Over this past school year, I have researched and written extensively on the Internal Audit Function's role in Governance, Risk Management, and Compliance. This manuscript is my official submission to the Institute of Internal Auditors' Esther R. Sawyer Research Competition. I hope any knowledge gained from this paper will benefit industry professionals in the future.
The Importance of Trust for Developing Tomorrow’s Information Security Leader... (Ed Yuwono)
Information Security failures are attributed to deficiencies in current leadership styles resulting in negative publicity and loss of revenue for the organisation. Concepts of transformational leadership may be applied to improve an organisation’s security posture. Transformational leadership provides information security leaders with appropriate guidance enabling the organisation to focus on delivery while employees adopt secure practices. To augment the exploration of leadership, this paper will focus on the aspect of trust which underpins several areas of leadership and the importance trust has for the development of future information security leaders.
Brennan, Niamh [2006] Boards of Directors and Firm Performance: Is there an E... (Prof Niamh M. Brennan)
Reflecting investor expectations, most prior corporate governance research attempts to find a relationship between boards of directors and firm performance. This paper critically examines the premise on which this research is based. An expectations gap approach is applied for the first time to implicit expectations which assume a relationship between firm performance and company boards. An expectations gap has two elements: A reasonableness gap and a performance gap. Seven aspects of boards are identified as leading to a reasonableness gap. Five aspects of boards are identified as leading to a performance gap. The paper concludes by suggesting avenues for empirically testing some of the concepts discussed in this paper.
Ast 0079872 1505924-esg_wp_rsa_big_data_and_security_analytics_jan_2013 (drewz lin)
The document discusses how the era of big data security analytics has arrived. It outlines obstacles that are impeding security maturity like an increasingly hazardous threat landscape, demands to secure new technologies, and a shortage of security skills. Legacy security tools are also no longer adequate to deal with these challenges. The era of big data security analytics requires continuous monitoring and data analysis for real-time awareness and data-driven security decisions in large organizations.
2013 q1 McKinsey quarterly - Putting time to work (Ahmed Al Bilal)
This document discusses time management challenges at organizations and provides potential solutions. It begins by noting that a McKinsey survey found just 9% of senior executives were highly satisfied with their time management and about a third were dissatisfied. It then argues that the roots of this issue go beyond individual time management and require organizational solutions such as time budgets, better organizational design, tools, and incentives. Several articles in the document explore how senior leaders can better prioritize efforts to align their organizations and boost productivity through improved time management, social media skills, and increasing the meaningfulness of work. The document aims to help executives address challenges of limited time in leading their organizations effectively.
Stringent corporate governance and accountability reforms that followed the corporate failures of the past have dramatically changed today's business environment, placing great responsibility on management and demanding seamless operations. Organizations across the globe are constantly being challenged to navigate a proliferation of new standards and expectations in a way that supports performance objectives, sustains value, and protects the organization's brand. Whether we like it or not, all corporations have to comply with regulations and at the same time establish their credibility with investors, other stakeholders, and the broader public. All these factors, brought together, have fuelled the convergence of the distinct yet entwined disciplines of Governance, Risk, and Compliance (GRC).
This document provides feedback on COSO's Enterprise Risk Management exposure draft from members of the Institute of Risk Management's Special Interest Group in Enterprise Risk Management for Banking and Financial Services.
The feedback addresses three key areas: 1) general comments welcoming the comprehensive nature of the draft but recommending more detail on some topics like risk aggregation, 2) conceptual discussions seeking clarification on uncertainty, likelihood, and key risk indicators, and 3) inclusion of "The New Global Conduct Risk Paradigm" which presents an interpretation of how to effectively implement enterprise risk management to include conduct risk. The feedback aims to strengthen the exposure draft's guidance on integrating risk management.
This document is a dissertation submitted by Mohit Kumar to Leeds University Business School in partial fulfillment of an MSc in Finance and Investment. The dissertation examines the impact of managerial ownership on firm performance during a financial crisis using a sample of 180 UK firms from 2009-2011. The dissertation includes an abstract, acknowledgements, table of contents, literature review on the relationship between ownership structure and firm performance, research methods and methodology, findings and conclusions.
The 2015 survey uncovers the latest issues organizations are facing as they respond to risks, assess the effectiveness of their risk mitigation activities and gain a deeper understanding of what they are doing to address cybersecurity.
This document discusses organizational units (OUs) in Active Directory and different types of group structures. It provides information on basic managerial groups and OU reports that can be generated from AD Manager Plus. These reports include all OUs, empty OUs, recently created/modified OUs, and OUs linked to group policy objects. The document concludes that Active Directory provides an infrastructure for collaboration between organizations when designing delegation of administration, and that a single forest design with a single IT organization can enable maximum collaboration with least management cost.
Research Methods Assignment - The Relationship among board of director charac... (Amany Hamza)
This report attempts to critically analyse the research paper:
Dunn, P., & Sainty, B. (2009). The relationship among board of director characteristics, corporate social performance and corporate financial performance. International Journal of Managerial Finance, Vol. 5 No. 4, pp. 407-423.
Corporate social-and-financial-performance-an-extended-stakeholder-theory-and... (Jan Ahmed)
This document summarizes a research article that empirically analyzes the relationship between corporate social performance (CSP) and corporate financial performance (CFP). The study extends stakeholder theory by considering stakeholder heterogeneity and incorporating insights from prospect theory. It analyzes a panel dataset of S&P 500 companies from 1997-2002 that includes disaggregated measures of CSP. The study finds that a reputation for CSP is more strongly related to CFP for secondary stakeholders than primary stakeholders. It also finds that the negative impact of bad CSP on CFP is larger than the positive impact of good CSP, due to prospect theory's concept of losses looming larger than gains. The study contributes to research by taking a more nuanced view of how different
SEO Ranking Factors – Rank Correlation 2013 for Google USA (conkor)
Top highlights of 2013:
1. Keyword domains and keyword links have lost relevance (Ranking factors: losers)
2. Brands are the exception to many rules
3. Social signals continue to correlate very well with better rankings
4. Good content is always important: it comes down to quality!
5. The number of backlinks remains immensely important
6. On-page technology remains one of the basics
SERP & SEO RANKING FACTORS 2013 - SOCIAL SIGNALS IMPACTS QUANTIFIED (Helena Ronstroso)
An amazing study compiled since January from millions of data points, showing the impact of social signals on SERPs and SEO. What makes it amazing is that it is broken down into one simple chart, so you don't even have to read it if you don't want to.
This document summarizes seven commonly held myths about boards of directors that are not supported by empirical evidence. The myths discussed include: 1) an independent chairman always provides better oversight; 2) staggered boards always harm shareholders; 3) directors meeting independence standards are truly independent; 4) interlocked directorships reduce governance quality; 5) CEOs make the best directors; 6) directors face significant liability risks; and 7) company failure is always the board's fault. The document reviews relevant research studies for each myth and finds mixed or inconclusive evidence regarding their impact. It concludes that more attention should be paid to the board process rather than just its structural features in evaluating governance quality.
- The document discusses new ISO standards issued in 2009 related to risk management: ISO 31000 on risk management principles and guidelines, ISO Guide 73 on risk management vocabulary, and ISO/IEC 31010 on risk assessment techniques.
- It provides an overview of key aspects of ISO 31000, including that it takes a principles-based rather than performance-based approach and requires organizations to formalize risk management processes.
- It also summarizes seven innovations introduced by the ISO 31000 series according to an expert in the field.
Governance and risk in information technology.pdf (bkbk37)
This document discusses applying a governance, risk, and compliance (GRC) framework to an IT project at Al Dhafer Hospital. It instructs the reader to:
1) Convert survey questions into Google forms for distribution
2) Follow case studies and apply their methods from an attached paper on GRC strategic alignment
3) Interview three people from different positions at the hospital to get their views on GRC practices and challenges
13 Top GRC Tools for an Integrated Governance, Risk and Compliance Strategy (QuekelsBaro)
Integrate business governance, risk, and compliance control using these top 13 GRC tools. Lower business costs, collaborate and meet compliance mandates.
2017 coso-erm-integrating-with-strategy-and-performance-executive-summary (VALUES & SENSE)
This document provides an executive summary of an updated framework for enterprise risk management published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in June 2017. The updated framework emphasizes integrating enterprise risk management with strategy and performance. It highlights how considering risk can increase opportunities and improve outcomes. Organizations that effectively apply enterprise risk management can benefit from increased opportunities, improved performance and reduced variability, better resource allocation, and enhanced resilience. The framework is intended to help both management and boards oversee risk and optimize strategy.
Due to the current instability in the business world, organizations should be able to anticipate changes and have coherent responses at hand to manage risks effectively, create value, build good relations, increase profit and improve competitive positioning.
A report titled Exploring Strategic Risk, issued in 2013 for Forbes Insights by Deloitte, contains some very important conclusions for the business community. 300 executives from around the world were interviewed for the study, in an attempt to find out their vision of risk strategy and current changes, and to analyse how organizations should face these new challenges.
Sometimes it is difficult to link risks to a specific financial impact and not all data are pertinent to the evaluation of emerging risks. That's why companies have to be aware of internal risks and manage them well in order to be able to manage external risks and invest into strategic assets such as human capital, clients and innovation.
This insight explains the case of financial services as the sector that generates the least trust, due to short-sightedness, a lack of values and a lack of professional education that resulted in corruption and bad practices, which compromised the financial sector.
The report A Crisis of Culture: Valuing Ethics and Knowledge in Financial Services examines the role of integrity and knowledge in restoring culture in the financial services industry. The conclusions appear in the full version of this document.
The financial industry is just one example in the wider panorama. Lack of values is widespread and creates significant risks. Bad practices trigger problems such as loss of profit, loss of reputation and even loss of shareholders, clients and employees.
The crisis, as well as the arrival of new technologies, urges companies to maintain their good practices and emphasize aspects such as ethics, leadership, commitment, performance, transparency and sustainability.
The digital revolution and social networks encourage companies to be more transparent: companies meet their promises and obligations, deliver a coherent dialogue and improve the relationship with their stakeholders.
Application of values raises the possibility of good results and profits for companies through improvement of their reputation and business as well as optimization of resources. This certainly creates competitive advantages, establishes a strong cultural connection and improves employees’ motivation.
Before taking any decision, an institution should keep in mind the fact that it needs implicit and explicit public approval. Good business management implies risk management, creating a climate of trust, good will, credibility, social commitment and empathy between stakeholders and the company.
This document discusses risk management in the corporate sector and the role of corporate governance. It makes three key points:
1) Corporate governance is important for managing and reducing risk in organizations, as good governance can help firms avoid risks that could damage them. Managing risk effectively allows firms to maximize profits and maintain a healthy environment.
2) There are newer and more complex risks emerging for corporate boards to oversee, such as reputational risk from a lack of transparent reporting and cybersecurity risks from increased technology usage. Boards must understand the risks companies face to make strategic decisions.
3) Effective risk management involves identifying, assessing, and prioritizing all potential risks. While eliminating all risk is impossible, corporate boards
Audits have shifted their traditional focus from cost control towards a global strategy of risk management, governance, value creation, and organizational culture. Auditing is a representative element of corporate culture because it defines how companies think and act, but management decisions are the true reflection of how a company thinks and acts. Thus, this area grows in importance thanks to its direct participation in risk management and value creation.
Building-world-class-ethics-and-compliance-programs.pdf (L. S.)
This document discusses the key ingredients of a world-class ethics and compliance program. It identifies five key ingredients: Tone at the top, corporate culture, compliance risk assessments, the Chief Compliance Officer, and testing and monitoring. For tone at the top, it emphasizes that the board, CEO, and CCO play critical roles in setting the expectations and values that instill a culture of integrity throughout the organization. Corporate culture involves initiatives that contribute to an ethical and compliant culture. Compliance risk assessments identify and address the most significant risks facing the organization. The CCO oversees management of compliance risks on a daily basis. Testing and monitoring helps ensure controls are effective through implementation, testing, auditing and monitoring on a regular basis
ASSESSING THE RELATIONSHIP EFFECTIVE RISK ANALYSIS HAVE ON BUSINESS SUCCESS (Robin Beregovska)
This document discusses risk analysis and its importance for business success. It begins by defining risk and explaining the history and evolution of risk management. The main points are:
1) Risk analysis identifies and analyzes issues that could jeopardize a business or project's success. It allows companies to assess risks and determine the best choices.
2) Conducting risk analysis provides several benefits like easier risk identification, higher quality decision-making data, improved communication, and more accurate budgeting.
3) While subjectivity and the treatment of improbable risks are cited as criticisms, overall risk analysis is a crucial process that helps companies achieve their objectives and minimize negative impacts.
This document discusses several key theories related to organizational behavior:
- Open system theory views an organization as a system with inputs, transformations, outputs, boundaries, and feedback. It focuses on how an organization interacts with its environment.
- The six-box model is an effective diagnostic tool that examines an organization's strategy, structure, rewards, relationships, leadership, and processes. It can help identify strengths, weaknesses, and improvement opportunities.
- Organizational culture and structure greatly impact performance. A supportive culture with employee affiliation leads to higher retention, while appropriate structure is needed for efficiency. Cross-functional teams can boost creativity but also conflict if not managed properly.
The document discusses standards that must be followed by Wright Aircraft Corp to enable an effective information security program, noting that compliance is mandatory though deviation is possible with approval. The standards define minimum baseline procedures, practices, and configurations for systems and related topics to provide a single reference point during various stages of development and contracting. However, the standards do not provide detailed instructions for how to meet the company's policies.
This document discusses establishing the context for an organizational risk management program. It recommends defining objectives, metrics, and how the program supports business goals. Risk managers are under increased pressure to formalize processes given new scrutiny from boards and executives. The document also stresses the importance of understanding an organization's internal and external contexts to ensure risk management programs fit their environments and add value.
DISUSSION-1RE Chapter 15 Embedding ERM into Strategic Planning.docx (madlynplamondon)
DISCUSSION-1
RE: Chapter 15: Embedding ERM into Strategic Planning at the City of Edmonton
The two strategic processes
The two strategic processes which are tightly connected to ERM in the current scenario of Edmonton City ERM implementation are:
Results based budgeting and Performance measurement.
Results based budgeting (RBB):
ERM helps organizations to allocate resources based on the requirements for completing the tasks and producing the desired output. The RBB assists in determining the funding allocation requirements which are mandatory to fulfill the strategic objectives of the organization. This budget formulation is performed based on predefined objectives such as priority, resource availability and expected results, etc. Here the expected results represent the desired outputs which the organization expects in order to meet its strategic goals. In simple words, results-based budgeting is about emphasizing performance and accountability.
Performance measurement:
Continuous performance measurement helps organizations to drive progress in risk mitigation and provides insights into where additional attention is required. Key performance indicators (KPIs) can be used to measure the effectiveness of risk management activities. Performance measurement in ERM sends the list of desired outcomes to RBB and receives a list of prioritized programs and costs to ensure ERM works at its full potential (Fraser, J., Simkins, B. J., & Narvaez, K., 2015).
Two criteria must be balanced in a successful ERM model
The two criteria are model power and user-friendliness. A powerful model can provide a large amount of information and lets the organization compare the results and risks, the effectiveness of the current program and the impact of future initiatives. A user-friendly program makes it easy to add information and new features, and is easy for the user to understand in simple steps. User-friendliness also means that, if needed, some unnecessary steps can be removed without losing model robustness (Fraser, J., Simkins, B. J., & Narvaez, K., 2015).
Thank you
References
Fraser, J., Simkins, B. J., & Narvaez, K. (2015). Implementing enterprise risk management: Case studies and best practices. Hoboken: Wiley.
DISCUSSION-2
1. What the other strategic processes are closely tied to ERM?
The strategic processes may have a success strategy which is linked to the command of risk and organization understanding. The selection of strategy is an exercise of high stakes. Approx. 80% of the underperformers may, against the industry, have lost their way over the prior 10 years because of blunders that are strategic, according to the business and strategy magazine. It may blame the failure on operations errors and external events or compliance faults.
2. What three kinds of risks are identified within the city of Edmonton?
There may be three risks which may involve avoidance or risk termination, tolerance or acceptance of ...
The report A Crisis of Culture: Valuing Ethics and Knowledge in Financial Services examines the role of integrity and knowledge in restoring culture in the financial services industry. The conclusions appear in the full version of this document.
The financial industry is just one example in the wider panorama. Lack of values is widespread and creates significant risks. Bad practices trigger problems such as loss of profit, loss of reputation and even loss of shareholders, clients and employees.
The crisis, as well as the arrival of new technologies, urges companies to maintain their good practices and emphasize aspects as ethics, leadership, commitment, performance, transparency and sustainability.
The digital revolution and social networks encourage companies to be more transparent: companies meet their promises and obligations, deliver a coherent dialogue and improve the relationship with their stakeholders.
Application of values raises the possibility of good results and profits for companies through improvement of their reputation and business as well as optimization of resources. This certainly creates competitive advantages, establishes a strong cultural connection and improves employees’ motivation.
Before taking any decision, an institution should keep in mind the fact that it needs implicit and explicit public approval. Good business management implies risk management, creating a climate of trust, good will, credibility, social commitment and empathy between stakeholders and the company.
This document discusses risk management in the corporate sector and the role of corporate governance. It makes three key points:
1) Corporate governance is important for managing and reducing risk in organizations, as good governance can help firms avoid risks that could damage them. Managing risk effectively allows firms to maximize profits and maintain a healthy environment.
2) There are newer and more complex risks emerging for corporate boards to oversee, such as reputational risk from a lack of transparent reporting and cybersecurity risks from increased technology usage. Boards must understand the risks companies face to make strategic decisions.
3) Effective risk management involves identifying, assessing, and prioritizing all potential risks. While eliminating all risk is impossible, corporate boards
Audits have changed their traditional focus from cost control towards a global strategy of risk management, governance, value creation, and organizational culture. Auditing is a representative element of corporate culture because it defines how companies think and act, but manage decisions are the true reflection of how a company thinks and acts. Thus, this area expands its importance thanks to its direct participation in risk management and value creation.
Building-world-class-ethics-and-compliance-programs.pdfL. S.
This document discusses the key ingredients of a world-class ethics and compliance program. It identifies five key ingredients: Tone at the top, corporate culture, compliance risk assessments, the Chief Compliance Officer, and testing and monitoring. For tone at the top, it emphasizes that the board, CEO, and CCO play critical roles in setting the expectations and values that instill a culture of integrity throughout the organization. Corporate culture involves initiatives that contribute to an ethical and compliant culture. Compliance risk assessments identify and address the most significant risks facing the organization. The CCO oversees management of compliance risks on a daily basis. Testing and monitoring helps ensure controls are effective through implementation, testing, auditing and monitoring on a regular basis
ASSESSING THE RELATIONSHIP EFFECTIVE RISK ANALYSIS HAVE ON BUSINESS SUCCESSRobin Beregovska
This document discusses risk analysis and its importance for business success. It begins by defining risk and explaining the history and evolution of risk management. The main points are:
1) Risk analysis identifies and analyzes issues that could jeopardize a business or project's success. It allows companies to assess risks and determine the best choices.
2) Conducting risk analysis provides several benefits like easier risk identification, higher quality decision-making data, improved communication, and more accurate budgeting.
3) While subjective and improbable risks are criticisms, overall risk analysis is a crucial process that helps companies achieve their objectives and minimize negative impacts.
This document discusses several key theories related to organizational behavior:
- Open system theory views an organization as a system with inputs, transformations, outputs, boundaries, and feedback. It focuses on how an organization interacts with its environment.
- The six-box model is an effective diagnostic tool that examines an organization's strategy, structure, rewards, relationships, leadership, and processes. It can help identify strengths, weaknesses, and improvement opportunities.
- Organizational culture and structure greatly impact performance. A supportive culture with employee affiliation leads to higher retention, while appropriate structure is needed for efficiency. Cross-functional teams can boost creativity but also conflict if not managed properly.
The document discusses standards that must be followed by Wright Aircraft Corp to enable an effective information security program, noting that compliance is mandatory though deviation is possible with approval. The standards define minimum baseline procedures, practices, and configurations for systems and related topics to provide a single reference point during various stages of development and contracting. However, the standards do not provide detailed instructions for how to meet the company's policies.
This document discusses establishing the context for an organizational risk management program. It recommends defining objectives, metrics, and how the program supports business goals. Risk managers are under increased pressure to formalize processes given new scrutiny from boards and executives. The document also stresses the importance of understanding an organization's internal and external contexts to ensure risk management programs fit their environments and add value.
DISUSSION-1RE Chapter 15 Embedding ERM into Strategic Planning.docxmadlynplamondon
DISUSSION-1
RE: Chapter 15: Embedding ERM into Strategic Planning at the City of Edmonton
COLLAPSE
Top of Form
The two strategic processes
The two strategic processes which are tightly connected to ERM in the current scenario of Edmonton City ERM implementation are:
Results based budgeting and Performance measurement.
Results based budgeting (RBB):
ERM helps organizations to allocate the resources based on the requirement for completing the tasks and to produce the desired output. The RBB assists to determine the funding allocation requirements which are mandatory to fulfill the strategic objectives of organization. This budget formulation is performed based on predefined objectives such as priority, resource availability and expected results etc. here the expected results represents the desired outputs which organization expects to meet its strategic goals. In simple words the Results-based budgeting is about emphasizing performance and accountability.
Performance measurement:
The continuous performance measurement helps organizations to drive the progress in risk mitigation and it provides insights where additional attention is required. The Key performance indicators (KPIs) can be used to measure the effectiveness of risk management activities. The Performance measurement in ERM sends the list of desired outcomes to RBB and receives list of prioritized programs and costs to ensure ERM works at its full potential (Fraser, J., Simkins, B. J., & Narvaez, K., 2015).
Two criteria’s must be balanced in a successful ERM model
The two criteria are model power and user-friendliness. The powerful model can provide large amount of information and lets the organization to compare the results and risks, effectiveness’ of current program and impact of future initiatives. The user friendliness program helps to easily add information, add new features and easy to understand by the user with simple steps. The user friendliness also includes if needed some unnecessary steps could also be removed without losing model robustness (Fraser, J., Simkins, B. J., & Narvaez, K., 2015).
Thank you
References
Fraser, J., Simkins, B. J., & Narvaez, K. (2015). Implementing enterprise risk management: Case studies and best practices. Hoboken: Wiley.
Bottom of Form
DISCUSSION-2
1. What the other strategic processes are closely tied to ERM?
The strategic processes may have success strategy which is linked to the command of risk and organization understanding. The selection of strategy is an exercise of high-stakes. Approx. 80% of the underperformer may against the industry who have lost their wat over the prior 10 years because of blunder who are strategic and the business and strategy magazine. It may blame on failure on operations errors and the external event or compliance fault.
2. What are three kinds of risks are identified within the city of Edmonton?
There may be three risks which may involve avoidance or risk termination, tolerance or acceptance of ...
The document provides a framework for developing and implementing a corporate sustainability strategy plan. It begins by discussing surveys that found awareness of sustainability's importance is growing among executives, but there is lack of consensus on what matters and how to measure its impact. The plan's goals are to help the company be recognized as accountable, assure capital market access, outperform on sustainability returns, and build reputation. The proposed framework involves 6 phases: 1) creating a sustainability culture, 2) mapping strategy areas, 3) benchmarking governance and finance standards, 4) assessing issues, 5) setting strategies and goals, and 6) an action plan. Benchmarking to standards like the Equator Principles and Dow Jones Sustainability Index can help lower costs
This document discusses the value of governance, risk, and compliance (GRC) initiatives for organizations. It notes that increased regulations, data security risks, and a competitive environment are driving organizations to better manage their data and risks through GRC programs. However, implementing GRC solutions can be challenging due to their technical nature and perceiving them only as reactive compliance tools. The document aims to show GRC as strategic, enterprise-wide initiatives that integrate compliance, risk management, and other business functions to provide long-term business advantages beyond just meeting regulations.
This document discusses the value of governance, risk, and compliance (GRC) initiatives for organizations. It notes that increased regulations, data security risks, and a competitive environment are driving organizations to better manage their data and risks through GRC programs. However, implementing GRC solutions can be challenging due to their technical nature and perceiving them only as reactive compliance tools. The document aims to show GRC as strategic, enterprise-wide initiatives that integrate compliance, risk management, and other business functions to provide long-term business advantages beyond just meeting regulations.
Discussion1Explaining the results of Efficient Frontier Analysis.docxmadlynplamondon
The document discusses efficient frontier analysis and its uses in strategic risk management. It explains that efficient frontier analysis uses modern portfolio theory to help organizations optimize their risk portfolios by finding the combination of risks that provides the highest expected return for a given level of risk. This allows organizations to make better decisions about managing and insuring different types of risks. The document also provides a sample case study showing how efficient frontier analysis can be applied to evaluate different options for managing earthquake exposure, workers' compensation insurance, and general liability insurance risks.
Audit Reporting For Going-Concern Uncertainty A Research SynthesisChristina Bauer
This research synthesis reviews literature on auditors issuing modified audit opinions (GCOs) for going-concern uncertainty. It identifies three areas of research: 1) determinants of GCOs including client, auditor, and environmental factors, 2) accuracy of GCOs in predicting bankruptcy, and 3) consequences of GCOs for clients and auditors. The synthesis analyzes data on overall GCO rates in the US from 2000-2010, finding rates increased after major corporate failures but have since remained steady. Most GCOs are issued to smaller companies, and 60% of bankruptcies were preceded by a GCO.
2021 Global Study of Organisation Resilience in times of disruption, by ODTI & University of Groningen Masters’ Program finds that ‘Resilience in times of Disruption is both Predictable & Actionable’. The study covered the period of January 2020 to June 2021 a critical Global Disruption caused by the Covid-19 Pandemic.
The study participants came from many Industries, Geographies and Size of Organisation and the detailed report includes breakdowns and some interesting findings. You can access the full report on this link. https://bit.ly/orgresilience2021
2017 Esther R. Sawyer Research Award Manuscript
On recognizing Internal Audit’s role in GRC
Submitted to:
The Institute of Internal Auditors
Submitted by:
Andrew John Hagen
March 1, 2017
Essay Topic:
GRC has evolved rapidly in recent years and Internal Audit has taken notice.
What are the appropriate roles of Internal Audit in GRC and how does internal auditing
best support those GRC efforts?
As GRC continues to evolve, in which ways do you see internal auditing evolving further to keep up with this trend and continue to effectively communicate to stakeholders?
Contents
Acknowledgements
Introduction
Understanding the GRC Framework
Internal Audit’s Role in the GRC Framework
Governance and the Internal Audit Function
Risk Management and the Internal Audit Function
Compliance and the Internal Audit Function
Moving Forward: Areas of Focus in the Future of Internal Auditing
  Analytics
  Cybersecurity Vulnerabilities
Conclusion
Acknowledgements
The LSU Flores MBA Program and the LSU Center for Internal Auditing have made a profound impact on my development as both a student and professional over the last two years. The knowledge acquired from participating in these programs is the sole reason why I am able to officially submit this essay to the Institute of Internal Auditors. I would like to thank the following individuals for their tremendous support, guidance, and motivation during my time as a Graduate student at Louisiana State University:
Glenn E. Sumners, DBA, CIA, CFE, Director, Louisiana State University Center for Internal Auditing
Destin Harcus, CPA, Manager, Deloitte Advisory
Dana Hart, Director, Louisiana State University Flores MBA Program
Seth M. Thibodaux, Associate Director, Louisiana State University Flores MBA Program
My experiences in interacting with and learning from these individuals have helped shape the work in this manuscript. I hope any knowledge gained from the following pages will benefit industry professionals in the future.
Introduction
In recent decades the business environment has experienced a number of unprecedented issues, surprises, and negative events that have increased organizations’ focus on Governance, Risk Management, and Compliance (GRC) initiatives. These occurrences have dramatically increased the roles and responsibilities of the Internal Audit Function within the organization. Events such as the collapse of Enron, the British Petroleum (BP) oil spill, the 2008 financial crisis, and the British exit from the European Union have shaken the industrial, financial, and environmental foundations on which the affected organizations and markets were built. Over the years, incidents such as these have led directly to legislation that renewed the importance of governance, risk management, and compliance functions throughout the world. As the global business environment grew, so too did the regulatory environment, which produced federal workplace regulations, accounting standards, and financial reforms intended to shield the public, the environment, and the economy from similar future disasters. Coupled with the expansion of technology, this growth in regulation gave rise to new organizational exposures that include, but are not limited to, cybersecurity, intellectual property, and business continuity risks. To address these risks and other issues facing organizations worldwide, many boards of directors have chosen to implement an overarching framework known as ‘GRC’ that aims to integrate, validate, and optimize a firm’s governance, risk management, and compliance processes.
In an effort to recognize Internal Audit’s role in an organization’s Governance, Risk Management, and Compliance Functions, this manuscript will begin by explaining the GRC Framework from the ground up. This explanation will show how the GRC Framework is established, what the framework looks like in action, and the particular benefits the GRC Framework can provide to an organization. Next, this manuscript will define and assess Internal Audit’s organizational role within the GRC Framework as a whole. With Internal Audit’s organizational role established, we will look more closely at each individual function of GRC and Internal Audit’s appropriate role in support of those functions. Throughout the following pages, readers will be provided with figures that aim to enhance their understanding of the Internal Audit Function and the GRC Framework in its entirety. To conclude, this research paper will address two key areas, analytics and cybersecurity vulnerabilities, that the Internal Audit Function must focus on moving forward if it is to continue to effectively provide value to stakeholders throughout the organization.
Understanding the GRC Framework
In its Maturity Model for an Integrated GRC, the Open Compliance and Ethics Group (OCEG) formally defines the GRC Framework as a holistic system of people, processes, and technology that enables an organization to: [1]
Understand and prioritize stakeholder expectations.
Set business objectives that are congruent with the organization’s values and risks.
Optimize its risk profile and protect value.
Operate within relevant legal, contractual, internal, social, and ethical boundaries.
Provide relevant, reliable, and timely information to appropriate stakeholders.
As organizations become more forward-thinking, the GRC Framework serves as a well-coordinated approach to maintaining all of the functions and capabilities necessary to support optimal organizational performance. Carole Switzer, President of the OCEG, supports this notion and states that the integrated GRC Framework “has the potential to provide organizations with a uniform view of information so as to align risk management with objectives in order to reduce complexity and harness technology for optimal performance.” [2] Figure 1 depicts the GRC Framework as illustrated by Strategic Finance magazine. [3]
[1] A Maturity Model for Integrated GRC (Rep.). (2016). Phoenix, AZ: OCEG.
[2] IIA. (2010, August). What GRC Could Mean to Your Organization. Tone at the Top, (48).
[3] Frigo, M. L., & Anderson, R. J. (2009, February). A Strategic Framework for Governance, Risk, and Compliance. Strategic Finance.
Figure 1: The GRC Framework
Establishing the GRC Framework begins when an organization’s Board of Directors and Senior Management Team implement the firm’s Enterprise Risk Policy and Appetite. This policy, approved by the Board of Directors, represents the organization’s strategic approach to managing risk, in part by determining the appropriate risk appetite of the firm. The Enterprise Risk Policy also establishes the role of each Governance, Risk, and Compliance Function across the organization, represented by the vertical columns in Figure 1. In addition to establishing each function’s role, an organization’s Enterprise Risk Policy defines the overall goal of value creation as well as the expectations for the working relationships and sharing of knowledge amongst employees across the organization. While each function serves a unique role in the organization, the GRC Framework calls for combining these functions around the shared goal of managing risks through integration. The horizontal rows depicted at the bottom of the framework represent the common elements that are intended to be leveraged across each function in order to improve the overall efficiency and effectiveness of the organization’s governance, risk, and compliance efforts. Those elements include the sharing of risk assessments, the identification of emerging risks facing the organization, and the monitoring of key risk indicators (KRIs).
With no GRC Framework in place, many organizations face the threat of becoming fragmented, vulnerable, and siloed. When an organization becomes siloed, “groups or departments within that organization operate inside a vacuum with little functional access to other groups, or little communication with them.” [4] This leads to delays in the communication of important issues and decisions facing the organization. As a result, many functions can only react to situations as they occur rather than anticipate these issues proactively. This can stagnate the organization, hinder its growth, and eviscerate its value creation. Figure 2 illustrates in greater detail the issues an organization encounters when departments are siloed and the GRC Framework is absent. As shown, forgoing an integrated GRC approach leads organizations into pitfalls that harm stakeholder value and prevent the organization from achieving its optimal performance. [5]
However, if adopted and appropriately aligned with the organization the GRC Framework can
help ensure controls operate effectively, resources are used efficiently, and risks are addressed as
intended. Figure 3 illustrates this by depicting an organization with the GRC Framework in place. This
organization experiences streamlined processes, integrated data-sharing, and a common dialogue
throughout the entire enterprise. As a result of these benefits, the organization as a whole experiences
4 Gettier, L. (2014, March 11). BreakingDown WorkplaceSilos. Retrieved December 1, 2016, from
http://www.ceoinstitute.com/resources/ceos-desk/blog-article/breaking-down-workplace-silos/
5 I. (2010, August). What GRCCouldMean to You Organization. Tone at the Top, (48).
Figure2: Pitfalls of a anorganizationwithout GRC
8. 7
lower cost associated with the management of their controls. Most importantly, however, is the
assurance provided to the board and senior management that the entire system of internal control is
effective and high-performing.
Figure 3: An Organization with GRC

Internal Audit's Role in the GRC Framework

As a primary component of the GRC Framework, the Internal Audit Function is uniquely positioned to support an integrated, proactive organizational environment that strives to achieve optimal performance. In this position it is easy to recognize the immense responsibilities of the Internal Audit Function in each individual field of Governance, Risk Management, and Compliance. Yet in order to understand the Internal Audit Function's position in guiding and supporting the GRC Framework, the role of the Internal Audit Function must first be acknowledged. The Institute of Internal Auditors' International Professional Practices Framework (IPPF) defines Internal Auditing as:

An independent, objective assurance and consulting activity designed to add value and improve an organization's operations.6
As an independent and objective function of the organization, two essential ways in which the Internal Audit Function provides value to an enterprise are by (1) providing objective assurance that major business risks are being managed appropriately and (2) assuring that the enterprise-wide risk management and internal control framework is operating effectively.7 The Institute of Internal Auditors (IIA) views the Internal Audit Function in these roles as "helping an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes." Given the proper support, the Internal Audit Function can also aim to analyze and interpret information to help management identify the major business challenges facing the firm. Further responsibilities of the Internal Audit Function within the GRC Framework include the following:8

Assisting in the development of an enterprise-wide risk management (ERM) strategy.
Making recommendations on systems and processes.
Offering best practice advice and implementation assistance.

The Internal Audit Function should also look to quantify potential areas of cost savings for the organization and balance the goal of establishing adequate organizational controls with the goal of creating efficient and effective operations. Recognizing and understanding these responsibilities proves that the Internal Audit Function serves as a key component in the continuous effort to bridge the gaps between an organization's Governance, Risk Management, and Compliance Functions.
Governance and the Internal Audit Function

Sir Adrian Cadbury, who chaired the committee behind the 1992 Cadbury Report on Corporate Governance, once stated that governance is "concerned with holding the balance between economic and social goals and between individual and communal goals." Governance, therefore, is not only set up to encourage the efficient use of resources but also necessitates accountability for the stewardship of those resources. As Sir Cadbury explained, "The aim is to align as nearly as possible the interests of all individuals, corporations, and society."9 Establishing and maintaining a culture of sound governance should be a top priority for all Boards of Directors, especially when considering the potential harm an organization can experience for failing to do so. In fact, when surveyed on this matter, nine in ten business leaders stated that they believe culture to be important to a robust and actionable governance framework.10 Failing to establish a culture of effective governance is a serious threat that can bring down seemingly even the most prominent of institutions. As an example, consider the origins of the 2008 Financial Crisis. In the wake of the global recession, there remains a justifiable and persuasive argument that the economic failures of major U.S. financial institutions brewed from shortfalls in corporate governance. Jefferson Wells' position paper titled "Internal Audit: From Corporate Policeman to Strategic Partner in GRC Success" suggests that, at a simplistic level, management deployed overly complex financial products that hindered effective supervisory and governance controls. Combined with the dubious and unethical practice of approving loans with a high probability of default, this led the United States to experience its worst economic downturn since the Great Depression.

6 Institute of Internal Auditors (IIA). Definition of Internal Auditing. International Professional Practices Framework. Retrieved December 1, 2016.
7 Institute of Internal Auditors (IIA). 2004. The Role of Internal Auditing in Enterprise-wide Risk Management (November). Altamonte Springs, FL: The Institute of Internal Auditors.
8 Internal Audit: From Corporate Policeman to Strategic Partner in GRC Success [PDF]. (2009, August). Jefferson Wells, Inc.
To effectively govern an organization, Boards of Directors should be held to three legal standards: Duty of Care, Duty of Loyalty, and Duty of Obedience. According to The Bridgespan Group, Duty of Care describes the level of competence that is expected of a board member. It is expressed as the care that a reasonably prudent person would exercise in the same position and under similar circumstances. Duty of Loyalty is the board member's standard of faithfulness. It asserts that a board member should never use information obtained from his or her position in the organization for personal gain. Instead, the board member must act in the best interest of the organization. Finally, Duty of Obedience requires that board members be faithful to an organization's mission. By doing so, they are not permitted to act in a way that is inconsistent with the central goals of the organization.11

To reduce the possibility of infringing upon the duties owed to an organization's stakeholders, the Board of Directors should work with Senior Management and the Internal Audit Function to: (1) establish ethical codes and policies, (2) decrease vulnerability to fraud and misconduct, (3) create sound upward feedback channels, (4) regularly communicate cultural values and behaviors to every member of the organization, and (5) demonstrate integrity and advocate corporate responsibility.

9 Sir Adrian Cadbury, UK, Commission Report: Corporate Governance 1992
10 Corporate Governance: The Tone from the Top (p. 3, Publication). (2015). Grant Thornton.
11 What Are the Legal Responsibilities of Nonprofit Boards? Retrieved December 01, 2016, from https://www.bridgespan.org/insights/library/boards/legal-responsibilities-nonprofit-boards
Oftentimes, Senior Management and the Board of Directors will call upon the Internal Audit Function to help provide assurance that risks are appropriately identified and monitored and that organizational processes are effectively controlled. The IIA's Performance Standard 2110 expands on this role and states that the Internal Audit Function must assess and make appropriate recommendations for improving the governance process of an organization in its accomplishment of the following objectives:12

Promoting appropriate ethics and values within the organization.
Ensuring effective organizational performance management and accountability.
Effectively communicating risk and control information to appropriate areas of the organization.
Coordinating and communicating information among the board, internal and external auditors, and management.

More recently, governance has expanded to also include management's crucial role in setting the "tone at the top", or rather, the organization's commitment towards openness, honesty, integrity, and ethical behavior.13 This expansion requires that the Internal Audit Function be mindful of potential conflict with management when assessing the effectiveness of the organization's governance processes while simultaneously reporting to the Audit Committee of the Board of Directors regarding the "tone at the top". To adhere to this responsibility, the Internal Audit Function should, at least annually, carry out an assessment regarding the overall effectiveness of the GRC Framework in the organization. Upon completion, the results of this assessment should be communicated directly to the organization's board. The Internal Audit Function should also work to ensure the organization's internal control framework is operating effectively by assessing, evaluating, and reporting on the enterprise's:

Board composition regarding skills, experience, independence, etc.
Audit committee activity and involvement in risk oversight
Legislative and regulatory requirement compliance
Business conduct and ethics
Organizational accounting practices

12 Practice Advisory 2110: Governance Definition, Institute of Internal Auditors
13 Boise State University. (2016). Internal Controls and Tone at the Top. InternalAudit.BoiseState.edu. Retrieved December 1, 2016.
Risk Management and the Internal Audit Function

Although an organization's Board of Directors has ultimate responsibility for ensuring that risks are managed appropriately, in practice this responsibility is often delegated to the senior management team. One popular framework seen across organizations today is the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) Enterprise Risk Management (ERM) Framework. Defined as "a structured, consistent, and continuous process across the organization," ERM is utilized in "identifying, assessing, and deciding on responses to opportunities and threats that affect the achievement of organizational objectives."14 Following the release of the ERM Framework, many audit professionals debated the role the Internal Audit Function should assume in the risk management process. COSO's ERM Framework directed the Internal Audit Function to "assist management and the board of directors by examining, evaluating, and reporting on the adequacy and effectiveness of the organization's enterprise risk management" (COSO 2004). According to John Hall, recipient of the IIA's 2007 Esther R. Sawyer Research Award, this shift of internal audit from a traditional monitoring and assurance role to one of consulting and general oversight of the entire risk management process was not wholeheartedly embraced, nor was it fully understood.15 Some organizations instructed internal audit departments to assume ownership over business risks while others restrained the Internal Audit Function to a strict monitoring role.

In response to this uncertainty, the IIA released the position paper "The Role of Internal Auditing in Enterprise-wide Risk Management." This position paper suggested particular ways for internal auditors to maintain the objectivity and independence required by the IIA's professional standards while providing assurance and consulting services (IIA 2004). More importantly, this paper clarified which roles the Internal Audit Function should and should not be involved in throughout the ERM process. The IIA divided these roles into three key areas: (1) core internal audit roles in regard to ERM, (2) legitimate internal audit roles with safeguards, and (3) roles internal audit should not undertake due to independence impairment. The IIA organized this information into a graphic, shown below, which is commonly referred to as the "ERM Fan" (IIA 2004).

Figure 4: The ERM Fan

14 Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2004), Enterprise Risk Management – Integrated Framework, New York, COSO
15 Hall, J. (2007). Internal Auditing and ERM: Fitting In and Adding Value. Manuscript, The University of Texas at Dallas, Dallas, TX.
Within the ERM Framework, the core role of the Internal Audit Function is to provide objective assurance to the board relating to the effectiveness of risk management (IIA 2004). By doing so, the Internal Audit Function, in both its assurance and consulting roles, can prove to be a valuable contributor in the management of an organization's risks. It is important to note that the key factors to take into account when determining internal audit's role in ERM are (1) whether the activity raises any threats to the audit function's independence and objectivity and (2) whether it is likely to improve the organization's GRC processes (IIA 2004). In Figure 4, the activities on the left side of the ERM Fan are assurance activities that internal audit, operating in accordance with the International Standards for the Professional Practice of Internal Auditing, can and should perform. These activities include, among other responsibilities, providing assurance that risks are correctly evaluated and reviewed. The middle section of the ERM Fan represents the legitimate consulting roles that the Internal Audit Function may assume in ERM with safeguards in place. Some of these consulting roles include but are not limited to (IIA 2004):

Championing the establishment of ERM in the organization.
Making available to management the tools and techniques used by internal audit to analyze risks and controls.
Promoting the development of a common language and understanding throughout the organization.

Activities listed in this section of the ERM Fan typically require enhanced safeguards to be in place when the Internal Audit Function is engaged so that objectivity and independence can be maintained. Notwithstanding, it is unlikely that the Internal Audit Function will be prepared to engage in the consulting activities listed in the middle section of the ERM Fan unless the risk-based assurance functions to the left of the ERM Fan are put in place first (IIA 2004). To the far right of the ERM Fan are the roles which the Internal Audit Function should not undertake. If assumed, these roles can severely compromise the independence and objectivity requirements set forth in the IIA's Professional Standards (IIA 2004).
Compliance and the Internal Audit Function

The International Compliance Association (ICA) describes 'compliance' as the ability to act according to an order, set of rules, or request. More specifically, it is the means by which an organization proactively ensures that regulatory and business requirements are met. The ICA asserts that an organization's compliance function typically operates at two levels:

Level 1 – Ensuring compliance with external rules that are imposed upon the organization as a whole (i.e. regulatory requirements)
Level 2 – Ensuring compliance with the internal systems of control that are imposed to achieve compliance with Level 1

To understand Internal Audit's role in support of the Compliance Function, it is important to recognize that these functions serve distinct organizational roles. Internal Audit's objective is fundamentally assurance: looking at the past and present to provide assurance that all activities are being carried out according to written policies and procedures. On the other hand, the Compliance Function's objective is fundamentally operational. This function is concerned with ensuring that all activities carried out by the organization are in compliance with the prevailing regulatory requirements. Therefore, as a component of management, the Compliance Function is positioned to serve as a valid contributor in the effort to achieve optimal organizational performance.

Nevertheless, as a major part of the internal control environment, the Compliance Function should be subjected to independent audits along with the Governance and Risk Management Functions of an organization. To ensure the activities of the Compliance Function are subjected to an independent review, the Basel Committee on Banking Supervision specifically mandates that the Compliance and Internal Audit functions be separated.19 Thus, for effective coordination of activities between these two functions to occur, it is essential that the Internal Audit and Compliance Functions leverage a common language of risk and control. This will allow the functions to adequately provide transparency in their reporting to management and the board. Since both functions are focused on helping the organization achieve effective corporate governance and management of risks, best practices should be adopted, shared, and implemented.

One best practice shared between both functions is reporting functionally to the organization's Board of Directors. The Internal Audit Function accomplishes this through its relationship with the Audit Committee of the Board of Directors, while the Compliance Function reports, respectively, to an established compliance committee. This reporting relationship provides each function with the necessary authority to effectively address its responsibilities. Both functions should also be granted access to the entire organization, provided the board's permission. In order to ensure unbiased reporting results, compliance and audit professionals must have open access to all records and personnel of the organization. This access is traditionally established in the board-approved charter. The ability and authority to conduct independent investigations is yet another example of the shared responsibilities between each function. In many cases, compliance and internal audit collaborate to conduct investigations. Depending upon the nature of the investigation, either function may work on its own or in collaboration with other functions of an organization (e.g. human resources, legal, information technology, etc.). One of the most important roles of each function, however, is the undertaking of risk assessments. These assessments involve the application of a methodical process for identifying the key risks that the organization faces. As each function works to assess the level of an organization's governance, risk management, and overall control, conducting risk assessments will help each function prioritize the resources needed to effectively address the most important issues. For the sake of clarity, risk assessments conducted by the Compliance Function are primarily focused on regulatory matters. On the other hand, risk assessments managed by the Internal Audit Function are traditionally focused around internal control matters. Due to the natural overlap experienced in these assessments, coordination of planning efforts should greatly improve risk assessment results, thereby benefiting both functions and the organization.
Moving Forward: Areas of Focus in the Future of Internal Auditing

In any organization, there are numerous areas where the Internal Audit Function's objectivity, perspective, and skills can provide value to stakeholders. With roles and responsibilities spanning an organization's Governance, Risk Management, and Compliance Functions, it is clear to see that the Internal Audit Function has the potential to profoundly impact the effort to achieve an organization's objectives. Nevertheless, firms are continuously innovating and growing, resulting in constant change and new ventures for the Internal Audit Function to recognize. To avoid becoming irrelevant, internal audit must evolve into a more future-oriented and dynamic function. This belief stems from a study conducted by Deloitte Touche Tohmatsu Limited, which surveyed more than 1,200 Chief Audit Executives in 29 countries across eight industries.16 In the study, Terry Hatherell, Global Internal Audit Leader for Deloitte, states: "In less than a generation, the business world has been transformed in terms of methods, markets, technologies, regulations, and risk. The results of the survey indicate internal audit must evolve in specific ways in order to meet those needs." Moving forward, this raises the question, "Where can Internal Audit have the most impact and influence?" While the specific course of action largely depends on each Internal Audit Function's particular circumstances, impact and influence typically increase when Internal Audit attends to the areas of greatest risk, importance, and concern to key organizational stakeholders. With this in mind, two areas of focus for the Internal Audit Function to consider on its path forward include: (1) the use of analytics in conducting audits and (2) the assessment of an organization's cybersecurity vulnerabilities.
Analytics

Analytics holds serious power and potential to transform the Internal Audit Function and the value it provides to an organization. Key examples of areas where analytics can be applied include information technology cost containment and execution risks related to capital projects and organizational transformations.17 Despite obstacles to implementation, such as a shortage of skilled talent and data quality and availability issues, the cost and complexity of analytical tools have drastically fallen while their value to the Internal Audit Function has skyrocketed. Analytics also provides the opportunity to boost efficiency and effectiveness in a range of audit activities. This enables the Internal Audit Function to provide foresight into risks and areas of interest for stakeholders. Leading audit functions have only begun to use data visualization tools such as heat maps, bubble charts, and interactive graphics to report on audit results as well as to derive insights from analytics. Alternatively, predictive analytics, an increasingly popular form of advanced analytics, enables the Internal Audit Function to provide a forward-looking analysis of possible control breakdowns an organization can face. According to Deloitte's 2017 Internal Audit Insights: High Impact Areas of Focus, organizations should attempt to "home-grow" their analytical talent, but co-sourcing may help to get an enterprise beyond basic analysis to more advanced analytic techniques. Nonetheless, if utilized correctly, the power of analytics can provide great value to both the organization and the Internal Audit Function.

16 Hatherell, T. (2016). Evolution or Irrelevance? Internal Audit at a Crossroads (Rep.). Deloitte.
17 The Changing Role of Internal Audit: Moving Away from Traditional Audits (Rep.). (2015). Deloitte.
Cybersecurity Vulnerabilities

Assessing cybersecurity vulnerabilities is an additional area of emphasis for internal audit functions moving forward. The rise of the sophisticated cyber-criminal has become one of the fastest growing security threats facing organizations to date. Consider, for example, the recent cyber-security breaches of large corporations such as Sony, Target, Yahoo, Home Depot, and eBay. These breaches have put millions of people in harm's way. The landscape of today's cyber-crimes features "malware exploits" that can routinely evade traditional security controls.18 With this understanding, it is clear to see that responding reactively to these threats is no longer sufficient to deal effectively with this level of ingenuity. As a result, boards have begun to seek out the Internal Audit Function's independent, objective, and comprehensive assessment of the cybersecurity risks facing the organization. Legislative and regulatory agencies are also seen driving this trend. The Cyber-Security Systems and Risks Reporting Act, proposed to the U.S. Congress on April 26, 2016, could expand SOX reporting requirements to include cybersecurity systems and risks. Proposals such as this reflect the widespread recognition that cybersecurity protection is critical to organizational performance and value.

To support this evolving trend, the Internal Audit Function should work to strengthen its plans and capabilities accordingly. Given the shortfall of cyber auditing skills in the marketplace, audit functions should look to co-source the respective responsibilities to help maintain effective cyber-security capabilities. Due to the high impact and varied levels of risk associated with cybersecurity (including brand, relationship, and reputational risks), the Internal Audit Function should begin to conduct independent and objective reviews of the organization's cybersecurity functions in the near term. Internal Audit must also define a cyber-auditing approach that meets the needs of both industry and organizational standards. Finally, the audit plan should prioritize the processes and capabilities to be audited and define the methods of the related internal audits. Only then can the Internal Audit Function gather the appropriate resources (i.e. people, skills, tools, etc.) needed to effectively execute on those plans.

18 Internal Audit Insights: High-Impact Areas of Focus (pp. 6-8, Rep.). (2016). Deloitte.
Conclusion

In the absence of an integrated GRC Framework, one that provides transparent and accurate information on which to base risk-intelligent decisions, organizations can be significantly constrained. As an independent and objective function of the organization, Internal Audit offers the most value when it identifies risks and provides objective assurance that those risks are being managed appropriately. To provide this value, the Internal Audit Function should be independent of, but closely aligned with, an organization's Governance, Risk Management, and Compliance Functions. In support of the Governance Function, Internal Audit should work to ensure that an organization's ethical codes and cultural values are appropriately communicated to all stakeholders. Management's commitment to ethical behavior (i.e. "Tone at the Top") should also be assessed and reported on, at least annually. Within the Risk Management Function, Internal Audit should aim to align itself as closely as possible with the roles established by the IIA and depicted in the ERM Fan. In doing so, the Internal Audit Function can remain independent and objective while providing value-enhancing service to the organization. To ensure compliance with applicable rules and regulations, it is imperative that Internal Audit establish a common language with the Compliance Function. Establishing this language allows both functions the opportunity to identify risks facing an organization, report on the effectiveness of controls that are in place, and advise the business on appropriate action when necessary. If an organization chooses to adopt the GRC Framework in response to the complex business environment, stakeholders can rest assured that the enterprise's functions are integrated and high-performing. Only then does an immense opportunity exist for the Internal Audit Function to improve an organization's risk coverage, business operations, and competitive advantage. Moving forward, the Internal Audit Function should begin to focus more time, energy, and resources on identifying emerging trends, such as cybersecurity vulnerabilities, that could represent areas ripe for risk assessment. Finally, with the power and proper use of data analytics, the