ZenGRC

Simply Powerful GRC

Financial Services

Internal Controls: What Are They & Why You Should Care

· ·

what are internal controls

Internal controls act as the protective armor for an organization. Much the way that Tony Stark’s Iron Man suits protect him from the dangers inherent in battling supervillains, internal controls protect your business from the risks that can compromise an information technology environment.  

Understanding the Importance of Internal Controls & What They Are

What is a system of internal controls?

A system of internal controls protects your organization from financial, strategic, and reputational risks. In auditing and accounting terms, internal controls assure that your business basics remain operationally effective and efficient.

These processes protect your organization by providing the reliable financial reporting required by various regulations and industry standards that track investment, capital, and credit risks. For example, section 404 of the Sarbanes-Oxley Act of 2002 (SOX), intended to protect investors, requires annual proof that companies accurately report their financials, prove that their procedures effectively prevent fraud, and show that they have addressed any uncertainty such as stocks.

Why are objectives the first step to creating internal controls?

The first step to establishing protective armor lies in defining the risks you are guarding against. Until your company understands how it wants to position itself, it will remain unable to set appropriate objectives and mitigate the inherent risks.

For example, if Iron Man fights Dr. Strange, he needs something to stand up to his powerful magic. However, when fighting against Hulk, his armor needs to withstand the green rage monster’s strength.

Determining business objectives drives the risks your organization faces the same way. If you want to enter the healthcare services space, you need to think about the risks to electronic personal health information (ePHI). An organization that wants to engage in the healthcare arena must explore the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
If the organization wants to enter the financial industry, then management needs to look at the standards and regulations that govern banks to ensure they provide the appropriate controls.

Once your organization knows its objectives, it can move forward to defining the risks.

How does risk management depend on internal controls?

Once your company defines its objectives and goals, it can begin to identify the risks tied to those strategic decisions.
The core values of governance, risk, and compliance (GRC) focus on addressing risks so that your organization can comply with standards or regulations, while continuously monitoring to ensure the processes work. Controls are the specific measures put in place within those processes. For example, physical access risks differ from system intrusion risks. Both require controls, but physical access risk controls limit people with system access, while system intrusion controls include measures like firewalls and encryption.

Effective corporate risk management requires a structure to support the procedures that protect resources and assets.

What are the five internal controls?

When creating a system of internal controls, organizations should utilize available guidance. The COSO Framework identifies five types of internal control and offers definitions to help companies.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) convened expert auditor and accountant organizations to develop resources that would deter fraud. In 2013, the commission updated the COSO Framework and its five interrelated components.

Control Environment

Internal audit and enterprise risk management professionals define this as the standards, infrastructure, and processes that form the basis of the internal control system. These foundational structures establish the expectations for and importance of integrity within the company’s corporate culture. Management and Directors evidence their values through operating styles and organizational structure.

For example, formalizing segregation of duties shows that management not only acts appropriately but holds itself accountable.

Risk Assessment

Assessing risks means not only identifying them but also creating appropriate preventative strategies to mitigate them. To appropriately define risks, an organization must  look both internally and externally. If your organization outsourced work to vendors, then you need to be protecting against the threats they pose. When an organization limits its exposure and creates an inventory that addresses risk and any exemptions made, it develops a strategy to manage threats to the achievement of objectives.

Control Activities

Internal policies, procedures, and mechanisms are examples of control activities. These actions are the manifestations of the organization’s risk management strategies.  They can work to identify, prevent, or monitor risks; control activities must be embedded throughout a program’s life cycle. 
Not only does an organization need to act, but it also must document its control activities to demonstrate its management of risks.

Information and Communication

Communication underpins the entire GRC program.  Management and the Board of Directors communicate expectations to an organization’s employees. Staff must share information upward, so that reviews of risks and policy formulation processes inform corporate decision-making. During the monitoring phase, internally-generated reports provide timely information to external auditors and other stakeholders. As information is gathered and disseminated, it must flow up, down, and across the organization.

Monitoring

Monitoring internal controls ensures that control activities have been embedded within normal operations. Ongoing measurement, evaluation, and audits are necessary to regularly update the Board of Directors by providing reports and reviews.  Controlling risk is an iterative process, and to continuously improve controls, an organization must evaluate control effectiveness and learn from its own implementation efforts.

How do you design internal controls?

When designing controls, your company needs to determine how business processes relate to the integration of financial reporting and your information systems.

Organizations need to establish procedures regarding the initiation, recording, processing, correcting, transferring, and reporting of electronic and cash transactions. Then, these processes should be coordinated with your financial statements’ information.

Moreover, control design needs to explain how your information systems record events and conditions outside the financial statement realm.  For example, a breach impacts your financial performance because the losses affect your income and reserves. Thus, you need controls that document your breach responses.

Finally, when designing internal controls, your company needs to review the financial reporting process and the way you record non-standard transactions. While the internal control design process focuses on financial reporting and financial controls, organizations need to remember that modern-day solutions involve both software and hardware. Unlike the days of hand-written ledgers, modern businesses use digital tools to track their general ledger information, which is how internal control design connects to your IT environment.

What does an internal control audit require?

The Public Company Accounting Oversight Board (PCAOB) defines the standard of review for internal controls in Auditing Standard No. 5 (AS5) An Audit of Internal Control Over Financial Reporting That is Integrated with An Audit of Financial Statements. Since your auditor is likely a certified public accountant (CPA), understanding the terms and concepts within AS5 can help you be prepared.
The Section 404 audit will require you to provide documentation proving the coordination of internal control audit with your current financial statement audit. Auditors want proof of the evaluation process. Gathering this documentation in advance can ease the process during the audit itself. Moreover, you can streamline the audit process by communicating early and often with your external auditor. The documentation needed to demonstrate to an auditor reasonable assurance of compliance sometimes feels overwhelming.

How does automation ease the pain of internal control development and monitoring?

Between risk assessments, procedures, reporting, and communication, paperwork is the one thing that all internal control designs share. Small companies may begin working with spreadsheets to try to track their controls, but as they scale their business, their internal and external stakeholders increase in number. Thus, budgeting for a sleeker solution can save time and money long term.

More people interacting with the controls leads to potential errors when you use the confined authorization of shared documents. SaaS solutions like ZenGRC offer individual access controls, which means that your administrator can set appropriate authorizations for reviewing and editing to keep your information protected.

Additionally, with ZenGRC, you can create easy-to-read reports that give your Board of Directors the insights they need to monitor the control environment appropriately. Managing reports in one place makes your audit committee’s job easier and contributes to a better outcome when the external auditor interviews your Board.

Finally, by using a SaaS platform like ZenGRC, you can quickly gather your documentation to provide your internal and external auditors the information needed to review your control systems. With all the information housed in a single cloud-based repository, you can manage your audit requests more efficiently and cost-effectively. When your IT department spends less time gathering audit trail documents, they spend more time protecting you from threats.

Organizations need controls to protect them from threats, but they also need the supplementary systems to help them prove that they correctly assembled their armor. For more information about how ZenGRC can help your organization be Iron Man, schedule a demo today.

5 Compliance Lessons Learned from the Equifax Breach

· ·

lessons learned from the Equifax breach

As consumers reel from news of another major identity theft incident, businesses look for lessons learned from the Equifax breach. According to CNBC, 143 million consumers affected by the breach. The irony is lost on no one: the  data breach that will lead to identity theft was perpetrated against the company responsible for helping monitor identity theft. Five main compliance lessons learned from the Equifax breach should help companies regroup.  
 

Lesson 1: Use the Buddy System Wisely

 
Since the breach, everyone has been pointing fingers. First, Equifax pointed fingers at Apache. Then Apache pointed right back at Equifax.
 
Equifax argues that the Apache vulnerability was in the code for years. Apache points out that there’s a difference between known vulnerabilities and zero-day exploits. Even if the vulnerability existed for nine years, Apache may not have known about it and therefore may not be liable for the risk.
 
Imagine that Equifax and Apache Struts are in a Kindergarten classroom together. They both want to build with the classroom LEGO blocks. Apache Struts starts the foundation of the house but unknowingly leaves a weakness in one of the walls. Equifax builds on top of that and when the blocks come tumbling down, Equifax doesn’t want to clean up before playtime is over.
 
Regardless of who caused the mess, it needs to be cleaned up because walking across a floor covered in LEGO bricks is going to hurt.
 
Working with vendors means trusting them and doing your due diligence. Unfortunately, even with due diligence, vulnerabilities can exist.
 

Lesson 2: Patch, Patch, and Patch Again

 
Equifax argues that it was breached in May 2017, but there are two sets of code that could be involved. One was fixed in March 2017 and the other was announced only in September 2017.
 
If it turns out that the exploited code comes from the March 2017 vulnerability that Apache fixed, Equifax is going to be in the same boat as many others before it. An unpatched vulnerability led to a breach that could have been prevented.

Lesson 3: Don’t Let Your Business Card End Your Business

 
With hundreds of patches being released each month, businesses feel they’re set up for failure. The more software you use, the greater your risk of missing an important security update.
 
Managing this risk means understanding what needs to be done immediately and what can wait. The malicious attackers used a back door to gain entry to the Equifax information.
 
Consumer websites pose greater risks than most businesses recognize. While most organizations see them as digital business cards, hackers see them as entryways. Non-ecommerce websites are the perfect access point to an organization’s database precisely because they seem innocuous. Since many companies have not required a security audit on their website, they do not appropriately calculate the risk their corporate website might open themselves up to.
 
When engaging in risk rating your assets, it’s important to look at even the most unsuspecting areas. If you would lock the windows on the second floor of your house because they still pose a risk of robbery, then lock down that corporate website, too.
 

Lesson 4: Insurance is Not Invulnerability

 
Why is Equifax trying to point fingers at Apache Struts and vice versa? Because this breach is going to be expensive. So very expensive.
 
Equifax has already noted that despite carrying cyber-insurance, they aren’t sure if their property and business interruption coverage will be able to compensate those affected. Moreover, given the litigious nature of society, lawsuits have already started trickling in.
 
Carrying cyber-insurance can help defray the costs of a breach. Protecting your business with cyber insurance is becoming a necessity, but you also need to recognize the limitations of that coverage.
 

Lesson 5: Documentation of Compliance Can Save Your Business

 
One of the most important lessons learned from the Equifax breach is that compliance starts and ends with strong documentation. As Equifax scrambles to hire a forensic firm and locate the cause of the breach, documentation is going to be key to determining their liability. Being able to trace processes and controls can save an organization from going bankrupt or from incurring reputational damage that could end the business.
 
In the current climate, businesses will be breached. Being able to prove that you not only followed best practices but also constantly monitored your landscape may help mitigate liability.
 
In larger organizations, the documentation is harder to consolidate. With information spread across departments that use different applications, having a single source of truth can be the difference between keeping your databases safe and being an Equifax by removing compliance gaps.
 
Automation not only consolidates data, but it creates accountability. When organizations can show that they were working hard to protect their consumers, they gain the trust that allows them to continue to do business.
 
For more information about how automation can help you protect your organization, read our eBook, “eBook: Insider’s Guide to Compliance: How To Get Compliant and Stay Agile.”

How Digital Transformation Really Drives GRC

· ·

digital transformation

Like most technology startups, we welcome digital transformation of the business world. It opens new markets, lets you forge closer bonds to customers and business partners, increases profits, accelerates sales cycles. Wonderful stuff, and we mean that.

For compliance and risk professionals, however, the digital revolution brings challenges unlike any you’ve faced before.

The easy analysis is to say that all the benefits mentioned above also bring new risks—ones that can strike unexpectedly. New markets bring new corruption or money-laundering risks; new business partners bring new data security risks. That’s all true.
But unless you want to keep reacting to new risks, frantically whacking them down every time they crop up, compliance officers need to ponder this new risk and compliance landscape more deeply. What really changes during digital transformation? How can you build a sustainable compliance strategy in that world?
Well, we know that digital transformation changes two things at a company: the assets it owns, and the processes it uses.

For example, according to financial research firm Calcbench, intangible assets (intellectual property, trademarks, goodwill, and so forth) accounted for 9.6 percent of all assets on the balance sheets of the S&P 500 in 2011. Five years later, the figure was 11.15 percent—and that’s only for the large, stable businesses of the S&P 500. For younger, smaller firms, the percentage can be much higher.

That tells us that as this transformation continues, more of a company’s value will be determined by what it knows (data collection and analytics capability), and what others know about it (reputation). That’s a world apart from the value determined by the cash and goods a company possesses.

So if creating and preserving value is what the board worries about (pro tip: it is), then for risk and compliance managers, the future will be about how to help the company protect its proprietary knowledge and its reputation.
Easy enough so far. When we add the future of digital processes, however, the situation gets more tricky.

Visibility for All

On one level, digital processes are fantastic: they enhance that collection and analysis of data we mentioned above. Everything the company does can be labeled, logged, saved, retrieved, and analyzed, all at a moment’s notice.

On another level, however, that same advantage that digital processes bring—enhanced visibility into operations—can be turned against the company’s other objective of protecting value and reputation. Why? Because all the power of that enhanced transparency is available to anyone, inside the company or out, who knows the proper way to ask for it.

This is more than saying, “Don’t let hackers steal your data.” In today’s highly interconnected business world, with many third parties acting as part of your extended enterprise, the goal is to govern how your data is used. The strength of your governance processes will become enormously important.
For example, the ability to perform due diligence on third parties, and to produce that homework on demand, will be invaluable. Maybe regulators will want to see that work as they investigate a money-laundering rumor; maybe social media activists will want to see it as they talk up a human-trafficking scandal in your supply chain.

Regardless, success will hinge on your ability to demonstrate that your business processes are grounded in strong ethical values and that they work. If they work, your digital assets are protected; if they’re ethical, your reputation is protected.
One practical example of this is the Corporate Human Rights Benchmark, a project supported by institutional investors that takes data disclosed by large businesses (that is, transparency) and uses it to pressure those businesses into improving their conduct. Another is United Airlines: the company stumbled into a social media snafu recently when it barred two girls from boarding a flight while wearing leggings. That decision was in compliance with company policy (no leggings for people flying on United employee guest passes), but the ensuing outcry underlines the importance of clear policy, good judgment, and when to grant exceptions or stand firm.

Will surprises still come? Absolutely. But strong, effective GRC builds a company’s resiliency to weather the storm—and that will be the most important key to the success of all.

Tips For Compliance Related Planning Project Management

· ·

drawing of rocket

“All things are created twice: first mentally, then physically.  The key to creativity is to begin with the end in mind, with a vision and a blueprint of the desired result.” – Stephen Covey

In my last post, we covered the essentials of planning a compliance project.  Simply put, a compliance project without a solid plan is not unlike a house without a solid foundation.  No matter how much frill and filibuster you put into your project, sooner or later, the lack of a solid base will catch up with you, and you’ll end up with a lot of rubble and probably even more explaining to do.

Crossing the Line: Leaving the Relative Safety of the Planning Phase

When you cross that line from planning into the execution stage of your compliance project, you’re making a statement.  You’re stating that you’re ready to embark on the journey, that you’ve got your resources lined up, and a solid plan to get to the finish line.  Move to execution too early, and you risk failure.  Move too late and you risk budget overages, milestone delays, and resource loss.  Crossing into the green light of “all systems go” is a career move, and the success of your compliance project hinges on this decision.

When you move your project from planning to execution, there’s not always a clear demarcation point.  I suppose, in the ‘eating the elephant’ scenario we visited in my last post, this might be when you stop scratching your plans into the dirt, and take off running after the elephant.  In the review of an anti-money laundering (AML) compliance program, for example, this would be when you shift your focus from confirming resources and determining the review’s scope and objectives to deploying your resources.  At this point, you would be progressing into activities like assessing the adequacy and effectiveness of ongoing AML training programs and the existence and maintenance of AML compliance policies and procedures.   

At this point though, whether you’re chasing an elephant, building a house, or crossing the line into your compliance project’s execution stage, you’ll want to have confidence in your project plan and a set of steps designed and ready for when contingencies, at least the most likely ones, emerge. For example, how will you adjust your project if you lose a key resource to another company initiative or, worse, to turnover?  What will you do if you find that the data you’ve received through the company’s reporting tools is inadequate for the testing you have designed?  

Communicate – After All, You’re All in This Together

Communication is key here.  What I’ve found most effective, on my projects, is to have a project kickoff meeting with your project team, review the results of your planning process, and devise the best way to announce these details to your project audience.  This project team meeting, in a worst-case scenario, might result in identifying a dropped ball, or some risk that has not yet been mitigated. In a best-case scenario, though, you’ll be streamlining the entirety of your planning process into an executive-level announcement that communicates the project’s scope, timeline, and team in a way that captures all the expertise, diligence, and thought you have invested into the project.

This announcement officially introduces your compliance project to your organization and extends beyond the people who you contacted in planning your project.  It’s also another small win, indicating that your project is progressing.  Whether it comes in the form of a letter sent by email, or a slide deck shown in an opening meeting, this announcement should include:

  • PROJECT NAME:  The name of your compliance project acts as a sort of brand. When you use the name of your project in your communications, people will associate the project with its goal with you, and the project team.  Its success becomes your success.
  • TEAM DETAILS:  Identify the team assigned to your project.  For smaller projects, this can mean identifying one person who oversees the entire project.  Announcements for larger projects may also include the entire team, or just second-level team members assigned to the project’s key parts.
  • PROJECT TIMELINE:  Every project needs an end date.  When will you be out of their hair?  Include a quick sentence or two telling your audience when they can expect the project to be complete, and when they will see the results.  Include other important dates, as they pertain to your project.

When the Rubber Meets the Road – Doing the Project

Throughout the execution phase, you’ll be doing the project.  Maybe that means analyzing transactions for potential noncompliance events, testing red flags identified through that analysis, interviewing compliance process stakeholders, all three, or something else entirely. In the review of an AML compliance program, for example, you would be assessing the adequacy of the company’s compliance policies and procedures, the existence and effectiveness of the risk-based customer identification program, and procedures around SAR filings, among other control activities and elements.  Whatever the requirements for your project, there are common components that any well-managed compliance project will have:

  • Project Tracking (External) – If you’re going to spend time on the aesthetics of your compliance project reporting, this is a good place to start.  This tracking will report progress to your stakeholders, on the status of project deliverables, and budget-to-actual comparisons related to time and money invested in your project. When you are deciding which KPIs to include in your project management reporting, there are standard KPIs, applying to almost all kinds of projects that you should consider.  These include variance reporting around costs, resources, and scheduling, reporting around deliverables achieved and overdue, and the percentage of budgeted time/cost invested to date.   
  • Project Reporting (Internal) – Internal project reporting should be easy to follow, and should flow naturally into the deliverables identified in your external reporting.  Internal reporting  tends to be more detailed than external reporting, and often is built of sub-deliverables that link directly to the deliverables included in your external reporting.  For example, if you are reporting a list of overdue deliverables to your external reporting recipients, the internal reporting team may want to see that list broken out into an aging of those tasks or a listing of the teams responsible for each.
  • Project Issues Tracker – What’s not going so well?  Is there functionality that can’t be implemented?  Did the testing for a potential noncompliance item fail?  Did someone notice a bug in your automation of a compliance report?  Keep a list of these issues as they come up, and prioritize which ones need to be fixed ASAP, and which can remain pending until your compliance project is delivered.
  • Regular meetings to review status and findings – All the planning in the world won’t help your compliance project succeed if you don’t provide regular updates to your stakeholders.  With the milestones and budgets you created during your planning phase, you can now provide status updates showing progress against these targets, and show completion of the smaller subtasks you’ve detailed on your project plan.  This is where your small wins will really shine.

There’s a lot of variety in the nature of the compliance projects we come across during our careers.  Because this post provides guidance that can be applied to almost all projects, regardless of style or scope, best practices for the execution of compliance projects are going to take many forms.  There is one theme, however, that emerges in the list of ‘must haves’ for any compliance project – the need to develop and retain evidence showing that a project’s actual work was executed, and that it was executed well.  The form that evidence takes depends on your project, and the type of work it required.  Most compliance projects require at the very least these execution components:

  • Testing – Did your execution phase include some testing, to show client acceptance of your project, that the functionality of your new system will work as you planned it would, or that you made the best effort possible to scan a list of transactions for compliance?   With testing, it’s important to include key details such as: what was tested, how the items tested were selected (sampling methodology), what was the source of your testing documentation, what were the results, and what do they mean (conclusion).
  • Interviews – Who was interviewed, when, and what did they say?  What were the findings coming out of these discussions, and what is the conclusion?
  • Data Analysis – Did you analyze the entire population?  If you used samples, how were those selected?  What were the dates included in testing?  What were the findings, and how do you conclude on these?

Whether the objective of your compliance project is to improve PCI compliance, enhance your AML program’s KYC procedures, or something else entirely, you’ll need solid execution built on strong planning to get there.  In the end, though, as Dr. Covey said, if you design your execution stage well, and all activities play a role in the end you seek to accomplish, you’ll be at a much lower risk to waste valuable time and resources on deliverables that have no purpose. Project execution will flow much more smoothly, and you’ll have the tools developed and available that will help keep you on time and within budget.  And, with a project progressing smoothly and on schedule, you, your project team, and your stakeholders will all rest easier, knowing that your project will deliver its goals effectively, efficiently, and on time.

Check back soon for the third and final installment in the Project Management series, when we will discuss strategies for successfully closing a project.

The Cyber Regulations are Coming. Get Your 2017 Budget Ready Now.

· ·

Read the news and chances are you’ll see yet another report of a major cybersecurity breach. Big brands and small companies alike, none are immune. So it came as little surprise to see a recent article in Fortune reporting on new cybersecurity regulations for companies in the financial industry from the State of New York.

In essence the rules will hold financial firms accountable for preventing cyberattacks by requiring them to encrypt sensitive data and appoint CISOs. What’s more,  they require senior executives to sign off on cyber-compliance. The rules go into effect in 2017. And while they apply only to financial firms licensed by the State of New York, given the sheer number of financial companies in the state, the new regulations will make a big impact.

Several things really struck me about this story. First, most current infosec regulations today relate to open standards managed by industry associations. Think of PCI or SOC2 or ISO. Those regulations aren’t mandated by a government agency. Even NIST or FedRAMP relate to contracts companies have with the government—so they are really more about contract compliance rather than government-mandated compliance.  I would expect that additional state and federal government entities will follow New York’s lead and we’ll see a big jump in the number of national and international regulations related to cybersecurity.

For those of us in the compliance industry, more and more complexity is the new normal. How do we—both as an industry and as infosecurity practitioners at organizations—even begin to manage this? And how do companies remain healthy and innovative under the weight of all this compliance complexity?

If you manage information security for your company, what do these new regulations mean for you?

Regulatory requirements are no longer just the domain of the compliance and risk team. These are C-level and Board-level issues. Companies will pay a steep cost for non-compliance. Your day-to-day job may be focused on protecting your company’s infrastructure in order to prevent a breach. But with these new regulations on the horizon, you need to start speaking the language of the CEO and Board on these issues. New York’s new cyber regulations are a catalyst for thinking more strategically about information security and compliance.

More complexity is coming and you need to be prepared. Are you managing your compliance program with a mess of spreadsheets? The more regulations you need to comply with, the more untenable your spreadsheet management becomes. Now’s the time to start investigating solutions for automating compliance and audit-related tasks and workflows.

Urgency is the watchword of the day. If the New York cyber regulations proceed unaltered, they will go into effect January 2017, and companies will have a mere six months to comply. That’s not much time. And it means infosec managers need to communicate to upper management now—right away THIS yearto factor these new requirements into the 2017 budget.  The clock is ticking to get your house in order before the end of Q2 2017, or risk not just a cyber breach (which is bad enough), but also falling out of compliance with the State of New York.

Here at ZenGRC, we’ll be watching these new regulations closely and we’re here to answer any questions you may have. Don’t hesitate to contact us at engage@zengrc.com.