We all know that the CEO and top senior executives shape the ethical climate for the company, but can you audit those activities?

An interview with Joel F. Kramer

December 13, 2016

Through their words and actions, the board and C-suite set the tone and shape the ethical culture that pervades the organization. If the rank and file perceive the CEO as someone who cuts corners or ignores ethical issues, it sends a message that skirting the rules is acceptable, even if the written policies forbid it. If senior management seems to always do the right thing, it creates a model that others are likely to follow and may do more to create an ethical culture than any amount of training and policy writing could ever do.

So how can internal audit assess something that seems so difficult to quantify? In the latest edition of our video series "MISTI on Audit," Joel F. Kramer, vice president of audit curriculum at MIS Training Institute, looks at some of the ways internal audit can get at assessing "tone at the top."

Keep reading...

Live webinar will help internal auditors get a handle on where to focus IT assessment type activities for 2017

December 13, 2016

2016 was a wild year. It featured an election that was as bizarre as it was unpredictable; Britain voting to leave the EU; the loss of entertainment and sports icons like Prince, David Bowie, and Muhammad Ali; the Pokémon Go phenomenon; a major banking scandal at Wells Fargo; and the many high-profile hacks and data breaches at such organizations as Verizon, LinkedIn, the Democratic National Committee, and even the FBI.

2017 looks to be just as unpredictable, as businesses await the direction President-elect Trump will take, especially how much he will follow through on his promises to roll back business regulation and red tape. The fast pace of technological change is only expected to increase as well, offering new opportunities and plenty of threats.

Keep reading...

Where should we be on the spectrum between unlimited spending on cybersecurity and doing nothing at all?

By Joseph McCafferty

December 7, 2016

Many companies are struggling with how much risk to take, if any, when it comes to cybersecurity. Some are spending vast sums on security measures to protect their data, and yet they still have hacks and breaches. It's enough to make those responsible for information security at such companies want to throw up their hands and say, "we give up."

It doesn't have to be that way, says Norman Marks, a risk-management expert and former chief audit executive at several large companies. During a keynote address at the IT Audit and Controls conference taking place in New Orleans this week, Marks attempted to answer the question: "How much cyber-risk should I take?" The answer, says Marks, is different for every company, of course. Yet he says many companies haven't answered this question for themselves or they may be going about finding the answer the wrong way.

Keep reading...

Hiring and retaining top IT audit talent has never been harder, but hiring mistakes can only complicate the issue

By Joseph McCafferty

December 7, 2016

IT auditors are in high demand these days. Recruiters and competitors are looking to snatch high-quality talent with the right set of skills and background.

That means it's more important than ever to have a robust recruiting and retention program for IT audit to keep star performers from leaving for other jobs. It's also important to hire the right candidates and communicate with them well so that the organization and the IT auditors they hire are both on the same page. Johnathan Ngah, a principal at Synergy EnterPrize LLC, a staffing company that specializes in IT auditor recruitment, says that a poor recruiting process can lead to problems later on. "If you miss on the front end of the hiring process, you need a lot of luck to make it up on the back end."

Keep reading...

A conversation with Sheryl Austin, a director of information security and risk management at Johnson & Johnson on pre-implementation audits

Interview by Joseph McCafferty

December 6, 2016

Among the top responsibilities of IT auditors is auditing software and application development projects. As those projects have moved at some companies from a waterfall style, where each phase has a distinct beginning and end, to agile, where projects are done in sprints that cross through all development phases, IT auditors have had to adapt.

We recently sat down with Sheryl Austin, a director of information security at Johnson & Johnson, at the IT Audit and Controls conference taking place this week in New Orleans to talk about pre-implementation audits, the difference between waterfall and agile, and the unique challenges that the agile method of development projects brings to IT audit.

Keep reading...

After years of stagnation, companies may be finally ready to put more funding behind the internal audit function, says a recent study

By Joseph McCafferty

November 30, 2016

Budgeting trends across Corporate America tend to look a lot like the undulating waistline of a yo-yo dieter.

During recessions and cyclical downturns, companies cut, cut, cut as they try to hit their suddenly overly optimistic projections. And then in leaner times they appropriate more resources to projects as they work to gain back market share and fuel growth.

Keep reading...

We examine trends in reporting lines for chief audit executives, as more report to CEOs and board directors

An interview with Joel F. Kramer

November 30, 2016

Reporting lines have always been complicated and tricky for chief audit executives and internal audit directors. In the past, when they have reported to the chief financial officer or chief legal officer, conflicts of interest could arise as internal audit scrutinized the finances. Internal audit directors could easily find themselves at odds with their own bosses.

Now, more internal audit leaders report to the CEO, but as internal audit looks to audit such areas as culture or "tone at the top," those conflicts haven't gone away. And there is always the possibility that internal audit finds impropriety at the highest levels during an audit. For now, the solution in many cases has been for the CAE to have dual reporting lines, administratively to the CEO and functionally to the chair of the board's audit committee.

Keep reading...

Expect the SEC to focus more on rolling back regulation and less on enforcing securities laws under a Trump administration

By Joseph McCafferty

November 30, 2016

Like at most government agencies under the executive branch, change is coming to the Securities and Exchange Commission, as it prepares the transition to the Trump Administration. Companies are preparing for the transition too, although what they can expect may be hard to determine.

What will the SEC look like under President-Elect Trump? Securities lawyers say it's tougher to predict than a usual transition between the political parties, since Trump doesn't have a political history to go by. "It's very hard to say exactly what his priorities will be, since he doesn't have the track record as a political figure," says Eric Chaffee, a law professor at the University of Toledo College of Law, who specializes in securities law. "He's had support from a wide variety of people with different interests," he says.

Keep reading...

During the Risk Management Summit attendees will use game play to gain a better understanding of probability and uncertainty and how they affect risk-taking

November 29, 2016

All risk management in some ways involves taking calculated gambles. But how well do we understand the probabilities of adverse events? How much about potential outcomes is known or unknown? And do we really understand the size of the bets we are making?

At the Risk Management Summit taking place in New Orleans on December 8, Pete Lindstrom, research director of International Data Corp. (IDC), will lead attendees through a game of placing bets and decision-making with uncertainty. Risk management often involves predicting the future, but many biases and tendencies can often get in the way of success.

Keep reading...

A conversation with Anne DeTraglia, director of internal audit at United Airlines, on staffing the internal audit department

PODCAST

Interview by Joseph McCafferty

November 23, 2016

Many companies are having a difficult time finding qualified staffers for the internal audit department or keeping their star performers from moving on to take other offers or to other departments. Meanwhile, the complexion of the typical internal audit department is starting to change. CPAs with backgrounds in finance and accounting and Big Four experience are giving way to internal auditors who've worked as risk managers, fraud specialists, data scientists, technologists, and in other disciplines.

For internal audit directors and leaders, getting the right mix of skills in the department can be a tricky undertaking. Not only are data analytics and cybersecurity capabilities gaining in importance, but internal auditors must continue to demonstrate critical thinking, communicate well, and navigate complex situations with diplomacy as they take on new responsibilities and take internal audit into new areas, such as auditing corporate culture.

Keep reading...

As President-Elect Trump weighs questions about nepotism in his future administration, companies need to take heed on the practice as well

By Joseph McCafferty

November 23, 2016

While the soon-to-be-empowered Trump administration grapples with the issue of what roles, if any, Donald Trump's grown children—Ivanka, Eric, and Donald Jr.—or his son-in-law Jared Kushner should or could play in the White House, the issue of nepotism is coming front and center in business circles as well.

Federal law prohibits officeholders, including the president, from appointing family members to positions at the agencies where they hold sway over hiring decisions. The code reads: "A public official may not appoint, employ, promote, advance, or advocate for appointment, employment, promotion, or advancement, in or to a civilian position in the agency in which he is serving or over which he exercises jurisdiction or control any individual who is a relative of the public official." The law was signed by President Lyndon Johnson in 1967, who was unhappy about the appointment by John F. Kennedy of his brother, Robert Kennedy, to the post of attorney general in the prior administration.

Keep reading...

ITAC could provide the spark for acquiring needed cybersecurity skills, knowledge, and tools

November 22, 2016

A new survey out from the Institute of Internal Auditors finds that many internal audit departments either outsource cybersecurity audits, or worse, they don't do them at all. What's more, when asked why they don't do them, the top reasons provided by respondents were that their internal audit departments lack the skills and knowledge necessary to provide audit services related to cybersecurity or that they lack the proper tools to conduct such audits.

While it's hard to imagine a company that doesn't feel the need to conduct cybersecurity audits, it's understandable that internal audit may feel lacking in cybersecurity competency. We all know that good IT auditors are a rare find, and it's also pretty clear from the volume of cybersecurity breaches—big and small—that lots of companies haven't quite figured it out yet, even if they are conducting cybersecurity audits.

Keep reading...

New survey finds that many internal audit departments are lagging behind on auditing cybersecurity

By Joseph McCafferty

November 21, 2016

Internal audit departments appear to be falling behind on their ability to provide assurance that cybersecurity controls are in place and that cyber-risk is being managed.

The fact that internal audit is struggling on cybersecurity—along with the organization as a whole—may be painfully obvious from the level of successful cyber-attacks and other data-security breaches at large organizations in recent months, but new survey results indicate that internal audit is failing to bring the same rigor and expertise to cybersecurity as it brings to areas like financial reporting and compliance.

Keep reading...

A new survey finds that data overload is affecting the financial reporting process

By Joseph McCafferty

November 16, 2016

Financial executives are straining to keep up as the increasing volume and pace of data clouds their ability to provide meaningful insights to boards quickly and accurately. Certainly, internal audit executives and those involved in the reporting process are likely feeling just as frazzled, as they work to make sense of the endless streams of data and pluck the meaningful fragments from the meaningless noise.

According to a new report by EY Financial Accounting and Advisory Services, 66 percent of CFO (or those that head the financial reporting function) respondents worldwide say they are struggling to process the increased amount of data and that it is having a significant impact on the effectiveness of corporate reporting, up from 57 percent who said data overload was a financial reporting problem in 2015.

Keep reading...

Webinar will instruct internal audit executives on acquiring and enhancing effective leadership techniques

November 16, 2016

Unless you are a department of one, every chief audit executive or senior internal auditor must lead others to accomplish the objectives of the internal audit department. Good leaders inspire and influence others. They are able to organize a group of people to accomplish common goals and share in success.

A leader is someone who others follow, who guides and directs the team, and someone who can multiply outcomes by acting through and with others. A leader, then, is someone who can accomplish more and with higher satisfaction levels than someone who tries to do everything alone.

Keep reading...

How creative and unconventional audit analytics can help you take your audits to the next level

By Yves Froude

November 15, 2016

It's 4:00 p.m. on a Friday afternoon and you are already thinking about your weekend plans, when your manager walks into your office with "a simple request": "We just need to come up with some data analytics tests to find out about ... that thing they mentioned in the board meeting today."

That "thing" is usually the latest hot topic and could range among a variety of sensitive matters, from weeding out travel abuse to finding out if executives share passwords, whether contractors are overbilling the company, or even if anti-money laundering measures are effective.

Keep reading...

An expanded view of integrated auditing means combining internal audit with all of the second lines of defense

An interview with Joel F. Kramer

November 11, 2016

Integrated auditing isn't a new idea. Organizations have tried to bring together specialized audit areas, such as finance, operations, and IT audit, and others for a long time. They realize that leveraging these areas into a single audit can not only make the audit process more efficient, but the crossover and sharing of knowledge can provide better insights into the key risks of the function or process being audited. Now, companies are pushing further into integrated auditing to integrate more of the second lines of defense, including such areas as risk management, fraud, and compliance.

In the latest edition of our video series "MISTI on Audit," Joel F. Kramer, vice president of audit curriculum at MIS Training Institute, talks about the benefits of integrated auditing, how he sees it evolving, and some of the challenges along the way to achieving fully integrated audits.

Keep reading...

With lots of variations and often dual reporting lines, CAEs must serve many masters

By Joseph McCafferty

November 9, 2016

To whom should the chief audit executive report? That question has perplexed companies for decades. Once an underling of the finance or legal departments, many companies have made the CAE a direct report to the CEO. That structure gives internal audit more clout, but it doesn't solve the problem of the need for internal audit leaders to have complete independence to elevate concerns directly to the board. The result is a muddy, dual-reporting structure that can pull internal audit executives in different directions and create plenty of angst.

A recent study, released last month by the Internal Audit Foundation—the research unit of the Institute of Internal Auditors—finds that reporting structures for chief audit executives still vary widely from company to company and region to region. Nearly half (49 percent) of the CAEs surveyed said they report to the CEO on an administrative basis; more than a quarter (26 percent) report directly to the audit committee chair or in some way to the board of directors; another 15 percent report to the chief financial officer; and 10 percent to the lead counsel or other executive.

Keep reading...

IT audit experts from such companies as Dropbox, Juniper Networks, Lockheed Martin, and others to address audit conference

November 9, 2016

Top risk and technology experts will give talks on such topics as establishing trust in the cloud and managing cyber-risk next month at the top conference for IT auditors.

The keynote addresses are set for the IT Audit & Controls (ITAC) conference taking place in New Orleans next month on December 6-8. Among the speakers that will provide IT auditors with insights on emerging technology and their related risks are executives from Dropbox, Juniper Networks, Ball Corp., and others.

Keep reading...

A conversation with Michael Gallagher, managing director of CBIZ Risk & Advisory Services

Interview by Joseph McCafferty

November 4, 2016

Not all organizations are good at managing risk in a holistic way. It's easy for business units or functions that address risks to be guarded about their risk-management efforts or to reproduce what other parts of the company are already doing. These risk silos can cause problems for companies, not only because they duplicate risk-management efforts, but because key strategic risks can go unaddressed or siloed thinking may be preventing the company from meeting its goals.

We recently caught up with Michael Gallagher, managing director at CBIZ Risk & Advisory Services, to talk about how these risk silos can crop up at companies, the dangers they present, and how organizations can dismantle them and manage risk in a more holistic way.

Keep reading...
