Technical and Insight
Bring your own lawyer!
The landscape around bring your own device (BYoD) is both complex and constantly evolving. Jay Abbott shares some trains of thought to focus thoughts on how it might impact on your company.

I recently spoke about BYoD (bring your own device) and the numerous issues surrounding it at an ACCA networking event (a recording of this event will be available shortly on ACCA's Internal Audit Hub). One of the areas covered was the potential legal issues surrounding the subject.

I’ll start by stating, for the record, that I am not a lawyer, nor do I possess any form of legal training!

That said, the issues are not difficult to work out and there are plenty of sources of information on the subject.

The issue of privacy
Privacy has to be one of the main issues in relation to BYoD, but when I say privacy we have to think of it from two perspectives: first, that of the employer, who wishes to keep its data private, and second, that of the employee, who also wants to keep their personal data private. Surely these are aligned values that should allow both parties to achieve their goals with little or no impact on the other?

Unfortunately not, as these requirements do in fact conflict.

The employee wants privacy in general, including from their employer. This unfortunately creates a bit of an issue in relation to how the employer can go about protecting its privacy. For the employer to protect its privacy it needs to know what’s happening on the device that holds its data and that, more often than not, exposes the employee’s sensitive data to the employer. 

This exposure opens up the employer to potential legal issues in relation to how it acts upon the data it observes. For instance, what if the employee was conducting illegal or illicit activities from the device and the employer noticed? If it acts upon the information it could be in breach of privacy law and/or employment law. So let's assume instead that the employer has no visibility of the device and the employee can do whatever they desire with the data. Clearly that is not an option either, but unfortunately it is not far from the reality in many organisations that have BYoD deployed ad hoc with no formal approach or strategy.

Typical scenario
Privacy is the tip of the iceberg though, and some interesting scenarios exist that are set to test the current legal landscape. Let's take a look at a typical scenario for BYoD use.

Joe works for Global Corp and has opted into their shiny new BYoD programme as he does not want a personal and business phone in his pocket. Joe has signed a policy stating that any company data on his device may be deleted in the event of a security issue.

To be fair to Joe, although a little concerned that he did not truly understand the company’s ability to differentiate between his data and theirs, he assumed that IT knew what they were doing.

As well as his smartphone, Joe decided to add his tablet to the equation as that tends to be the device that is most used at home and saves having to get the work laptop out and booted up to look at a spreadsheet. Joe’s wife Jessica also uses Joe's tablet when Joe’s not at home to write her life’s work, a romantic novel, and to generally surf the net.

There are any number of issues to consider in the above scenario, but let’s focus on the one of legend. In the legend Global Corp, for whatever reason, initiates a remote device wipe of all of Joe's devices that they see connected to their systems.

Joe is the sole user of his smartphone and signed a policy stating that this was a possible outcome, but to be fair to him, he thought that his holiday snaps were out of scope so was a little upset when the device was essentially factory reset!

The tablet, however, creates an interesting issue. It was not just Joe’s. It was also Jessica’s and more importantly it contained the only copy of her life’s work!

So the question is, given that Jessica did not sign up to a remote data wipe, can she sue Global Corp for damages? As I mentioned before, I’m not a lawyer so I don’t know if she could or could not, but the scenario serves the purpose of outlining the intricacies of BYoD use and how the end user who you think is signing up to your policy may not be the only device user who should be signed up.

A number of other questions exist in this scenario such as, did Joe have the right to add the tablet? Did Global Corp adequately protect themselves in the policy? Did IT have the right tools to properly enforce and control the technology? Had all parties received sufficient training, awareness and guidance on what was acceptable, expected and impactful in the use of the programme? 

The cloud
Another common situation to be mindful of is the cloud. If an employee has an iPhone and joins your BYoD programme, what happens when they plug their iPhone back into their home computer? Typically, iTunes will complete a full backup of the device. Unless you are doing BYoD properly you just allowed the corporate data on that device to be copied to a personal computer, and worse, it’s likely that it was also copied to iCloud at the same time. 

So is that data in the EU or is it in China? Do you know? What if that employee had been emailed a list of customer names and addresses? Clearly this situation is going to create some serious data protection headaches with the Information Commissioner! 

In the end with BYoD issues, aside from the right technology solutions to minimise the issues and put in place adequate control, the only thing that is going to protect all parties involved is a good, well written, reasoned policy – backed up by a solid educational programme that clearly articulates the intricacies at play to all parties. 

Of course, once you have invested in and written your policy, everything will be just fine, right? 

Pace of change
Not exactly! The biggest observation I made while looking into the legal issues with BYoD was the pace of change. Advice on what is and is not a good approach is moving and changing rapidly. As an example, a couple of years ago advice was to make your policies loose and broad, but these have been tested legally and have not fared well, so now the opposite is true. Advice is to make them highly specific and very tight. 

Precedent being set
As fast as the advice changes, precedent is being set. A recent ruling in the California Court of Appeal has created an interesting new issue. Specifically, the Court of Appeal in Cochran v. Schwan's Home Service stated:

‘We hold that when employees must use their personal cellphones for work-related calls, Labor Code section 2802 requires the employer to reimburse them. Whether the employees have cellphone plans with unlimited minutes or limited minutes, the reimbursement owed is a reasonable percentage of their cellphone bills.’

The interesting feature of this ruling is that if an employee uses their personal device you are legally required to repay them, which in the context of a cellphone and a phone call is pretty obvious but what about data usage?

How do you know what you are paying for? How do you differentiate between an employee who is highly productive and running up genuinely large data bills versus the one who is using his data to watch Netflix? Do you have the right technology in play to know the difference? How do you know that the usage is just the employee's and not the whole family's?

This is just one example of how precedent could require you to rewrite your policies and deploy new technology to prevent a significant financial impact to the organisation, and I am sure there will be others.

The legal aspects of the BYoD conversation are complicated and with limited precedent so make sure you get proper advice and remember, just letting the C-Suite have their email on their iPhones sounds simple but could have some seriously far-reaching consequences.

Jay Abbott – managing director, Advanced Security Consulting Limited

Sources

  • CESG / CPNI BYOD Guidance: Executive Summary
  • Network World Technology, the law, and you: BYOD
  • CIO How BYOD Puts Everyone at Risk
  • CIO Court Ruling Could Bring Down BYOD
  • ICO BYOD Guidance


Threats to audit objectivity – and how to manage them
This CPD article discusses the myriad threats to audit objectivity – from corporate pressure to office politics. How can you effectively manage these? 

Reading this article and answering these related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units. 

Extraordinary Circumstances: The Journey of a Corporate Whistleblower is the account by Cynthia Cooper, the ex-vice president of internal audit for WorldCom, of the discovery and investigation by her team of large-scale financial statement fraud perpetrated by senior executives. 

It reads more like a John Grisham thriller than a book about internal auditing. It is a story about courage: sticking to professional standards despite fears for personal safety; refusing to be deflected by management obstruction or requests for delay; working late at night and behind closed doors; coping with everyday stress, such as confrontations in the canteen or difficult phone calls when at the hairdressers. Ultimately, it is a story about blowing the whistle on one of the largest accounting frauds in history.

Times have changed – WorldCom filed for bankruptcy in 2002 following the exposure of the $11bn fraud. Governance and auditing standards are now more robust and – learning the lessons of the financial crisis – there is a sharper focus on corporate culture, conduct and business ethics. Is the background to Cooper’s story – one of widespread pressure from managers seeking to influence the work of internal auditors – still relevant today?   

Fraught with tension
The answer is a resounding 'yes'. A recent report from the Institute of Internal Auditors – The Politics of Internal Auditing – reveals that internal audits are typically fraught with tension and that many auditors are working under inappropriate pressure. For example, managers will try to influence auditors into omitting or modifying conclusions that they regard as damaging or into ignoring high-risk areas of the operation. The report classifies this as political pressure, something that the authors describe as 'extensive and pervasive'. It constitutes a threat to internal audit independence and objectivity. 

This article reviews the main findings of the report and then considers the implications for internal auditors from two perspectives: 

  • from that of the advice provided in the report – around those situations where it is possible for internal auditors to navigate corporate politics successfully while remaining influential and continuing to get their message across
  • from advice provided by ACCA – which helps internal auditors handle unusual and difficult situations where they are pressed to do something they consider unethical.


The report addresses political pressure on chief audit executives (CAEs) and their internal audit departments. It is based on a survey of almost 500 North American CAEs, together with interviews with heads of audit around the world and focus group sessions. The feedback shows CAEs coming under pressure in two significant areas: the scope of internal audit work and the wording of internal audit reports.  

According to the research findings: 

  • nearly 55% of the CAEs surveyed report being directed to omit or modify an important audit finding at least once (with 17% indicating this had happened to them three or more times). 71% of these note the pressure was due to a concern that the report would reflect badly on key operating management
  • 49% report being instructed not to perform audit work in a high-risk area, usually by an executive in the organisation
  • nearly 32% report being directed to work in low-risk areas so that an executive could investigate or retaliate against another individual
  • CAEs with impeccable service records in both the private and public sector lost their jobs or were encouraged to take other positions or early retirement for challenging management on political issues.


The report sets out the various forms of political pressure. Some are overt, including physical threats or threats of being fired, while others are more subtle, including cuts in internal audit staff and budgets. Most importantly, the research shows the extent to which heads of internal audit and their departments come under pressure from corporate management – not a commonplace event perhaps, but one that happens surprisingly often nevertheless.   

Managing political pressure
Sometimes it is relatively easy to handle management interference. For example, it might be possible to resolve pressure in the form of an instruction to change an audit finding through a discussion between the head of internal audit and the executive concerned. Effective communication remains a key audit skill. Of course, such a discussion is made easier if the internal audit department has built up its relationships in advance and can explain why it matters to the organisation as a whole to report the finding accurately. 

Not all political pressure is so straightforward to deal with and there will be governance implications if internal audit objectivity is compromised. It is vital therefore that audit committees are effective, that their members understand the issue of political pressure and make clear their support for an objective and properly resourced internal audit function. 

The report states that political pressure always exists in organisations. It can be managed and mitigated (though never eliminated) if best practices are in place: a competent CAE; a sound internal audit function; a clear understanding of the business; conclusions based on factual evidence; and respectful relationships with executives and the board. 

There are a number of lessons coming out of the research that internal auditors can learn from, including: 

  • two of the most important factors in managing political pressure are building strong relationships and becoming outstanding communicators. An effective head of internal audit will develop trusted relationships with executives and members of the audit committee based on personal interaction. Effective communication will convey the results of internal audit work clearly and objectively. Combined, these factors give assurance that senior management and the board understand the role of internal audit and that its work must be objective in order to add value to the business
  • business acumen is required too and internal auditors need to demonstrate that they have a sound knowledge of the business and its strategies. The most effective CAEs convey audit findings from management’s perspective, rather than a narrower internal audit perspective
  • professional competence is essential if internal auditors are to handle the pressures of the job successfully. Feedback in the report emphasises the importance of thorough audit work and analysis, objective and accurate conclusions and an understanding of the effect of the audit findings on the organisation. If stakeholders have confidence in the quality of the audit work, this will help to resolve any disputes with the operational managers whose work is being audited
  • in addition to technical skills, internal auditors need to develop their emotional intelligence too. There is sometimes a fine line between inappropriate political pressure and disagreements arising from the different points of view taken by various stakeholders. From time to time senior executives are likely to dispute audit findings or express displeasure at the scope of an audit. Working through such difficult situations comes with the job. Internal auditors need to be politically astute and sensitive to the organisation’s culture in order to navigate this type of pressure.


Ethical dilemmas
Internal auditing involves making judgement calls and in some situations there is no straightforward resolution. It may be easy to rationalise under pressure but this can be dangerous, especially if it results in compromises over objectivity and honesty – personal reputation can be lost very quickly. One important point in the IIA's report is that internal auditors should identify the circumstances where they need to stand their ground. A key question is: how should they respond when asked to do something that they consider to be unethical or in breach of their standards?

One option is to blow the whistle. The CAEs interviewed in the report preferred to go through internal channels rather than to inform the authorities. What they really wanted was effective governance in their organisation, not exposure in the press or third party investigations. So, the quality of whistleblowing hotlines is crucial here. 

Fundamental principles
The primary reference point for internal auditors confronted by an ethical dilemma is the appropriate code of professional conduct. For ACCA members this is the ACCA Code of Ethics and Conduct. 

The Code sets out five fundamental principles, with which compliance is mandatory: 

  • integrity
  • objectivity
  • professional competence and due care
  • confidentiality
  • professional behaviour. 


It considers the application of these principles within a conceptual framework which acknowledges that the principles may be threatened by a broad range of circumstances, thereby assisting members to identify, evaluate and respond to them. One of the threats identified is intimidation – particularly relevant here – described as when a professional accountant is deterred from acting objectively because of actual or perceived pressures, including attempts to exercise undue influence over him or her.

Identified threats must be eliminated or reduced to an acceptable level so that compliance with the fundamental principles is not compromised. Where this is not possible, the guidance in the Code is clear: the accountant must decline or discontinue the service involved or resign from the engagement or the employing organisation. 

Unfortunately, sometimes internal auditors have to be prepared to leave their position if their professional ethics are being compromised or disregarded. Courage is required in these situations.

Cynthia Cooper’s conclusion at the end of her book about the WorldCom saga provides essential and cautionary guidance for internal auditors today: 'In many ways this story is about human nature, about people and choices. It shows how power and money can change people and how easy it is to rationalise, give in to fear and cave under pressure and intimidation.'

Steve Giles – independent consultant, speaker and author

References 

  • Cooper, C: Extraordinary Circumstances: The Journey of a Corporate Whistleblower (New Jersey: John Wiley & Sons Inc., 2008)
  • Rittenberg, L and Miller, P: The Politics of Internal Auditing (The IIA Research Foundation, 2015)
  • ACCA Rulebook, Section 3: Code of Ethics and Conduct (ACCA 2015)

Cybersecurity – what are the boardroom implications?
Boards should ensure they have sufficient cybersecurity information and expertise to ask the right questions of management, writes Dan Swanson.

Safeguarding assets has been an important objective of all organisations for centuries. In today’s digital age, however, what does safeguarding your assets really mean? Who is responsible for it? And how is ‘protection’ actually achieved? Just as important, what threats, risks, and challenges does cybersecurity add to the organisation’s already many responsibilities? 

‘Although the risks presented by technology are not new to the corporate arena, the dynamic nature of cybersecurity presents a unique challenge to companies and boards. The increasingly fast pace of technological changes creates many targets, and makes defense systems more complex and more difficult to manage and control.’ (Cybersecurity: Boardroom Implications – a 2014 NACD paper).

Who is responsible for information asset protection?
While chief information security officers and chief financial officers are important players regarding information asset protection and security, they are not the true ‘guardians’ of the organisation’s critical informational assets. For example, in hospitals, CFOs are not responsible for safeguarding patient records; at insurance companies, they are not the guardians of policyholder records. In the pharmaceutical or technology sectors, the company’s crown jewels (its intellectual property) are not the direct responsibility of the CFO or the CISO. 

All of these forms of data have associated expenses and are used to generate revenues (billings, annual fees, royalties), for which the CISO has ultimate security oversight. The CISO in turn must ensure the integrity of the chain of custody by enforcing rules applicable to key managers and other authorised personnel in their roles as the day-to-day ‘guardians’. In short, internal control is affected by people at every level of an organisation. In fact, many managers are more directly responsible for day-to-day asset protection than the CISO or CFO. 

What are the implications?
Addressing the following questions will help determine key implications of how to protect your digital assets, ensure cybersecurity is appropriately considered, and what actions to take: 

  • will an organisation’s information security management system become critical to the safeguarding of the CFO’s financial records? Will those systems emerge as the main means of safeguarding an organisation’s assets?
  • will CFOs and finance staff need to understand and implement informational asset protection measures to be effective in their roles of supporting the guardians of the organisation’s assets?
  • will we need more guidance on the definition, classification, and protection of information assets?
  • will CISOs need to work more closely with and educate the finance function (and all operating departments, really) about how to best implement a sustainable information protection and security programme?
  • should the organisation establish a data management function and data governance policy, standards, and procedures? Both the function and governance could be headed by a senior manager reporting to the chief operating officer or chief executive officer. What role(s) should the chief information officer take in information protection?
  • will the board and CEO need to provide more in the way of expectations?
  • will internal audit and external audit spend more resources on evaluating the protection of all of an organisation’s assets, physical and digital? The internal audit function in particular needs to think more strategically about enterprise-wide security and ensure that enterprise-wide risk management is a guiding theme for prioritising the organisation’s efforts.


The bottom line: top management must implement an information security management programme that truly safeguards all assets of the organisation, and also addresses the many risks, threats and challenges involved with cybersecurity.

Cyber Risk Oversight, a publication of the National Association of Corporate Directors (NACD), in collaboration with AIG and the Internet Security Alliance, takes the position that directors should ask questions. (The executive summary is free, but the detailed questions are in appendices that are only free to members). 

The publication presents five key principles to consider: 

1) directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue
2) directors should understand the legal implications of cyber risks as they relate to their company's specific circumstances
3) boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda
4) directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget
5) board management discussion of cyber-risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.


Are all your organisation’s assets appropriately protected in the digital age? I recommend making this a regular topic of discussion at your management committee meetings, and also put it on the board agenda on a regular basis. An effective tone at the top starts with top management and the board taking action to implement appropriate security controls. 

Finally, the board should ensure it has sufficient information and expertise to ask the right questions of management at regularly scheduled board meetings. They should demand both internal audit and risk management assistance in assessing cyber-risk and the adequacy of management’s programmes for managing it. The CEO should ensure the executive management team provides appropriate and ongoing attention to this critically important subject. 

Given the breadth of the topic this month I’ve included a series of leading resources and concise articles to provide further information, context, and other studies’ recommendations to this very comprehensive and complex subject. 

Dan Swanson – president, Dan Swanson and Associates  


Recommended Resources:

1. Cybersecurity: Boardroom Implications
Cybersecurity has become an urgent concern for companies—regardless of size or industry. Data breaches and other cyber threats pose significant competitive, reputational, and litigation risks and require increasingly costly investments in detection and mitigation. 

Cyber criminals are stealing up to a terabyte of data each day, resulting in global losses in the hundreds of billions of dollars. In just four years, the average annualised cost of cybercrime to an organisation has risen 78%. Further, the average time required to detect and respond to a cyber attack has increased by nearly 130%.  

To help board members address this critical topic, the National Association of Corporate Directors (NACD), Protiviti, and Dentons organised a series of roundtable discussions across the country. The meetings convened three diverse groups of directors with experts in the field of cybersecurity. The purpose of the discussions was to address how cybersecurity is currently challenging boards, frame the key issues of which directors should be aware, and pinpoint areas necessitating guidance with future discussions. 

Cyber threats take many forms, and the response to those threats is unquestionably a management-level responsibility. As such, the roundtable discussions focused on implications for the boardroom: how directors can effectively oversee cybersecurity risk, the necessary processes and policies to protect sensitive networks, systems, and data from unauthorised access or attack, and the potential for financial and legal problems created by cyber threats. 

2. Information Security Governance (The IIA’s Global Technology Audit Guide) 
Information is a significant component of most organisations’ competitive strategy either by the direct collection, management, and interpretation of business information or the retention of information for day-to-day business processing. Some of the more obvious results of IS failures include reputational damage, placing the organisation at a competitive disadvantage, and contractual noncompliance. These impacts should not be underestimated. 

This GTAG will provide a thought process to assist the CAE in incorporating an audit of information security governance (ISG) into the audit plan, focusing on whether the organisation’s ISG activity delivers the correct behaviours, practices, and execution of IS. GTAG 15: Information Security Governance will assist efforts to: 

  • define ISG
  • help internal auditors understand the right questions to ask and know what documentation is required
  • describe the internal audit activity’s (IAA) role in ISG. 


3. Cyber-Risk Oversight Handbook
In the past 20 years, the nature of corporate asset value has changed significantly, shifting away from the physical and toward the virtual. One recent study found that 80% of the total value of the Fortune 500 now consists of intellectual property (IP) and other intangibles. Along with the rapidly expanding ‘digitisation’ of corporate assets, there has been a corresponding digitisation of corporate risk. Accordingly, policymakers, regulators, shareholders, and the public are more attuned to corporate cybersecurity risks than ever before. Organisations are at risk from the loss of IP and trading algorithms, destroyed or altered data, declining public confidence, harm to reputation, disruption to critical infrastructure, and new legal and regulatory sanctions. Each of these risks can adversely affect competitive positioning, stock price, and shareholder value. 

Leading companies view cyber-risks in the same way they do other critical risks – in terms of a risk-reward trade off. This is especially challenging in the cyber arena for two reasons. First, the complexity of cyber threats has grown dramatically. Corporations now face increasingly sophisticated events that outstrip traditional defences. As the complexity of these attacks increases, so does the risk they pose to corporations. As noted above, the potential effects of a data breach are expanding well beyond information loss to include significant damage in other areas. Second, competitive pressures to deploy increasingly cost-effective business technologies often affect resource investment calculations. These two competing pressures on corporate staff and business leaders mean that conscientious and comprehensive oversight at the board level is essential. 

NACD, in conjunction with AIG and the Internet Security Alliance, has identified five steps all corporate boards should consider as they seek to enhance their oversight of cyber risks. 


Suggested reading:
1. Board Oversight of Cyber-Risks
2. How Much Security Is Enough?
3. Taming Information Technology Risk (NACD)
4. Cybersecurity: Five Essential 'Truths'
5. Executive Order -- Improving Critical Infrastructure Cybersecurity
6. Answering your cybersecurity questions


Leadership – how to become a head of assurance
What leadership qualities and characteristics do organisations look for in a head of assurance, asks Guy Stacey.

In the first of two articles looking at internal audit leadership, an executive search consultant outlines what is required to be a head of assurance. Next time, we will get the perspective of a head of internal audit. 

The majority of FTSE 100 companies in the industrial and commercial sectors currently operate a combined risk and internal audit model. This is very different from financial services and other highly regulated industries, where these functions are separated, while the not-for-profit and public sector space is different again.

The challenge in this article therefore is not to regurgitate generalities or create a broad ‘wish list’ of a dozen key competencies required for these roles. Often when I see these lists they define a combination of abilities that are impossible to obtain in any one individual and some may in fact be incompatible. 

When we additionally consider the maturity level and status of different organisations’ enterprise risk management, audit and internal controls functions, even defining the best fit ‘assurance’ solution is complex. In the context of individual corporations it quickly becomes obvious that there is no ‘one solution fits all’ scenario. 

Consistent themes
Are there any consistent themes that we should consider when trying to identify the key competencies and skills required for these roles? 

When considering recent recruitment in the FTSE 100 outside financial services I believe there is a recurring focus. Executive boards are increasingly expecting a genuinely strategic vision from the head of assurance: this means the ability to interact as equals with the board and ‘talk their language’. 

I suspect many current leaders in both the risk and internal audit space would dismiss this comment, arguing that they have been fulfilling that role for many years. However, the facts suggest that is not the perception of the executives and audit committees who are recruiting for these roles. 

In the last 18-24 months a number of high profile FTSE 100 companies including Vodafone, Compass, GSK and Unilever have appointed internal candidates without specialist assurance backgrounds. In these instances the individual’s ability to operate at the executive level and their broader understanding of the business's ‘risks’ were the key attraction, while the technical assurance skills could be supplemented by more specialist junior team members. 

Perhaps more interesting, however, is the list of external appointments. These include the appointments of Big 4 external audit partners at Tesco and Centrica and Big 4 consulting partners at G4S and Smith & Nephew. There have also been a number of appointments of Big 4 directors/salaried partners in slightly lower profile roles. The theme amongst these external appointments appears to be the view that the required skill sets are not available within the existing population of FTSE 100 heads of assurance. 

Trend implications
What are the implications of this trend going forward? Depending on your default mentality, the optimists would say that it is extremely encouraging that main boards finally understand the value of assurance functions, particularly risk management, and its status will continue to rise in importance. 

For the pessimists, and particularly those already operating in the assurance profession, it does suggest that both practitioners and the representative institutes need to look very carefully at their current positioning and also make sure the education they advocate and provide is aligned with the current market expectations. 

Skills and competencies
I appreciate that the concept of ‘the strategic partner’ that we are describing still lacks a clear definition in terms of the skills and competencies that clients are prioritising. 

Without defaulting to a list of clichéd corporate speak such as gravitas, impact, vision, etc, it will remain a very difficult concept to define. What is clear, however, is that organisations are increasingly interested in individuals' ‘fluid learning’ capabilities and their ability to react to the unprecedented speed and scale of change that corporations now face. 

Employers are interested in how the individual analyses new challenges, interprets situations, the strategic drivers behind the actions they implement and most importantly, how they articulate their solutions. Previous assurance experience or ‘crystallised learning’ gained from similar situations no longer appears to be enough to ensure individuals are selected for these roles. 

Gaining this strategic skill set
Where and how do you acquire this ‘strategic’ skill set? Looking at these recent appointments it would appear that companies are seeking practical experience of operating at this level coupled with advanced interpersonal skills rather than academic qualifications such as an MBA. 

This experience could come from job rotation: historically we saw heads of assurance holding line management roles in other areas of the business during their careers. We are also increasingly seeing more lateral movement of partners and directors, not just out of the Big 4 firms, but back into the firms, so individuals might consider this consultancy option, which has the potential to broaden the perspective of the firm's partner group as well as of these individuals. 

Finally, I was reminded by a senior candidate that individuals have a responsibility to proactively educate the executive and audit committee in this area to develop their role rather than being caught out when expectations change.   

As a closing comment I would re-emphasise that the diversity in how these roles are interpreted by organisations means there are still many exceptions to the scenario I have outlined above. However, I do perceive that the firms I have mentioned could just be the early adopters who are at the vanguard of the evolution of the assurance role. 

Guy Stacey has been working as an executive search consultant specialising in this area of the market for the past 20 years and is a director at IAC Search Limited and Internal Audit Connections Limited.

Why business process improvement matters to internal auditors
Mark Taylor de-mystifies business process improvement, explains its relevance to internal auditors and identifies some ‘quick wins’ to take away.

What’s it all about?
Business process improvement – looking for ways to improve efficiency, effectiveness and/or control in the way things are done. Simple really... 

OK, let’s get over the stereotypes
Business process improvement consulting and internal audit: two not-so-distant cousins eyeing each other suspiciously across the room at an awkward family party. Catching the occasional glimpse of the other doing something similar – or Heaven forbid – the same as ‘what we do’. That’s how it feels sometimes, right? 

Both camps are correct that the two disciplines are closely related. In fact, in my experience, one person’s business process improvement is often another’s value-added internal audit… 

Business process improvement: what are we actually talking about?
Much of the work I do for clients comes under this banner. So, what do we actually do? Business process improvement projects generally proceed broadly like this: 

1.  Some symptoms of underperformance are identified within a business process
In terms of ‘back-office’ business process improvement, typical processes which might be subject to review would include purchase to pay, sales order to cash, stock management, record to report and payroll. Generally, some symptoms of process failure or underperformance are recognised by management or by a third party looking at the organisation. For example, a typical scenario in a sales order to cash cycle would be an unexpectedly high volume and value of credit notes issued to customers. 

2.  A scoping exercise is undertaken to understand the parameters of the project
In this stage, the team performing the review would sit with management to confirm the exact elements of the process within scope, who needs to be involved in the review and what data/information needs to be collected to support the exercise. In our sales order to cash example, the scope may be, quite literally, the receipt of the sales order from the customer through to the posting of cash receipts and all steps in between. 

3.  The ‘current state’ process is mapped end-to-end
The in-scope process is then mapped end-to-end following a series of interviews and/or workshops with key participants and stakeholders in the process. Extracting the right information from these interviews/workshops is a key part of the process. You can certainly learn techniques in the classroom which help but, although it is obvious to say it, straightforward experience of doing it is critical. At its most basic, when interviewing, you are trying to understand the chronology of a process and all its strengths and weaknesses – allowing the interviewee enough latitude to venture into valuable related detail but without going off at a tangent from the focus of the review. 

4.  Data is collected
In reality, this step is generally performed in parallel with Step 3 above. Data that may provide insight into the process is collected and analysed. Again, using the sales order to cash example, it would be typical to request a download of all credit notes issued (including customer name, date, amount, invoice reference – and, hopefully, reason code). 

5.  Benchmarking and analysis
In this stage, we analyse the process mapping (which will, by now, have been validated with management) and supporting data in order to establish where the improvement opportunities lie. As part of this stage, we will compare our findings against suitable qualitative and quantitative benchmarks to get a sense of how this process compares to others we have seen. Armed with this input, we will apply our analytical skills in order to generate ideas for improvement. 

6.  Recommendations/options
Following on from stage 5, we will formulate specific recommendations for action. In some cases, we may present several options to management in respect of how they may take things forward depending on budget, appetite for change etc. These options will typically be presented outlining costs and projected benefits. It is also common for the recommendations to be presented according to our view on prioritisation, ie high/medium/low or other suitable scale. Often the recommendations will include redesigned ‘future state’ process maps. 

7.  Action planning
This final stage will often take the form of a workshop with management to review the recommendations/options and agree an action plan to take forward. 

Relevant?
Of course. The seven steps above will appear remarkably similar to conducting an internal audit. Acquiring the capability to apply an ‘improvement’ rather than, or as well as, an ‘assurance’ angle to a review exercise, can only make for a more rounded internal auditor. 

Quick wins?
The good news is that much of the skill-set to perform effective business process improvement work is common to the work that internal auditors perform: interviewing people to extract information, analysing data, formulating recommendations based on experience etc. With the right guidance, an experienced internal auditor can make the transition to business process improvement work without extensive retraining. 

So, what’s the key? Much of it is about a shift in emphasis. Frequently, business process improvement is about doing things more efficiently to reduce time taken and eliminate cost. Internal audit usually has a different primary perspective: assessing the design and operational effectiveness of controls. It is not such a huge leap to consider whether there are too many or duplicated controls, potential opportunities for increased automation within processes; or the chance to strip out unnecessary layers of governance. 

Relatively short training courses in Lean or Lean Sigma can rapidly set you on the path to adding specific process improvement skills, although, as ever, there is no substitute for hands-on practical experience. 

Business process improvement: a key part of every internal auditor’s toolkit
In short, developing the capability to perform business process improvement work will make an internal auditor more versatile and valuable to their employer or clients. Advising on driving efficiency and effectiveness, as well as improving control, is a more compelling proposition. It may not be what every project demands, but it will be relevant in many scenarios. 

Mark Taylor – head of consulting for corporate markets, RSM 

About Mark
Mark is a partner focused on helping clients to improve performance in their business processes and manage organisational change. He works with a wide spectrum of organisations – ranging from SMEs to large, listed multinationals but with a particular focus on the middle market. Mark also has considerable experience of providing internal audit services to clients.

Data analytics for internal auditors
Mark Smith explains how data analytics can transform your internal audit function.

Traditional internal audit methodologies have served their purpose well for decades. However, as the business landscape for most organisations becomes increasingly complex, there is now a drive to leverage data analytics techniques to identify risks and bring insights into the organisation. 

While it is management's responsibility to ensure that risks are appropriately mitigated, internal audit can make full use of data analytics to focus on areas or transactions where controls do not exist or are not operating effectively. 

What is data analytics?
It is fundamental to understand what analytics is: it is not a technology, it is a concept. It refers to the use of certain technologies (eg data mining tools like IDEA and ACL), skill sets and processes for the exploration, evaluation and investigation of business operations. 

Data analytics is the process by which insights are extracted from operational, finance and other forms of electronic data, internal or external to the organisation. The insights can be historical, real-time or predictive and also be risk-focused. 

Why has the use of data analytics increased within internal audit?
There are several factors for why data analytics is on the rise within internal audit functions. First, there is the explosion of data volumes in recent years, both structured (financial data) and unstructured (emails and Word documents). Second, the traditional and manual internal audit processes have limitations – for example, they heavily rely on sampling, and so only give limited views on exceptions, control weaknesses or risks. 

Today's organisations have complex IT and financial system environments, meaning it is critical to carry out a deep dive into the organisation's data, and look at the whole population instead of using samples which might not uncover all the risks. 

Another factor is the increasing expectation of stakeholders and the need for internal audit to be 'cutting edge' in its approach and keep up with technology. Some of the key challenges for internal audit include becoming more efficient, more effective in identifying and responding to risk, and providing more meaningful insight. This is where data analytics really can make a difference. 

So where can data analytics transform the internal audit process?
Many internal audit departments are now using data analytics in areas such as expenditures, payroll and accounts payable. These areas are highly transactional and policy driven, and can provide opportunities for cost recovery. On the revenue side, billing data can be mined for checking the accuracy of an organisation's billing against contracts and pinpointing errors or unusual trends. 

Sampling is a fundamental part of any audit work, with many ways to sample. Using analytics tools like IDEA or ACL, statistical sampling becomes very easy. This allows the scope to be set, providing defensible and valuable insights when results are extrapolated against the population. 

Let's look at some of the most common and simplest areas where data analytics can transform an internal audit:

Accounts payable
Controls over supplier data such as access controls, modifying bank details and authorising payments are often key risk areas to focus on. Data analytics can identify users with access to supplier data and any segregation of duty conflicts, while transactional data can be interrogated to identify potential fraud, duplicate payments and further control limitations. Outlined below are some key analytics which can be performed in this area: 

  • search for duplicate invoices and payments
  • confirm key suppliers, identify one-time suppliers, and suppliers set up with no transactions
  • check the bank account details in the supplier master file against employee bank account records, looking for potential fraudulent activity/dummy suppliers
  • search for invoices with no corresponding purchase order
  • search for unapproved purchase orders
  • search for multiple invoices at or just under approval cut-off levels.


Payroll and employee expenses
Ghost employees, falsified wage claims and tampered-with time sheets are all key areas where data analysis can add value. Data analysis can also bring value by enabling review of electronic time entry records for compliance with existing policies, procedures and employment regulations. Some of the key analytics are likely to be:  

  • search for ghost employees by looking for duplicate National Insurance numbers, addresses or bank account details held on the employee master file
  • search for payments made to employees after they have left
  • search for unapproved time entry records
  • analyse monthly/weekly payroll looking at the hours worked, level of overtime
  • search expense claims at or just under approval cut-off levels.
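The accounts payable and payroll checks listed above are simple enough to script directly against extracts of the relevant master files and transaction tables. The following Python script is an added example, not code from the article or from any tool the author uses; the supplier, invoice, employee and payroll records in it are constructed sample data with a few anomalies planted so that each check returns something. Field names (supplier_id, invoice_ref, sort_code, account, ni, left, pay_date) are assumptions about the extract layout, and the 5,000 approval limit is an assumed threshold.

```python
"""Whole-population analytics over constructed AP and payroll extracts.

Constructed sample data only; field names and the approval limit are assumed.
"""
from collections import defaultdict
from datetime import date
import re

# Constructed supplier invoices: two are the same invoice keyed in twice with
# different punctuation, one has no purchase order, one sits just under 5,000.
INVOICES = [
    {"supplier_id": "S001", "invoice_ref": "INV-1001", "amount": 4990.00, "date": date(2015, 9, 3), "po": "PO77"},
    {"supplier_id": "S001", "invoice_ref": "inv1001", "amount": 4990.00, "date": date(2015, 9, 17), "po": "PO77"},
    {"supplier_id": "S002", "invoice_ref": "A-55", "amount": 1200.00, "date": date(2015, 9, 4), "po": None},
    {"supplier_id": "S003", "invoice_ref": "Z9", "amount": 4999.99, "date": date(2015, 9, 8), "po": "PO80"},
    {"supplier_id": "S003", "invoice_ref": "Z10", "amount": 250.00, "date": date(2015, 9, 9), "po": "PO81"},
]
# Constructed supplier master file; S003 shares bank details with employee E1.
SUPPLIERS = [
    {"supplier_id": "S001", "name": "Acme Ltd", "sort_code": "11-22-33", "account": "12345678"},
    {"supplier_id": "S002", "name": "Bolt Co", "sort_code": "44-55-66", "account": "87654321"},
    {"supplier_id": "S003", "name": "J Smith Consulting", "sort_code": "99-88-77", "account": "55556666"},
]
# Constructed employee master file; E2 and E3 share a National Insurance number
# and E2 left at the end of August.
EMPLOYEES = [
    {"emp_id": "E1", "name": "J Smith", "ni": "QQ123456C", "sort_code": "99-88-77", "account": "55556666", "left": None},
    {"emp_id": "E2", "name": "A Jones", "ni": "QQ654321A", "sort_code": "12-34-56", "account": "11112222", "left": date(2015, 8, 31)},
    {"emp_id": "E3", "name": "A Jones", "ni": "QQ654321A", "sort_code": "12-34-57", "account": "33334444", "left": None},
]
# Constructed September payroll run; E2 is paid after the leaving date.
PAYROLL = [
    {"emp_id": "E1", "pay_date": date(2015, 9, 25), "amount": 2500.00},
    {"emp_id": "E2", "pay_date": date(2015, 9, 25), "amount": 2100.00},
    {"emp_id": "E3", "pay_date": date(2015, 9, 25), "amount": 2100.00},
]

APPROVAL_LIMIT = 5000.00  # assumed single-signature approval cut-off
NEAR_BAND = 50.00         # how far under the limit still counts as "just under"


def _norm_ref(ref):
    """Strip punctuation and case so 'INV-1001' and 'inv1001' compare equal."""
    return re.sub(r"[^A-Z0-9]", "", ref.upper())


def duplicate_invoices(invoices):
    """Groups of invoices with the same supplier, normalised reference and amount."""
    groups = defaultdict(list)
    for inv in invoices:
        key = (inv["supplier_id"], _norm_ref(inv["invoice_ref"]), round(inv["amount"], 2))
        groups[key].append(inv)
    return [g for g in groups.values() if len(g) > 1]


def invoices_without_po(invoices):
    """Invoices with no corresponding purchase order reference."""
    return [inv for inv in invoices if not inv["po"]]


def near_threshold(items, limit=APPROVAL_LIMIT, band=NEAR_BAND):
    """Items whose amount is at or just under an approval cut-off."""
    return [i for i in items if limit - band <= i["amount"] <= limit]


def supplier_employee_bank_matches(suppliers, employees):
    """Suppliers whose bank details coincide with an employee's bank details."""
    by_bank = {(e["sort_code"], e["account"]): e for e in employees}
    return [(s, by_bank[(s["sort_code"], s["account"])])
            for s in suppliers if (s["sort_code"], s["account"]) in by_bank]


def duplicate_field(employees, field):
    """Employee master records sharing the same value of a field (eg 'ni')."""
    groups = defaultdict(list)
    for e in employees:
        groups[e[field]].append(e)
    return {k: v for k, v in groups.items() if len(v) > 1}


def payments_after_leaving(employees, payroll):
    """Payroll payments dated after the employee's recorded leaving date."""
    left = {e["emp_id"]: e["left"] for e in employees if e["left"]}
    return [p for p in payroll if p["emp_id"] in left and p["pay_date"] > left[p["emp_id"]]]


def run_checks():
    """Counts of exceptions per check, for the audit working paper."""
    return {
        "duplicate_invoice_groups": len(duplicate_invoices(INVOICES)),
        "invoices_without_po": len(invoices_without_po(INVOICES)),
        "invoices_near_limit": len(near_threshold(INVOICES)),
        "supplier_employee_bank_matches": len(supplier_employee_bank_matches(SUPPLIERS, EMPLOYEES)),
        "duplicate_ni_numbers": len(duplicate_field(EMPLOYEES, "ni")),
        "payments_after_leaving": len(payments_after_leaving(EMPLOYEES, PAYROLL)),
    }


if __name__ == "__main__":
    for check, count in run_checks().items():
        print(f"{check}: {count}")
```

Every function returns the matching records rather than a verdict: a shared NI number may be a legitimate re-hire and a supplier sharing an employee's bank account may be a properly declared sole trader, so the output is a list of exceptions for the auditor to follow up, not an accusation. Because the checks run over the whole extract, the results can be quantified across the population rather than extrapolated from a sample.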

 
Sales processes
For invoicing or revenue stream audits, the related IT systems can be complex and the data volumes very large, for example at a telecoms or utilities organisation. Data analytics can be very useful in checking the accuracy of the customer billing. Any billing errors can be pinpointed much more easily and quickly, and can be quantified across the population. 

With accounts receivable, various analytics can be performed around searching for duplicate or missing invoices, unmatched receipts and bad debts, all of which can highlight weaknesses in the credit control process. 

Inventory
Given the huge size of some inventories, data analytics can be used to conduct inventory audits. It can be used to identify potentially obsolete or slow-moving inventory, and provide insights into the profile of the inventory. 

Key financial controls
Using data analytics to test key financial controls can give high levels of assurance to verify appropriate segregation of duties and other access controls such as the ability to approve or post journals. Furthermore, the whole population of general ledger transactions can be quickly reviewed, and some valuable insights obtained into when a journal is posted and by whom, and the volume and value of journals. 

In summary, there are many easy wins if internal audit embraces data analytics. It can really transform an audit by drilling down and testing whole populations of data, and provides valuable insights into an organisation's risks and processes. In truth, it is the only way forward for internal audit departments to look credible in the 21st century. 

Mark Smith – senior manager, Business Risk Services team, Grant Thornton

NEWS
Politics and parties
What did ACCA learn from attending this year's party political conferences?
Another year, another conference season, this year to sunny Brighton for Labour, and the Northern Powerhouse, Manchester for the Conservatives. As the mix of politicians, journalists, business representatives and the lobby headed off, several of ACCA’s team were there to represent our member and student views.

Rosalind Goates, public affairs manager, summarises ACCA's visits to Brighton and Manchester in a blog post Politics and parties - ACCA at the party conferences
What do members value?
We recently asked some members what they value most from their ACCA membership. Find out what they had to say in this video.
We recently took the opportunity to ask members to talk about what they value most from their membership. The answers are revealed in this three minute video and include: 

  • the value of having the letters ACCA or FCCA after their names
  • our networking, CPD and Professional Courses events
  • online courses, webinars and technical advice
  • our new website and social media channels.

Benefits of ACCA membership



Get a job, post a job
We are excited to announce the re-launch of our newly designed ACCA Careers website!

We are excited to announce the re-launch of our newly designed ACCA Careers website! We have listened to the feedback from our students, affiliates and members and are constantly working to improve your online experience. The new ACCA Careers website has enhanced features and benefits, giving you access to the largest and fastest-growing global job board for aspiring and experienced ACCA finance professionals. 

Boost your career by creating your unique account. Once you have access, complete your account profile and upload your CV – this will make your profile more searchable for recruiters and employers, as well as supporting your career aspirations. 

Your success is our mission. Whether an ACCA member, affiliate or student, we’re by your side throughout your career. We’ll make sure you’re connected to the resources, education and employment networks you need so that you remain in demand. 

Get the most out of ACCA Careers and create your account today.

CPD
Internal audit conference 2016
Save the date for our flagship 2016 conference!

Plan ahead to attend ACCA UK's Internal Audit Conference 2016.  

ACCA UK’s 2016 annual Internal Audit Conference will take place on Thursday 19 May at the Amba Hotel Marble Arch, London.

If you would like to register your interest then please send an email to our Professional Courses team.

IFRS webinars
Kaplan IFRS webinars offer an engaging and interactive approach to learning.

The Kaplan IFRS webinar programme offers an engaging and interactive approach to addressing the challenges of optimising the timing of revenue recognition and dealing with off-balance sheet items.

Kaplan is offering three for the price of two on all live and recorded webinars, using the discount code A342*.

How can these webinars benefit you?

  • learn interactively from the comfort of your own home without having to travel
  • brush up your skills and refresh your knowledge in these essential areas
  • the 3 for 2 offer will provide substantial savings for you
  • contribute towards your annual CPD requirements.


Future webinars include:

Group therapy – are you one of us? 
20 November (12.00 – 14.00 or 16.00 – 18.00 GMT)

IFRS – all you need to know
15 December (12.00 – 14.00 or 16.00 – 18.00 GMT)

Cost details
Live webinar: (90 minutes + 30 minutes for questions): 30 GBP (exc VAT)
Post-event recording: 25 GBP (exc VAT)


Bite-size briefings

The global recovery – is it drowning in a sea of debt?
2 December (12.30 – 13.30 GMT)

Cost details
Live webinar: 15 GBP (exc VAT)
Post-event recording: 10 GBP (exc VAT)

To see the full programme and to register for any webinar click here 

Remember to claim your third webinar for free using the discount code A342. If you miss any of the live webinars then you can still purchase the post-event recording. 

*The 3 for 2 offer applies to all live and recorded sessions. The cheapest webinar is free. The 3 for 2 offer must be taken at time of booking with the correct discount code and all webinars must be booked in the same transaction.

Financial management essentials from BPP
BPP's new 5, 10 and 20 course packs provide essential guidance on financial management.

These new 5, 10 and 20 course packs have been specifically designed to provide you with essential guidance and knowledge on financial management, and to develop the skills needed to carry out your day-to-day job with an aim to enhance your employability for the future. 


Financial management essentials 5 course pack

Financial management essentials 10 course pack

Financial management essentials 20 course pack

RESOURCES
Internal audit hub – a new resource for ACCA members
ACCA’s new hub for members working in internal audit has many benefits.

The internal audit hub provides resources for those wishing to learn about internal audit, improve their technique, undertake CPD, and it can help with internal audit trainees. 

It contains a section called ‘learning about internal audit’ and its aim is to supplement the International Standards for the Professional Practice of Internal Auditing with articles and guides that are easy to read and outline what internal auditing is like in practice and the pitfalls that often arise. 

This resource – which is broken down further into sections for beginners, the management team, and the audit committee – can help you learn about internal audit or improve your technique, provide you with CPD, or assist in the training of a staff member on internal audit. 

The hub also has podcasts of events that our Internal Audit Network has held as well as further sections on ‘auditing specific risks’ and ‘auditing in different industries’. 

Access this new resource now

Guide to assurance reporting
Our latest internal audit practitioner guide focuses on assurance reporting.

ACCA UK has produced a series of Internal Audit Practitioner Guides which can be found in our internal audit hub. These guides are easy to read and outline what internal auditing is like in practice and the pitfalls that often arise. 

Our latest guide covers Assurance Reporting
