CAEs speak out: Cybersecurity seen as key threat to growth June 19, 2015 Share Download Subscribe RFP [Download the PDF] Introduction In Grant Thornton LLP’s fifth annual survey of chief audit executives (CAEs), financial services CAEs revealed that they see considerable room for improvement when it comes to their risk management functions.1 Although they operate in a heavily regulated industry and are highly attuned to managing risk, almost two-thirds of financial services CAEs indicated that their risk management functions would benefit from enhancements. In addition, almost one-quarter of respondents said their risk framework is either ineffectively used or has yet to be implemented. Only 15% of CAEs report being fully satisfied with their framework, saying it is rigorously enforced and used comprehensively (Figure 1). Not surprisingly, in light of numerous high-profile and reputation-damaging data breaches, financial services CAEs are especially concerned about data privacy and security. This area ranked highest (71%) among issues that could have the most significant impact on their organizations’ growth strategies, a notable increase from 48% in the 2014 survey. Participants from the largest entities — those with managed assets of over $50 billion — are even more concerned with privacy, with 74% of those respondents ranking it as the biggest threat to future growth. When asked what type of risk assessments their departments are conducting, 66% of financial services CAEs named data security as the top area, although enterprise-wide risk assessments continue to represent the most prevalent type, as reported by 75% of respondents. Other top responses included technology (63%) and fraud risk assessments (63%). Given the industry’s strong ties to data security, these findings are not surprising, according to Jack Katz, global leader and national managing partner in Grant Thornton's Financial Services practice. “For the financial services industry, cybersecurity is a critical risk that must be addressed on an enterprise basis, as the threat of cybercrime raises not only operational and regulatory risks but significant reputational risk exposure as well,” says Katz. The increasing use of mobile technology and third-party relationships further amplifies the data security risks facing the industry, notes Katz. “Financial services companies have focused their technology strategies largely on customer service and convenience, which have increased their cybersecurity exposure. At the same time, as firms have become more and more technologically interconnected to various vendors and other third parties, extended data supply chains have expanded their vulnerability to cybercrime.” As anxiety about cybersecurity has risen, concerns about regulatory risks have lessened somewhat, with 38% of CAEs citing this area as having a significant impact on growth, compared to 51% last year. Nonetheless, regulatory risks were still the second-highest concern as ranked by respondents. Risks related to third parties and vendors came in third, up to 34% from 22% in 2014. Rounding out the highest-concern risk areas were execution of strategy (30%) and business continuity. Managing the compliance burden Although the financial services industry continues to face the challenges of a fluid and uncertain regulatory environment, our survey suggests that the effort dedicated to compliance has not risen. Thirty percent of CAEs, compared to 54% last year, reported that meeting compliance requirements constitutes up to 25% of their workload. Moreover, 67% said this does not represent an increased effort over last year. That said, while the rate of increase in cost may be slowing, the industry is still dealing with significant compliance costs. Optimizing those costs, therefore, remains a priority. Again this year, CAEs said that regulatory requirements add costs and distract the internal audit function from other activities. Increased costs remain the biggest impact of regulations, according to 72% of respondents, while the inability to devote resources to higher-value activities was cited by 42%. On the other hand, 38% said regulation had improved governance and the rigor of testing (Figure 2). When it comes to meeting regulatory requirements, financial services CAEs report that an ongoing challenge facing their organizations is a dearth of talent and lack of alignment among processes, operations and technology. “Meeting compliance obligations remains a pain point for companies in a variety of sectors,” explains Warren Stippich, partner and Grant Thornton national Governance, Risk and Compliance practice leader. “There are continued compliance requirements in highly regulated industries, such as financial services, combined with more scrutiny from the PCAOB [Public Company Accounting Oversight Board] regarding the work that is done around internal controls. With finite budgets and resource constraints, internal auditors must look toward optimizing all aspects of the work they do, including compliance activities,” Stippich says. One-to-many takes root One path to optimizing compliance is the one-to-many approach, which allows companies to test once but report on multiple regulatory requirements while remediating any regulatory gaps. This lets organizations streamline compliance testing, meet more regulatory requirements, and provide a sustainable framework for long-term compliance management without repeating the same testing activities for different mandates. An example would be testing logical security and using those test results to satisfy multiple regulatory requirements, such as those associated with the Sarbanes-Oxley Act, the Payment Card Industry Data Security Standard and the International Organization for Standardization. Two-thirds of financial services CAEs said their organizations have had success with a one-to-many approach. Furthermore, 18% said they can potentially apply the principles to up to 75% of their testing, and 41% said they can use the approach for up to 50% of their testing (Figure 3). Technology usage: A mixed bag CAEs in the financial services industry and in our overall survey indicated that they’re eager to improve the efficiency of the internal audit function, ranking this as their top goal for the coming year. However, some see limited value in implementing or updating governance, risk and compliance (GRC) tools. The following are responses from audit executives in the financial services industry: More than half (54%) said that investing in GRC technology is one way they are enhancing or are planning to enhance their approach to risk management (Figure 4). Only 10% disagreed with the assertion that their organizations effectively use GRC-specific technology. This is down from 23% last year, suggesting that CAEs are pleased with the progress made in this area. In addition, 45% agreed that their organizations are effectively leveraging a GRC tool, up from 36% last year. CAEs whose departments use GRC technology indicated that they’re using it primarily for internal audit function management and administration, followed by centralized management and reporting of audit plans and results, enterprise-wide risk management, and other compliance or regulatory testing (Figure 5). Despite some positive signs regarding GRC technology, 90% of respondents, up from 84% last year, said they don’t plan to implement a GRC tool in the next 12 months, which could suggest that some CAEs see limited value in implementing or updating the technology. Nonusers cited the cost and time required to deploy the technology as the top implementation challenge, followed by the difficulty of maintaining and supporting the technology. As these findings suggest, even if the benefits are considerable, some organizations, especially smaller ones, may find that they either cannot marshal the resources needed to adopt GRC technology, or they cannot realize an adequate return on investment. Some have found that spreadsheets are equally efficient and more cost-effective for their purposes. Data analytics: An aid to risk management Usage of data analytics to enhance the internal audit function also seems to be mixed. Consider the following: More than half (53%) of financial services CAEs said they are not using data analytics or business intelligence tools to enhance the internal audit function, up from 39% last year. Slightly less than half (47%) of respondents said they are using data analytics, down from 61% in the 2014 survey. Users of data analytics cited a more efficient internal audit process as the top benefit, which is consistent with the goal of optimizing compliance monitoring activities. Other benefits included the ability to quickly identify patterns, trends and relationships; and greater population testing coverage (Figure 6). “Although many large financial institutions, in particular, rely on advanced analytics, there are opportunities to do more,” says Nigel Smith, national Financial Services Advisory practice leader. “Effective use of advanced analytics can enable financial organizations to gain added benefits from the data they’re gathering and assembling as they comply with new regulations. Using advanced analytics, they can leverage those data assets to anticipate emerging risks and make more appropriate riskmitigation decisions.” Priorities, priorities As financial services CAEs look ahead, they’re focused on priorities — not just their own as internal audit professionals but also those of various stakeholders. Asked about the areas in which they are most frequently asked to deliver value, CAEs identified the following: (1) mitigating risk, (2) identifying improvement opportunities and (3) stronger compliance efforts in other areas. The priorities of financial services CAEs are not that out of alignment with those of their stakeholders. Without existing constraints, they identified the following as areas where they believe they could add the most value: (1) identifying improvement opportunities, (2) increasing efficiency and (3) mitigating risk/stronger corporate governance. Talent, compliance optimization key to delivering value Asked about barriers to delivering the greatest value, 51% of financial services CAEs cited talent quality or capacity, followed by budget constraints (Figure 7). The ability to attract talented internal auditors, in particular, is a significant challenge, but one that CAEs may be able to address by using a different approach. “With the internal audit function requiring a greater range of skills and more nontraditional types of skills — such as information technology expertise — CAEs may need to focus more on recruiting professionals with skills in these high-priority areas and complement that with co-sourcing arrangements,” says Smith. “For instance, by recruiting auditors who have an IT background, CAEs can enhance their department’s ability to understand and address cybersecurity risks.” In addition, the ongoing quest for greater efficiency can be addressed by taking the necessary steps to optimize compliance activities. This may include improving visibility into financial controls, better allocation of compliance resources (including talent and skill considerations), and greater responsiveness to regulatory demands and remediation needs. If CAEs can help their organizations develop a sustainable process for long-term compliance management, internal auditors should be able to increase their focus on facilitating the value-added operational improvements they view as a priority and strength. “It’s important that compliance optimization improvements be made in a way that makes them flexible and sustainable over the long term,” notes Smith. “The greatest successes occur when organizations view risk management and compliance effectiveness as a strategic necessity for the business, rather than just reacting to the latest regulatory challenges with tactical, manually intensive solutions.” 1 The survey was administered online from November to December 2014. A total of 114 internal audit professionals in the financial services industry responded, representing a range of public and private companies of all sizes across the United States. Respondents perform internal audit functions under varying titles, including CAE, vice president and director; however, for the purpose of this survey, we will refer to all respondents as CAEs. Visit grantthornton.com/caesurvey for more information.