Occasionally I write guest posts about compliance and governance topics elsewhere on the Web. Three of those posts have recently gone live, one about third-party risk management and two others about the proper love and care of SOX compliance programs. If you just can’t get enough of me, here is a run-down of where to find them.
Group-level accountability for third-party risk
Over at Compliance Matters, the in-house blog of NAVEX Global, I posted a few thoughts about the difficulty of establishing one structure to oversee third-party risk.
I’ve noted this challenge before: that while compliance officers and other colleagues in central management see third-party risk as a reputation or compliance threat, business operations leaders (that is, the people dealing with third parties) see the issue as an operational risk. The key observation:
What’s really happened is that third-party risks have transformed. Where once upon a time they were disparate operational risks that could be managed locally, today they have evolved into compliance and reputation risks that demand senior executives’ attention… The critical question is whether your other business procedures, processes and controls have kept pace with this transformation. If they haven’t, then employees out in the operating units don’t feel the same urgency for good third-party oversight that senior executives do.
The full post is available to all over on the NAVEX website.
How to Improve SOX Efficiency in 2017
On the Workiva blog, I recently had one post examining the findings from its 2016 State of the SOX Market survey released earlier this year.
The top priority for SOX compliance managers next year is to improve efficiency—which is increasingly difficult to do, especially for larger enterprises with mature SOX compliance functions. Still, the Workiva survey drops a few hints about where to look: cybersecurity and risk management.
Two-thirds of survey respondents said less than 25 percent of their control testing related to cybersecurity or IT controls. And while 86 percent said internal audit is involved in SOX compliance somehow, most of the time internal audit does not help with risk assessment or scoping the SOX audit… Consider all those statistics altogether: increased importance, but relatively little attention or collaboration. Places like that are where efficiencies can be found.
The State of the SOX Market survey itself is must-read material for SOX compliance managers. My full post is well worth reading too, of course.
The Conceptual Shift Coming to Audit Technology
Also on the Workiva blog, I looked at the results of a separate survey from AuditNet exploring how well audit technology meets internal audit needs. Surprising exactly nobody, a large majority of audit leaders said their technology doesn’t meet all their needs.
The survey’s single largest lesson was that most audit teams use standard desktop technology (spreadsheets, word documents, flowcharts) to do mostly standard audit work of collecting evidence, planning audits, documentation, and so forth.
What’s lacking, I said, is stronger technology that can meet modern risk management and audit challenges:
So internal audit in the future will be more about studying and observing business processes; then determining when and why those processes fluctuate outside your comfort zone. All of that activity will (ideally) also be connected to your internal control or risk management system… That conceptual shift will help to drive the internal auditor up the value chain, to be an adviser on risks and business process improvement.
I’m grateful to NAVEX and Workiva for the opportunity to reach their respective audiences. Both blogs have numerous smart people sharing smart observations about governance, risk, and compliance, and are worth bookmarking.