Category Archives: Internal Audit

52% of executives said their company will increase security spending over the next year


According to the 2011 Global State of Information Security Survey (conducted by PricewaterhouseCoopers in conjunction with CIO and CSO magazines), out of 12,800 executives from 135 countries, 52% said their company will increase security spending over the next year. Yet many executives said their company’s business partners (52%) and suppliers (50%) have been weakened by economic conditions, a substantial increase from 43% and 42%, respectively, in 2009.

Security executives said their companies also have been impacted by spending restraints, often resulting in the stalling or degradation of some fundamental security capabilities such as conducting personnel background checks and the use of vulnerability scanning tools. Additionally, 47% of respondents said their organization had reduced security-related funding for capital expenditures and 46% said their company had reduced security-related operating expenditures.

The top factors driving information security spending this year are economic conditions (reported by 49% of respondents), business continuity and disaster recovery (40%), company reputation (35%), internal policy compliance (34%) and regulatory compliance (33%).

The only spending driver to show substantial increases this year is “client requirement,” the study found. Client requirement moved up from the bottom of the list in 2007 to near parity with the top-ranking legal/regulatory environment. The rise of client requirement demonstrates the continuing strategic importance and integration of the security department to the business.

Not surprisingly, due to the cost-cutting initiatives taken by most global actors, the 2011 Global State of Information Security Survey also found a significant shift in the ongoing evolution of the CISO’s reporting channel, which has moved away from the CIO in favor of the company’s senior business decision-makers such as the CFO and the CEO.

Risks of social networking and a new role for insurance

The 2011 Global State of Information Security Survey revealed that many companies are unprepared to deal with the potential risks of social networking and other Web 2.0 applications: 60% of respondents said their organization has yet to implement security technologies supporting Web 2.0 exchanges such as social networks, blogs or wikis, according to the survey.

Additionally, 77% of respondents said their organization has not established security policies that address the use of social networks or Web 2.0 technologies. This lack of action on social networking and Web 2.0 technologies can expose organizations to a variety of risks, including loss or leakage of information, damage to the company’s reputation, illegal downloading of pirated material, and identity theft.

The survey also found that many companies are using an additional tool (insurance) to protect the organization from theft or misuse of assets such as sensitive data or customer records: 46% of respondents said their organization has an insurance policy. Additionally, 17% of respondents said their company has made a claim and 13% said their company has collected on a claim.

In Europe, the focus on information security is far more muted, the survey found. Europe now trails other regions in maturity across many security capabilities. Like North America, Europe continues to suffer poor visibility into security events and, as a result, may be unaware of the true impact of events on the business. While 68% of European respondents say their organizations place a high level of importance on protecting sensitive customer information, the responses from other global regions are higher, including Asia (80%), North America (80%), and South America (76%).

Industry-specific highlights and further regional information are available here.


Internal Audit changing expectations: from a controls-focused approach to a risk-centric mindset

Rapid change is quickly transforming the practice of internal audit, raising significant issues for audit leaders and their chief stakeholders. As I highlighted in the article “Internal Audit Changing Expectations,” written for the “Financial Audit” Journal (published in April 2009), there is a clear gap between the current focus of many internal audit functions and where they need to set their sights in order to deliver greater value to their stakeholders.

Since the passage of the Sarbanes-Oxley Act (2002), internal audit groups have been concentrating on financial and compliance risks, traditional areas of focus where their confidence levels are typically high. Consequently, to address the rising expectations of their chief stakeholders, internal audit groups tend to sharpen their focus on strategic, operational, and business risks.

Within the article I concluded that, over the next years, the value of a controls-focused approach is expected to diminish as internal audit adopts a risk-centric mindset. Study results indicate that five identifiable trends – globalization, changes in risk management, advances in technology, talent and organizational issues, and changing internal audit roles – will have the greatest impact on internal audit in the coming years.

You may find below a PDF copy of the article (Romanian version with English abstract):
“Internal Audit Changing Expectations,” Financial Audit Magazine No.4(52), Chamber of Financial Auditors of Romania, Bucharest, April 2009, 26-34

Profit and liquidity management


The collapse of Northern Rock proves that profitability is no defence against liquidity risk: the company made profits in the quarter before it disappeared. Following a significant fall in market liquidity, Northern Rock was unable to meet its payment obligations.

Until now, only a few voices had raised liquidity risk issues and, even if the regulators did monitor banks’ liquidity management, they rarely raised serious challenges. During this financial crisis, risks have tended to transform repeatedly from one type to another, and companies face the challenge of placing greater emphasis on developing an integrated view of risk management across all types of risk.

The new economic perspectives bring significant challenges: while funding can still be found, it is only available for short periods and at high cost. Therefore, this is a good time for any company to perform a liquidity stress test, such as the following three-step approach:

1) Identify liquidity risk drivers:
  • erosion in the value of liquid assets,
  • additional collateral requirements,
  • evaporation of funding,
  • withdrawal of deposits (where applicable);

2) Design stress scenarios (and probabilities):
  • emerging markets crisis,
  • systemic shock in main centres of business,
  • market risk,
  • operational risk,
  • ratings downgrade,
  • country / industry specific scenarios;

3) Model stress tests:
  • quantify liquidity outflows in all scenarios for each risk driver,
  • identify cash inflows to mitigate the liquidity shortfalls identified,
  • determine the net liquidity position under each scenario.
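As an added illustration of the three-step approach above (not part of the original post), the following Python sketch models a handful of drivers and scenarios, nets mitigating inflows against quantified outflows, and flags the scenarios in which the position turns negative. All driver names, scenario probabilities and cash figures are constructed sample data, not figures from the article.

```python
# Added example: three-step liquidity stress test. All figures are constructed
# sample data (in millions of a notional currency), not the article's numbers.

# Step 1: liquidity risk drivers (names are constructed labels).
RISK_DRIVERS = ["liquid_asset_erosion", "collateral_calls",
                "funding_evaporation", "deposit_withdrawal"]

# Step 2: stress scenarios with assumed one-year probabilities (constructed).
SCENARIOS = {"emerging_markets_crisis": 0.15,
             "systemic_shock": 0.05,
             "ratings_downgrade": 0.10}

# Step 3a: quantified outflows per scenario and per driver (constructed).
OUTFLOWS = {
    "emerging_markets_crisis": {"liquid_asset_erosion": 30, "collateral_calls": 10,
                                "funding_evaporation": 40, "deposit_withdrawal": 25},
    "systemic_shock":          {"liquid_asset_erosion": 50, "collateral_calls": 30,
                                "funding_evaporation": 80, "deposit_withdrawal": 40},
    "ratings_downgrade":       {"liquid_asset_erosion": 10, "collateral_calls": 35,
                                "funding_evaporation": 45, "deposit_withdrawal": 15},
}

# Step 3b: mitigating cash inflows that remain available under each scenario (constructed).
INFLOWS = {
    "emerging_markets_crisis": {"central_bank_facility": 50, "asset_sales": 20},
    "systemic_shock":          {"central_bank_facility": 60, "asset_sales": 10},
    "ratings_downgrade":       {"asset_sales": 15},
}


def net_liquidity(scenario, opening_buffer):
    """Step 3c: opening buffer + mitigating inflows - outflows across all drivers."""
    outflows = OUTFLOWS[scenario]
    unknown = set(outflows) - set(RISK_DRIVERS)
    if unknown:  # every outflow must map back to an identified driver (step 1)
        raise ValueError(f"{scenario}: outflows for unidentified drivers {sorted(unknown)}")
    total_out = sum(outflows.get(d, 0.0) for d in RISK_DRIVERS)
    total_in = sum(INFLOWS.get(scenario, {}).values())
    return opening_buffer + total_in - total_out


def run_stress_test(opening_buffer):
    """Net position per scenario, the shortfalls, and a probability-weighted shortfall."""
    positions = {s: net_liquidity(s, opening_buffer) for s in SCENARIOS}
    shortfalls = {s: -v for s, v in positions.items() if v < 0}
    expected_shortfall = sum(SCENARIOS[s] * gap for s, gap in shortfalls.items())
    worst = min(positions, key=positions.get)
    return {"positions": positions, "shortfalls": shortfalls,
            "expected_shortfall": expected_shortfall, "worst_scenario": worst}


if __name__ == "__main__":
    for key, value in run_stress_test(opening_buffer=60).items():
        print(f"{key}: {value}")
```

With the constructed figures, a 60-unit opening buffer survives the emerging-markets scenario but falls short under the systemic shock and the ratings downgrade, which is the kind of gap the third step is meant to surface before a funding squeeze does.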

Times of crisis are perfect opportunities to refocus on fundamentals: you can show that you truly understand your business and its potential risks with an integrated risk management perspective.

Intelligent Benchmarking

“Intelligent Benchmarking” is an article I wrote for the “Business Week” Journal in February 2009. The article provides some tips and tricks on how to perform a successful benchmarking process, namely:

  • correctly identify your necessities,
  • explore the hidden parts of statistics,
  • identify the optimum benchmarking frequency,
  • heal yourself from the “we can’t do it” syndrome,
  • involve your people within the process.

You may find below a PDF copy (Romanian version only):
“Intelligent Benchmarking,” Business Week Journal No.122, McGraw-Hill Publishing, Bucharest, 24 February 2009

The impact of Sarbanes-Oxley Act on Romanian companies

“The impact of Sarbanes-Oxley Act on Romanian companies” is an article written for the “Financial Audit” Journal in July 2008. The article evaluates the benefits of the Sarbanes-Oxley Act for shareholders by studying the lobbying behaviour of investors and corporate insiders to affect the final implemented rules under the Act.

All over the world, regulatory pressures have overshadowed the risk management function for the past few years, and we may see a high impact on Romanian companies as well. SOX compliance brings high regulation costs as well as competitive benefits, such as an improved ability to prevent, quickly detect, correct, and escalate critical risk issues, and a reduced cost of risk management through improved sharing of risk information and integration of existing risk management functions.

However, SOX compliance refers not only to the financial side of corporations, but also to their IT departments, given the corporations’ electronic records and access rights. The lack of controls over spreadsheets has been a contributing factor in financial reporting errors at a number of companies. In this article, you may find examples highlighting the importance of understanding how spreadsheets are used in a company’s financial reporting process and of evaluating the controls over spreadsheets as part of the company’s overall Section 404 process.

You may find below a PDF copy of the article (Romanian version with English abstract):
“The Impact of Sarbanes-Oxley Act on Romanian companies,” Financial Audit Magazine No.7(43), Chamber of Financial Auditors of Romania, Bucharest, July 2008, 12-18