Competing priorities: Are CAE and audit committee priorities in sync?

Rebalancing priorities by optimizing compliance activities
Internal auditors have to maintain a delicate balance. They want to deliver the operational audits that lead to greater organizational efficiencies. But with many companies mired in compliance initiatives, audit committee members indicated that operational auditing focused on improvement opportunities is not a top priority for them.

The steady stream of regulations and stepped-up enforcement actions by the SEC, Federal Reserve, PCAOB and other regulatory bodies may be contributing to an increased focus on financial controls and other compliance activities by audit committees. Hence the desire to see internal audit focus, first and foremost, on these areas as top priorities.

Internal auditors have the opportunity to lead their organizations toward better alignment of priorities by optimizing their activities and thereby freeing up limited resources to meet both audit committee and CAE objectives. In today’s environment, a key component of this effort focuses on optimizing compliance, a term that refers to an integrated approach to efficiently and effectively identifying risks and testing controls in a way that allows organizations to achieve greater comfort with less effort. Optimization allows organizations to streamline compliance testing and provide a sustainable framework for long-term compliance management.

“The focus and goal for internal auditors seeking to rebalance priorities should be addressing regulatory and other compliance requirements reliably and efficiently, which means directing limited resources from simply achieving short-term compliance goals to figuring out where and how less effort can be used to get greater results,” Stippich says. “In essence, compliance should become a focal point for understanding resource use.”
Benefits of internal audit and compliance optimization:
• True responsiveness to regulatory requirements and remediation demands (actual process change, not simple policy enactment)
• Integration of risk identification and monitoring (e.g., ERM), predictive analytics, internal audit and forensic disciplines, allowing focus on the delivery of principles and objectives
• Improved visibility and optimization for the allocation of compliance resources
• Decreased reporting cycles
• Integration of both financial and operational data into a unified regulatory reporting framework
• Consideration of how GRC technology can assist in optimizing coverage and efficiencies
• Actively seeking ways the company can enhance its first and second lines of defense to create greater surety that internal controls, processes and activities are functioning as designed [1]

Path to optimization

The path to optimizing compliance activities requires an integrated approach that brings together a mix of strategies, tactics and tools that allow internal audit to get the most out of compliance activities, which, in turn, enables a focus on more value-added activities, such as operational audits. Based on the survey results, we see opportunities for CAEs to enhance the financial controls and compliance effort. We recommend the following actions:
• Leverage control testing across multiple compliance areas in a “one-to-many” approach
• Use GRC technology and data analytics for more automated, continual, proactive and predictive control monitoring and reporting activities
• Implement the 2013 Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control – Integrated Framework
• Leverage an enterprise-wide view of risks and controls
• Understand potential enhanced first and second lines of defense control activities [2]

A 'one-to-many' approach
One path to optimization is a one-to-many approach, which is to test once but report on multiple compliance requirements while remediating any regulatory gaps. This allows organizations to streamline some of their compliance testing, meet more regulatory requirements and provide a sustainable framework for long-term compliance management without repeating the same testing activities over and over again in a short period of time, in the same areas, but for different mandates.

This one-to-many approach should allow companies to reduce redundancies and to focus on delivering objectives, not simply reporting on compliance. An example would be testing logical security and using those results to satisfy multiple regulatory requirements, such as those associated with SOX, the Payment Card Industry Data Security Standard, and the International Organization for Standardization.

Although only 44% of CAEs say they’ve found ways to implement this approach to control testing, those who have embraced a “test once, apply many times” method appear to be using it effectively: 86% said they can potentially apply one-to-many principles to up to 50% of their control testing, and 14% said they can potentially apply the principles to up to 75% of their testing. According to a global financial services CAE who is using a one-to-many approach, “We see much greater cross-collaboration between those charged with monitoring and oversight and a reduced burden on the auditees.” (See Figure 6.)
Figure 6
acknowledges that one-to-many can be difficult to implement. Internal auditors and others involved in compliance efforts often remain locked into a silo approach to control testing and reporting. “One-to-many involves thinking holistically about all of the compliance areas and mandates facing an organization across geographies, business units and so on. It’s a clear path to efficiency gains, albeit not always an easy one,” he says.
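The following is an added illustration, not code from the report or its authors, of the “test once, apply many times” idea: a crosswalk that maps each control test to the requirements it evidences in several mandates, derives each requirement’s status from the test results, and lists the requirements no test covers at all (the regulatory gaps that still need remediation). The frameworks, requirement identifiers, test names and results are constructed placeholders for illustration; they are not real SOX, PCI DSS or ISO clause numbers.

```python
"""One-to-many control testing: one test result, many compliance requirements."""

# Constructed sample requirement inventories (placeholder identifiers, not real clauses).
FRAMEWORKS = {
    "SOX": ["SOX-ACCESS", "SOX-CHANGE", "SOX-BACKUP"],
    "PCI": ["PCI-ACCESS", "PCI-CHANGE", "PCI-LOGGING", "PCI-ENCRYPTION"],
    "ISO": ["ISO-ACCESS", "ISO-LOGGING", "ISO-BACKUP"],
}

# Constructed crosswalk: each control test -> the requirements its evidence satisfies.
# A logical-security test, for example, serves three mandates at once.
TESTS = {
    "logical-access-review": ["SOX-ACCESS", "PCI-ACCESS", "ISO-ACCESS"],
    "change-ticket-sampling": ["SOX-CHANGE", "PCI-CHANGE"],
    "log-retention-check": ["PCI-LOGGING", "ISO-LOGGING"],
    "backup-restore-test": ["SOX-BACKUP"],
}

# Constructed results from one testing cycle.
RESULTS = {
    "logical-access-review": "pass",
    "change-ticket-sampling": "fail",
    "log-retention-check": "pass",
    "backup-restore-test": "pass",
}

# Worst outcome wins when several tests evidence the same requirement.
SEVERITY = {"pass": 0, "untested": 1, "fail": 2}


def requirement_status(tests, results):
    """Derive each mapped requirement's status from the tests that evidence it."""
    status = {}
    for test, reqs in tests.items():
        outcome = results.get(test, "untested")
        for req in reqs:
            current = status.get(req, "pass")
            if SEVERITY[outcome] >= SEVERITY[current]:
                status[req] = outcome
    return status


def framework_report(frameworks, tests, results):
    """Per framework: how many requirements a test covers, which failed, which were
    never tested, and which have no mapped test at all (the coverage gaps)."""
    status = requirement_status(tests, results)
    report = {}
    for name, reqs in frameworks.items():
        gaps = [r for r in reqs if r not in status]
        report[name] = {
            "covered": len(reqs) - len(gaps),
            "total": len(reqs),
            "failed": [r for r in reqs if status.get(r) == "fail"],
            "untested": [r for r in reqs if status.get(r) == "untested"],
            "gaps": gaps,
        }
    return report


def shared_test_share(frameworks, tests):
    """Fraction of tests whose single result serves two or more mandates."""
    owner = {req: fw for fw, reqs in frameworks.items() for req in reqs}
    shared = sum(1 for reqs in tests.values() if len({owner[r] for r in reqs}) >= 2)
    return shared / len(tests)


if __name__ == "__main__":
    for fw, row in framework_report(FRAMEWORKS, TESTS, RESULTS).items():
        print(f"{fw}: {row['covered']}/{row['total']} covered, "
              f"failed={row['failed']}, untested={row['untested']}, gaps={row['gaps']}")
    print(f"tests serving multiple mandates: {shared_test_share(FRAMEWORKS, TESTS):.0%}")
```

On the constructed data, one failed change-management test flags a requirement in two frameworks at once, the PCI encryption and ISO backup requirements surface as gaps with no supporting test, and three of the four tests serve more than one mandate. Keeping the crosswalk explicit is what lets a single remediation be tracked against every regulator it affects.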

Technology usage: GRC and data analytics
Internal audit departments seem eager to improve the efficiency of the internal audit function. CAEs again ranked this as the top goal for their departments in the coming year. (See Figure 7.) Still, many internal audit departments do not seem to be adopting enabling technologies to the degree that might be expected.

Figure 7

Just over one-fourth (28%) of CAEs said their organizations are using a GRC/internal audit-specific technology tool, while 73% said they weren’t. These results closely parallel the previous year’s findings. Yet, more respondents said they believe their organization effectively leverages GRC-specific technology: 32% agreed with this statement, compared to 22% last year.

CAEs whose departments are using GRC technology indicated that they’re using it primarily for internal audit function management and administration (62%), centralized management and reporting of audit plans and results (39%), enterprise-wide risk management (35%) and SOX testing (34%). Nonusers cited the cost and time required to deploy the technology as the primary implementation challenge, followed by the cost of seat licenses and poor fit with requirements, which were the same challenges cited in last year’s survey.

“Even when the benefits are considerable, any new technology still requires budgets, expertise and time to implement — all difficult resources to marshal,” says Shawn Stewart, partner and West region GRC leader. “Some organizations simply can’t get the return on investment to work in their favor. Depending on the size of the organization and other factors, companies may find that spreadsheets are equally efficient and more cost-effective.”

Slightly less than half (47%) of respondents said they’re using data analytics or business intelligence tools to enhance the internal audit function. Those who are using these tools cited a more efficient internal audit process as the payoff, which is consistent with the goal of optimizing compliance monitoring activities. Other benefits cited also support optimization efforts, including the ability to quickly identify patterns, trends and relationships so that irregularities are detected early, reducing cost to the organization; improving the strategic value of the internal audit function; and increased risk monitoring. (See Figure 8.)
Figure 8
Applying the COSO Integrated Framework
Updated guidance on internal controls from COSO furthers the goal of optimizing compliance by improving the function’s ability to evaluate and improve the internal control environment, resulting in a more robust risk management process. The new framework, known as Internal Control – Integrated Framework (COSO 2013), sets forth 17 principles, each of which must be present and functioning in an organization for it to have effective internal control. Among the critical areas receiving expanded guidance from COSO are cyberrisk and fraud risk assessment.

“For companies that may not have formally documented processes and controls designed to address fraud risk systematically, adopting COSO 2013 can jump-start a broad and far-reaching program of necessary fraud risk prevention,” says Michael Rose, partner and Northeast region GRC leader. [3]

Although COSO expected the new guidelines to be implemented by year-end 2014, the transition process is still underway for some organizations. (See Figure 9.) More than half of CAEs surveyed (54%) said their organizations had transitioned or were working on adopting the new framework or that their existing controls were already in agreement with the new guidance. One-fourth of respondents said they have no plans to transition to the new framework in the next year. It’s worth noting, however, that 84% of the public companies surveyed have either transitioned to the new framework or are in the process.

Figure 9

An enterprise-wide view of risks and controls
The updated COSO guidance dovetails nicely with the priorities of CAEs and audit committee members, who indicated that an increased focus on risk management was their mutual top priority. Their other priorities in terms of enhanced risk management were also mostly in sync, with both parties citing integrating with operations and business strategy and having better analytics/risk-modeling as top priorities. (See Figure 10.)

Figure 10

Furthering the importance of enterprise-wide risk assessment and risk management, COSO announced in late 2014 a project to update the 2004 Enterprise Risk Management – Integrated Framework. COSO realizes that business has become more complex in the past 11 years, stakeholder views have changed and globalization has increased. “Without an enterprise-wide view of risks, an organization is really limiting itself in managing risks and optimizing related compliance,” says Bailey Jordan, partner and Southeast region GRC leader, who has recently been appointed to be part of the COSO ERM Integrated Framework Update Advisory Group.

Not surprisingly, both CAEs and audit committee members also acknowledged increased concerns about data privacy and security, including cyberrisks, an area that is addressed with the new COSO framework. In fact, both groups ranked cyberrisk as the top concern among a list of numerous risks, including fraud, cloud computing, third-party risks and strategy execution, among others.

Asked what steps their board has taken to oversee data privacy and security risks, audit committee members cited: requesting regular assessments and reporting from management (69%); reviewing policies, procedures and controls related to data security (64%); and ensuring ongoing monitoring and testing (49%). (See Figure 11.)

Figure 11

As for the types of risk assessments being conducted by internal auditors, fraud risk ranked first (69%), up 8% from last year; followed by enterprise-wide risk (65%) and data security risk (61%). Again, these are all areas addressed in COSO 2013, suggesting that its adoption can broaden and enhance an organization’s risk management efforts and, by extension, further optimize the internal audit effort. (See Figure 12.)

Understanding ‘Three Lines of Defense’
The Three Lines of Defense model advanced by the Institute of Internal Auditors provides a simple and effective way to enhance communications on risk management and control by clarifying essential roles and duties. [4] In this way, it is another tool for furthering the goals of enhancing risk management and optimizing compliance.

Figure 12

With senior management and audit committees collectively responsible and accountable for governance structures, the Three Lines of Defense model delineates more specific responsibility: the first line of defense being the operational managers who own and manage transaction cycle activities and related risks, the second being the oversight of the activities and risks by risk management and compliance functions, and the third line of defense being the internal audit department.

“By implementing the Three Lines of Defense model, risk management responsibilities are shared and strengthened,” says Priya Sarjoo, principal and Central region GRC leader. “This allows internal audit to optimize its efforts by focusing on how it can best deliver value-added benefits to stakeholders as an independent risk assurance group.”

[1] “The Three Lines of Defense in Effective Risk Management and Control,” The Institute of Internal Auditors Position Paper, January 2013.
[2] Ibid.
[3] Read “COSO 2013 framework boosts fraud risk assessment and prevention” to learn more.
[4] “The Three Lines of Defense in Effective Risk Management and Control,” The Institute of Internal Auditors Position Paper, January 2013.