Cybersecurity - IIA Indonesia
Source: iia-indonesia.org/wp-content/uploads/Majalah-IA-Agustus-2015.compressed.pdf (Internal Auditor, August 2015)

Page 1

Cybersecurity: Boards are turning to internal audit for assurance on the organization's ability to detect and prevent data breaches.

Technology | August 2015 | Internal Auditor

August 2015 | InternalAuditor.org

The Auditor's Role in Protecting Customer Data

The People, Processes, and Technology of Data Analytics

A New Framework: Enhanced Guidance for the Profession

IIA Global Chairman Harrington: Invest in Yourself

Page 2

Crowe Cybersecurity Services

The Unique Alternative to the Big Four® | Audit | Tax | Advisory | Risk | Performance

Have You Seen the Headlines Lately? Given the numerous newsworthy security breaches occurring recently, CEOs should be asking important questions about their company’s current cybersecurity capabilities, gaps, and requirements.

The Crowe Horwath LLP security and privacy team can help organizations incorporate a proactive program to mitigate cybersecurity risks that may strengthen the confidentiality, integrity, and availability of organizational assets.

Visit www.crowehorwath.com/cyber to access Six Questions CEOs Should Ask Their IT Teams About Cybersecurity. For additional information on cybersecurity, please contact Raj Chaudhary at 312.899.7008 or [email protected].

Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International. © 2016 Crowe Horwath LLP


Page 3

Audit Management & Data Analysis Software

Does this sound familiar?

• You spend most of your day managing spreadsheets, shared drives and email.

• You’d rather add value for your organization by showcasing material improvement and risk mitigation opportunities – not chasing after tick marks in e-documents.

• You’d love to easily report on strategic risks, recommendations, and remediation statuses – anytime senior management or the board asks.

• You’d feel much more confident if your recommendations and findings can be backed by quantifiable, data-based evidence.

Your audit management tool should do much more than manage workpapers. ACL GRC is the only solution that integrates robust data analytics with easy-to-use, cloud-based audit management software.

Turn Analysis into Actionable Results - Anytime, Anywhere. Watch the video on acl.com/a-better-way to see how it works in less than 2 minutes.

Page 4

Can you see what’s coming? Change is inevitable. And it can happen in the blink of an eye. EY’s Internal Audit Services can work with you to prepare for what you can see … and what you can’t. Our insights and innovative mindset can help you make the most of your opportunities with the least amount of risk.

To find out more, visit ey.com.audit.

© 2014 Ernst & Young LLP. All Rights Reserved. ED None.

Page 5

FOR THE LATEST AUDIT-RELATED HEADLINES visit InternalAuditor.org

FEATURES

AUGUST 2015 VOLUME LXXII: IV

TECHNOLOGY

26 COVER | The Cybersecurity Imperative. To help organizations lock down security, internal auditors must raise their skills and understand the latest threats. BY TIM MCCOLLUM

32 Protecting Customer Data. With personal information at risk, internal auditors must provide assurance for the many facets that make up data security. BY MICHAEL LEVY

39 Gauge Your Analytics. By addressing people, processes, and technology, internal audit can ensure a successful data analytics initiative. BY DAVID CODERRE

53 A New Framework for a New Age. The IIA’s updated International Professional Practices Framework helps guide auditors through change and ever-growing challenges. BY JANE SEAGO

58 Invest in Yourself. New IIA Global Chairman of the Board Larry Harrington says internal auditors have the opportunity to create positive change in a world that is evolving at lightning speed.

65 5 Steps to Marketing Your Audit Department. Developing a value proposition will help internal audit better understand and communicate its worth. BY J. MICHAEL JACKA

DOWNLOAD the IA app on the App Store and on Google Play!

Page 6

Incisive: A New Approach to Spreadsheets

New: Embrace spreadsheets. New: Know your spreadsheets are risk free. New: Collaborate with a spreadsheet audit trail.

Unmatched Visibility • Exceptional Control • Ease of Use

Learn more about spreadsheet risk management at incisive.com

300 Santana Row, Suite 200, San Jose, CA 95128 | 408.660.3090 | www.incisive.com | ©2015 Incisive Software Corporation. All rights reserved.

Page 7

Internal Auditor ISSN 0020-5745 is published in February, April, June, August, October, and December. Yearly subscription rates: $75 in the United States and Canada, and $99 outside North America. No refunds on cancellations. Editorial and advertising office: 247 Maitland Ave., Altamonte Springs, FL 32701-4201, U.S.A. Copyright © 2015 The Institute of Internal Auditors Inc. Change of address notices and subscriptions should be directed to IIA Customer Service, +1-407-937-1111. Periodicals postage paid in Altamonte Springs, Fla., and additional offices. POSTMASTER: Please send form 3579 to: Internal Auditor, 247 Maitland Ave., Altamonte Springs, FL 32701-4201, U.S.A. CANADA POST INTERNATIONAL: Publications Mail (Canadian Distribution) Sales Agreement number: 545880; GST registration number: R124590001. Opinions expressed in Internal Auditor may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by authors’ employers or the editor of this journal. Internal Auditor does not attest to the originality of authors’ content.

ONLINE InternalAuditor.org

Framework for Effectiveness. Take a guided video tour of The IIA’s updated International Professional Practices Framework.

The Phantom Employee. Art Stewart discusses the case of a government official who enabled a former subordinate to keep getting paid long after he had stopped working for the agency.

The Next Generation of Cyber Experts. Your next IT audit hire may still be in high school — a look at new initiatives to train today’s youth for tomorrow’s IT security battles.

Chairman’s Video. Watch The IIA’s 2015-2016 global chair, Larry Harrington, discuss his theme for the upcoming year, “Invest in Yourself.”

DEPARTMENTS

7 Editor’s Note

9 Reader Forum

PRACTICES

11 Update. Auditors fall short on cybersecurity; risk oversight lags behind rising threats; and executives hold the key to an ethical corporate culture.

17 ITAudit. The consolidated approach: Audit once and use for many.

20 Risk Watch. CAEs can enhance the audit committee’s ability to manage uncertainty.

23 Fraud Findings. Skimming birth and death certificate fees proves lucrative for a county clerk.

INSIGHTS

71 Governance Perspectives. Why did some companies fail to gain value from COSO 2013?

75 The Mind of Jacka. Many practitioners still cling to age-old thinking about the profession.

77 Eye on Business. A reflection on COSO’s 30-year history.

80 In My Opinion. Audit managers may be inadvertently driving away top talent.

RESOURCES

46 Directory of Software Products

Page 8

The American Center for Government Auditing: The Premier Resource for Public Sector Auditors

Learn more about the ACGA at acga.theiia.org. Follow us on Twitter @IIA_acga!


Influential. Impactful. Indispensable.

Public sector auditors have unique needs. From budget constraints to political and public pressures, government auditors face a variety of challenges every day. The American Center for Government Auditing (ACGA) provides public sector audit professionals with timely and relevant resources including:

• Industry News

• Guidance and Resources

• Networking Opportunities

• Thought Leadership and Research

• Training and Career Development

• Plus all the benefits of IIA Membership

“As a public sector internal audit director, meeting multiple stakeholders’ expectations is a unique challenge for me. The ACGA is there to support government auditors by providing unique solutions to unique situations. Through the ACGA, we can tell our story and positively influence the public sector audit community.”

Steve Goodson, CIA, CGAP, CCSA, CRMA, CISA, CLEA, IIA Member Since 1990


Page 9

Editor’s Note

Internal Auditor, August 2015, page 7

David Salierno

Are You Cyber Literate?

As organizations adopt new approaches to information management and access, internal audit departments face increasingly complex challenges in helping address the related risks. In fact, a new report from The IIA’s Global Internal Audit CBOK research, Navigating Technology’s Top Risks: Internal Audit’s Role, identifies several of those risk areas, including IT governance, use of mobile devices, and social media. It also highlights the importance of increased internal audit awareness of these areas, and of strengthening IT audit capabilities.

These two priorities are stressed as well in this month’s cover story, “The Cybersecurity Imperative” (page 26). The rising number of cyberattacks against well-known companies — and the changing nature and source of those attacks — has gotten the board’s attention. Boards now want to know what the risks are to their organization, how it is protecting cyber assets, and whether it is capable of stopping attacks. In many cases, they’re turning to the internal audit function for assurance. If auditors are going to provide that assurance, says author Tim McCollum, they’ll need to increase their awareness of the latest threats and ensure they have the right skills.

Similarly, “Protecting Customer Data” (page 32), by Michael Levy, discusses the role auditors must play in ensuring data privacy. Levy examines internal audit’s involvement in terms of risk assessment, governance, and security benchmarking, as well as training. He says auditors can leverage guidance material and other resources to help familiarize themselves with these areas and perform data security audits.

Organizational IT risks, however, are only part of the technology learning curve many auditors face. Practitioners may also struggle to stay abreast of technology specific to the profession, some of which has become essential to their work. As author Dave Coderre says of data analytics, the technology is “no longer a nice-to-have, but a requirement” (see “Gauge Your Analytics” on page 39). In discussing the “people” side of analytics, Coderre’s feature emphasizes the importance of having the right technical skills in the audit department, as well as business process knowledge.

The need for technology expertise — in both audit tools and organizational IT — will only increase. Cyberattacks are on the rise, privacy is becoming more and more difficult to protect, and the volume and complexity of data internal auditors must analyze continues to grow. All of these factors point to the importance of awareness and education. In fact, IIA Global Chairman Larry Harrington’s theme for the coming year, “Invest in Yourself” (page 58), centers on that very notion. He stresses the importance of skill-building and lifelong learning — even if it requires an investment of one’s own time and money. The message seems especially apt for technology, where change and the need to adapt are an organizational constant.

Page 10


Supporting the Changing Demands of Today’s CAE.

More than 700 chief audit executives worldwide benefit from the Audit Executive Center’s thought leadership, benchmarking studies, tools, networking opportunities, and more.

• A robust members-only website, featuring a growing Knowledge Center of nearly 950 pieces of thought leadership and more than 1,200 tools, templates, and planning resources.

• Exclusive peer-to-peer knowledge sharing opportunities, including roundtables, networking events, and exclusive webinars with CPE eligibility.

• E-bulletins, news publications, and weekly alerts geared specifically for CAEs.

• New Blog! Anderson on CAE Acumen: Douglas Anderson, former CAE at Dow Chemical, addresses topics and issues that CAEs encounter with a focus on how the CAE needs to view and manage today’s internal audit challenges.

The Center keeps CAEs empowered, connected, and relevant — and better equipped to handle today’s changing demands.

Learn more about how the Center can support your needs and join by Aug. 31 for 20% or more off the standard membership rate. Please visit www.theiia.org/cae or contact us directly at [email protected] / +1-407-937-1111.


Page 11

Reader Forum

Internal Auditor, August 2015, page 9

Organizational Politics

I agree that being proactive is key, but I also feel strongly that this is a much more problematic issue for the profession than many think. This concern is reinforced by the high number of CAEs who have identified political pressures — and I suspect that’s only the half of it — as well as by several of the authors’ case studies in which less than positive outcomes were the result.

I think a challenge for the profession is figuring out how to support CAEs who are facing these challenges — do we have enough in the way of ethics panels/support networks? And by the same token, what are we doing, as a profession, to tackle the problem of CAEs who feel the only survival strategy is to “lie low,” avoid auditing difficult areas, and collect their paycheck? Paradoxically, these CAEs may be getting great feedback because they are so aligned with management that they have lost their independence on the really important/sensitive issues.

JAMES PATERSON comments on Patricia Miller and Larry Rittenberg’s “Internal Audit in the Crosshairs” (June 2015).

Realize Your Potential

I took the time to read Mike Joyce’s article, “Make Your Mark,” and thoroughly enjoyed it. It is so true that the outside world forgets we are people, too. As my company now transitions from Blue Cross of Northeastern Pennsylvania to Highmark, I do not know what my future holds. However, I will reflect on Joyce’s words and try to “realize my full potential and make my mark.”

CHERYL WOLOSKI comments on Mike Joyce’s “Make Your Mark” (June 2015).

Easy Targets

Small charities and nonprofit organizations are hit frequently because they don’t have strong internal control structures and possess limited staff. Typically, the executive director and senior staff are implicitly trusted by the board and have sufficient means to steal funds without detection. Perhaps the charities should be doing a better job of hiring in the first place and training board members and staff on basic internal controls.

PHIL CASKANETTE comments on Art Stewart’s “Robbing the Poor” (InternalAuditor.org, May 2015).

The Problem With Governance

For very real reasons, executive management tends to keep the strategic vision closely held until that strategy becomes executable. That means there are fewer eyes looking at the strategy and even less oversight. So while auditors can and do look at risk management and compliance, we rarely have a chance to review the key aspects of governance. And from what does get reviewed — organizational charts, department and committee charters, policies, and procedures — there is little value to be added. Until that gap can be bridged, governance will continue to be the silent partner of GRC.

RICHARD FOWLER comments on the Marks on Governance blog post, “Trends in GRC.”

WE WANT TO HEAR FROM YOU! Let us know what you think of this issue. Reach us via email at [email protected]. Letters may be edited for clarity and length.

EDITOR IN CHIEF: Anne Millage

MANAGING EDITOR: David Salierno

ASSOCIATE MANAGING EDITOR: Tim McCollum

SENIOR EDITOR: Shannon Steffee

ART DIRECTION: Yacinski Design, LLC

PRODUCTION MANAGER: Gretchen Gorfine

CONTACT INFORMATION

ADVERTISING: [email protected], +1-407-937-1109; fax +1-407-937-1101

SUBSCRIPTIONS, CHANGE OF ADDRESS, MISSING ISSUES: [email protected], +1-407-937-1111; fax +1-407-937-1101

EDITORIAL: David Salierno, [email protected], +1-407-937-1233; fax +1-407-937-1101

PERMISSIONS AND [email protected], +1-407-937-1232; fax +1-407-937-1101

WRITER’S GUIDELINES: InternalAuditor.org (click on “Writer’s Guidelines”)

Authorization to photocopy is granted to users registered with the Copyright Clearance Center (CCC) Transactional Reporting Service, provided that the current fee is paid directly to CCC, 222 Rosewood Dr., Danvers, MA 01923 USA; phone: +1-508-750-8400. Internal Auditor cannot accept responsibility for claims made by its advertisers, although staff would like to hear from readers who have concerns regarding advertisements that appear.

EDITORIAL ADVISORY BOARD

Dennis Applegate, CIA, CPA, CMA, CFE

Lal Balkaran, CIA, CGA, FCIS, FCMA

Mark Brinkley, CIA, CFSA, CRMA

Adil Buhariwalla, CIA, CRMA, CFE, FCA

Daniel J. Clemens, CIA

David Coderre, CPM

Michael Cox, FIIA(NZ), AT

Dominic Daher, JD, LLM

James Fox, CIA, CFE

Peter Francis, CIA

Michael Garvey, CIA

Nancy Haig, CIA, CFE, CCSA, CRMA

Daniel Helming, CIA, CPA

J. Michael Jacka, CIA, CPCU, CFE, CPA

Keith E. Johnson, CIA

Sandra Kasahara, CIA, CPA

Eila Koivu, CIA, CCSA, CISA, CFE

Robert Kuling, CIA, CRMA, CQA

Michael Levy, CRMA, CISA, CISSP

Merek Lipson, CIA

Thomas Luccock, CIA, CPA

Michael Marinaccio, CIA

Norman Marks, CPA, CRMA

Alyssa G. Martin, CPA

Dennis McGuffie, CPA

Stephen Minder, CIA

Kenneth Mory, CIA, CPA, CISA, CRMA

Jack Murray, Jr., CBA, CRP

Hans Nieuwlands, CIA, RA, CCSA, CGAP

Michael Plumly, CIA, CPA

Jeffrey Ridley, CIA, FCIS, FIIA

Marshall Romney, PHD, CPA, CFE

James Roth, PHD, CIA, CCSA

Katherine Shamai, CIA, CA, CFE, CRMA

Debora Shelton, CIA, CRMA

Laura Soileau, CIA, CRMA

Jerry Strawser, PHD, CPA

Glenn Sumners, DBA, CIA, CPA, CRMA

Sonia Thomas, CRMA

Stephen Tiley, CIA

Robert Venczel, CIA, CRMA, CISA

Curtis Verschoor, CIA, CPA, CFE

David Weiss, CIA

Scott White, CIA, CFSA, CRMA

CONTRIBUTING EDITORS

Mark Brinkley, CIA, CFSA, CRMA

John Hall, CPA

J. Michael Jacka, CIA, CPCU, CFE, CPA

Steve Mar, CFSA, CISA

James Roth, PHD, CIA, CCSA, CRMA

Paul J. Sobel, CIA, QIAL, CRMA

Laura Soileau, CIA, CRMA

IIA PRESIDENT AND CEO: Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA

IIA CHAIRMAN OF THE BOARD: Larry Harrington, CIA, CRMA, QIAL, CPA

August 2015, Volume LXXII: IV. Published by The Institute of Internal Auditors Inc.

Page 12

Audit Management Software

Trusted by Companies, Governments and Individuals Worldwide.

+1 847 418 3898 | www.mkinsight.com

How has MKinsight™ become the fastest growing Audit Management Software worldwide without making a single outbound sales call?

                                      2006        2015
CUSTOMERS                             25 users    25,000+ users
REPLACEMENT OF TRADITIONAL SYSTEMS    0           70+ countries
VERSION                               2.0         10.0
OUTBOUND SALES CALLS                  0           0

Page 13

For the latest audit-related headlines follow us on Twitter @iaMag_iia

Update

Internal Auditor, August 2015, page 11

Risk oversight is lacking… Executive action is key to building risk culture… IT threats in the financial sector… Cybersecurity protections are immature.

Auditors Fall Short on Cybersecurity

A recent survey finds internal auditors may not be devoting sufficient attention to the risk of data breaches.

More than one-third of internal auditors worldwide say their organization faces “extensive” risk of a data breach that would be harmful to its brand, according to The IIA Research Foundation’s Global Internal Audit Common Body of Knowledge (CBOK) report, Navigating Technology’s Top Risks: Internal Audit’s Role. Another 59 percent of respondents rate the risk of such a breach as “minimal” to “moderate.”

Despite this perceived threat, the report shows that more than one out of four auditors at the largest organizations — those with 100,001 employees or more — describe the level of cybersecurity-related activity in their department as “minimal” or “none.” In small and medium-sized organizations — between 500 and 10,000 employees — almost half of the participants report these same levels of activity. Moreover, only 14 percent of those in small and medium-sized organizations reported extensive cybersecurity activity, compared to 42 percent for the largest organizations.

Among other IT risks, the CBOK study also identifies systems development projects as a top area for internal audit’s attention. Over the next two to three years, more than 60 percent of respondents say they expect audit activity in this area to increase. Survey participants also cite exposures associated with their organization’s use of predictive data analytics, with more than one-fourth indicating that reliability of big data, in particular, presents an extensive risk.

A separate CBOK report, Staying a Step Ahead, points to internal audit’s own use of data analytics. It reveals that nearly half of internal audit departments either use analytics tools minimally or don’t use them at all. Another 19 percent say they use this technology extensively.

The CBOK research underlying these reports includes more than 14,500 responses across 166 countries, comprising practitioners at the CAE, director, manager, and staff levels. Both technology reports are scheduled for release in mid-August. —D. Salierno

Threat From Within: A survey of IT security professionals highlights insider threats facing organizations.

• 38% estimate remediation costs reach up to US$500,000 per attack.

• 47% say their organization has the controls necessary to prevent insider attacks.

• 62% say insider attacks are much more difficult to detect than external attacks.

• 62% report that insider threats have become more frequent in the last 12 months.

• 59% say privileged users pose the biggest insider threat.

Source: Crowd Research Partners, Insider Threat Spotlight Report

Page 14

ADVERTISEMENT

Competing priorities: Are CAE and audit committee priorities in sync?

What’s your priority?

There’s a disconnect between audit committee members and CAEs when prioritizing audit risks. Audit committee members rate financial and compliance highly, while CAEs focus on compliance and operational risks. Data shows other areas where the two groups are out of sync.

Ranking    CAEs                  Audit committees
1          Compliance risks      Financial risks
2          Operational risks     Compliance risks
3          Financial risks       Operational risks
4          Strategic risks       Strategic risks

So the question is: How can they become more aligned? In the 2015 Governance, Risk and Compliance Survey, we recommend various strategies and tactics to help CAEs gain efficiencies and derive more value from their organizations’ compliance efforts. Ultimately, they’ll optimize the internal audit process and free up limited resources to meet both audit committee and CAE objectives.

More insights at grantthornton.com/grcsurvey

twitter.com/grantthorntonus | linkd.in/grantthorntonus | youtube.com/grantthorntonus

“Grant Thornton” refers to Grant Thornton LLP, the U.S. member firm of Grant Thornton International Ltd (GTIL). GTIL and the member firms are not a worldwide partnership. Services are delivered by the member firms. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another’s acts or omissions. Please see grantthornton.com for further details.

Page 15

Internal Auditor, August 2015, page 13

Where Is the Oversight?

Risk supervision is lagging behind rising threats, especially in the U.S.

Risk oversight processes are still lacking, according to the Global State of Enterprise Risk Oversight report from North Carolina State University’s Enterprise Risk Management (ERM) Initiative and the Chartered Global Management Accountant designation. And U.S. organizations are lagging behind their global counterparts, notes the report, which is based on surveys of 1,300 executives worldwide.

About one-third of non-U.S. respondents say their organization has complete ERM in place, compared to 24 percent of U.S. respondents. Globally, only 25 percent say risk management oversight in their organization is mature or robust, with respondents in Europe (33 percent) most likely to describe their oversight in those terms.

The differences extend to who is responsible for risk oversight. At non-U.S. organizations, more than 60 percent of boards are asking senior executives to be involved in risk oversight, compared to 39 percent of U.S. boards. Additionally, over 70 percent of non-U.S. boards have assigned risk oversight to one of their committees — usually audit or risk — compared with 46 percent of U.S. organizations. —T. McCollum

A 15% increase in anxiety levels was found among financial managers presented with negative consequences for poor performance, making them 2x+ more likely to behave unethically. A nearly 50% increase in creativity and innovation occurred when positive outcomes for success were highlighted.

“Regulators and financial services leaders can change behavior within companies by increasing emphasis on the positive outcomes of good performance,” says Darren Wardley, people and change director and behavioral science specialist at PricewaterhouseCoopers.

Source: PricewaterhouseCoopers and London Business School, Why You Can’t Scare Bankers Into Doing the Right Thing

Executive Champions

Management action is key to creating an ethics culture.

Tone at the top matters in establishing an ethical corporate culture — but executive action matters more, according to the 2015 Ethics & Compliance Effectiveness Report from New York-based ethics advisory firm LRN. One of the most significant indicators of an ethical culture is when senior executives raise ethics and compliance issues in staff meetings and operational reviews, notes the report, which examines how 250 organizations use 20 separate performance metrics.

The 11 percent of responding organizations in which executives often raised such issues scored much higher on LRN’s Program Effectiveness Index than the organizations whose executives rarely or never brought up these issues, which comprise 64 percent of

Page 16


The IIA Congratulates the 2014 Certified Internal Auditor® (CIA®)* Award Winners!

The IIA congratulates all 68 award winners. It is their dedication to their profession and understanding of the benefits and importance of certification that has led each to achieve these honors.

William S. Smith Award – Gold (Highest Scoring Candidate): Jepson Fuller, CIA (USA)

A.J. Hans Spoel Award – Silver (2nd Highest Scoring Candidate): Joy Larisey, CIA (USA)

Kurt Riedener Award – Bronze (3rd Highest Scoring Candidate): Brian Lair, CIA (USA)

Dr. Glenn E. Sumners Award – Student (Highest Scoring Student Candidate): Michael Easterday, CIA, CRMA (USA)

The IIA also recognizes the Certificate of Excellence (Next 10 Highest Scoring Individuals) and Certificate of Honor (Next 50 Highest Scoring Individuals) recipients:

Certificate of Excellence*:

• Katharina Winns, CIA (Germany)
• Alexander Rudyk, CIA (Switzerland)
• Benjamin Wolfgram, CIA (USA)
• James Moynihan, CIA (USA)
• Eleanor Dayton, CIA (USA)
• Ara Chalabyan, CIA, CRMA (Armenia)
• Stephen Roach, CIA (USA)
• Megan Clair, CIA (Canada)
• Daniel Ramsier, CIA (USA)
• Mark Ulanowicz, CIA (USA)

Certificate of Honor*:

• David Downing, CIA (USA)
• Devin McDonald, CIA (USA)
• Jonathan Barks, CIA (Canada)
• Lynna Leatherman, CIA (USA)
• Clarissa Diedrichs, CIA (Canada)
• Eric Burt, CIA (USA)
• Gregory Heitkamp, CIA (USA)
• Stephan Maslo, CIA (Canada)
• Thomas Bishop, CIA (Canada)
• Joel Jantzen, CIA (USA)
• Hui Zhang, CIA (Switzerland)
• D. Ryan Jeannette, CIA (USA)
• Mary Campagnolo, CIA (USA)
• Jobina San Antonio, CIA (Philippines)
• Christopher Leon, CIA (USA)
• Muhammad Yasir, CIA (UAE)
• Charles Roedel, CIA (USA)
• Peter Gentles, CIA (Canada)
• Sven Richtering, CIA (Germany)
• Huijuan Raeanne Lee, CIA (Singapore)
• Yanyi Adeline Ho, CIA (Singapore)
• Abigail Patupat, CIA (Philippines)
• John Tedrow, CIA (USA)
• William Davis, CIA (USA)
• Patricia Paquette, CIA (USA)
• Xiaoying Hou, CIA (USA)
• James Stonebraker, CIA (USA)
• Laura Tatem, CIA, CGAP (USA)
• William Curry, CIA (USA)
• Nikolaus Hartlieb, CIA (Austria)
• Angelo Bryant Licup, CIA (Philippines)
• Steffen Kirchmer, CIA (Germany)
• Leisa Pulliam, CIA (USA)
• Lynn Ranf, CIA (USA)
• Melissa Polak, CIA (Canada)
• Debasis Goswami, CIA (UAE)
• Jay Davis, CIA (USA)
• Alison Tulak, CIA (USA)
• Kimberly Schroeder, CIA (USA)
• Todd Waldman, CIA (USA)
• Robert Magistrado, CIA (Australia)
• Evan Carhart, CIA (USA)
• Spencer Starley, CIA (USA)
• Sachin Shinde, CIA (India)
• Michael Marcucci, CIA (USA)
• Lauri Tuomaala, CIA (Finland)
• Darice Goodridge, CIA, CRMA (USA)
• Heather Scott, CIA, CRMA (USA)
• Yaser Abdulla, CIA, CFSA (Bahrain)
• Julie K. Anderson, CIA, CFSA (USA)

Join with us in congratulating the following individuals for highest achievement on specialty certification exams.

Certification in Control Self-Assessment® (CCSA®): Daniele Rusconi, CIA, CCSA (Italy)

Certified Financial Services Auditor® (CFSA®): Joe Wilson, CIA, CFSA, CCSA (USA)

Certified Government Audit Professional® (CGAP®): Lesley Sisk, CGAP (USA)

Certification in Risk Management Assurance® (CRMA®): Jessica Bolding, CIA, CCSA, CRMA (USA)

The IIA Congratulates the 2012 Certified Internal Auditor® (CIA®)* Award Winners!

* Awards are based on individual performance on the core CIA exam parts 1, 2, and 3. With year-round testing, award recipients must pass each segment of the exam on their first attempt within one year of beginning the testing process.


the responses. Sixty-four percent of organizations with these "superstar" executives make it a priority to connect ethics and compliance policy to day-to-day operations, compared to 34 percent of other organizations.

Those organizations also are more likely to have made corporate values part of their code of conduct (64 percent), and their employees tend to consult the code when they encounter an ethical dilemma (63 percent). Such organizations have higher overall compliance outcomes (82 percent) than other respondents (53 percent). "Successful ethics and compliance programs prioritize culture and values and operate within companies that do the same," says Wayne Brody, a member of LRN's Ethics and Compliance Advisory Services Practice.

Although executive involvement contributed to greater integration between ethics programs and the organization, the study notes that an organization's overall ethics and compliance orientation creates buy-in throughout the business — particularly from middle management.

One finding that surprised researchers was that organizations where the general counsel was also the chief ethics and compliance officer had more effective ethics and compliance programs than organizations where the top ethics executive was a separate post. — T. McCollum

Organizations that focus too much on preventing cyberattacks put themselves at greater risk.

The Maturity Threat

When it comes to an organization's cybersecurity maturity, size doesn't matter, according to RSA's inaugural Cybersecurity Poverty Index, which surveyed more than 400 security professionals in 61 countries about their cybersecurity programs. Eighty-three percent of respondents from organizations with 10,000 or more employees say their risk and security practices are not mature.

"Enterprises continue to pour vast amounts of money into next generation firewalls, anti-virus, and advanced malware protection in the hopes of stopping advanced threats," says Amit Yoran, president of RSA in Bedford, Mass. "Despite investment in these areas, however, even the biggest organizations still feel unprepared for the threats they are facing."

Two pieces of data stand out, the report notes. The first is that organizations are prioritizing protection over detection despite the fact that prevention is unable to stop today's cyberattacks. Second, organizations' biggest weakness is measuring, assessing, and mitigating cyberrisk, which makes it difficult to prioritize security activity.

In assessing the maturity of their cybersecurity programs against the U.S. National Institute of Standards and Technology Cybersecurity Framework, nearly 75 percent of respondents say their organization has significant risk exposure. Just 20 percent indicate they have mature security strategies. — S. Steffee

Risk Ready

Citi's CAE of technology, Joanne Coulson, works closely with the information security function to assess emerging IT threats to the financial giant.

What IT risks are you most concerned about?
Cyberthreats, data, and legacy technology are our current areas of focus. Cybersecurity is a hot topic within Citi and with our regulators globally, so our focus on cybersecurity is around how the company gathers threat intelligence and responds to that information, as well as how it reacts to incidents. The data governance coverage is targeted to maintaining the quality and integrity of data. Finally, we maintain a view on how the legacy technology and systems are being controlled.

How is Citi's internal audit department addressing the increasing number of sophisticated attacks?
Citi Internal Audit has a strong base of knowledgeable IT auditors with extensive technology expertise. That said, we recognize the difficulty in maintaining the same level of expertise as the attackers, or even security professionals. Therefore, we maintain close contact with the Citi Information Security Office and the processes that they operate to identify threats and respond to them proactively. We assess those processes for effectiveness, rather than trying to identify all of the emerging risks ourselves.

Visit InternalAuditor.org to read an extended interview with Joanne Coulson.


>> Easily access historical audits to inform future work
>> Drive quality throughout the audit process
>> Reduce wasted effort and duplication of input
>> Utilize the latest proven Microsoft technologies for operation over unstable networks
>> Safeguard company assets through stronger corporate governance

And that's not all! Automate your audit testing with Pentana Analytics. Results can be easily viewed offline wherever your audits may take you.

Fast. Precise. Competitive. Take control of your audit data with a full suite of audit management and data analytics tools.

To find out more visit: Stand 214, IIA's GRC Conference, August 17 – 19, 2015

Improve your audit and accelerate your data analytics

Enterprise GRC Solutions

Online, offline… anywhere in the world with comprehensive global audit and risk management software.

www.ideagenplc.com/pentana | Enquiries: [email protected] | Call: +1 (202) 888 3560


IT Audit

Send IT Audit article ideas to Steve Mar at [email protected]

Consolidated Audit Programs

Internal auditors can use the CAP approach to cut the number of external compliance audits.

By Carlos Pelaez, edited by Steve Mar

Organizations contend with a long list of regulations, laws, and requirements that subject them to lots of external audits for compliance. Internal audit departments will overlay their own operational audits around the financial reporting process, project assurance, and other areas. Because of internal auditors' role in scheduling such reviews and exchanging information with external auditors, they can help rein in the inefficiencies of back-to-back external audits.

One way internal audit departments can manage requirements and competing purposes is using a consolidated audit program (CAP) that provides audit efficiency and helps manage audit risk. A CAP weaves together multiple audits across many domains through detailed control mapping, audit plan development, and scope synchronization. Audit once and use for many is the basic principle of this approach.

Appropriate use of technology helps make the large number of requirements and controls more manageable.

Governance Needs
Before going out with a request for proposal for multiple consolidated compliance audits, internal audit should prime the organization to create a structure that is capable of using the CAP approach. This approach will require buy-in from all key stakeholders, including those who sign off on compliance reports and the control owners responsible for performing the controls.

Early in the process, internal audit should identify those control owners through a mapping exercise. Specifically, auditors should be aware of the precise origin of the control for each domain, as well as the higher risk controls that are common across one or more domains, because a failure of a common control would impact multiple compliance domains. Because access control, change management, logging, backups, and other IT processes cut across so many audits, the IT portion is often the area that receives the greatest number of repetitive audits.

A key aspect in this mapping is selecting one compliance domain to be the anchor for the process. In all multi-compliance audits, the various standards compete for attention, and it helps to have a structure with a clear leader.

Once the compliance audits begin, internal audit should be the central point of contact between the external auditor and the control owner. This can save time because the internal auditor is screening requests for both evidence and interviews before they reach the control owner. Internal audit should have a reporting dotted line, or a direct line, to the compliance manager to provide an escalation point when things get difficult. Finally, internal audit should control


Your Solution to Effective Internal Audit, Compliance and ERM

A flexible and fully integrated web-based solution for Enterprise Risk Management, Audit Management, Resource scheduling, Work Papers, Questionnaires, Issue Tracking and extensive KPI/MI reporting. Web interface works with PC, laptop, iPad and other smart devices enabling the whole organization to participate in the issue management and assurance processes.

Over 350 standard reports, charts, dashboards and scorecards are provided. The system includes an end-user reporting tool and configurable KPI/MI options.

Proactively alerts and prompts all stakeholders with the key information required to objectively assess the effectiveness of the assurance framework.

Integrated: a single integrated yet modular relational database
Intuitive: easy to use system which evolves and grows with you
Individual: configured and customized to meet your organization and users' exact needs
Innovative: improving your methodology, efficiency, delivery and profile

www.magiquegalileo.com | 1-866-657-1627 (USA) * +44 (0)20 7002 1370 (UK) * +61 (0)2 8003 3641 (Aus)


the pace of the CAP approach because it is closely attuned to the culture of the organization and can match the CAP objectives with the organization's readiness.

Organizations that undertake the CAP approach can save up to 10,000 hours.

Mapping Controls
The actual CAP begins by working with control owners to map controls, often aided by technology. For example, an appropriately formatted spreadsheet with the original citation from each domain can be mapped to controls, and vice versa. This data set may contain hundreds, if not thousands, of rows. It should label the IT controls that impact more than one domain. The IT controls form the foundation for many domains, and getting those organized can enable the process to go by quickly. This output also is key to explaining to stakeholders why the controls are required and provides supplemental information about where any common controls came from and what each domain may require.

However, this mapping exercise can drown organizations in a sea of documents, standards, rules, laws, and mismatched formatting that is prone to human error. The task should not be outsourced or conducted by someone who lacks knowledge of the organization — it needs to be a core exercise that obtains buy-in from the organization and forms the foundation of the CAP approach. When using existing IT frameworks, organizations should dedicate a minimum of three months to this endeavor. Some software tools can provide extracts across domains and ideally identify the common controls.

Aligning the Examination Windows
CAP builds on the control mapping by identifying the overarching examination windows for each domain to align these as much as possible. Internal audit should consider the time period of examination (e.g., six months, 12 months, or rolling three-year periods), the sample sizes dictated by each domain, due dates for the compliance reports, and the type of credentials required to perform each audit. For example, ISO 27001 restricts how much of its audit output can be reused by other audit teams, and the Payment Card Industry Data Security Standard (PCI DSS) prohibits work that is not performed by someone with the Qualified Security Assessor credential. Internal audit departments should treat CAP as they would any other audit plan.

Identify Audit Overlaps
Once internal audit has identified the eligible compliance domains, it should review the overlap of controls. This review should identify the common controls and consider the timing of those controls. For example, if a risk assessment should be performed annually, the control should occur when other domains can benefit from its timing.

All compliance domains must be mapped back to the controls required by each standard, and harmonized controls should be rolled into the mapping. Harmonized controls are important because they are abstract enough to fit multiple compliance domains, but specific enough to be readable by control owners. The mapping should be detailed in a way that the source language can be traced to the harmonized control relationship. The overlap between compliance areas is usually between 8 percent and 24 percent, with most common controls coming from the IT area.

Sequence Audits
The CAP approach will require accurately identifying the time line required by each compliance domain and the reporting period. These need to be aligned as closely as possible to obtain maximum benefits. First, internal audit should evaluate each domain to understand whether it requires testing at a point in time, such as PCI DSS and Service Organization Control (SOC) Type I, or over a period of time such as the U.S. Health Insurance Portability and Accountability Act and SOC Type II. Not all compliance areas will test the full populations annually. For example, the U.S. Federal Risk and Authorization Management Program requires that an external auditor test all controls in year one to form the baseline, but only a subset of those controls — focused on monitoring the baseline — must be tested in subsequent years.

Saving Time and Money
Completing each stage in the CAP process can prepare the organization to reduce inefficiencies from multiple external audits. Investing 200 to 300 hours to develop the CAP can enable the organization to prepare for a single external auditor, as well as clarify requirements that can be documented in a bid process to ensure that it gets the best auditor capable of maximizing time savings. Organizations that undertake the CAP approach can save between 1,000 and 10,000 hours annually because the compliance auditors will use less of the organization's time, which could save them as much as US$500,000.

Carlos Pelaez, CISA, PRINCE2, is a National Practice Leader at Coalfire Systems Inc. in Los Angeles.

To comment on this article, email the author at [email protected]
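The control-mapping data set the article describes (citation from each domain, the harmonized control it maps to, and a flag for IT controls that hit more than one domain) is easy to work once it is out of the spreadsheet. The Python below is an added example, not the author's or Coalfire's tooling. It assumes a constructed mapping of four domains the article names to harmonized controls; the citation labels are placeholders, not real requirement numbers, and the overlap figures are illustrative rather than the 8 to 24 percent the article reports. From that table it derives the common controls, the pairwise overlap between domains, the repetitive IT controls that qualify for "audit once and use for many", an anchor domain, and the trace from a harmonized control back to its source citations.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample mapping (NOT real citations): one row per
# (domain, source citation, harmonized control, is this an IT control).
MAPPING = [
    ("PCI DSS",   "PCI-cite-01", "AC-01 Unique user IDs",               True),
    ("PCI DSS",   "PCI-cite-02", "CM-01 Change approval",               True),
    ("PCI DSS",   "PCI-cite-03", "LG-01 Security event logging",        True),
    ("PCI DSS",   "PCI-cite-04", "NET-01 Cardholder data segmentation", True),
    ("SOC 2",     "SOC-cite-01", "AC-01 Unique user IDs",               True),
    ("SOC 2",     "SOC-cite-02", "CM-01 Change approval",               True),
    ("SOC 2",     "SOC-cite-03", "LG-01 Security event logging",        True),
    ("SOC 2",     "SOC-cite-04", "BK-01 Backup and restore testing",    True),
    ("SOC 2",     "SOC-cite-05", "RA-01 Annual risk assessment",        False),
    ("HIPAA",     "HIP-cite-01", "AC-01 Unique user IDs",               True),
    ("HIPAA",     "HIP-cite-02", "RA-01 Annual risk assessment",        False),
    ("HIPAA",     "HIP-cite-03", "TR-01 Workforce security training",   False),
    ("HIPAA",     "HIP-cite-04", "BK-01 Backup and restore testing",    True),
    ("ISO 27001", "ISO-cite-01", "AC-01 Unique user IDs",               True),
    ("ISO 27001", "ISO-cite-02", "CM-01 Change approval",               True),
    ("ISO 27001", "ISO-cite-03", "RA-01 Annual risk assessment",        False),
    ("ISO 27001", "ISO-cite-04", "SUP-01 Supplier security review",     False),
]


def controls_by_domain(mapping):
    """Set of harmonized controls each compliance domain requires."""
    out = defaultdict(set)
    for domain, _cite, control, _is_it in mapping:
        out[domain].add(control)
    return dict(out)


def citations_for_control(mapping, control):
    """Trace one harmonized control back to the source language in every domain."""
    return sorted((d, c) for d, c, ctl, _ in mapping if ctl == control)


def common_controls(mapping, min_domains=2):
    """Controls shared by at least min_domains domains: a failure here hits all of them."""
    domains, it_flag = defaultdict(set), {}
    for domain, _cite, control, is_it in mapping:
        domains[control].add(domain)
        it_flag[control] = is_it
    return {ctl: {"domains": sorted(ds), "it_control": it_flag[ctl]}
            for ctl, ds in domains.items() if len(ds) >= min_domains}


def audit_once_candidates(mapping):
    """Common IT controls: the repetitive area the article says gets audited most often."""
    return sorted(c for c, info in common_controls(mapping).items() if info["it_control"])


def pairwise_overlap(mapping):
    """Overlap of each domain pair as a percentage of their combined control set (Jaccard)."""
    by_dom = controls_by_domain(mapping)
    result = {}
    for a, b in combinations(sorted(by_dom), 2):
        inter, union = by_dom[a] & by_dom[b], by_dom[a] | by_dom[b]
        result[(a, b)] = round(100 * len(inter) / len(union), 1)
    return result


def anchor_domain(mapping):
    """Anchor = the domain whose requirements cover the most common controls (ties: first by name)."""
    common = set(common_controls(mapping))
    by_dom = controls_by_domain(mapping)
    return max(sorted(by_dom), key=lambda d: len(by_dom[d] & common))


if __name__ == "__main__":
    print("anchor domain:", anchor_domain(MAPPING))
    print("audit-once IT controls:", audit_once_candidates(MAPPING))
    for pair, pct in pairwise_overlap(MAPPING).items():
        print(f"overlap {pair[0]} / {pair[1]}: {pct}%")
    print("AC-01 sources:", citations_for_control(MAPPING, "AC-01 Unique user IDs"))
```

Extending the table is the whole job: each new domain adds rows, and the same functions recompute which controls can be tested once for several external auditors and which domain should lead the schedule.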


Risk Watch

Send Risk Watch article ideas to Paul Sobel at [email protected]

The Audit Committee in an Uncertain World

Internal audit can help members manage emerging risks arising from constant change.

By Alyssa G. Martin, edited by Paul Sobel

Uncertainty has always accompanied business operations. It cannot be avoided; it must be faced. Management and boards should openly recognize that the pace of change has increased and become more interconnected and global in nature, with the audit committee playing an active role in risk oversight.

Every organization is unique, causing internal and external risk categories to manifest through different risk events. Knowing the relevant risk categories and drilling into the specific events that could occur and influence an organization's success is imperative. The CAE needs to be a consultant to the audit committee, helping it with its oversight role. In addition, the internal audit function and the organization's senior leaders should work together to evaluate vulnerabilities linked to strategic objectives.

The Velocity of Change
As business changes and emerging risk becomes more relevant, risk management becomes a shared, routine process. Increasing reliance on Internet technology makes cybersecurity a crucial risk. Businesses with global customers or vendors must pay attention to geopolitical factors abroad, while other organizations face exposures within their home nations.

The potential for a "black swan" event, a devastating event that no one could have foreseen, exists as well. For example, the earthquake and subsequent tsunami Japan experienced in 2011 wreaked havoc on global supply chains without warning. Attempting to identify such possibilities is unfeasible and beyond the scope of effective risk management practices.

Such events illustrate the impact and velocity of change, as do disruptive innovative technologies.

While such disruption quickly makes some products and business models obsolete, it also presents opportunities for organizations that acknowledge and embrace change. That's what makes the audit committee's risk oversight role so important.

No business can totally mitigate every risk it faces, but every business must focus on the vulnerabilities that present the greatest exposure. Risk management is a multifaceted function that manages acceptance and avoidance of risk against the necessary actions to operate the business for success and growth, and to meet strategic objectives. Every business needs to regard risk management as an ongoing conversation whose importance requires participation by an organization's audit committee and other board members, with the CAE and internal audit function serving increasingly important roles.

To comment on this article, email the author at [email protected]

Enterprise Risk Frameworks
A variety of frameworks provide guidance for assessing and managing risk. The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Enterprise Risk Management–Integrated Framework is widely used by organizations in many industries. The International Organization for Standardization's ISO 31000–Risk Management Principles and Guidelines is recognized worldwide.

In addition to these frameworks, The Corporate Executive Board monitors reported risks from the largest U.S. corporations. Such resources enable an organization to take a continual, systemic risk management approach. In turn, an organization can define its risk profile, which provides an understanding of the organization's approach toward risk (see "Considerations Affecting Risk Profile" on this page).

While the internal audit function may facilitate identification of the risk profile and recognition of risk reduction activities, risk management should be owned by the organization's CEO and leadership team. The CAE can educate board members on risk management practices, relevant emerging risks, and alignment with the strategic business objectives. Understanding the risk profile can aid members in identifying expertise or skills gaps within the board that may impede its ability to provide guidance on managing emerging risks.

The Audit Committee's Risk Oversight Role
The audit committee exercises oversight for crucial corporate governance matters, including financial and compliance issues. The importance of risk awareness highlights why audit committee members also need to make risk an ongoing topic of discussion at board meetings throughout the year.

Initially, audit committee members should meet with and question the CEO, chief financial officer, chief operating officer, CAE, chief risk officer, controller, general counsel, director of financial reporting, IT director, and other key leaders. Insights gleaned from such interactions give committee members with risk oversight responsibilities firsthand knowledge of exposures facing the organization and help the committee engage other board members at the strategic and risk awareness levels. The knowledge gained from heightened risk awareness enables the audit committee, board, and management to more effectively address uncertainty and strategic objectives.

The internal audit function complements those efforts by assessing risks related to those strategic objectives. With industry-specific knowledge and understanding of analytics and other measurement or predictive tools, the internal audit function also can recommend and monitor controls that enhance efficiency, risk recognition, and responsiveness.

Building a Competitive Advantage
Monitoring the risks that emerge from change and uncertainty enables CAEs to advise the board and audit committee on exercising the risk oversight that is crucial to good corporate governance. This enhanced risk awareness can more fully prepare the organization to recognize and respond to emerging vulnerabilities before they become crises as well as to capitalize on opportunities that accompany change. In that sense, enhanced responsiveness to change can give an organization a competitive advantage that enables it to thrive.

Alyssa G. Martin, CPA, is the partner-in-charge of Risk Advisory Services and executive partner for Weaver in Dallas.

Considerations Affecting Risk Profile (figure: determination of risk profile)

Existing risk profile: the current level of risks across the entity and across various categories.
Risk capacity: the amount of risk that the entity is able to support in pursuit of its objectives.
Risk tolerance: acceptable level of variation an entity is willing to accept regarding the pursuit of its objectives.
Attitudes toward risk: the attitudes toward growth, risk, and return.


Fraud Findings

Send Fraud Findings article ideas to John Hall at [email protected]

A Matter of Life and Death

Poor controls and no segregation of duties allow a records clerk to pocket fees related to birth and death certificates.

By Linda Kapp and Gordon Heslop, edited by John Hall

Tina Graham had worked as a records clerk in the county clerk's office for two years. She was primarily responsible for processing applications for birth and death certificates. When the office's senior clerk left for another job, Graham's subsequent promotion to the position provided the opportunity that she needed to embezzle nearly US$10,000 in fees paid for copies of birth and death certificates.

To obtain a copy of either a birth or a death certificate, individuals would complete and submit an application and a processing and copy fee. The payment was supposed to be receipted at the time the application was processed. The receipts were written in duplicate form, with the original going to the person submitting the application and the duplicate left in the receipt book as support for the payment received. Receipts were summarized weekly or more often if a large number of payments had been collected. A summary sheet of the payments was prepared and taken to the Treasurer's Office, along with the cash and checks to be deposited in the bank. The Treasurer's Office did not normally verify receipt numbers when accepting the deposits.

The county clerk's office was small, had little or no segregation of duties, and had lax internal controls. This combination allowed Graham to easily void receipts and keep cash fees paid by customers. In some cases, Graham would write receipts for customers, give them a copy for their records, void the receipt copy — leaving it intact in the receipt book — and pocket the money. In other instances, she would write receipts for customers, give them a copy for their records, and then shred or otherwise destroy the original and keep the money. Sometimes she pocketed the money without preparing a receipt at all. In these cases, she also destroyed the birth or death certificate application so it wouldn't be as obvious that the money was missing.

Because of poor performance on the job unrelated to the then-unknown embezzlement, Graham was eventually demoted to receptionist after having served as the senior clerk for only six months. While she no longer had primary responsibility for processing applications and receipting payments, she did occasionally do so while the new senior clerk, Molly Roper, was on lunch break or out sick. Again, this opportunity gave her access to cash. One day, upon returning from lunch, Roper noticed a birth certificate application on Graham's desk. When she returned to her office, Roper expected to see a receipt for the money that would have been paid when the application was accepted. The receipt book was on her desk, but there


Practices/Fraud Findings

August 201524 Internal audItor

To commenT on this article, email the author at [email protected]

Following the investigation, Jameson put new proce-dures in place to provide better control over funds related to birth and death certificate applications and payments. The first change involved switching from a duplicate to triplicate receipt book. As before, the original was to be given to the applicant, the second copy was to stay intact in the receipt book, and the third copy was to be taken with the deposit to the treasurer’s office. The treasurer’s office was required to check the beginning number to the previous day’s ending number and verify that all receipts were received in sequence and that none were missing. The deposits were required to be made daily so that no cash was on hand in the county clerk’s office for more than a day. Also, Jameson modified the birth and death certificate applications to include a place to write the related receipt number, which would reduce the chance of an application being processed without a receipt. In addi-tion, a second clerk was made responsible for reconciling the receipts and applications that the other clerk processed, and then preparing the deposit to be taken to the treasurer’s office. On an intermittent basis, Jameson would reconcile the applications to the receipt book and then to the deposits. In addition, she reviewed the receipt book weekly to ensure there were no missing receipts and that all voids were sub-stantiated. Finally, Jameson rotated the duties of the two clerks on occasion.

Lessons Learned Ʌ The use of prenumbered applications and receipts, and

procedures to check for missing numbers, will make it more obvious when receipts have been destroyed. Any missing numbers should be investigated immediately as they may indicate fraud.

Ʌ Staff duties should be rotated on occasion to ensure fraud is more difficult to carry out and conceal.

Ʌ Accounting documents should be linked to source docu-ments so that it is more obvious when items are missing.

Ʌ Deposits should be made daily to decrease the likeli-hood of money being lost or stolen.

Ʌ Cash handling procedures such as receipting and depos-its should be segregated and reconciled to each other daily. Segregation of duties would require collusion for fraud to occur. Daily reconciliations make it more obvious if receipts are not being deposited or are being deposited for less than intended.

linda Kapp, edd, cpa, is a manager at McClanahan & Holmes

LLP in Paris, Texas. Gordon Heslop, dBa, llB(Hons), cia, cma, is an

associate professor, professional track, in the department of

accounting at Texas A&M University–Commerce.

was not a new receipt written in it. Roper then checked the cash drawer but found no additional money in it. Thinking Graham had not had time to write the receipt, she took the receipt book to her to complete the process. Receipts were supposed to be written while applicants were still in the office, and a copy was supposed to be given to them. Graham explained that the woman completing the application said her husband had cancer and could not work and they were barely getting by, so she let the woman submit the applica-tion without a payment. While Roper sympathized with the situation, she knew it was not their right to accept applica-tions without payment. She returned to her office and called Barbara Jameson, the county clerk and her boss, who was at a training event.

When Jameson returned to the office the next day she discussed the situation with Roper and then asked Graham about it. Jameson and Roper then played the tape from the office surveillance camera. Fortunately, the tape included both video and audio. In reviewing the tape, they noticed that the woman who Graham claimed she had not charged actually did hand her cash with her application. In addition, it was clear from the audio that she never mentioned anyone having cancer and not being able to pay. In addition to the suspicions generated from the missing payment, the review of the video made Jameson consider the possibility that this might not be a one-time situation. Graham was again called into Jameson’s office where she denied any wrongdoing. When Jameson told her that they had the tape, Graham refused to discuss the issue further. She was immediately put on suspension without pay while the county auditor and Jameson investigated. The investigation revealed the multiple ways Graham embezzled from the office and how she altered or destroyed the source documents:

1. Receipts were never written for some cash payments although applications were processed, which was verified by checking all the applications and reviewing the receipt book for the applicant’s related payment.

2. Receipts were written for cash payments and then later voided even though the applications were processed, which also was verified by checking the applications and comparing them to the receipt book. Most of the receipts that had been marked “void” had related applications that had, in fact, been processed.

3. Receipts were written for cash payments but then later destroyed or removed from the receipt book. The timing of previous and subsequent receipts as reconciled to applications supported this finding.
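The three reconciliation tests the investigation applied can be written as audit-analytics checks. The following is an added example with constructed sample data, not code or records from the article: it takes a list of applications and the surviving pages of a pre-numbered receipt book and reports processed applications with no receipt, voided receipts whose application was still processed, and gaps in the receipt-number sequence together with the unreceipted applications filed between the receipts on either side of each gap (the timing test the text describes). Application ids, fee amounts and dates are assumptions.

```python
"""Reconcile a pre-numbered receipt book against processed applications.

Constructed example (not from the article): the three tests the county
auditor applied, written as simple audit-analytics checks.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Application:
    app_id: str
    filed: date
    processed: bool      # True if the office acted on the application


@dataclass(frozen=True)
class Receipt:
    number: int          # pre-numbered receipt book page
    app_id: str
    amount: float
    issued: date
    voided: bool = False


# Constructed sample data: six applications, three surviving receipt pages.
APPLICATIONS = [
    Application("A-101", date(2015, 3, 2), True),
    Application("A-102", date(2015, 3, 2), True),   # processed, never receipted
    Application("A-103", date(2015, 3, 3), True),   # receipt later marked void
    Application("A-104", date(2015, 3, 4), True),   # receipt page removed from book
    Application("A-105", date(2015, 3, 5), False),  # withdrawn before payment: legitimate
    Application("A-106", date(2015, 3, 5), True),
]
RECEIPTS = [
    Receipt(501, "A-101", 25.0, date(2015, 3, 2)),
    Receipt(502, "A-103", 25.0, date(2015, 3, 3), voided=True),
    Receipt(504, "A-106", 25.0, date(2015, 3, 5)),  # page 503 is missing
]


def processed_without_receipt(apps, receipts):
    """Finding 1: processed applications with no receipt of any status."""
    receipted = {r.app_id for r in receipts}
    return sorted(a.app_id for a in apps if a.processed and a.app_id not in receipted)


def voided_but_processed(apps, receipts):
    """Finding 2: voided receipts whose application was nevertheless processed."""
    processed = {a.app_id for a in apps if a.processed}
    return sorted(r.number for r in receipts if r.voided and r.app_id in processed)


def missing_receipt_numbers(receipts):
    """Finding 3 (part a): gaps in the pre-numbered sequence, i.e. removed pages."""
    numbers = sorted(r.number for r in receipts)
    if not numbers:
        return []
    present = set(numbers)
    return [n for n in range(numbers[0], numbers[-1] + 1) if n not in present]


def gap_candidates(apps, receipts):
    """Finding 3 (part b): for each gap, the processed-but-unreceipted
    applications filed between the previous and next surviving receipts,
    i.e. the applications the missing receipt most plausibly covered."""
    by_number = {r.number: r for r in receipts}
    unreceipted_ids = set(processed_without_receipt(apps, receipts))
    unreceipted = [a for a in apps if a.app_id in unreceipted_ids]
    result = {}
    for gap in missing_receipt_numbers(receipts):
        prev_no = max(n for n in by_number if n < gap)
        next_no = min(n for n in by_number if n > gap)
        start, end = by_number[prev_no].issued, by_number[next_no].issued
        result[gap] = sorted(a.app_id for a in unreceipted if start <= a.filed <= end)
    return result


def reconcile(apps=APPLICATIONS, receipts=RECEIPTS):
    """Run all three tests and return the findings as one report."""
    return {
        "processed_without_receipt": processed_without_receipt(apps, receipts),
        "voided_but_processed": voided_but_processed(apps, receipts),
        "missing_receipt_numbers": missing_receipt_numbers(receipts),
        "gap_candidates": gap_candidates(apps, receipts),
    }


if __name__ == "__main__":
    for finding, detail in reconcile().items():
        print(f"{finding}: {detail}")
```

Each finding is reported separately because each points to a different way the source documents were altered; a withdrawn application with no payment (A-105 in the sample) is deliberately not flagged, so the checks distinguish a missing receipt from a missing application.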

During the investigation, Graham resigned from her position. She was later indicted and ordered to pay restitution in lieu of jail time.


The Cybersecurity Imperative

To help organizations lock down security, internal auditors must raise their skills and understand the latest threats.

Tim McCollum

Technology

Photo illustration: Sean Yates / Yacinski Design

They were warned. Computer hackers, nations, organized criminals, and malicious employees were after their data — using malware, email phishing, social engineering, and old-school hacking. But whenever an organization fell victim, the response of their peers often was, “It couldn’t happen here.”

Then the biggest prey began to fall — the Target breach in December 2013, then Home Depot, JPMorgan Chase, Sony, Anthem, the U.S. Internal Revenue Service, and U.S. Office of Personnel Management. Now cybersecurity has the attention of corporate boards. Now directors want to know whether the business’ data and digital assets are protected, what the threats are, and whether the organization can respond. “Virtually any organization can be hacked by a determined adversary,” says Eddie Schwartz, chief operating officer of cybersecurity firm WhiteOps in New York and chairman of ISACA’s Cybersecurity Task Force. “These attacks have reaffirmed to directors and C-level executives that cybersecurity has to be top-of-mind for themselves and for their people.”

But the answers to the board members’ questions may not be what they want to hear: It’s not a matter of whether the organization has had a breach; it’s a matter of when and whether it was detected in time. Information security research firm Ponemon Institute reports that the mean time for large organizations to detect a security breach is 206 days, while information security firm Trustwave says up to 71 percent of incidents go undetected. Equally troubling, less than half of IT professionals and IT auditors surveyed recently by ISACA and RSA Conference are confident their organization could detect and respond to a serious breach.

In many organizations, boards and senior executives are turning to internal audit for assurance about the strength of their cybersecurity defense and response capabilities to protect against financial, operational, and reputational damage. If internal audit is going to meet this need, auditors will need to quickly get up to speed on the latest threats and raise their cybersecurity skills.

The Board Is Asking Questions

This year for the first time, cybersecurity broke into the top 10 risk priorities of respondents to Aon’s Global Risk Management Survey, coming in ninth. Travelers Business Risk Index ranks it No. 2. Small wonder then that 80 percent of public company board members report their board discusses cybersecurity at most or all board meetings, according to a recent survey by New York Stock Exchange Governance Services and security vendor Veracode.

Such discussions have been a regular part of the board agenda at Huntington Ingalls Industries since the company spun off from defense contractor Northrop Grumman Corp. in 2011, says Scott Stabler, vice president of internal audit for the Newport News, Va.-based company. Because the bulk of its business is government defense contracting, the company has long been concerned with ensuring tight control over data, information systems, and access. “It’s something that’s central to the way we think about the business,” he explains.

These days the board is asking Stabler and the company’s IT leaders how the cybersecurity threat is evolving and what is being done to protect data, respond to the latest threats, and ensure the company’s ability to continue to do business. More recently, as Huntington Ingalls has expanded beyond its two shipyards into environmental and energy markets, management has been considering how to come up with a common organizationwide approach to cybersecurity in a more diverse operating environment and tailor market-appropriate cybersecurity solutions for each business. “The board wants to understand how our audit program gets at these issues,” Stabler says. “They ask about what kinds of things we find as we do our audit and what kinds of recommendations and corrective actions we are putting into play with our counterparts in IT.”

Michael Corey, U.S. internal technology audit services leader at PricewaterhouseCoopers (PwC) in San Francisco, says in today’s risk environment, board members should be asking their organization’s executives, IT leaders, and internal auditors three basic questions: What is the organization’s risk? What is it doing about that risk? And, is it doing enough? “Most of the boards that we interact with are trying to understand one of those three questions,” he says.

The organization’s cyberrisk profile drives resource allocation decisions (see “The Cost of Cybersecurity” on this page). “Ultimately what boards, audit committees, and executive management teams are faced with is understanding what the risk profile is and determining how many resources they’re going to allocate to manage those risks,” he explains.

The National Association of Corporate Directors’ (NACD’s) 2014 handbook, Cyber-Risk Oversight, discusses five principles that should guide boards’ cyberrisk discussions. Chief among these is treating cybersecurity as an enterprisewide risk, rather than an IT risk. Additional principles cover the legal implications of cyberrisks, seeking advice from cybersecurity experts, establishing a cyberrisk management framework, and discussions with management about which risks to avoid, mitigate, or transfer. A 2014 IIA/ISACA research report, Cybersecurity: What the Board of Directors Needs to Ask, uses the NACD’s cyberrisk principles as the basis for board inquiries about cyberrisk (see “Six Questions From the Board” on page 31).

The Cost of Cybersecurity

As with all risk considerations, the cyberrisk discussion ultimately must address costs. How much should the organization invest in cybersecurity controls and other measures? How much will a serious breach cost the organization? Organizations often struggle to determine whether the cost of cybersecurity is worth the investment.

Consider Sony. In a 2007 interview with CIO Magazine, Sony Pictures’ executive director of information security at that time said, “I will not invest US$10 million to avoid a possible US$1 million loss.” Sony now estimates that the financial cost of investigating and remedying last year’s breach so far is US$15 million, according to a March 30 Fortune article.

Not surprisingly, organizations are expected to spend US$76.9 billion on cybersecurity this year worldwide, up from US$71.1 billion in 2014, according to research firm Gartner. However, in its latest Global State of Information Security Survey, PricewaterhouseCoopers (PwC) reports that cybersecurity budgets decreased 4 percent in 2014, with companies with less than US$100 million in revenues spending 20 percent less than in 2013.

Meanwhile, Ponemon Institute’s 2015 Cost of Data Breach Study puts the average cost of an information security breach at a large company at US$154 per record. A similar study by Verizon, however, estimates the cost at just 58 U.S. cents per record.

One trend PwC’s Michael Corey sees is a move away from investing in preventing incidents and toward quicker detection. In today’s threat environment, prevention can be like “putting another deadbolt lock on a screen door,” he says. Some of the headline-making breaches weren’t detected for as long as 15 months. “If you can identify the threat actor in your environment and shut it down in a short period of time, it doesn’t give that threat actor time to learn about the information flow and where it resides,” he says. “They’re significantly hampered in their ability to extract value.”

The top causes of cybersecurity breaches in 2014 were cybercriminals, nonmalicious insiders, and hackers, according to ISACA and RSA Conference’s 2015 State of Cybersecurity survey.

A Common Language

Just because boards are asking questions about cybersecurity doesn’t mean they are getting the information they seek or understanding the answers they receive. In a recent Raytheon survey, 78 percent of information security officers say their board hasn’t been briefed about cybersecurity in the past 12 months. And just 62 percent of C-level executives of large U.S. companies surveyed by Tripwire consider their board to be “cybersecurity literate,” with 32 percent saying the board has a good understanding of information security issues.

But knowledge gaps work both ways, says David Meltzer, chief research officer at Tripwire, based in Portland, Ore. “Most boards and C-level executives would say they are cybersecurity literate today, and they probably wouldn’t have said that five years ago,” he explains. “But if you ask that question at the risk level — ‘How much do the IT professionals know about risk and governance?’ — it may not be as much.”

Bridging those gaps is difficult because there is no generally accepted cybersecurity framework, Meltzer says. Instead the board, management, IT, information security, and internal audit may all have their own points of reference. Meltzer and other security experts recommend establishing a common framework that enables everyone in the organization to speak the same language about cyberrisk. Among the many frameworks are the U.S. National Institute of Standards and Technology’s (NIST’s) Cybersecurity Framework, the International Organization for Standardization’s ISO 27001, and ISACA’s COBIT. Organizations may also be subject to specific cybersecurity requirements included in the U.S. Health Insurance Portability and Accountability Act, the Payment Card Industry Data Security Standard, and similar industry regulations or standards.

Late last year, Travis Finstad and his internal audit team at Zions Bancorporation in Salt Lake City used the NIST Cybersecurity Framework to perform an organizationwide cybersecurity health check. The auditors rated the company’s maturity in each of the framework’s five domains on a five-point scale, noting what security controls were in place and whether there were any opportunities for improvement. Finstad, Zions’ senior vice president and director of internal audit, shared their report with the board, management, and the IT department. The health check and a common framework helped the board and management have a common understanding of the organization’s cybersecurity risk landscape, strategy, and controls. “Cybersecurity is a business risk,” Finstad says. “Once an incident happens, then it’s about how you are going to respond and communicate with the public and your customers. These are things you want to have discussed and practiced before an event occurs.”

The framework also provides a basis for working with the information security team. “Having a framework gives them a way to measure their progress, and it gives us a way to comment on it,” he says. “Just as the hackers are constantly evolving with their methods and technology, we need to do the same.”

Getting at Cyberrisk

As the NACD guidance recommends, organizations increasingly are treating cybersecurity as an enterprisewide risk. Pervez Bamji, vice president and general auditor at technology company Pitney Bowes in Stamford, Conn., says cybersecurity is firmly part of its enterprise risk management program and internal audit universe. “There is no audit or review that you do in this day and age that is not security related,” he explains.

Like many boards, Pitney Bowes’ directors are concerned with protecting the company’s data (see “Protecting Customer Data” on page 32). Its internal auditors start by looking at cyberrisk at an organizational level. They conduct an inventory of the company’s data assets to determine what data needs to be protected and how it is currently being protected. Another consideration is who the data must be protected from — both outside and inside the company. From there, auditors review policies and procedures over data and how the organization monitors compliance with them. Another general concern is how the company educates employees about data security, an area where many organizations fall short. Next, they drill down to the specific technical details such as whether the organization is updating patches, performing reviews of firewalls and data centers, and reviewing the security that third parties have in place.

This detailed approach requires ongoing collaboration and discussions with the IT and information security functions. “You can’t work without having a close relationship,” Bamji says. “That’s not to say we don’t have different points of view now and then. But we can learn from them and they can learn from us.”

That collaboration needs to extend to cybersecurity stakeholders throughout the organization. At Huntington Ingalls cybersecurity involves information security, human resources, and compliance personnel. “IT alone is not going to solve the cyber riddle,” Stabler says.

Another good practice is benchmarking cybersecurity against other organizations in the same industry or that are of the same size. Industries such as energy, financial services, and technology have information sharing and analysis centers where companies can share information about the latest information security threats and benchmark their practices against others. Moreover, the U.S. government has announced plans to create centers that encourage companies to share threat and breach information with the government in hopes of improving cybersecurity nationally. “There’s a lot of interest in hearing what other organizations are doing and ultimately using that information to better protect U.S. companies,” says PwC’s Corey, who participated in discussions about the centers at the RSA Conference in April.

Meltzer suggests another tactic: war-gaming. When a breach happens to another company, internal auditors and cybersecurity professionals should perform simulations to see how those attacks succeeded, whether a similar attack could happen to their organization, what it would have cost the organization, and whether the organization would have responded differently. “That can give you some concrete information that the board understands,” he says.

Facing the Talent Shortage

One issue CAEs are talking about with their peers is how challenging it is to hire and retain auditors with cybersecurity knowledge. “When I go to industry forums, I hear the moaning of the damned as people describe the search to find those experts,” Stabler says.

That’s a problem they share with IT executives. There are an estimated 600,000 unfilled information security jobs worldwide. Nearly half of the respondents to the ISACA/RSA Conference Security survey say 25 percent or fewer of candidates for information security jobs are highly qualified for those positions, and job openings can remain unfilled for as long as six months.

Stabler suspects he’ll be testing the waters soon, while Finstad says he’s always on the lookout for IT audit talent at Zions. Recruiting qualified IT auditors is less of a worry for Bamji at Pitney Bowes, because candidates often are attracted to working at technology companies.

While there is a shortage of candidates with advanced security skills, one of the biggest shortcomings of security professionals is business skills, Schwartz notes. This can make it hard for IT security personnel to communicate technical issues to the board and management. “There’s often a perception that there’s not a relationship between what really matters to business leaders and C-level executives and what constitutes success in the technical IT realm,” he says.

Enlisting the communication function to help translate can be of value, as the internal audit and IT functions at Pitney Bowes have done. But Schwartz says this is an area where internal audit can build a bridge between organizational leaders and the IT function. To do this, internal audit will need to find and enhance its cybersecurity knowledge.

Training and Certification

Internal audit functions can obtain cybersecurity training through webinars, seminars, and conferences. Cybersecurity is among the training auditors at Huntington Ingalls must pursue as part of their annual continuing education, which helps the department supplement the expertise of its one IT specialist. Pitney Bowes has the luxury of five IT auditors, but Bamji is now considering having all of his team members pursue IT certifications.

Recruit Cybersecurity Specialists

Internal audit departments that lack IT auditors can gain expertise by hiring cybersecurity experts and then training them in internal audit. In some cases, they may bring in experts from their organization’s IT function on a rotational basis, as Stabler is considering doing at his company.

Outsourcing/Cosourcing

Similarly, internal audit departments can bring in expertise from outside firms. This can enable them to benefit from economies of scale, as the outside advisers often possess knowledge about current threats and control strategies culled from working with other clients, Schwartz says. Organizations may assign some pieces of cybersecurity audits such as operational aspects to outside experts, while keeping more sensitive aspects in-house.

Automate

Much of the information security audit process can be very manual, involving going through logs and gathering information for analysis. Increased use of audit analytics and other technologies can streamline the work and time involved, enabling auditors to focus on their analysis, Meltzer says.

Making It Top of Mind

With security breaches becoming more common and striking bigger targets, it’s easy to think the public will become desensitized to them and the reputational risk might be diminished. “The Target breach made big news,” Meltzer says. “But will the 50th retailer to have millions of records breached still be big news?”

That still leaves the financial and operational damage from losing data and remedying security breaches. But Meltzer is optimistic that more organizations will begin to tie their cybersecurity programs to real risks and implement more effective security controls. This may enable them to detect breaches more quickly before the damage is done and perhaps even prevent future attacks.

Internal audit’s readiness to advise and provide assurance on cybersecurity isn’t likely to abate. The cyberthreats are coming from all sides, and the attackers only have to be successful once. “Don’t let down your guard,” Bamji says. “Cybersecurity has to become second nature — and not just for technology audits, but with everything we do.”

Tim McCollum is Internal Auditor’s associate managing editor.

Six Questions From the Board

The joint IIA/ISACA research report, Cybersecurity: What the Board of Directors Needs to Ask, uses the NACD’s Cyber-Risk Oversight guide as a starting point for determining what boards should be asking management and internal audit. Author Sajay Rai, CEO of Securely Yours, lists six questions:

» Does the organization use a cybersecurity framework?

» What are the organization’s top five cybersecurity risks?

» How are employees made aware of their role in cybersecurity?

» Does the organization consider external and internal threats when planning cybersecurity program activities?

» How does the organization manage information security governance?

» In the event of a serious breach, has management developed a robust response protocol?

In August, the IIA and ISACA will release a new research report, The Cyber-Resilient Enterprise: What the Board of Directors Needs to Ask.

Visit InternalAuditor.org’s “The Next Generation of Cyber Experts” to learn how today’s youth are being trained to fight tomorrow’s IT security battles.


Protecting Customer Data

With personal information at risk, internal auditors must provide assurance for the many facets that make up data security.

Michael Levy

Technology

Photo illustration: Sean Yates / Yacinski Design

More than 750 million personally identifiable records in the U.S. have been breached in the last 10 years, with more than 80 million records compromised in 2015 alone, according to the Privacy Rights Clearinghouse, a research and advocacy organization in San Diego. These incidents span a wide range of types, including malicious hacking, payment card fraud, and physical loss of assets. Customer data is defined as any data that contains personally identifiable information about a customer such as medical records, Social Security numbers, bank and credit card information, and driver’s license information.

Organizations have an inherent obligation to protect customer data. Although regulations and guidelines have been established for organizations to follow to mitigate compliance risk, the number of breaches indicates they need to be doing more (see “Key Regulations and Guidelines” on page 35). This is an opportunity for internal auditors to help their organization understand, identify, and mitigate the potential risks from both internal and external sources.

Organizational Defense

Organizations and their employees store more and more data on a wide range of media, including mobile devices and cloud-based applications. The multiple systems that may be involved increase the risk of a customer data breach. To protect data, controls and other measures need to be in place that address both internal and external threats.


Training and Education

Protecting customer data is not just an IT responsibility. Business leaders need to understand the specific business risks and ensure that everyone in the organization is trained to take appropriate actions to protect their customers’ data.

Data Encryption

Implementing encryption protocols is fundamental in protecting customer data. Organizations need to define sensitive data and then encrypt it to ensure it is safeguarded. Encryption at the individual user level can ensure that customer data is protected. Periodically, organizations should reevaluate their encryption policies to identify necessary changes in a timely manner. Moreover, they should evaluate the type of encryption in place to ensure it still protects against the latest vulnerabilities. For example, the Data Encryption Standard (DES) that was developed in the 1970s is no longer considered secure and has been replaced by Triple DES and the Advanced Encryption Standard.

Data Loss Prevention (DLP)

Organizations that house large quantities of customer data need to consider the use of DLP tools. These tools allow the IT function to automate and help prevent data loss that may come from internal and external vulnerabilities. Moreover, the tools can evaluate data in motion and disallow accidental disclosures based on pre-established policies.

Cloud Risk

In recent years cloud technologies have become central to many organizations’ operating strategies. The scalability and ease of use of cloud solutions make them an attractive choice to implement. In moving to a cloud-based solution, data security needs to be central to the decision-making process. Organizations must understand the risks that having customer data in the cloud creates and require cloud vendors to adhere to at least the same standards and level of security that are in place for the organization’s own systems. By being involved in the decision-making process from the outset, internal audit can help ensure appropriate controls are in place.

Mobile Devices

As businesses and consumers expand their use of smartphones, tablets, and other mobile devices to get work done and stay connected, data security becomes paramount. Organizations that distribute devices to their employees are able to retain control over the data to ensure its security. Organizations that have bring your own device (BYOD) policies can lower their device costs and give employees more flexibility, but ensuring data is secure is a challenge. Without the use of specialized tools, a lost or stolen device could compromise customer data. To mitigate the risk, many organizations with BYOD policies use software that prevents data from being stored on devices.

Data Logs

Organizations need to establish data logging policies around key servers and firewalls to have the ability to research security issues that arise. If a breach occurs, they need to understand the source and scale of the


34% of auditors say there is an extensive risk that a data breach would affect their business’ brand, notes The IIA Research Foundation report, Navigating Technology’s Top Risks: Internal Audit’s Role.

Key Regulations and Guidelines

A variety of regulations and frameworks are used to govern data protection and privacy. These include industry best practices that organizations should consider in developing their data protection strategy.

Government and Industry Regulations

European Union (EU) Labor and Privacy Regulations While they vary widely in scope, EU labor and privacy rules focus on an organization’s ability to monitor individuals’ information and protect their “right to be forgotten.” Organizations must ensure that data retention policies are in place so that an individual’s information can be removed upon request.

Health Insurance Portability and Accountability Act (HIPAA) HIPAA defines patient privacy and security in the health-care industry. HIPAA holds health-care providers accountable for protecting specific types of patient data they collect. The HIPAA Security Rule also establishes specific steps that need to be taken to maintain physical security, technical safeguards, access, and confidentiality for patients.

The Health Information Technology for Economic and Clinical Health Act (HITECH) HITECH was established in 2009 to provide regulation to improve health-care quality, safety, and efficiency. As part of the act, electronic health records are regulated to ensure that electronic data interchanges are secure to protect patient information.

Payment Card Industry Data Security Standard (PCI DSS) PCI DSS is intended to ensure that all organizations that process and store credit card data do so in a secure environment. This standard requires testing and validation to attest to compliance.

U.K. Information Commissioner’s Office Data Protection Principles The U.K. established this independent authority to uphold information privacy rights. The Data Protection Principles ensure that data is processed and stored fairly, for the appropriate purpose, and is retained for the appropriate period of time. Specific attributes give individuals the right to access their information, object to data, and claim compensation for damages.

Frameworks

National Institute of Standards and Technology Cybersecurity Framework This framework lays out key cybersecurity standards that need to be considered by U.S. organizations to anticipate and defend against cyberattacks. The framework has become an important step in standardizing cybersecurity principles in the U.S. and provides best practices globally.

COBIT ISACA established the COBIT framework in 1996 to formalize IT management and governance across organizations. The most recent version, COBIT 5, provides IT control objectives that data security practitioners can use to create and streamline processes and assist in protecting customer data.

In addition to these frameworks, the IIA’s Global Technology Audit Guide 15: Information Security Governance, provides guidance on auditing data security. Additionally, the 2013 update to the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control–Integrated Framework can be applied to data security.


incident. Logs are a way to identify the issue quickly and cost-effectively.

INTERNAL AUDIT'S ROLE
In addition to attesting that the organization has put these control measures in place, internal audit should review other aspects of data security.

Risk Assessment
Performing a risk assessment can help auditors understand the specific risks surrounding customer data and the technology used to access and store it. Management stakeholders within the business and IT organizations often are able to quickly identify the "pain points" in the process, which can enable internal audit to tailor its procedures to focus on the priority areas first.

Governance Strategy
One of the first questions internal auditors should ask before proceeding with any project is whether the organization has a governance strategy to support the protection of customer data. This strategy document should outline the key locations where customer data is stored, the nature of the data, and who is responsible for maintaining it.

IT Security Benchmarking Assessment
Recent high-profile data breaches have led many organizations to implement safeguards to mitigate the risk of suffering the same fate. Internal audit can add value by benchmarking current data security practices against industry standards and an established framework such as the National Institute of Standards and Technology Cybersecurity Framework. This benchmarking can enable auditors to identify gaps where the organization falls short of standards and assist the organization in developing a road map to address risk and improve data security processes.

Data Classification Policy
Data classification is the process of identifying what constitutes sensitive information within an organization and defining requirements for accessing and handling data based on the established classification. Understanding how customer data is classified, and restricting access accordingly, will assist in protecting the data. Internal auditors should assess and test this policy to validate that it is applied uniformly across the organization; the test should cover the data stores themselves, not just the policy document, since a classification protects only the data that has actually been labeled. Auditors also should ensure that the policy identifies all customer data and aligns with management's risk tolerance.

Training and Education
If the organization does not have a robust training program to educate employees about what customer data is and the steps that need to be taken to safeguard it, internal audit can recommend ways to establish such training. This training can take many forms, including a traditional classroom setting, a security awareness month contest, and Web-based learning. The topics that should be covered may depend on the organization's business environment. Some specific topics to consider include physical security, device security, passwords, phishing, hoaxes, and malware.

Key Owners
If it has not been spelled out in the organizational governance strategy, internal audit should confirm that the organization has identified its various data owners to establish accountability. Auditors should evaluate the list of owners and validate that all have a sufficient level of competence and authority. In addition, they should work with management to understand each owner's role and to validate that owners are periodically performing processes to safeguard their data.

Regulatory Compliance
Unless it is addressed by another function within the organization, the annual internal audit program should verify that the organization is in compliance with all applicable regulations, which may vary by industry and country. Regulatory bodies are taking greater interest in data security, which may result in more compliance steps for organizations.

Working Across the Business
Internal audit can make a great contribution to protecting customer data in its organization. By working across the business, internal audit can connect the dots among proposed and current strategies, the fundamental themes of regulation, and what each function must do to comply. It is in this role that internal audit can become a trusted adviser to the business and help safeguard the organization.

MICHAEL LEVY, CRMA, CISA, CISSP, is an internal audit manager with Burlington Stores Inc. in Burlington, N.J.


TECHNOLOGY

Gauge Your Analytics

By addressing people, processes, and technology, internal audit can ensure a successful data analytics initiative.

David Coderre

PHOTO ILLUSTRATION: SEAN YATES / YACINSKI DESIGN

Long a staple of internal audit, data analytics is no longer a nice-to-have, but a requirement. Internal auditors now have the ability to gain insights from, and test correlations with, a vast array of information on the Internet, which can be as diverse as competitor information, regulatory filings, and conversations on social media. Data analytics provide internal auditors with the potential to deliver oversight, insight, and foresight.

Analytics can help auditors examine the audit entity from a data-driven perspective (what does the data reveal about the audit entity?), drive understanding of the risks (what is happening?), and generate insight (why is it happening?). It also provides auditors with the ability to perform prescriptive analytics to develop recommendations to address issues, as well as predictive tools to look at what will happen and help to prepare for it. And yet, study after study has shown that the data analytics capabilities of internal audit functions consistently fall below what is desired and even what is required.

The implementation and improvement of data analytics are the most significant challenges for audit departments. Fifty-two percent of respondents identify the advancement of their data analytics capabilities as a high or very high priority for 2015, while an additional 35 percent rate it as a moderate priority, according to the Corporate Executive Board Audit Leadership Council's 2015 Audit Department Challenges and Priorities.

The key to ensuring that data analytics has the best chance of success lies in managing the people, processes, and technology aspects of the initiative.

The three are integral to any effort to develop data analytics and must be con-sidered both separately and as a whole.

PEOPLE
When it comes to people, there are several questions to address. Should each audit team be responsible for developing its own analytics capabilities, or should there be a data analytics function that supports the audit teams? Can the department afford to have one or more people dedicated to data analytics, particularly if it is a small internal audit function? Audit functions seeking to develop an analytics capability have a better chance of success if they create a separate analytics function, even if it is one person who has responsibility for supporting the audit teams in their analysis requirements. Support includes identifying data sources, obtaining and verifying the integrity of the required data, and assisting in performing the analysis. As audit functions move along the data analytics maturity curve, audit teams can take more responsibility for data analysis, and the analytics function will shift to providing complex analysis and verifying the integrity of the analysis performed by the audit teams.

With this approach, the next question should address the level and experience of the person who should be part of the analytics function. A related question is: Should an auditor be taught programming (data extraction and analysis), or should a programmer be taught to audit? Failures in this area have one thing in common — management did not assign the right person or people to the task. "The greatest success is usually achieved when there is a specialized analytics function with responsibilities dealing with the technical aspects of the audit analytics process," says John Verver, global director of analytics strategy at Denver-based High Water Advisors. Too often, a junior programmer with limited or no audit experience — addressing only the IT aspects of the job — is assigned to develop the analytics function. Given the nature of the task — dealing with business process owners, system programmers, and audit team leaders — the analytics function must be staffed at the appropriate level and with the necessary experience. The biggest hurdle is having the business process knowledge to identify the types of analytics to run. According to David Cotton, chairman of Cotton & Co., an audit and accounting firm in Alexandria, Va., there are basically two skills necessary to execute analytics: 1) business knowledge to define what analyses should be run and to be able to follow up on results; and 2) the technical skill set to obtain, cleanse, massage, and produce analysis results from the data. (See the sidebar "IT Skills Needed in an Analytics Function.")

The size of the analytics function will depend on the size of the audit function overall, as well as the analyses to be performed and the types of technical expertise and experience that are available in the audit organization. If responsibility is assigned to a single person, he or she must be, at a minimum, the equivalent of audit team leader level and must have data extraction and analysis experience as well as audit experience. This will mean hiring someone with the required skills if they do not exist in-house. As the use of data analytics increases, the analytics function can grow, adding junior levels, a career path, and mobility to the function.

The analytics function will offer a single point of contact for all technology-related requests and ensure that requests from management and team members are addressed in a timely manner. Members of this group must be visible to all auditors and knowledgeable about, and responsive to, their specific needs. At the same time, the analytics function must be proactive in recognizing opportunities for the application of data analysis and in marketing existing and new applications of technology. A common pitfall is restricting analysis to the traditional audit box. "Data analytics can be used for more than simple sampling or the audit of financial statement amounts," says Chris Pembrook, senior manager at Crawford & Associates in Oklahoma City. "It can be implemented into operational programs, grants and contributions, compliance, fraud prevention and detection, and other areas, as well."

For example, in an audit of the readiness of a U.S. Army unit for deployment on a combat mission, the audit program included interviews with soldiers and commanders at various levels to ask about readiness. The analytics specialist suggested using data analysis to determine whether all the troops had received the necessary training (e.g., nuclear-biological warfare and hand-to-hand combat), whether all the necessary equipment (e.g., tanks and personnel carriers) was operational, and whether the unit had its full complement of soldiers at all levels and occupations (e.g., privates, sergeants, demolitions experts, mechanics, and combat forces). The results provided the team leader with questions that focused on the gaps in the unit's capabilities and produced more relevant audit results than simply asking whether the unit was ready.

IT SKILLS NEEDED IN AN ANALYTICS FUNCTION
In addition to internal auditing, critical thinking, problem solving, and business acumen, the analytics function should have other IT skills:

» Understanding of data concepts (data elements, record types, database types, and data file formats).
» Understanding of logical and physical database structures.
» The ability to communicate effectively with IT and related functions to achieve efficient data acquisition and analysis.
» Ability to perform ad hoc data analysis as required to meet specific audit objectives.
» Ability to design, build, and maintain well-documented, ongoing automated data analysis routines.
» Ability to provide consultative assistance to others who are involved in applying analytics.

Only 10% of internal audit professionals globally studied computer science or IT, according to The IIA Research Foundation's CBOK report, Staying a Step Ahead: Internal Audit's Use of Technology.

To comment on this article, email the author at [email protected].

PROCESSES
Data analytics needs to be fully integrated into the internal audit process. Ensuring that data analytics are embedded in the audit process will require support from all levels, starting with the CAE. Management will have to reinforce the use of analytics, the data analytics function will have to market its services, team leaders will have to be challenged by management, and team members will have to employ analytics. The CAE should establish goals for the implementation and use of data analytics, and these should be communicated to the entire audit team. It should be clear that data analytics will support the audit planning process (examining the controls, risks, and business processes), the audit phase (testing controls, drilling down into the risks, and assessing the effectiveness of the business process), and the reporting phase. Cotton adds, "Identifying business processes, IT systems, data sources, and potential analytics should be discussed and considered not only during planning, but also throughout the engagement."

"Key in obtaining buy-in is to include auditors in identifying areas or tests that the analytics group will assist in developing for the audit," says Pembrook. Initially, it will be important to highlight success stories and educate managers and team leaders about what is possible. Improving on the traditional audit approach of sampling, auditors can benefit from the implementation of data analytics to allow for more precise identification of control deficiencies, noncompliance with policies and procedures, and areas of high risk. Pembrook says these same analytics could then be used to ensure appropriate management follow-up has occurred by elevating the identified deficiencies or implementing continuous auditing procedures in areas of higher risk.

While analytics can produce significant benefits, the inappropriate introduction of technology can also have serious negative consequences. In many audit organizations, credibility is a valued, but fragile, commodity. Internal audit must continually demonstrate the value and utility of its work by producing high-quality, timely audits in areas of high risk. The incorrect use of technology and data analysis could produce erroneous conclusions and damage the credibility of the audit organization with its clients. It also could make any subsequent attempt to use analytics more difficult.

The successful use of technology-enabled audit tools and techniques can enhance the credibility of the audit organization and provide an improved level of service. For example, with data analytics, internal audit can consider not only control weaknesses, but also opportunities to streamline business processes, maximize the organization's use of technology, and focus senior management on the areas of highest risk. Thus, rather than simply confirming that physical inventory levels match what is recorded in the system, inventory audits also should examine the efficiency of the inventory management system and the adequacy of the IT controls. One such inventory audit identified a failure to configure automatic reorder functionality that resulted in inventory clerks having to manually process reorder requests. It also identified obsolete inventory that was taking up valuable warehouse space and causing delays in getting parts to equipment that needed critical repairs. Finally, it identified economic reorder quantities that had not been updated to reflect current usage and purchase requirements.

Recommendations included the enhancement of the system's reporting capabilities to support the identification and removal of obsolete inventory, and the reconfiguring of economic reorder quantities and automatic reordering functionality, which resulted in significant improvements to the inventory management system. Rather than simply counting and confirming the number of items in inventory, the inclusion of IT audit objectives resulted in recommendations that reduced storage requirements and inventory management costs and improved the management of information to support decision-making. This, in turn, contributed to increased efficiencies in the inventory systems. The audit saved the organization hundreds of millions of dollars and was more valuable than an audit telling management that 14 widgets were missing.
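The inventory audit described above found three things a physical count alone would never have surfaced: reorder automation that was never configured, obsolete stock on the shelves, and reorder quantities out of step with current usage. The block below is an added illustration, not code from the article or from any product named in it. It runs those three tests over a whole (constructed) inventory population rather than a sample, which is the precision-over-sampling point made earlier, and it records a digest of the input and the parameters used so the run can be repeated and its result reproduced, which is the logging and repeatability advantage the article attributes to dedicated audit software over a spreadsheet. The record layout, the EOQ cost constants, the 365-day obsolescence threshold, the 25% tolerance and the sample records are all assumptions made for the example.

```python
"""Full-population inventory tests of the kind described in the article.

Added example; not the article's or any vendor's code. The record layout,
thresholds, cost constants and sample records are constructed for illustration.
"""
import hashlib
import json
import math
from dataclasses import asdict, dataclass
from datetime import date


@dataclass(frozen=True)
class Item:
    sku: str
    on_hand: int
    auto_reorder: bool      # automatic reorder functionality configured?
    reorder_qty: int        # economic reorder quantity held in the system
    annual_usage: int       # units issued over the trailing 12 months
    last_movement: date     # last receipt or issue


@dataclass(frozen=True)
class Finding:
    sku: str
    test: str
    detail: str


def economic_reorder_qty(annual_usage: int, order_cost: float = 50.0,
                         holding_cost: float = 4.0) -> int:
    """Textbook EOQ = sqrt(2 * D * S / H). The cost constants are assumed."""
    if annual_usage <= 0:
        return 0
    return round(math.sqrt(2 * annual_usage * order_cost / holding_cost))


def run_inventory_tests(items, as_of: date, obsolete_days: int = 365,
                        eoq_tolerance: float = 0.25):
    """Test every record (not a sample) for the three conditions the audit
    reported: auto-reorder not configured, obsolete stock, and a configured
    reorder quantity that no longer matches current usage."""
    findings = []
    for it in items:
        if not it.auto_reorder:
            findings.append(Finding(it.sku, "AUTO_REORDER_OFF",
                                    "reorder requests must be raised manually"))
        idle_days = (as_of - it.last_movement).days
        # Stock that has not moved in a year is taking up warehouse space;
        # an empty bin with no movement is not "obsolete inventory".
        if it.on_hand > 0 and idle_days > obsolete_days:
            findings.append(Finding(it.sku, "OBSOLETE",
                                    f"{it.on_hand} units, no movement for {idle_days} days"))
        expected = economic_reorder_qty(it.annual_usage)
        if expected and abs(it.reorder_qty - expected) > eoq_tolerance * expected:
            findings.append(Finding(it.sku, "EOQ_STALE",
                                    f"configured {it.reorder_qty}, usage implies {expected}"))
    return findings


def log_run(items, findings, **params):
    """Audit trail for the analysis itself: a digest of the population tested
    and the parameters used, so the same test can be rerun and reproduced."""
    payload = json.dumps([asdict(it) for it in items], sort_keys=True,
                         default=str).encode()
    return {
        "input_sha256": hashlib.sha256(payload).hexdigest(),
        "params": params,
        "records": len(items),
        "findings": len(findings),
    }


# Constructed sample population (not real data).
AS_OF = date(2015, 8, 1)
SAMPLE = [
    Item("A100", 40, True, 200, 1600, date(2015, 7, 30)),   # clean
    Item("B200", 15, False, 100, 400, date(2015, 7, 28)),   # reorders done by hand
    Item("C300", 500, True, 150, 0, date(2013, 2, 10)),     # dead stock on the shelf
    Item("D400", 20, True, 600, 900, date(2015, 8, 1)),     # reorder qty never updated
    Item("E500", 0, False, 50, 0, date(2014, 1, 5)),        # empty bin, so not obsolete
]

if __name__ == "__main__":
    found = run_inventory_tests(SAMPLE, AS_OF)
    for f in found:
        print(f"{f.sku:6} {f.test:17} {f.detail}")
    print(log_run(SAMPLE, found, as_of=str(AS_OF),
                  obsolete_days=365, eoq_tolerance=0.25))
```

On the sample population the routine flags B200 and E500 for manual reordering, C300 as obsolete and D400 for a stale reorder quantity; A100 passes all three tests. Rerunning it on the same extract yields the same input digest, so a reviewer can tell whether a later run with different findings was a change in the data or a change in the parameters.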

TECHNOLOGY
The most important questions surrounding technology are whether audit software should be purchased and what the cost will be. To answer these questions, internal audit needs to understand what analytics are already in place before embarking on efforts to develop its own analysis routines. "The existence of data warehouses and business intelligence (BI) tools should be investigated before deciding whether to invest in independent analytics," says Norman Marks, a San Jose, Calif.-based former CAE at major global corporations and InternalAuditor.org blogger. The organization may already be producing reports that can be adapted for audit use. Auditors should obtain read-only access to application systems and the ability to run standard reports and to access and use data warehouse and BI tools; that access should be granted through named, individually accountable accounts rather than shared credentials, so that the auditors' own activity is itself logged. If additional analytical capabilities are required, Microsoft Excel and Access can be useful in some circumstances, though with some limitations (such as the absence of an audit log and the inability to access certain types of files).

"As analytics become an integral part of the audit process and more complex, the need for a more robust software package to support data analytics increases," Cotton explains. In practice, the use of specialized audit analysis software has distinct advantages — particularly in terms of logging, repeatability of tests and efficient test design, working with large data sets, and dealing with complex data manipulation. Verver adds, "The cost of audit software is usually significantly less than the investment in resources and skills required for a successful audit analytics program." Management needs to put this in perspective and be willing to invest in the initiative.

"Any analytics initiative must quickly demonstrate a return on investment (ROI)," Marks says. Therefore, management should start with a targeted, ad hoc analytics program that will yield immediate benefits in terms of acceptance, ROI, and the development of the analytics function. At the same time, it should be clear that the initial steps are not sufficient for a robust analytics capability and that a strategy will need to be developed to improve and deploy analytic capabilities across the organization. The CAE should ensure that there is a plan to take action and measure results accurately. The organization, systems, and processes that support the analysis of the data must be able to take action with the insights that are generated.

SUSTAINABLE SUCCESS
Organizations should not expect that an individual with strong data analysis skills, armed with software and some training, will be able to drive a successful audit analytics program on his or her own. "Sustainable success in the use of audit analytics also requires leadership, strategic and tactical goal setting, audit process knowledge, team coordination, integration, and good project management," Verver adds. The skills required to remain effective in an increasingly technologically complex world must be developed, nurtured, and supported. In addition, to efficiently and effectively implement and use data analysis by all auditors with a variety of computer skills, the organization needs to develop a standard, user-friendly, integrated environment; provide specialized training and IT support; and provide ongoing encouragement.

Effective analytics requires an initial investment of time and a commitment to follow up on results. Early analytics may produce a large volume of results — including false positives — and will need to be honed and evaluated to ensure results are manageable, reliable, and can be followed up on. Because analytics take time to implement and be fully effective, Cotton says the "CAE must manage expectations of senior management as well as the internal audit function and ensure that responsibility for analytics is assigned to a champion."

The question should not be "Should we embark on developing analytic capabilities?" but "How soon can we start?" Adequately addressing the people, process, and technology aspects of the initiative will increase the likelihood of success.

DAVID CODERRE, ACDA, is an instructor at the University of Ottawa Telfer School of Management, and president of CAATS in Ontario.

Directory ofSoftware ProductS

august 201546 Internal audItor

A d v e r t i s i n g s u p p l e m e n t A d v e r t i s i n g s u p p l e m e n t

EntErprisE GrC by thomson rEutErs. Connected audit, risk, and compliance software with integrated regulatory intelligence, built to meet the needs of internal audit, internal controls, compliance, and risk management. This comprehensive audit management software includes risk assessment, planning, scheduling, documentation, preparation, review, report generation, and issue tracking with flexible deployment options: on-premises, hosted, or SaaS. Website: http://risk.thomsonreuters.com/audit.

intElEx Audits mAnAGEmEnt softwArE. With over 1 million users worldwide, Intelex’s Audits Management Software streamlines internal audit-related activities, data, and processes. Easily schedule audits, track results, automate, and assign follow-up actions and view real-time reports and dashboards of your audit data, all from within one user-friendly, Web-based application. Try it free now! Phone: +1-877-932-3747; website: www.intelex.com; email: [email protected]; link: http://bit.ly/1SiTpe7.

mAGiquE GAlilEo Audit systEm is a comprehensive and fully integrated audit management, workpaper, and issue tracking system that can be tailored to the precise needs of internal audit, investigations, or compliance departments. It includes extensive standard custom reporting facilities, personalized dashboards, and email alerts. Phone: +1-866-657-1627 (U.S. toll free), U.K. +44 (0) 207 002 1370, Australia +61 415 564 255; website: www.mag-iquegalileo.com.

mEtriCstrEAm is the market leader in enterprisewide Governance, Risk, Compliance (GRC), and Audit Solutions for global corporations and has consistently been rated as best-in-class by independent analysts. The MetricStream GRC suite includes solutions for internal audit, risk management, regulatory compliance management, quality, supplier governance, and IT GRC. Phone: +1-650-620-2955; website: www.metricstream.com; email: [email protected].

Account reconciliation

rECwisE — strEAmlininG ACCount rEConCiliAtions. RecWise improves the month-end account reconciliation process. Ensures management can assess progress and report on key issues often not captured in a manual process. Bring compliance into the equation and benefit from having a central repository for your reconciliations. Seamlessly integrate with your ERP and set reconciliations to auto- complete. Website: www.RecWise.com; email: [email protected].

Audit management ACl GrC is a powerful, easy-to-use audit management solution that offers a flexible way to manage the process of assessing risk as well as planning and organizing projects. And it’s delivered in the cloud, making it accessible from anywhere, anytime — even on your mobile device. Phone: +1-888-669-4225 (U.S. toll free); website: www.acl.com; email: [email protected].

Auditol is a comprehensive, browser-based audit management sys-tem designed by internal auditors. Each feature provides workable solutions for challenges facing audit professionals. AuditOL delivers multidimensional advantages by providing comprehensive support for the audit function. Modules include Audit and Fraud Case Man-agement, GRC, SOX, Internal Controls, Analytics, and QAR sup-port. Phone: +1-217-520-2092, +1-952-240-7077; website: www.YCNGroup.com; email: [email protected], [email protected].

Auditor AssistAnt. The McGladrey Auditor Assistant is a completely integrated audit management system that helps you conduct, review, and manage your audits more efficiently. Fully configurable features include an engagement portal/dashboard, detailed personalized risk assessment, risk-based audit planning, resource scheduling, automated workpapers, review/supervision, ad-hoc & template reports, issue tracking, and time reporting. Phone: +1-847-413-6385; website: www.mcgladrey.com/audito-rassistant; email: [email protected].

AutoAudit® by thomson rEutErs. Thomson Reuters AutoAudit takes the paperwork out of workpapers. Built on the Windows platform, the software is easy to install and easy to use with functionality for risk assessment, planning, scheduling, workpapers, reporting, issue tracking, and administration. AutoAudit is simply the most complete way to manage an audit department. Website: http://risk.thomsonreuters.com/audit.

ACL™ GRCExperience audit management in a whole new way

DIRECTORY OF SOFTWARE PRODUCTS

ADVERTISING SUPPLEMENT

MKINSIGHT™ AUDIT MANAGEMENT SOFTWARE. Fully Configurable, off-the-shelf Audit Management System, trusted by Governments and Companies worldwide. Available as a License Purchase or Subscription Service, MKinsight™ provides: Risk-based Annual Planning, Scheduling, Audit Management, Performance Reporting, Electronic Working Papers, Recommendation Tracking, Comprehensive Reporting, Time & Expenses Recording, CSA, Enterprise Risk Management, Questionnaires & Surveys. Contact Morgan Kai Ltd. Phone: +1-847-418-3898; email: [email protected].

PENTANA BY IDEAGEN. Pentana is the result of 25 years of experience in supplying systems that enable audit productivity, compliance, and excellent management information. Comprising audit best practice, risk library content, easy deployment, and a modern user interface for on and offline working, Pentana has an unrivalled pedigree in audit and risk management. See the Ideagen website for details of our other GRC software products. Phone: +1-804-363-2194; website: www.ideagenplc.com/pentana; email: [email protected].

POLICYIQ, a flexible, affordable, Web-based GRC tool, helps to bring automation to processes (certifications, assessments, questionnaires, etc.) and to more efficiently manage a wide range of GRC initiatives (risk, compliance, audit, policies, and more)! Integrity is paramount: your sales rep will see your implementation through completion (average of 4-6 weeks)! Phone: +1-866-753-1231 (U.S. toll free); website: www.policyIQ.com; email: [email protected].

PROTIVITI GOVERNANCE PORTAL. Partner with Protiviti, recognized by leading analysts for both consulting and our GRC software — the Governance Portal. The Governance Portal drives departmental efficiencies in a cost-effective manner; enhancing GRC initiatives related to audit management, compliance management, policy management, risk management, and IT governance. Phone: +1-312-476-6050; website: www.protiviti.com/grc-software; email: [email protected].

TEAMMATE’S ecosystem of solutions provides you with the confidence required to manage all aspects of risk identification and assessment, electronic working paper creation and management, controls framework management, and data analysis. Solutions include: TeamMate AM, audit management; TeamMate CM, controls management; and TeamMate Analytics, data analysis. Website: www.TeamMateSolutions.com.

Automated Workpapers

ACL GRC is a powerful, easy-to-use audit management solution that offers a flexible way to manage the process of assessing risk as well as planning and organizing projects. And it’s delivered in the cloud, making it accessible from anywhere, anytime — even on your mobile device. Phone: +1-888-669-4225 (U.S. toll free); website: www.acl.com; email: [email protected].

AUDITOL is a comprehensive, browser-based audit management system designed by internal auditors. Each feature provides workable solutions for challenges facing audit professionals. AuditOL delivers multidimensional advantages by providing comprehensive support for the audit function. Modules include Audit and Fraud Case Management, GRC, SOX, Internal Controls, Analytics, and QAR support. Phone: +1-217-520-2092, +1-952-240-7077; website: www.YCNGroup.com; email: [email protected], [email protected].

AUDITOR ASSISTANT. The McGladrey Auditor Assistant is a completely integrated audit management system that helps you conduct, review, and manage your audits more efficiently. Fully configurable features include an engagement portal/dashboard, detailed personalized risk assessment, risk-based audit planning, resource scheduling, automated workpapers, review/supervision, ad-hoc & template reports, issue tracking, and time reporting. Phone: +1-847-413-6385; website: www.mcgladrey.com/auditorassistant; email: [email protected].

AUTOAUDIT® BY THOMSON REUTERS. Thomson Reuters AutoAudit takes the paperwork out of workpapers. Built on the Windows platform, the software is easy to install and easy to use with functionality for risk assessment, planning, scheduling, workpapers, reporting, issue tracking, and administration. AutoAudit is simply the most complete way to manage an audit department. Website: http://risk.thomsonreuters.com/audit.

ENTERPRISE GRC BY THOMSON REUTERS. Connected audit, risk, and compliance software with integrated regulatory intelligence, built to meet the needs of internal audit, internal controls, compliance, and risk management. This comprehensive audit management software includes risk assessment, planning, scheduling, documentation, preparation, review, report generation, and issue tracking with flexible deployment options: on-premises, hosted, or SaaS. Website: http://risk.thomsonreuters.com/audit.

MAGIQUE GALILEO AUDIT SYSTEM is a comprehensive and fully integrated audit management, workpaper, and issue tracking system that can be tailored to the precise needs of internal audit, investigations, or compliance departments. It includes extensive standard custom reporting facilities, personalized dashboards, and email alerts. Phone: +1-866-657-1627 (U.S. toll free), U.K. +44 (0) 207 002 1370, Australia +61 415 564 255; website: www.magiquegalileo.com.

METRICSTREAM is the market leader in enterprisewide Governance, Risk, Compliance (GRC), and Audit Solutions for global corporations and has consistently been rated as best-in-class by independent analysts. The MetricStream GRC suite includes solutions for internal audit, risk management, regulatory compliance management, quality, supplier governance, and IT GRC. Phone: +1-650-620-2955; website: www.metricstream.com; email: [email protected].

MKINSIGHT™ AUDIT MANAGEMENT SOFTWARE. Fully Configurable, off-the-shelf Audit Management System, trusted by Governments and Companies worldwide. Available as a License Purchase or Subscription Service, MKinsight™ provides: Risk-based Annual Planning, Scheduling, Audit Management, Performance Reporting, Electronic Working Papers, Recommendation Tracking, Comprehensive Reporting, Time & Expenses Recording, CSA, Enterprise Risk Management, Questionnaires & Surveys. Contact Morgan Kai Ltd. Phone: +1-847-418-3898; email: [email protected].

PENTANA BY IDEAGEN. Pentana is the result of 25 years of experience in supplying systems that enable audit productivity, compliance, and excellent management information. Comprising audit best practice, risk library content, easy deployment, and a modern user interface for on and offline working, Pentana has an unrivalled pedigree in audit and risk management. See the Ideagen website for details of our other GRC software products. Phone: +1-804-363-2194; website: www.ideagenplc.com/pentana; email: [email protected].

POLICYIQ, a flexible, affordable, Web-based GRC tool, helps to bring automation to processes (certifications, assessments, questionnaires, etc.) and to more efficiently manage a wide range of GRC initiatives (risk, compliance, audit, policies, and more)! Integrity is paramount: your sales rep will see your implementation through completion (average of 4-6 weeks)! Phone: +1-866-753-1231 (U.S. toll free); website: www.policyIQ.com; email: [email protected].

PROTIVITI GOVERNANCE PORTAL. Partner with Protiviti, recognized by leading analysts for both consulting and our GRC software — the Governance Portal. The Governance Portal drives departmental efficiencies in a cost-effective manner; enhancing GRC initiatives related to audit management, compliance management, policy management, risk management, and IT governance. Phone: +1-312-476-6050; website: www.protiviti.com/grc-software; email: [email protected].

TEAMMATE’S ecosystem of solutions provides you with the confidence required to manage all aspects of risk identification and assessment, electronic working paper creation and management, controls framework management, and data analysis. Solutions include: TeamMate AM, audit management; TeamMate CM, controls management; and TeamMate Analytics, data analysis. Website: www.TeamMateSolutions.com.

Continuous Monitoring/auditing

ACL is the only software provider to integrate industry-leading data analytics into a comprehensive risk assessment, audit management, workpapers, issue tracking, and remediation workflow with powerful visualization reports. Enhance your work quality and focus on high-risk areas instead of low-value tasks with modern software, designed for the way you work. Phone: +1-888-669-4225 (U.S. toll free); website: www.acl.com; email: [email protected].

CASEWARE ANALYTICS MONITOR. Ensure prompt resolution and compliance within one platform. Monitor by CaseWare Analytics provides immediate alerts and a visual overview of the business. Outliers across multiple systems are automatically detected providing a better understanding of risks and control breakdowns. Insights gained improve business processes and prevent losses with verified recommendations. Phone: +1-800-265-4332, Ext. 2423 (U.S. toll free); website: www.casewareanalytics.com; email: [email protected].

DAB:EXPORTER. Extracting data from SAP® has never been easier. The dab:Exporter allows for high volume extractions with minimum to no impact on the SAP® system. Use the extracted data inside ACL® or the data mining tool of your liking using the SQL® database target format. More info? Website: www.dab-europe.com; email: [email protected].

DAB:FASTFORWARDS. Need ready-made data analytic solutions to analyze SAP® data? Then the dab:FastForwards are what you need. Implement them for 1 specific test of complete business cycles, for ad hoc use, or as Continuous solution (including dashboard); with over 170 analytics available, the choice is yours. More info? Website: www.dab-europe.com; email: [email protected].

METRICSTREAM is the market leader in enterprisewide Governance, Risk, Compliance (GRC), and Audit Solutions for global corporations and has consistently been rated as best-in-class by independent analysts. The MetricStream GRC suite includes solutions for internal audit, risk management, regulatory compliance management, quality, supplier governance, and IT GRC. Phone: +1-650-620-2955; website: www.metricstream.com; email: [email protected].

MKINSIGHT™ AUDIT MANAGEMENT SOFTWARE. Fully Configurable, off-the-shelf Audit Management System, trusted by Governments and Companies worldwide. Available as a License Purchase or Subscription Service, MKinsight™ provides: Risk-based Annual Planning, Scheduling, Audit Management, Performance Reporting, Electronic Working Papers, Recommendation Tracking, Comprehensive Reporting, Time & Expenses Recording, CSA, Enterprise Risk Management, Questionnaires & Surveys. Contact Morgan Kai Ltd. Phone: +1-847-418-3898; email: [email protected].

PENTANA BY IDEAGEN. Pentana is the result of 25 years of experience in supplying systems that enable audit productivity, compliance, and excellent management information. Comprising audit best practice, risk library content, easy deployment, and a modern user interface for on and offline working, Pentana has an unrivalled pedigree in audit and risk management. See the Ideagen website for details of our other GRC software products. Phone: +1-804-363-2194; website: www.ideagenplc.com/pentana; email: [email protected].

RECWISE — STREAMLINING ACCOUNT RECONCILIATIONS. RecWise improves the month-end account reconciliation process. Ensures management can assess progress and report on key issues often not captured in a manual process. Bring compliance into the equation and benefit from having a central repository for your reconciliations. Seamlessly integrate with your ERP and set reconciliations to autocomplete. Website: www.RecWise.com; email: [email protected].

Control self-assessment

ACL is the only software provider to integrate industry-leading data analytics into a comprehensive risk assessment, audit management, workpapers, issue tracking, and remediation workflow with powerful visualization reports. Enhance your work quality and focus on high-risk areas instead of low-value tasks with modern software, designed for the way you work. Phone: +1-888-669-4225 (U.S. toll free); website: www.acl.com; email: [email protected].

AUTOAUDIT® BY THOMSON REUTERS. Thomson Reuters AutoAudit takes the paperwork out of workpapers. Built on the Windows platform, the software is easy to install and easy to use with functionality for risk assessment, planning, scheduling, workpapers, reporting, issue tracking, and administration. AutoAudit is simply the most complete way to manage an audit department. Website: http://risk.thomsonreuters.com/audit.

ENTERPRISE GRC BY THOMSON REUTERS. Connected audit, risk, and compliance software with integrated regulatory intelligence, built to meet the needs of internal audit, internal controls, compliance, and risk management. This comprehensive audit management software includes risk assessment, planning, scheduling, documentation, preparation, review, report generation, and issue tracking with flexible deployment options: on-premises, hosted, or SaaS. Website: http://risk.thomsonreuters.com/audit.

MAGIQUE GALILEO ENTERPRISE RISK MANAGEMENT SYSTEM is a flexible, integrated Web system to assist organizations to quantify, assess, analyze, and report risks. In addition to the risk and control register, Magique includes questionnaires, action tracking, incident recording, appetite and KRIs, and trends. Extensive reporting options, dashboards, and alerts. Phone: +1-866-657-1627 (U.S. toll free), U.K. +44 (0) 207 002 1370, Australia +61 415 564 255; website: www.magiquegalileo.com.

MKINSIGHT™ AUDIT MANAGEMENT SOFTWARE. Fully Configurable, off-the-shelf Audit Management System, trusted by Governments and Companies worldwide. Available as a License Purchase or Subscription Service, MKinsight™ provides: Risk-based Annual Planning, Scheduling, Audit Management, Performance Reporting, Electronic Working Papers, Recommendation Tracking, Comprehensive Reporting, Time & Expenses Recording, CSA, Enterprise Risk Management, Questionnaires & Surveys. Contact Morgan Kai Ltd. Phone: +1-847-418-3898; email: [email protected].

POLICYIQ, a flexible, affordable, Web-based GRC tool, helps to bring automation to processes (certifications, assessments, questionnaires, etc.) and to more efficiently manage a wide range of GRC initiatives (risk, compliance, audit, policies, and more)! Integrity is paramount: your sales rep will see your implementation through completion (average of 4-6 weeks)! Phone: +1-866-753-1231 (U.S. toll free); website: www.policyIQ.com; email: [email protected].

PROTIVITI GOVERNANCE PORTAL. Partner with Protiviti, recognized by leading analysts for both consulting and our GRC software — the Governance Portal. The Governance Portal drives departmental efficiencies in a cost-effective manner; enhancing GRC initiatives related to audit management, compliance management, policy management, risk management, and IT governance. Phone: +1-312-476-6050; website: www.protiviti.com/grc-software; email: [email protected].

Data Analytics

ACL is the only software provider to integrate industry-leading data analytics into a comprehensive risk assessment, audit management, workpapers, issue tracking, and remediation workflow with powerful visualization reports. Enhance your work quality and focus on high-risk areas instead of low-value tasks with modern software, designed for the way you work. Phone: +1-888-669-4225 (U.S. toll free); website: www.acl.com; email: [email protected].

ACTIVEDATA is a Microsoft Excel add-in that turns Excel into a powerful audit analytics platform. Designed for non-technical auditors and accounting professionals, ActiveData delivers a comprehensive set of features at a fraction of the cost of existing data analytics solutions. Try it out for yourself. It takes less than a minute to download and install the free, fully functional 30-day trial from our website. Phone: +1-613-569-4675; website: www.informationactive.com; email: [email protected].

ARBUTUS AUDIT ANALYTICS. Technology for teams that see strong analytics as a key factor in their success. Arbutus clients have experienced how much easier and more cost-effective it is to implement and use both desktop and centralized analytics. Compatibility with other audit analysis tools makes switching both low risk and low cost. Phone: +1-877-333-6336 (U.S. toll free); website: www.ArbutusSoftware.com; email: [email protected].

AUDITOL is a comprehensive, browser-based audit management system designed by internal auditors. Each feature provides workable solutions for challenges facing audit professionals. AuditOL delivers multidimensional advantages by providing comprehensive support for the audit function. Modules include Audit and Fraud Case Management, GRC, SOX, Internal Controls, Analytics, and QAR support. Phone: +1-217-520-2092, +1-952-240-7077; website: www.YCNGroup.com; email: [email protected], [email protected].

CASEWARE ANALYTICS IDEA. IDEA® is a leading data analysis solution used by over 400,000 professionals worldwide. Embedded analytic intelligence goes beyond data discovery and brings deeper understanding to areas of interest by flagging potential business risks. The new user interface, with visualization dashboards, guides analysis with ease. Phone: +1-800-265-4332, Ext. 2423 (U.S. toll free); website: www.casewareanalytics.com; email: [email protected].

DAB:EXPORTER. Extracting data from SAP® has never been easier. The dab:Exporter allows for high volume extractions with minimum to no impact on the SAP® system. Use the extracted data inside ACL® or the data mining tool of your liking using the SQL® database target format. More info? Website: www.dab-europe.com; email: [email protected].

DAB:FASTFORWARDS. Need ready-made data analytic solutions to analyze SAP® data? Then the dab:FastForwards are what you need. Implement them for 1 specific test of complete business cycles, for ad hoc use or as Continuous solution (including dashboard); with over 170 analytics available the choice is yours. More info? Website: www.dab-europe.com; email: [email protected].

FISCAL CHECKUP. Online Vendor Management software tool that provides financial reports to assist companies in evaluating potential vendors to ensure they are financially able to fulfill their contractual obligations. Vendor pays US$495 to generate reports that help them improve their financial performance and sends a report to the requesting company. Phone: +1-844-8FISCAL (U.S. toll free); website: www.FiscalCheckUp.com; email: [email protected].

INCISIVE. Incisive provides award-winning, innovative software solutions for spreadsheet management, tracking, and risk analysis. Our software enables enterprise organizations and end users to confidently analyze spreadsheet data, highlighting risks to help detect fraud, and avoid liability, while ensuring compliance with corporate policies. Phone: +1-408-660-3090; website: www.incisive.com; email: [email protected].

INFOZOOM AUDIT ANALYTICS SOFTWARE is a unique data visualization solution, with over 100,000 users worldwide. Developed by the same organization that created MP3, InfoZoom offers internal auditors the ability to see patterns in data without scripting. Contact SoftLake Solutions to help you to visually identify patterns and find that “needle in a haystack.” Phone: Steven Pesklo, +1-612-360-0813; website: www.softlakesolutions.com; email: [email protected].

TEAMMATE’S ecosystem of solutions provides you with the confidence required to manage all aspects of risk identification and assessment, electronic working paper creation and management, controls framework management, and data analysis. Solutions include: TeamMate AM, audit management; TeamMate CM, controls management; and TeamMate Analytics, data analysis. Website: www.TeamMateSolutions.com.

Fraud detection/prevention

ACL is the only software provider to integrate industry-leading data analytics into a comprehensive risk assessment, audit management, workpapers, issue tracking, and remediation workflow with powerful visualization reports. Enhance your work quality and focus on high-risk areas instead of low-value tasks with modern software, designed for the way you work. Phone: +1-888-669-4225 (U.S. toll free); website: www.acl.com; email: [email protected].

ACTIVEDATA is a Microsoft Excel add-in that turns Excel into a powerful audit analytics platform. Designed for non-technical auditors and accounting professionals, ActiveData delivers a comprehensive set of features at a fraction of the cost of existing data analytics solutions. Try it out for yourself. It takes less than a minute to download and install the free, fully functional 30-day trial from our website. Phone: +1-613-569-4675; website: www.informationactive.com; email: [email protected].

ARBUTUS FRAUD ANALYTICS. Technology for teams that see strong analytics as a key factor in their success. Arbutus clients have experienced how much easier and more cost-effective it is to implement and use both desktop and centralized analytics. Compatibility with other audit analysis tools makes switching both low risk and low cost. Phone: +1-877-333-6336 (U.S. toll free); website: www.ArbutusSoftware.com; email: [email protected].

AUDITOL is a comprehensive, browser-based audit management system designed by internal auditors. Each feature provides workable solutions for challenges facing audit professionals. AuditOL delivers multidimensional advantages by providing comprehensive support for the audit function. Modules include Audit and Fraud Case Management, GRC, SOX, Internal Controls, Analytics, and QAR support. Phone: +1-217-520-2092, +1-217-520-2092; website: www.YCNGroup.com; email: [email protected], [email protected].

CASEWARE ANALYTICS IDEA. IDEA® is a leading data analysis solution used by over 400,000 professionals worldwide. Embedded analytic intelligence goes beyond data discovery and brings deeper understanding to areas of interest by flagging potential business risks. The new user interface, with visualization dashboards, guides analysis with ease. Phone: +1-800-265-4332, Ext. 2423 (U.S. toll free); website: www.casewareanalytics.com; email: [email protected].

PROTIVITI GOVERNANCE PORTAL. Partner with Protiviti, recognized by leading analysts for both consulting and our GRC software — the Governance Portal. The Governance Portal drives departmental efficiencies in a cost-effective manner; enhancing GRC initiatives related to audit management, compliance management, policy management, risk management, and IT governance. Phone: +1-312-476-6050; website: www.protiviti.com/grc-software; email: [email protected].

TEAMMATE’S ecosystem of solutions provides you with the confidence required to manage all aspects of risk identification and assessment, electronic working paper creation and management, controls framework management, and data analysis. Solutions include: TeamMate AM, audit management; TeamMate CM, controls management; and TeamMate Analytics, data analysis. Website: www.TeamMateSolutions.com.

GRC

ACL is the only software provider to integrate industry-leading data analytics into a comprehensive risk assessment, audit management, workpapers, issue tracking, and remediation workflow with powerful visualization reports. Enhance your work quality and focus on high-risk areas instead of low-value tasks with modern software, designed for the way you work. Phone: +1-888-669-4225 (U.S. toll free); website: www.acl.com; email: [email protected].

AUDITOL is a comprehensive, browser-based audit management system designed by internal auditors. Each feature provides workable solutions for challenges facing audit professionals. AuditOL delivers multidimensional advantages by providing comprehensive support for the audit function. Modules include Audit and Fraud Case Management, GRC, SOX, Internal Controls, Analytics, and QAR support. Phone: +1-217-520-2092, +1-952-240-7077; website: www.YCNGroup.com; email: [email protected], [email protected].

BWISE, a Nasdaq company, is a global leader in Enterprise Governance, Risk Management, and Compliance (GRC) software. The end-to-end solutions support an organization’s ability to understand, track, measure, and manage key organizational risks. BWise sales, service, and support offices around the globe provide for the GRC needs of hundreds of leading companies worldwide. For more information: Phone: +1-212-584-2260; website: www.bwise.com; email: [email protected].

ENTERPRISE GRC BY THOMSON REUTERS. Connected audit, risk, and compliance software with integrated regulatory intelligence, built to meet the needs of internal audit, internal controls, compliance, and risk management. This comprehensive audit management software includes risk assessment, planning, scheduling, documentation, preparation, review, report generation, and issue tracking with flexible deployment options: on-premises, hosted, or SaaS. Website: http://risk.thomsonreuters.com/audit.

INTELEX AUDITS MANAGEMENT SOFTWARE. With over 1 million users worldwide, Intelex’s Audits Management Software streamlines internal audit-related activities, data, and processes. Easily schedule audits, track results, automate and assign follow up actions, and view real-time reports and dashboards of your audit data all from within one user-friendly, Web-based application. Try it free now! Phone: +1-877-932-3747 (U.S. toll free); website: www.intelex.com; email: [email protected]; link: http://bit.ly/1SiTpe7.

METRICSTREAM is the market leader in enterprisewide Governance, Risk, Compliance (GRC), and Audit Solutions for global corporations and has consistently been rated as best-in-class by independent analysts. The MetricStream GRC suite includes solutions for internal audit, risk management, regulatory compliance management, quality, supplier governance, and IT GRC. Phone: +1-650-620-2955; website: www.metricstream.com; email: [email protected].

PENTANA BY IDEAGEN. Pentana is the result of 25 years of experience in supplying systems that enable audit productivity, compliance, and excellent management information. Comprising audit best practice, risk library content, easy deployment, and a modern user interface for on and offline working, Pentana has an unrivalled pedigree in audit and risk management. See the Ideagen website for details of our other GRC software products. Phone: +1-804-363-2194; website: www.ideagenplc.com/pentana; email: [email protected].


Protiviti Governance Portal. Partner with Protiviti, recog-nized by leading analysts for both consulting and our GRC soft-ware — the Governance Portal. The Governance Portal drives departmental efficiencies in a cost-effective manner; enhancing GRC initiatives related to audit management, compliance management, policy management, risk management, and IT governance. Phone: +1-312-476-6050; website: www.protiviti.com/grc-software; email: [email protected].

recWise — streamlininG account reconciliations. RecWise improves the month-end account reconciliation process. Ensures management can assess progress and report on key issues often not captured in a manual process. Bring compliance into the equation and benefit from having a central repository for your rec-onciliations. Seamlessly integrate with your ERP and set reconcilia-tions to autocomplete. Website: www.RecWise.com; email: [email protected].

internal control evaluation

acl is the only software provider to integrate industry-leading data analytics into a comprehensive risk assessment, audit management, workpapers, issue tracking, and remediation workflow with powerful visualization reports. Enhance your work quality and focus on high-risk areas instead of low-value tasks with modern software, designed for the way you work. Phone: +1-888-669-4225 (U.S. toll free); website: www.acl.com; email: [email protected].

auditor assistant. The McGladrey Auditor Assistant is a com-pletely integrated audit management system that helps you conduct, review, and manage your audits more efficiently. Fully configurable features include an engagement portal/dashboard, detailed personalized risk assessment, risk-based audit planning, resource scheduling, auto-mated workpapers, review/supervision, ad-hoc & template reports, issue tracking, and time reporting. Phone: +1-847-413-6385; website: www.mcgladrey.com/auditorassistant; email: [email protected].

autoaudit® by thomson reuters. Thomson Reuters Auto-Audit takes the paperwork out of workpapers. Built on the Windows platform, the software is easy to install and easy to use with functional-ity for risk assessment, planning, scheduling, workpapers, reporting, issue tracking, and administration. AutoAudit is simply the most com-plete way to manage an audit department. Website: http://risk.thom-sonreuters.com/audit.

enterPrise Grc by thomson reuters. Connected audit, risk, and compliance software with integrated regulatory intelligence, built to meet the needs of internal audit, internal controls, compli-ance, and risk management. This comprehensive audit management software includes risk assessment, planning, scheduling, documenta-tion, preparation, review, report generation, and issue tracking with flexible deployment options: on-premises, hosted, or SaaS. Learn more at http://risk.thomsonreuters.com/audit.

metricstream is the market leader in enterprisewide Governance, Risk, Compliance (GRC), and Audit Solutions for global corporations and has consistently been rated as best-in-class by independent analysts. The MetricStream GRC suite includes solutions for internal audit, risk management, regulatory compliance management, quality, supplier governance, and IT GRC. Phone: +1-650-620-2955; website: www.metricstream.com; email: [email protected].

MKinsight™ Audit Management Software. Fully Configurable, off-the-shelf Audit Management System, trusted by Governments and Companies worldwide. Available as a License Purchase or Subscription Service, MKinsight™ provides: Risk-based Annual Planning, Scheduling, Audit Management, Performance Reporting, Electronic Working Papers, Recommendation Tracking, Comprehensive Reporting, Time & Expenses Recording, CSA, Enterprise Risk Management, Questionnaires & Surveys. Contact Morgan Kai Ltd. Phone: +1-847-418-3898; email: [email protected].

Protiviti Governance Portal. Partner with Protiviti, recognized by leading analysts for both consulting and our GRC software — the Governance Portal. The Governance Portal drives departmental efficiencies in a cost-effective manner, enhancing GRC initiatives related to audit management, compliance management, policy management, risk management, and IT governance. Phone: +1-312-476-6050; website: www.protiviti.com/grc-software; email: [email protected].

TeamMate’s ecosystem of solutions provides you with the confidence required to manage all aspects of risk identification and assessment, electronic working paper creation and management, controls framework management, and data analysis. Solutions include: TeamMate AM, audit management; TeamMate CM, controls management; and TeamMate Analytics, data analysis. Website: www.TeamMateSolutions.com.

Risk Analysis/Management

ACL is the only software provider to integrate industry-leading data analytics into a comprehensive risk assessment, audit management, workpapers, issue tracking, and remediation workflow with powerful visualization reports. Enhance your work quality and focus on high-risk areas instead of low-value tasks with modern software, designed for the way you work. Phone: +1-888-669-4225 (U.S. toll free); website: www.acl.com; email: [email protected].

AuditOL is a comprehensive, browser-based audit management system designed by internal auditors. Each feature provides workable solutions for challenges facing audit professionals. AuditOL delivers multidimensional advantages by providing comprehensive support for the audit function. Modules include Audit and Fraud Case Management, GRC, SOX, Internal Controls, Analytics, and QAR support. Phone: +1-217-520-2092, +1-952-240-7077; website: www.YCNGroup.com; email: [email protected], [email protected].

Intelex Audits Management Software. With over 1 million users worldwide, Intelex’s Audits Management Software streamlines internal audit-related activities, data, and processes. Easily schedule audits, track results, automate and assign follow-up actions, and view real-time reports and dashboards of your audit data all from within one user-friendly, Web-based application. Try it free now! Phone: +1-877-932-3747; website: www.intelex.com; email: [email protected]; link: http://bit.ly/1SiTpe7.

Magique Galileo Enterprise Risk Management System is a flexible, integrated Web system to assist organizations to quantify, assess, analyze, and report risks. In addition to the risk and control register, Magique includes questionnaires, action tracking, incident recording, appetite and KRIs, and trends. Extensive reporting options, dashboards, and alerts. Phone: +1-866-657-1627 (U.S. toll free), U.K. +44 (0) 207 002 1370, Australia +61 415 564 255; website: www.magiquegalileo.com.

MetricStream is the market leader in enterprisewide Governance, Risk, Compliance (GRC), and Audit Solutions for global corporations and has consistently been rated as best-in-class by independent analysts. The MetricStream GRC suite includes solutions for internal audit, risk management, regulatory compliance management, quality, supplier governance, and IT GRC. Phone: +1-650-620-2955; website: www.metricstream.com; email: [email protected].

Advertising Supplement: Directory of Software Products

Incisive. Incisive provides award-winning, innovative software solutions for spreadsheet management, tracking, and risk analysis. Our software enables enterprise organizations and end users to confidently analyze spreadsheet data, highlighting risks to help detect fraud and avoid liability, while ensuring compliance with corporate policies. Phone: +1-408-660-3090; website: www.incisive.com; email: [email protected].

MetricStream is the market leader in enterprisewide Governance, Risk, Compliance (GRC), and Audit Solutions for global corporations and has consistently been rated as best-in-class by independent analysts. The MetricStream GRC suite includes solutions for internal audit, risk management, regulatory compliance management, quality, supplier governance, and IT GRC. Phone: +1-650-620-2955; website: www.metricstream.com; email: [email protected].

MKinsight™ Audit Management Software. Fully Configurable, off-the-shelf Audit Management System, trusted by Governments and Companies worldwide. Available as a License Purchase or Subscription Service, MKinsight™ provides: Risk-based Annual Planning, Scheduling, Audit Management, Performance Reporting, Electronic Working Papers, Recommendation Tracking, Comprehensive Reporting, Time & Expenses Recording, CSA, Enterprise Risk Management, Questionnaires & Surveys. Contact Morgan Kai Ltd. Phone: +1-847-418-3898; email: [email protected].

Pentana by Ideagen. Pentana is the result of 25 years of experience in supplying systems that enable audit productivity, compliance, and excellent management information. Comprising audit best practice, risk library content, easy deployment, and a modern user interface for on and offline working, Pentana has an unrivalled pedigree in audit and risk management. See the Ideagen website for details of our other GRC software products. Phone: +1-804-363-2194; website: www.ideagenplc.com/pentana; email: [email protected].

PolicyIQ, a flexible, affordable, Web-based GRC tool, helps to bring automation to processes (certifications, assessments, questionnaires, etc.) and to more efficiently manage a wide range of GRC initiatives (risk, compliance, audit, policies, and more)! Integrity is paramount: your sales rep will see your implementation through completion (average of 4-6 weeks)! Phone: +1-866-753-1231 (U.S. toll free); website: www.policyIQ.com; email: [email protected].

Protiviti Governance Portal. Partner with Protiviti, recognized by leading analysts for both consulting and our GRC software — the Governance Portal. The Governance Portal drives departmental efficiencies in a cost-effective manner, enhancing GRC initiatives related to audit management, compliance management, policy management, risk management, and IT governance. Phone: +1-312-476-6050; website: www.protiviti.com/grc-software; email: [email protected].

RecWise — Streamlining Account Reconciliations. RecWise improves the month-end account reconciliation process. Ensures management can assess progress and report on key issues often not captured in a manual process. Bring compliance into the equation and benefit from having a central repository for your reconciliations. Seamlessly integrate with your ERP and set reconciliations to auto-complete. Website: www.RecWise.com; email: [email protected].

TeamMate’s ecosystem of solutions provides you with the confidence required to manage all aspects of risk identification and assessment, electronic working paper creation and management, controls framework management, and data analysis. Solutions include: TeamMate AM, audit management; TeamMate CM, controls management; and TeamMate Analytics, data analysis. Website: www.TeamMateSolutions.com.


Sarbanes-Oxley/Compliance Management

ACL is the only software provider to integrate industry-leading data analytics into a comprehensive risk assessment, audit management, workpapers, issue tracking, and remediation workflow with powerful visualization reports. Enhance your work quality and focus on high-risk areas instead of low-value tasks with modern software, designed for the way you work. Phone: +1-888-669-4225 (U.S. toll free); website: www.acl.com; email: [email protected].

AuditOL is a comprehensive, browser-based audit management system designed by internal auditors. Each feature provides workable solutions for challenges facing audit professionals. AuditOL delivers multidimensional advantages by providing comprehensive support for the audit function. Modules include Audit and Fraud Case Management, GRC, SOX, Internal Controls, Analytics, and QAR support. Phone: +1-217-520-2092, +1-952-240-7077; website: www.YCNGroup.com; email: [email protected], [email protected].

Enterprise GRC by Thomson Reuters. Connected audit, risk, and compliance software with integrated regulatory intelligence, built to meet the needs of internal audit, internal controls, compliance, and risk management. This comprehensive audit management software includes risk assessment, planning, scheduling, documentation, preparation, review, report generation, and issue tracking with flexible deployment options: on-premises, hosted, or SaaS. Website: http://risk.thomsonreuters.com/audit.

For additional advertising information, e-mail: [email protected]; phone: +1-407-937-1109; fax: +1-407-937-1101.


Professional Practice

A New Framework for a New Age

The updated IPPF helps guide auditors through change and ever-growing challenges.

By Jane Seago

“To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.”

This is it. This is where it all starts. “This” is the Mission Statement for the internal audit profession recently approved by The IIA’s Global Board of Directors as a critical component of The Institute’s newly enhanced International Professional Practices Framework (IPPF).

“I love the IIA definition of internal auditing; it’s very inspirational, well worded, and an integral part of the IPPF — but we wanted to add something a bit more succinct,” says Bob Hirth, current chair of The Committee of Sponsoring Organizations of the Treadway Commission and senior managing director at Protiviti in San Francisco, who served as chair of the IPPF Relook Task Force. “It doesn’t take away from the definition, but it gives us something memorable we can rely on every day as it guides us in our efforts.”

The definition of the profession, long a part of the IPPF, focuses on what internal audit is; the Mission Statement reflects what the profession strives to accomplish. And that distinction, expressed in 16 words, drives the activities and objectives for the IPPF revision and enhancement project.

Why a Relook?

The impetus for the project arose when several IIA leaders were discussing the many changes that financial regulators were attaching to the work of internal auditors. These changes, plus others forthcoming, were considered likely to increase the pressure on boards to more specifically understand the important role internal auditing plays in overall good governance.

While acknowledgement of these changes started the conversation, other factors also indicated that the time had come for a new look at the guidance. Anton van Wyk, partner with PricewaterhouseCoopers LLP in Sunninghill, South Africa, and immediate past chairman of The IIA’s Global Board of Directors, explains: “The role of internal audit and the risk landscape in which we work have evolved significantly since 1999, the last time we revised the IPPF. Our guidance must meet new expectations for our profession and enable practitioners to be courageous and forward-looking in their work.”

Angela Witzany, head of Internal Audit for Sparkassen Versicherung AG, VIG, in Vienna, and senior vice chair of The IIA’s Global Board of Directors, agrees. “We knew that, if we were to remain relevant as a profession, now was the time for the project. Increased and enhanced stakeholder expectations, together with the evolving role of the internal audit function, were the driving forces to make the change.”

Core Principles for the Professional Practice of Internal Auditing

» Demonstrates integrity.
» Demonstrates competence and due professional care.
» Is objective and free from undue influence (independent).
» Aligns with the strategies, objectives, and risks of the organization.
» Is appropriately positioned and adequately resourced.
» Demonstrates quality and continuous improvement.
» Communicates effectively.
» Provides risk-based assurance.
» Is insightful, proactive, and future-focused.
» Promotes organizational improvement.

Members of the profession at large also were in favor of revisiting the guidance framework. A survey of internal auditors from 90 countries shows that, when presented with the proposed changes, 85 percent of respondents “support” or “completely support” them. With that vote of confidence and a host of useful suggestions, the task force and staff revised the draft recommendations document and presented the results to the Global Board of Directors, which approved them in March 2015. The road map for the enhancement of the IPPF was set.

80% of internal auditors worldwide say they believe or strongly believe that the new IPPF Mission correctly captures what internal audit aspires to accomplish, according to a 2014 IIA survey.

Mandatory Guidance, Core Principles

In its new form, the IPPF still consists of two layers of guidance, albeit slightly renamed. The Mandatory Guidance retains that title; the Strongly Recommended Guidance is now referred to as Recommended.

Mandatory Guidance continues to include the International Standards for the Professional Practice of Internal Auditing (Standards), the Definition of Internal Auditing, and the Code of Ethics. However, it also contains a new component: the Core Principles for the Professional Practice of Internal Auditing (see the “Core Principles” list above). Because the addition of the Core Principles may ultimately affect the Standards, The IIA’s Standards Board is conducting a gap analysis to determine whether new or revised standards are needed to better support the individual principles.

Overall, the Principles are perhaps the most obvious change to the IPPF. The task force agreed that an effort to articulate them plainly and succinctly was paramount to the project.

Hirth points to the first three principles and emphasizes the task force’s belief that, in the end, everyone benefits when individuals perform at their peak. “Of course, we want everyone to understand our firm and unwavering commitment to integrity, competence, and independence — all crucial to our effectiveness,” he says. But in terms of integrity and independence, Hirth adds, there may be instances where internal auditors are asked to avoid auditing a high-risk area or to inappropriately omit or modify a specific finding. “We have to stand our ground and stay the course,” he says. “The Principles give us great guidance on how to be effective and, if we follow them, tailored to each organization, we will be.”

Task force member Jenitha John, CAE at FirstRand Bank in Johannesburg, says the Principles serve a valuable purpose in orienting internal audit within the enterprise. “Positioning of internal audit in an organization is key if we are to demand the respect and relevance that the function deserves,” she says. “If the ‘tone at the top’ understands our value, then this will filter to the ‘tune in the middle’ and the ‘song at the bottom.’” She further emphasizes that, as reflected in the Principles, internal auditing must demonstrate that its approach aligns with the organization’s objectives, and it must direct audit efforts at the risks that matter most to the organization. “Our relevance is determined by how well we manage and respond to stakeholder expectations,” she adds.

The Principles also enhance the business-focused value of internal audit. Beatrice Ki-Zerbo, director of research for IFACI (IIA–France) and member of the IPPF Relook Task Force, adds, “These principles were implicit in the existing framework. They stress the distinctive role of internal audit as a dynamic tool anticipating governing bodies’ legitimate expectations, and an integral part of the organization and its ecosystem.”

While the Principles provide a strong basis for the Standards and the other portions of the IPPF in guiding and shaping the profession, they also serve a valuable externally facing function. “Audit committees will not read the IPPF,” notes Debi Roth, IIA director, Standards and Guidance. “The Principles and the Mission are an easy way to communicate with stakeholders, in language they will understand, exactly what internal audit seeks to accomplish.”

Recommended Guidance

The framework’s Recommended Guidance has undergone additional changes. In its revised form, this guidance segment now consists of three separate components.

Implementation Guidance

The Practice Advisories are being transitioned over the next 18 months and will be called Implementation Guidance to underscore their purpose of helping internal auditors implement the Standards. Eventually, every individual standard may be supported with an implementation guide. John points out that the shift in naming and content reflects “a view to enhancing future materials to ensure consistency in the internal audit practices around the world. Implementation Guidance is a stronger term; it reinforces standardization and alignment in our thinking as a global profession.”

Each implementation guide will discuss the work required to fulfill the specific standard, address the implementation itself (approaches and issues to take into consideration), and conclude with suggestions on how to demonstrate conformance after implementation. For example, in the new guide on governance — Implementation Guide 2110: Governance — the “Getting Started” section suggests referring to the Standards glossary and governance frameworks and models to gain an understanding of governance and typical governance processes; the implementation section outlines the number of different capacities in which internal auditors can assess and recommend ways to improve governance practices; and the final section, on demonstrating conformance with the Standards, describes different ways to evidence that conformance.

Supplemental Guidance

The existing Practice Guides and Global Technology Audit Guides are now part of the Supplemental Guidance layer. Supplemental Guidance is intended to be more specific in nature than other guidance documents, addressing topical areas and sector-specific issues, as well as detailed processes and procedures. “These guidance volumes will contribute to increased reliance on internal audit,” Ki-Zerbo says. Explaining the significance of these volumes, she compares a business to a ship on turbulent seas. “Decision makers are like skippers in the midst of a storm,” she says. “They need robust and precise information. Generic approaches are useful to develop good reflexes but concrete insight depends on in-depth analysis — the Supplemental Guidance will provide that.”

Position Papers

The IIA will continue to issue Position Papers — which help readers understand the significance of governance, risk, or control issues as they pertain to internal audit — but they will no longer be part of the IPPF. The reason for this change is that Position Papers have served primarily as stakeholder communications, not necessarily aimed at the internal audit practitioner, hence their removal from the IPPF. The existing Position Papers will be reviewed to differentiate between guidance-related and advocacy content. Both will be retained, in their own respective settings.

A Better Tool

How do these enhancements benefit internal audit professionals? Hirth points to several ways. “The succinct Mission Statement will guide us every day, the foundational Principles will allow for appropriate flexibility given the wide range of internal audit activities we have around the world, and the updated content structure will offer guidance at various levels of necessity,” he says.

There is broad agreement among members of the task force that the new IPPF will be especially helpful in explaining what internal audit is and what it does for the organization. “I was an internal auditor for 20 years and invariably, when I would tell someone what I did for a living, they assumed I was going to talk to them about their taxes,” Roth laughs. Hal Garyn, The IIA’s vice president of Professional Practices, agrees that practitioners have traditionally struggled with articulating the definition and contribution of internal audit succinctly. “The new IPPF elements of the Mission and the Principles will help clarify to boards, executives, professionals, and practitioners the role of internal audit,” he says.

IIA President and CEO Richard Chambers sums up the benefits in terms of how the job is done and how it is perceived. “To carry out their responsibilities well, internal auditors must rely on the standards guiding the profession and have confidence that those standards reflect how the profession is being practiced,” he says. “The enhancements to the IPPF are designed to strengthen internal audit’s position as an invaluable partner in business success.”

Next Steps

The Mission Statement and Principles went into effect in July, and two new implementation guides — Implementation Guide 1000: Purpose, Authority, and Responsibility; and Implementation Guide 2110: Governance — were released at the same time. These volumes are free to IIA members via The Institute’s website.

As time goes on, new and revised publications will be issued on an ongoing basis. Garyn says practitioners should watch for “continued exposures of new and revised standards to support the Principles and quarterly issuance of the new Implementation Guidance replacing existing Practice Advisories.” The existing Practice Advisories remain valid and in effect until they are sunset with the publication of a replacement implementation guide. Also upcoming: a renewed focus on both IT and financial services guidance.

Hirth applauds the work done to date, but also notes the spirit that drove the project. “What’s really foundationally important about this IPPF enhancement is that the leadership of The IIA asked the task force to challenge the status quo of our organization, with no restrictions,” he explains. Any profession that wishes to remain viable must be willing to scrutinize itself and evolve. It cannot isolate its most fundamental precepts from regular review; nor can it be reluctant to change when needed. The new IPPF aims to provide internal audit practitioners the tools they need to “enhance and protect organizational value” in an ever-changing business environment.

Jane Seago is a business and technical writer in Tulsa, Okla.


To comment on this article, email the author at jane.[email protected]

Visit our mobile app + InternalAuditor.org to watch a video overview of the newly enhanced International Professional Practices Framework.

Global Chairman of the Board

Invest in Yourself

New IIA Global Chairman of the Board Larry Harrington says internal auditors have the opportunity to create positive change in a world that is evolving at lightning speed.

Photographs by Rick Friedman

CEOs, nonexecutive directors, and business managers understand that keeping abreast of the powerful forces shaping the world is critical. They need people who have the ability to anticipate the impact of new technologies and the effects of globalization and geopolitical change on their strategies, operations, and customers. They need people who can act as change agents in their organizations, and people who can help businesses thrive — not just survive — in this fast-paced environment.

Despite the need for organizational transformation, most organizations have not increased their investment in learning to make these changes possible. Worse yet, many individuals have not stepped into this void and made their own investment in learning to become the catalysts of change. Organizations need such catalysts because not anticipating and acting on constantly developing and emerging risks can be catastrophic. How many more examples like Blackberry do we need to be convinced?

The good news is internal auditors can play a pivotal role in meeting these challenges and transforming their organizations. Auditors cut across all of the business’ operations. They look at processes end-to-end, understand what is happening in the different regions and business groups, and provide unique insight to the board and executive team to help anticipate risk and its primary, secondary, and tertiary effects. Looking forward at how these influences impact and shape corporate strategies, communicating the internal audit perspective to the board, and having the resources and skills to help manage the organization’s response to such risk is of essential value. Understood from this perspective, internal audit is an engine for innovation and business improvement.

But we are only as good as people think our profession is, thus we must work both on our competencies and our brand. That is why the theme for my year as global chairman of the board is “Invest in Yourself.”

Work on Your Brand

In my experience, people achieve the most if they think of themselves as a brand and invest in improving and promoting that brand. This perspective can help them understand how to develop and project the right executive image, focus on the competencies they need, and seek out and participate in the training, education, and peer networks to support their progress. Internal auditors must master the skills that will make them indispensable, and whether their organizations provide them with the resources or the time to do so, they must be willing to invest their own time and money to achieve that goal (see “My Personal Brand” below).

Yet studies show auditors do not always step up to the plate. In The IIA Research Foundation’s recent Common Body of Knowledge (CBOK) global survey of the profession, this is evident in the fact that too many audit departments do not consult with stakeholders in audit planning, execution, and evaluation. Too few link their auditing to the business’ strategic objectives. And many fail to audit those areas — such as cyber-risk and social media — at the top of the corporate worry list. These failings erode internal audit’s credibility and damage the profession’s brand. Auditors must develop or cosource skills to audit those high-risk areas with authority.

Take the Initiative

Some departments may not have the status within their organizations to

An Investment in You

Internal auditors can invest in themselves through:

» Deeper understanding of, and conformance with, the International Standards for the Professional Practice of Internal Auditing.
» Learning and development opportunities.
» Certification and qualification.
» Research and educational products.
» Networking and relationship building at conferences.
» Advocating and communicating the value of the internal audit profession.
» Volunteering in local chapters, institutes, and committees.
» Contributing to academic and educational programs through donations.

To commenT on this article, email the author at [email protected]

Page 63: CyberseCurity - IIA Indonesiaiia-indonesia.org/wp-content/uploads/Majalah-IA-Agustus-2015.compressed.pdf · CyberseCurity Boards are turning to internal audit for assurance on the

August 2015 61Internal audItor

“CAEs must have the courage to discuss with management and the board what executive support and financial resources they need to address critical risks.”

My Personal Brand

Invest in yourself” dates back to around 1990 when I became Cae at the insurance company, aetna. I started collaborating with people in human resources,

sales, and other areas outside of internal audit and listening to the challenges they faced within their busi-nesses. It struck me that to really help the people I was auditing, I would need to learn much more about these functions. Gaining this knowledge also would help me build my personal brand and that of my team.

at that time, I came across a book by the motiva-tional speaker anthony robbins, Awaken the Giant Within. I read the book and then began investing my own money to take several of robbins’ programs. The book aligned with my thinking about seeing myself as a brand and building personal strategic, financial, and business plans based on my aspirations. What I really liked about robbins’ approach was that he focused not just on what I might want to become, but also on how to get me out of my comfort zone.

I later organized a three-day program with robbins’ company for my 140-person internal audit team at aetna. on the last day, the theme from the movie rocky blasted from the auditorium’s sound system as the team gathered in circles to karate chop their way through single wooden boards. The tension built as first one, and then another chopped their way to success. When it was my turn, the motivator said that because I was the leader, I had to smash through two boards, rather than a single board. If you have the right music playing in your head, you can achieve anything, the coach told me.

I was scared of failure but, at the same time, inspired by the coach’s words of encouragement. I successfully smashed the boards. What I took away from the experi-

ence was that coaches can help you have truly breakthrough thinking if you welcome them, listen to what they say, and execute.

shortly after, the Ceo of aetna requested I transfer to the role of vice president of Human resources to transform the function, making it leaner and more efficient. after that assignment, I was asked to take on another troubleshooting role in the business’ Health operations department. I then returned to my passion of internal auditing, leveraging my aetna experi-ences to a successful internal audit leadership role at raytheon.

I was proud to be able to use my internal audit skills to transform these businesses. Thinking outside the box, leaning outside the organization, and working with people to create positive change for both them person-ally and for the business came directly out of the personal investment I’d made in my career as an internal auditor and has been critical to my suc-cess since returning to internal audit.

operate at the highest level. Others may lack the resources and skills to meet the increasing demands of regulatory com-pliance in addition to anticipating the shifting risks emerging from the techno-logical landscape. But CAEs must have the courage to discuss with manage-ment and the board what executive sup-port and financial resources they need to address critical risks. While these conversations may be difficult, they are crucial for organizations to understand how well internal audit is equipped to fulfill its mission and its potential.

Unfortunately, organizations are struggling to fill high-paying internal audit posts because they cannot find people with the right skills and atti-tude. In part, this situation has come about because too many internal audit departments underinvest in the skills and proficiencies that can take their staff to the next level. Globally, six in 10 audit departments’ training and development programs are poorly implemented. The CBOK survey shows deficiencies in training auditors to understand their industry sectors,

Page 64: CyberseCurity - IIA Indonesiaiia-indonesia.org/wp-content/uploads/Majalah-IA-Agustus-2015.compressed.pdf · CyberseCurity Boards are turning to internal audit for assurance on the

August 2015

INVEST IN YOURSELF

Leveraging the Profession gLobaLLy

While the iia has been successful in advocating the internal audit message to government, regulators, businesses, and many other stakeholders, the institute wants to increase its focus on its 180,000 global members. Currently, approxi-

mately 20 percent of the membership actively engages with its training, networking, and career-building initiatives. We want to persuade this group to invest more in itself, and we want to reach the 80 percent who are less active, or not participating at all.

We can think about the profession, about raising the image and brand of internal audit, but it has to be personal. We need to motivate, engage, and inspire all of the iia’s members

to think positively about their role, what they provide to their organizations, and about themselves as audi-tors. the process of thinking about how to reach out in this direction started at an iia global Council meeting in China in april. now, we need iia leaders in each of the north american chapters and institutes around the globe — about 267 groups — to brainstorm and create strategies for best reaching the 80 percent and to freely share those ideas that are successful.

one strand of this strategy is to roll out the iia’s Career Map around the globe. the program allows

auditors to self-assess their competencies against a set created by the iia at their level, and create a gap plan and a learning plan to help them get to the next level. another is to increase the variety of support available. for example, the iia has created a new risk exchange forum. the institute is going to be an even greater resource for internal auditors looking to leverage each other.

further, the iia is working to enable institutes to work together more efficiently (the same with chapters). at present, several institutes may be working on the same problem at the same time around the globe, but they do not always collaborate. the iia is planning to enhance its virtual tools in this area so that institutes can work together to produce a common solution to issues that can then be customized to suit local regulatory or cultural conditions. We are trying to leverage the profession globally in terms of best practice, without saying one size fits all. We want to cut out duplication, but also produce better solutions to serve members by bringing together the best minds from around the world to address these problems.

Visit our mobile app + internalauditor.org to see a video of larry Harrington discussing his chairman’s theme, “invest in Yourself.”

Page 65: CyberseCurity - IIA Indonesiaiia-indonesia.org/wp-content/uploads/Majalah-IA-Agustus-2015.compressed.pdf · CyberseCurity Boards are turning to internal audit for assurance on the

August 2015 63Internal audItor

“Internal auditors who are lifelong learners, who build the right personal and professional brand, can become indispensable to their organizations and enjoy a career in which they make a real difference.”

improve their leadership and com-munication skills, and, in some cases, learn basic audit techniques.

In addition, most individual audi-tors have not increased their personal investments in learning, as CBOK shows most internal auditors only invest 40 or fewer hours in training — the same as 10 years ago. Has the pace at which the world is changing really not altered since then? Can anyone today remain indispensable to their organiza-tions, their profession, or themselves with just 40 hours of training a year?

I believe the answer is “no,” which is why my theme of “invest in yourself” is so important today. Internal auditors who are lifelong learners, who build the right personal and professional brand, can become indispensable to their organizations and enjoy a career in which they can make a real difference. To help support this approach, The IIA is strengthening its suite of tools and peer-group networks so that it can bet-ter fulfill its role as the primary resource for helping internal auditors achieve their career ambitions and for helping their organizations flourish (see “Lever-aging the Profession Globally” on page 62). As well as taking full advantage of these tools, internal auditors also will need to take the initiative to seek out career coaching and read business books

on leadership and motivation. Internal auditors who embark down this path will be energized by the results.

Proof of ConCePtEleven years ago, the global defense and security company Raytheon hired me to insource a previously outsourced audit department. The first thing I did was establish a simple vision for internal audit: Create positive change with a sense of urgency. Internal audit could clearly communicate this vision to every prospective team member and to everyone in the business; it became a benchmark for our success.

The process of building a positive brand with the right skills, knowledge, and credibility to help management and the board deal with the complex global risks our industry and business faced started with investment in the internal audit department. We strove to create an environment where every internal auditor felt recognized, rewarded, and challenged. We gave team members the support to stretch themselves and suc-ceed. We ensured that staff learned com-munication skills, went to leadership programs, interacted with senior man-agement at an early stage in their careers, and traveled to the company’s overseas operations. We set up quarterly reward and recognition systems. We increased our investment in training, too. We required everyone to pass the CIA exam, and when they succeeded, they received an immediate pay increase. We provide our auditors with about 200 hours of annual training and ask them to match that with their own time. We only hired team members who understood the personal commitment to creating posi-tive change with a sense of urgency. The proof of concept is reflected in the num-ber of audits requested by customers, the customer feedback on the quality of audit work, and the success in people moving from internal audit to the busi-ness and vice versa.

We also encourage internal auditors to participate in companywide initia-tives, such as the Diversity and Inclu-sion program. People in the broader business meet our team members as regular employees first, auditors second. This has helped break down the nega-tive misconceptions those outside the profession can have about auditors. It also has educated our auditors about the challenges other parts of the business face, and has given them leadership and training opportunities outside of their internal audit work. These activities have helped create the impression in the busi-ness that internal audit is the best place in the organization to work. There is a waiting list of internal candidates who want to join internal audit, and many of our staff are promoted to posts elsewhere in the business.

Make a DifferenCeThe ability of Raytheon’s internal audit team to meet today’s challenges is based on the personal investment and commitment each team member has made in his or her own career. During my year as chair, I ask every internal auditor to make a commit-ment to improve those aspects of their skills, competencies, or qualifications where they think they can make the most difference to themselves and their organizations. I ask team lead-ers to improve the environment and opportunities for their internal audit staff. I ask every internal auditor to take action by investing in their pro-fession and The IIA’s ongoing, global efforts to advance internal audit’s value. And I ask people to write to me and tell me about their best efforts and successes. By each of us working hard to improve our personal brands, we can help transform the profession.

Larry Harrington, Cia, CrMa,

QiaL, CPa, is vice president of Internal

Audit for Raytheon Co. in Waltham, Mass.


Marketing Internal Audit

5 Steps to Marketing Your Audit Department

The process of developing a value proposition will help internal audit better understand and communicate its worth.

J. Michael Jacka

Marketing the internal audit department can have an important impact on the department’s success by delivering the message that internal audit is a partner with the business and a source of great value to all its clients. While some audit departments think marketing is nothing more than handing out brochures at the opening meetings, others have taken a more robust approach, embedding the concepts of marketing in many aspects of their interactions with clients. But the one thing missing in most marketing approaches is a definitive statement of why customers should turn to internal audit. The development of a value proposition will fill that gap, provide a foundation for articulating that value, and ensure everyone in the department delivers a consistent message in all situations.

What Is a Value Proposition?

Value propositions are statements of how the goods or services delivered by an organization or function will resonate with target customers. They are created after analyzing the goods or services being sold, the customers who are being served, and the competitive marketplace, resulting in a clear statement about why an individual or organization would benefit from buying or using a product, service, or solution.

Many audit departments have considered the value they provide, but few have taken the steps necessary to craft a message for their stakeholders that can be consistently delivered by everyone in the department. Accordingly, the message, when it is actually delivered, is often unfocused and disjointed.

The internal audit department can better articulate that value through the development of a value proposition. In addition, the process enables the department to learn more about the services it provides and the clients it serves.

Marketing internal audit internally ranks in the top 5 priorities for CAEs and internal audit professionals, according to Protiviti’s 2015 Internal Audit Capabilities and Needs Survey.

1 Know Your Customers

It all begins by identifying internal audit’s potential clients. Executives, the board, the audit committee, and organizational management quickly come to mind, but the department also needs to recognize the many other people from within the organization who rely on or use internal audit’s work — departments such as compliance, risk management, quality assurance, and legal. In addition, potential external clients — such as regulators, external auditors, and even the organization’s customers — also should be included.

Next, determine what these clients need, what problems they are trying to solve, and what improvements they are looking for. This approach helps internal audit better understand the business’ perspective, and begins the aligning of internal audit services with the client’s needs.

When doing this analysis, remember that internal audit’s clients do not work with the department because of the service provided, but rather because of the outcome of that service. Internal audit often thinks in terms of the assurance its clients need. However, executives and board members might say they are looking to ensure the organization’s strategic objectives are being achieved, assurance providers might say they are looking for mitigation of risks in their area of specialization, and regulators might say they are looking to protect the public. Couching client needs in the clients’ terms helps align internal audit’s services with the clients’ actual needs.

These are just some ideas of what internal audit’s clients may perceive as value. The real answers will only be discovered by holding discussions with as many of internal audit’s clients as possible — discussions about what they value and what they need. Internal audit may face the challenge of getting clients to think beyond their preconceived notions about internal audit. To understand those clients’ needs, internal audit must get clients thinking beyond the restrictions they may be placing on the department.

As this analysis is completed, internal audit should identify its target clients — those that will receive the primary benefits of internal audit’s services. For example, while important to the work internal audit does, the organization’s customers are seldom a target client for the department. Nonetheless, all work ultimately affects them, so the organization’s customers cannot be forgotten. Similarly, no potential client should ever be entirely dismissed.

2 Know What You Deliver

The evaluation of clients may also provide internal audit its first recognition of the broad range of services that it delivers. Good internal audit departments do more than just complete audits. They have a wide range of options available that add value to their clients. An approach used by one group was to focus on how the audit department would respond to various identified risks. Its selection of responses included conducting an assurance review, performing process analysis, completing a consulting project, providing training, and conducting data research. The auditors also recognized that, for some risks, they would rely on assurance provided by others, ignore the risk, or work together with others in an integrated assurance approach. By identifying the various responses, they better understood the services they provided and could tailor their response to match client needs.

Once the internal audit department has identified the various services it offers, it should evaluate how well these match what the client needs, which should include these questions:

» Is the result of the service what clients want and, if not, how might the service need to change?
» Do the clients understand what they need?
» Do clients understand the value received when unrecognized needs are met?
» Overall, does the service provide the client value identified in the previous step?
» Is additional education necessary?
» What are the benefits to the client of engaging internal audit?

From this analysis, the department can begin ensuring alignment between client needs and existing services, and further identify areas where provided services may need to change. It also will lay the foundation for the message to be delivered to the clients.

3 Know Your Competitors

Internal audit departments seldom think in terms of “competitors.” However, auditors need to recognize that others — inside and outside the organization — provide similar services and are, effectively, competitors. Internal audit should identify those competitors to understand what differentiates internal audit’s services and articulate if and why internal audit is a better solution.

None of this is meant to suggest that internal audit does not also partner with these people, working closely toward mutual goals. But, in analyzing how to better meet client needs, internal audit has to understand where others might provide similar services, and determine whether and how internal audit can excel in providing those services.

As noted, there are two sources of competitors: those that are internal to the organization and those that are external. Internally, almost everyone within the organization might be considered a potential competitor because every department can provide some type of consulting service. Assurance providers in particular — such as compliance, risk management, and quality assurance — are potential competitors because their responsibilities include providing assurance to the board, executive management, and other leaders within the organization — a role similar to internal audit’s.

From the external perspective, internal audit faces competition from several sources — the most impactful being external auditors and outside consultants. These groups have their expertise and are instrumental to the success of the organization. But internal audit must recognize where the value provided by external competitors ends and internal audit’s value might begin.

As each competitor is identified, its strengths and weaknesses should be analyzed. This will help internal audit identify areas it needs to strengthen, as well as recognize services it no longer should be supplying. It will also allow internal audit to identify areas where unsuspected value might be provided.

The purpose of the internal audit profession is not to be all things to everyone; it is to provide those services that deliver the most value. But internal audit also should want to ensure all niches of expertise have been identified. And this is where the department will begin to understand what differentiates it from its competitors.

4 Know Why You Are the Solution

The value proposition is based on the intersection of what internal audit’s clients need (resonance) and what the department provides better than its competitors (differentiation). Without resonance, the client will not see the services as important enough to be considered. Without differentiation, the client believes it can do without the service or find a cheaper solution.

Resonance and differentiation define why internal audit is the best solution for those clients. For most internal auditors, clients are looking for ways they can better achieve their objectives and assurance that the processes in place help achieve those objectives. Internal audit’s assurance and consulting work is a solution for this need — resonance. Differentiation for internal audit includes independence and objectivity; the department’s understanding of the business; the relationships internal audit has developed with key stakeholders; and the understanding of risk, risk


assessment, and the balancing of risks through appropriate mitigation. These differentiators allow internal audit to stand out from the competition.

Recognition of resonance and differentiation begins in earlier steps, and the process of bringing it all together may not take much time — the information and the understanding are already there. However, this portion of the value proposition should not be ignored. It is the bridge between understanding and articulating.

5 Know How to Express Your Value

The trickiest part is developing the actual value proposition and how it will be marketed to clients. The process involves taking all the information that has been gathered — the clients, the services, the competitors, the resonances, the differentiators — and pulling it together into a format that allows all to understand why internal audit is the correct solution.

Several approaches can be used. One audit department had success by holding brainstorming sessions with the entire audit department. This included walking through the process described earlier, and then developing potential value propositions. This information was then brought together, and internal audit leadership used it to develop the final value proposition.

Another way to kick-start the discussion is to use a fill-in-the-blank approach. “For [target clients] who are dissatisfied with [current alternatives] our service is a [service] that provides [key problem-solving capability] unlike [the alternative].” This might result in the rough statement, “For executives who are dissatisfied with internal reviews that provide information but no solutions, our product is a comprehensive analysis of processes completed in conjunction with the process-owner that provides impact-focused solutions built in conjunction with the process owner unlike external reviews that just point out the flaws.” This is far from a finished product, but it provides a solid starting point based on information gathered in previous steps.

There are also many formats for the final value proposition. A generally used approach is to start with a heading-like statement — one short, easy-to-remember sentence — that focuses on the end benefit of the service. This is followed with subheadings — two to four sentences explaining what is offered, which clients will benefit, and why the service is useful. The final section is composed of two or more paragraphs that provide additional detail that fleshes out the previous headings.

Throughout the process, it may be evident that marketing is not an expertise that resides within the internal audit department. However, most departments work within organizations that have a marketing department they can turn to for help — specifically in developing the value proposition, but often in the entire process itself. In addition, it is an opportunity to build a stronger relationship with a department that is often not a part of internal audit’s scope.

Then What?

Development of the value proposition is not the final chapter of the story. Everyone within the department must understand what the statement says, what it means, and how he or she can deliver it. Best practice is to have a marketing strategy — an approach to how everyone within internal audit should use the value proposition in every aspect of his or her work. This should include how it will be incorporated in audits, meetings, conversations, social activities, and every touch point internal auditors have with their clients. It is not about spouting the statement at every opportunity; it is about understanding and believing the statement to the point where it is naturally infused throughout the audit process.

Today, with the increased focus on governance, risk, and compliance, many internal audit departments find the services they provided now being handled by other departments within the organization. In many situations, these may be the appropriate responses. However, for internal audit departments that want to maintain their status within the organization, they must understand their value and be able to articulate that value to all potential clients.

A proactive approach, including the development of a value proposition, will not only stave off these problems, but will also instill pride in the members of the internal audit function, reinforcing that they are valued members of the organization’s leadership team.

J. Michael Jacka, CIA, CPCU, CFE, CPA, is cofounder and chief creative pilot for Flying Pig Audit, Consulting, and Training Services in Phoenix.

To comment on this article, email the author at [email protected]


Page 73: CyberseCurity - IIA Indonesiaiia-indonesia.org/wp-content/uploads/Majalah-IA-Agustus-2015.compressed.pdf · CyberseCurity Boards are turning to internal audit for assurance on the

Governance Perspectives

Read more on governance: visit the “Marks on Governance” blog at internalauditor.org/norman-marks

By Andrea Dorsey, edited by Mark Brinkley

Organizations miss out on adding value when they practice “check the box” compliance.

COSO 2013: The Path Forward

With all the white papers, webinars, guidance, and consultants ready to assist, why did some companies still fail to gain value from the 2014 transition to The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2013 Internal Control–Integrated Framework?

First, far too many companies appear to have treated it as another “check the box” exercise required for U.S. Sarbanes-Oxley Act of 2002 Section 404 compliance. The level of effort to remedy identified gaps to the framework was in line with the typical response to Sarbanes-Oxley — do the minimum to get by and justify coverage of a principle. But this meant that many did not consider the real purpose of the principles in the new framework. And for these organizations, the level of effort required to make the transition generally bore a high number of deficiencies and a greater lift for remediation, driving up the cost of compliance.

Next, the timing of COSO 2013 was unfortunate, coming at a time when the focus on documentation detail was significantly increasing because of the somewhat negative results that appeared in the external auditor U.S. Public Company Accounting Oversight Board (PCAOB) inspection reports. Sarbanes-Oxley requirements were already increasing with a focus on management review controls and information produced by each entity; the COSO 2013 transition just added another item to companies’ already full plates.

Finally, guidance from some external auditors that the transition wasn’t required in 2014 created confusion in the marketplace. COSO, itself, stated that it no longer supports the 1992 framework. As reported by Audit Analytics, a strong majority of organizations adopted the revised framework on time, with a handful of early adopters. The Sarbanes-Oxley Section 404b reporting through April 28, 2015, identified an adoption rate of 83 percent. But that means that 17 percent of organizations did not make the transition. This is a strong indicator that the guidance was unclear. The mixed signals likely caused organizations to take a tempered approach to the transition, focusing primarily on the points considered significant by their auditors.

There is still time in 2015 to make up for last year’s missed opportunities. COSO 2013 is an opportunity for management to take a fresh look at internal controls and for organizations to dig deeper and consider a broader range of information when evaluating the internal control structure.

You know you have a great internal audit team. Are they perfect? No. But they are there for you — day in, day out. When challenges arise, they have your back.

And now is your opportunity to have theirs. Thank them for their hard work and show them that you are as committed to their professional development as they are. Because let’s face it — when your team shines, you shine.

Are you ready to shine?

Contact us today and let us help develop your plan to enhance your team’s performance through in-house training. Our consultants will work with you to understand your business, your people, and the learning outcomes you want to achieve.

+1-407-937-1388 ■ [email protected] ■ www.theiia.org/onsite

You’re only as good as your team.

Many Fortune 500 companies count on The IIA’s On-site Training to develop their team’s skills. Join them today!

Insights/Governance Perspectives. To comment on this article, email the author at [email protected]

Two key lessons often prove to be of value to organizations implementing COSO 2013. First, many companies did not have a formal fraud risk assessment process, and, second, many had not considered the implications of service organizations to the extent required by COSO 2013. Sufficiently addressing these areas to fully meet the principles can provide value beyond Sarbanes-Oxley compliance.

Conduct a substantive fraud risk assessment. In the past, many organizations integrated fraud risk into the evaluation of other controls. Today, per COSO, the adequacy of anti-fraud controls is specifically assessed as part of the evaluation of the control activities related to identified fraud risks. Companies that identify a gap related to the fraud risk assessment and work to implement a robust assessment take away an increased focus on potential fraud scenarios specific to their organizations. Many companies have implemented new processes, including facilitated sessions with management, that allow executives to consider fraud in new ways. The fraud risk assessment also has raised management’s awareness of opportunities for fraud outside its areas of responsibility.

Take a broader view of outsourced processes. The blurred line of responsibility between an entity’s internal control system and that of an outsourced provider creates a need for more rigorous controls over communication between parties. Previously, many companies looked to contracts, service-level agreements, and service organization reports as their approach to managing service organizations. However, those who fully consider the COSO framework in this area realize there may be additional gaps. Specifically, they need to focus on the service providers’ processes and tone at the top. Implementing these additional areas of focus can increase visibility into the vendor’s performance and internal control structure.

As guidance from the PCAOB and external auditors evolves and the new “normal” for Sarbanes-Oxley Section 404 compliance is established, it is clear that COSO 2013 is the path forward. Those now implementing the framework, or those who simply checked the box in 2014, should consider the value of placing additional focus in select areas. For those who drive their efforts in the right areas, the cost of compliance will be tempered with the value gained from increasing management control awareness.

Andrea Dorsey, CIA, is an associate director with Protiviti Inc. in Overland Park, Kan.

SuperStrategies 2015: Audit Best Practices Conference & Expo

November 3-5, 2015 | Planet Hollywood Resort & Casino | Las Vegas, NV | Workshops November 5 & 6

Let’s work together to better the internal audit profession.

Register by 8/21 for the best rates!

www.misti.com/superstrategies

Association Sponsor


Do you suffer from a lack of specialized healthcare internal audit knowledge and resources? We have the remedy ... AHIA membership.

The Association of Healthcare Internal Auditors (AHIA) is a well-established and rapidly growing network of experienced healthcare internal audit professionals who come together to share tools, knowledge and insight on how to assess and evaluate risk within a complex and dynamic healthcare environment. Through our highly regarded annual conference and other educational events, online tools, professional guidance and networking, and award-winning publication, New Perspectives, AHIA helps elevate and advance the internal audit function to be an authoritative voice and strategic partner within healthcare.

AHIA membership offers:

• High-quality, year-round EDUCATION opportunities with:

• Over 20 CPE credits offered through our complimentary webinar series

• Dozens of additional CPE credits, at incredible discounted member rates, delivered through: Annual Conference, Regional Seminars, Webinars, CAE/Audit Roundtables, Tech Talk, and the EHR Auditor User Group (currently focusing on the Epic system)

• Valuable NETWORK of subject matter leadership, focused on Revenue Cycle, Compliance, IT/Security, Clinical Quality/Specialty, Health Plan Knowledge and General Audit Management; reachable through interactive online collaboration vehicles and in-person events

• Reference and Benchmarking RESOURCES, including an award-winning peer-reviewed New Perspectives Journal, an online reference library and more

SPECIAL OFFERS!

Join AHIA as a new member by October 1, 2015 using special access code IIA20152, and you will receive a $25.00 AHIA gift certificate* valid for use on the purchase of webinars, regional seminars, Annual Conference registration or membership dues renewal.

Complimentary issue of AHIA’s New Perspectives Journal: Contact us at [email protected] to request your complimentary issue of our award-winning journal and sample one of our many membership benefits. Reference code IIANP2 in your correspondence.

*Offer valid through October 1, 2015 and is non-transferrable. Offer not valid for existing member renewals. Gift certificate not redeemable for cash.

Visit www.ahia.org for more information and contact us at [email protected] or 888-ASK-AHIA with questions.


By J. Michael Jacka

Read Mike Jacka’s blog: visit internalauditor.org/mike-jacka

Insights/The Mind of Jacka. To comment on this article, email the author at [email protected]

Many internal auditors are still clinging to outmoded, gotcha-style auditing.

Obsolete Thinking

I met an auditor who preferred the term auditee. She asked me, “Why does everyone keep calling them customers?” I explained that the term better represented the relationships we strive to build — using the word customer helps emphasize that we work together to build stronger operations and organizations. I also pointed out that client was actually the preferred descriptor, though she was unwilling to accept it. She then said, “We are doing an audit of their operations; we are the auditors and they are the auditees.”

I met two auditors who thought their job was to find errors and mistakes. They explained that the purpose of their audits was to find what the client was doing wrong. I tried to clarify: “You don’t literally write that as the purpose in the audit report, do you?” They insisted that they did.

I met an auditor who did not want to do anything beyond compliance work. He failed to see how areas such as risk identification and process improvement fell within internal audit’s purview. He said that we helped the organization best by ensuring compliance with laws, regulations, and procedures, and that any other activities were a waste of time.

I met an auditor who did not want to talk to people. He believed that the ability to review documentation online, share all necessary documents electronically, and use email for communication meant we did not need to waste our time on person-to-person interaction.

Of course, most of my encounters with practitioners have not been nearly this bad. I have met auditors who keep current with internal audit trends and practices; who attend conferences, seminars, meetings, and online training; who see how internal audit has grown; and who recognize the profession’s increasing potential. But I have also met auditors who still think in terms of auditees, who still have the “gotcha” mentality, who still think we work crouched over desks wearing green eyeshades while scribbling out reports with quill and papyrus, and who still bayonet the wounded.

Meeting these individuals reminds me that some practitioners are still living in the past. Accordingly, we need to be cautious when making assumptions about other auditors and the effect they may have had on our profession. We also need to talk constantly about the value we can provide because we never know what messages were delivered in the past.

I once heard someone say that, when you see a group of people who claim to be pushing a train forward, make sure the train isn’t just dragging them along. The professionals around you are either driving the train or being dragged along by it. Make sure you know which is which and how these individuals may be affecting the relationships you have within the department and within the organization.

J. Michael Jacka, CIA, CPCU, CFE, CPA, is cofounder and chief creative pilot for Flying Pig Audit, Consulting, and Training Services in Phoenix.


Take the Lead. Effective Business Resilience is more than a thorough response to unexpected events. It’s taking the lead, preparing more effectively than the competition, and responding before your competitors. Creating a culture of increased resilience by integrating best practices and stress testing internal controls ensures your internal audit function can assist in shielding your organization from threats, protect the continuity of your operation, and keep you one step ahead.

Will you lead or follow after a disaster?

Contact Cliff Trollope, National Business Resilience Lead at 416.515.3851 or [email protected]


Eye on Business

Read more on today’s business issues: follow @iamag_iia on Twitter

The organization celebrates 30 years of improving business through its thought leadership and integrated frameworks.

Happy Anniversary, COSO!

Richard F. Chambers, COSO Board Member; President and CEO, The IIA

Robert B. Hirth Jr., COSO Chairman; Senior Managing Director, Protiviti

Why was the Committee of Sponsoring Organizations of the Treadway Commission (COSO) formed?

HIRTH: COSO was formed in 1985 in response to several instances of fraudulent financial reporting by U.S. stock exchange-listed companies. COSO went on to form the Treadway Commission, led by Jim Treadway, a former U.S. Securities and Exchange Commission commissioner, to determine the cause of this fraudulent reporting and what to do about it. In addition to his findings, Treadway recommended that COSO develop integrated guidance on internal controls. In response, COSO hired Coopers & Lybrand to develop guidance, which resulted in the 1992 Internal Control–Integrated Framework.

CHAMBERS: The formation of COSO is an extraordinary example of the business community recognizing the need for improvement and devising an internal control framework that has proven to be an invaluable tool to thousands of organizations over the past 30 years. COSO’s internal control framework is a testament to what can be accomplished when the business community and industry organizations pool their collective knowledge and resources. The joint efforts of The IIA, the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, and the Institute of Management Accountants not only produced the groundbreaking, globally recognized 1992 and 2013 internal control frameworks, but also the 2004 Enterprise Risk Management–Integrated Framework.

What has COSO meant to internal auditing?

CHAMBERS: COSO’s two frameworks provide internal auditors worldwide a common structure and approach when providing assurance to key stakeholders on internal control and risk management. COSO also provides significant thought leadership on internal control, enterprise risk management (ERM), and fraud deterrence, consistent with its mission to provide guidance to the global marketplace, inclusive of all internal audit practitioners.

HIRTH: COSO’s definitive guidance and overall evaluation framework design for effective internal control and ERM has provided significant structure, terminology, and guidance to assist internal auditors around the globe. The COSO frameworks have helped to create a common vocabulary and understanding of these two topics so that internal auditors can be more effective in applying them at their organizations. A key word here, of course, is “effective.” This means not just existence but effective operation so that the objectives of ERM and internal control are met and organizational value is protected or enhanced.

Top 10 co-sourcing services

sunera.com | 813.402.1208 | [email protected]

Today’s business and technology risks are more complex than ever, so we’re here to help with your co-sourcing needs. This Top 10 list illustrates our clients’ most requested services. Talk to us about your needs and see how we can help you.

Security Assessments, IT Audits, Custom Analytics Scripting, Operational Audits, ERP Integration Reviews, Vulnerability Assessments, SOX Testing, Privacy Assessments, PCI Gap Analyses, HIPAA Compliance Reviews

Insights/Eye on Business. To comment on this article, email the editor at [email protected]

Where has COSO had the biggest impact?

HIRTH: Today, every U.S. listed company except one — British Petroleum, which uses the Turnbull framework — uses the 1992 or 2013 COSO internal control framework to comply with Section 404 of the U.S. Sarbanes-Oxley Act of 2002. In addition, the U.S. Office of the Inspector General recently reissued its Green Book Guidance on internal control and adopted the COSO 2013 framework as part of this update. COSO clearly has had a big impact on internal control over financial reporting. The framework has been translated into seven major languages, and China, Japan, South Korea, and India have all mentioned or used aspects of the COSO framework in their respective financial reporting related regulations.

With respect to ERM, studies have shown that the COSO ERM framework is one of the two most commonly used ERM frameworks in the world — the other being ISO 31000 — with about 50 percent of global market share.

CHAMBERS: I can’t imagine a major business issue that hasn’t been affected by COSO in some way — primarily because of the widespread acceptance of the internal control and ERM frameworks. The internal control framework, for example, has become almost synonymous with regulated assessment and assertions on controls over financial reporting in the U.S. as a response to Sarbanes-Oxley.

Why did COSO decide to update the ERM framework?

CHAMBERS: The nature of business risk is evolving in complexity and speed. Consistent with its mission, COSO must provide an ERM framework that reflects and responds to that evolution. Consequently, an update to COSO’s Enterprise Risk Management–Integrated Framework was announced in 2014 and currently is in process. The update is designed to address the key challenges presented by an increasingly complex business environment and to help organizations worldwide attain better value from their ERM programs.

HIRTH: In October, we announced our intention to determine through a broad stakeholder survey whether the ERM framework should be revised, and what should stay the same. We received a fantastic level of response from people around the world, giving us some great comments on potential areas for change and improvement, as well as strong feelings about what should not change. Since then, we have formed our advisory committee and appointed official observers. Our principal author, PricewaterhouseCoopers, has completed several rounds of research, and we have held two advisory council meetings in New York and Chicago. Our project plan contemplates issuing our public exposure draft later in 2015.

What has been the impact of the 2013 Internal Control–Integrated Framework?

HIRTH: So far the COSO board is very pleased with the results of the 2013 revised framework. Feedback from around the world has been overwhelmingly positive. People and organizations seem to like the principles-based structure and the Points of Focus, as well as the updated wording and context. Approximately 75 percent of all companies subject to Sarbanes-Oxley with fiscal years ending Dec. 31 have transitioned to the 2013 framework, and a large majority of the comments from those companies have been that the transition to the 2013 framework was not significant in terms of effort but that it did identify some impactful areas for improvement in internal control over financial reporting. Many organizations are now looking at how they can expand the use of the 2013 framework in areas such as nonfinancial reporting, operations, and compliance. We also expect several countries that have mentioned COSO in their respective financial reporting regulations to consider changes as a result of issuance of the revised framework.

CHAMBERS: That question may be a bit premature. COSO ended its support of the 1992 internal control framework at the end of 2014, which was just a little more than six months ago. But the COSO board has received positive feedback from many organizations that have made the transition. It is our hope that all our 1992 framework users make the transition and apply the new framework, not just to financial reporting, but to other aspects of their organizations as well, including all internal and external reporting, compliance, and operations.

What are the next steps for COSO?

CHAMBERS: We are eager to move forward with our ERM integrated framework update and subsequently roll out the updated framework globally. Also, we are constantly looking for opportunities to offer new thought leadership such as our white paper on the interrelationship between the COSO internal control framework and the Three Lines of Defense model. COSO will continue to monitor financial reporting and other aspects of organizational operations. With the growing changes in business complexity and dynamics, COSO may see the need to create additional frameworks.

HIRTH: There’s always “next steps” for COSO. After the ERM framework revision is released, some issues we will tackle include: making sure the ERM framework is translated into other major languages and that it is widely explained, promoted, and marketed through presentations globally; developing additional thought papers to support both the internal control and ERM frameworks; and considering developing additional frameworks. We will continue to challenge ourselves to ensure we are meeting our mission around thought leadership for internal control, ERM, and fraud deterrence.


Read more opinions on the profession: visit our blogs at internalauditor.org

Insights/In My Opinion. To comment on this article, email the author at [email protected]

By Nnennaya C. Anyaebosi

Peak audit performance hinges on keeping staff motivated and focusing on retention.

Are You Driving Away Talent?

Effective talent management is essential to keeping up with the high demands placed on today’s audit functions. And while attracting the right people and assembling an effective team are key to that effort, equally important is the retention of those individuals. According to a survey last year by human resources software company BambooHR, a top reason employees cite for whether they stay with a company or leave is how they’re treated by management. Yet some audit managers may overlook this factor’s importance to maintaining a motivated, productive team — in fact, they may actually be driving staff members away by committing key retention mistakes.

One critical error managers can make is failing to understand staff members’ strengths and weaknesses. Some auditors, for example, may be especially proficient in Microsoft Excel or flowcharting, even though they weren’t hired with those skills in mind. Or, a generalist, non-IT auditor may possess data analytics skills. Taking full account of the team’s portfolio of competencies and recognizing all employee skills and assets is key not only to leveraging them for the benefit of the organization, but also to making auditors feel valued and appreciated as members of the team.

Management style is also important to retention, though unfortunately some managers adopt a style that relies on negative behavior — namely fear and intimidation. Managing by way of direct or implied threats and intentionally eliciting distressing emotions is counterproductive. Those who work within a culture of intimidation will never give their best — their creativity will be stifled, their commitment will wane, and they will feel disempowered. Instead, managers need to encourage staff and use positive management techniques that work best for each team member.

Another negative approach, autocratic management style, or relying on unilateral decision-making, also does little to engender staff loyalty and retention. Constantly reminding staff who’s in charge and pointing out that any deviation from following management directives constitutes insubordination does not elicit quality work or commitment. Managers should listen to staff members’ ideas and opinions, making sure that communication is a two-way street.

Lastly, ineffective managers often value deadlines and targets above all else. Emphasizing quantity over quality and then blaming staff for poor or inadequate performance is a recipe for team failure. Quality of work must be high on a manager’s list of priorities, and expectations of staff must be reasonable. Measuring and reviewing “outcome” should receive just as much attention as gauging “output.”

When the audit function is not performing at its best, its value to the organization is compromised. Peak performance hinges on keeping staff motivated and retaining top talent. Managers who recognize this and treat staff with retention in mind reap the benefits of an engaged, productive, and highly motivated audit team.

Nnennaya C. Anyaebosi, CIA, CPA, CFE, CGAP, is a special projects auditor at Metropolitan Atlanta Rapid Transit Authority.


www.theiia.org/fsac

Introducing The Financial Services Audit Center: Influential, Impactful, and Indispensable Resources

Auditors in banking, investments, insurance, and other enterprises engaged in wealth management and protection must be both innovative and strategic to address the risks facing their organizations. The Financial Services Audit Center is designed to provide practitioners with cutting-edge resources to stay current on this ever-evolving industry.

Explore the Financial Services Audit Center today!

Open access period ends October 2015.

“The Financial Services Audit Center is designed to be a one-stop shop for all financial services auditors. The Center provides internal audit research, resources, and regulatory guidance in one location to help financial services auditors stay current on regulatory issues and other information specific to the highly-regulated financial services industry.”

Jennifer F. Burke, Partner, Crowe Horwath; Member, IIA Financial Services Advisory Board


The Framework for Internal Audit Effectiveness: The New IPPF

Changes in today’s business environment and the associated risks are only accelerating.

Internal auditing requires commitment and a framework of clearly articulated principles, leading-practice standards, and timely guidance that not only acknowledge but also anticipate these changes.

For internal audit to keep up with an ever-changing environment, the International Professional Practices Framework (IPPF) must evolve to effectively support the profession and meet the many challenges ahead — a changing risk landscape, growing stakeholder expectations, and increasing legislative and regulatory demands for improved governance, risk management, and internal control.

Learn more about the new IPPF, the new Mission and Principles, and what additional enhancements lie ahead. www.theiia.org/goto/IPPF