Internal Auditors Trusted to Tell It Like It Is
The Internal Auditors’ Peer Group wrapped up its 2017 calendar with a solid day-and-a-half meeting in San Jose, California.
Members of the IAPG discussed a wide range of topics at the 2017 second-half meeting, among them a look at annual and quarterly risk assessments, acquisition integration, post-systems implementation audits, data protection and fraud risk assessments. Some of the key takeaways from these sessions included discussions on robotic process automation; complying with new realities and rules (in Europe and possibly on the way in the US) about data, particularly personal data; and how sidebar conversations about “what’s really going on” make auditors trusted confidantes to business leaders.
Is the ROI in RPA really there? Robotic process automation (RPA) is a hot topic in many treasuries and other departments across companies. The promise is that companies can eliminate the risk of human error on tasks that are repetitive and rules-based. But is this a case of fools rushing in? This was the view of one presenter at the meeting, who questioned the return one could get from implementing RPA. “If this was just coming into being perhaps five years ago, I could see this really catching on,” he said. But right now, companies have addressed the cost issue by outsourcing to lower-cost countries. “RPA is so hot that people want to implement it without thinking it through.” The truth of the matter is that, right now, highly educated, low-cost workers in some countries can still get these mundane financial tasks (i.e., basic back-office transactions) done far more cheaply. And another view: “We always have manual intervention in RPA software,” said one member. So it could be a while before RPA is truly an option.
Audit whispers. In presentations to the audit committee, several members said they often include, in addition to the main points of their audit reports, a sidebar of issues they’ve “heard” unofficially. In at least one instance, this sidebar has become more popular than the audit report itself. So IA can often find itself in the position of the company’s “truth tellers,” the ones with the sober view of certain projects or endeavors that a CEO can appreciate. For instance, faced with very high sales goals in a tough environment, the head of sales will just say “we can do it!” But an auditor might say, “Yes, they might be able to; but it will be tough and perhaps IA will be looking closely at results to make sure there was no fraud.” The drawback to these side conversations is that they can be dangerous or misconstrued; people may use this format as a political device they can manipulate in their favor. They may have an axe to grind against a team or individual or even the company. Therefore, auditors who find themselves in this position must clarify the context of the information being given (this wasn’t an audit, etc.), and the receiver must be clear that this isn’t actionable intelligence, just information that bears watching.
Data scrubbing. Data in the cloud is growing exponentially, and so are the threats. And in Europe, new regulations are coming online in a couple years that will make data management that much more onerous.
While the cloud has made life easier for just about everyone and every business, it has had its downsides. For business, the cloud intensifies third-party risk management to crisis levels. One cloud server can have thousands of connections to external entities, thereby increasing the risk. The problem is that, at this early stage of the technology, there are a lot of ambiguities, from minimal transparency to vague regulatory expectations. On top of this, the speed of change in technology has exceeded companies’ capacity to change. “Point-in-time assessments expire before re-evaluation,” noted one slide in the session presentation. This presenter’s recommendation was to “optimize levels of risk assessment effort by choosing your vendor-risk-management battles.”
Meanwhile, regulations are coming. In Europe, it’s the General Data Protection Regulation (GDPR), agreed upon by the European Parliament and Council in April 2016, which will replace the older Data Protection Directive 95/46/EC in spring 2018. This will be the “primary law regulating how companies protect EU citizens' personal data.” While the US has not yet adopted such a single, unified law, a similar law in the US is expected; and many in the group are preparing, dedicating teams to address the somewhat burdensome privacy and data protection requirements. These include:
• Requiring the consent of subjects for data processing
• Anonymizing collected data to protect privacy
• Providing data breach notifications
• Safely handling the transfer of data across borders
• Requiring certain companies to appoint a data protection officer to oversee GDPR compliance
Overall, the GDPR mandates a baseline set of standards for companies that handle EU citizens’ data to better safeguard the processing and movement of citizens’ personal data.
For more than two decades, NeuGroup has led the way in peer knowledge exchange for treasury and finance professionals. With an unrivaled network of 18 invitation-only peer groups, NeuGroup facilitates over 30 face-to-face meetings to inform actions, transform practices, and enhance careers for more than 400 members from across treasury and finance functions, covering multiple industries and global regions. Visit www.Neugroup.com for more information about peer groups and www.iTreasurer.com for content and news.