Each year, Protiviti conducts its Internal Audit Capabilities and Needs Survey to assess current skill levels of internal audit executives and professionals, identify areas in need of improvement, and help to stimulate the sharing of leading practices throughout the profession. In this white paper, we describe the outlook of internal audit leaders within the financial services industry.
The results of this year’s Internal Audit Capabilities and Needs Survey show that, not surprisingly, cybersecurity represents a major focus for internal audit programs, but it is far from the only pressing issue on internal audit’s plate.
The 2018 Compliance Risk Study for Financial Services explores the modular transformation that allows leaders to move at the pace of the digital age. Read more.
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATION - IJNSA Journal
Information security necessitates the implementation of safeguards that provide an adequate defense and prevent attacks, threats, and breaches from occurring. Nonetheless, even with “adequate” defensive efforts, the temptation to access sensitive and confidential financial information is too strong, and attacks continue to escalate. Organizations must plan ahead so that identified attacks, threats, and breaches are appropriately managed to a successful resolution. A proven method of addressing information security problems is the effective implementation of access security controls. This paper proposes a quantitative approach for organizations to evaluate access security controls over financial information using the Analytic Hierarchy Process (AHP), and determines which controls best suit management’s goals and objectives. Through a case study, the approach is shown to provide a way of measuring the quality of access security controls over financial information based on multiple application-specific criteria.
Evalueserve and McAfee conducted this study in 2011 to highlight how IT decision-makers view the challenges of risk and compliance management in a highly regulated and increasingly complex global business environment. The research investigates how organizations address both risk and compliance, which are inextricably interrelated. The research was also forward-looking, revealing companies’ plans for refining and automating their programs in 2011 and beyond. Significant portions of IT budgets are being spent on risk and compliance management, and that spending is only expected to grow in the future.
CAEs speak out: Cybersecurity seen as key threat to growth - Grant Thornton LLP
In Grant Thornton LLP’s fifth annual survey of chief audit executives (CAEs), financial services CAEs revealed that they see considerable room for improvement when it comes to their risk management functions. Here are our findings.
To better understand how organizations manage the planning and securing of their digital assets, McAfee, Inc. retained Evalueserve to conduct an independent assessment of how organizations manage their security policies and processes, and what threats are perceived to pose the greatest risk to their business. This global study of enterprise-class organizations highlights how IT decision makers view the challenges of securing information assets in a highly regulated and increasingly complex global business environment. It is also forward-looking, revealing companies’ IT security priorities around processes, practices and technology for 2012 and beyond.
Third-party Governance and Risk Management - 2018 - Deloitte UK
This report shows how Third-party Risk Management continued to benefit from greater executive awareness in 2017, which allowed organisations to tackle the topic with renewed focus and investment. This is all the more important amid prevalent threats of high-profile business failure, illegal third-party actions, or regulatory action with punitive fines.
Cyber-criminals are assaulting every part of the enterprise. But not all cyber-attacks are created equal. In the minds of senior executives, the greatest danger of cyber-attacks is damage to the reputation of the firm with its customers.
Compliance at a Crossroads: One Step Forward, Two Steps Back? - Accenture Insurance
Accenture’s 2016 Compliance Risk Study uncovered good and bad news for the compliance risk function.
On the plus side, demand on compliance is growing—both in scale and in complexity. But the increased need has been met with slowed growth in the compliance function’s stature. To keep pace with demand, the compliance function will need to change. But how? See our 2016 study for some starting points.
The role of audit committees continues to expand to keep pace with the modern business operating environment. In addition to responsibility for a company’s financial reporting and management, audit committees increasingly take an active role in an organization’s risk management strategy.
Audit committees can be instrumental in helping their organizations implement procedures to address the challenges they face. They can also assist with addressing internal and external audit findings or with exploring best practices for addressing areas of operations that may be vulnerable to disruption or extraordinary risks.
In less than 30 minutes, this Guide to Contract Management clarifies how to manage contracts. Follow practical steps to control contract risk and improve financial performance. The Guide provides specific recommendations about what contract data to track.
Learn about the 5 principles of contract management. These principles elevate contract management from an administrative burden to a vital risk management function.
Purchasing, Procurement, Vendor, Contract and RFP Process Management with Sha... - Optimus BT
Using the document management, collaboration and self-service features of SharePoint to implement a turnkey procurement management business solution that streamlines the procurement process, helps you comply with regulations, enables you to manage contracts, empowers self-service and participative procurement, supports informed procurement decisions and the execution of an effective procurement strategy, and makes your procurement function hassle-free. Optimus BT is a leader in providing procurement software and other turnkey solutions using SharePoint.
Top 10 Must Read Tips to Run a Successful Facebook Business Page - VA Simple Services
Facebook marketing is something that should be well planned and requires that you understand the platform to ensure the success of your Business Page. Here are some tips to help you out!
12 steps to achieve excellence in debt collection and recovery - EXUS
The challenges Collection & Recovery departments face nowadays have forced them to become more inventive and efficient.
The 12 steps to achieve excellence in C&R embed business knowledge that EXUS has accumulated all these years through the cooperation with field experts.
Go through this presentation and evaluate how these “best practices” employed by top financial institutions in the world can be adopted by your organisation.
Accenture's 2019 study of compliance leaders finds the time for small actions has passed. See how the compliance function can keep pace amid rapid change.
Read more: https://www.accenture.com/pl-en/insights/financial-services/2019-compliance-risk-study-financial-services
Identify regulatory issues relevant to potential employers in the fi.pdf - fazalenterprises
Identify regulatory issues relevant to potential employers in the finance industry
Solution
1. There is an increased focus on both financial and nonfinancial regulatory reporting and the recognition by firms that data must be mapped to authorized data sources. Adding to this focus are growing regulatory concerns over counterparty credit risk and credit risk concentrations. Financial institutions, especially the largest organizations' employees, may be challenged to create systems that are needed to adequately manage this risk, including the capabilities to identify, aggregate, and monitor gross exposures across the consolidated institution and by industry.
2. Employees are expressing particular concerns about the lack of progress in eliminating manual processes and reconciliations, addressing data integrity issues, negotiating resource and other constraints that impact accuracy and timeliness, and fixing weaknesses in data governance. Leading firms are responding by developing a more holistic approach to financial and nonfinancial data management that harnesses the use of data collection for risk management and decision-making purposes in addition to regulatory compliance.
3. Capturing and analyzing vast amounts of data in real time remain massive challenges for the financial services industry, as regulators continue to initiate civil and criminal investigations and levy heavy fines on broker-dealers, investment banks, insurance companies, and retail and commercial banks based on failures to completely and accurately report required information. In addition, ensuring compliance with federal and state laws prohibiting money laundering, financial crime, insider trading, front running, and other market manipulations and misconduct remains critically important.
4. Many compliance employees are re-evaluating their overall approach to privacy and compliance within their organizations. This includes a focus on continuous improvements to data security, IT infrastructures, enterprise provisioning, and scalable data management controls both locally and globally.
5. Increasing cross-border regulatory policy divergences will require internationally active financial firms' employees to undertake more strategic and comprehensive assessments of their regulatory policy risks. These challenges underscore the importance of developing a centralized process for assessing current and potential future regulatory demands using advanced governance, risk management, and compliance regulatory change tools.
6. Under current Enhanced Prudential Standards, financial institutions' employees are required to demonstrate their ability to develop internal stress testing scenarios for both capital and liquidity that properly reflect and aggregate the full range of their business activities and exposures as well as the effectiveness of their governance and internal control processes in both a business-as-usual (BAU) scenario and a stressed environment.
Enhancing the role of internal audit in the digital role function - Dr. Zar Rdj
You can want to focus on doing things in a digital way, but if you don't have the support behind you, CEO and board, and really have them driving you to do what you do with a focus on digital, you can beat your head against the wall and not get anywhere. I don't want to underestimate how important senior leadership and board support is to be able to do this and to be successful at it.
Nancy J. Luquette
Ever-increasing regulation and the expansion of organisations across the globe into new markets have exposed organisations to greater regulatory and compliance risks. To know more: https://www2.deloitte.com/in/en/pages/audit/articles/internal-audit.html
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK - Haresh Lalwani
This presentation is my endeavor to bring to notice the new position that internal audit enjoys today in the corporate framework, expectations of the industry and emerging opportunities for the professionals.
At PKC Management Consulting, Internal Audit Services play a critical role in assessing and reporting on an organization's internal control environment. Chat with us:
info@pkcindia.com
+91 91761 00095
Effect of Enterprise Risk Management on Sustainable Financial Performance of ... - AJSERJournal
The paper is aimed at determining the effect of Enterprise Risk Management (ERM) on the sustainable financial performance of deposit money banks in Nigeria. The specific objectives of the research are to determine the effect of ERM on earnings per share (EPS) and to ascertain the effect of ERM on Tobin's Q. A descriptive research design was adopted for the study, considering the total population of all twenty-one listed deposit money banks in Nigeria. Data were gathered from secondary sources, namely the public annual reports of five (5) of the listed deposit money banks, for a period of six years ranging from 2013 to 2018, and analysed using percentages and ratios. Multiple regression was employed in the data analysis and in testing the hypotheses, to determine whether there is a significant effect of Enterprise Risk Management on Earnings per Share and Tobin's Q of listed deposit money banks in Nigeria. The study revealed that there is a positive and significant relationship between ERM (firm size, leverage) and sustainable financial performance (TQ & EPS) of listed deposit money banks in Nigeria. Based on the findings, the study recommends that financial institutions in Nigeria employ robust Enterprise Risk Management practices, as these are likely to greatly influence their financial performance in one way or the other, and that the Central Bank of Nigeria and other regulators endeavour to strengthen the enforcement of risk control mechanisms to boost robust bank performance.
Cyber security, or information technology security, is the set of techniques for protecting computers, networks, programs and data from unauthorized access or from attacks aimed at exploitation.
Similar to Top Internal Audit Priorities for Financial Services Organizations, 2016
Download our 2020 Sarbanes-Oxley Compliance survey to learn more about the state of SOX today, including how organizations are finding new approaches as they deal with the impact of COVID-19. http://ow.ly/wE1k50zSzj0
2018 Sarbanes-Oxley Compliance Survey - Are You Ready to Gear Up and Automate... - jennyhollingworth
Benchmarking SOX Costs, Hours and Controls – The changes keep coming as SOX continues to make waves for organizations. Download our latest SOX Compliance survey for insights
Internal Audit Capabilities and Needs 2018 survey infographic - jennyhollingworth
With digitalization, robotics and business transformation gaining more momentum in organizations every day, Protiviti's new Internal Audit Capabilities and Needs survey shows that internal audit needs to embrace analytics – and fast.
Protiviti's Flash Report details key developments from the first 100 days of the Trump administration, from a business perspective. For more information, go to http://ow.ly/NDPm30bjnfB
New Protiviti survey shows that banks have ample room for improvement in exceeding customer expectations, managing the customer experience and, perhaps more importantly, convincing consumers that they care about their complaints.
Digitization - What Does This Mean to Internal Audit? - jennyhollingworth
Digitization is becoming an increasingly popular term for the usage of technology and digital advances, such as analytics, mobility, social media and smart devices, to radically improve the performance and/or reach of organizations.
Companies across industries are racing to migrate analog approaches to customers, products, services and operating models to an always-on, real-time and information-rich marketplace.
This presentation, originally from a webinar recorded on September 14, 2016, looks at:
What is digitization?
What risks are associated with digitization?
What can internal audit do to help its organization analyze and monitor the associated risks?
To hear the original webinar, please go to http://www.protiviti.com/en-US/Pages/Webinars.aspx
This whitepaper looks at the distinctions across the United States, the United Kingdom and Hong Kong, focusing on four areas: regulatory examination and enforcement, correspondent banking, information sharing, and AML technology.
Originally a webcast given by Protiviti expert Jim DeLoach, this presentation focuses on key changes in the COSO 2013 framework, with its implications for SOX compliance. This presentation is also available on the FEI website at
http://www.financialexecutives.org/eweb/upload/fei/events/replay/tc_131017/
Business Valuation Principles for Entrepreneurs - Ben Wann
This insightful presentation is designed to equip entrepreneurs with the essential knowledge and tools needed to accurately value their businesses. Understanding business valuation is crucial for making informed decisions, whether you're seeking investment, planning to sell, or simply want to gauge your company's worth.
[Note: This is a partial preview. To download this presentation, visit:
https://www.oeconsulting.com.sg/training-presentations]
Sustainability has become an increasingly critical topic as the world recognizes the need to protect our planet and its resources for future generations. Sustainability means meeting our current needs without compromising the ability of future generations to meet theirs. It involves long-term planning and consideration of the consequences of our actions. The goal is to create strategies that ensure the long-term viability of People, Planet, and Profit.
Leading companies such as Nike, Toyota, and Siemens are prioritizing sustainable innovation in their business models, setting an example for others to follow. In this Sustainability training presentation, you will learn key concepts, principles, and practices of sustainability applicable across industries. This training aims to create awareness and educate employees, senior executives, consultants, and other key stakeholders, including investors, policymakers, and supply chain partners, on the importance and implementation of sustainability.
LEARNING OBJECTIVES
1. Develop a comprehensive understanding of the fundamental principles and concepts that form the foundation of sustainability within corporate environments.
2. Explore the sustainability implementation model, focusing on effective measures and reporting strategies to track and communicate sustainability efforts.
3. Identify and define best practices and critical success factors essential for achieving sustainability goals within organizations.
CONTENTS
1. Introduction and Key Concepts of Sustainability
2. Principles and Practices of Sustainability
3. Measures and Reporting in Sustainability
4. Sustainability Implementation & Best Practices
To download the complete presentation, visit: https://www.oeconsulting.com.sg/training-presentations
LA HUG - Video Testimonials with Chynna Morgan - June 2024 - Lital Barkan
Have you ever heard that user-generated content or video testimonials can take your brand to the next level? We will explore how you can effectively use video testimonials to leverage and boost your sales, content strategy, and increase your CRM data.🤯
We will dig deeper into:
1. How to capture video testimonials that convert from your audience 🎥
2. How to leverage your testimonials to boost your sales 💲
3. How you can capture more CRM data to understand your audience better through video testimonials. 📊
The world of search engine optimization (SEO) is buzzing with discussions after Google confirmed that around 2,500 leaked internal documents related to its Search feature are indeed authentic. The revelation has sparked significant concerns within the SEO community. The leaked documents were initially reported by SEO experts Rand Fishkin and Mike King, igniting widespread analysis and discourse. For More Info:- https://news.arihantwebtech.com/search-disrupted-googles-leaked-documents-rock-the-seo-world/
Affordable Stationery Printing Services in Jaipur | Navpack n Print - Navpack & Print
Looking for professional printing services in Jaipur? Navpack n Print offers high-quality and affordable stationery printing for all your business needs. Stand out with custom stationery designs and fast turnaround times. Contact us today for a quote!
Unveiling the Secrets How Does Generative AI Work.pdf - Sam H
At its core, generative artificial intelligence relies on the concept of generative models, which serve as engines that churn out entirely new data resembling their training data. It is like a sculptor who has studied many forms found in nature and then uses this knowledge to create sculptures from his imagination that have never been seen before. Taken to cyberspace, GANs work in much the same way.
VAT Registration Outlined In UAE: Benefits and Requirements - uae taxgpt
VAT registration is a legal obligation for businesses meeting the threshold requirement, helping companies avoid fines and other ramifications. Contact now!
https://viralsocialtrends.com/vat-registration-outlined-in-uae/
Memorandum Of Association Constitution of Company.ppt - seri bangash
www.seribangash.com
A Memorandum of Association (MOA) is a legal document that outlines the fundamental principles and objectives upon which a company operates. It serves as the company's charter or constitution and defines the scope of its activities. Here's a detailed note on the MOA:
Contents of Memorandum of Association:
Name Clause: This clause states the name of the company, which should end with words like "Limited" or "Ltd." for a public limited company and "Private Limited" or "Pvt. Ltd." for a private limited company.
https://seribangash.com/article-of-association-is-legal-doc-of-company/
Registered Office Clause: It specifies the location where the company's registered office is situated. This office is where all official communications and notices are sent.
Objective Clause: This clause delineates the main objectives for which the company is formed. It's important to define these objectives clearly, as the company cannot undertake activities beyond those mentioned in this clause.
Liability Clause: It outlines the extent of liability of the company's members. In the case of companies limited by shares, the liability of members is limited to the amount unpaid on their shares. For companies limited by guarantee, members' liability is limited to the amount they undertake to contribute if the company is wound up.
https://seribangash.com/promotors-is-person-conceived-formation-company/
Capital Clause: This clause specifies the authorized capital of the company, i.e., the maximum amount of share capital the company is authorized to issue. It also mentions the division of this capital into shares and their respective nominal value.
Association Clause: It simply states that the subscribers wish to form a company and agree to become members of it, in accordance with the terms of the MOA.
Importance of Memorandum of Association:
Legal Requirement: The MOA is a legal requirement for the formation of a company. It must be filed with the Registrar of Companies during the incorporation process.
Constitutional Document: It serves as the company's constitutional document, defining its scope, powers, and limitations.
Protection of Members: It protects the interests of the company's members by clearly defining the objectives and limiting their liability.
External Communication: It provides clarity to external parties, such as investors, creditors, and regulatory authorities, regarding the company's objectives and powers.
https://seribangash.com/difference-public-and-private-company-law/
Binding Authority: The company and its members are bound by the provisions of the MOA. Any action taken beyond its scope may be considered ultra vires (beyond the powers) of the company and therefore void.
Amendment of MOA:
While the MOA lays down the company's fundamental principles, it is not entirely immutable. It can be amended, but only under specific circumstances and in compliance with legal procedures. Amendments typically require shareholder
Cracking the Workplace Discipline Code Main.pptx - Workforce Group
Cultivating and maintaining discipline within teams is a critical differentiator for successful organisations.
Forward-thinking leaders and business managers understand the impact that discipline has on organisational success. A disciplined workforce operates with clarity, focus, and a shared understanding of expectations, ultimately driving better results, optimising productivity, and facilitating seamless collaboration.
Although discipline is not a one-size-fits-all approach, it can help create a work environment that encourages personal growth and accountability rather than solely relying on punitive measures.
In this deck, you will learn the significance of workplace discipline for organisational success. You’ll also learn
• Four (4) workplace discipline methods you should consider
• The best and most practical approach to implementing workplace discipline.
• Three (3) key tips to maintain a disciplined workplace.
Improving profitability for small business - Ben Wann
In this comprehensive presentation, we will explore strategies and practical tips for enhancing profitability in small businesses. Tailored to meet the unique challenges faced by small enterprises, this session covers various aspects that directly impact the bottom line. Attendees will learn how to optimize operational efficiency, manage expenses, and increase revenue through innovative marketing and customer engagement techniques.
Premium MEAN Stack Development Solutions for Modern BusinessesSynapseIndia
Stay ahead of the curve with our premium MEAN Stack Development Solutions. Our expert developers utilize MongoDB, Express.js, AngularJS, and Node.js to create modern and responsive web applications. Trust us for cutting-edge solutions that drive your business growth and success.
Know more: https://www.synapseindia.com/technology/mean-stack-development-company.html
RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...BBPMedia1
Grote partijen zijn al een tijdje onderweg met retail media. Ondertussen worden in dit domein ook de kansen zichtbaar voor andere spelers in de markt. Maar met die kansen ontstaan ook vragen: Zelf retail media worden of erop adverteren? In welke fase van de funnel past het en hoe integreer je het in een mediaplan? Wat is nu precies het verschil met marketplaces en Programmatic ads? In dit half uur beslechten we de dilemma's en krijg je antwoorden op wanneer het voor jou tijd is om de volgende stap te zetten.
RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...
Top Internal Audit Priorities for Financial Services Organizations, 2016
Top Priorities for Internal Audit in Financial Services Organizations
Discussing the Key Financial Services Industry Results from the 2016 Internal Audit Capabilities and Needs Survey
Introduction
Each year, Protiviti conducts its Internal Audit Capabilities and Needs Survey
to assess current skill levels of internal audit executives and professionals,
identify areas in need of improvement, and help to stimulate the sharing of
leading practices throughout the profession. The 2016 report that follows
describes the outlook of internal audit leaders within the financial services
industry. For the first time in many years, this survey reflects the views of
internal audit professionals during a time when the global economy and
its financial system were recovering from the global financial crisis. The
risk landscape it paints therefore reflects people’s risk perceptions in a
newly evolving world.
The findings discussed in our paper are based on responses from nearly
300 chief audit executives (CAEs) and internal audit professionals in the U.S. financial services industry.
In the opinion of these respondents, cybersecurity represented the greatest area for internal audit functions
to address. We have devoted one entire section of this report to the increasing attention that cybersecurity
continues to garner. But this is far from the only area internal audit organizations seek to improve as they look
forward to the coming year. A few areas that organizations prioritized as particularly acute challenges include:
• Agile Risk Management
• Model Risk Management & Data Analytics
• Mobile Applications
Michael Thor is a Managing
Director with Protiviti and
leads the firm’s North American
Internal Audit practice.
It is a near certainty that financial institutions will suffer cyber-related outages in the next few
years; the key issue is how they respond and recover.
Cybercrime Concerns Dominate
Chief among the issues identified this year is technology risk because of growing concerns about
cybercrime and the vulnerability of outdated systems to outages and attack. Escalation in the frequency
and sophistication of cyberattacks as well as the increased regulatory scrutiny around ensuring firms have
adequate cyber-risk programs in place have driven this risk to the top of the list.[1] Exacerbating this is a
growing reliance on old and overly complicated IT systems, which are more susceptible to security breaches
and unpredictable outages that can cause disruption. A major challenge is that financial services firms are
playing catch-up in a technology environment that continues to evolve rapidly.
As financial institutions rely to an even greater extent on technology (see “Mobile Applications Challenge”
below), they also need to be concerned with risks arising from third-party outsourcing and off-shoring
activities. Vendors’ different and possibly less stringent security standards could create the potential for data
loss or leakage. This increases the risk of a firm losing control of parts of its operations as supply chains get
longer and more complex.
As financial institutions grow even more reliant on digital technology, the severity of a potential cyber
breach increases exponentially. Cybersecurity has traditionally been the responsibility of the chief security
officer and/or the chief information officer; however, risk management and internal audit have a key role
to play in securing the organization by working closely with senior management to ensure cybersecurity is
embedded into the enterprise.
Agile Risk Management, Incorporating Risk Appetite and Risk Culture into the Third Line of Defense
In the immediate aftermath of the financial crisis, financial institutions, especially banks, have invested a
great deal of time, energy and money on developing more robust risk management functions focused on
identifying and negating emerging risks. Although the perceived threat has fallen slightly, the responses
we received suggest still more needs to be done to meet both the demands of the modern environment
as well as the heightened expectations from regulators. Firms have recognized that they need to become
more efficient in managing risk, compliance and internal audit requirements. Dealing with the myriad
regulatory demands and changes in the operating environment requires firms to have agile and effective risk
management and compliance functions that operate more like business functions, providing value through
being agile, responsive and more forward-looking. Equally, firms need to maintain their focus on integrating
risk appetite and risk culture into their organizations to create a risk-aware environment that allows an agile
risk management philosophy to flourish. Even for those firms that have embraced the concept, integrating
and embedding risk culture into the entire enterprise is a constant challenge. A greater challenge for
internal audit is recognizing its role within an agile risk management philosophy and how it can assist in
reinforcing and independently testing both risk appetite and risk culture in the organization.
[1] The 2015 annual report by the Financial Stability Oversight Council said that although U.S. banks and financial businesses have been leaders in erecting barriers to hackers, cyberattacks still present a potential systemic danger, www.treasury.gov/initiatives/fsoc/studies-reports/Documents/2015%20FSOC%20Annual%20Report.pdf.
Increasing reliance on models, and the increasing complexity of those models, especially in the area of
stress testing, has driven increased demand for resources with the knowledge and skills to address the
risks associated with the use of these same models.
Model Risk Management
Internal auditors have ranked model risk management one of the top areas where they need to improve
their technical knowledge – and for good reason. The internal audit function is tasked with verifying that
financial institutions have a comprehensive model risk management practice, which includes governance,
processes, policies, adherence to policies, and documentation.
Having internal audit staff with the competence and skillset to provide effective challenge to the first- and
second-line functions that use and oversee the models, and to model risk management overall, continues
to be a challenge for financial institutions, especially those that do not have the scale to support an
in-house team of model professionals within the internal audit function.
As organizations continue to increase the use and complexity of models, and with increasing regulatory
focus on stress testing, already scarce modelling skillsets are in even greater demand.
Mobile is lauded for its ability to connect organizations with consumers but it brings its own
unique challenges and risks to the organization.
Mobile Applications Challenge
Continuing with the earlier technology trend, the survey shows a clear focus on auditing risks related
to the development, management, and use of mobile applications within financial services institutions.
Mobile banking and mobile payments are exploding in popularity as financial institutions are responding to
demands from their customers to offer more convenience through mobile channels. The speed of change,
the introduction of new third parties offering mobile services, as well as the myriad risks presented by
such brand new technology, are presenting a wave of new challenges for financial services firms, as well as
the internal audit functions that have to help the organization navigate the risks presented by these new
channels, processes and technologies.
The Changing Internal Audit Environment
Three years ago, the financial services industry results from the 2013 Internal Audit Capabilities and Needs
Survey showed that the focus of the entire industry was mainly on regulatory compliance – from stress testing
requirements to the broader concerns over compliance with the various regulations being issued under
the Dodd-Frank Act. Even though internal auditors are continuing to grapple with regulatory compliance, an
increasing focus is being placed on ensuring programs that have already been implemented, such as risk
appetite and risk culture, are being embedded into the organization as well as looking ahead to adopting a
more agile risk management function to help drive efficiency. The additional scrutiny regulators are placing
on firms’ cybersecurity controls is also reflected in cybersecurity being ranked third by internal auditors for
improving their technical skills. Respondents specifically called out the NIST Cybersecurity Framework as
an area for greater attention.
Unlocking the Power of Data to Help Manage Risk
Finally, data analysis continues to be a topic that internal auditors across financial institutions wrestle
with. The industry agrees that data analysis holds great promise; however, how to effectively deploy
and utilize expanding data analysis capabilities to harness the power of advanced analytics remains a
challenge to most internal audit organizations. That said, the use of analytics by internal audit functions is
continuing to evolve, driven by internal audit functions’ desire to make informed decisions on data from
key risk indicators in the various lines of business to help them dedicate their audit hours and testing more
efficiently and effectively. The more advanced firms report that they are implementing the use of aids such
as visualization tools and continuous monitoring, accessing enterprisewide data, as well as running analytics,
to help them better understand where the biggest risks exist.
Impacts on Internal Audit
The role of internal audit – the third line of defense – is changing. Under the U.S. Office of the Comptroller
of the Currency (OCC) Heightened Standards for Large Financial Institutions,[2] the role of internal audit is to
opine on the readiness and design of risk management systems’ corporate governance structures, including risk
culture and risk appetite. Financial institutions are also facing a changing risk landscape, as highlighted within
the topics above.
Internal audit functions face a growing list of priority areas for the next 12 months. The foremost of these
are addressed in the following pages, with separate chapters exploring the impact of cybersecurity, mobile
applications, model risk, and the challenge of integrating risk appetite and risk culture within an agile risk
management philosophy.
2016 Internal Audit Concerns
Further areas of concern that firms need to consider in developing their 2016 audit plans include:
• Development of dynamic risk assessment and audit planning
• Talent management and acquisition
• Reliance across the three lines of defense
• Assessing effective risk management
• Vendor management
• Communication with stakeholders
[2] www.occ.treas.gov/news-issuances/news-releases/2014/nr-occ-2014-4a.pdf.
About the Internal Audit Capabilities and Needs Survey
This year the 2016 Internal Audit Capabilities and Needs Survey consisted of questions grouped into four
divisions: cybersecurity and the audit process, general technical knowledge, audit process knowledge,
and personal skills and capabilities. Respondents from U.S. financial services companies were also asked
to assess industry-specific skills.
The results, based on information provided by all respondents (who numbered more than 1,300),
are contained within the master report (available at www.protiviti.com/IASurvey). In addition to
the overall findings, Protiviti collected and analyzed specific data from respondents in a number of
different industries, including financial services. The intent of this report is to provide internal audit
executives and professionals in the financial services industry with more focused insights about the
unique issues within their domains.
Everyone, from individuals to large businesses, is at high risk of cybercrime – identity theft, account
takeover, account cloning, fraudulent payments and/or transfers, the list goes on. But it is financial
institutions that are battling against cyber criminals on the frontline.
Cyber risk is recognized around the world as the foremost risk for most financial services firms, which for
the moment at least, remain liable for any losses. Financial institutions are also increasingly reliant on their
technology and systems infrastructure, with many banks’ growth strategies shifting to digital models. Such a
high degree of dependence on digital technology exponentially increases the risk, and the potential severity,
of cyberattacks for financial services firms.
General Technical Knowledge (top 10 areas)

“Need to Improve” Rank | Area Evaluated by Respondents | Competency (5-pt. scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of “Presence, Functioning and Operating Together” | 3.3
Cybersecurity and the Audit Process
An organization can have all of the audit controls, checks and balances in place, but if it
doesn’t know what it is trying to protect, its cybersecurity program is ultimately flawed.
– Cal Slemp, Managing Director
Cal Slemp is a Managing Director
with Protiviti’s IT Consulting practice.
James Armetta is a Managing Director
with Protiviti’s Internal Audit and Financial
Advisory practice.
Audit Process Knowledge (top 10 areas)

“Need to Improve” Rank | Area Evaluated by Respondents | Competency (5-pt. scale)
1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4
A flurry of high-profile breaches at banks, credit card and payment providers, as well as large retailers, has
succeeded in embedding the message that every firm will be the target of a cyberattack at some point. The
only unknown is when an attack will happen and if the firm is prepared for the counterattack with processes
in place to deal with the aftermath.
The growing importance of cybersecurity at financial services firms is evident in the financial services industry
findings from Protiviti’s 2016 Internal Audit Capabilities and Needs Survey. Many internal audit professionals at
financial services firms stated that key priorities for improvement include leveraging the NIST Cybersecurity
Framework[3] as well as the Internet of Things. Understandably, respondents to the survey are also eager to
improve their capabilities with auditing IT security.
Most companies no longer think in terms of whether they will be attacked; the question is when. “The executive
management and boards of most organizations recognize that it is probable, and perhaps inevitable, that
they will be compromised,” says Cal Slemp, a Managing Director with Protiviti and a leader with the firm’s
Security and Privacy practice. “This is the main driver for boards calling for more enhanced, robust incident
response plans that are tested through tabletop exercises to determine potential gaps in responding to attacks on
the key assets of their organizations. The real challenge is establishing enterprisewide security and breaking down
the silos that have traditionally addressed IT security requirements and controls with technology and limited
processes, if any. Many companies have adopted leading industry standards such as ISO 27001 or the NIST
Cybersecurity Framework to guide them in assessing the strength of their security programs. Organizational
governance needs to be established for these frameworks to be effective when organizations adopt them. This
approach will ensure it is integrated into the culture of the organization. Firms need to have that top-down
approach. The board should state that it knows breaches are inevitable but it needs to know when the firm has
been compromised and that it has a robust response plan in place.”
One of the most important aspects to any firm’s cybersecurity plan is identifying its key assets – the proverbial
crown jewels.[4]
“An organization can have all of the audit controls, checks and balances in place, but if it doesn’t
know what it is trying to protect, its cybersecurity program is ultimately flawed,” says Slemp. “Firms need to
identify what they are trying to protect, and then need to be able to detect when there is a potential compromise
or an attack on those key assets. And when they are compromised, firms must be able to respond effectively.”
[3] See Protiviti’s Flash Report: Cybersecurity Framework: Where Do We Go From Here? www.protiviti.com/en-US/Documents/Regulatory-Reports/Information-Technology/IT-FlashReport-NIST-Cybersecurity-Framework-Where-Do-We-Go-From-Here-022514-Protiviti.pdf.
[4] See Protiviti’s Board Perspectives: Risk Oversight, Volume 1, Issue 66: “Managing Cyber Threats with Confidence,” www.protiviti.com/en-US/Documents/Newsletters/Board-Perspectives/Board-Perspectives-Risk-Oversight-Issue66-Managing-Cyber-Threats-Protiviti.pdf.
Having the right response plan in place is crucial to be able to mitigate the damage to the organization and
restore the business quickly. Many companies have an incident response process in place, but many do
not have the appropriate personnel, tools and stakeholders on board to be able to respond effectively
to a breach.
“If a company is breached, it is not exclusively the responsibility of IT security to respond and recover,” says
Slemp. “Many stakeholders of the organization need to be involved, from legal to PR and communications. The
board of directors and executive management also need to be involved as well as the crisis management team –
the list goes on.”
Internal audit has a key role to play in ensuring the organization has an effective cybersecurity policy and
response process in place, preferably taking a proactive role in helping the firm to develop its cybersecurity
strategy and policy from the outset, then ensuring this strategy is maintained throughout the organization.
Cybersecurity risk must be formally integrated into the audit plan, while auditors need to ensure they have
the required knowledge to be able to evaluate the organization’s cybersecurity program against the NIST
Cybersecurity Framework.
The NIST framework is not a regulation and therefore is not a requirement for firms. In many cases, firms
already have many of the controls recommended by NIST but the degree of compliance varies between
organizations. Firms that conduct business with the U.S. government or with regulators are required to
demonstrate that they are following the framework and even though others may have a policy in place,
the maturity level may still need to be developed.
One area of concern for firms has been the cybersecurity risk posed by third parties such as vendors.
Financial institutions can spend millions securing their own infrastructure and systems from cyberattacks
but all too often the threat comes from within, from their own employees or from their suppliers, which
may not have such sophisticated defense systems.
Companies, including internal audit, need to evaluate the cyber risks associated with their vendors with the
same rigor they evaluate their own internal risks. Protiviti’s 2015 Vendor Risk Management Benchmark Study
showed that organizations are striving to make improvements in their third-party risk management programs
and have a better understanding of the nature of vendor threats. It also shows that boards are seeking
assurances from management that vendor risk is being assessed, managed and monitored appropriately,
especially if it relates to the loss or exposure of sensitive data through cyberattacks or other compromises.
The improvement in understanding of vendor risk may be due to the release of new regulatory guidance over
the past few years, including the NIST Cybersecurity Framework, as well as the 2013 update to ISO 27001.
The NIST framework is U.S.-centric – global banks often prefer an internationally recognized framework.
“Traditionally these banks have used ISO 27001,” says Slemp. “They are not abandoning that standard but
Protiviti is helping a lot of companies to leverage ISO and map it to the NIST control framework. Companies
that have embraced this culturally are more able to understand it.”
The NIST framework was first published three years ago, so it is not a new development and chief
information officers and chief security officers are familiar with it. It is new from an internal audit
perspective, however, and as such it may not have been automatically included in annual audit plans.
Companies that partner internal audit with IT and/or the security function to benefit from their guidance
and insight are often more successful in understanding and implementing the NIST framework.
Regulators Focus on Cybersecurity
The FFIEC published its findings in March 2015 from a joint assessment conducted by U.S. banking
agencies the year before to assess cybersecurity preparedness at more than 500 institutions. The paper
contains key observations and questions that chief executive officers and boards of directors need to consider
when assessing their institutions’ cybersecurity preparedness.[5] This includes high-level guidance for firms to
take appropriate risk mitigation steps, including: conducting ongoing information security risk assessments;
performing security monitoring, prevention, and risk mitigation; protecting against unauthorized access;
implementing and testing controls around critical systems regularly; enhancing information security
awareness and training programs; and participating in industry information-sharing forums.
In June 2015, the FFIEC issued a Cybersecurity Assessment Tool for institutions to use to evaluate their
risks and cybersecurity preparedness, which OCC examiners will gradually incorporate into examinations
of national banks to benchmark and assess bank cybersecurity efforts.[6]
“The FFIEC’s Cybersecurity Assessment Tool was introduced with a mapping of its controls to those in the
NIST Cybersecurity Framework, and also supports a risk-based approach to determine the target maturity
level for an organization and whether the cybersecurity preparedness is aligned with its risk,” says Slemp.
“However, it is worth noting that the maturity levels start at a ‘baseline’ level that ties back to the FFIEC’s IT
Examination Handbook, so financial institutions should already operate at this level. Where there is additional
perceived risk, the bar is higher, so it will be interesting to see what the examiners’ expectations are for security
as they begin to assess organizations using the tool.”
The assessment tool incorporates concepts and principles contained in the FFIEC IT Examination
Handbook, regulatory guidance, applicable laws and regulations, FFIEC joint statements, and concepts
from well-known industry standards, such as the NIST Cybersecurity Framework.
There are two parts to the assessment: an inherent risk profile and cybersecurity maturity.
The inherent risk profile identifies the amount of risk posed to a bank by the types, volume, and
complexity of the bank’s technologies and connections, delivery channels, products and services,
organizational characteristics, and external threats – notwithstanding the bank’s risk-mitigating controls.
Cybersecurity maturity is evaluated in five domains: cyber risk management and oversight, threat intelligence
and collaboration, cybersecurity controls, external dependency management, and cyber incident management
and resilience. Each domain has five levels of maturity: baseline, evolving, intermediate, advanced, and
innovative. A bank’s appropriate cybersecurity maturity levels depend on its inherent risk profile.
Internal audit needs to be in tune with these regulatory guidelines, market developments and any cyber issues
experienced by their peers to ensure they are prepared to handle those types of emerging risks.
With the OCC’s Heightened Standards, internal audit functions are expected to not only evaluate areas like
cybersecurity in terms of how the IT department is addressing it, but also opine on what the IT compliance
and/or IT risk functions are doing. Between the level of technical depth needed to look at the different
aspects of cybersecurity to the need to examine the practice of both the first and second lines of defense, the
bar has definitely been raised for financial services internal audit shops.
[5] www.ffiec.gov/press/PDF/FFIEC_Cybersecurity_Assessment_Observations.pdf.
[6] Understanding the FFIEC Cybersecurity Assessment Tool: An Internal Audit Perspective is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/FFIEC-cybersecurity-assessment-tool-IA-perspective-whitepaper-Protiviti.pdf.
Impacts on Internal Audit
Chief audit executives and the internal audit function need to raise their awareness and knowledge of the
cybersecurity threat and relevant regulatory guidelines to be able to develop a robust cybersecurity strategy.
Below are cybersecurity action items for CAEs and internal audit to consider in their annual audit plans.
Action Items for Chief Audit Executives and Internal Audit Functions to Consider
1. Strategy and Policy: Work with management and the board to develop a cybersecurity strategy
and policy.
2. Cybersecurity Risk: Seek to have the organization become “very effective” in its ability to identify,
assess and mitigate cybersecurity risk to an acceptable level.
3. Cybersecurity Breach: Recognize the threat of a cybersecurity breach resulting from the actions of an
employee or business partner.
4. Board of Directors: Leverage board relationships to (a) heighten the board’s awareness and knowledge
of cybersecurity risk; and (b) ensure that the board remains highly engaged with cybersecurity matters
and is up-to-date on the changing nature and strategic importance of cybersecurity risk.
5. Audit Plan: Ensure cybersecurity risk is formally integrated into the audit universe and audit plan based
on the risk it represents to your organization.
6. Emerging Technology: Develop, and keep current, an understanding of how emerging technologies
and technological trends are affecting the company and its cybersecurity risk profile.
7. NIST Cybersecurity Framework: Evaluate the organization’s cybersecurity program against the
NIST Cybersecurity Framework, while recognizing that the framework does not go to the control level
and therefore may require additional evaluation against ISO 27001 and 27002.
8. Preventative Capabilities: Recognize that with regard to cybersecurity, the strongest preventative
capabilities require a combination of human and technology security – a complementary blend of
education, awareness, vigilance and technology tools.
9. Clear Escalations Protocol: Make cybersecurity monitoring and cyber-incident response a top
management priority – a clear escalation protocol can help make the case for (and sustain) this priority.
10. Staffing Shortages: Address any IT/audit staffing and resource shortages, which represent a top
technology challenge in many organizations and can hamper efforts to address cybersecurity issues.
Improving Model Risk Management
The internal audit function is tasked with ensuring that financial institutions have a
complete model risk management practice, which includes governance, processes, policies,
adherence to policies, and documentation.
– Shaheen Dil, Ph.D., Managing Director
Charlie Anderson is a Managing Director
and Practice Leader for Model Risk Services
within Protiviti’s Data Management
Advanced Analytics Solutions practice.
Steve Lafrance is a Managing
Director with Protiviti’s Internal
Audit and Financial Advisory practice.
Shaheen Dil, Ph.D., is a Managing
Director with Protiviti and Global
Leader of the Data Management
Advanced Analytics Solutions practice.
Financial services industry internal auditors responding to Protiviti’s 2016 Internal Audit Capabilities and
Needs Survey have ranked model risk management (MRM) as a major area where they need to improve their
technical knowledge. And for good reason: The internal audit function is tasked with ensuring that banks
have a complete model risk management practice, which includes governance, processes, policies, adherence
to policies, and documentation.
Technical Knowledge – U.S. Financial Services Industry (top 10 areas)

“Need to Improve” Rank | Area Evaluated by Respondents | Competency (5-pt. scale)
1 (tie) | Basel guidance on internal audit | 2.9
1 (tie) | Basel III | 2.2
3 | Model risk management | 2.7
4 | Volcker Rule | 2.2
5 | Dynamic risk assessment | 3.2
6 | Interest rate/market risk | 2.7
7 | CFPB examination readiness | 2.7
8 (tie) | Federal Reserve Guidance on Internal Audit (SR 13-1) | 3.0
8 (tie) | Vendor management | 3.4
10 (tie) | Regulatory Compliance – Holding Company (Reg W) | 2.7
10 (tie) | UDAAP | 2.8
10 (tie) | Reliance on 1st and 2nd line monitoring | 3.4
Although internal audit generally is well-equipped to perform these types of activities, the function
confronts several significant challenges, including access to the quantitative expertise required to evaluate
whether the model validations were conducted appropriately.
Basel III and the European Market Infrastructure Regulation (EMIR), along with guidance issued for U.S.
institutions by the Federal Reserve, Federal Deposit Insurance Corporation (FDIC) and Office of the
Comptroller of the Currency (OCC), are driving the need for significant changes in the model governance
infrastructures of affected financial institutions.7
This inevitably impacts the role of internal audit, since it
has to review the effectiveness of the model governance infrastructure.
Among other things, these requirements mandate that institutions hold more risk capital, under a narrower
definition of what qualifies as capital. This capital also has to undergo periodic stress testing, which requires
institutions to build a range of additional models. These issues will continue to dominate the attention of
affected financial institutions and their internal audit functions in 2016.
In the United States, regulatory bodies have been concentrating on model risk, model governance and stress
testing. Regulators have been heavily testing compliance with SR 11-7 and OCC 2011-12 “Supervisory Guidance
on Model Risk Management.” At the same time, regulators have been concentrating on Comprehensive Capital
Analysis and Review (CCAR)8
and Dodd-Frank Act Stress Test (DFAST)9
results.
The Federal Reserve evaluates the stress testing and capital planning processes of U.S. banking organizations
with assets greater than $10 billion through DFAST, and organizations with assets of $50 billion or more
through CCAR. Note that many organizations must comply with both. The Federal Reserve reviews and
assesses the results of both exercises on both a quantitative and qualitative basis.
These regulations require banks to create forward-looking projections of major balance sheet and income
statement items under hypothetical economic scenarios. The items being projected include credit losses as
well as Pre-Provision Net Revenues (PPNR). Some large banks are also required to conduct a Global Market
Shock exercise, involving large changes in values and identification of key counterparty vulnerabilities.
Producing such calculations is a complex undertaking, which calls for extensive governance and new processes.
Regulators have made it clear that data completeness and data quality are crucial, and banks are rapidly
building their data capabilities in order to be ready to produce the periodic DFAST and CCAR reports.
In addition, banks are working quickly to develop models that can be used to create the necessary
projections and calculations. The models are sophisticated and must be tested and shown to be capable of
producing suitable results.
As with other models, the CCAR/DFAST models must be developed, implemented, governed and validated
per SR 11-7 and OCC 2011-12 “Supervisory Guidance on Model Risk Management.” Each new model
must be separately validated prior to being used. Midsize banks may have dozens of new models for stress
testing purposes, and large banks may have hundreds.
7 For more comprehensive analysis on these changes, Protiviti has published several articles, including “Reducing Risk Through Model Validation,” “Model Governance and Effective Risk Management” and “Building Confidence in ALLL Models – a Timely Practice” (available at www.protiviti.com).
8 www.federalreserve.gov/bankinforeg/bcreg20130819a1.pdf.
9 www.federalreserve.gov/bankinforeg/srletters/sr1403.pdf.
10 For more comprehensive guidance on model risk management compliance challenges, see Shaheen Dil’s article, “Complying with the New Supervisory Guidance on Model Risk,” in the February 2012 issue of The RMA Journal.
Size Makes a Difference
The model risk management challenges financial services companies and their internal audit functions face
generally vary by the size of the institution:
• Large institutions – The 20 or so largest U.S. banks already have varying degrees of mature model
governance infrastructure in place; their focus tends to be on upgrading the quality of their model
documentation and model validation processes. Although a number of large institutions have model
risk functions, most still have difficulty obtaining specialized skills and completing large model
building (or model validations) in a timely manner.
• Midsize institutions – These companies may face the most formidable model risk management
challenges. Many of these firms are just beginning to build their model risk infrastructure. This process
typically begins with a model risk oversight committee or the equivalent, consisting of members of
risk management, modelers and business owners. Internal audit frequently serves in a nonvoting
capacity on these committees. Since many of these efforts are starting from scratch, finding the talent
and specific skill sets necessary to fuel these efforts represents a major challenge for midsize financial
services institutions. “Many medium-size banks do not have the skills on board necessary to build or
validate models,” Dil observes. “For many midsize banks, it has been a struggle to embed these skills
and this capability into their cultures.”
• Small institutions – Few smaller banks can afford to hire full-time personnel with the skills necessary
to fulfill new model risk management requirements. Instead, these companies are competing for
external experts to come in and provide assistance.
Finally, there are several model risk management challenges all internal audit functions must contend
with, regardless of the size of their organizations. These include data quality and availability;
maintaining independence between model developers and model validators; and access to specific
technical (e.g., quantitative) expertise and talent.10
By addressing these challenges, internal audit functions will help management and boards of directors
understand the limitations of their models so they can make confident business decisions, which could
help advance business strategies and achieve regulatory compliance.
Internal audit teams are challenged with having quantitative expertise to assess whether the models meet the
regulatory requirements. Significant needs include:
• Assessing the model governance program (under SR11-7/OCC 2011-12);
• Assessing each model validation for consistency with those rules;
• Assessing model development, implementation and use; and
• Assessing compliance with CCAR and DFAST regulations.
The banking organizations that are subject to either the Federal Reserve’s CCAR or DFAST exercise are
expected to have sound model risk management practices that are consistent with existing supervisory
guidance on model risk management.11
As such, model risk management practice extends beyond model
validation and requires input from the business and the second line of defense, while the internal audit
function reviews the effectiveness of the overall capital planning/CCAR process, including the relevant
models. Notably, while CCAR banks largely have established overarching model risk management
functions, DFAST banks tend to operate in more flexible ways, ranging from pockets of model validation
and model risk expertise in various risk functions and business lines, all the way to outsourcing the entire
function to external vendors.
Incorporating the regulatory expectations set forth in SR 11-7 into the banking organization’s stress testing
and capital planning exercise presents specific and unique challenges.
The nature and requirements of the stress testing and capital planning exercises necessitate participation,
collaboration, and transparency between all model risk stakeholders, including model developers, users,
validators, internal audit, and bank management and the board of directors, to manage model risk and apply
mitigating controls12
or overlays where applicable. These mitigating controls and overlays can be identified
or quantified by any model stakeholders during every stage of the stress testing and capital planning
exercises. For instance, if the strict timelines of the stress testing and capital planning exercise do not allow
the validation team to perform a validation of a complete set of models, the validation team should make the
validation results transparent to all stakeholders. This allows the other stakeholders to apply controls and
overlays to mitigate any model risk.
Although internal audit, as an independent oversight function, does not itself apply these controls and overlays,
it must understand the process in order to assess the organization’s model risk management.
Firms need to ensure they have sufficient skill sets in the internal audit team – as well as sufficient staffing
levels – to assess model risk components. The difficulty is compounded by the scarcity of qualified
resources. Some banks have started to staff quantitative expertise directly in their internal audit teams but
many are relying chiefly upon outside resources to assist the bank’s audit team.
11 SR 11-7 Supervisory Guidance on Model Risk Management.
12 Mitigating controls may include the following: (a) restriction of use, (b) limited scope validation.
Audit Process Knowledge – U.S. Financial Services Industry (top 10 areas, “Need to Improve”)

Rank       Areas Evaluated by Respondents                          Competency (5-pt. scale)
1          Current Expected Credit Loss (CECL)                     2.2
2          Stress testing (CCAR/DFAST)                             2.4
3          Derivatives and securities                              2.4
4          Derivatives and hedging                                 2.4
5          Mergers and acquisitions due diligence                  2.7
6 (tie)    Wholesale products                                      2.3
6 (tie)    International regulation                                2.2
6 (tie)    Capital markets planning                                2.4
9 (tie)    Other Than Temporary Impairment (OTTI)                  2.6
9 (tie)    Criticized asset management                             2.4
Financial services industry internal auditors responding to Protiviti’s 2016 Internal Audit Capabilities and Needs
Survey, in a section specific to financial institutions, ranked the new Current Expected Credit Loss (CECL)
rules as the main area where they need to improve their audit process knowledge.
CECL is a proposed credit impairment accounting standard that is expected to be adopted shortly. The new
standard is intended to address the concern that loss reserves proved insufficient during the recent period of stress.
The proposed CECL standard would require financial services institutions to generate forward-looking
and lifetime loss estimates to support their loss reserve decisions. Generating such estimates will entail
more sophisticated models, which in turn will require more historical data, incorporating more types of
information. The loss reserve estimation process would also involve multiple management judgements to be
made using sufficient supporting information. Furthermore, institutions would need to review and reclassify
their portfolios as required for the revised loss reserve standard and estimation models. Accommodating these
changes will entail significant changes in data governance, data sourcing, and related areas.
As institutions conform to the new accounting standard, internal audit would need to update the audit program
for the loss reserve process. The updated audit program should assess the quality of the collected data, the
consistency of asset classification, the information supporting management judgements, the accuracy of reserve
calculation and reporting, the robustness of the loss reserve model, and other areas.
For example, under the new accounting standard, it is expected that troubled debt restructuring (TDR) and
available-for-sale (AFS) assets will need to have reserves consistent with CECL methodology. Therefore,
internal audit would need to verify that the supporting systems have updated filters and codes as required to
assign these assets to CECL-conforming models. Under the proposed CECL methodology, institutions would
also need to determine the lifetime for each type of asset. Internal audit should therefore design tests to
determine whether the lifetime estimation methodology conforms to the requirements and is correctly applied in
the loss reserve models.
Internal audit will also need to review several areas that do not arise under the current loss reserve
accounting rule, including: the long-term (and possibly quantified) economic and market scenarios applied to
the lifetime model; the choice of the period over which forecasts are considered supportable; and the support
for the lifetime assigned to each type of asset.
Impacts on Internal Audit
Internal audit has a key role to play in ensuring the organization has an effective model risk management
(MRM) policy in place, which should also be formally integrated into the annual audit plan.
Action Items for Chief Audit Executives and Internal Audit Functions to Consider in Their Annual
Audit Plans
1. Ensure MRM is included within the audit universe.
2. Review the overall MRM process governance, design, resources, and adequacy to manage risk within the
appetite and tolerances set by the board of directors.
3. Address the functional adequacy of models within the business processes the models are supporting
(e.g., the Allowance for Loan and Lease Losses (ALLL) validation).
4. Ensure the organization has the resources and capabilities, internally or externally, necessary to both
challenge the effectiveness of models and review a validation for adequacy.
5. Conduct regular model governance audits, and ensure audit tests of CCAR and audit conceptual soundness
review of models and adjustments/overlays are completed.
6. Evaluate data integrity controls and testing, and evaluate source data quality and data completeness.
7. Conduct audit review of policies for board and senior management governance over CCAR, as well as
audit testing of board and management committee meetings for credible challenge.
8. Review that all material risks are covered in stress testing and CCAR, and that all risks are modeled
appropriately.
Barbi Goldstein is a Managing Director with Protiviti’s Internal Audit and Financial Advisory practice.
Shaheen Dil, Ph.D., is a Managing Director with Protiviti and Global Leader of the Data Management Advanced Analytics Solutions practice.
Survey respondents indicated that the number one area where they need to improve their audit process knowledge
is data analysis tools and statistical analysis. This interest in advanced analytics capabilities is being driven by several
factors, including:
• Internal audit’s increasing role in supporting regulatory compliance needs and monitoring, and a growing
need to apply continuous monitoring on a broader scale to increase efficiency and add value to the
organization through better insights into risks.
• External guidance calling for internal audit departments to better leverage data analytics to increase
sample size and analysis of information for the organization.
• A growing focus on data quality and data governance, driven by organizations’ growing reliance on big
data and big data tools, increasing the need for sophisticated data analysis within internal audit.
• Rapid adoption of data analytics in other functions and groups throughout the enterprise (enterprise risk
management, data governance, compliance), leading to a similar expectation for the internal audit function.
Protiviti developed a second quantitative benchmarking study in 2015 that was distributed to a select group of
the largest U.S. financial institutions.13
The study showed that internal audit functions were pursuing several strategic goals in data analytics,
chiefly to: perform more robust testing, increase efficiency, achieve continuous auditing, raise the visibility
of risk indicators, and meet the heightened expectations of regulators.
Dealing with Data Analysis Tools
[Internal auditors] are implementing the use of visualization tools and continuous
monitoring, they are accessing data without a traditional “request” of IT, and they are
running analytics to help them understand where the biggest risks exist.
– Barbi Goldstein, Managing Director
13 Changing Trends in Internal Audit and Advanced Analytics is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/Internal-Audit-Data-Analytics-whitepaper-Protiviti.pdf.
Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti’s Data Management Advanced Analytics Solutions practice.
Audit Process Knowledge (top 10 areas, “Need to Improve”)

Rank       Areas Evaluated by Respondents                                                          Competency (5-pt. scale)
1          Data Analysis Tools – Statistical Analysis                                              3.5
2          Auditing IT – program development                                                       3.0
3          Auditing IT – security                                                                  3.1
4 (tie)    Auditing IT – continuity                                                                3.2
4 (tie)    Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311)   3.2
6 (tie)    Operational auditing – effectiveness, efficiency and economy of operations approach     3.2
6 (tie)    Fraud – fraud detection/investigation                                                   3.2
6 (tie)    Assessing risk – emerging issues                                                        2.2
9          Audit planning – process, location, transaction level                                   3.5
10         Operational auditing – risk-based approach                                              2.4
It was clear from the benchmarking study that analytics is treated as a high priority for large financial institutions’
internal audit functions since the majority of participants reported an increase in demand for data analytics
within their audits. Most internal audit functions (87 percent) reported that they had a dedicated data analytics/
information management group within their function, while these groups indicated that they needed to ensure they
had immediate access to business data within their own data warehouse or similar environment. The survey also
showed that the vast majority of firms’ internal audit analytics functions are continuing to evolve toward a risk-based
approach with the goal of providing continuous monitoring to some degree to be able to plan individual audits,
monitor key risk indicators (KRIs) and support risk assessments. Continuous auditing is also being extended to
new areas within the enterprise; at the moment, the survey showed, firms only monitor areas where there are
known risk issues.
Although there is clearly more work to be done, the findings of this benchmarking study show that internal
auditors are committed to developing a forward-looking internal audit analytics capability that allows for deeper
business insights via the monitoring of KRIs, rather than just analyzing data in support of individual audits.
“The use of analytics by internal audit functions has definitely evolved and continues to do so,” says Protiviti
Managing Director Barbi Goldstein. “Historically, data analysis for internal auditors has consisted of performing
population testing in support of specific audits. Today, internal audit functions want to have a view of the business
lines’ key risk indicators based on current data and use that knowledge to make informed decisions about where
to dedicate their audit hours and testing. They are implementing the use of visualization tools and continuous
monitoring, they are accessing data without a traditional ‘request’ of IT, and they are running analytics to help
them understand where the biggest risks exist. This allows them to take a truly risk-based approach to creating
their audit plan.”
Building an internal audit analytics function requires time and more resources, however. The financial services
industry results from Protiviti’s 2016 Internal Audit Capabilities and Needs Survey show that larger financial
services firms intend to hire more data analytics specialists this year, but talent is scarce, which means firms
have been retaining outside help to support the internal audit team.
Chief audit executives and the internal audit function need to raise their awareness and knowledge of data
analytics tools so they can improve efficiency and capability by adding more advanced techniques, such as
continuous monitoring and key risk indicators.
Adopting Agile Risk and Compliance
Risk is moving away from being a control checker and referee, to an enabler of
business performance, driving a single approach for risk management and is fully taking
responsibility for improving the risk culture of the organization.
– Cory Gunderson, Managing Director
Cory Gunderson leads Protiviti’s Global Financial Services Industry practice.
Matthew Moore leads Protiviti’s Risk Compliance practice.
Organizations are realizing that their risk and compliance capabilities need to be agile, flexible and nimble in
order to respond more efficiently to the changing operating environment.
General Technical Knowledge (top 10 areas, “Need to Improve”)

Rank       Areas Evaluated by Respondents                                                          Competency (5-pt. scale)
1          Agile risk and compliance                                                               2.2
2          Internet of Things                                                                      2.7
3 (tie)    NIST Cybersecurity Framework                                                            2.3
3 (tie)    GTAG 16 – Data Analysis Technologies                                                    2.7
5 (tie)    ISO 14000 (environmental management)                                                    2.1
5 (tie)    ISO 27000 (information security)                                                        2.7
7          Mobile applications                                                                     2.3
8 (tie)    International Financial Reporting Standards (IFRS)                                      2.2
8 (tie)    Country-specific enterprise risk management framework                                   2.9
10 (tie)   Assurance around outsourced service providers                                           2.6
10 (tie)   2013 COSO Internal Control Framework – Evaluation of “Presence, Functioning and Operating Together”   3.3
Managing risk and compliance has become increasingly complex and expensive for financial services organizations
post-financial crisis. The increased regulatory expectations, the ever-changing risk landscape and rise of inherent
risk represent a new and permanent operating paradigm for the industry. To adapt, firms are expending significant
time, money and resources to implement required changes and prioritize risk management and compliance.
As costs continue to increase, it is becoming clear that the overly manual, reactive and siloed approach to risk
management and compliance is unsustainable.
“Many organizations are beginning to change their vision for risk management,” says Cory Gunderson, who
leads Protiviti’s Global Financial Services Industry practice. “Risk is moving away from being a control checker
and referee, to an enabler of business performance, driving a single approach for risk management and is fully
taking responsibility for improving the risk culture of the organization. Leading practices in risk management
suggest creating a mantra – a simple and repeatable slogan that can be repeated in frameworks, policies and
corporate messaging to help frame culture.”
Responding to Risk and Compliance Gaps Over the Years Has Left the Financial Services Industry in an Unsustainable Situation (figure)
• Growth and innovation – Growth and innovation have been forced to take a back seat given risk and compliance challenges.
• Significant fines – Large bank fines have topped $100B over the past five years.
• Unsustainable costs – Operating costs have become unsustainable as quick-fix solutions and increasing headcount are the norm to improve risk management practices.
• Inherent risk – Inherent risk continues to rise given the underlying business complexity and increased pace of change.
A better risk and compliance model is one that is technology-enabled, proactive, aligned across all three
lines of defense and embedded into business processes. Business, risk, compliance and internal audit groups
need to work within an integrated framework with clear accountabilities to create an aligned organization
that can make sound decisions, while also driving efficiencies. This is the solution we refer to as Agile Risk
Management, in which internal audit has a major role to play in providing independent assurance. Firms are
becoming more aware of the benefits of adopting such a program, and agile risk and compliance was ranked
as the top area where internal auditors would like to improve their general technical knowledge, according to
Protiviti’s 2016 Internal Audit Capabilities and Needs Survey.
What Is Protiviti’s Agile Risk Management Philosophy?
(Figure: Protiviti Agile Risk Management Philosophy – Risk Management, Aligned Organization, Operational Excellence, Customer Satisfaction)
At the foundation of the Agile Risk Management philosophy is the central premise that business management and
risk management should create a unified operating model with clear first, second and third line accountabilities.
• Agile Risk Management enables successful anticipation and response to a rapidly changing environment
resulting in informed executive decisions through an aligned organization, operational excellence and
customer satisfaction.
• An Aligned Organization of proactive collaboration and engagement is achieved by converging business
and risk processes, while risk and business acumen is enhanced throughout the organization.
• Operational Excellence is sustained by the successful execution of business strategy supported by efficient
processes, optimized technology and risk agility.
• Customer Satisfaction is improved by risk management and controls driving consistent customer experiences
and ensuring the needs of customers are considered in the design of processes, products and services.
Creating an organization that can respond to change more easily is central to the Agile Risk Management
concept. Forward-looking organizations have designed components of their business model to be more
configurable. Applying a more flexible business model allows firms to plug in new requirements and strategic
changes smoothly, eliminating the current model of approaching change on a piecemeal basis, which only
serves to increase costs and complexity.
Bringing risk management and compliance closer to the first line and integrating them more fully with the business
creates a model that can automatically respond to changing business strategies as well as regulatory change.
Embedding agile risk management throughout the organization requires the front-line business units to still
be accountable for risks while also being supported in a proactive way by independent risk management. A
meaningful and well-understood risk appetite is used to make business decisions, while risk identification and
monitoring are integrated within business processes.
By more effectively aligning the business and the risk and compliance functions, firms benefit in a number
of different ways. They are able to leverage integrated and coordinated business, IT, risk and compliance
monitoring. The organization has agile risk skills and common tools and methodologies to act efficiently, while
reporting is used jointly to measure business goals and risk limits.
In all this, risk management enables the business, which leads to respected risk and compliance functions that add
value to the organization.
“Internal audit plays a critical role in agile risk management by providing independent assurance on the design
and effectiveness of risk management systems,” says Matthew Moore, who leads Protiviti’s Risk Compliance
practice. “This includes reinforcing the firm’s risk culture and holding front-line and risk management units
accountable for fulfilling their responsibilities within the agile risk management framework. Internal audit has
the unique perspective of being able to observe risk management activities across lines of defense and business
units, which allows it to add value by providing important feedback on the extent to which there is alignment
across the organization and the agile risk management philosophy is operating as intended.”
The time has come for proactive organizations to take the lead and adopt an agile risk management framework to
better meet the challenges of today’s customers, shareholders, employees, and the risk and regulatory environment.
Understanding and Integrating Risk Culture
When the leadership team takes audit findings seriously and immediately puts pressure on
the line of business where the issues were identified to resolve the problem, it tells you a
lot about the risk culture of that firm.
– Michael Brauneis, Managing Director
Risk culture remains a key concern for internal auditors. Although the subject is not specifically flagged in
the 2016 survey results, it was singled out as an area for auditors to improve their technical knowledge in
last year’s results. The concept of risk culture has been a hot topic for the industry and global regulatory
bodies in the wake of the global financial crisis, but it remains an enigma for many financial institutions.
Regulators around the world have been encouraging financial institutions to articulate and formalize their
risk culture. On July 8, 2015, the Basel Committee on Banking Supervision (BCBS) released a set of revised
guidelines for enhancing corporate governance at banks, which includes the importance of a sound risk
culture to drive risk management within a bank.14
The Financial Stability Board (FSB) also has been very
active in providing guidance to financial services firms on the subject of risk culture. In April 2014, the FSB
published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing
Risk Culture, to assist firms in identifying the foundational elements that contribute to a sound risk culture, as
well as core practices and dynamics that may be indicators of the effectiveness of an enterprise’s risk culture.15
The FSB’s view is that the soundness of an institution’s risk culture is based on the extent to which it governs
its risk/reward decision-making process, successfully executes its agreed upon strategy within its defined risk
appetite on a day-to-day basis, and structures its compensation practices to take into consideration prospective
risks and risk outcomes that are already realized. The FSB recognizes that risk culture has to be embedded in
the overall corporate culture, which will evolve over time.
14 www.bis.org/bcbs/publ/d328.pdf.
15 Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, www.financialstabilityboard.org/2014/04/140407/.
James McDonald is a Managing Director with Protiviti’s Risk Compliance Solutions practice.
Dolores Atallo is a Managing Director with Protiviti’s Risk Compliance Solutions practice.
Michael Brauneis is a Managing Director with Protiviti’s Risk Compliance Solutions practice.
In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013, only 37 percent of
respondents noted that they evaluated risk culture, while only 28 percent said that they believed risk culture
is fully integrated into their respective organizations.16
“Through internal employee surveys, some firms are trying to analyze today how their risk culture is being
embedded in the organization to see how well their employees understand the risk culture,” says Protiviti
Managing Director James McDonald. “The fact that firms need to do so shows it is a challenge. The CEO
can state that the company is going to do the right things and live within its risk appetite but that message
needs to be continually reinforced. Firms need to empower employees and provide them with examples of
what good behavior looks like, such as instances where an employee raises their hand and identifies an issue
early on, so the problem can be resolved before it becomes a larger issue.”
Another impediment to integrating risk culture can be pushback from employees who are resistant to change.
Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behavior – taking
compensation from people who misbehave or break limits – rather than rewarding employees who are beacons
of good culture. That is backward-looking behavior modification rather than an incentive for proper future
behavior. “Those employees who raise their hands when they have an issue, with the issue then being debated
and escalated and addressed as appropriate, need to be rewarded,” adds McDonald.
Maintaining the consistency of risk culture messaging throughout the enterprise in all locations is a major
barrier to the effectiveness of risk culture in large financial services firms. Organizations can stage all-hands
town hall staff meetings to reinforce this messaging but it has to have the support of the board and executive
management, who need to work to ensure risk culture is integrated with the growth objectives and strategy
of the firm. Risk culture also needs to grow and change with the organization as it evolves, providing an
additional challenge for firms to maintain consistency in their risk culture messaging.
The BCBS guidelines on risk governance also recognize that compensation systems are a key component for
a financial institution to convey acceptable risk-taking behavior and reinforce its operating and risk culture.
They state that remuneration programs “should encourage a sound risk culture in which risk-taking behavior
is appropriate and which encourages employees to act in the interest of the company as a whole rather than
for themselves or only their business lines.”
16 Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013: www.protiviti.com/en-US/Documents/RMA-Journal-From-Theory-to-Evolving-Practice.pdf.
Risk Culture is the Keystone
Culture is the keystone that holds things together, providing a source of strength or weakness for
the organization. An actionable risk culture helps balance the inevitable tension between (a) creating
enterprise value through the strategy and driving performance on the one hand, and (b) protecting
enterprise value through risk appetite and managing risk on the other hand. In effect, it balances the push
between strategy and risk appetite.
Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer’s Success (Fourth in a Series)
(www.protiviti.com/cro-series).
[Figure: a performance management culture and a risk management culture, balancing Business Strategy against Risk Appetite.]
Impacts on Internal Audit
Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture,
which is the keystone of an organization’s risk management framework.
Compensation and incentive schemes are one obvious area for internal audit functions to review for their
alignment with the company’s intended risk culture but there are other areas that warrant internal audit’s
focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone
audits to determine the level of cultural integration in the organization, several topics that internal audit
reviews in the daily course of business can provide insights into this area. Examples of these include evaluating
the percentage of known issues that were first identified by a business process owner (versus internal audit, a
regulatory agency, or another independent source) and the status of remediation of issues (issues that take too
long to address or are in “past due” status often are indicators of a firm’s risk culture).
Internal audit certainly has a greater role to play in reinforcing risk culture within the organization. An
effective internal audit department could and should have a role in reporting risk culture, but few audit
functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture.
Firms can, however, include risk culture aspects in their existing audit processes: “This is almost a continual
process where audit can pick up on where risk culture has been embedded particularly successfully or not at
all,” says Protiviti Director Matthew Perconte. “Internal audit can reinforce some of the firm’s risk culture
messaging through their existing audits.”
Under the OCC’s Heightened Standards, internal audit’s role is to opine on the readiness and design
of risk management systems, corporate governance structures and risk appetite statements. “If internal
auditors are truly acting as independent practitioners inside a firm, they can drive culture because they
are going to report issues that are outside of boundaries,” says Timothy Long, a Managing Director with
Protiviti’s Risk Compliance Solutions practice.
Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organization
and how seriously their recommendations are taken. “When the leadership team takes audit findings
seriously and immediately puts pressure on the line of business where the issues were identified to resolve
the problem, it tells you a lot about the risk culture of that firm,” says Protiviti Managing Director Michael
Brauneis. “The same is true for firms where audit exceptions are not considered to be a significant problem
and where there are many repeat findings.”
Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and
recommending an immediate fix, audit can go a step further in evaluating the origin of the breakdown
to consider whether a risk appetite breach or incentives problem (e.g., pressure to cut control corners in
order to speed cycle time) might have contributed to the issue. Encouraging process owners to confront
and respond to these considerations can help the organization’s thinking and actions on risk culture evolve
past tone at the top to become a more practical consideration in day-to-day business activities.
Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the
OCC’s Heightened Standards, which require firms to show they have a strong risk management framework,
an engaged board, a risk appetite framework and a strong risk culture. “Regulators are requiring firms to show
their assessments on how their company is aligned with the heightened standards,” says McDonald. “We are
being asked by audit departments how they can show this. Our response is that they should, throughout the
year, have a number of audits of lines of businesses and support functions to gauge how the company’s risk
framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to
the OCC Heightened Standards and a big part of that is risk culture.”
Understanding and Integrating Risk Appetite
“Most of the focus has been around setting a risk appetite statement at the board level but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be.” – Timothy Long, Managing Director
Scott Jones is a Managing Director with Protiviti’s Internal Audit and Financial Advisory practice.
Timothy Long is a Managing Director with Protiviti’s Risk Compliance Solutions practice.
A financial institution’s risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a
bank’s risk appetite statement (RAS) and in turn the risk appetite statement should inform the bank’s risk culture.
Guidelines from regulators around the world state that formal written risk frameworks should be maintained
that cover all applicable risk categories, as well as any other material risk types to which an institution may
be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk
appetite statement at the board level. However, firms need to push the risk appetite framework into the lines
of business (LOB) for it to achieve its ultimate goal of aligning the enterprise’s risks with the stakeholders’
priorities in the most effective and efficient manner. The highest levels of management, up to and including
the board of directors, must sponsor the initiative, but involvement of LOB leadership and independent risk
management are crucial to ensure that all stakeholders embrace the overall approach.
Many financial services regulators around the world have stated that driving a risk culture throughout
an organization, resulting in a shared understanding of and compliance with the risk appetite, is as
important as having a written RAS. Especially in large organizations, consistency in understanding and
realizing risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of
the Currency, in a speech on May 8, 2014: “[Over] the years we found instances in which large, complex,
and highly interconnected banks allowed operational units to define risk appetite in terms of their own
needs and priorities. At best, this resulted in organizational confusion. At worst, it contributed to major
breakdowns in risk management. And for banks with such broad impact on the financial system and the
economy, that is simply unacceptable.”17
17 Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA’s Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014: www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf.
Matthew Perconte is a Director with Protiviti’s Risk Compliance Solutions practice.
Audit Process Knowledge (top 10 areas)

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4
“Most of the focus has been around setting a risk appetite statement at the board level but at some point
regulators are going to start pushing risk appetite down into the individual lines of business, which is
exactly where it needs to be,” says Timothy Long, a Managing Director with Protiviti’s Risk Compliance
Solutions practice. “A risk appetite statement for a $100 billion bank written at the board level is almost
meaningless because the practices in the various divisions from real estate to mortgages are completely
unrelated and separate; they need their own framework, defense lines and understanding of their own risk
appetite. Until risk appetite statements are pushed down to the lines of business, they don’t add value.”
Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge,
skills, and capabilities. Integrating risk appetite is a difficult task for the organization as a whole, and one
in which many internal audit functions are also struggling to define their role in providing assurance to
management and the board.
According to the Financial Stability Board’s Principles for An Effective Risk Appetite Framework, published in
November 2013,18 the RAS must include measurable, frequency-based, understandable and comparable metrics that
can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the
enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on
or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The
RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires
the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various
support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to
consider when auditing risk appetite.
Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit
KRIs, which all have defined tolerances and thresholds that are monitored frequently.
18 Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf.
Risk appetite metrics cannot simply be developed by the board and senior management and then pushed down into
the LOBs, since there is a significant risk that the risk appetite measurement and management process will become
a check-the-box exercise. The development process needs to be collaborative among top management,
independent risk management and front-line units to avoid a disconnect at the front-line level.
“Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions,
products and services,” says Matthew Perconte, Director at Protiviti. “Some LOBs are struggling with
designing these metrics, which need to evolve as the organization evolves. The creation of these metrics
could be one area where internal audit focuses efforts to ensure the risk department and the business
continually update and improve risk appetite metrics.”
To drive risk appetite effectively, organizations need to be consistent in promoting good risk culture with
ongoing education and dialogue. A well-operating risk management framework should enable an ongoing,
enterprisewide conversation about risk, while maintaining focus on how risk management objectives are achieved.
“Another area where internal audit can test to see if the RAS is being implemented properly throughout
the organization is by monitoring communication channels, such as town hall and staff meetings and LOB
committees, to check if the RAS is being discussed widely in the company rather than being limited to the
risk committees. LOBs need to show they are actively considering the risk appetite when making business
decisions. Another good test is whether the organization’s risk appetite is being discussed in mandatory
internal training at all levels,” adds Perconte.
Impacts on Internal Audit
Chief audit executives and the internal audit function need to first ensure that they fully understand the
firm’s risk appetite statement and framework. From such a solid grounding, the internal audit department
forms an integral part of the risk appetite framework by providing oversight to ensure the framework is
being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process
to check if the three- and five-year plans are informed by the organization’s risk appetite and risk capacity.
This then needs to be linked to the company’s capital stress tests to show that in a stressed environment
the firm will have the capacity to keep its set risk appetite and be able to hold the correct amount of capital.
Regulators will be looking for that linkage.
“Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done and in a lot of cases they are not equipped to do it.” – Timothy Long, Managing Director
The graphic below shows the key areas internal audit needs to consider when auditing risk appetite.
Key Aspects to Consider When Auditing Risk Appetite
The Financial Stability Board noted specific components of a strong risk appetite statement in the
November 2013 report entitled Principles for An Effective Risk Appetite Framework.
[Figure: an Effective Risk Appetite Statement is characterized as Informed, Qualitative, Linked to Corporate Goals, Defines Risks, Supported, Material, Risk-Focused, Quantitative and Forward-Looking. The figure’s supporting statements are:]
1. The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.
2. The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks and includes a reasonable number of appropriately selected risk metrics.
3. The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans.
4. Risk metrics are aligned to the incentive compensation plan and employees are appropriately incented to support prudent risk taking in line with corporate goals.
5. The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.
6. The RAS expresses the maximum level of risk (material and overall) the organization is willing to operate within under normal and stressed conditions.
7. The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.
8. The RAS clearly establishes the type and amount of risk the organization is prepared to accept in pursuit of its strategic objectives and business plan.
9. The RAS is supported by appropriate controls and stress tests.
Coping With the Pace of Change in Mobile Applications
“Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps ... can help. Auditors need to embrace the fact that continuous change is coming and they need to build their control programs around it.” – Ed Page, Managing Director
Jason Goldberg is a Director with Protiviti’s Business Performance Improvement practice.
Ed Page leads Protiviti’s U.S. Financial Services Industry IT Consulting practice.
Mobile banking and mobile payments are growing in popularity as financial institutions respond to
demand from their customers to offer more convenience and more products through mobile channels. Mobile
payment technologies are evolving as quickly as the smartphones they run on, with many different
participants in a burgeoning ecosystem of traditional and non-traditional players, including the
likes of Apple, Samsung, Google, and PayPal, among others. The speed of change, the introduction of new
third parties and the myriad risks presented by such brand new technology are presenting a wave of
new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial
services industry pinpointed mobile applications as an area where they need to improve their technical
knowledge in Protiviti’s 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second
by internal auditors in the same survey conducted in 2015).
General Technical Knowledge (top 10 areas)

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of “Presence, Functioning and Operating Together” | 3.3
“New technologies are appearing at a very rapid pace,” says Ed Page, Managing Director and Leader of
Protiviti’s U.S. Financial Services Industry IT Consulting practice. “Keeping up with such a rapidly changing
environment is a challenge for everyone from risk managers to IT practitioners and auditors. That bleeds into
all kinds of change management and control considerations that we probably didn’t have to deal with before, at
least at the rate of change that exists now.”
The old model of branch-based banking, and even online services, was protected by the fact that financial
institutions owned the infrastructure on which those services were being provided. In the mobile world, there
are many more variables: the devices are owned by the customer; there are dozens of variations of smart
phones, with varying operating systems; and there has also been an influx of new third-party service providers,
which are offering services such as in-app payments or mobile wallets.
All of these different factors create a complex, disparate mobile environment. Page advises professionals in all
financial services departments to: “Embrace the pace of change and the fact that there are so many variables in
the environment as the new norm.”
Page adds, “Firms need to design their programs and control structures around much faster cycle times,
which is where Agile software delivery and DevOps, which is about continuous change management, can
help. Auditors need to embrace the fact that continuous change is coming and they need to build their control
programs around it.”
The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. Controls
that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with
the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.
“Rather than fight this change, auditors need to become part of the team that develops the new software
services from the beginning, using the Agile method to ensure it is delivered in a method that still has the
necessary controls around it,” says Page.
There are many risks associated with mobile applications – security being the most obvious. Although the
cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that
are considering offering mobile payment services also have issues to consider around account provisioning,
data management, vendor management, and complex systems integration, as well as other operational and
reputational risks. The fragmented nature of the legacy technology and operations environment is only
compounded by the emerging technology overlay, making these challenges particularly acute.
Account Provisioning
The main risk of mobile applications for firms is around user authentication – making sure the user is who
they say they are. When using any type of mobile payment application – Apple Pay and LoopPay are just two
examples – the customer is required to provision their credit or debit card account onto their device. Banks have
experienced relatively high levels of fraud related to Apple Pay, specifically in its account provisioning process,
in which the issuer is contacted to verify the cardholder’s identity and card information.
“This is where all of the fraud was occurring,” says Jason Goldberg, Director at Protiviti. “Fraudsters are
incredibly sophisticated. In cases where financial institutions were using personal data to verify an account
prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about
the user authentication process and account provisioning process to ensure they are doing all they can to
identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to
remain logged in without re-authentication? What levels of authentication should be required? Is there a need for
multi-factor authentication of a device?”
Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, based on
all of the data they hold about an account’s past behavior. Using geo-location information from
mobile applications is one way to help reduce fraud, as a transaction’s location can be compared against the
customer’s past transaction history. Banks should be working with their core banking platform provider or third
parties to look at all of the data going through their networks.
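The paragraph above describes behavior- and location-based transaction alerting only in outline. The following is an added illustration, not code from Protiviti or from any bank’s monitoring platform: it screens a new transaction against a constructed account history using three checks a fraud analyst would recognize (implausible travel speed between consecutive transactions, a location far from anywhere the account has transacted before, and an amount far above the account’s historical median). The thresholds, coordinates, amounts and timestamps are all assumptions chosen for the example.

```python
"""Illustrative behavior- and geo-location-based transaction alerting.

All thresholds and sample data below are constructed assumptions for this
example; a production system would tune them per portfolio and feed the
results to an analyst queue rather than decline transactions outright.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from statistics import median
from typing import List

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # roughly a commercial flight (assumption)
NEW_LOCATION_RADIUS_KM = 200.0    # "never seen this region before" (assumption)
AMOUNT_MULTIPLE = 5.0             # alert above 5x the historical median (assumption)


@dataclass(frozen=True)
class Txn:
    txn_id: str
    ts: datetime
    lat: float
    lon: float
    amount: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def alerts_for(history: List[Txn], candidate: Txn) -> List[str]:
    """Return the reasons a candidate transaction deviates from the account's history.

    An empty list means no rule fired. With no history at all nothing can be
    compared, so the function returns no alerts rather than guessing.
    """
    reasons: List[str] = []
    if not history:
        return reasons
    prior = sorted(history, key=lambda t: t.ts)

    # 1. Geo-velocity: distance from the most recent transaction divided by elapsed time.
    last = prior[-1]
    hours = (candidate.ts - last.ts).total_seconds() / 3600.0
    dist_from_last = haversine_km(last.lat, last.lon, candidate.lat, candidate.lon)
    if hours <= 0:
        if dist_from_last > 1.0:          # same instant, materially different place
            reasons.append("impossible_travel")
    elif dist_from_last / hours > MAX_PLAUSIBLE_SPEED_KMH:
        reasons.append("impossible_travel")

    # 2. New location: far from every place the account has transacted before.
    nearest_known = min(haversine_km(t.lat, t.lon, candidate.lat, candidate.lon) for t in prior)
    if nearest_known > NEW_LOCATION_RADIUS_KM:
        reasons.append("new_location")

    # 3. Amount outlier relative to the account's typical (median) transaction.
    typical = median(t.amount for t in prior)
    if typical > 0 and candidate.amount > AMOUNT_MULTIPLE * typical:
        reasons.append("amount_outlier")
    return reasons


def _utc(y: int, mo: int, d: int, h: int, mi: int) -> datetime:
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


# Constructed history: three small purchases in New York over two days (median 45.00).
HISTORY = [
    Txn("h1", _utc(2016, 3, 1, 9, 0), 40.7128, -74.0060, 12.50),
    Txn("h2", _utc(2016, 3, 1, 12, 30), 40.7580, -73.9855, 45.00),
    Txn("h3", _utc(2016, 3, 2, 18, 15), 40.7128, -74.0060, 60.00),
]
# Constructed candidates: a routine purchase, a London purchase two hours after the last
# New York one, and a large purchase in New York the next morning.
CANDIDATE_OK = Txn("c1", _utc(2016, 3, 3, 10, 0), 40.7306, -73.9352, 38.00)
CANDIDATE_TRAVEL = Txn("c2", _utc(2016, 3, 2, 20, 15), 51.5074, -0.1278, 55.00)
CANDIDATE_AMOUNT = Txn("c3", _utc(2016, 3, 3, 10, 0), 40.7128, -74.0060, 950.00)

if __name__ == "__main__":
    for cand in (CANDIDATE_OK, CANDIDATE_TRAVEL, CANDIDATE_AMOUNT):
        print(cand.txn_id, alerts_for(HISTORY, cand) or "no alerts")
```

Each rule is independent so an analyst can see which signal fired; in practice the output would feed a scoring model and a case queue, and the geo checks would only apply when the device’s location permission and the app’s telemetry are trustworthy.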
There are additional challenges for firms now that liability has shifted from the credit card issuers to the
weakest link in the transaction, a change which came into force in October 2015. There is an added complication
in the United States as it continues to transition from magnetic stripe cards to EMV, or chip-and-PIN enabled
cards, which poses a potential problem for retailers: liability during a LoopPay transaction shifts to them, since
the technology bypasses the need for the customer to enter their PIN.
As well as the fraud liability issues, these payment services are relatively new technology with glitches that can
affect the consumer experience. These services are also not clearly understood by consumers or retailers, who
often blame the bank when payments fail, damaging the bank’s reputation.
Additionally, when the technology fails or there are issues with account provisioning, customers are
increasingly contacting their banks for technical support. Banks have to be prepared to train their customer
service teams or put in place new servicing teams that have more technical expertise.
With all of these new entrants into the payments space, financial institutions need to have robust vendor
management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to
third parties while also using core banking platforms that are themselves managed by third parties. These functions,
or modules, often don’t integrate well. Auditors need to take a close look at the end-to-end customer
experience on every path to make sure that it is controlled from module to module, and controlled in a way
that makes sense.
Impacts on Internal Audit
Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is
up-to-date with the latest technology that its organization will adopt and that the firm is
considering all potential risk exposures.
Action Items Chief Audit Executives and Internal Audit Functions Need to Consider
1. Ensure mobile applications and banking are covered in the audit universe completely (all products/services,
platforms, vendors, etc.).
2. Ensure that third parties are addressed in vendor management policies and procedures.
3. Consider fraud risk related to mobile transactions within customer-facing processes (originations
and servicing).
4. Understand the security approach to having a mobile presence.
5. Consider the end-to-end process for servicing. Mobile is typically a gateway to other services and platforms.
6. Understand mobile application change management plans and controls.
7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.
8. If applicable, consider the controls necessary to support an Agile software delivery model.
9. Consider cross-platform service management, including third-party components.
10. Consider the firm’s liabilities, policies and procedures in relation to account provisioning on mobile devices.
In Closing
Chief audit executives and internal audit departments will continue to be challenged by regulatory
requirements and advances in technology that subject organizations to a continually changing risk profile.
As this paper has shown, the list of internal audit priorities for financial services firms continues to grow and
with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and
model risk.
Advances have been made by internal audit to connect more with the lines of business and management
as part of collaborative efforts to improve oversight and to help the organization understand its risks and
achieve its strategic objectives. Such collaboration improves communication between the three lines of
defense while also helping organizations become more efficient and work to optimize existing resources as
difficulties in hiring and retaining talent become ever more acute.
In light of the lack of talent, firms need to consider additional investment in technology-enabled auditing
approaches and tools to help them meet their growing list of priorities, especially since emerging
technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.
Through enhancing efficiencies, knowledge and effectiveness, internal audit functions will be able to focus
on improving their skills in order to assist organizations in their continued growth, while at the same time
ensuring internal audit becomes a key strategic partner in the broader enterprise.
About Protiviti
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance,
technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune
1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member
Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with
smaller, growing companies, including those looking to go public, as well as with government agencies.
Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary
of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
Contacts
Scott Jones, Managing Director, Internal Audit and Financial Advisory, +1.213.327.1442, scott.jones@protiviti.com
Cal Slemp, Managing Director, IT Consulting, +1.203.905.2926, cal.slemp@protiviti.com
Ed Page, Managing Director, IT Consulting, +1.312.476.6093, ed.page@protiviti.com
Cory Gunderson, Managing Director, Global Leader Financial Services Industry, +1.212.708.6313, cory.gunderson@protiviti.com
Michael Thor, Managing Director, Internal Audit and Financial Advisory, +1.317.510.4685, mike.thor@protiviti.com
Barbi Goldstein, Managing Director, Internal Audit and Financial Advisory, +1.212.603.8351, barbi.goldstein@protiviti.com
Matthew Moore, Managing Director, Risk Compliance, +1.704.972.9615, matthew.moore@protiviti.com
Timothy Long, Managing Director, Risk Compliance, +1.212.399.8637, timothy.long@protiviti.com
Michael Brauneis, Managing Director, Risk Compliance, +1.312.476.6327, michael.brauneis@protiviti.com
Matthew Perconte, Director, Risk Compliance, +1.312.476.6998, matthew.perconte@protiviti.com
James McDonald, Managing Director, Risk Compliance, +1.704.998.0786, james.mcdonald@protiviti.com
Dolores Atallo, Managing Director, Risk Compliance, +1.212.708.6323, dolores.atallo@protiviti.com
Shaheen Dil, Managing Director, Data and Analytics, +1.212.603.8378, shaheen.dil@protiviti.com
Jason Goldberg, Director, Business Performance Improvement, +1.212.471.9678, jason.goldberg@protiviti.com
Charlie Anderson, Managing Director, Data and Analytics, +1.312.364.4922, charlie.anderson@protiviti.com