Recently, the world’s largest ongoing study of the internal audit profession—the Global Internal Audit Common Body of Knowledge (CBOK)—was completed by the Institute of Internal Auditors (IIA) and Protiviti to ascertain expectations from key stakeholders regarding internal audit performance at organizations of varying operational models and sizes. The study sought input from members of audit committees all over the world about their expectations of the internal auditor’s role in the organization. We think all directors will find the results of the study applicable to their work in the coming year and beyond.
Below are six imperatives for internal auditors from the CBOK study based on feedback from audit committee members.
1. Focus more on strategic risks. According to the CBOK study, two out of three board members believe internal audit should have a more active role in evaluating the organization’s strategic risks. Study respondents indicated that internal audit should focus on strategic risks (as well as operational, financial and compliance risks) during audit projects (86 percent) and periodically evaluate and communicate key risks to the board and executive management (76 percent). Accordingly, chief audit executives (CAEs) must focus their function sufficiently on the bigger picture to think more strategically when evaluating risks, proposing risk-based audit plans, and formulating audit findings. By understanding the organization’s business objectives and strategy, and by identifying risks that create barriers to the organization achieving its objectives and executing its strategy successfully, the CAE increases internal audit’s value proposition.
2. Think beyond the scope. The call for internal auditors to think strategically leads to another challenge: thinking beyond the scope of the audit plan. Thinking beyond scope means, for example, that the auditor should:
“Connect the dots” when considering enterprisewide implications of the findings of multiple audits, particularly findings with significant business model underpinnings;
Broaden the focus on operations, compliance, and nonfinancial reporting issues; and
Watch for patterns or signs indicating a deteriorating risk culture.
By focusing more broadly on the implications of audit findings, and thinking beyond the expressed or implied boundaries set by the audit plan, internal audit is better positioned to deliver stronger, more practical, and harder-hitting recommendations aligned with what directors are seeking.
3. Add more value through consulting. In today’s era of slower economic growth, a high premium is placed on operational effectiveness and efficiency. The CBOK study respondents picked up on this point, as 73 percent of respondents recommended that internal audit advise on business process improvements. For example, consulting activities by internal audit can result in: strengthening of the lines of defense that make risk management work; more effective collaboration with other independent functions focused on managing risk and compliance; improvements in the control structure, including greater use of automated controls; and suggestions for improving and streamlining compliance. These study findings underscore the benefit of investing in consulting services that will strengthen business processes.
4. Facilitate effective, high-quality communication. Board members generally rate internal audit’s communication at a high level of confidence. For example, a large majority of directors give high scores for the quality (83 percent) and frequency (81 percent) of internal audit’s communication. That’s good news and a great foundation on which to build the board’s satisfaction with the internal auditor’s role.
5. Elevate stature and perspective. Intentionally positioning the CAE and internal audit within the organization is vitally important to their ability to meet elevated expectations. Access and perspective have always been keys to positioning. Access has typically been attained through direct reporting to the audit committee, as well as to the C-suite. But beyond these reporting lines, the study reports that two out of three board members rank the CAE’s participation in board settings beyond the traditional audit committee meetings as an effective strategy for broadening the CAE’s perspective. The board settings that are relevant in this context must be defined by directors to fit the organization’s specific needs. However the goal is defined, increased access to and more frequent interaction with the board broadens the CAE’s perspective of the organization and elevates the stature and visibility of the internal audit function within it. It also enables the CAE to establish relationships with directors, understand their views on addressing competing audit priorities, and earn the right to be viewed as a valued source of insight for the board.
6. Align with stakeholder expectations. In most organizations, not all stakeholders see eye to eye or want the same value from internal audit. This reality creates a significant challenge for CAEs tasked with building consensus among stakeholders. While directors may not expect their company’s CAE to address all of the above imperatives, they should initially and periodically assess whether internal audit is doing what matters based on previously-established imperatives. The CAE bears the brunt of the responsibility for addressing this challenge by articulating the value that a top-down, risk-based audit plan contributes to each facet of the organization, and by providing an assurance and advisory perspective that the board, executive management, and other stakeholders can understand.
Following are some suggested questions that directors may consider based on the risks inherent in the entity’s operations.
Does the board periodically evaluate the scope of internal audit’s activities and discuss whether modifications are needed in view of changes in company operations and the business environment? Is the board getting the insights it needs?
Does internal audit provide adequate attention to strategic risk issues, including barriers to the organization’s execution of the strategy?
Does internal audit have an appropriate mix of consulting and assurance activities?
Does internal audit have the stature and access necessary to maximize its effectiveness?
Jim DeLoach is managing director with Protiviti, a global consulting firm.
According to a study by Ocean Tomo LLC, Intellectual Property (IP) accounts for as much as 84 percent of the market value of S&P 500 companies. With so much value at stake, companies often look to an IP audit to inform corporate directors, executives, and legal counsel about the status of the company’s IP and to educate these decision makers on strategies to improve protection, maintenance, and enforcement efforts against infringers.
Let’s examine what’s involved in an IP audit and how one could strengthen the governance of your enterprise.
What Is an IP Audit?
The two most common types of IP audits are an IP inventory audit and a comprehensive IP audit. The purpose of an IP inventory audit is to identify the IP assets of a company: patents, trademarks, copyrightable works, and trade secrets. The resulting list of assets is crucial because it may reveal IP that is outdated, underutilized, or that no longer has value. Companies may undergo an IP inventory audit prior to a merger or other corporate transaction, or simply when leadership wants an updated IP status report.
The comprehensive IP audit begins with the compilation of IP assets, but the real purpose is to review and analyze how the company utilizes its IP. Effective IP management requires careful attention to protecting, maintaining, and enforcing IP, and the comprehensive IP audit can be a powerful tool in this regard.
IP protection involves securing rights, and how this is done depends on the type of IP.
• Trademark protection derives from use in the marketplace, and those rights can be enhanced upon registration at the U.S. Patent and Trademark Office (PTO).
• Copyright protection exists when an original work of expression is fixed in a tangible form, e.g., an unrecorded extemporaneous speech is not protected, but an audio recording of it is. Similar to trademarks, copyright protection can be enhanced through government registration (via the U.S. Copyright Office).
• Patent rights exist only upon the grant of a patent by the PTO following examination of an application.
• Trade secret protection exists once the company has taken reasonable measures to safeguard the secrecy of information that gives it economic advantage, such as the formula to Coca-Cola.
The comprehensive IP audit can reveal gaps in protection and candidates for enhanced protection (e.g., trademarks or copyrightable works that the company uses but has not registered with the PTO or the U.S. Copyright Office). Also, if the company holds valuable trade secrets, the comprehensive IP audit helps determine whether the company has closely guarded them via employee nondisclosure agreements or other internal protocols.
The comprehensive IP audit will also reveal whether the company is meeting its periodic registration renewal deadlines, or, more formally, performing sound IP maintenance practices. It should also reveal whether the company is using its IP consistently and correctly (e.g., using a trademark as an adjective to describe a product or service rather than using it as the product name itself). In the case of trade secrets, the comprehensive IP audit should cover whether the company continues to adhere to whatever confidentiality protocols it used to establish trade secret protection in the first place.
A comprehensive IP audit can also help guide IP enforcement efforts. Effective IP enforcement includes policing against misuse and infringements and taking appropriate measures to stop violations.
A Comprehensive Report to Guide the Future
The comprehensive IP audit results in a written report that accompanies the list of IP. A good report will contain best practices and advice on ways the company can enhance, strengthen, and better protect the IP. This report acts as a roadmap for an effective long-term IP management strategy, and it can help the company proactively get in front of issues, implement changes in its IP policies and procedures, prioritize the company’s IP needs, and, importantly, budget for all of the above. This makes IP management more cost effective in the long term rather than waiting to put out fires when issues inevitably arise, and it is a positive risk management practice for boards to add to their oversight duties.
The written report can also provide insight into potential liabilities caused by the company’s current practices. Liability can occur for several reasons. For instance, a company can be held liable if it uses another’s IP without permission or beyond what may be permitted in a license agreement. Another common scenario that exposes a company to liability is if the company is not properly protecting itself when it allows users to post content to the company’s website. The audit report can highlight these issues and offer recommendations to curb and correct these behaviors.
Any time is a good time for a company to conduct an IP audit, especially if one has never been conducted or especially if new leadership has taken over and new strategies are being implemented. Preparing for an initial public offering, undergoing a merger or acquisition, or implementing a corporate restructuring are all prime situations that warrant an IP audit. An IP audit is a prudent next step in making sure that the company is doing everything it can to protect its valuable assets.
Adam W. Sikich, Esq. is senior counsel at Dunner Law PLLC in Washington, DC. Sikich specializes in all aspects of counseling in the areas of trademark, copyright, trade secrets, and licensing. He can be reached at firstname.lastname@example.org.
The U.S. Securities and Exchange Commission (SEC) requires companies to use a “suitable framework” as a basis for evaluating the effectiveness of internal control over financial reporting (ICFR), as required by Section 404 of the Sarbanes-Oxley Act of 2002 (SOX). In 2013, The Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its updated Internal Control—Integrated Framework, which was first released in 1992. This revised framework meets the SEC’s criteria for suitability, and many companies have accordingly transitioned to this updated version. However, in addition to supporting the evaluation of ICFR, the framework offers other important lessons to boards of directors on the relevance of internal control to their risk oversight.
The control environment is vital to preserving an organization’s reputation and brand image. Since the release of the updated COSO framework, there have been a number of corporate scandals related to operational, compliance and reporting issues. The companies involved likely lacked a strong control environment in the areas that contributed to the crisis.
The control environment lays the foundation for a strong culture around the organization’s internal control system. It consists of the policies, standards, processes and structures that provide the basis for carrying out effective internal control across the organization. Through their actions, decisions, and communications, the board and senior management establish the organization’s tone regarding the importance of internal control. Management reinforces expectations at the various levels of the organization in an effort to ensure alignment of the tone in the middle with the tone at the top.
According to the COSO framework, the control environment comprises the
organization’s commitment to integrity and ethical values;
oversight provided by the board in carrying out its governance responsibilities;
organizational structure and assignment of authority and responsibility;
process for attracting, developing, and retaining competent people; and
rigor around performance measures, incentives, and rewards to drive accountability for performance.
Without a supportive boardroom culture and effective support from executive and operating management for internal control, the organization is susceptible to embarrassing control breakdowns that could tarnish its reputation and brand image. This issue is likely a contributing factor at the companies that have been hit recently with headline-grabbing scandals.
The control environment applies to outsourced processes. Organizations typically extend their activities beyond their four walls through strategic partnerships and relationships. The blurred lines of responsibility between the entity’s internal control system and those of outsourced service providers create a need for more rigorous controls over communication between all parties involved. For example, information obtained from outsourced service providers that manage business processes on behalf of the entity, and other external parties on which the entity depends for processing its information, should be subject to the same internal control expectations as information processed internally.
The point is clear: management retains responsibility for controls over outsourced activities. Therefore, these processes should be included in the scope of any evaluation of internal control over operations, compliance, and reporting, to the extent a top-down, risk-based approach determines they are relevant. Controls supporting the organization’s ability to rely on information processed by external parties include:
Vendor due diligence;
Inclusion of right-to-audit clauses in service agreements;
Exercise of right-to-audit clauses;
Obtaining an independent assessment over the service provider’s controls that is sufficiently focused on relevant control objectives (e.g., a service organization controls report); and
Effective input and output controls over information submitted to and received from the service provider.
The potential for fraud should be considered explicitly when conducting periodic risk assessments. Ongoing risk assessments are an integral part of a top-down, risk-based approach to ensuring effective internal control. In these assessments, directors should ensure that management evaluates the potential for fraudulent financial and nonfinancial reporting (e.g., internal control reports, sustainability reports and reports to regulators), misappropriation of assets, and illegal acts. In addition, the potential for third-party fraud is a relevant issue for many organizations. As the COSO Framework points out, fraud risk factors include the possibility of management bias in applying accounting principles; the extent of estimates and judgments in reporting; fraud schemes common to the industry; geographical areas where the organization operates; performance incentives that potentially motivate fraudulent behavior; potential for manipulation of information in sensitive financial and nonfinancial areas; entering into unusual or complex transactions; existence or creation of complex organizational structures that potentially obscure the underlying economics of transactions; and vulnerability to management override of established controls relating to operations, compliance and reporting.
There are important lessons learned in Section 404 compliance. Investors take reporting fairness for granted; however, when public companies restate previously issued financial statements because of errors in the application of accounting principles, or because important facts were overlooked or misused, investors notice. The bottom line is that the markets take quality public reporting at face value. Once a company loses the investing public’s confidence in its reporting, it’s tough to earn it back.
Section 404 compliance is important in the United States because material weaknesses in ICFR provide investors with early warning signs of financial reporting issues. We have gleaned many lessons in our work successfully transitioning numerous companies to the 2013 COSO framework. The most important of these lessons is that a top-down, risk-based approach is vital to Section 404 compliance. Some companies failed to apply this approach when setting the scope and objectives for using the updated framework; as a result, they went overboard with their controls testing and documentation. We can’t stress strongly enough that the 2013 COSO framework did not change the essence of, or the need for, a top-down, risk-based approach to comply with Section 404.
Other lessons include:
Meet with your external auditor early and often to ensure that the company is fully aligned with the auditor on the appropriate process for transitioning to the updated framework.
Establish an effective and relevant mapping approach to link established key controls to the principles outlined in the COSO framework by leveraging the points of focus provided by the framework; start with existing controls documentation, and consider the nature of the framework’s components.
Manage the level of depth when testing indirect controls (often referred to as entity-level controls) by focusing on the specific objectives germane to ICFR; for example, for the indirect control emphasizing background checks, management should scope the application of this activity to the appropriate people designated with financial reporting responsibilities rather than all employees throughout the organization (unless management wishes to expand scope beyond financial reporting).
Focus on understanding and documenting control precision by understanding the control’s track record in detecting and correcting errors and omissions to support an assertion that the control effectively meets the prescribed level of precision.
Evaluate the completeness and accuracy of information produced by the entity to support the execution of key controls; the Public Company Accounting Oversight Board inspection reports are driving auditors to place more audit emphasis on validating system reports, queries and spreadsheets.
Applying the 2013 COSO framework to operational, compliance and other reporting objectives is largely uncharted territory. In applying the updated COSO framework, most organizations have limited their focus to ICFR. Some organizations even believe that the framework was designed exclusively for Section 404 compliance. Such is not the case. There are benefits to using the framework for other objectives relating to operations, compliance, and other reporting. However, these efforts should be kept separate from Section 404 compliance so that they do not inflate its scope. Progressive organizations are applying the COSO framework to other areas, such as sustainability reporting, regulatory compliance and controls over federal grants, to name a few.
Questions for Boards
The board may want to consider asking the following questions, based on the risks inherent in the entity’s operations:
Have directors paid close attention to whether the organization’s control environment is functioning effectively?
Does the organization periodically consider fraud risk in its risk assessments? Is the board satisfied that the risk of third-party fraud is reduced to an acceptable level?
Does the company’s process for complying with Section 404 apply a top-down, risk-based approach, and is the process cost-effective?
Has management considered applying the COSO framework to improve internal control in areas other than financial reporting?
Jim DeLoach is a managing director with Protiviti, a global consulting firm.