<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
	xmlns:dtvmedia="http://participatoryculture.org/RSSModules/dtv/1.0"
	xmlns:media="http://search.yahoo.com/mrss/"
>

<channel>
	<title>Audit Trail</title>
	<atom:link href="http://www.approva.net/audittrail/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.approva.net/audittrail</link>
	<description>Take a walk on the compliance side</description>
	<lastBuildDate>Tue, 31 Aug 2010 13:29:32 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<!-- podcast_generator="podPress/7.2" -->
		<copyright>&#xA9; 2003-2006</copyright>
		<managingEditor>kfisk@approva.net ()</managingEditor>
		<webMaster>kfisk@approva.net</webMaster>
		<category></category>
		<ttl>1440</ttl>
		<itunes:keywords></itunes:keywords>
		<itunes:subtitle></itunes:subtitle>
		<itunes:summary>Podcasting from the AuditTrail . . . </itunes:summary>
		<itunes:author></itunes:author>
		<itunes:category text="Society &amp; Culture"/>
		<itunes:owner>
			<itunes:name></itunes:name>
			<itunes:email>kfisk@approva.net</itunes:email>
		</itunes:owner>
		<itunes:block>No</itunes:block>
		<itunes:explicit>no</itunes:explicit>
		<itunes:image href="http://www.approva.net/audittrail/wp-content/themes/approva/images/feed_logo_large.jpg" />
		<image>
			<url>http://www.approva.net/audittrail/wp-content/themes/approva/images/feed_logo.jpg</url>
			<title>Audit Trail</title>
			<link>http://www.approva.net/audittrail</link>
			<width>144</width>
			<height>144</height>
		</image>
		<item>
		<title>Minding Your Data – and Watch Out for Fraud</title>
		<link>http://www.approva.net/audittrail/2010/08/31/minding-your-data-%e2%80%93-and-watch-out-for-fraud/</link>
		<comments>http://www.approva.net/audittrail/2010/08/31/minding-your-data-%e2%80%93-and-watch-out-for-fraud/#comments</comments>
		<pubDate>Tue, 31 Aug 2010 13:29:32 +0000</pubDate>
		<dc:creator>Katina</dc:creator>
				<category><![CDATA[Daily News]]></category>

		<guid isPermaLink="false">http://www.approva.net/audittrail/2010/08/31/minding-your-data-%e2%80%93-and-watch-out-for-fraud/</guid>
		<description><![CDATA[Happy End of Summer, everybody!  We thought we’d kick things off today with a little data privacy discussion.  There have been several high-profile data privacy breaches in recent years – both the large-scale oops-we-accidentally-shared-your-Social-Security-numbers kind and smaller-scale episodes that happen when a laptop is lost or stolen or a rogue employee gets nosy. [...]]]></description>
			<content:encoded><![CDATA[<p>Happy End of Summer, everybody!  We thought we’d kick things off today with a little data privacy discussion.  There have been several high-profile data privacy breaches in recent years – <a href="http://www.google.com/hostednews/ap/article/ALeqM5ifs94UkklbV95KwOjiNjclie-LewD9HPBMD00">both the large-scale oops-we-accidentally-shared-your-Social-Security-numbers kind</a> and smaller-scale episodes that happen when a <a href="http://www.google.com/url?sa=t&#038;source=web&#038;cd=4&#038;ved=0CCMQFjAD&#038;url=http%3A%2F%2Fwww.yaledailynews.com%2Fnews%2Funiversity-news%2F2010%2F08%2F19%2Flaptop-health-data-stolen-school-medicine%2F&#038;ei=pNt7TNjTO8H_lgeds6DrCw&#038;usg=AFQjCNFhkh-Qv43pX0itB-PZd_xQh-4jRQ">laptop</a> is lost or stolen or a <a href="http://www.google.com/url?sa=t&#038;source=web&#038;cd=2&#038;ved=0CBsQFjAB&#038;url=http%3A%2F%2Fwww.informationweek.com%2Fnews%2Fglobal-cio%2Fcompliance%2FshowArticle.jhtml%3FarticleID%3D206904141&#038;ei=8tt7TMWWIoG0lQfw7NTsCw&#038;usg=AFQjCNGSYJlCpqbx4X6buuj-cYWkNmm2vw">rogue employee gets nosy</a>.  (By the way, if you are data privacy freaks like we are, eat your heart out at PrivacyRights.org’s <a href="http://www.privacyrights.org/data-breach#CP">chronological listing</a> of data privacy breaches).</p>
<p>We aren’t keeping nearly so official a tally ourselves, but between <a href="http://www.google.com/url?sa=t&#038;source=web&#038;cd=4&#038;ved=0CCEQFjAD&#038;url=http%3A%2F%2Fwww.pcworld.com%2Farticle%2F154392%2Fsnoopy_verizon_employees_fired.html&#038;ei=y9t7TLs-wYCUB7SjufMK&#038;usg=AFQjCNHEbtjdsXSQvqYEjhB7ZPLZ8GP6IQ">cellphone records</a>, <a href="http://www.google.com/url?sa=t&#038;source=web&#038;cd=1&#038;ved=0CBIQFjAA&#038;url=http%3A%2F%2Fwww.msnbc.msn.com%2Fid%2F23736254%2F&#038;ei=y9t7TLs-wYCUB7SjufMK&#038;usg=AFQjCNF_zZ7b1sYMIH4F70611ylsUDr_QA">passport files</a> and now <a href="http://www.latimes.com/sns-ap-us-obama-student-loan-trial,0,1913457.story">student loan records</a>, President Obama’s privacy is getting breached all over the place.  </p>
<p>Here’s the thing.  The breaches are all coming from companies who have a duty to protect the personal information they collect.  And the consequences for failing to do so can be very <a href="http://www.google.com/url?sa=t&#038;source=web&#038;cd=1&#038;ved=0CBcQFjAA&#038;url=http%3A%2F%2Fwww.compliancebuilding.com%2F2010%2F03%2F01%2Ftoday-is-the-deadline-for-the-massachusetts-data-privacy-law%2F&#038;ei=IuJ7TPfYF4Sdlgelv-zrCw&#038;usg=AFQjCNFEP7rqSpHxRXg1-orWsb2WJ6VVmA">steep</a>.  Yet another reason why considering risks related to data privacy is a crucial part of assessing a business’s overall risk exposure.  Got that?</p>
<p>Speaking of risks, fraud is a biggie.  One of the biggest, actually.  We just happen to have some new information on how big, courtesy of a survey we conducted in our recent <a href="http://approva.net/company./sub_online-event/how-to-detect-prevent-fraud-using-ccm/">webcast</a> on How To Detect and Prevent Fraud Using CCM (handily archived online, should you wish to check it out).  </p>
<p>Nearly 80% of those on the webcast reported that their organization has experienced fraud or conducted a fraud investigation in the past two years and just over 70% reported that they have updated controls or their controls testing approach in the past 12 months to better address fraud.   </p>
<p>What are you doing in your organization to protect against fraud?  Weigh in in the comments with suggestions, tips and lessons learned, why don’t you?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.approva.net/audittrail/2010/08/31/minding-your-data-%e2%80%93-and-watch-out-for-fraud/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Singing the Praises of CCM</title>
		<link>http://www.approva.net/audittrail/2010/08/27/singing-the-praises-of-ccm/</link>
		<comments>http://www.approva.net/audittrail/2010/08/27/singing-the-praises-of-ccm/#comments</comments>
		<pubDate>Fri, 27 Aug 2010 17:33:52 +0000</pubDate>
		<dc:creator>Katina</dc:creator>
				<category><![CDATA[Daily News]]></category>

		<guid isPermaLink="false">http://www.approva.net/audittrail/?p=715</guid>
		<description><![CDATA[We’ve talked a bit before about what the Foreign Corrupt Practices Act (FCPA) means for businesses in terms of compliance demands and reporting requirements (and we’ve linked before to InfoSecIsland, which has been following this closely).  Their latest, a piece by Michael Volkov, is well worth the read – a look at why reactive [...]]]></description>
			<content:encoded><![CDATA[<p>We’ve talked <a href="http://www.approva.net/audittrail/?s=fcpa&#038;search.x=0&#038;search.y=0&#038;search=Search">a bit</a> before about what the Foreign Corrupt Practices Act (FCPA) means for businesses in terms of compliance demands and reporting requirements (and we’ve linked before to InfoSecIsland, which has been following this closely).  Their latest, <a href="https://www.infosecisland.com/blogview/6546-Continuous-Monitoring-and-FCPA-Compliance.html">a piece by Michael Volkov</a>, is well worth the read – a look at why reactive plans around FCPA aren’t going to satisfy the DOJ, should it come digging around with FCPA concerns on its mind.  A far better plan, Volkov points out, would be a continuous controls monitoring system that can demonstrate a company’s commitment from the outset to FCPA compliance. </p>
<p>As he explains:<br />
“Continuous controls monitoring programs are a powerful tool to assist companies in their ongoing FCPA compliance program.  </p>
<p>More specifically,
<ul>
<li>Continuous controls can lower audit costs by eliminating manual sampling.</li>
<li>Continuous controls monitoring can improve financial governance by increasing the reliability of transactional controls and the effectiveness of anti-corruption controls.</li>
<li>Continuous controls monitoring can improve actual operational performance by monitoring key financial processes.</li>
<li>Continuous controls monitoring can be used to verify the pre-employment background check performed on an employee; the quality of the FCPA compliance training an employee receives after hire and then to review and record an employee’s annual acknowledgement of FCPA compliance.</li>
</ul>
<p>There is no question that proactive compliance strategies are a must but now more and more companies are employing continuous monitoring techniques as they seek to avoid the attention of enforcement agencies and any FCPA issues.”<br />
Well said.  Seriously.</p>
<p>In other CCM news, we came across an interesting <a href="http://www.corporatecomplianceinsights.com/2010/making-the-most-of-continuous-controls-monitoring-ccm-investments/">blog post</a> from Corporate Compliance Insights that does a great job of talking about the power of CCM to drive business performance beyond compliance and governance concerns – to increase efficiency and help the bottom line.  How about you check it out, and then weigh in in the comments on your own CCM experiences?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.approva.net/audittrail/2010/08/27/singing-the-praises-of-ccm/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Accounting for Risk.  (Get it?)</title>
		<link>http://www.approva.net/audittrail/2010/08/26/accounting-for-risk-get-it/</link>
		<comments>http://www.approva.net/audittrail/2010/08/26/accounting-for-risk-get-it/#comments</comments>
		<pubDate>Thu, 26 Aug 2010 13:30:34 +0000</pubDate>
		<dc:creator>Katina</dc:creator>
				<category><![CDATA[Daily News]]></category>

		<guid isPermaLink="false">http://www.approva.net/audittrail/2010/08/26/accounting-for-risk-get-it/</guid>
		<description><![CDATA[We’ve talked a good bit lately about risk.  Okay, more than a good bit.  But we stand behind that focus, because seriously, risk is tremendously important for businesses to assess, account for and mitigate.  
But the big news today has to do with how companies assess risks related to the audit process [...]]]></description>
			<content:encoded><![CDATA[<p>We’ve talked a good bit lately about risk.  Okay, more than a good bit.  But we stand behind that focus, because seriously, risk is tremendously important for businesses to assess, account for and mitigate.  </p>
<p>But the big news today has to do with how companies assess risks related to the audit process – and then account for it for their shareholders.  Tammy Whitehouse at Compliance Week has the <a href="http://www.complianceweek.com/article/6110/pcaob-standards-push-new-approach-on-audits">must-read</a> on the PCAOB’s proposed standards, which still need SEC approval before becoming the law of the land.  </p>
<p>As she explains,</p>
<blockquote>
<p>“The eight standards (Auditing Standards No. 8 through 15) try to take a comprehensive view of “audit risk”—the chance that auditors might miss some weakness in the client’s financial statements. They address everything from defining audit risk to outlining an auditor’s responsibility to consider it to considering materiality while performing an audit to evaluating audit evidence with risk in mind and much more.”</p>
</blockquote>
<p>The biggest changes coming? </p>
<blockquote>
<p>“Clarence Ebersole, a partner with Crowe Horwath, says the standards contain some other changes worth noting: a new emphasis on assessing the risk of fraud; a greater focus on how auditors should perform “walkthroughs” as part of the audit process, where auditors walk through a process or a transaction to better understand how internal controls are operating; and a greater focus on testing controls in a current year rather than testing controls on a rotational basis.”</p>
</blockquote>
<p>The good news is that several industry followers are saying that many companies are already accounting for most of the risks being laid out here – meaning that the proposed guidance will mean much more in terms of risk documentation than in the way audits are being conducted.  Since documenting processes is generally a good bit less expensive than having to overhaul them, this is probably a good thing.  Still, perhaps now might be a good time to remind everyone how much help automated controls can lend in documenting things like this?</p>
<p>In not-really-related but we-couldn’t-really-help-ourselves news, you know all the previews for The Other Guys?  Totally burying the lede!  As far as we know, not one has yet highlighted what is by FAR the most outstanding part of that movie (sorry, Samuel Jackson, The Rock, Will Ferrell and Mark Wahlberg).  Will Ferrell’s character?  A forensic accountant!  Who breaks his case wide open not by cracking skulls, but by going over financial records and SEC filings. You can practically smell the 10-Ks.  Our people!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.approva.net/audittrail/2010/08/26/accounting-for-risk-get-it/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Getting Serious about Risk Monitoring</title>
		<link>http://www.approva.net/audittrail/2010/08/23/getting-serious-about-risk-monitoring/</link>
		<comments>http://www.approva.net/audittrail/2010/08/23/getting-serious-about-risk-monitoring/#comments</comments>
		<pubDate>Mon, 23 Aug 2010 14:05:10 +0000</pubDate>
		<dc:creator>Katina</dc:creator>
				<category><![CDATA[Daily News]]></category>

		<guid isPermaLink="false">http://www.approva.net/audittrail/2010/08/23/getting-serious-about-risk-monitoring/</guid>
		<description><![CDATA[You know we at Audit Trail love to have fun.  But the latest from Gartner’s French Caldwell, who knows governance, risk and compliance as well as just about anyone, is no joke.  
In a post on the five characteristics of good enterprise risk management, he (succinctly) makes several points worth remembering.  We’ve [...]]]></description>
			<content:encoded><![CDATA[<p>You know we at Audit Trail love to have fun.  But <a href="http://blogs.gartner.com/french_caldwell/2010/08/03/five-characteristics-of-good-enterprise-risk-management/">the latest from Gartner’s French Caldwell</a>, who knows governance, risk and compliance as well as just about anyone, is no joke.  </p>
<p>In a post on the five characteristics of good enterprise risk management, he (succinctly) makes several points worth remembering.  We’ve said much the same thing ourselves – that single point-in-time snapshots of risk (or transactions or the general ledger or any critical business function, for that matter) cannot compare in value to ongoing risk monitoring across an operation.  </p>
<p>Here are his five characteristics of a good risk management program, unabridged: </p>
<ol>
<li>Risks are derived from business goals and objectives</li>
<li>A framework guides a common approach across the enterprise</li>
<li>Risks, including IT risks, are communicated in terms of their impact on the business</li>
<li>There is operational support for risk management and accountable ownership of risks</li>
<li>There is a business process approach to risk management technology</li>
</ol>
<p>We couldn’t agree more.  Regulations such as the new proxy disclosure rules that went into effect at the beginning of this year are forcing boards not only to take risk seriously but to publicly disclose what they are doing about it. Annual risk assessments are simply not enough, and Caldwell’s advice to make risk management an ongoing, integrated part of day-to-day business processes makes a lot of sense. The sooner organizations come to understand risk as something impacting organizations across functions, rather than the sole purview of the risk specialists in the c-suite and the odd control freak, the better for all of us. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.approva.net/audittrail/2010/08/23/getting-serious-about-risk-monitoring/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Y211?  And other Risks . . .</title>
		<link>http://www.approva.net/audittrail/2010/08/17/y211-and-other-risks/</link>
		<comments>http://www.approva.net/audittrail/2010/08/17/y211-and-other-risks/#comments</comments>
		<pubDate>Tue, 17 Aug 2010 13:35:49 +0000</pubDate>
		<dc:creator>Katina</dc:creator>
				<category><![CDATA[Daily News]]></category>

		<guid isPermaLink="false">http://www.approva.net/audittrail/2010/08/17/y211-and-other-risks/</guid>
		<description><![CDATA[So, CFO has a kind of alarming/kind of millennial nostalgia-inducing piece up today on a risk we pretty much guarantee that lots of businesses haven’t yet accounted for.  It seems that the unique numbers on one kind of interweb protocol dealie (IPv4, for the detail people reading) are running out, so they need a [...]]]></description>
			<content:encoded><![CDATA[<p>So, CFO has a <a href="http://www.cfo.com/article.cfm/14517199/c_14517300">kind of alarming/kind of millennial nostalgia-inducing piece</a> up today on a risk we pretty much guarantee that lots of businesses haven’t yet accounted for.  It seems that the unique numbers on one kind of interweb protocol dealie (IPv4, for the detail people reading) are running out, so they need a new protocol deal (IPv6, and your guess is as good as ours on why nobody’s talking about IPv5).  Only 4 doesn’t really talk to 6, and – you know what, you should probably read the piece for a coherent technical explanation.   </p>
<p>The gist is that 2011 is likely to bring some real communications issues for Web sites, and that means companies need to start planning now for how to make sure all their systems are go for a transition, lest they risk outages or inconvenience for customers.  </p>
<p>It’s another reminder of just how many risks confront the varied functions of a business every day – and why it’s so vital that the folks in charge of those functions – who we fervently hope are tracking their little fiefdoms carefully – come together regularly to talk about their risks with other stakeholders in their operation.  That way they can agree on controls to implement, and just what needs to be monitored, and how to respond if or when something goes haywire.  </p>
<p>Speaking of widely varying risks, <a href="http://www.insurancenewsnet.com/article.aspx?id=217655&#038;type=lifehealth">spending lots of money on basically nothing</a> is a kind of nightmare scenario for any business.  Probably even more so if you happen to be operating a city government whose mayor ordered you 7 months ago to get a tight grip on controls and prevent wasteful spending.   So finding out that you’ve been spending an unnecessary $2 million in health premiums for deceased former employees has got to be quite a blow.  Especially since that is exactly the sort of risk that automated controls help operations to account for. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.approva.net/audittrail/2010/08/17/y211-and-other-risks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Video Spills on Government Fraud</title>
		<link>http://www.approva.net/audittrail/2010/08/10/video-spills-on-government-fraud/</link>
		<comments>http://www.approva.net/audittrail/2010/08/10/video-spills-on-government-fraud/#comments</comments>
		<pubDate>Tue, 10 Aug 2010 13:41:04 +0000</pubDate>
		<dc:creator>Katina</dc:creator>
				<category><![CDATA[Daily News]]></category>

		<guid isPermaLink="false">http://www.approva.net/audittrail/2010/08/10/video-spills-on-government-fraud/</guid>
		<description><![CDATA[Whoo boy.  CNBC has some pretty disheartening video up this week that illustrates the findings of a recent GAO report that found some 1500 instances of people collecting Social Security disability benefits while continuing work – and not just in any old job, but in the public sector.  Not that the working while [...]]]></description>
			<content:encoded><![CDATA[<p>Whoo boy.  <a href="http://www.cnbc.com/id/38555593">CNBC</a> has some pretty disheartening <a href="http://www.cnbc.com/id/15840232/?video=1558965107&#038;play=1">video</a> up this week that illustrates the findings of a recent GAO report that found some 1500 instances of people collecting Social Security disability benefits while continuing work – and not just in any old job, but in the public sector.  Not that the working while collecting disability benefits isn’t hugely problematic on its own, but doing so while working for, say, TSA?  Wow, that takes some serious chutzpah.  And it is NOT cool.  The GAO report is being criticized by some for not recommending steps for fixing the problem, so we’re happy to help out.  Without pretending to be the experts on government management, how about a good old fashioned audit that compares disability rolls to, we don’t know, something like tax returns.  Wouldn’t that show pretty quickly who’s gaming the system?  And, you know, stealing?</p>
<p>It’s such a shame, the two steps forward, one foot back-ness of it all.  Seems like yesterday we were singing the praises of <a href="http://www.approva.net/audittrail/2010/07/15/trailblazing-uncle-sam/">Uncle Sam’s super-cool devotion to continuous monitoring at various government institutions</a>, and then we read about totally obvious, totally preventable, completely embarrassing fraud at another.</p>
<p>In an age where automation enables such efficient means of monitoring all kinds of information, there’s really no excuse for stories like these.  And in an age of soaring deficits with <a href="http://www.google.com/url?sa=t&#038;source=news&#038;cd=4&#038;ved=0CFAQqQIwAw&#038;url=http%3A%2F%2Fvoices.washingtonpost.com%2Fezra-klein%2F2010%2F08%2Fthe_range_of_options_under_con.html&#038;ei=wkxgTKruJsO78gbqsui1DQ&#038;usg=AFQjCNFj03Amlp2nG1cRWzIBo_mwSVRh2g">no real end in sight</a>, letting this kind of thing slip by is something none of us can afford.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.approva.net/audittrail/2010/08/10/video-spills-on-government-fraud/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Re-Inventing the Internal Auditor?</title>
		<link>http://www.approva.net/audittrail/2010/08/05/re-inventing-the-internal-auditor/</link>
		<comments>http://www.approva.net/audittrail/2010/08/05/re-inventing-the-internal-auditor/#comments</comments>
		<pubDate>Thu, 05 Aug 2010 14:02:46 +0000</pubDate>
		<dc:creator>Melanie</dc:creator>
				<category><![CDATA[Daily News]]></category>

		<guid isPermaLink="false">http://www.approva.net/audittrail/2010/08/05/re-inventing-the-internal-auditor/</guid>
		<description><![CDATA[As the thermometer keeps creeping up, we’re sure you, our dear readers, can only think of one thing – isn’t IIA GRC coming up soon?  Well, you’re right, it is indeed, and without giving anything away, we have it on good authority that some pretty cool things are going to be happening there. For [...]]]></description>
			<content:encoded><![CDATA[<p>As the thermometer keeps creeping up, we’re sure you, our dear readers, can only think of one thing – isn’t IIA GRC coming up soon?  Well, you’re right, it is indeed, and without giving anything away, we have it on good authority that some pretty cool things are going to be happening there. For a preview take a look at some of the <a href="http://bigfatfinanceblog.com/2010/04/01/internal-audits-2010-themes/">key themes from the IIA GAM conference</a> that took place last spring.</p>
<p>But already folks are talking about all things internal audit, and Norman Marks, who is downright prolific on the subject, has got some <a href="http://normanmarks.wordpress.com/2010/06/29/the-future-of-the-internal-audit-profession/">interesting reading</a> for folks psyching themselves up for Palm Beach.    The bits about internal auditors becoming obsolete or irrelevant might be a little hyperbolic, but the importance he cites for embracing technologies that enable top-down risk assessments is spot-on.  And he makes a great point, in our humble opinion, on the opportunity waiting for internal auditors to make themselves risk management heroes within their organizations, insisting on bringing varied functions together to identify organizational risks and acting as an advocate to boards and the C-suite for the technologies that can truly transform how a business approaches risk identification and mitigation.  </p>
<p>Definitely some food for thought while we bide our time until we’re all together in Florida.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.approva.net/audittrail/2010/08/05/re-inventing-the-internal-auditor/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Guidance Gauntlet</title>
		<link>http://www.approva.net/audittrail/2010/08/03/the-guidance-gauntlet/</link>
		<comments>http://www.approva.net/audittrail/2010/08/03/the-guidance-gauntlet/#comments</comments>
		<pubDate>Tue, 03 Aug 2010 14:09:25 +0000</pubDate>
		<dc:creator>Katina</dc:creator>
				<category><![CDATA[Daily News]]></category>

		<guid isPermaLink="false">http://www.approva.net/audittrail/2010/08/03/the-guidance-gauntlet/</guid>
		<description><![CDATA[So, anybody remember how we were just talking about robbing risk to pay receivables?   Well, maybe it’s because we’ve got receivables on the brain, but this headline from Compliance Week (“New Accounting Rules Thwart Selling Receivables for Cash” if your browser won’t do that cool hovering link reader thing) jumped out at us. [...]]]></description>
			<content:encoded><![CDATA[<p>So, anybody remember how we were <a href="http://www.approva.net/audittrail/2010/07/21/robbing-risk-management-to-pay-receivables/">just</a> talking about robbing risk to pay receivables?   Well, maybe it’s because we’ve got receivables on the brain, but <a href="http://www.complianceweek.com/article/6036/selling-receivables-suddenly-not-such-an-easy-move">this headline</a> from Compliance Week (“<a href="http://www.complianceweek.com/article/6036/selling-receivables-suddenly-not-such-an-easy-move">New Accounting Rules Thwart Selling Receivables for Cash</a>” if your browser won’t do that cool hovering link reader thing) jumped out at us.  Anybody in charge of books should read the whole thing (and then the source material, since you really can’t be too careful on these things), but the gist for lay-peeps is that yet another creative way for businesses to get unfun financial data off the books has gone by the wayside.</p>
<p>Here’s hoping for your sakes, dear readers, that accounting for this latest guidance (and man does there ever seem to be a lot of new guidance on <a href="http://www.lexology.com/library/detail.aspx?g=eb82bee7-b2e2-4892-8637-34ca8297af62">all sorts of things</a> coming out these days), is something that comes easily to you.  If you’re automating your controls, you (in conjunction with the relevant functions in your business) should be able to incorporate it into your controls framework and hold tight unless or until you see an exception.  Those of you with manual controls . . . well, we’re going to level with you and say it won’t be that easy.  Also, call us if you want to talk automation and continuous monitoring strategies.</p>
<p>Speaking of monitoring, the <a href="http://gcn.com/Articles/2010/06/30/NIST-releases-security-assessment-guides.aspx">rumbling</a> about <a href="http://www.federalnewsradio.com/?nid=35&#038;sid=2009243">expected guidance</a> on continuous monitoring from the National Institute of Standards and Technology (NIST) is ongoing, and the <a href="http://www.fiercegovernmentit.com/story/guest-commentary-bruce-body-fisma-reform/2010-07-26">latest from Bruce Brody, writing for FierceGovernmentIT</a>, is a really useful rundown of the state of things and the potential for CCM in this sector.  It’s something we’re following closely, and if you share our interest, you’d probably enjoy our <a href="http://approva.net/company/release/federal-webcast-2010/">upcoming webcast on CCM for federal agencies</a> (see what we did there?)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.approva.net/audittrail/2010/08/03/the-guidance-gauntlet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Stopping the Spreadsheet Scourge</title>
		<link>http://www.approva.net/audittrail/2010/07/30/stopping-the-spreadsheet-scourge/</link>
		<comments>http://www.approva.net/audittrail/2010/07/30/stopping-the-spreadsheet-scourge/#comments</comments>
		<pubDate>Fri, 30 Jul 2010 12:12:51 +0000</pubDate>
		<dc:creator>Katina</dc:creator>
				<category><![CDATA[Daily News]]></category>

		<guid isPermaLink="false">http://www.approva.net/audittrail/?p=704</guid>
		<description><![CDATA[If you haven’t checked out CFO’s piece by David McCann on the campaign by internal auditors (via the Institute of Internal Auditors, or IIA) to end (okay, manage) the scourge of spreadsheets, you should.
As the piece points out, those spreadsheets that every Tom, Dick and Mary has on his or her office desktop to track [...]]]></description>
			<content:encoded><![CDATA[<p>If you haven’t checked out <a href="http://www.cfo.com/article.cfm/14508608?f=home_featured">CFO’s piece</a> by David McCann on the campaign by internal auditors (via the Institute of Internal Auditors, or IIA) to end (okay, manage) the scourge of spreadsheets, you should.</p>
<p>As the piece points out, those spreadsheets that every Tom, Dick and Mary has on his or her office desktop to track whatever it is they track – they’re not the easiest things in the world to track themselves.  But come auditing time, IIA needs to make sure their data is accounted for.  </p>
<blockquote><p>“User-developed applications, or UDAs, are subject to a high level of data-integrity risk because there may not be adequate controls over validating their output or making changes to them, the IIA points out. There is also confidentiality risk, because a UDA and its data typically are easy to transmit outside the company via e-mail. And there is a risk that some UDAs will not be available for audit, because they may be stored on end users&#8217; hard drives or even portable flash drives and thus not captured in a periodic network backup by the IT department.”</p></blockquote>
<p>We’ve <a href="http://www.approva.net/audittrail/2009/12/09/maturity-issues/">talked before</a> about the inherent issues in using spreadsheets to track critical information – and since you know us, you shouldn’t be surprised to hear we also talked about the vast superiority of automated solutions to relying on spreadsheets, which have all the weaknesses that the IIA points out in its article.  </p>
<p>Of course, for all those weaknesses, steering away from spreadsheets isn’t going to reduce risk all on its own.  When it comes to monitoring financial systems, it’s just as important to implement proper controls, so that real business risks are flagged when they can be addressed without causing harm.  That takes collaboration at the front-end from multiple functions to identify what controls make sense – and cross-application capabilities to ensure they’re implemented effectively.  We wouldn’t call it rocket science, but it’s a long way past Access for Dummies.  </p>
<p>Finally (and really, kudos on the self-restraint that allowed us to leave this bit until the end), a <a href="http://www.itbusinessedge.com/cm/blogs/vizard/managing-applications-via-the-cloud/?cs=42180">very illuminating piece</a> from Mike Vizard at IT Business Edge on the trend for businesses to offer SaaS via cloud computing.  As the piece illustrates very well, using our very own <a href="http://www.approva.net/one">Approva One On Demand</a> as an example, this approach offers some real advantages to businesses and consumers looking for ways to increase efficiency and manage costs.  If there’s anything we love more than efficiency and cost-savings (okay, and control), we can’t think of it just now.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.approva.net/audittrail/2010/07/30/stopping-the-spreadsheet-scourge/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Robbing Risk Management to Pay Receivables</title>
		<link>http://www.approva.net/audittrail/2010/07/21/robbing-risk-management-to-pay-receivables/</link>
		<comments>http://www.approva.net/audittrail/2010/07/21/robbing-risk-management-to-pay-receivables/#comments</comments>
		<pubDate>Wed, 21 Jul 2010 14:39:39 +0000</pubDate>
		<dc:creator>Katina</dc:creator>
				<category><![CDATA[Daily News]]></category>

		<guid isPermaLink="false">http://www.approva.net/audittrail/2010/07/21/robbing-risk-management-to-pay-receivables/</guid>
		<description><![CDATA[If you’re anything like us, you love to kick off a week with sobering, kind of depressing reading, right?  Right?
Then this will be right up your alley.  Courtesy of David Katz at CFO, you can wallow to your little heart’s desire in this grim exploration of the pretty questionable trend wherein companies looking [...]]]></description>
			<content:encoded><![CDATA[<p>If you’re anything like us, you love to kick off a week with sobering, kind of depressing reading, right?  Right?</p>
<p>Then this will be right up your alley.  Courtesy of David Katz at <a href="http://www.cfo.com/">CFO</a>, you can wallow to your little heart’s desire in <a href="http://www.cfo.com/article.cfm/14511787/c_14511973?f=home_todayinfinance">this grim exploration</a> of the pretty questionable trend wherein companies looking to manage costs decide to save their pennies by cutting risk management spending.  For serious.</p>
<p>So, yeah.  On the heels of the worst financial crisis since our grandparents could do cartwheels, which we think most people would <a href="http://www.nytimes.com/2009/01/04/magazine/04risk-t.html">agree</a> had roots in some <a href="http://harvardmagazine.com/2009/09/financial-risk-management-plan">colossal risk management failures</a>, budgets need cutting, and saving on insurance and risk management suddenly seems like a good idea?</p>
<p>So. Here’s hoping that the just-passed financial reform does all it’s <a href="http://finance.yahoo.com/banking-budgeting/article/109789/will-financial-reform-protect-taxpayers?mod=bb-budgeting">Supposed To</a> (and not what it is <a href="http://www.itbusinessedge.com/cm/blogs/bentley/senate-passes-financial-reform-boehner-calls-bill-ill-conceived/?cs=42262">Feared To</a>), and that we won’t all come to regret not spending when we could on risk and insurance.</p>
<p>In the meantime, if you are utterly depressed reading this, first, good, because it means you’re paying attention.  If you want some cheerier news, we <a href="http://www.approva.net/audittrail/2010/07/13/ccm-momentum/">refer</a> you to the momentum behind solutions that can help companies to better understand and visualize risk, and to address weak points in their business before they create big expensive messes.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.approva.net/audittrail/2010/07/21/robbing-risk-management-to-pay-receivables/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
