How are we measuring the achievement related to any goals associated with strategic objectives?
  • What is the risk of not considering or further leveraging IoT possibilities? Are we using data analytics to its full potential?

This risk is clear and present. Disruptive innovations that once may have taken a decade or more to transform an industry are now occurring much faster. To stay ahead of the disruption curve, internal audit must quickly discern the vital signs of change and the related implications to the business model of their organization.

The IoT and the related risks will continue to evolve and we will continue to track those risks and developments here on our blog and in upcoming publications, so check here and on our website often.

Global Instability, Cybersecurity on the Minds of Manufacturing and Distribution Industry Executives

Protiviti and North Carolina State University’s ERM Initiative teamed at the end of last year to survey directors and executives across a wide spectrum of industries for our fourth annual Executive Perspectives on Top Risks report. We are drilling down, over a series of blog posts, to provide insight into these executive perspectives within key industries and how these risks may have evolved since the survey was conducted. This post focuses on the manufacturing and distribution industry.

 

By Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader

Not surprisingly, economic conditions and financial market volatility top the list of manufacturing and distribution concerns for 2016, and the degree of concern is higher than in prior years. Manufacturers, to a greater extent than many other industries, depend on global sourcing so it’s no wonder that manufacturing executives would be more concerned than usual, given the widespread and growing uncertainty about the financial stability of key U.S. trading partners around the world on whom U.S. manufacturers depend for everything, from polymers and resins to product assembly.

In addition to supply chain concerns, manufacturers worry about sales. Global instability makes it harder to predict where production and inventory will go. Top of mind at the moment: the concerns over Great Britain’s withdrawal from the European Union, as well as economic turmoil in China and Brazil.

Cyberthreats surged into the top five risks for manufacturers for the first time this year. We interpret that as a growing concern for critical systems and infrastructure that we haven’t seen previously in this sector. The concern is indicative of a growing awareness by directors and executives of the vulnerability of networked devices in an increasingly connected global economy with increasingly sophisticated data harvesting and analytic tools.

Unlike, say, retailers, who might be primarily concerned with protecting customer data, manufacturers are primarily concerned with protecting trade secrets and the integrity of networked production equipment. Within manufacturing IT, we’re seeing more focus on security architecture, specifically related to robotics and embedded technology communicating machine-to-machine via the Internet of Things.

Given these changes, it is perhaps not surprising that manufacturers cited recruiting and retaining top talent as one of their top 5 concerns. There is an increased demand for accurate and timely analytics with which to counter market uncertainty – and personnel capable of extracting actionable intelligence from the overwhelming and growing amount of available data. Automated manufacturers are also aware that they need a higher level of cybersecurity expertise to thwart potential disruption and maintain a competitive edge.

Finally, regulatory risk appears in the top five again, as it has for three years in a row. Manufacturers have a significant and fairly consistent compliance burden when it comes to occupational, environmental, health and safety requirements. More recent concerns have included ethically sourced materials and labor. Regulatory challenges change over time, of course, but history suggests that compliance with regulations will remain a fundamental performance concern for executives and directors.

You can read the key findings and additional commentary in our manufacturing-specific report, which you can access here. The entire survey is available here.

Relationships and Risks: A Closer Look at the CBOK Survey

May is International Internal Audit Awareness Month. We are celebrating with a series of blog posts focused on internal audit topics and the daily challenges and future of the internal audit profession.

By Brian Christensen
Global Leader, Internal Audit and Financial Advisory

I recently had the honor of hosting a webinar with The Institute of Internal Auditors on the 2016 CBOK Stakeholders Study and the evolving role of internal auditors beyond traditional financial assurance. This year’s survey was unique in that it was the first time The IIA partnered with Protiviti on this global study, which included significant input from stakeholders comprised of C-suite executives and board members.

To celebrate Internal Audit Awareness Month, I thought it would be appropriate to take a deep dive into the North American survey results, with additional reports to be released later this year. This installment looks at the overall findings discussed in the April 6th webinar. Subsequent posts will explore some of the more nuanced aspects of the study, focusing not so much on gaps, but on what internal auditors can do to meet, manage or exceed stakeholder expectations.

In the webinar we addressed the four key observations that emerged from the North American results:

  • Internal audit does many things well that could be considered foundational elements of assurance work.
  • There are opportunities for internal audit departments to add value to their organizations by spending more time focusing on risk identification and management, in addition to assurance work.
  • Internal audit should focus more on strategic risks – but exactly what the stakeholders mean by that is less than clear or consistent.
  • Increased demands on internal audit will require CAEs to prioritize competing expectations. Managing these conflicts requires strong relationship and communication skills.

Stakeholders gave internal auditors high marks on the basics, with 80 percent agreeing that their auditors are producing quality work, reliable results, useful recommendations and timely communication.

The question then becomes: What more can audit departments do to ensure that they continue to respond to the emerging needs of their organizations as seen by senior management and the board of directors?

In the study, stakeholders responded that they were most likely to seek advice from the internal audit department to identify known and emerging risks, facilitate and monitor risk management, and develop appropriate risk management frameworks. These results suggest that internal audit and the CAE are perceived as a reservoir of knowledge and insight to be tapped and deployed to improve risk culture and risk management capabilities and inform senior management and the board of up-and-coming risks.

More than half of stakeholder respondents said they want internal audit to be more active in assessing and evaluating strategic risks. However, they expressed low interest in internal audit involvement in new products and initiatives, and in new systems and technologies. This is an interesting finding. I believe that what stakeholders expect of internal audit is to not be distracted by technological novelties and focus instead on specific tools that facilitate the work that matters. Data analytics is increasingly such a tool – there is a growing desire to see data utilized to provide relevant and current information about risk. Strategic insights often come from connecting dots to draw new insights. Data analytics can facilitate that.

With stakeholder expectations rising, the questions for internal auditors revolve around priorities: How can internal audit best manage potential jurisdictional and resource conflicts, while also managing stakeholder expectations? The top response from stakeholders, perhaps not surprisingly, was: Talk to us.

Communication is key, and stakeholders are looking to CAEs to initiate and cultivate strong relationships and open lines of communication with executive management and the board of directors to ensure alignment of priorities. Clearly, soft skills should be a priority.

For many of us in the profession, none of this is new, of course. It is instructive, however, to hear it directly from stakeholders.

In my upcoming posts, I will tackle the other key themes of the stakeholder study: moving beyond assurance to address the needs of boards and management, demonstrating understanding of strategic risks, and developing soft skills and relationships. Meanwhile, to access the discussion, click here and sign in to view the archived version of the webinar.

Data Analytics in Internal Audit: An Imperative That Can’t Wait

May is International Internal Audit Awareness Month. We are celebrating with a series of blog posts focused on internal audit topics and the daily challenges and future of the internal audit profession.

By Kyle Furtis
Managing Director,
Internal Audit and Financial Advisory practice

Data analytics is a hot topic for internal audit departments. In our most recent Internal Audit Capabilities and Needs survey, data analytics figured among the top ten priorities for internal audit professionals, and CAEs ranked big data and business intelligence their number one priority. When we concluded that internal audit has arrived at a tipping point, it’s fair to say that data analytics is one of the items sure to cause the precipitous changes in how we, as internal auditors, do our work.

The profession is aware that businesses are now more data-driven than ever before, and that not utilizing this data can be detrimental to the proper evaluation of risks and controls and, more importantly, meeting stakeholder expectations. Even so, many internal audit departments are still struggling to come up with a formal methodology for integrating data analytics into their work. A formal data analytics program has a mission and a purpose. It also specifies how data is to be identified, acquired and analyzed to determine potential breakdowns of selected controls. But how do you begin?

One recommendation, based on observing successful data analytics programs within internal audit, is to start in areas where you’re comfortable with the data – whether it’s account reconciliations, journal entries, payables, fixed assets, payroll, human resources or threshold/limit controls. It’s easy to test data based on information you’re comfortable with. Just start in an area where enhanced visibility into the underlying data can add value to internal audit findings.

An interesting example of how to begin came from one internal audit shop I worked with. One of the required steps in each audit was for auditors to explain why they didn’t analyze data when performing testing of internal controls. The auditor’s manager and the director of internal audit were also required to sign off on the explanation. The idea was that inserting that step into the audit program forces auditors to think about data in advance of the audit, knowing that they have to answer that question. They couldn’t just give a flip answer, such as “We didn’t have the time,” or “This type of audit is not conducive to data analysis.” It really forces the internal audit staff to think about the risks, the data behind the risks, and whether some data analysis is appropriate.

For those already thinking ahead in this manner, I suggest below a high-level road map that outlines what data analytics may look like in a few years, and how to get there:

  • In Year 1, define your objectives for data analytics and set the basics: Train staff, identify tools, access and normalize data. You may need to prove the value of data analytics through strategies such as pilot and proof-of-concept programs.
  • In Year 2, identify opportunities to fully embed data analytics in internal audit. Define the data-access model, establish key performance indicators (KPIs), and integrate ad hoc analysis.
  • In Year 3 (and perhaps beyond), fully embed data analytics, broadening its use within the organization, and move toward data governance.
  • Next, engage in continuous analytics, fully integrating the analytics program and establishing standard reporting practices. Enable access to analytics reports throughout the enterprise and increase the level of data governance.
  • Finally, introduce predictive analytics. This would be a new frontier for internal auditors, as predictive analytics is not 100 percent accurate, and, as auditors, we’re used to high precision and accuracy when we analyze data – but it will yield interesting results that you can use for discussion.

Incorporating data analytics into internal audit won’t happen overnight. It’s a multistage process, with components introduced over the course of several years. As with everything, the most important step is the first one – so get started on defining your objectives now. By following the road map outlined here, the benefits of more efficient and effective audits will not be too far down the road.