Assessing the Expectations of Internal Audit Stakeholders at The IIA GAM Conference

This week, Protiviti is joining the best and brightest thought leaders from Fortune 500 companies at The Institute of Internal Auditors’ 2017 General Audit Management (GAM) Conference in Orlando, FL. For nearly 40 years, GAM has been the premier experience for internal audit leaders to explore emerging issues and exchange leading practices for positive outcomes. The theme for the 2017 conference is Fostering Risk Resilience. Two Protiviti leaders, Brian Christensen and Jordan Reed, will be conducting panel discussions on stakeholder expectations and the Internet of Things, respectively. We are covering these events and more from the conference here on our blog and on Protiviti’s social media platforms. Subscribe to our blog and follow us on Twitter for timely podcasts and analysis of this year’s conference topics.


Panel Session at the 2017 IIA GAM Conference:
Stakeholder Expectations (Updates from CBOK Stakeholder Studies)

Today at The IIA 2017 GAM Conference, Brian Christensen, Executive Vice President, Global Internal Audit for Protiviti, participated in a panel discussion before more than 1,000 conference attendees on the expectations of internal audit stakeholders and how internal audit can continue to improve its performance. The panel was moderated by Paul Sobel, Vice President and Chief Audit Executive, Georgia-Pacific LLC. Panelists were Angela Witzany, Chair, IIA Board of Directors and Head of Internal Audit at Sparkassen Versicherung AG; Larry Harrington, Vice President, Internal Audit at Raytheon Company; and Brian Christensen, Executive Vice President, Global Internal Audit at Protiviti.

Following are some highlights from Brian’s comments:

  • Are we in the so-called “golden age” of internal audit? Membership in The IIA is at an all-time high. Conferences and programs are near capacity. As internal auditors, we are part of the conversation in the boardroom and management circles. And internal audit has been rated one of the 10 best professions to start a career. But, it’s important to ask, what can we do better? How do we remain relevant and serve our constituents better? Answering these questions was the goal of the 2016 Global Internal Audit Common Body of Knowledge (CBOK) Stakeholder Study.
  • Stakeholders agree that internal audit is focused on the most significant areas in their organizations. Internal audit is keeping up with changes in the business and is communicating well with management and the board.
  • Internal audit needs to further leverage its positive reputation for quality in other areas of the business where it can add value.
  • Management and the board want internal audit to “move beyond its comfort zone” to help organizations bring an internal audit perspective to strategic initiatives and changes – digitalization, cybersecurity, Internet of Things and more. Change is all around us. In light of these many changes, what are new and emerging risks that organizations need to understand and manage? Internal audit can and is expected to provide information and insights to board members and management on these new risks.

Brian also offered some calls to action:

  • As internal auditors, we need to rise up to the expectations of our stakeholders. We’ve been told we’re doing a great job, but we can do more, and our stakeholders want us to do more.
  • We need to break out of historical thinking and approaches. We’ve earned a solid reputation – we now need to build on it.
  • We need to focus on and embrace the four C’s – Culture, Compliance, Competitiveness, Cybersecurity.
  • We need to ask ourselves: Where do we want to be in five years? In 10 years? How do we continue our “golden age”? The answer: Take on bold ideas and new concepts.
  • Finally, we need to own the discourse to fulfill the expectations of our stakeholders.

We have a great opportunity – not just for ourselves, but to create a path for those behind us. Stakeholders have given us a road map to success. Let’s fulfill our destiny and continue our golden age.


From Tiny Tech to Populism: Latest Issue of PreView Scans the Global Risk Horizon

By Jason Daily, Director
Risk and Compliance




Imagine a DNA-programmed nanoparticle capable of hacking cancer cells, a plankton-sized carbon tube that can remove pollutants from water, or food packaging that changes color in the presence of dangerous bacteria. Nanotechnology, with a market predicted to reach almost $13 billion by 2021, has the potential to change the world, and every industry — from healthcare to the military — has a stake in its advances.

Use of Nanomaterials by Industry

With that potential, of course, comes risk. Nanotech may be applied in controversial ways — such as surveillance, or weapons capable of attacking people, plants or livestock at the molecular level. The technology is not visible to the naked eye, raising concern among some, who worry that self-replicating nanobots could destroy the planet if not properly controlled.

Nanotech is only one of the macro-level trends we’re watching as part of Protiviti’s ongoing PreView global risk series. We evaluate emerging risks according to the five global risk categories established by the World Economic Forum. In the January edition, in addition to nanotechnology, we consider the risk of a global water crisis and the “morality” of thinking machines, and we look ahead at the risk of marching populism and what cybersecurity means on a national and global scale.

WEF Global Risk Categories

The flip side of risk is opportunity. While governments and industries grapple with the shortage of fresh, clean water, particularly in developing countries, opportunities for water applications of nanotechnologies abound. As artificial intelligence increasingly replaces humans in making key decisions, opportunities to improve the underlying algorithms can translate into market share and increased profits for the early movers. And finally, with cyber the new warfare, governments and companies have an opportunity to stake a claim in the cybersecurity space by designing products, as well as policies, that protect both digital assets and societal freedoms.

Several of the topics in our current issue are a continuation from previous issues. This trend will continue, as the risks we are keeping an eye on evolve over time and their implications change, sometimes quickly. Whether continuing or newly emerging, such as populism, all of these risks are fascinating to follow, and imperative to take into consideration in mapping long-term business strategies. That’s probably one reason why our PreView series is among our most popular publications.

I encourage you to both read and share our latest issue with your board and executives, to spark discussion and help ensure these emerging risks are part of risk discussions. And, we encourage a discussion here as well. Tell us what you think in the comments.

New Evaluation Tool Enables Boards to Assess and Improve Their Risk Oversight

By Jim DeLoach, Managing Director




Prudent risk-taking is essential to the success of organizations seeking market opportunities and executing aggressive growth strategies. Boards of directors have a growing role in overseeing risk in the companies they govern. In fact, risk oversight is an integral part of a board’s responsibility to ensure the company’s risk profile is aligned with its strategy. Yet according to a NACD study, only three of 10 directors have sufficient knowledge and understanding of their board’s emerging risks.

Identifying and understanding emerging risks is critical, as directors know that disorder and disruption are no longer the exception but the norm. Resilient organizations are the ones that are most likely to survive and thrive in this changing world, and boards play a key role in fostering resiliency in the companies they serve. Investors and regulators are recognizing the importance of boards taking an active approach to risk oversight and applying leading risk oversight practices. Every board has an opportunity to disclose beyond the boilerplate in the proxy statement.

Because it is imperative that directors stay educated about new and emerging risks, we believe that boards should evaluate the effectiveness of their risk oversight practices from time to time. This evaluation is made more effective when it is accompanied by an effective process and insights that provide directors assurance that the evaluation exercise is sufficient and sound. That’s why Protiviti is excited to collaborate with The Board Institute (TBI) in developing the TBI Protiviti Board Risk Oversight Meter for boards desiring to enhance and improve their risk oversight process.

The TBI Protiviti Board Risk Oversight Meter is a recent addition to The Board Institute’s suite of world-class, validated tools. It is unique in that it offers a flexible, cost-effective method for boards to self-evaluate their risk oversight in an objective, participatory exercise. Participants, who include directors and others chosen by the board, can provide input regarding the board’s processes using a web-based tool which saves time and simplifies the usual logistics of conducting board self-evaluations. It also allows participants to contribute their responses according to their own schedules.

Using the information gathered, the tool generates results in a robust, insightful and actionable report that highlights not only the board’s strengths in overseeing risk, but also the areas where the board can improve its practices. In this regard, the report includes quantitative and qualitative information, as well as anonymous commentary that provides further color and context to the results. Additionally, the report benchmarks against best practices and validates the quality of risk oversight considering the expectations of key constituencies in the marketplace. The overlay of best practices and market information enables directors’ confidence, by making it possible for them to come up to speed quickly and improve their risk oversight continuously in these rapidly changing times.

What I like most about the TBI Protiviti Board Risk Oversight Meter is that it not only supports a board best practice (i.e., periodically self-evaluate the board’s effectiveness), but mirrors how boards execute that practice. Having assisted boards with their self-assessment exercise, I particularly like how the tool can facilitate dialogue among directors as to where, how and why to improve their risk oversight process. That is what you look for in a tool of this nature in the board space. And because assessments can be repeated, the oversight process can be refreshed continually to stay current with a dynamic business environment.

Are you focused on improving risk oversight at your company? Engage in a dialog with us. To learn more, click here.

Digital Transformation, Data Governance, and Internal Audit

By Ari Sagett, Managing Director
Internal Audit and Financial Advisory



Digital advances, such as big data analytics, mobility and smart connected devices are radically changing not just business processes, but entire operations. Companies across industries are racing to migrate analog approaches to customer interactions, products, services and operating models to an automated, always-on, real-time and information-rich marketplace. For internal audit, this means that IT risk is no longer limited to the traditional audit focus areas, but now spans the breadth of a firm’s operations (including areas that may not have been featured prominently in internal audit’s annual audit plan). And as companies store and process higher volumes of data in support of these automated routines, data governance remains critical.

Accordingly, internal audit departments need to consider the elevated risks this wave of digitization and automation may bring to day-to-day enterprise operations. Take customer service, for example. If routines are automated and customer service representatives now have lots of personally identifiable information on customers stored on workstations and network servers, then the risk profile of that department is elevated, and internal audit should evaluate controls to ensure that these potentially lower priority business functions are being considered and addressed in the context of technology risk.

We explored these challenges in our September 14th webinar, Digitization: What Does This Mean for Internal Audit. A recorded version is available on our website. More than 1,000 practitioners logged in for the live broadcast, which isn’t surprising considering that technology and data concerns topped the list of internal audit priorities in our 2016 Internal Audit Capabilities and Needs Survey.

Big data has also given rise to new, or emerging, risks. Cybercriminals are working both inside and outside of companies to capitalize on the massive and growing universe of valuable personal and private information. Regulators are promulgating policy and guidelines governing the security and privacy of the expanding universe of valuable and sensitive data. New technology-driven competitors are changing the competitive landscape. And older companies are trying to become more agile and innovative, replacing in-house data centers with cloud infrastructure.

As organizations embark on the digital transformation journey, it is incumbent upon the internal audit function to work with operational managers, risk managers, senior executives and the board to provide assurance that organizations continue to have the right controls, data governance, and compliance practices in place. In some cases, the internal audit function may serve a valuable role in educating stakeholders about the nuances of digitization and the associated risks.

Of course, all of these new responsibilities are over and above the traditional core functions, which cannot be neglected. Chief audit executives should ask themselves the following questions:

  • Does the current internal audit plan consider digitization risks?
  • Does IT leadership have a solid understanding of potential control impacts associated with digitization?
  • Does the audit team understand digitization?
  • Do our auditors have the right skills to effectively evaluate digitization risks and controls?
  • Does the internal audit function understand the impacts that digitization may have on data privacy, cybersecurity and other regulatory compliance obligations?

There is no doubt that by embracing digitization, organizations can maximize opportunities and drive competitive advantage. By providing assurance over the organizational risks posed by digitization, the internal audit department can give senior management and the board the information and confidence they need to embrace the digital future.

Is your internal audit team ready for the digital transformation? Share your thoughts in the comment section below.

FSI CBOK Study: Effective Assurance Alone Is No Guarantee of Internal Audit Success

By Mike Thor, Managing Director
Leader of Protiviti’s North American Internal Audit practice



This year the internal audit agenda for the financial services industry is more than a little crowded. Global macroeconomic uncertainty, rock-bottom interest rates, soaring regulatory expectations, cybersecurity threats and attacks, legacy information technology (IT) systems, fintech, blockchain and other disruptive innovations — and that’s before we even get to fulfilling the core mission of delivering effective assurance.

The message of the 2015 Global Internal Audit Common Body of Knowledge (CBOK) Stakeholder Study is clear: Assurance alone is no longer enough. Assurance remains at the core of the internal audit function — value-added work for stakeholders cannot detract from that. But survey respondents, which included executives and board members who work closely with internal auditors, indicated they want more. Specifically:

  • Consulting on business process improvements
  • Alerting operational management to emerging issues and changing regulatory and risk scenarios
  • Facilitating and monitoring effective risk management practices by operational management
  • Detecting shifts in the organization’s implicit risk appetite
  • Identifying known and emerging risk areas

More than 70 percent of board members and executives believe internal audit should take a more active role in assessing and evaluating strategic risks. This is a mandate for chief audit executives and internal auditors to think more strategically when evaluating risks and ensuring their audit plans are sufficiently risk based.

Implicit in all of these value-added functions is the importance of maintaining objectivity. Such consulting approaches a fine line that regulators tend to review closely. And, of course, all of that is in addition to assurance, which remains internal audit’s primary objective. The good news is that respondents gave internal audit high marks for assurance activities, and especially for establishing audit plans to assess areas or topics that are significant and highly relevant to the organization and consistent with organizational goals. There were five assurance areas, however, that respondents agreed could use improvement, including:

  • Effectively validating that executive management promotes appropriate ethics and values within the organization
  • Communicating which risks or activities of the organization are not covered by the internal audit plan
  • Assessing the adequacy and effectiveness of governance
  • Demonstrating sufficient knowledge of key IT risks and controls in performing audit engagements, and
  • Demonstrating sufficient knowledge of fraud and corruption to identify red flags indicating possible fraud or corruption when planning and conducting audit engagements

Looking ahead, executives and directors said they are increasingly turning to internal audit for advice on business process improvements and see opportunities for auditors to add even more value through data analysis and so-called “soft” skills, including change management and facilitating interdepartmental communication.

For more detailed analysis and survey results, you can download the report here.

From Pandemics to Drones to Planning for Resource Scarcity: Protiviti Scans the Emerging Risks Landscape in the Latest Edition of PreView

As the world turns its eyes to the Olympics in Rio de Janeiro, athletes and visitors alike are being warned to take precautions against the Zika virus – a flu-like strain that comes with the added risk of crippling birth defects. The situation is so serious that health authorities are urging women in South America to avoid becoming pregnant for a year or more – a demographic anomaly with far-reaching economic implications down the road. Previous pandemics – swine flu, Ebola, SARS, cholera and MERS – have wreaked economic havoc. And the National Science Foundation predicts five new emerging pandemic diseases annually.

Viral outbreaks and their global consequences represent only one of the macro-level trends we’re watching as part of Protiviti’s ongoing PreView global risk series. We evaluate these emerging risks according to the five global risk categories established by the World Economic Forum.

In our most recent issue, in addition to Zika, we examine several other emerging trends – the opportunities and risks of commercial drones, the growing volatility of natural resources, the future of autonomous vehicles, blockchain – the break-through technology pioneered by Bitcoin, and global internet accessibility. Here are the highlights:

  • Aerial drones have expanded far beyond surveillance to include crop monitoring, oil and gas exploration, retail delivery, and real estate and insurance appraisals. Key considerations: regulation, privacy and safety. Read more.
  • Blockchain, the super-secure cryptocurrency technology, has emerged from the shadows of its Bitcoin origins and is being tested in applications ranging from the automated processing of property titles to password-free interbank transactions. Recently, a blockchain platform called Waves raised $2 million in the first 24 hours of a crowdfunding campaign. Yet, cryptocurrency is still not widely accepted, or well understood. A judge in Miami recently threw out felony charges against a web designer accused of laundering $1,500 in bitcoin. The judge threw out the case because he asserted that bitcoin is not real money. Our advice: Stay tuned.
  • Autonomous vehicles are still in the development phase, with Google and Tesla projects dominating the headlines, and Apple said to be close to announcing their own self-driving vehicle. While the bugs are being worked out, researchers predict self-driving cars will be the norm by 2050 – a prospect with far-reaching effects on everything from law enforcement staffing to road construction, public transportation and commercial trucking. As more vehicles become automated, accidents are expected to decrease. Insurers, pay attention.
  • Natural resources – oil, gold, coal, rare earth elements, and water – are experiencing increasing price volatility as scarcity competes with demand, speculation and new technologies to increase uncertainty. This uncertainty poses risks to a wide range of industries, from financial services to transportation, energy, agriculture, technology and the military.
  • Internet access is the ticket to ride in a connected economy, and expanding internet access is a global priority for just about everyone who wants to reach customers beyond the digital “old world” (Europe, North America, and parts of Asia-Pacific). Increasing the online audience in the developing world presents exciting new opportunities for companies that may not currently have a way to reach these markets. Facebook and Google are the leaders in internet outreach programs – but they are not the only ones. Key hurdles: availability, affordability, readiness, and relevance of the expanding internet to the new market.

The topics summarized above offer much food for thought and discussion with your boards and strategic teams as you and they look forward. Here’s a sampling of our topics looking ahead:

  • Brexit – A developing story, with multiple risk implications. In a future publication, we will look more deeply at the economic, financial and political risks resulting from this decision.
  • Artificial intelligence, also known as machine learning, is progressing at a pace that is exciting to some and concerning to others. Pairing machine learning with quantum computing could have effects we can’t even fathom yet, which is why billions of dollars are being invested to mitigate the risk of a “cyberpocalypse.”
  • Talent retention is critical to organizations’ ability to execute growth and innovation strategies, but finding and keeping people with the requisite knowledge, skills and core values is becoming increasingly difficult. Building executive “bench strength” by grooming – and holding onto – strong-performing managers is easier said than done. Millennials continue to be a mystery for hiring managers, but their attitudes will be shaping the job market in the decades to come.

We invite you to continue the discussion, in the comment section below, and in your boardrooms and executive meetings. We welcome and value your input.

Going Beyond Assurance

May is International Internal Audit Awareness Month. We are celebrating with a series of blog posts focused on internal audit topics and the daily challenges and future of the internal audit profession.


By Brian Christensen
Global Leader, Internal Audit and Financial Advisory




In my last post, I gave a high-level summary of the North American results of The IIA’s 2016 CBOK Stakeholder Study, as presented in an April 6th webinar I hosted. This installment looks beyond the traditional role of assurance to explore ways internal audit departments can effectively serve as strategic advisers to senior management and the board of directors and help identify new and emerging risks.

Every day in the media there’s news of some new or emerging risk, such as new digital advances, changing demographics and geopolitical events. COSO will be releasing an enterprise risk management (ERM) standard in June, which makes it timely for us to ask, “How does an organization look at enterprise risk? How does risk manifest itself within the organization?”

I see an opportunity for internal auditors to facilitate that discussion and monitor for new risks and advise on how they should be managed. This role is clearly within the realm of the internal auditor’s scope and influence, as laid out by The IIA in its definition of internal auditing. It makes sense because the internal auditor is a person who has a broader view of risk than anyone in the organization. Internal audit is one of the few functions that’s not siloed and has a view across all the pillars within the enterprise, from IT to operations and finance. So the opportunity is right there in front of the profession.

Identifying corporate risks and applying risk management frameworks is an important role for internal audit to play because it establishes the nomenclature by which companies communicate about risk and sets the foundational elements of internal control and effective risk management. We, as internal audit professionals, can help provide a common language and a process to assist and guide the organization, both its business leaders and the board, around this conversation.

Looking at the feedback from the CBOK survey, I see a clear acknowledgment that we can, and are, in fact, expected to do just that.

Every audit committee that I sit in and board members I talk to want to have the discussion about the internal auditor’s role in identifying known and emerging risks. It’s not satisfactory just to go through the basic blocking and tackling. We need to be asking: What don’t we know? What are the emerging risks? Which of these risks should we be addressing?

Some of the hot topics in recent weeks have been major merger announcements in the hotel and airline industries. Is there a space for internal audit in those types of transitions? I think the answer is a resounding “yes.” Boards are hungry to understand how the risks change during major transformations. Because of the direct reporting relationships of internal auditors to the boards of directors, we can help be that liaison to report and provide insightful risk information going forward.

We often talk about the value of internal audit’s work. We all recognize that it’s not enough in this day and age to just go through the motions, check the boxes, and declare the job done. We need to explore and understand: How do we help our business improve? We need to be involved in enterprise projects, a large ERP implementation, for example, from the beginning in order to identify risk and ensure it is managed proactively – not come in at the end to assess it. We should be providing consultative services around the control environment – not taking management responsibility, but providing real-time feedback on important initiatives for the organization that managers on the firing line can use. It’s an exciting blueprint for the internal audit profession, and we are invited to take an elevated, strategic role in it that I find highly appealing.

So what kind of auditor does it take to play this role, and how can this auditor demonstrate the strategic risk savvy that’s required for it? It’s a question I’ll attempt to answer here next week. I’d love to hear your opinion in the comments, as well.