Tuesday, February 3, 2015

IT Audit Operational Risk & Unease

Don’t die of shock here, but audit committees are still overworked and unsure how to handle new risks confronting Corporate America.

So says the 2015 edition of the KPMG Audit Committee Survey, whose findings sound strikingly similar to the 2014 report one year ago. Audit committees are confident in the support they get from compliance officers about financial reporting and regulatory risks, very confident in their own abilities to digest all that information, and lost in the woods with cyber-security.

Let’s start with the good news on financial reporting. On all major tasks within that broad category—assessing adequacy of financial controls, evaluating the external auditor, reviewing financial filings, and the like—a large percentage of audit committee members said they spend the right amount of time on those issues, and don’t expect to need more time on them in 2015. Almost all survey respondents (98 percent) rate their oversight of financial reporting and disclosure issues as either “highly effective” or “generally effective.”

All that fits. Nobody relishes the joy of Sarbanes-Oxley compliance, but like it or not, SOX has instilled a discipline and attention to financial control over the last 10 years. These high marks on financial reporting are essentially unchanged from last year, and they’re likely to stay high in the future. SOX compliance is a lot like going to the gym: you feel awful the first time you do it, but over time you gain strength and get healthy. The same thing is happening here.

Now, on to the bad news—because lots of it falls squarely onto the compliance officer’s shoulders.

Boards are a lot less confident about their oversight of operational risks, cyber-security, and the overall pace of technology change, and they want to spend more time on all those issues in 2015. Only 36 percent rated their relationship with the chief compliance officer as “excellent”; another 24 percent rated it as “good but issues arise periodically,” and 10 percent said it needs improvement. Forty percent say the job is getting increasingly difficult to manage in the time they have, and 8 percent say they already don’t have enough time to fulfill their role.

All that fits, too. All those data points feed into one master problem: operational risks are growing too complicated. Compliance officers struggle to impose controls over them, and audit committees struggle to understand how all those operational risks affect a company’s ability to act strategically.

Cyber-security is an easy example. Fifty-five percent of audit committee members want to spend more time on that issue in 2015, and 41 percent say the quality of information they receive about cyber-security risks needs improvement. No surprise there, right?

Look more closely at other, related questions. At the same time that so many audit committee members worry about cyber-security, even more survey respondents (61 percent) said they want to spend more time on internal controls for operational risk, and 50 percent want to spend more time understanding the pace of technology change.

All these concerns are one and the same. Rapid technology change (say, storing customer data in the cloud) short-circuits your operational controls (which assumed customer data stayed on systems under the company’s own watchful eye), and that in turn creates a cyber-security risk (your data gets stolen from the cloud provider, where those controls no longer reach). Or to put it another way, technology is changing faster than a compliance officer’s ability to build controls, policies, and procedures around it. Hence you face more risks, and almost all of those risks involve the security of your data.

Building a system of effective internal control over operational risk clearly is in the chief compliance officer’s realm of responsibility. It requires someone who knows the regulatory requirements and the business risks that face your company, and how to create policies and procedures to address them. That’s what a chief compliance officer does. And with close help from the internal audit team, you then test those policies and procedures to be sure they work to keep operational risks in check.

That’s all at a theoretical level, however—in practice, operational risks are so diverse, and so fluid, that building adequate internal controls for them is incredibly difficult. All financial reports follow the same basic structure, so financial reporting risks are generally similar from one company to the next. Operational risks differ from one company to the next, and regulators only care that you do comply with their regulations, not how you achieve compliance.

Which all means that internal control for operational risks is going to be a long, hard slog, with plenty of improvisation and trial-and-error along the way. No wonder audit committees want more time to consider them.

This post originally appeared in the Feb. 2 edition of Compliance Week.
