It's been a busy year for internal audit. Below are the top 10 most-read articles from MISTI's Internal Audit Insights for 2016:

1. Auditing Corporate Culture: A New Imperative

The emerging flavor of the month in regulatory circles is the “culture of compliance,” with recognition that corporate culture has a profound influence on how an organization conducts its business. A culture that consistently places ethical considerations and client interests at the center of business decisions helps protect employees as well as investors and the integrity of the markets. Conversely, significant cultural failures can impose substantial harm on companies themselves, including fines, penalties, and loss of reputation.

2. Internal Auditors Under Pressure to Alter Reports

Just about every internal auditor will face an ethical dilemma or difficult situation at some point in their career. Among the toughest scenarios is when the CEO or other senior executive exerts pressure to suppress or change the results of an audit finding because it reflects poorly on management or some other aspect of the business. A new report indicates, however, that it's an all-too-common occurrence.

In two separate actions this week, the SEC objected to language in severance agreements that encourage outgoing employees to keep quiet

By Joseph McCafferty

December 21, 2016

The Securities and Exchange Commission hit two separate companies this week with penalties for violating rules that prevent companies from asking outgoing employees in severance agreements to not bring concerns or other information to regulators as a condition of the agreement. The SEC has warned in the past that such language in separation agreements is a violation of whistleblower protections.

On Monday, the SEC announced that a technology company had agreed to pay a penalty of $180,000 to settle charges involving its severance agreements that impeded at least one former employee from communicating information to the SEC.

Seminar will provide auditors with the skills to lead audits and direct an audit team to get results

December 21, 2016

Starting in January expect the gyms to be packed as many people look to make good on their New Year's resolution to get in shape and shed those few extra pounds they may have picked up during the holidays. It's also time to exercise those audit muscles and bulk up on the audit skills you need to advance in your career.

MIS Training Institute will provide an excellent chance to do just that early in the year with its seminar, Advanced Auditing for the In-Charge Auditor, which will take place from February 6-8 in San Francisco. The course, instructed by Kathleen Crawford, will provide attendees with all of the elements involved in leading risk-based audits from the unique perspective of the in-charge position.

Report finds no drop in the number of companies using non-GAAP figures, but some minor adjustments in how they use them

By Joseph McCafferty

December 20, 2016

For more than a year, the SEC has been on something of a crusade against what it considers a swell in the misleading use of non-GAAP measures in financial reports. Not only did the agency issue comment letters to several companies questioning and criticizing their use of the figures, but several agency officials also disparaged the practice in a series of speeches, where they suggested that some companies are pushing the envelope on using non-GAAP measures in financial reports. The SEC was so miffed at how Valeant Pharmaceuticals has used non-GAAP measures that it dinged the company twice through comment letters.

In May, the regulator attempted to influence how companies use the figures by issuing new guidance in the form of a Compliance & Disclosures Interpretations document that provided 39 questions and answers on what the SEC would consider acceptable and what it would take issue with. Using metrics in financial statements that aren't approved by Generally Accepted Accounting Principles (GAAP) isn't necessarily a violation of reporting rules, the guidance points out, but using them to mislead investors is a violation of the rules, the SEC warned.

A conversation with Marius Bosman, IT audit director at Ball Corporation

Interview by Joseph McCafferty

December 19, 2016

Communicating top risks to the board and C-suite is always tricky since it's such a critical area of involvement by the highest levels of the organization. Communicating IT risks can be even more challenging since directors and top executives aren't always sophisticated in technology areas. Information security and risk professionals must be sure they communicate in a way that will convey an accurate assessment of the critical IT risks without using too much "techie talk," or IT jargon.

Cybersecurity is such a critical issue that it is on most board agendas and a top concern of the CEO. IT auditors have a role to play in helping establish what the key IT risks are and how the organization is doing at managing them. This is one area that directors and the executive team are sure to push back on and probe for any weaknesses in the risk assessment.

North American companies lag their international peers when it comes to having the audit committee, rather than the CEO, evaluate the performance of the chief audit executive

By Joseph McCafferty

December 14, 2016

I wanted to call attention to an item that might have been a little lost in a recent report by the Institute of Internal Auditors Research Foundation. While the major finding of the report—that many internal auditors say they have faced pressure to alter audit findings—was well reported, one survey result was not: that companies in North America lag well behind their international peers when it comes to having the audit committee, rather than the CEO, evaluate the performance of the chief audit executive.

According to the CBOK report, Ethics and Pressure: Balancing the Internal Audit Profession, just 38 percent of North American chief audit executive respondents said they were evaluated by the audit committee, board, or supervisory committee, compared to 61 percent who said their performance was evaluated by the CEO, president, or other senior executive. Those figures are well below the global average of about 50/50, and the lowest of any region.

A former IT staffer at Expedia was recently charged with trading on non-public information. Could it happen at your company?

By Joseph McCafferty

December 14, 2016

It's a nightmare scenario for any public company: An IT staffer gets a hold of senior executives' passwords, accesses sensitive non-public information on things like upcoming earnings reports, new products, or potential deals, and trades on it, enriching himself at the expense of company shareholders.

Just such a nightmare recently played out at online travel-booking company Expedia. Last week the Securities and Exchange Commission announced insider trading charges against a San Francisco-based information technology specialist who allegedly hacked senior executives at Expedia and illegally traded on company secrets.

We all know that the CEO and top senior executives shape the ethical climate for the company, but can you audit those activities?

An interview with Joel F. Kramer

December 13, 2016

Through their words and actions, the board and C-suite set the tone and shape the ethical culture that pervades the organization. If the rank and file perceive the CEO as someone who cuts corners or ignores ethical issues, it sends a message that skirting the rules is acceptable, even if the written policies forbid it. If senior management seems to always do the right thing, it creates a model that others are likely to follow and may do more to create an ethical culture than any amount of training and policy writing could ever do.

So how can internal audit assess something that seems so difficult to quantify? In the latest edition of our video series "MISTI on Audit," Joel F. Kramer, vice president of audit curriculum at MIS Training Institute, looks at some of the ways internal audit can get at assessing "tone at the top."

Live webinar will help internal auditors get a handle on where to focus IT assessment type activities for 2017

December 13, 2016

2016 was a wild year. It featured an election that was as bizarre as it was unpredictable; Britain voting to leave the EU; the loss of entertainment and sports icons like Prince, David Bowie, and Muhammad Ali; the Pokémon Go phenomenon; a major banking scandal at Wells Fargo; and the many high-profile hacks and data breaches at such organizations as Verizon, LinkedIn, the Democratic National Committee, and even the FBI.

2017 looks to be just as unpredictable, as businesses await the direction President-elect Trump will take, especially how much he will follow through on his promises to roll back business regulation and red tape. The fast pace of technological change is only expected to increase as well, offering new opportunities and plenty of threats.

Where should we be on the spectrum between unlimited spending on cybersecurity and doing nothing at all?

By Joseph McCafferty

December 7, 2016

Many companies are struggling with how much risk to take, if any, when it comes to cybersecurity. Some are spending vast sums on security measures to protect their data, and yet they still have hacks and breaches. It's enough to make those responsible for information security at such companies want to throw up their hands and say, "we give up."

It doesn't have to be that way, says Norman Marks, a risk-management expert and former chief audit executive at several large companies. During a keynote address at the IT Audit and Controls conference taking place in New Orleans this week, Marks attempted to answer the question: "How much cyber-risk should I take?" The answer, says Marks, is different for every company, of course. Yet he says many companies haven't answered this question for themselves or they may be going about finding the answer the wrong way.

Hiring and retaining top IT audit talent has never been harder, but hiring mistakes can only complicate the issue

By Joseph McCafferty

December 7, 2016

IT auditors are in high demand these days. Recruiters and competitors are looking to snatch high-quality talent with the right set of skills and background.

That means it's more important than ever to have a robust recruiting and retention program for IT audit to keep star performers from leaving for other jobs. It's also important to hire the right candidates and communicate with them well so that the organization and the IT auditors they hire are both on the same page. Johnathan Ngah, a principal at Synergy EnterPrize LLC, a staffing company that specializes in IT auditor recruitment, says that a poor recruiting process can lead to problems later on. "If you miss on the front end of the hiring process, you need a lot of luck to make it up on the back end."

A conversation with Sheryl Austin, a director of information security and risk management at Johnson & Johnson on pre-implementation audits

Interview by Joseph McCafferty

December 6, 2016

Among the top responsibilities of IT auditors is auditing software and application development projects. As those projects have moved at some companies from a waterfall style, where each phase has a distinct beginning and end, to agile, where projects are done in sprints that cross through all development phases, IT auditors have had to adapt.

We recently sat down with Sheryl Austin, a director of information security at Johnson & Johnson, at the IT Audit and Controls conference taking place this week in New Orleans to talk about pre-implementation audits, the difference between waterfall and agile, and the unique challenges that the agile method of development projects brings to IT audit.

After years of stagnation, companies may be finally ready to put more funding behind the internal audit function, says a recent study

By Joseph McCafferty

November 30, 2016

Budgeting trends across Corporate America tend to look a lot like the undulating waistline of a yo-yo dieter.

During recessions and cyclical downturns, companies cut, cut, cut as they try to hit their suddenly overly optimistic projections. And then in leaner times they appropriate more resources to projects as they work to gain back market share and fuel growth.

We examine trends in reporting lines for chief audit executives, as more report to CEOs and board directors

An interview with Joel F. Kramer

November 30, 2016

Reporting lines have always been complicated and tricky for chief audit executives and internal audit directors. In the past, when they have reported to the chief financial officer or chief legal officer, conflicts of interest could arise as internal audit scrutinized the finances. Internal audit directors could easily find themselves at odds with their own bosses.

Now, more internal audit leaders report to the CEO, but as internal audit looks to audit such areas as culture or "tone at the top," those conflicts haven't gone away. And there is always the possibility that internal audit finds impropriety at the highest levels during an audit. For now, the solution in many cases has been for the CAE to have dual reporting lines, administratively to the CEO and functionally to the chair of the board's audit committee.

Expect the SEC to focus more on rolling back regulation and less on enforcing securities laws under a Trump administration

By Joseph McCafferty

November 30, 2016

Like at most government agencies under the executive branch, change is coming to the Securities and Exchange Commission, as it prepares the transition to the Trump Administration. Companies are preparing for the transition too, although what they can expect may be hard to determine.

What will the SEC look like under President-Elect Trump? Securities lawyers say it's tougher to predict than a usual transition between the political parties, since Trump doesn't have a political history to go by. "It's very hard to say exactly what his priorities will be, since he doesn't have the track record as a political figure," says Eric Chaffee, a law professor at the University of Toledo College of Law, who specializes in securities law. "He's had support from a wide variety of people with different interests," he says.

During the Risk Management Summit attendees will use game play to gain a better understanding of probability and uncertainty and how they affect risk-taking

November 29, 2016

All risk management in some ways involves taking calculated gambles. But how well do we understand the probabilities of adverse events? How much about potential outcomes is known or unknown? And do we really understand the size of the bets we are making?

At the Risk Management Summit taking place in New Orleans on December 8, Pete Lindstrom, research director of International Data Corp. (IDC), will lead attendees through a game of placing bets and decision-making with uncertainty. Risk management often involves predicting the future, but many biases and tendencies can often get in the way of success.

A conversation with Anne DeTraglia, director of internal audit at United Airlines, on staffing the internal audit department

PODCAST

Interview by Joseph McCafferty

November 23, 2016

Many companies are having a difficult time finding qualified staffers for the internal audit department or keeping their star performers from moving on to take other offers or to other departments. Meanwhile, the complexion of the typical internal audit department is starting to change. CPAs with backgrounds in finance and accounting and Big Four experience are giving way to internal auditors who've worked as risk managers, fraud specialists, data scientists, technologists, and in other disciplines.

For internal audit directors and leaders, getting the right mix of skills in the department can be a tricky undertaking. Not only are data analytics and cybersecurity capabilities gaining in importance, but internal auditors must continue to demonstrate critical thinking, communicate well, and navigate complex situations with diplomacy as they take on new responsibilities and take internal audit into new areas, such as auditing corporate culture.

As President-Elect Trump weighs questions about nepotism in his future administration, companies need to take heed on the practice as well

By Joseph McCafferty

November 23, 2016

While the soon-to-be-empowered Trump administration grapples with the issue of what roles, if any, Donald Trump's grown children—Ivanka, Eric, and Donald Jr.—or his son-in-law Jared Kushner should or could play in the White House, the issue of nepotism is coming front and center in business circles as well.

Federal law prohibits officeholders, including the president, from appointing family members to positions at the agencies where they hold sway over hiring decisions. The code reads: "A public official may not appoint, employ, promote, advance, or advocate for appointment, employment, promotion, or advancement, in or to a civilian position in the agency in which he is serving or over which he exercises jurisdiction or control any individual who is a relative of the public official." The law was signed by President Lyndon Johnson in 1967, who was unhappy about the appointment by John F. Kennedy of his brother, Robert Kennedy, to the post of attorney general in the prior administration.

ITAC could provide the spark for acquiring needed cybersecurity skills, knowledge, and tools

November 22, 2016

A new survey out from the Institute of Internal Auditors finds that many internal audit departments either outsource cybersecurity audits, or worse, they don't do them at all. What's more, when asked why they don't do them, the top reasons provided by respondents were that their internal audit departments lack the skills and knowledge necessary to provide audit services related to cybersecurity or that they lack the proper tools to conduct such audits.

While it's hard to imagine a company that doesn't feel the need to conduct cybersecurity audits, it's understandable that internal audit may feel lacking in cybersecurity competency. We all know that good IT auditors are a rare find, and it's also pretty clear from the volume of cybersecurity breaches—big and small—that lots of companies haven't quite figured it out yet, even if they are conducting cybersecurity audits.

New survey finds that many internal audit departments are lagging behind on auditing cybersecurity

By Joseph McCafferty

November 21, 2016

Internal audit departments appear to be falling behind on their ability to provide assurance that cybersecurity controls are in place and that cyber-risk is being managed.

The fact that internal audit is struggling on cybersecurity—along with the organization as a whole—may be painfully obvious from the level of successful cyber-attacks and other data-security breaches at large organizations in recent months, but new survey results indicate that internal audit is failing to bring the same rigor and expertise to cybersecurity as it brings to areas like financial reporting and compliance.
