Fourth Quarter 2006 • Vol. 10 • No. 4
Welcome to CSA Sentinel, The IIA's quarterly publication for control self-assessment (CSA) professionals. A benefit of membership in The IIA's CSA Center, this newsletter features articles on the latest thinking in CSA and risk, practical "how-to" advice, research, and news on the latest developments. Information on joining the CSA Center is available from The IIA.
In This Issue
CSA Workshop Preparedness
A Practical Guide to Assessing Fraud Risk in Your Organization
Q&A With Dave Harmon
According to Mike
Quick Tips: Six Key Elements of an Effective Hotline
All contents of this Web site, except where expressly stated, are the copyrighted property of the Institute of Internal Auditors Inc.
CSA Workshop Preparedness
Understanding the challenges that can affect workshops will help facilitators increase the potential for a successful self-assessment.
CHRIS CARTER, CIA, CCSA, CPA, CISA
It is important for companies to spend adequate time designing their assessment metrics so that the results are reliable. To illustrate, think of a small car. It might be a compact car such as a BMW MINI; a smart automobile, which is even smaller; or a toy car (Figure 2). All three fit the label "small car." In the same way, confusion results when assessment criteria such as likelihood and impact are not given specific metrics. For instance, specify whether the lowest level on your likelihood scale means the event cannot happen or that it has a 0 to 25 percent chance of happening; the two readings produce very different scores.
Similarly, impact needs two metrics spelled out: reputational and financial. The highest level on your impact scale could carry the following descriptions for reputation:
Financial metrics for this same level of impact are often a percentage of operating income that would represent a catastrophic loss to the company financially. It is extremely important to get these metrics right before moving forward.
Risk assessments are not a new concept for many corporations, but there is a particular challenge in assessing fraud risk versus other operational, financial, or compliance risks. Fraud is about people acting illegally in your organization — the people you pass in the hall, go to lunch with, and share a toast with at the annual holiday party — which poses a challenge. Assessing the probability of fraud occurring in your organization is equivalent to asking, "Do you believe that anyone you know could defraud the company?" Most people will reply, "No." Everyone knows that companies experience fraud, but it's difficult to imagine that the people we know could do it. Therefore, it is not surprising that at the conclusion of many fraud risk assessments, the picture looks overly optimistic with low likelihood and impact scores.
Tackling the fraud assessment challenge requires some insight into human nature. First, identify which of the hundreds of known fraud schemes could be perpetrated within your organization. To go broad, begin with an online risk assessment, using Web-based risk assessment software (Figure 3) to house the risks. At minimum, choose participants from each of the company's business units or geographic locations, including finance, internal auditing, sales, distribution, human resources, security, and internal legal counsel. Offer participants anonymity so they can be candid.
Expect the results to underestimate both the impact and the likelihood of each risk. If so, why bother with the online assessment at all? Because even though the scores do not show how much risk the company actually faces, the relative ordering holds up: the online assessment is an effective way to prioritize which risks need to be watched closely.
To go deep, assemble a team of fraud risk owners for a fraud assessment workshop. The workshop usually consists of a cross section of appropriate participants from the business units or geographic locations mentioned above. Load the top-ranked risks from the online risk assessment into a risk and control self-assessment (RCSA) software program, demonstrated in Figure 4. Present the participants with the results from the previous online risk assessment during the risk workshop.
Next, consider asking the person in the room with the greatest knowledge of the fraud risk to open the discussion, covering impact first and likelihood second. The order matters. The human mind readily links two related but distinct judgments, so once people settle on how likely a risk is, they tend to carry that conclusion over to the impact score; a low likelihood score often drags the impact score down with it. Impact and likelihood are separate questions, and there are many risks whose likelihood is low but whose impact, should they occur, would be catastrophic.
After a candid discussion about the risk, participants could use anonymous voting techniques to score each risk systematically with the same criteria as the online assessment. Because the results generated by the RCSA software are anonymous, participants could communicate their honest opinion about fraud without being influenced by outside factors such as peer pressure, politics, scrutiny from their superiors, or influence from a dominant speaker in the meeting.
Auditors will find that the order of risks ranked in the online risk assessment and the order of risks ranked in the workshop are often similar. Typically, the difference is that the fraud risks from the workshop have received higher overall scores across both criteria and represent a more realistic view of where fraud can occur inside the organization.
A successful fraud risk assessment consists of several components:
After the assessment is complete, stand back from the results and ask yourself if they make sense. If they don't, keep reassessing the risks until you are confident that the picture on your X-Y heat map represents the company you are trying to protect.
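The scoring procedure described above (explicit scales, anonymous votes, likelihood and impact aggregated separately, a ranking, an X-Y heat map, and a comparison of the online and workshop orderings) can be made concrete. The following is an added example written for this page; it is not code from the article or from any RCSA product it mentions. The risk names, the scale wording and the votes are constructed for illustration, as is the choice of median as the aggregate and likelihood x impact as the ranking key.

```python
"""Added example, not code from the article or from any RCSA product it mentions.
Scores an anonymous fraud risk vote with explicit likelihood and impact
scales, aggregates each axis independently, ranks risks, places them on an
X-Y heat map (X = likelihood, Y = impact) and compares the online and
workshop orderings. Risk names, scale wording and votes are constructed."""
import math
from collections import defaultdict
from statistics import median

# Explicit scale definitions: every level has an unambiguous meaning, so a
# "1" cannot mean "impossible" to one voter and "up to 25 percent" to another.
LIKELIHOOD = {
    1: "0-25 percent chance of occurring in the assessment period",
    2: "26-50 percent",
    3: "51-75 percent",
    4: "76-100 percent",
}
# Financial and reputational descriptions for the same level (assumed wording).
IMPACT = {
    1: "under 1 percent of operating income; no external notice",
    2: "1-5 percent of operating income; local press coverage",
    3: "5-10 percent of operating income; national press coverage",
    4: "over 10 percent of operating income; regulatory action (catastrophic)",
}

# Constructed anonymous votes: (risk, likelihood, impact), one tuple per voter.
ONLINE_VOTES = [
    ("Vendor kickbacks in procurement", 2, 2),
    ("Vendor kickbacks in procurement", 1, 2),
    ("Vendor kickbacks in procurement", 2, 3),
    ("Fictitious vendor payments", 1, 3),
    ("Fictitious vendor payments", 1, 2),
    ("Fictitious vendor payments", 2, 3),
    ("Expense report padding", 3, 1),
    ("Expense report padding", 3, 1),
    ("Expense report padding", 2, 1),
    ("Financial statement manipulation", 1, 4),
    ("Financial statement manipulation", 1, 3),
    ("Financial statement manipulation", 1, 4),
]
WORKSHOP_VOTES = [
    ("Vendor kickbacks in procurement", 3, 3),
    ("Vendor kickbacks in procurement", 3, 3),
    ("Vendor kickbacks in procurement", 2, 3),
    ("Fictitious vendor payments", 2, 3),
    ("Fictitious vendor payments", 2, 4),
    ("Fictitious vendor payments", 2, 3),
    ("Expense report padding", 4, 1),
    ("Expense report padding", 4, 2),
    ("Expense report padding", 3, 1),
    ("Financial statement manipulation", 1, 4),
    ("Financial statement manipulation", 2, 4),
    ("Financial statement manipulation", 1, 4),
]


def aggregate(votes):
    """Median likelihood and median impact per risk, computed independently so
    that a low likelihood consensus cannot drag the impact score down."""
    per_risk = defaultdict(lambda: ([], []))
    for risk, likelihood, impact in votes:
        if likelihood not in LIKELIHOOD or impact not in IMPACT:
            raise ValueError(f"vote outside the defined scales: {risk!r}")
        per_risk[risk][0].append(likelihood)
        per_risk[risk][1].append(impact)
    return {risk: (median(ls), median(ims)) for risk, (ls, ims) in per_risk.items()}


def rank(scores):
    """Order risks by exposure (likelihood x impact); ties go to the higher
    impact so that low-likelihood, catastrophic items are not buried."""
    return sorted(scores, key=lambda r: (scores[r][0] * scores[r][1], scores[r][1]),
                  reverse=True)


def heat_map(scores):
    """Grid indexed [impact level - 1][likelihood level - 1] holding risk names.
    Medians that fall between levels (e.g. 2.5) are rounded up, i.e. toward risk."""
    grid = [[[] for _ in LIKELIHOOD] for _ in IMPACT]
    for risk, (likelihood, impact) in scores.items():
        grid[math.ceil(impact) - 1][math.ceil(likelihood) - 1].append(risk)
    return grid


def rank_shift(online, workshop):
    """Positions each risk moved between the online and workshop orderings.
    A similar order with uniformly higher workshop scores is the expected result."""
    online_order, workshop_order = rank(online), rank(workshop)
    return {r: online_order.index(r) - workshop_order.index(r) for r in workshop_order}


if __name__ == "__main__":
    online, workshop = aggregate(ONLINE_VOTES), aggregate(WORKSHOP_VOTES)
    for r in rank(workshop):
        print(f"{r:35} online={online[r]}  workshop={workshop[r]}")
    for impact_row in reversed(heat_map(workshop)):   # top row = highest impact
        print(" | ".join(",".join(cell) or "-" for cell in impact_row))
    print(rank_shift(online, workshop))
```

With the constructed votes, every workshop score is at least as high as its online counterpart on both axes, the order of the top two risks is unchanged, and the low-likelihood, catastrophic item ("Financial statement manipulation") keeps a place near the top because the tie-break favours impact rather than letting a likelihood of 1 bury it. The sanity check the article asks for at the end (does the heat map look like the company you are protecting?) is still a human judgment; the code only guarantees that the arithmetic has not quietly merged the two axes.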
California's Orange County Housing and Community Services Department provides affordable housing opportunities for renters and homebuyers; manages neighborhood revitalization efforts in unincorporated communities; and administers community services programs for special needs populations, including older adults, veterans, victims of domestic violence and hate crimes, unemployed workers, and the homeless.
I began working for Orange County in 1999 and took over the Housing and Community Development Department, which had undergone several leadership and organizational changes during previous years. I knew the department had been scrutinized heavily prior to my arrival, so I wanted to create a safe environment for people at all levels to discuss issues — both good and bad — to help me determine where I should focus my efforts. The department's main goal was to make sure an action plan was created to address the issues, as well as communicate with the staff to show we were following up on the things they shared with us.
I first learned about control self-assessment (CSA) from the director of internal auditing who began working for the county around the same time I did. Our first discussions about CSA mostly happened by chance. As the new directors with the county, we were discussing our departments and how things were going. Hearing about the issues and changes my department had undergone, the director of internal audit began explaining the CSA process to me. I thought the concept was tremendous and embraced it right away.
Shortly after learning about CSA, I asked internal auditing to conduct an assessment in my department. I discovered that a lot of people don't embrace this process and that most are afraid of it, but as the new person, it was easy for me to see the value in CSA. At that time, there were approximately 110 staff members in three divisions in my department. I had all the divisions go through a self-assessment, but based on conversations with internal auditing, we chose a broad representation of all classifications in the division. We also avoided having too many representatives from management so that other staff members felt safe in contributing honest opinions and feedback.
Approximately four years after my first experiences with CSA, the county's board of supervisors merged the Community Services Agency into mine and created the Housing and Community Services Department. This merger increased my three-division department to seven divisions with a total of 230 staff members. I once again used CSA to help me get up to speed as quickly as possible on the organizational issues within the new department, which helped me focus on merging two different organizational cultures.
From the start, I learned that CSA is a valuable tool to help focus on the most important issues first. The results of the self-assessment were mapped graphically, indicating the biggest red and green areas. Green areas indicate where there's a strong consensus that things are working and are well-aligned whereas red areas indicate the opposite. These results helped me triage the department by identifying the greatest discrepancies between our goals and professional standards for the organization and the reality as perceived by the staff. For example, we wanted a skilled, well-trained staff, and the CSA revealed whether the staff felt they had the necessary skills and training to do their job.
CSA was the perfect tool to help me figure out where the biggest problems in my department were. It also helped uncover the talent and commitment in the department and showed that many organizational obstacles had stifled these qualities. After the self-assessment, I was able to identify these obstacles fairly quickly and start taking proactive action to eliminate them, which allowed the department to blossom. Had we not been so successful with our first CSA effort, I don't think the board would have merged another department with us if they weren't pleased with the way we turned around the Housing and Community Development Department. CSA helped us do that much more quickly than we would have been able to do otherwise.
I also view CSA as an excellent tool to help communicate with staff that breaks down some of the hierarchies in the organization. I think by using CSA from the beginning, I was able to send the message that there's an opportunity at all levels to communicate in a safe environment.
I think one of the most important things to do prior to introducing CSA is to assure the manager having the self-assessment that CSA is an evaluation tool, not something to judge the manager against. In my opinion, you have to assure management that there won't be negative repercussions against them if the results show problems or issues needing to be addressed. If you don't, you’ll never get an honest reaction or feedback about what's going on within the department. So, I think that's one of the most important things to stress — that CSA is not an evaluation of the manager; it's an opportunity to hear from people in your department that normally don't speak up.
Also, position CSA as a communication tool. Some of the things that are raised as you explore them in a self-assessment sometimes don't turn out to be what you originally thought they were. If you took one of the CSA reports that I received and stopped there, you would have missed the boat completely. You have to follow up on the self-assessment and explore exactly what people mean when they say something is a problem. Don't just go by the words that were used on the report. The words are all structured and the questions are always the same. But if you don't dig a little deeper into what it is people really mean, you'll solve the wrong problem.
Therefore, CSA is a starting point, not a final document. CSA creates a fascinating opportunity to have a good discussion with your staff about what issues there are in the organization and what obstacles prevent them from functioning at their highest level. Don't just take the original document, though. Use it as the start of the conversation rather than the finish.
I think CSA is extremely valuable for everyone, but particularly a new manager. Even if you join a high-performing organization, CSA is an excellent way to let people know that you care about what they think and are willing to explore whether there are any issues that need to be addressed. If you're lucky enough to get "all green" as the graph would say, which means everyone is rowing in the same direction and understands their purpose, then that's great. That's valuable, too.
To directly answer your question, hotlines have a significant role to play with enterprise risk management (ERM) and the Committee of Sponsoring Organizations of the Treadway Committee (COSO) because they have control implications for components of COSO and span across the entire business enterprise.
Hotlines are hotter than ever before, and for good reason. According to the Association of Certified Fraud Examiners' 2006 Report to the Nation on Occupational Fraud and Abuse, "Occupational frauds are more likely to be detected by a tip than by other means such as internal audits, external audits, or internal controls." As you point out, hotlines are mandated for many companies to comply with the U.S. Sarbanes-Oxley Act of 2002. In fact, Sarbanes-Oxley compliance has undoubtedly been the primary driver by requiring a hotline for all publicly traded companies. In 2005, California even passed a similar requirement for nonprofit organizations. However, the philosophy of ERM and COSO makes a strong case for expanding hotline applications beyond merely complying with Sarbanes-Oxley at the lowest possible cost. For enlightened management, this expansion should not be a big jump to make. It just requires that hotlines be regarded as a key component of internal control rather than a statutory requirement.
The effective use of a hotline sends a clear message regarding management's intentions and expectations, which clearly figures into how employees view the organization's tone at the top. Keep in mind that the key word here is effective. Transparency and accountability are critical to how hotlines are viewed throughout an organization. Do people understand how the reporting works? For instance, do they believe hotlines are truly confidential and that there is accountability? One measure that strengthens how hotlines are perceived is when they are used in combination with a formal code of conduct, which helps clarify desirable versus unacceptable behavior.
Hotlines also can play an essential role in risk assessment when issues arise that otherwise might not get management's attention. This particularly could be true where there is a weak control environment. If you are embarking upon an ERM effort, you may find that sanitized hotline information is useful to expand what management views as their risk universe beyond financial management. Conversely, ERM and other risk assessment activities may give you insight into how to plan and organize your hotline's reporting to be more effective.
Additionally, hotlines are a significant enterprisewide control and monitoring activity. They are preventive in the sense that the threat of sanctions may deter inappropriate and fraudulent activities and are detective in that they monitor these activities for appropriate follow-up. Given these benefits, you may want to take a more critical look at what you have in place and consider whether enhancements are needed. This not only includes the nature of your service contract, but also your internal hotline's operating procedures.
I think it is important to look at hotlines within the larger context of an ethics program. Many organizations have a patchwork of activities such as implementing a hotline and adopting a code of ethics or conduct. However, standalone activities that are not integrated into a cohesive program do not really have a significant impact on what is perceived by employees as the tone at the top. To find out where your organization stands, ask yourself these questions:
I think you get my point. Hotlines are important with regards to Sarbanes-Oxley, as well as ERM and COSO. However, they are only one part of the larger picture of ethics.
I attended a recent fraud conference where there was, shockingly, much talk about fraud. Personally, I find it ironic that when we read or talk about fraud, it's always about what happened in this scheme or that scheme. The key message here is that it always seems to be after the fact. Many of us who are auditors — external or internal — say we do not audit for fraud. Rather, we audit an organization's internal controls and processes. In completing such a review, we make sure that reasonable and effective controls are in place to prevent fraud, but there is never absolute assurance. Yes, we may get lucky and discover fraud during a review, but not because of a planned audit review.
Well guess what? I am going to challenge this notion and say that we — auditors, fraud examiners, management, lawyers, controllers, or whomever — actually can audit for fraud in an effective and efficient manner. You probably are shaking your heads thinking, "Mike is really stretching the use of self-assessment. There is no way you can identify and audit specific frauds taking place in your organization by just sitting and talking around a table." Well, I want you to know that you can. In fact, one of this issue's feature articles, "A Practical Guide to Assessing Fraud Risk in Your Organization," discusses using self-assessment workshops to identify potential fraud.
In traditional risk and control self-assessments, we gather information and people to analyze what is taking place in the organization. We have them look at the business, as well as its objectives and processes, through interviews and workshops. In doing so, we develop an understanding and an enterprisewide view of what risks the organization faces, and analyze them to determine if and how they might impact our ability to achieve our various strategic and business objectives. These risks can have negative consequences, in which case we develop internal controls and processes that will mitigate them to an acceptable level for us to achieve our goals. In some cases, we find that the risks are trivial and we are using far too many resources trying to control them. And, in other cases, we find that a risk is an exploitable business opportunity that, when managed properly, may provide new economic or social benefits to the organization.
Using the same techniques for risk and control self-assessment, you can identify fraud risks that threaten your organization. By analyzing the hundreds of fraud schemes that could affect their business, organizations can zero in on the most potentially damaging or probable frauds that can be or are taking place. These fraud schemes are determined by brainstorming potential fraudulent situations that are common to all organizations and those specifically attributed to your particular industry or organization.
To help you get started, here are two general examples that could be included in anyone's assessment:
An actual audit of potential or real fraud can now take place because you know where, when, why, and how it can be or is happening. Once you have your list of schemes, follow the same process you would use for other self-assessment reviews — you determine the probability and impact such schemes will have on your organization. If they rate high, start auditing to find out if it's too late or if you are just in time to stop it.
As you can see, there is no reason for any organization not to be proactive in auditing for fraud. A fraud self-assessment is a perfect tool to help you and your management team audit potential fraud loopholes in controls and processes long before they become reality and your company is talked about at the next fraud conference.
PRESIDENT AND CEO, ETHICSPOINT
There are more than 60 federal statutes, including the U.S. Sarbanes-Oxley Act of 2002, supporting or requiring a methodology for anonymous reporting and whistleblower protections. Against this regulatory backdrop, and further bolstered by Federal Sentencing Guidelines, ethics and compliance hotlines have become key components of enterprise risk management and a form of self-assessment because employees are reporting on and helping to evaluate an organization's culture. Studies such as the Association of Certified Fraud Examiners' 2006 Report to the Nation on Occupational Fraud and Abuse have indicated that hotlines are the most prevalent method of detecting fraud, and by extrapolation, other risk events that may impede an organization's strategic objectives.
Hotlines should not be viewed as simply a whistleblowing mechanism, but rather a means to identify and resolve sensitive issues, encourage compliance across multiple disciplines, and minimize financial, legal, and reputational risk. Today’s hotlines must provide a methodology for reports to be triaged and managed toward resolution in a manner that can be measured and audited. The following six key elements have emerged from organizations that use hotline systems as an indicator of the organization's health and as a catalyst to strengthen their cultural underpinnings.
Each organization is unique in its risk assessment and risk response strategies, and hotlines must be tailored accordingly. One example is tailoring hotline incident categories to meet company-specific risk factors head-on. Multiple intake methods, including telephone- and Web-based reporting, should be provided to match stakeholder communication preferences. Companies with global operations should consider localizing hotline communication into local languages and must take into account international data privacy standards.
Before rushing to implement a hotline, spend time in the planning phase to lay the groundwork for a successful system. It is essential to create an environment where employees, vendors, and customers understand the organization's commitment to ethics and compliance and are knowledgeable about the guidelines established for the way the organization does business. Awareness for the hotline must be established, and a culture of transparency encouraged, from the top down. Many organizations implement ongoing, multifaceted communications programs that not only introduce the hotline, but also position it within an overall program of compliance, ethics, and risk management.
Organizational readiness also means being prepared to handle hotline reports. For instance, who will review the reports and who will investigate? The ability to immediately assign reports based on skills or roles will eliminate bottlenecks and allow reports to be reviewed faster. Also consider how management is involved and determine the process for the escalation of issues.
Because a trusted hotline supports the tone at the top and a company's open-door policy, make sure the reporting system encompasses a wide range of risk and violation categories so that stakeholders don't feel as if management only wants to hear about a narrow set of issues. It also is critical to be able to handle complex issues that touch on multiple categories. For example, a suspected case of embezzlement could also involve a threat of violence and drug use. The ability to handle complex issues reinforces to stakeholders and those charged with review and resolution that the hotline is more than a "check-the-box" system: it is also an important resource that can handle the complexities of the real world.
Furthermore, it is critical to follow up immediately with hotline users, even those who've chosen to remain anonymous. Giving acknowledgement of receipt and updates on progress and resolution are instrumental in reinforcing the organization's commitment to transparency. An effective reporting system facilitates such interaction and makes it easy to probe for more information while maintaining anonymity and confidentiality (e.g., through the use of unique report password protections). This gives the organization better insight into the issue being raised and also can help identify frivolous or unsubstantiated reports.
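The follow-up mechanism described above (acknowledgement, progress updates and further questions to a reporter who remains anonymous, protected by a per-report password) is the part of a hotline that decides whether anonymity is real. The following is an added example written for this page; it is not EthicsPoint's code or anything from the article. It sketches the minimum data model and authentication a practitioner would expect: a random report key, a salted PBKDF2 hash of the reporter's chosen password, constant-time comparison, and a record that never carries an identity. The category list, status names and messages are constructed for illustration.

```python
"""Added example, not EthicsPoint's or the article's code. Sketches an anonymous
follow-up channel: the reporter gets a random report key and chooses a
password, and the system keeps only a salted PBKDF2 hash, so investigators can
ask questions and receive answers without the record ever holding an identity.
Categories, status names and messages are constructed for illustration."""
import hashlib
import hmac
import os
import secrets

# Intake categories (assumed list); a report may touch several at once.
CATEGORIES = {"embezzlement", "harassment", "safety", "conflict of interest",
              "drug or alcohol use", "other"}
PBKDF2_ROUNDS = 100_000


class Hotline:
    def __init__(self):
        # report_key -> record. Deliberately no reporter name, e-mail, IP address
        # or login: anonymity has to be a property of the data model, not a promise.
        self._reports = {}

    def file_report(self, categories, narrative, password):
        categories = set(categories)
        if not categories or not categories <= CATEGORIES:
            raise ValueError(f"unknown or missing categories: {categories - CATEGORIES}")
        report_key = secrets.token_urlsafe(12)           # 96 random bits, unguessable
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._reports[report_key] = {
            "categories": sorted(categories),
            "status": "received",
            "thread": [("reporter", narrative)],
            "salt": salt,
            "digest": digest,
        }
        return report_key          # shown once to the reporter, together with the password

    def _authenticate(self, report_key, password):
        rec = self._reports.get(report_key)
        if rec is None:
            return None
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        # Constant-time compare; a wrong key and a wrong password look identical to the caller.
        return rec if hmac.compare_digest(digest, rec["digest"]) else None

    # Investigator side: works from the key alone and never sees the password.
    def assign(self, report_key, role):
        self._reports[report_key]["assigned_to"] = role   # a role, not a person's name

    def ask_reporter(self, report_key, question):
        rec = self._reports[report_key]
        rec["thread"].append(("investigator", question))
        rec["status"] = "awaiting reporter"

    def close(self, report_key, outcome):
        rec = self._reports[report_key]
        rec["status"] = "closed"
        rec["outcome"] = outcome

    def record_for_investigator(self, report_key):
        """What staff can see: the case, never the credential material."""
        rec = self._reports[report_key]
        return {k: v for k, v in rec.items() if k not in ("salt", "digest")}

    # Reporter side: every call requires key + password.
    def check_status(self, report_key, password):
        rec = self._authenticate(report_key, password)
        if rec is None:
            return None
        return {"status": rec["status"], "thread": list(rec["thread"])}

    def reply(self, report_key, password, text):
        rec = self._authenticate(report_key, password)
        if rec is None or rec["status"] == "closed":
            return False
        rec["thread"].append(("reporter", text))
        rec["status"] = "under review"
        return True
```

Two design points matter more than the code itself. First, the record has no field in which an identity could land, so a later "improvement" that logs the caller cannot quietly undo the anonymity guarantee. Second, a lost report key or password cannot be recovered, because recovery would require exactly the identifying information the system refuses to hold; the reporter must be told this at intake. Timestamps, if added, should be coarse enough not to tie a report to a badge swipe or a meeting.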
This is where the rubber meets the road. Assuming you've laid the groundwork, your organization now should be prepared to handle reports. During report intake, make sure that issues are categorized correctly and that sufficient information is gathered using collaborative interviewing and data-gathering techniques. Assign issues for assessment to the right personnel, using automatic assignments predetermined by the organization where possible, to eliminate bottlenecks. Prepare for, and know how to select, the appropriate analysis approach: internal analysis, special investigations that sometimes involve external agencies such as the Securities and Exchange Commission, or external investigations.
The hotline reporting environment should provide the statistics and analytics needed to understand more about the patterns of behavior and establish benchmarks for trending and review. This review should look for breakdowns of internal controls, geographical or departmental "hot spots," the need for additional training, or the need to adjust policy. This should include information received from hotline reports, in addition to information obtained through an organization's open door policy or through performance reviews, internal audits, or investigations. All of this data should be warehoused in a central location that can be reviewed to formulate an overall risk assessment review. This evolving data source then should be used to create a primary risk summary or as an ongoing comparison against the organization's established risk profile.
Additionally, tracking the outcome and post-corrective action for each incident provides the ability to review these actions so that your pending corrective actions are balanced and appropriate. This is critical when demonstrating that a system provides consistent and fair treatment for all types of reports. With the recent changes in the Federal Sentencing Guidelines, the ability to track resolution activity and steps taken to prevent future similar misconduct has never been more important.
Adopting the motto "what gets measured gets done" can help organizations remain focused on reviewing and improving the hotline process. Create a schedule for reviewing how the hotline is working, especially regarding communication, operational efficacy, and cultural assessment. Reviewing the process will help determine whether or not there is a need for additional training or new or updated policies within the organization.
Today's ethics and compliance incident awareness and hotline reporting systems should be much more than check-the-box solutions. Integrated Web- and telephony-based systems, coupled with powerful incident management and analytic tools, are proving instrumental in helping organizations manage enterprise risk. Fortunately, many organizations are already well down this road, reaping the benefits of consistent risk management, improved operational performance, reduced operational surprises, and transparent cultures.
If you have a "quick tip" that you'd like to share, please e-mail the editor.
Chief audit executives and internal auditors who want to learn more about managing and auditing IT vulnerabilities are in luck. The IIA recently released the sixth guide in its Global Technology Audit Guide (GTAG) series, Managing and Auditing IT Vulnerabilities. The 24-page guide was developed to help CAEs and internal auditors ask the right questions of IT security staff when assessing the effectiveness of their vulnerability management processes. The guide recommends specific management practices to help an organization achieve and sustain higher levels of effectiveness and efficiency, and illustrates the differences between high- and low-performing vulnerability management efforts.
To download the guide, visit The IIA's GTAG Web page, www.theiia.org/download.cfm?file=39632. (PDF, 574 KB)
To keep the internal audit community informed on the current status of The IIA's Guide to the Assessment of IT General Controls Scope Based on Risk (GAIT), the GAIT core team recently published its first Status Report, which provides information on the state of GAIT, a letter from the GAIT team leader, experiences from organizations implementing GAIT, and "Ask Dr. GAIT" — a question and answer section through which the GAIT core team will respond to practical questions from users of the GAIT methodology.
"The GAIT status report is an effort to fulfill a long-recognized need to create a communications vehicle among the GAIT core team, The IIA, and the various constituencies who have expressed interest in the GAIT initiative," says Heriot Prentice, The IIA's director of technology practices. "We think this is important, because the GAIT core team has been working round-the-clock to finalize the GAIT methodologies and principles, as well as to create consensus between management and external auditors."
To read the full report, visit The IIA Web site, www.theiia.org/download.cfm?file=39892. (PDF, 1.2 MB) If you would like to provide feedback for the upcoming GAIT Status Report, contact Heriot Prentice at firstname.lastname@example.org. Inquiries to "Ask Dr. GAIT" can be sent to email@example.com.
To add your CSA course, seminar, conference, or event to the calendar, please forward all pertinent information to Editor Allison Cain via e-mail, firstname.lastname@example.org, or by fax, +1-407-937-1103.