Many other countries responded by creating their own versions of SOX. For example, on April 7, 2003, the Canadian government passed Bill 198, which essentially accomplishes the same thing as SOX – in fact, it’s frequently referred to as the Canadian SOX (C-SOX). This bill came out as a result of corporate scandals that shook investor confidence. It increased scrutiny of corporate governance amid growing concern about auditor independence and the disclosure of internal controls over financial reporting, a PricewaterhouseCoopers report notes.

The Provincial Government of Ontario introduced the bill in a piece of legislation called “Keeping the Promise for a Strong Economy Act,” and it was approved on December 9, 2002. In reality, the bill dealt broadly with a number of different government operation procedures and only a small part dealt with financial reporting.

The Three Regulations For Bill 198

Shortly after the bill was passed, Canadian securities commissions issued three additional regulations for companies and auditors to talk about: Multilateral Instrument (MI) 52-108, MI 52-109 and MI 52-110.

1. MI 52-108: This bill requires securities issuers to use the services of auditors who participate in the Canadian Public Accountability Board’s independent oversight program.

2. MI 52-109: Under this regulation, chief executive officers and chief financial officers would need to verify their filings (both annual and interim) are accurate representations of their company’s current financial status. MI 52-109 is similar to basic components of SOX 404 and requires companies to disclose policy and develop procedures for collection, capturing, evaluation and disclosing information.

3. MI 52-110: Finally, this bill regulates the role of audit committees in any business or organization that issues securities.

What Should Canadian Companies Do to Comply With C-SOX?

Canadian businesses must comply with C-SOX. Much like the American SOX Act, Bill 198 requires companies both big and small to spend a great deal of money on compliance with the legislation. That being said, there are certain steps they can take to help them develop procedures and policies necessary for meeting the stipulations of the bill.

“Well-designed, documented and monitored disclosure controls and procedures and internal controls over financial reports, including all relevant policies, procedures and operating principles at significant locations” are necessities, the PwC report notes.

PwC also advocates an internal control infrastructure that “facilitates communication, reporting, training, incident identification and issues management, enables ongoing monitoring of the system of internal control and completion of applicable control procedures and ultimately provides management with confidence that internal control structure is effective and can be evaluated and tested on an ongoing basis.”

For companies considering going public, compliance may seem like a pain at first, but costs will eventually decline as reporting standards and internal controls are established.

But while this practice may alleviate some tedious or arduous functions and enable the business to excel at what it does best, it also opens companies up to various risks through the actions of these third-party vendors. This is especially the case when it comes to large corporations dealing with multiple vendors or suppliers.

Bigger companies are inherently more complex, and managing a multitude of supplier and vendor relationships adds even more volatility that needs to be tracked. Different departments may conduct communications with vendors through a variety of means, which makes it difficult to identify potential risks. In many situations, there is little accountability for the management of these relationships and the subsequent risks they can have.

Risks Associated With Vendors and Suppliers

Suppliers and vendors are effective for outsourcing the day-to-day nitty gritty details of a time-consuming process or activity. But ultimately, the company that hires these vendors is still responsible for what they do and key stakeholders must make sure vendors are meeting all the compliance requirements that their business is accountable for.

There are several risks associated with the vendor-company relationship, the Consumer Compliance Outlook notes. While that isn’t to say these partnerships are always risky, corporations still need to be aware of these issues any time they enter into a new partnership.

     1. Legal Risk: Compliance standards have grown more complex over the years, with many companies spending more money to ensure they don’t fall on the wrong side of the law. This is particularly the case in some heavily regulated industries, such as financial services.

When various tasks are assigned to third-party vendors and suppliers, it is paramount to ensure whatever business practices they follow don’t end up getting the company in trouble. Contractual obligations are another issue that could cause potential legal risks for a business.

     2. Reputational or Brand Risk: When companies outsource any part of production, they are essentially putting their brand and reputation in the hands of another company. If the supplier or vendor breaks compliance and consumer laws or practices other bad habits, it’s likely to affect perception of the company as well.

Just note the issues Apple has had with its Taiwanese supplier, Foxconn. The awful work conditions at the manufacturer have cost Apple some bad publicity, and now the Cupertino, California-based electronics giant is reanalyzing its entire supply chain to ensure future incidents don’t occur.

      3. Operational Risk: Finally, there are substantial operational risks associated with using third-party vendors. If companies are looking to save money, they may opt to use a vendor that isn’t very expensive. Of course, this could lead to lower-quality work as well, hindering company performance and negatively impacting end-line customers.

For example, if a company hires an accountant who is overworked and booked with other clients, this could lead to missed details. This will have a trickledown effect on the company that hired him, giving them bad information and perhaps leading to unwise operational decisions being made.

Supplier and vendor risks usually occur because of key relationship mismanagement faults. Inconsistent cataloging, sloppy recording of communications and details, the challenges of doing business across time zones and business units, lack of security and inconsistent testing are all pitfalls that can lead to risks becoming meaningful threats to a company, KRAA Security notes.

Assessing the Vendor/Supplier Relationship

To that end, it’s crucial to perform risk assessments on these outside organizations to mitigate any potential threats. Prevention is key, and in that respect, due diligence can be leveraged as a means to nip these non-productive relationships in the bud.

Risk assessment needs to be considered as a continuous process when dealing with third-party vendors, not something performed once and then forgotten about. In that regard, a well-documented vendor risk management model can help ensure key issues are being addressed.

“[Companies] that outsource a service or product must adopt appropriate controls, policies and procedures, and oversight to mitigate outsourcing risks effectively,” the Consumer Compliance Outlook report notes. “Institutions should focus on five key areas for effective risk mitigation: vendor selection, vendor contract, vendor management and monitoring, human resource management and contingency planning.”

     1. Vendor Selection: Due diligence is paramount to avoiding issues in the first place. Companies should be sure to carefully research a supplier or vendor before signing on with them, asking relevant questions and requesting references when suitable.

     2. Contracts: Determining the contract is also important. Companies should know what they want out of a partnership and contracts should help them achieve those goals. Contracts also protect the company against future legal threats.

     3. Vendor Management: After a contract has been signed, don’t just forget about a deal. Monitoring a business relationship is important to ensure success and further mitigate risks.

     4. Human Resources Management: Operational risk is a very real concern to many management teams and turning over key functions can create a distracting situation. HR can help alleviate any of these issues.

     5. Contingency Planning: Sometimes, things don’t go through as expected. An effective backup plan will help mitigate any risks from outsourcing efforts not working out.

Companies can also employ an unbiased, objective template to evaluate these relationships. A numerical scale can help objectively evaluate various criteria and link different elements together. This is paramount to successful analysis of these outsourcing initiatives and determining whether they are meeting goals while minimizing risks.

Internal audits exist for the purpose of providing an objective evaluation of a company’s processes and procedures. Senior management understands this – that is why they order internal audits to be conducted and would rather have these committees tell them what is being done wrong so the corrections can be made.

However, expectations have evolved. “In rapidly changing and increasingly complex business and regulatory environments the internal audit function has evolved from corporate cop to that of a savvy in-house consulting service that not only reports problems, but that also gives constructive suggestions to line managers about how to improve the performance of the business,” explains Christopher McRostie, CEO of the Institute of Internal Auditors in Australia.

Management Expectations of Auditors

Generally speaking, senior management wants internal auditors to identify noncompliant business practices, understand the company, avoid being too production-oriented, prioritize activities and coordination and speak up when others will not. Senior management is looking for auditors to tell them whether business activities are in line with regulatory and legislative standards, and if they aren’t, these stakeholders want to know so the appropriate changes can be carried out.

For auditors, a sense of urgency is always a positive trait from the perspective of upper management – audits should be done promptly so as to maximize the relevancy of the information. However, it’s also paramount that their work be accurate and their integrity and credibility must be unshakable. To ensure they are hitting these needs, QFinance suggests auditors survey senior management to determine how well the internal audit activity is being performed.

The Importance of Establishing Communications

Communication is also important. Auditors need to be able to relay the progress of their evaluation to key stakeholders while also being mindful of business perspectives. The relationship should be built on cooperation, collaboration and mutual respect for all parties involved. Structured relationship programs are frequently useful to ensure conversations are happening appropriately.

For example, a three-tier stakeholder relationship program could include quarterly contact with senior managers (ranging from CFOs to risk officers), half-yearly contact with business leaders not working in the corporate headquarters and annual contact with other important figures that may not be directly involved with the auditing process (marketing managers, for instance).

While most auditors concern themselves primarily with their own activities to ensure policies and procedures are evaluated in a timely place, it’s also crucial to remember that they aren’t the only ones with full plates at a corporation. Upper management is also frequently busy, which makes it difficult to plan such communication schedules. This is why established discussion times are so pivotal – they help organize all the relevant stakeholders at once, ensuring no one’s time is wasted.

“Some larger agencies establish audit liaison officers or champions across their business lines or regional
offices as contact points for the internal audit activity,” the QFinance report adds. “These people can also facilitate audit planning and the conduct of audits, and provide periodic updates on the status of previous audit recommendations.”

Delivering Value

Open communication is a nice thing to have when dealing with auditors, but ultimately, senior management wants results. Auditing can cost a lot of money, and so these key stakeholders want to get the most value out of the resources spent. As a report from the office of the Auditor General of Canada explains, times are changing. Those in management no longer want mere reporting of control deficiencies – they want to be involved, as they feel this maximizes value.

“Audits are becoming more cost-effective by being ‘risk-driven,’” the whitepaper notes. “In many organizations, risk assessment is a continuous process that enables audit management to make ‘smarter’ decisions about where to spend scarce audit dollars. Increasingly sophisticated risk-assessment techniques are helping auditors determine where the areas of greatest risk lie in the organization.”

One such way of doing this is by engaging key stakeholders in the development of the internal audit plan. From the perspective of management, this ensures the course of action is relevant and consistent with the company’s current risk profile.

Auditors should provide senior management with feedback on the adequacy of risk management, governance and internal controls. Stakeholders no longer simply want results – they want an in-depth analysis of the audits to help them better identify systemic issues with the corporate culture of their organizations.

To this end, setting “themes” for the various audits conducted as a part of the plan can be helpful. QFinance suggests that this approach encourages high-level reporting to senior management, helping auditors to better deliver value through their audit plans.

Some key strategies for auditors looking to provide better value to upper management include: Aligning activities to organizational goals and objectives, understanding the business and the impact of developments on an organization’s risks, consulting effectively with senior management and staff to contribute ideas on an ongoing basis, elevating the focus of their activities to broader risk management, providing broader information with deeper insight into emerging GRC risks and delivering what was originally promised.

Meeting Expectations

Ultimately, it is the capability of an internal audit team to meet the expectations set forth by upper management that determines the credibility, trust and respect it earns within an organization. Regularly produced staff profiles that note the skills, experiences and qualifications of internal auditors can help keep management at ease and establish credence with key stakeholders.

“At a time in our history when there is a global shortage of professional internal audit practitioners, coupled with a broader internal audit charter, it is imperative to position the internal audit activity as an employer of choice,” QFinance adds. “To attract the right people, use the results of the periodic external quality assessment reviews to differentiate your internal audit activity from others.”

The role of the internal audit in the mind of senior management has changed over the years. By managing expectations, establishing communication, delivering value and ensuring credibility, internal audit teams will be better able to meet the rapidly changing perceptions of important stakeholders.

Foreign companies and SOX

For a number of years, foreign entities enjoyed a number of benefits by becoming a public company in the United States. As a report from Morrison & Foerster notes, some of these advantages include: Increased visibility and prestige, ready access to the U.S. capital markets (which are still among the largest in the world), the ability to attract and reward key talent acquisitions by offering stock in the company’s growth and the power to send credible signals to the market that the organization will protect minority shareholder interests.

SOX has a wide-reaching jurisdiction, and any company with a dual listing on a U.S. exchange that has 500 or more U.S.-based shareholders needs to make itself compliant. Understandably, a number of foreign companies were frustrated when they discovered SOX would affect them as well as American organizations. Many delisted and went private as a result – back in 2006, a study conducted by Mazars found 17 percent of European companies considered the option.

However, several key advantages of being a public company in the U.S. still exist. This fact has encouraged a number of companies to comply with SOX standards rather than part ways. The same Mazars poll noted that 43 percent of European countries believed the benefits of SOX outweigh its costs, while that number skyrockets among Asian and Latin American firms, with 72 and 81 percent of respondents agreeing with that notion, respectively.

Complying with Section 302 and 404

Before SOX, most companies already had hundreds or even thousands of documented controls in place. However, the reporting and evaluation of these controls is what SOX revolutionized – now companies must ensure that compliance work is being performed on a consistent and continual basis, with the results of these tests reported through annual or quarterly documentation.

“Although almost all Sarbanes-Oxley programs have been structured around using the COSO framework, too few businesses have really used the monitoring component of this internal control framework,” Adrian Giles, a senior partner at venture specialists Venesis, explains. “Many are too focused on the detailed control activity and the level of detail documented for both the design and operational effectiveness of those controls. Far greater value could be achieved if they increased the focus upon monitoring transactions for control compliance.”

Section 302, one of the key sections of SOX, requires chief executive officers and chief financial officers to both sign off on documentation and certify that financial statements are accurate based on these controls and are true measures of a company’s standings. Previously, companies only needed the word of the auditor in charge.

Section 404 was another landmark component of the bill, which also requires both executive management and auditors to report on the adequacy of the controls set in place. Again, this forced many companies to change how they managed controls in an effort to reach compliance.

Foreign companies need to consider SOX compliance just as much as any American company. While meeting these standards will cost money, the benefits largely outweigh the negatives and can create real advantages for international organizations looking to develop credibility in the marketplace.

Our customers and partners at the BPS Resolver 2012 Eastern User Group.

I thought I would write a quick note to thank all of our customers and partners that came out and participated in our recent BPS Resolver user group here in Toronto. The event was a great success. It was a packed house and everyone really got engaged in the presentations and conversations that transpired over the course of the day.

In hindsight, maybe we should have even made it two days as it felt like we were just getting going by the end of it. This is what happens when you get a group of really smart and dedicated GRC practitioners together.

As technology advances, and collaboration migrates more and more to the web and online forums, there are a few things that I sincerely hope do not go away. A live User Group is at or near the top of that list. There is nothing better than hearing customers sharing ideas and collaborating in person about the work they do and how software plays a part in it. Our customers educated each other, challenged each other and everyone benefitted.

New relationships are formed at these events. We learn more about what really matters to our customers than we ever could through phone calls, surveys or online forums (which certainly all have their place as well!). Our customers see possibilities they had not considered. I don’t know what the final count was in terms of the ideas we generated during the session. The number does not really matter. What I do know is that the quality of the ideas was first class and our product and development teams have some great new challenges ahead.

Thanks again to everyone who organized and participated in this. I can’t wait for the next one!

-Steve

As Kreitner Management notes, a group is defined as “two or more freely interacting individuals who share a common identity and purpose.” There are two different types of groups – one that organizes to satisfy esteem needs, such as friends or clubs, and one that organizes to achieve something productive and contribute to the success of a bigger goal. The latter is the type of group most auditors will be managing.

Managing the politics of a group comes down to observing the four steps of group development. First is orientation, the point at which most people are uncertain about things. Then comes conflict and change, when roles are defined. Next is cohesion, the point where a consensus on leadership and structure is reached. The final stage is acceptance, when a trusted member is leading the conversation and member expectations are more realistic.

When audit committees first start holding regular meetings, it’s quite likely they will face some initial hesitance from people who don’t quite understand what the auditor’s role is within the company and may not agree with their suggestions. The key is understanding that the pursuit of self-interest is a real political challenge within companies – Kreitner notes that 45 percent of employees believe politics detract from organizational goals.

However, that doesn’t have to be the case and in fact, 61 percent of respondents also noted that internal politics helped them to advance their careers. The best way of minimizing conflict is by setting up an environment that is open and trustful, rewarding performance results rather than personalities. Auditors should suggest goals that can improve both the individual and the organization through meaningful work and also welcome broader perspectives when dealing with groups of people.

It all stems from the top, so audit executives and upper management should make it a point to demonstrate that meetings occur to benefit the group, not individual careers.

The GRC Cloud 6.1 Release is focused on improving existing features based on your feedback. We’ve
been listening to all the suggestions you have provided via Support and Client Service! Of course, we try
to accommodate as much of your feedback as possible and will continue to do so in future releases.
Please keep all the great feedback and suggestions coming our way!

Please click here to view the release notes for GRC Cloud 6.1

Changing expectations

Key stakeholders want more visibility of what their companies are doing and a clearer picture of their performance. They want to know more about internal audits and to understand what is being evaluated at any given moment and why. This means the expectations of audit committees are rising – rather than simply providing compliance and financial guidance, these groups are expected to manage operational and strategic risks as well.

As RSM McGladrey noted in a recent whitepaper, new regulations are driving companies to take on different auditing practices. This is further driving change to auditing priorities, changing the focus to entire risk profiles and the impact of major events on that profile.

Now, every department of an organization needs to be an active part of a company's audit program. This is the only way audit committees will be able meet these changing expectations and evaluate emerging areas of significant risk. In that regard, auditors are frequently key individuals within a company – they have knowledge of the organization's operations, strategic plans, business activities, current risks, exposures and controls.

Stakeholders are also demanding more accountability on the behalf of their audit committees – they want to know precisely what specific individuals are up to at any given moment. Business moves at the speed of light and if upper management can't tell which processes are working or which risks could have the biggest impact, they can't make the correct business decisions. In response, they are demanding faster audit cycles, improved communication, faster resolution of issues and increased relevancy.

Optimization of technology

The current business climate is technology-driven – modern companies can use computers, video conferencing, cutting-edge software and other gadgets to conduct business deals and run their companies more quickly than ever before. A separate RSM McGladrey report noted the perception of IT importance has risen over the past few years and has grown increasingly important to the strategic objectives of most companies.

However, management realizes there is an inherent risk of using this technology and that audit committees are key to developing the necessary controls to address IT needs. This presents a new challenge to a significant number of committees – they don't have many IT auditors compared to the number of financial and operational auditors. As a result, many committees will need to staff up, train IT auditors or be forced to co-source the solution.

Regardless, security breaches, poor implementation and other unplanned events can pose serious financial risk to a company, so it's crucial IT is integrated into modern audit plans.

Globalization

Finally, globalization is also changing how companies are run. Regardless of whether companies operate on a global scale, the growth of countries such as Brazil, Russia, India and China can have a huge impact on business.

Political strife and financial transparency are two big risks that can affect any company reliant on foreign goods and services, regardless of whether they are close business partners with another country or simply source components from there. On-site visits can be leveraged as a means to help buoy audit programs and can further mitigate any risks.

The stakeholder meeting is a paramount part of the auditing process. Through these planned discussions, auditing committees can get a better grasp of company objectives, derive input from key stakeholders and set up their programs in more detail.

That being said, auditors need to know how to properly facilitate these meetings – by practicing these skills, committees will be able to get the most out of the discussions. A skilled facilitator will essentially guide other group members to share ideas, opinions, experiences and their various expertise in a way that enables assembly attendees to come up with a meaningful, effective and agreeable action plan.

Facilitation is important because it helps audit leaders streamline meetings. It reduces the level of burden placed on participants, enables higher levels of planning, thinking and participation and develops the relationship between upper management and the audit team. Moreover, facilitation helps auditors discover the wisdom of those involved – it encourages the combination of creative thinking and analytical reasoning, while ensuring a high level of commitment.

First, facilitators must understand why a meeting is being called and convey that reason to participants. Committees are effective means to make decisions, share information, plan necessary work and audit programs, help others understand certain processes, create buy-in and solve problems.

There is a certain flow to meetings – every get-together follows the same basic progression, starting with opening, where auditors make their case and note their strategies; moving to discussion, which enables key stakeholders to inject their input and insight; and finishing with the conclusion, where the audit committee develops a plan with upper management's direction in mind.

The ideal facilitator will balance their focus between three core functions throughout meetings: Results, or achieving a meaningful solution; relationships, or ensuring everyone feels involved; and process, following the correct steps to arrive at the conclusion. Every meeting should be outcome-based – there needs to be progress and a clear direction afterwards. At the same time, it's pivotal the facilitator is able to listen and observe the group, while preventing and managing conflict as it arises.

It's up to the facilitator to make everyone feel comfortable at meetings. If people don't feel at ease, they will be hesitant to contribute. Meeting leaders can break down these barriers by getting to know the participants, observing their body language to inform engagement tactics, thanking them when they contribute and ensuring? they understand what is being discussed.

A common trap that many audit committees fall into is not encouraging participation. An assembly serves little purpose if only a handful of attendees are actively contributing. There are a variety of techniques auditors can use to facilitate discussion – visual aids make complex concepts easier to digest and understand, encouraging silent members to speak up enhances comfortability in a non-combative way, dividing participants into smaller groups makes sharing ideas less intimidating and open-ended questions improve response rates.

No matter what, it's crucial that participants realize there is no definitive outcome to a meeting – risk management and audit programs are complex, and it's okay to agree to disagree. If there is dissension, facilitators can mitigate it by listening and observing. When someone disagrees, it's pivotal meeting leaders show their understanding by rephrasing responses, summarizing objections or writing them down.

Facilitating conversation is a core responsibility of moderators and group leaders, but it's also important that meetings are guided along a path. They shouldn't get stuck in the opening phase, or get bogged down in discussion. While straying from the agenda is acceptable – and often times, inevitable – facilitators need to keep things progressing forward. Remind participants of deadlines, review criteria, poll the group to come to conclusions and then review these decisions to ensure quality steps are being taken.

When it comes time to bring a meeting to conclusion, it's important facilitators follow the proper steps. The ideal conclusion should identify the next course of action, adjourn on a positive note and then evaluate the outcome of the meeting. Identifying the next step can be done by completing an action plan and updating progress calendars. Then, thank participants for their perseverance and hard work – this will ensure they feel like a valued part of the company. Finally, perform a group evaluation and debrief afterwards.

The key for successful audit meetings is always taking the positive, even when discussing serious changes that need to be made to the company. Look at strategies for prevention rather than intervention and view attendees as supporters, not adversaries.

Most audit committee meetings occur three or four times per year, generally before the end of a quarter so that auditors can update key stakeholders with recent developments and new risk assessments. However, this varies from company to company – some may opt to hold fewer meetings, while others may choose to have them more often. Frequency largely depends on the business conditions of the given company and what it is trying to achieve with its audit program.

Audit committee meetings are designed to address and evaluate internal control, risk management and other core duties and responsibilities. To that end, these formal meetings are frequently seen as being among the most crucial auditing activities. However, auditors shouldn't view them as their only opportunities to engage senior management – as KPMG explains, committees should maintain communication on a continual basis with people who are core to the company's governance.

The chairman of the audit committee should be responsible for the meeting's agenda and also needs to ensure that any and all supporting materials are ready for the ensuing discussion. All parties involved with the meeting should receive these materials well in advance, ensuring they are allowed adequate time to read, review and prepare.

Time is an important factor when planning a meeting. Everyone is busy trying to ensure a company runs at maximum capacity, but there is frequently a lot to discuss. The audit committee should be given the required amount of time to go over the topics they plan to bring up, and if this is impractical, they should schedule a meeting at a different time while discussing key issues informally in advance.

Depending on the time of year, different subjects could be discussed by the committee – it's crucial to address relevant topics in a timely fashion. For example, January or February is a good time to establish the number of meetings in the forthcoming year or the agendas and attendees required. On the other end of the spectrum, July and August are better times to review half-year financial statements or make recommendations based on evaluations.

With risk assessment, however, ROI can be more difficult to manage. Rather than assessing ROI by money earned, companies evaluate it by money saved. Risk management ROI is best described by analyst Elaine M. Hall as "the ratio of savings to cost that indicates the value of performing risk management."

This cost-benefit analysis makes up the core of risk management ROI. The cost of a successful program is the total expenditure of resources on various risk assessment and control programs. If a risk management process is spread over a variety of programs, then the ROI can be measured in time saved, with the savings stemming from the time, money and staff not spent on these programs.

Resources invested into risk management aren't necessarily exclusive to money, either, and that's an important distinction to make. Management meetings, the cost of reporting risk information, the necessary staff to develop and execute risk action plans – these are all finite company resources and need to be taken into account when trying to determine ROI.

While determining ROI for risk assessment is different than other business processes, the objective remains the same: To convey to project managers that an investment was well worth the time and resources it monopolized. Without ROI data for risk projects, senior managers would be forced to rely on program managers and their word. While deception would not be an issue for most companies, it's frequently difficult to assess something as complex as risk management using only perception.

In fact, ROI can actually build trust within a company. Trust will eventually erode over time. However, if audit committees can show their work has tangible benefits, then companies will be more likely to support their decisions. This is why ROI is so pivotal to both successful companies and audit plans.

"The business case for risk management is based on cost-benefit analysis. Cumulating the cost of risk management is a simple task. However, quantifying the benefit can be difficult due to uncertainty inherent in risk," Hall concludes.

The way internal audits are being conducted is changing. Many internal audit leaders currently use some variation of a control-focused approach. However, new market conditions are favoring the adoption of risk-centric mindsets and only by making the necessary adjustments can companies remain key players in the field of risk management.

In the coming years, there are five major trends that will impact internal audits: Globalization, or the pursuit of international growth; changes in internal audit roles in relation to the implementation of new technology; new priorities in risk management, such as the growing importance of risk identification; talent and organizational issues; and technological advancement. Taking these five things into account is crucial when developing a strong internal audit plan.

Developing an audit plan to mitigate today’s risks

The audit plan is crucial as a means to systematically analyze risk. Risk is defined as any variable event that would hinder a company’s ability to achieve its established business goals and objectives.

Auditors can start the risk assessment process by evaluating the risk universe, or all the potential events and threats that are applicable to an organization, regardless of probability or extent of impact. This assessment should stem across all business units, operations and processes. The auditor also must understand the company’s business model in relation to the industry of which it’s a part.

In the early stages of developing an audit plan, it’s paramount that those leading the project have open dialog with stakeholders to ensure they have an understanding of the audit universe, business goals and all the risk events that could impede the achievement of these objectives.

Once auditors have a clear view of the company, its end goals and the inherent risks, they need to begin to consider the likelihood of these risks occurring. This will help in the development of a risk profile, which should identify specific business units, processes and activities that present the highest risks to a company and should be easy to understand from the perspective of upper management.

For the first year of operations, it’s frequently difficult to create a meaningful and accurate internal audit plan – companies won’t have a baseline by which control activities can be evaluated. With that in mind, many auditors develop risk assessment and audit plans derived from inherent risk levels, noting global trends that may affect a company, such as political, technological, legal, national and economic climate changes.

There are also inherent internal risks that need to be accounted for. For example, changes in operating systems and policies, development and launch of new products and services, transitioning into new markets, management changes and expansion into foreign countries all present risks that could impact a company’s business goals.

After a company has been operating for some time, a baseline knowledge of internal controls will begin to develop, necessitating periodic risk assessment. These evaluations will determine how reliable and effective the controls are in mitigating the likelihood of risks occurring. Based on these assessments, risks could be reclassified to improve the effectiveness and impact of an internal control.

No control should be immune from evaluation, even key controls that are thought to be effective. What worked at one time may fall into obsolescence depending on how both internal and external conditions have changed over the course of operation. Testing these key controls ensures they are still doing their job and is crucial to establishing an effective audit plan.

“The results of this risk-assessment process will enable you to develop alternative internal audit plans to address a variety of risks across your organization,” the PwC research explains. “An effective audit plan provides a systematic means to assign risks into high, moderate and low categories.”

After assessing risks, audit leaders need to work with the associated committee and senior management to establish a hierarchy of organizational risks. This will help them determine the skill sets needed to address these high-priority risks and better meet the needs of relevant stakeholders.

“Care must be taken to avoid a misalignment between the technical competencies necessary to execute the audit plan and the skill sets resident in the new function. Remember – audit to the risk, not just to available skill sets,” PwC urges.

Developing an audit plan is only a start – audit leaders need to focus on tactical execution as well. Establish current and multi-year budgets that will provide sufficient resources for internal auditors to deliver the audit plan. Launch fieldwork as soon as possible to begin conducting audits, rather than waiting to staff up or develop infrastructure. Revisit stakeholder value drivers and assess necessary skill sets. Acquire infrastructure, methodology and technologies that improve the efficiency and consistency of the audit process. Establish communication protocols to improve dialog between executive management and internal audit functions. Finally, be sure to measure and demonstrate results to relevant stakeholders.

An audit plan is only as good as those carrying it out, so it’s crucial that auditors follow through on their promises to the company.

As a recent report from PricewaterhouseCoopers notes, the Asia Pacific region is being forced to develop more mature auditing practices as it begins to globalize and deal with more companies in the United States and Europe.

Many Asia Pacific companies operate on a 20th-century internal audit model that takes a controls-focused approach. However, the value of this plan will diminish given conditions of the global economy, and companies based out of the region will have two options: Continue leveraging these models and risk obsolescence or adopt a risk-centric approach and create a new value proposition.

However, internal auditors are faced with several key challenges as they look to strengthen their practices. For example, a number of companies have a weak internal audit function that exists solely to perform low-value activities, such as watching bank reconciliations or double-checking expense reports. Others face cultural challenges, such as the bad habit of watering down reports to avoid upsetting or embarrassing their companies.

Mindsets in the region are slowly changing, though. A full 68 percent of respondents to PwC’s research believe the role of the chief audit executive will increase over the next five years, enabling companies to rise to and overcome these obstacles. In the United States, only 10 percent of respondents said the same, illustrating the commitment to change.

Notable differences exist in trends affecting internal audits between the Western world and Asia Pacific. While auditors from both regions do agree that risk management, corporate governance and ethics and compliance are core focuses, 60 percent of American auditors believe technology will be an important topic. On the other hand, 62 percent and 52 percent of Asia Pacific businesses believe new regulations and globalization will be crucial trends to observe, respectively.

China Briefing was similarly quick to note that many Asian companies are criticized for only meeting compliance regulations and standards. In response, many of these countries – such as China – are in the process of developing a tighter regulatory framework that will force auditing practices to mature.

Different personalities are crucial to making the right assessments

The act of decision making can defined as choosing one alternative over all the others. This process implies there are multiple ways to accomplish a goal, and that one of these options was chosen because it is the most viable method of achieving success. However, a person’s own values, desires and lifestyle all color their decision-making capabilities, which can radically affect how a company chooses the right alternative.

The key is picking personalities that will fit together in a way that makes for the best decision-making process in the boardroom. Companies rely on these executives to chart the best path, but this course of action will differ based on the thought process of the specific executive – both for better and for worse. There is no ideal way of determining which threats are going to have the biggest impact on a company or which strategies will allow businesses to successfully avoid them. There are frequently multiple solutions to the same problem, and different people will have better answers depending on the scenario.

For example, people with low risk aversion – those who are more apt to be innovative and adventurous – may provide better solutions when a company is financially sound. On the other hand, executives with high risk aversion – people who are more worried about committing errors – may be better situated for making decisions when money and resources are tight.

Scholars have devised a number of decision-making models that detail these different thought processes. Executives who make decisions by realizing a problem, establishing and evaluating a plan, devising and implementing alternatives and then monitoring their progress fall under the rational planning model. This model is a multi-step process that aims to implement policies that will follow a logical path from problem identification to solution. The aim is to clearly recognize an issue through a group-based decision, develop multiple solutions to this problem and enact the one that perceivably leads to the best results.

The rational model succeeds by accounting for every possible variable and assumption, and in order to work, needs people with considerable knowledge of their field. There are other potential drawbacks to this decision-making model as well – for example, it requires a great deal of time to observe all the different solutions.

On the other hand, there is the behavioral or administrative decision-making model. Sometimes, executives can arrive at the correct solution with little regard for logic – they make choices based on instinct. This model assumes that managers have incomplete or imperfect information on a given scenario, are confident in their unconscious reflexes and habits, realize they have limits to how rational they can be and tend to choose the first applicable solution.

A company that is almost wholly aggressive and forward-thinking may not consider risk identification and could end up breaking compliance standards or not seeing a threat that may have been obvious with a conservative thinker. Conversely, a company consisting of entirely analytical personality types might not be able to see the benefits of taking alternative and innovative approaches.

Businesses need to accept that people – particularly executives and leaders – will not always agree with each others' strategies and solutions. Managers should be able to appreciate that each person tackles issues with their own strategies and embrace others for their unique strengths.

The chemistry between CEOs and CFOs

The dynamic between CEOs and CFOs is perhaps the most important within a company. These two positions hold a tremendous amount of power within a corporation, which is why it's pivotal that they complement each other's strengths and weaknesses.

Recent research from Deloitte notes there are four primary personality types among CEOs and CFOs: Guardian, one who tends to be meticulous and detail-oriented; Driver, one who is frequently competitive, determined and decisive; Pioneer, an individual that is creative and adventurous; and Integrator, someone who is diplomatic and considers all implications.

According to the research, approximately half of CFOs now perceive themselves as being Drivers. Meanwhile, approximately one-third (30 percent) said they consider themselves Guardians, 11 percent are Integrators and 10 percent are Pioneers. When asked to describe their CEO counterparts, 34 percent said they were Drivers, 33 percent said Pioneers, 22 percent said Guardians and 11 percent said Integrators.

Different personality types complement decision making in various ways, and the relationship between the CEO and CFO benefits when certain personality pairings come to fruition. However, there are specific pairings that occurred more often than not, which Deloitte did not expect. For example, CEO Pioneer/CFO Driver was the most common, although the company anticipated CEO Driver/CFO Driver, CEO Guardian/CFO Driver and CEO Driver/CFO Guardian to be just as popular.

"The data suggests under prevailing business conditions having a Driver in the relationship is important. Nearly three-fourths of all observed CEO/CFO pairings involved at least one Driver – an interesting finding given that only 42 percent of these executives are drivers," the Deloitte report notes. "It may be that Drivers are the most versatile when it comes to amicable pairings – pairing relatively well with all styles including their own or Drivers are just essential to drive execution as part of the CEO-CFO pairing."

Given the current economic conditions and the huge number of standards that businesses are being forced to comply with, the decision-making process has become more difficult than ever before. However, it's also crucial that corporations make the right decisions, and to do that, they need a good pairing of different personalities in the boardroom and throughout the company.

The Finance Commission wants to ensure that taxpayers' money is being maximized through the service. Swan Boats has reported an average gross income of $460,000 annually over the past three years, with $20,000 going to the city, CBS Local reports.

Matthew Cahill, executive director of the Finance Commission, notes that while the vendor has shared some information, he wants more details about operating costs before renewing the contract.

"The Parks Department informed us that, though the vendor has provided some figures, they have not provided a full audit nor does the Parks Department have the time to personally undertake the task. This is unacceptable," Cahill said in a letter to the mayor.

Cahill noted that he does not have an issue with Swan Boats, but rather the way the Parks Department has handled the contract in the past.

For many cities, finances have been tight, and by conducting regular audits, they are better able to manage their funds.

Citing a report from the Corporate Executive Board, he noted that in cases of 50 percent declines in market capitalization in a single year, 80 percent of these decreases were tied to strategic and operational risks. No company wants to lose that much value over the course of the year, and ERM can help mitigate those threats and prevent these losses.

"ERM is a continuous process that seeks to identify, analyze, mitigate and monitor potential events that create uncertainty to the achievement of a company’s objectives. An effective, integrated ERM program can help an organization identify and take action on risks that may be affecting the achievement of its core strategic objectives," Flom explained.

A proper risk management program needs to take a number of threats into account, from cyber security to manpower concerns.

Risk-based security technology will enable businesses and IT managers to better understand what's going on in their work environment and define possible threats in advance. An effective solution allows organizations to respond in real-time to potentially damaging cyber threats and prioritize what needs to be fixed.

Arthur Coviello, executive chairman of RSA, noted that cyber threats are always changing, which emphasizes the importance of up-to-date risk assessments.

"The types of attacks have also changed, as last year was the first time there were so many 'steppingstone' attacks," said Coviello, referring to incidents where an organization was breached to steal information that could be used to launch a more complex and potentially more rewarding attack.

Only approximately 24 percent of risk identification funds go to identifying non-financial risks, according to new research from Celent.

Companies need to carefully manage their money as they emerge from the economic recession, and they can't devote all their resources. Therefore, executives are prioritizing on the threats they think will have the greatest impact on their business: financial risks. Nearly two-thirds of investments (65 percent) will go to financial risk management (market, credit, counterparty risk) whereas only 24 percent will go to nonfinancial risk (crime, fraud, collateral management, compliance).

"Despite hard-pressed investment conditions, risk and regulatory delivery programs are expected to receive sustained spending due to the mandatory drivers to 'fix a broken financial system,' and to sharpen systemic risk management at firm and industry levels," says Cubillas Ding, research director at Celent and author of the report.

The sheer number of new regulations, however, suggests companies may want to pay at least some heed to nonfinancial risk.

There are several risks financial institutions need to consider, according the news source, ranging from a strong dollar, weak capital markets and regulatory pressures. Designing a risk management approach RMA that can help banks understand what it means if parts of their portfolio are impacted by the situation in Europe is crucial.

"A frequent refrain of RMA is that the foundation for strong enterprise risk management is the institution's risk appetite. Having a well-defined risk appetite that is understood by everyone in the organization is a crucial risk management practice that will help mitigate your risk from this or any other crisis," American Banker adds.

Regulatory issues such as FATCA may further complicate things for domestic bankers.

The former employee used her MATC credit card for a variety of purchases unrelated to her job, including a car, a wedding trip, multiple computers, home furnishings and other personal items totaling more than $250,000. James Williams, the organization's vice president of finance, first arrived at MATC in July 2010 and was shocked an audit hadn't been conducted in nearly a decade, which led to the review.

Williams decided the procurement department would be ideal for the first audit, the Milwaukee Journal Sentinel Online reported.

"There were reasons to focus in on that area," Williams said, declining to elaborate, although he did note that he wasn't suspecting any fraud. "She abused her position."

Financial fraud isn't the only thing audits can help schools detect – for example, several New York schools were recently discovered to be graduating unqualified students.

Less than one-third of respondents observe the basic responsibilities of cyber governance, ZDNet reports. For example, a slim 23 percent regularly review top-level privacy policies and IT security risks. Meanwhile, only 28 percent said they review and approve budgets for programs that would support IT security and privacy.

Chief information officers and chief security officers say it's a matter of stressing the importance of cyber programs to higher-ups. Many explained it's difficult to get the necessary attention for these policies and as a result, they are working with less-than-adequate budgets.

"There is hence a gap because boards and senior executives still don't understand that privacy and IT risks are part of enterprise risk management," noted Jody Westby, CEO of global risk and an adjunct distinguished fellow at Carnegie Mellon CyLab.

The World Wide Web has expedited the pace of the global business climate, so it's crucial that companies update their risk management policies to deal with these new threats.

This is where the internal auditor and risk professional come into play. They need to provide corporations with a map that will not only help plot a course of action, but also one that accounts for all the various contingencies they may face. This is especially crucial in 2012, as business conditions are growing even more turbulent and uncontrollable due to increased regulations and financial instability.

"[Internal auditors] help ensure that business leaders understand the risks and uncertainties, have sufficient business insight and intelligence and are backed up by solid organizations, processes and people," the Institute of Internal Auditors recently noted.

Keeping to the soldier analogy, it's also crucial that risk professionals are armed with up-to-date weaponry. Better internal audit software can make their job that much easier.

However, the source also suggests companies not focus on the minutiae, which may not add a lot of value to ERM programs.

"Focus on risks through a risk assessment process based on sound principles – looking at risks in terms of the 'velocity' of their impact, the persistence of their effects and the organization's readiness to deal with the risk, among other things – and be sure to involve all stakeholders," Business Insurance adds.

Companies should be sure to revisit the corporate environment frequently to determine if subtle changes are impacting how they do business.

Many corporations believe ERM is at a turning point. Business Finance magazine recently noted that many board and senior executives believe ERM is important and are demanding more information about their risk management policies. They want to avoid situations that could jeopardize companies as they recover from the economic recession and view ERM as crucial to achieving that goal.

Gotham Schools reports that the department's internal auditor found 60 high schools with peculiar graduation rates. While nearly 10,000 students graduated in 2010, approximately 300 did not have the grades or credits necessary to acquire their diplomas.

For example, Landmark High School had 35 students that graduated without the necessary credits. Pablo Neruda Academy had similar figures.

"Students who graduated without sufficient credits won't have their diplomas revoked," the news source notes. "And schools won't have their graduation rates revised to reflect the audited numbers, either, except potentially where the city found schools had purged students from their rolls without confirming that they had enrolled elsewhere."

In education systems, internal audit software can be used for other purposes as well. For example, Vermont schools recently discovered more than $400,000 missing after a recent audit.

Most recently, Black Castle Development Holdings acquired A-Shine, a company Black Castle thinks will eventually be an industry leader in the glass-polishing industry. With that in the bag, Black Castle is performing an internal audit and filing Form 10, which will assist the firm on its way to becoming a fully reporting company.

To expedite the process, Black Castle CEO Jeff Holroyd said the company hired a public accounting firm as well.

"We firmly believe that our shareholders need to see our company from the inside out. Audited financials are the best way for our investors to make (sound) financial decisions to invest in the company," Holroyd explained.

Many shareholders, burned by the economic recession, are looking for greater transparency in the companies they invest in, which has led a number of businesses to adopt new policies.

At its annual shareholder meeting, the Cupertino, California-based company's chief executive officer Tim Cook told investors it would adopt a new policy that dictates a majority of shareholders are needed to elect new directors. Cook also said the company would look for new ways to invest its money, a response to shareholder complaints that Apple held on to too much cash, Bloomberg Businessweek reports.

"This is setting the stage for a much more open dialogue with investors," Anne Simpson, head of corporate governance for the California Public Employees' Retirement System, told the news source. "Apple is entering a new phase. Rethinking capital distribution, its global footprint and corporate governance is something 10 years ago that it wouldn't have had to consider."

Many companies previously thought the investment in governance, risk and compliance (GRC) software wasn't worth the value they got out of it. However, shareholders are increasingly demanding transparency from companies, making corporate governance a greater priority.

A suspected wire transfer fraud at the Washington South Supervisory Union last fall kicked off the investigation. The ensuing audit discovered 25 cases of embezzlement, four of which exceeded $40,000 while two rose above $100,000. At the close of the review, 16 thefts were reported and seven have resulted in criminal cases.

"For a small state, the frequency of incidents involving fraud, embezzlement or theft in our schools is alarming," Tom Salmon, the state's auditor, told the news source. "While it is a credit to many of our school systems that they have reported no known instances of theft, it is clear that glaring weaknesses in controls over cash, accountability and security continue in many others."

Committees using internal audit software can uncover such scandals and deficiencies. For example, Kennesaw State University in Georgia discovered inefficiencies with its K-Cash program through an audit.

The airline already cut routes and is redeploying aircraft in an effort to make better use of its limited capital. Efficiency is at the core of Air Mauritius' cost-cutting efforts, and the airline may release 500 staff members to further streamline operations.

"The number of employees per seat is one to one," which is twice the ratio of larger airlines, Air Mauritius vice president Donald Payen told the news source. "We must interpret these figures with caution as large airlines have economies of scale which we don't have. Our manpower audit will tell us what relates to scale and what does not."

Air Mauritius announced losses of approximately $28 million last year, which encouraged the company to revise its operational policies. The company hopes to return to profit by March 2014.

Pinnacle Airlines, another major travel provider, was recently criticized for its approach to restructuring after it cut employee wages but continued to pay executives high bonuses.

Sessions throughout the day will focus on the following 3 key User Group objectives:

1. Product Feedback

We’ll introduce the upcoming features and functionality for each of our products.  As well, you’ll hear firsthand from each of the Product Owners what their vision is for the Product. This will also include a forum for clients and users to provide feedback on the existing product and help prioritize and suggest upcoming features.

2. Shared Client Experiences

We want to enable our clients to share their experiences and uses of BPS Resolver products so that you can achieve the greatest ROI on your products. Hopefully, you’ll learn new tricks and best practices from others just like you. 

3. Education

We’ll provide best practice insights from experts in the GRC industry.

To register to attend, please fill out the form below:

 Please Note: All fields must be completed to register.  Each attendee must register individually.

The 2012 Eastern User Group is now full! We are no longer accepting additional registrants.

Please note that we will be hosting a Western BPS Resolver User Group in Q3, 2012 for those that cannot make the trip to Toronto. 

If you would like to share your experiences at a future user group or have a suggestion for an educational topic that would be pertinent, please let us know and we’d be happy to evaluate it for a future user group! 

Treasurer Arsene Letourneau was quick to tell the Press Republican that no money was missing from village coffers and that for grant-funded community development projects, the Rouses Point needs to spend its own money first. The grants come later, which may explain some of the missing budget. As Letourneau noted, some projects can take six or seven years to complete.

"We borrowed money from (our) one checking account with all the funds in it, and I just used that," Letourneau told the news source. As many as 13 different community projects were taking place during the time of the audit, he added.

When it comes to streamlining operations and maximizing efficiency, internal audits can help identify poor and redundant procedures. Having up-to-date internal audit software is crucial to that goal.

"It's critical to identify and mitigate risk in energy companies," Jody Allred, advisory services partner at Weaver, told Smart Business Online. "But auditors also have the ability to offer objective advice, create operating efficiencies and resolve myriad issues, if they’re empowered to execute that charter." 

As Allred explains, preventing loss is important to any company. However, in the energy industry, it can mean the difference between success and failure as companies require substantial capital investment. For example, an energy company requires approximately 10 to 12 times the capital investment of similar size companies in other industries, he asserts.

To that end, enterprise risk management software can help make a difficult task such as threat analysis easier to accomplish.

As the Institute of Internal Auditors recently noted, there are two sure-fire ways of measuring the effects of a successful audit. First, a successful report will frequently lead to a committee being asked to brief the members on the last report. Chief audit executives frequently attend these meetings, but if the whole team is invited, that generally means the report discovered something noteworthy.

Second, an audit is sure to be a success if it discovers a major flaw or unrecognized risk.

"When an internal audit unearths a serious problem or stops a major problem from occurring, you know you have made a difference," the news source adds. "Addressing a serious risk might not enhance revenues, but on occasion, an internal audit recommendation can even save a life – and an internal audit that does this is an automatic home run in any book."

Internal audits will frequently discover a number of ways for organizations to make more money. For example, the New York Racing Association recently discovered sloppy internal practices were costing millions of dollars in revenue.

Several experts within the industry agree with the report, noting that ERM is at a "turning point." A seminar, featuring ERM professionals from Deloitte and SAP, will note which activities drive ERM value given the new uses for the process and identify the killer risks every company needs to look out for.

"Enterprise risk management may be at a turning point. Many studies show that Boards and senior executives believe it is important and want more information about risk management generally," Business Finance magazine reports. "Other studies show an expectation gap;  stakeholders are not satisfied with progress to date and with the results of existing ERM initiatives. Something has to give."

The key to successful and sustainable ERM is deciding upon which areas to focus resources and implementation strategy.

The audit covered the time period between May and October 2011, the Davidson County Dispatch reports. The objective of the audit was to gather and evaluate any evidence about how the Davidson County Clerk complied with laws, regulations and policies and the extent to which assets and resources were being allocated.

"I welcomed the Notice of Audit, as it gives us the opportunity to be reassured that we are operating within the law and guidelines set out by the Legislature and the Administrative Office of the Courts," the clerk of superior court Brian Shipwash said. "I am very proud of my staff that excels in their knowledge … every day to ensure we remain in full compliance as we serve the citizens of Davidson County."

Of course, internal audits don't always turn out well. For example, a recent West Palm Beach audit discovered so much corruption that an audit committee member quit.

Executives previously did not believe risk management was a strategic necessity that could be used to identify threats to financial performance. However, this is no longer the case, with the study suggesting the top performing companies were using ERM for precisely this purpose and leveraging solutions to enhance and embed risk strategy.

"Moving an organization from being risk-averse to risk-ready requires executives who lead by example and tone-from-the-top support. For maximum benefit, regular and open communication with all stakeholders, third-party assurance and the leveraging of technology are required," the report notes.

The key is knowing which tools can be leveraged in which situations. The savvy company will get the maximum use out of its software solutions, using the right program to solve the correct problem.

According to the news source, enterprise risk management software could be the answer. Better risk management technology and policies in areas that have too many controls can help prioritize threats based on their likelihood and impact. This will help calibrate ERM framework to better focus on critical risks while improving cost efficiency.

"ERM is a practical approach to allow managers to perform their duties more effectively and efficiently. It is premised on first establishing how much risk an organization is willing to accept – the risk appetite. That's followed by devising a strategy to strike a balance between the costs and benefits of processes within the risk appetite," the Federal Times notes.

For example, a recent Defense Department testimony suggests travel policies were virtually unusable because there are more than 2,000 pages of documentation regulating how travel should be handled.

ERM software puts all risk management activities into a single place, helping companies better organize the complex and time-consuming threat assessment process. Likewise, ERM software makes risk management easier to digest by rolling up different data points into intuitive spreadsheets and reporting tools.

"Spreadsheets, by nature, can only manage risk from a historical perspective…" the news source adds. "ERM software provides the structure to prioritize and manage risk from a historical and forward looking perspective with capabilities to identify emerging and systemic risks and track trends over time."

Shareholders are looking to make sound investments, and by that note, a company that practices better risk identification will be a more attractive buy. For this reason, many organizations have begun to make risk management a part of their corporate culture from the ground up.

A slew of questions in regards to Mayor Greg Davis' spending habits have led aldermen to question how funds are being used. Alderman Ricky Jobes plans to create a committee to facilitate the audit, he announced on Tuesday night after more than 200 citizens demanded accountability from Davis, the Commercial Appeal reports.

"The internal audit will take it one step deeper than our annual external audit," Alderman Ronnie Hale said, as quoted by the news source. "We want to see if there is room for improvement in the city departments and maybe some changes that can be made to save the city money."

Jobes will turn to the state and other officials to help further expedite the review process.

Sometimes internal audits can help cities discover where funds are being misappropriated or not being maximized. For example, a recent audit of Waukesha County Clerk's offices in Wisconsin found more than $27,000 worth of dog licenses weren't being collected.

The research, compiled by IMD business school, suggests that voluntarily adopting transparent and compliant corporate governance procedures can lead to better market prices. New regulations are being designed to prevent further economic breakdowns, and investors are looking for companies that want to comply with these regulations to ensure future profits.

"It's generally assumed good governance has to be imposed or recommended from the outside because the costs are greater than the benefits," professor Artura Bris, an author of the study, noted. "Our study demonstrates this isn't necessarily the case – in fact, the voluntary adoption is rewarded almost immediately by the markets."

Still, some companies aren't inclined to practice these policies. For example, Facebook has been criticized as of late for its proposed corporate governance policies. A number of industry analysts and investment firms say founder Mark Zuckerberg will retain too much control of the company after the IPO.

The review came up with nine different recommendations to help the county improve the way internal operations are conducted. Waukesha County Clerk Kath Nickoloaus, who runs the office, has been under fire for other reasons and the new audit likely won't win her any additional favors, the Waukesha Patch reports.

"Internal Audit has discussed the findings and recommendations with the Waukesha County Clerk's Office management and they are generally in agreement with the findings and recommendations," the source quotes a memo from Lori Schubert, internal audit manager for the county, as saying. "Management's responses to each recommendation are incorporated into the body of this report."

Proper and regular use of internal audit software is key to helping organizations – regardless of whether they are governmental or commercial – identify poor policies in advance.

Moreover, risk has an impact across all levels of a company. For example, board members shape strategy and risk decisions, executive management influences how their teams evaluate and treat risks and risk practitioners are behind core management programs.

"The presentation of risk or 'framing' leads to biases which are powerful, even amongst technical experts. Risk descriptions phrased in positive language lead to an underestimation of risk. Perception of risk is often not economically rational; and those managing risks should be aware of this," Marks notes, citing a report from Lloyd's.

Many risk analysts believe that corporations need to reevaluate their threat assessment policies. While some companies previously thought risk management was a needless expense, it has grown increasingly more important over the past few years, especially the new regulations many industries are facing.

OCTA internal auditor Jane Sutter stated in her report that state workers are only allowed to utilize computers that are provided by their agencies due to security risks. The contractors who purchased laptops already had desktops in their field offices so the transaction should not have been approved.

"In addition, Athalye [Consulting Engineering Services of Lake Forest] purchased a desktop computer for the OCTA project manager's use in the field office. Final ownership of this equipment is unclear and the agreement does not indicate disposition of furniture, computers and equipment," Voice of OC reports, citing the audit.

Cities frequently use internal audit software to discover misappropriations of funds, but they don't always come up with negative results. Several cities have found their spending strategies are on pace with projections through internal reviews.

Speaking to the Business Standard, Kapur notes that many companies are striving to be more transparent in their actions in an effort to win back investor trust and to comply with new regulatory standards set by government bodies. However, some firms have traditionally viewed risk management as being an unnecessary cost, which needs to change to accomplish modern business goals.

"Enterprise risk management (ERM) systems will soon become the norm for most companies," he told the news source. "ERM systems can help companies by providing an enterprise wide view of risk, improving information for decision making, reducing unwanted and costly surprises, rationalizing the cost of risk management and contributing to long term value creation and protection."

This is particularly the case for financial institutions, with risk expert Michael Cohn suggesting that small banks and other FIs integrate new policies relating to risk identification from the bottom up.

CLICK HERE to view the  GRC Cloud 6.0 Release Webinar

CLICK HERE to view the GRC Cloud 6.0 Release Webinar slide deck.

CLICK HERE to view the GRC Cloud 6.0 Release Notes.

CLICK HERE to view the GRC Cloud Workflow Overview presentation.

GRC Cloud 6 introduces a new way for people to work together on your GRC program. The new configurable workflow engine enables you to completely and efficiently manage your Risk and Compliance processes.

Keeping track of the status of all work within your GRC programs through enhanced reporting. By introducing automated workflows to your GRC Cloud site you can solve many issues that trouble GRC professionals.

• Ensuring people know the work they are responsible to complete—and their deadlines—with automated messaging and outstanding task views.
• Achieving greater enterprise-wide buy-in by simplifying tasks and reducing training and oversight requirements.
• Ensuring people in the program follow the correct business processes
• Ensuring the proper hand offs happen at the right time.

GRC Cloud’s workflow builder enables you to build business processes where information is entered by different people in a pre-defined sequence. Each person’s view of the item is tailored to provide just the information they need at that time to complete their task. As each task is completed the next person in the workflow is alerted by e-mail they have work to do. The home page dashboard also advises each user of their current tasks. Other managers who need to know an item’s status can also receive customized alerts.

CLICK HERE to view the  GRC Cloud 6.0 Release Webinar

CLICK HERE to view the GRC Cloud 6.0 Release Webinar slide deck.

CLICK HERE to view the GRC Cloud 6.0 Release Notes.

CLICK HERE to view the GRC Cloud Workflow Overview presentation.

Drawing on his experience advising banks and credit unions, Cohn offered some advice for integrating better risk management strategies, explaining that robust programs enable businesses to become stronger and improve their bottom lines.

"Adopting and practicing ERM is a requirement today for community-based financial institutions that want to remain viable," says Cohn. "Practicing enterprise risk management, especially when structured in a bottom-up approach, will change the DNA of an institution in a positive way and make it more successful today and into the future."

Several new regulations have been passed that affect financial institutions. For that reason, risk management has become even more crucial over the past few years.

The college suspended two employees at the Prince Philip Drive campus daycare center at St. John after an internal audit discovered financial problems at the organization. The two workers were previously on suspension while the investigation unfolded; they have now been fired and police were called to settle the matter.

"At this point we felt that there is enough evidence from the … audit to move from suspension to termination," John Hutchings, CNA's vice-president of finance and administration, told the news source.

"College of the North Atlantic is committed as an effective steward of public and, in this case, parental funds," Hutchings added.

Officials from the school were quick to note the matter was strictly financial and had no bearing on the quality of programming or services offered by the daycare center.

Regular reviews and effective use of internal audit software can help companies avoid financial losses due to malicious employees – a threat many analysts believe is growing due to the rough economic climate.

However, the review did suggest the government agency let its lack of expertise in environmental issues get in the way of planning. The audit criticized the State Department for not considering alternate routes for the Alberta-to-Texas pipeline. The project, which was started back in 2008, has progressed slowly because the agency hasn't been open to receiving help from other more experienced organizations.

"The new report on the environmental review process was issued by the State Department Inspector General's office, and conducted at the request of several members of Congress," the news source notes. "The Inspector General's report punctured arguments by long-time critics that the State Department’s review was tilted in favor of TransCanada, and that its staff built cozy relationships with TransCanada lobbyists."

The Keystone XL pipeline is a transportation system designed to shift oil from sands in northeastern Alberta, Canada, to a variety of destinations in the United States, including Texas, Oklahoma and Illinois.

FACTA was originally signed to help American tax authorities monitor foreign financial accounts held by American taxpayers. The Internal Revenue Service would withhold a 30 percent tax on U.S. sources of income if FFIs didn't comply with the act, Tax News notes. However, compliance meant some FFIs would have to pay up to $100 million.

New draft regulations were recently put in place to ease the apprehensiveness, but some critics are skeptical.

"FATCA will still cost the industry much more than it is likely to raise for the IRS. Plus, the introduction of bilateral FATCA agreements between countries will add more complexity into the mix for the biggest global financial institutions. The bottom line is FATCA continues to present a major challenge to the industry at a difficult time …" Adrian Harkin, global FATCA leader at KPMG, told the news source.

Domestic banks have faced similar hardships as the federal government looks to avoid scenarios that would lead to another economic collapse.

First, auditors should consider sharing the reports as they are in progress. Most of the push back from internal audits comes from the shock of seeing the full review at once. Regular communications and sharing different drafts can help generate a more positive reaction, regardless of the results.

The organization also recommends eliminating multiple levels of review.

"Multiple levels of review within the internal audit department are often a major contributor to delays in audit reporting. Streamlining the review process and reducing the number of reviewers can be very effective in speeding up the reporting process," the IIA suggests.

Lengthy audit processes can send the wrong impression to corporations and stockholders, leading to feelings of distrust. For that reason, it's paramount that auditors keep the lines of communication open and continue to work with companies through the review process.

The Risk and Insurance Management Society recent named some key considerations to the growing threat of data risk. First, data risks may have any number of implications to corporations' risk identification strategies. Second, unifying internal functions can create efficiencies and protect findings. Third, managing data well gives companies an advantage over competitors that do not.

Data theft is a very real threat, with RIMS noting a recent Symantec report "which finds that the average organizational cost of a data breach was $7.2 million, or $214 per compromised record."

Companies still trying to rebound from the economic recession can't afford to gamble on data risk and should be sure to update their risk assessment policies to accommodate these threats.

The scathing internal audit cites bureaucracy, insufficient cost controls and a lack of consistent leadership among other faults. At the core of the matter is the Ground Zero rebuilding project which has run significantly over budget. The review urges the Port Authority to change compensation, overtime controls and health insurance contributions.

"This record of historic failure must be reversed," Governor Andrew Cuomo said in a statement. "Steps have already been taken in the last two years, but much more must be done to restore the Port Authority to a responsible, highly transparent, well-managed organization focused on its core mission of maintaining … shared transportation infrastructure."

The audit was commissioned by the Port Authority last summer after the Hudson River tolls were hiked to generate more revenue and illustrates the need of internal audit software to prevent such issues.

Several media outlets have criticized the slow development of the Ground Zero rebuilding project, specifically the lack of any fixed completion dates.

How are risk managers in the energy market expected to identify these threats before they manifest themselves? This is a question that many companies are asking themselves, according to Risk.net. The scale of unrest in some of the biggest energy-producing companies will continue to climb and make this issue even more prominent in the future.

"Geopolitics has long exerted an influence on oil and gas prices due to the fact that physical production is often located in politically unstable countries," the news source suggests. "But the scale of the instability in recent years has been the key factor in pushing it to the forefront of risks companies need to address."

Moreover, American energy companies must also deal with the Dodd-Frank Act, which added another layer of compliance issues to their risk management procedures.

Courion's survey found the top risks included potential loss of sensitive data, blows to corporate reputation, theft of intellectual property and revenue gaps. However, it noted that while many IT managers were quick to point out security holes, few were being proactive in preventing them – only 12 percent bothered to do regular risk reviews.

"They’re not focused on identifying new or growing areas of access risk from internal users abusing privileges. With internal and external threats to data multiplying quickly, such infrequent reviews aren’t keeping pace with the growth of user access risk levels," the survey suggests.

The research highlights a critical mistake that many corporations suffer: not creating a risk-aware culture. Every section of a business needs to do its fair share of risk prevention to truly enjoy success.

Auditors need a strong control environment that is confident in the recommendations made. Management needs to be comfortable in admitting that everything may not be optimal in the way the company is currently run. Moreover, the board and top executives must also be able to make their expectations known for those conducting the reviews.

"The value of the internal audit activity is in its ability to provide objective assurance and insight on the effectiveness and efficiency of governance, risk management and internal control processes," IIARF vice president Margie Bastolla explained.

Perhaps above all, however, is the importance of having a team of competent auditors to begin with. To maximize insight, businesses need to employ updated internal audit software and have a team of workers that have the technical wherewithal to complete their job.

Impending financial crises and banks' risk strategies in response to them were the subject of conversation at the recent GCC Risk Management Symposium, held in Doha, Qatar. Several banks reported large numbers of non-performing loans, which put them in a vulnerable situation. In this situation, prevention is better than a cure, and well-planned risk management strategies are the solution.

"Apart from the demands of regulators, recent experience should also be a catalyst for helping banks appreciate the business benefits of putting in place a better infrastructure that will enable them to manage enterprise risk more effectively," Charles Stewart, senior director of Moody's Analytics, told attendees of the conference.

Several federal policies, such as the Dodd-Frank act, were also put in place to prevent future meltdowns. However, this also raises several compliance issues for financial institutions.

As The Wall Street Journal reports, Northwest & Ethical Investments – RIM's top shareholder – urged the mobile company to review its policies last year. The publication found that the unusual management structure may be to blame for some of the corporation's recent failures and suggests they split the roles.

"While the Committee is comfortable that our lead director has performed the appropriate governance functions expected of that position up to the present, the Committee recommends that RIM should separate the roles of chair and CEO and amend the board mandate accordingly," the Journal quotes the review as saying.

Of course, the report is largely moot as co-CEOs Jim Balsillie and Mike Lazaridis stepped down anyways at the end of January due to the recent struggles of the company. Many critics agree that stricter corporate governance could have prevented RIM's recent fall from grace.

The nine-page audit was released to the Missouri News-Leader last week, and discovered the band program's practices and procedures were not followed properly in regards to the fall 2010 and spring 2011 terms. While no funds were missing, there were a number of areas where the organization lost out on opportunities.

"In 2010-2011, the program failed to charge all members of the Pride Marching Band the band activities fees of $335. The fees… cover the cost of the band camp, including housing, meals, clothing and travel," the source notes. "If correctly assessed, the fees would have raised $93,600. Instead, the university collected $88,240."

For educational institutions, improper procedures can cost thousands of dollars. For example, a recent audit of Georgia-based Kennesaw State University found weak protocols cost the university nearly $70,000.

According to the Committee of Sponsoring Organizations of the Treadway Commission – a group of five private sector companies aimed to provide leadership guidance – corporations must consider its risk appetite while it decides which goals to pursue. This is a three step process, which involves developing risk appetite, communicating it and then monitoring and updating it, the COSO report notes.

"As an organization decides on its objectives and its approach to achieving strategic goals, it should consider the risks involved, and its appetite for such risks, as a basis
for making those important decisions," the committee suggests.

To that end, it may be worth the time to reconsider risk management programs. The start of a new year presents new challenges, and more efficient risk assessment software can help better identify potential issues in advance.

Financial stress, operation change in organizations and the ever-looming threat of a double-dip recession may change how some people perceive their employers and jobs, making them more likely to engage in fraudulent behaviors. This translates into major risks for financial institutions, KPMG suggests

"It's highly likely that fraud, especially the internal threat, is going to continue to increase as economic pressures increase over the coming year," Hitesh Patel, a partner at KPMG, told the news source. "The possibility of a double-dip recession is likely to put further strain on households, driving more people to turn to fraud … to make ends meet."

With many companies just now beginning to recover from the 2008 recession, it's crucial they monitor internal activities. Fraud could further damage their relationships with investors and shareholders, not to mention their bottom lines.

However, PricewaterhouseCooper's Indian chairman Deepak Kappor recently noted that fraud affects a variety of departments within a company and that auditors should not be forced to shoulder all the blame. There are at least four pillars of corporate governance, and each plays a special role in ensuring a company is being run efficiently.

"First, there is management and the promoters, there are independent directors, then there are internal auditors and then come the outside auditors," he told the Economic Times. "The management would have to first follow good corporate practices … and it needs to be made sure that internal auditors do not report to the management or promoters, but to an audit committee."

The strict department-style setup of many corporations frequently doesn't facilitate collaboration as well as it should, which makes the job of internal auditors that much more challenging.

Reports of bedbugs in Stonequist Aparments were the first sign that something may be wrong with the authority's financial budget and practices. There are several other concerns as well, including salary, compensation, travel and business expenses, as well as claims of nepotism, Mayor Scott Johnson told the Times Union.

Al Calluci, a city resident and a critic of the authority, was also included into the organization's seven-member board.

"Quite honestly, I don't know what the oversight has been. Absolutely, the state has to be involved," Calluci told the news source, referencing the U.S. Department of Housing and Urban Development.

HUD is a cabinet department formed in 1965 for the explicit purpose of developing and executing policies to support housing in metropolises. It is supposed to prevent buildings and properties under its control from becoming decrepit and uninhabitable.

The two-year review will cover all financial transactions, while transactions between shareholders from the past three years will be audited as a part of the initiative. The financial audit is tentatively scheduled to be completed within the first quarter, which will enable the company to complete a Form S-1 filing with the SEC.

"Bringing integrity and confidence in our financial reporting and financial processes is a critical action our company must take," said David McGee, CEO of Ronn Motor Company. "We believe the team we've assembled will conduct this audit process in a professional and efficient manner and further positions us toward being a 'Reporting Company' – a key objective for us."

The review should improve corporate governance and establish greater confidence among shareholders. After the economic collapse, many companies lost the trust of their investors, so performing audits and enhancing governance can help organizations reconnect with these individuals.

According to a recent survey conducted by Zurich Financial Services Group, approximately two-thirds of the executives surveyed said risk identification has become paramount over the past three years. Despite the growing importance of risk assessment, only one in 10 thought their management was effective in the creation of a risk-aware culture.

Additionally, many respondents believed it was crucial to link risk information to strategic decision making, but only 14 percent said their companies actually did that in an effective manner.

"There is no doubt that in today's challenging environment customers, shareholders and employees expect clear commitment to comprehensive and forward-looking risk management from top management and board," said Axel Lehmann, chief risk officer at Zurich.

IndustryWeek recently suggested assigning a corporate "risk champion." This individual would work toward achieving better risk awareness throughout the company and getting each department to work together to create a comprehensive risk strategy.

As IndustryWeek notes, various studies show the inefficiency of which risk governance is carried out. Seven percent of company revenue is devoted to risk identification and governance, but few firms work together to tackle these key issues and the matter tends to get pushed to the lowest levels of the organization.

David Young, senior vice president of insurance firm Willis, suggests appointing risk champions who will take control of the issue.

"Ignorance has never been a defense of the law. You should have known," Young told the news source.

Conversely, however, businesses shouldn't relegate all the responsibility on a certain person – there is a difference between having an individual take care of risk assessment and a person who will motivate others to address it. The risk champion should rally everyone else together to tackle the issue.

Firms with senior management and boards that do not support compliance will be under the most pressure from the SEC, director Carlo di Florio explained at the recent 2012 Compliance Outreach Program National Seminar. Board members, chief risk officers, management, internal auditors and business unit leaders all need to contribute to ensure their companies are adhering to compliance standards.

"[By] engaging senior management and the board at various points in the examination process, our goal is to elevate the role of compliance," AdvisorOne quotes di Florio as saying. "Strong risk identification controls, including a solid compliance program, are a key responsibility of everyone in a regulated entity, but the right culture and tone at the top are especially the responsibility of senior management and the board."

The management of risk and compliance has become even more crucial as treasurers and financial officers investigate new means of returning to the black.

Data is the primary obstacle in that regard. Though some progress has been made to improve operational loss data, issues such as completeness, collection thresholds, dates and natural scarcity still prevent operational risk assessments from being as cut-and-dry as many financial institutions would like.

"For several important operational risk types, the lag that exists between a macroeconomic event and the losses can be many years, well beyond the scope of the exercise proposed by the regulators. One example is litigation losses (mostly under the ‘clients, products and business practices' risk type)," Cruz writes tor Risk.net.

With that in mind, transparency can also help ease relationships with investors. Corporations shouldn't try to hide risks or downplay them. Being straightforward is the best way to bolster confidence.

As RiskCenter notes, however, embarking on new objectives such as globalization opens corporations up to new risk. Some are obvious – like the tip of an iceberg – while others are less so – like the submerged core of the iceberg. Being able to perform risk identification for both types of dangers is crucial.

"While every business prepares elaborately for perceptible issues, few businesses take the initiative to develop an awareness and sensitivity to all that lies below, hidden from view, and waiting to cause chaos," the news source explains. "People don't know what they don't know. Worse yet, no one can plan for something that has never been anticipated."

In that regard, it's crucial that corporations use the most up-to-date risk workshop software to help prepare for all the possible scenarios.

The improvements would cost approximately $40 million to carry out and create approximately 400 to 600 yearlong jobs, the Bend Bulletin reports. Once the improvements are done, they would save local schools nearly $4 million a year. Moreover, the state would be able to pay for most of the renovations through low-interest loans.

However, school boards are skeptical of the savings, especially when considering the fact that planned improvements would require them to take on additional debt in a rocky economic climate.

"Quite frankly, it didn’t tell us anything more than we already knew," Gary Heldt, an engineer for Eugene School District, told the news source in regards to the recent audit.

With more organizations looking to save money, internal audit software can be a valuable asset. Running these reviews regularly can help determine how various policies and procedures may affect the bottom line.

"Effective enterprise risk management hinges on other dimensions as well, including organizational culture, behavior, ethics and change management … all the squishy, human stuff that defies convenient categorization in COSO cubes and other traditional risk management frameworks," business expert Eric Krell explains.

In the past few years, the corporations that have succumbed are the ones with limited views of risk indicators and management. Organizations such as MF Global were unable to survive because they didn't innovate with their risk management strategies and subsequent changes to their assessment programs didn't provide adequate results.

Financial officers need to arm themselves with the tools to properly manage their policies. Risk assessment software is paramount to this process.

Interim city manager Dan Stanley recently conducted an audit to determine where all the funding went. As it turns out, none of the health insurance funds were misappropriated, as some outraged workers had assumed. The report will be made available to the city council in the beginning of February.

"I will be sending that out to the council early next week," The Topeka Capital-Journal reports Stanley as saying. "But, in short, it was found that no funds were misappropriated from the fund for any other purpose than health insurance/fund-related expenses."

Several measures were taken to prevent the bottoming out of the fund, such as a one-time emergency infusion of $1 million earlier this year.

Internal audits can help organizations figure out where they went wrong and avoid making those mistakes again in the future. These reviews should be performed regularly and with the most up-to-date internal audit software.

The organization was asked to reassess its current legal and financial status after it received an eviction notice by its current landlord, the Inman Park United Methodist Church.

"There have been a number of missed monthly payments and we finally decided to work with a lawyer," Rev. Matt Nelson told GA Voice on Thursday. "A [letter] of demand for payment and notice of default … was initially served on Jan. 12."

In December, YouthPride board chairman Jordan Myers announced the company needed $40,000 to get current on debts or else it would face closure within 60 days. Now, the organization is being audited to determine whether it can continue to stay open and at least continue offering its services to troubled youth.

An internal audit task force can be leveraged to identify financial issues long beforehand, provided it is equipped with proper internal audit software.

While the city isn't ready to discuss the specifics of the audit yet, the summary was carried out by an internal audit branch of Metro Vancouver, which recently made moves to improve the water quality system. The audit was not required by law, with auditors stressing the inquiry was performed as a means to show the city's commitment to the plan.

"The new system is based on Ontario’s water standards that were passed as a result of the 2000 Walkerton tragedy when the Ontario town’s water supply was contaminated by E. coli bacteria and seven people died. It is also similar to management systems from the International Standards Organization," the Vancouver Courier reports.

When corporations and other organizations discuss new policies, it's always wise to have them reviewed for potential deficiencies. Through proper use of internal audit software, companies can double-check the efficiency of these new procedures.

According to the audit, CardioComm Solutions has well implemented management reviews, resource planning processes and corrective action loops. In conclusion, all the requirements of applicable ISO standards and Canadian regulatory requirement have been fulfilled and the firm's quality systems are well-established.

"This is excellent news for CardioComm Solutions," stated Etienne Grima, CardioComm Solutions' CEO, "especially in light of the rally in our stock price and brisk trading. The recent market response provides a clear signal that our shareholders … understand the significance of the FDA's permission to sell the HeartCheck with our GEMS software."

The medical industry is full of various regulations, so organizations need to stay on top of their policies and procedures to ensure they don't take any missteps.

The 2012 AFP Risk Management Survey asked chief financial officers, corporate treasurers and other key executives about the risks that impacted their earnings the most, and they all named the ones that are likely to cause the most uncertainty. Now, these companies are looking to risk identification to help mitigate these factors.

"Uncertainty is here to stay," said Jim Kaitz, AFP's president and CEO. "One way organizations can take control of rising uncertainty in their earnings is by adopting a new mindset and making more risk-adjusted decisions.  The ones that do this effectively will have a competitive advantage."

Risk assessment software is a key tool for businesses looking to prevent these issues from becoming a problem in the first place.

New standards were put into effect that clarified the troubled debt restructurings. A number of TDR disclosures related to credit quality and allowance for credit losses were made effective for the first time during this time frame. Additional disclosures about the items measured at fair value, namely more sensitive information, were also provided.

"New guidance clarifies which types of costs incurred by insurance companies can be capitalized (DAC) in the acquisition of new and renewal contracts," the report notes. "The FASB continues to re-debate issues on how financial instruments are classified and measured and is working with the IASB to come to a global answer for how to calculate credit losses at financial institutions."

It's crucial for corporations to keep up-to-date on any new standards within their industry so they can operate at maximum efficiency.

While the core of their job – providing independent assurance of function – remains unchanged, many internal auditors are now working more closely with businesses to make their reports more relevant to these companies. The news source cites internal audit's increasing focus on accessing the effectiveness of risk management processes as evidence of this.

"For many audit departments the use of analytic technology progresses from ad hoc testing of transactions in support of a given audit objective, through to automated control testing routines and then evolving to regularly scheduled continuous auditing. This increases the efficiency and effectiveness of the audit process and also provides timely identification of errors, fraud and control weaknesses," Business Finance Magazine notes.

Corporations may want to consider upgrading their internal audit software to keep up with the changing responsibility of the position if they want to maximize efficiency.

The improvements cover a variety of different policies. Beginning with the 2012 annual meeting, shareholders will be able to vote on executive compensation. The corporation's existing majority voting policy has also been modified to clarify that resignation delivered by a director who receives more "withhold" votes than "for" votes will be accepted. Stock options will no longer be provided to independent directors either.

"The changes adopted today underscore that the Board continues to be responsive to, and is fully aligned with, shareholder interests," said Magna Chairman Michael Harris. "Since the completion of the plan of arrangement in August 2010, the Board has implemented a number of enhancements to its corporate governance practices while continuing to emphasize the key operating principles."

After the economic recession, many shareholders lost faith in their companies. GRC software may help organizations employ better corporate governance policies and win their confidence back.

According to its 2012 Supplier Progress report, the company will be performing "rigorous audits" with a panel of independent experts in order to assess the working standards at suppliers, manufacturers and assemblers. If these working condition standards are not met, the iPod maker will cease relationships with the offender.

"We continue to expand our program to reach deeper into our supply base, and this year we also added more detailed and specialized audits to address safety and environmental concerns," the Apple report states.

Foxconn, a supplier of Apple products, was lambasted in late 2010 when 18 workers attempted suicide by jumping off the roof of its Taiwain factory because of poor working conditions. The incident gained international attention and spawned several documentaries critical of Apple and the other brands that were clients of Foxconn.

The new audit ostracizes the NYRA for not making changes outlined in two previous internal audits after the organization emerged from bankruptcy. If it weren't for the new Resorts World New York, the NYRA would have a deficit of nearly $20 million from its racing operations this year, nearly double from its $11.5 million deficit last year.

"NYRA may have even less incentive to be attentive to cost savings initiatives as its financial condition improves with the influx of VLT (video lottery terminal) revenues," the news source notes, citing the report. 2012 net revenue for 2012 is expected to increase by $48 million due to new gaming operations.

With many organizations looking to add new streams of revenue this year, its crucial they don't let other practices fall by the wayside. There are always ways to lose out on potential revenue so companies should make use of internal audit software to ensure they aren't letting anything slip through their fingers.

Carnival, the parent company of Costa Concordia, said the tragedy has forced the corporation to question its procedures, despite the safety record over the past few years. The review is being carried out by Captain James Hunn, a retired U.S. Navy Captain. The Health, Environment, Safety & Security Committee is also looking into new emergency response training and procedures.

"This tragedy has called into question our company's safety and emergency response procedures and practices," said Micky Arison, chairman and CEO of Carnival Corporation. "While I have every confidence in the safety of our vessels and the professionalism of our crews, this review will evaluate all practices and procedures to make sure that this kind of accident doesn't happen again."

Corporations should aim to conduct reviews and audits before crises happen to avoid them becoming issues in the first place.

For example, OmniTouch recently developed a wearable multitouch solution that can be broadcast and interacted with on any solid surface. Executives could display keyboards on an airplane tray table to write documents and emails or use the systems to take notes on pamphlets and material they are reading in their hands.

As the Internal Institute of Auditors explains, it's crucial that corporations develop policies to manage the use of new technology before they become potential risks.

"Is your organization taking advantage of the new technology to improve its products and services, the efficiency of business processes, and the quality of risk and performance information that drives business decisions?" the website asks. "Are your risk management and internal audit proactively engaged as advisors … to help pilot management?"

With the new year underway, this is the perfect time for corporations to reconsider risk indicators, governance and other critical policy matters.

According to the review, Catango Corporation, the owner and operator of the horse stable, owes the department upward of $100,000 in penalties for allowing unauthorized horses to stay for free. The audit, which examined the two-year period between July1, 2007 and June 30, 2009, found other violations were made as well.

"Among the horses that are allowed to stay at the stable for free are those owned by Ashley Nicoll-Holzer. Ms. Holzer is the wife of stable operator Rusty Holzer and a Canadian Olympic rider. Other horses, including those owned by Parks and those used for lessons, also stay for free," the Riverdale Press reports.

Rather than paying the penalties outright, the organization was allowed to make capital improvements, starting with the repaving of the parking lot and driveway leading to the Equestrian Center.

It's crucial that organizations take a look at their policies often to avoid getting themselves into potential legal trouble.

Should real-time trading be taken care of in-house, IID could save approximately $9 million per year. To hire a fulltime in-house staff that is able to achieve the same effect, it would cost only $810,000. Some of its contracts are currently handled by Coral Energy, a subsidiary of Shell Oil, the Imperial Valley Press reports.

"This is great," Matt Dessert, vice president of the IID board, told the news source. "It's going to create jobs in Imperial County that are now being outsourced to Coral, and it's going to save us at least $5 million (conservative total saving totals minus new expenses)."

At a time when many companies are focused on conserving money, internal audit software can be crucial to identifying trouble areas and potential savings.

Some firms are very incompetent, and PwC suggests they should be more innovative and agile when seeking out risk indicators. By updating archaic practices and integrating new technological solutions, they would be better able to identify potential risks to their well being, such as tsunamis or oil spills.

"The risk landscape is changing, and established risk management approaches need to be updated to keep pace," Richard Sykes, a partner at PwC's governance, risk and compliance division, told BDaily. "Many organizations currently have the wrong focus. They major on financial and operational risks and crucially regard risk and strategy as separate rather than seeing risk-taking as a key source of value creation."

Implementing new policies and updated technology, such as risk assessment software, is crucial to achieving up-to-date risk management processes.

Conducted in June, the internal audit focused on MLGW's Plus-1 program, which encouraged customers to donate $1 dollar through their utility bills. The money was used to benefit the Metropolitan Inter-Faith Association, which distributes the funds to people who struggle to pay their utility bills as a result of recent unemployment.

"Records showed that payments to MIFA were sometimes made months after the money arrived at MLGW, and that multiple months were paid at one time. Managers agreed they needed to make the payments faster," the news source notes. "No one area or person was assigned to monitor the program and no formalized procedures were in place."

This instance highlights the importance of utilizing internal audit software to discover policies that are not being carried out efficiently. Once identified, corporations can then make the necessary judgments, as MLGW did.

Travel and resort fees were covered by AmeriBen/IEC Group, the organization which is in charge of processing employee benefit claims for the county. Every six months, administrators were offered travel for two people with free meals and three nights of lodging.

"The trio contended they didn't violate the county's gift policy because training was involved," the news source notes. "But auditors said the appearance of conflict with a vendor may be just as damaging to the county’s reputation as an actual conflict."

Among AmeriBen/IEC Group's other clients are several American-Indian tribes and the Tucson Unified School District.

Earning the trust of investors and other supporters is crucial, which makes gaffs such as this one potentially damaging. Internal audit software can help organizations identify these policy violations in advance.

In November, Olympus came clean after admitting it had used approximately $1.7 billion to cover losses made in the 90s and that the company's accounting practices were "not appropriate," making it one of the largest and longest-running corporate coverups in Japanese history.

Ernst & Young hasn't found any problems so far with the auditor's examination of accounts at Olympus. However, the organization was quick to note that its final report – which was scheduled for release in February – may be delayed even further due to the ongoing police investigation.

"The camera maker will decide whether to sue its corporate and accounting auditors by Jan. 17, the deadline for filing a lawsuit," Bloomberg Businessweek reports.

The lack of transparency has had a major impact on the corporation's stock, which plunged 59 percent last year as the scandal was first uncovered. This highlights the importance of transparency when dealing with accounting issues and using GRC software to prevent such issues from arising.

Financial Executives International recently released a new paper that touched on this subject, offering some advice for companies trying to stay ahead of the game. It's crucial that corporations understand and evaluate the facts of transactions, determine the boundaries and consider relevant accounting guidance.

"Having a robust process to make good accounting judgments is the responsibility of management," the paper notes. "However, that process should include steps to assess transactions to determine which are significant and warrant additional consideration compared to those that are more typical and are addressed through a company's routine internal control processes."

The modern business climate also requires corporations to be more observant of risk indicators, as they could quickly turn into major problems.

Bruce Blasnik, a member of the auditing team that performed the review at the end of 2011, cited lack of management at the sewage treatment plan as being the most serious level of risk. The issue was brought up to the board multiple times over the course of fiscal 2010 and 2011, but little was done to correct it.

"Material weakness – we don't take that term lightly," Blasnik told the news source. "And it wasn't just one error or one problem that we noted. It was a number of errors that accumulated throughout the audit process and generally caused us to conclude that there's a lack of oversight and lack of accountability in the organization."

Deficiencies such as material weakness can lead to a high level of financial risk. Organizations need to have an internal audit software program in place to avoid these potential issues.

As the news source notes, when forward-looking statements are issued alongside potential risk indicators and factors, they can reasonably come to the conclusion that a company is being truthful and honest. It's all about transparency – by being up front with investors, corporations can command their respect.

"Risk factors deserve particular attention these days because good disclosure that is the product of a careful process also can facilitate easier access to rocky … capital markets. In uncertain times, increasingly risk-averse investment banks give greater scrutiny to … reports that may not have received intense outside scrutiny since a company's IPO," CFO.com explains.

Risk assessment software can help businesses better identify these various factors and aid a corporation's quest for greater transparency.

Unsurprisingly, many experts in the field are experimenting with altogether new strategies for measuring risk. Vikram Prandit, for example, recently suggested an alternative way for banks to better assess risk that involves having regulators create a benchmark portfolio that would require all financial institutions to measure against that.

"Institutions would be required to produce, on a quarterly basis for that benchmark portfolio, a hypothetical loan/loss reserve level, value at risk, stress-test results and risk-weighted assets," Prandit writes for the news source. "Right now these measures are run only against an institution’s actual portfolio and only a limited number of the results are disclosed."

Poor risk identification strategies can lead to the demise of a company, which is what happened to Wisconsin-based Legacy Bank. A recent report from the Federal Reserve suggests company practices were corrupt in a number of ways, from misleading customers to poor bookkeeping.

After the economic collapse caused many investors' confidence to waver, auditors are now squarely in charge of restoring that trust. Audit quality is paramount to achieving that goal, the Public Company Accounting Oversight Board chairman James Doty explained at the conference.

"We are experiencing extraordinarily challenging times, [with] change driven by external events and circumstances as well as change inside the profession. [The] financial audit is the linchpin for restoring confidence," Doty said, as relayed by a Deloitte report.

Other speakers urged auditors to strengthen their oversight capabilities and performance over the course of the next 12 months.

One of the many ways corporations may be able to accomplish this goal is by implementing and enhancing their use of internal audit software to better evaluate company policies and procedures.

Pinnacle Airlines is in the middle of a restructure that has affected a number of its employees – former managers even asked unions to take 5 percent wage cuts. However, the corporation's top five executives earned more than $4 million combined last year, approximately 35 percent of the company's $12.7 million in net income.

Eleanor Bloxham, CEO of the Corporate Governance Alliance, believes the managers are being paid way too much, especially considering what the company is going through.

"It was way out of line to what the company was able to generate (in profits), and it's way out of line because apparently that wasn't an anomaly in terms of performance. The company was moving into trouble," she told the news source. "Why would you reward at that level when it doesn't sound like they were turning the company around?"

Governance, risk and compliance (GRC) software is crucial to helping corporations identify potentially dangerous practices, such as outrageous compensation policies.

BusinessInsider recently noted three major companies, for example, that are all displaying high risk indicators in terms of corporate governance. Cablevision Systems Corporation, Hudson City Bancorp and the Charles Schwab Corporation. According to the analysis, each has a "high concern" rating in terms of compensation risk, audit risk and shareholder rights risk.

"For a look at how companies are being run, look to their corporate governance policies. These policies represent how the company’s board operates, how the company is audited, how the board exerts control over management and how shareholder rights are protected," the news source urges.

Identifying potential risks in advance is crucial to preventing them from manifesting in corporate policies. Governance, risk and compliance (GRC) software can manage these obstacles.

The audit suggests the party actually had tens of thousands of dollars less than it was supposed to. An amendment of the party's actual financial standings was submitted to the Federal Elections Commission and state Board of Elections.

"I'm glad we were able to recognize these discrepancies and resolve them quickly," he told the Providence Journal. "We worked swiftly and diligently to correct our reports. We can now move forward looking to the future of the party and Rhode Island."

Zaccaria attributes the mistake to human errors dating back to 2002 and insists the issues will be fixed moving forward. No money was illegally spent, he reasserts.

The discovery was announced during Zaccaria's first meeting as head of the state party. He was elected last December.

Conducting in-house reviews is crucial so that small errors don't go on to become larger mistakes. Internal audit software is a vital tool to discover bookkeeping mistakes.

The scathing review deemed the organization's oversight, internal controls and policy guidance by the institution's board of directors were critically deficient, the Milwaukee-Wisconsin Journal Sentinel reports. Legacy was heavily concentrated in commercial real estate loans, which proved to be a volatile and unprofitable market over the past few years as the economy collapsed.

For example, one bank executive hid the delinquent status of a loan from a customer in order to push for a renewal.

"Deficient oversight and weak internal controls were also evidenced by a lack of accurate financial information," the news source explains, citing the report. "Following the resignation of the bank's chief financial officer in September 2010, … numerous errors in the bank's financial information [were discovered], requiring regulatory report re-filings."

Because the economy is still on the mend, it's crucial that organizations pay special attention to risk indicators and develop plans to navigate these potential obstacles.

Speaking with CBC News, Mayor Dennis O'Keefe confirmed an internal audit had been launched in December after officials saw a rash of low-value purchase orders that couldn't be explained by the budget. No disciplinary action has been taken against employees yet, but the individual may be released if the investigation concludes the purchase orders were used for personal gain.

"They will conclude their investigation, I would hope, within the next two weeks so that we can get a resolution to this," O'Keefe told the news source. "Because we need to get a resolution to this, one way or the other, as quickly as possible."

Audited employees aren't always guilty, however. For example, a recent audit found Timothy Wanamaker, a city official of Alexandria, Virginia, was innocent of embezzlement claims.

Copetas was found to be in violation of federal law for providing students employed by the admissions department with scholarships. Additionally, she granted scholarships to a great-niece and great-nephew without citing her blatant conflict of interest and removing herself from the decision-making process, The Western Front reports.

The admissions director was fired by the educational institution three days before the internal audit was published. Copetas has since wrote a response letter to Eileen Coughlin, the vice president for enrollment and student services and Copetas' former supervisor, to dispute the decision, saying other schools in the state have taken less harsh action against larger offenders.

A recent audit elsewhere in the country found the Jefferson County Public Schools' administration was guilty of favoritism while hiring personnel. The audit suggested the school board be completely overhauled.

This mindset is a mistake, however, and auditors need to steer clear of making these assumptions. As Richard Chambers – the president and CEO of the Institute of Internal Auditors – explains, the market is constantly changing and what may have previously been a sound practice may quickly get a corporation into trouble during a new year.

"Following the risks seems so obvious to most internal auditors that it shouldn't even require a New Year's resolution to get it done," Chambers writes on his IIA blog. "Unfortunately, though, repeating last year's audits without considering this year's risks may not yield much value for our stakeholders."

It's crucial financial executives consider the risks their companies currently face when leveraging their internal audit software to assure they aren't committing any mistakes.

Speaking with PropertyCasualty360, the executive notes the importance of responsively identifying trends and emerging risks. East says that technology enables corporations to create, publish and distribute more data, facilitating the discovery of new trends. Conversely, however, it can also be overwhelming.

"The emerging generation of risk professionals is in many ways more connected and engaged in viewing risk management with a broad view and not narrowly limited by the purchase of insurance," he concludes. "This gives us the chance to pass the torch to a cohort prepared for the risks of the future."

Risk management software can help corporations master the tempo of 21st century business practices. Successfully leveraging these tools is key to achieving that mastery.

A state agency monitoring the Klamath County Mental Health Department found several deficiencies regarding billing after the organization was flagged due to non-licensed practitioners conducting patient evaluations. The Office of Payment Accuracy and Recovery was not pleased by the results and the department was forced to repay approximately $91,000 in non-compliant Medicaid bills.

To prevent the issue from reoccurring, Klamath County Mental Health Department has purchased an electronic health records system that will make the process of billing patients more fool-proof.

"The software won't allow us to bill out unless we've done everything correctly," Mental Health Department director Amanda Bunger told the website last week.

Companies looking to avoid compliance issues and ensure they are performing up to par should consider integrating audit software. These software solutions can lead to better results and help companies avoid paying penalties.

The report suggests the employees clocked in for 300 hours they didn't work and would then cover for each other when questioned. While the audit suggested they be fired, the three employees were only punished.

"The investigation was completed in mid-December, while the department already was coping with the departure of its eighth director in eight years, internal accusations of racial discrimination and reverse discrimination, and an ongoing probe of a house construction project that could leave the city on the hook to the federal government for $4.1 million," the Palm Beach Post reports.

Audits are crucial to determining how cities are performing and whether they are being operated properly. Internal audit software can help organizations identify potential problems and deal with them promptly.

It's crucial that companies are transparent with their business operations. With both Olympus and MF Global, boards were frequently timid when critically analyzing off-balance-sheet transactions or deal performance and executives were charged with being secretive. This led to a breach of trust among shareholders.

"Transparency means few, if any, off-balance-sheet transactions, no covering up or minimization of risk warnings, and a free, consistent flow of information from executives to the board, and the board, auditors, and attorneys should have the latitude to question suspect activities," Park explains.

GRC software can play a vital role in helping companies to identify issues before they become troublesome, preventing situations that could lead to shareholder dissatisfaction.

Ira Millstein, a corporate governance expert at Weil, Gotshal & Manges, suggests now is the perfect time to rebuild that relationship among shareholders. Tough economic conditions, slow job growth and political strife have created clouds of doubt over companies heads and if companies are on the path to recovery, they need to show that to dissidents.

"We felt that it was important for all corporations – not just the financial sector – to think about building trust," Millstein told Law.com's Corporate Counsel. "This requires effective disclosure of board decisions and policies, and concerted efforts at shareholder relations and communications, both areas where boards often could focus more attention."

Companies looking to get the edge should also consider GRC software to ensure they are running their businesses efficiently and appropriately.

The internal audit was performed as a part of normal business routines, KCBD reports. While the findings led to the resignation of Bruce, UMC officials refused to comment whether Bruce was the one embezzling funds or whether he was just a player involved with the process.

"In his position at marketing, [Bruce] had financial responsibility for advertisement, marketing, community support, a couple of departments like chaplain services, volunteer services, Seniors Are Special … several things reported to him," added Mark Funderburk, executive vice president of UMC.

By leveraging internal audit software, UMC was able to identify the embezzlement scheme before it was blown out of proportion. If the issue was left unchecked, it could have impacted the organization's relationship with the public taxpayers, who account for a significant amount of UMC's funding.

The committee appointed to perform the review is scheduled to have a final report ready before the end of the month on January 31. The panel was formed in July after shareholders put the pressure on executives to analyze the appropriateness of how the company is being run.

Several media outlets have reported that the results of the report may lead to Jim Balsillie and Mike Lazaridis being replaced and having the co-chairman and chief executive roles split into different positions, with an independent director taking over the chairmanship. This highlights how important GRC software is to ensuring a company is being run appropriately.

The Globe and Mail points to the resignation of Jim Balsillie as the catalyst for RIM's misfortunes. Balsillie was responsible for backdating stock options and RIM never appointed a new executive that could challenge the company's CEOs.

Skyworks Solutions originally brought the allegations to the table in connection with an arbitration proceeding in the Delaware Court of Chancery. AnalogicTech's accounting treatment of certain revenue for transactions conducted through the three-month period ending on June 30, 2011 was called into question.

"The Audit Committee, in consultation with independent outside legal counsel, has completed an internal investigation of these allegations, has found no improper conduct by AnalogicTech's officers, and has concluded that the company's accounting practices with respect to revenue recognition for the three months ended June 30, 2011 were appropriate in all respects," AnalogicTech said in a statement.

Internal audit software can be used to help confirm or deny any allegations made either by different sections in the company or through external business partners or clients.

Women's apparel retailer Talbots recently launched its own P-Card initiative, and to manage spending, the company is using audit software. Irene Connoly, a Talbots associate, told Pymnts.com that auditing the accounts will be crucial to ensuring the success of the program.

"We are now piloting some operational expenses that are high-volume, low-dollar. We’re going to pilot those and try to [learn] from that to figure out how to keep the control over… but they’re expenses because they are high-volume, low-dollar, and sometimes, they’re painful," Connoly explained. "We've got internal audit, accounts payable, procurement, IT, and now, the bank [involved.]"

Talbots has experienced a number of financial troubles over the past few years, so incorporating audit software may help the company get its accounts straightened out.

Investors expect companies to return value to shareholders and are able to grow financially stronger. A successful company is one that constantly and consistently raises their payouts because they are the ones increasing their own expectations.

However, ethical corporate governance is also paramount. A number of companies in the past have tried to mask financial weakness by raising dividends by using their own capital rather that bolstering growth. Well-managed companies will have strong and ethical corporate governance and avoid such practices.

"Companies demonstrating shareholder and customer-centric attributes perform well in turbulent markets, in part because of the loyalty they engender, and that is rewarded through a continuing stream of dividend payments," the news source explains. "Such a commitment is wired into management’s DNA and is the guiding principle of their mission."

Governance, risk management and compliance (GRC) software is crucial to helping corporations achieve ethical corporate governance.

The biggest obstacle preventing better risk identification is the siloed approach that many financial institutions use, Bank Info Security explains. For example, different departments of an organization might be in charge of managing separate liabilities, such as credit, market and operational risk. However, there may be some overlap, which necessitates open communication between departments.

"You really have to communicate broadly throughout the organization," DeMarco told the news source. "Risk-management professionals need to be able to identify and assess risks and communicate those risks to business line managers up the corporate ladder so that risks are managed across the enterprise."

Communication, however, is only one part of the solution. Up-to-date risk assessment software may also help financial institutions ensure they are following any new regulations, such as the Dodd-Frank Act passed last year.

"We are very concerned about what it will mean for the liquidity of the market," Maria Pope, CFO at Portland General Electric, explained. "In terms of overall risk management, we are looking at how we manage the entire power supply operations area and doing extensive benchmarking with other utilities. We also have a fairly robust enterprise risk management program."

As a result, risk is becoming a focus point for many of these energy companies, with every key executive looking to identify and rate potential risks. Automated systems and risk management software are expected to become mainstays at utility providers if they don't already have systems in place.

Several major utility companies are already facing audits to determine whether they are complying with regulations. For example, National Grid recently missed the deadline of its audit, which does not bode well for the company.

Wanamaker was recently found guilty of embezzlement during his time at the city of Buffalo, New York, which prompted an internal audit after he was released from his position at Alexandria City Hall. The report, however, found that Wanamaker did not have the clout to collect funds as the deputy director of General Services at his new position.

"Wanamaker … pleaded guilty to a felony charge of stealing government funds from the city of Buffalo between 2004 and 2008 while serving in a variety of top posts," the Alexandria Times notes. "He tendered his resignation about 48 hours after revealing he had stolen roughly $30,000 in municipal and federal funds."

His position in Alexandria didn't involve traveling, unlike his post in Buffalo, which would have made it difficult to acquire funds.

Discovering corporate gaffs is paramount to running a successful organization. Internal audit software may put organizations in a better position to find these fiscal holes before they amount to a significant amount of lost money.

According to state controller John Chiang, the city's internal controls – or the lack thereof – could potentially lead to waste or malfeasance. The situation is so bad that Chiang compared Montebello to Bell, another California city that has become synonymous with corruption and mismanagement.

"While the roots of Montebello's problems are different from Bell's, they both share the common trouble of having little or, at times, no accountability in their spending of public dollars," Chiang told the news source.

Although no criminal wrongdoing was found, Chiang urges the city to revise its fiscal policies to get back on the right path. 

Not all American cities are struggling with management issues. For example, a recent audit suggests the Louisiana city of Slidell is operating with zero deficiencies.

The root of the problems stem to Rex Millsaps, a previous mayor of the city. There were several unapproved expenditures, an absence of written controls concerning transactions, assets and compliance, and just poor organizational measures in place while he held office from September 2006 to December 2010.

"This is the most important city operational event in the last 30 years," said City Councilman Tony Powell, who called for the report done by the Atlanta-based accounting firm Moore Stephens Tiller. "It goes to the heart of protecting the city's interest."

The audit tackled nine key areas of concern for the city, ranging from the construction of Lawrenceville's $10 million police station to $582,000 in paving and curb improvements. The city paid $20,000 for the review.

This instance further highlights the importance of conducting regular internal audits to prevent such gross mismanagement. By leveraging internal audit software, companies can more effectively avoid years of mismanagement and waste.

More than 80 senior-level auditors attended the seminar, including Sundaresan Rajeswar, a board member of the IIA, and Glenn Rhea, an account director at Qatar. Rajeswar spoke about a new program at the IIA that will help auditors discover risk indicators more effectively.

Meanwhile, Rhea spoke of the growing challenges facing the internal audit community, including new regulatory obligations that businesses need to address and the demand for more advanced GRC software.

"In addition, [Rhea] highlighted the need for greater collaboration between audit and compliance as part of the GRC lifecycle, in order to help meet some of these challenges more effectively and, ultimately, to improve risk assessment results," the news source recounts.

The Dodd-Frank Act, enacted in 2010 by President Barack Obama to prevent another economic collapse, is just one of the many new regulatory reforms businesses must contend with.

A letter sent prior to the holiday break requested the audit due to the lack of a master plan to oversee new renovations and redevelopment at the station, the Washington Times reports. Union Station Redevelopment was created nearly 30 years ago in 1982 and currently oversees Union Station's operations.

"We thought it was about time, frankly, with 90,000 people [daily] coming through the facility … and with huge changes under way," Delegate Eleanor Norton told the news source. "It's a gorgeous facility, and the federal government was right to put money into it. We better find out now if this corporation can support itself in the long term."

So far, the organization has done an effective job managing the site. In 2010, it had a total revenue of $10.3 million with total expenses of $6 million. It ended the fiscal year with total assets worth $33.9 million.

During a recent Globe Street webinar, the news source was consistently asked the same question by brokers: "I'm concerned my property may not pass Probably Maximum Loss Seismic Risk Assessments, which banks do not have a seismic policy?"

This means lenders without a seismic risk indicator policy may be taking on significant loss opportunities in the current economic climate.

"High risk properties are not screened out by Seismic PMLs," Globe Street notes. "And, more subtly, brokers know that they can take potentially more risky deals to these lenders."

Similarly, there are several other risk indicators that property lenders need to incorporate into their management policies if they don't want to end up on the wrong end of the deal. With foreclosures and land prices still at rock bottom, it's ideal to address these issues sooner rather than later.

According to Don Roose, president of U.S. Commodities in West Des Moines, Iowa, there are several potential developments that could affect American farmers. For example, the economic troubles in the European Union could lead to a further decline for feed products, which is a staple of Iowa produce. Land prices have also risen, which means agriculture firms may need to adjust their product prices upward.

"[Still,] we’ve taken a lot of the risk premium out of the market as world production has bounced back," Roose adds. Weather problems in South America may further fuel opportunities for American growers.

Agriculture manufacturers face other issues as well. For example, many government agencies have taken note of consumer demand for greater transparency in the production of goods, which is leading some growers to use few chemicals or genetically modified organisms.

The audit revealed a violation of the airport's original quitclaim deed in addition to mismanagement by the region's Airport Economic Development department. The county entered into a 25-year lease with Evergreen Maintenance Center in 1982. However, the travel center's quitclaim deed says it can't make exclusive deals for right of use.

"There is significant documentation to substantiate the FAA (Federal Aviation Administration) believes Pinal County has violated these deed restrictions," the Office of Internal Audit report states.

"We are (short) some lease money; we are taking steps to rectify the situation, and I am hopeful that Evergreen will recognize the strength of the lease agreement and will make it right," Pinal County District 3 supervisor David Snider told the news source.

For businesses, internal audit software can help discover mismanagement in advance before it has the chance to significantly affect the bottom line.

"If the world is a riskier place than you thought, then you hold more of the lower risk asset, which turned out was Treasuries. Clearly the low level of yields we are looking at is a form of risk aversion," Fisher explains. "The high bond prices/low yields reflect a lot of investors' anxiety about the world and they want to hold a lower-risk asset."

Fisher was also supportive Dodd-Frank directive as it will get more over-the-counter interest rate producing into clearinghouses. This move may push interest rate products into new structures that are better able to adjust to the current economic climate.

Risk management has become even more crucial as corporate treasurers strive to take on higher yields. A new survey from JP Morgan Asset Management suggests new treasurer strategies may be significantly more risky as they look to improve the results of their companies.

The Globe and Mail assert this is in part due to poor corporate governance. Tracing back the issue to 2007, the news source points to the forced resignation of Jim Balsillie as the catalyst. Balsillie was in charge of backdating stock options and a new executive that could challenge RIM's CEOs was never appointed.

"When investors began clamoring for a board shake-up last spring, the board struck up a committee that will not present its findings until the end of January, an eternity in tech time. In the interim, Goldman Sachs began evaluating the company as a takeover target," the Globe and Mail reports.

As of October, RIM occupied only 17.2 percent of the American smartphone market compared to Google's 46.3 percent and Apple's 28.1 percent. Better use of enterprise compliance software could have perhaps helped the mobile tech company avoid this fate.

A 53-page audit was recently presented to members of the Cleveland Board of Public Utilities. The report will enable board members to create even better policies during an upcoming meeting scheduled for January 26.

"The audit went well," Mark Lay, who was behind the audit, told the board.

"He said the auditing team netted no disagreements with management on the numbers or on how they are presented. Ken Webb serves as the longtime manager of the CU Accounting Division," the news source notes.

According to the report, there were no deficiencies in internal control disclosed during the audit of financial statements, no instances of noncompliance material to the financial statements of the Board of Public Utilities of the city of Cleveland and no significant deficiencies in internal control over major federal award programs.

Another regional utility provider – National Grid – has delayed the completion of its audit, perhaps suggesting it may not be as well off as Cleveland Utilities.

The $1.76 million study, performed by Overland Consulting of Leawood, Kansas, was originally slated to be finished by September 30 and a final report was due at the end of November. However, the Public Service Commission, the organization receiving the report, says the audit is still in progress.

"Under the terms of the audit contract, neither Overland nor National Grid is allowed to comment on the audit before its completion, except to confirm that it is under way," the news source notes. However, PSC spokeswoman Anne Dalton did explain that it's a "comprehensive study" that will be done "when it's done."

The audit was originally ordered in 2010 after commission staff member discovered a number of inconsistencies and irregularities.

National Grid is a U.K.-based utility provider, with major electric and natural gas operations throughout New York and New England. Its U.S. headquarters is based out of Boston, Massachusetts.

State law dictates that all governments must audit their finances on a yearly basis to ensure there are no discrepancies. Fortunately, Slidell's leaders had little to worry about, as the audit – performed by accountant Jim Tonglet and his firm – found nothing wrong.

"Our report found no deficiencies," Tonglet told the city council. "You have been good stewards of the city’s resources … The bleeding has stopped."

As the news source notes, the city's tax revenue had been slipping after Hurricane Katrina and the 2008 economic recession, but the government has managed to get its financials straightened out over the past year. To date, Slidell has more than $150 million in assets to deal with.

Internal audit software can help organizations better identify potential risk issues and prevent major losses from happening in the first place.

The pair of audits, which were filed with the Peoria County Supervisor of Assessment's Office, uncovered $848,000 worth of losses last year and $678,000 in 2009. The leak also cost $400,000 in 2008 and 2007. Clifton Gunderson, one of the accounting firms, seriously doubts the ability of the team to recover from the losses.

Club management, however, remains optimistic. President Rocky Vonachen told press the team would be financially stable in years to come, explaining the losses were only natural given the weak national economy. Speaking with the Peoria Journal-Star, Vonachen noted next season marks the 10th anniversary of the new stadium, which should bring higher attendance.

In the down economy, organizations should always be leveraging internal audit software to identify risk indicators and prevent these losses from occurring.

Trayport associate James Davies notes that many energy firms are not fully prepared for the storm of regulatory changes slated to hit over the coming months. This is particularly the case in Europe, with new rules such as the European Market Infrastructure Regulation, which sets mandatory clearing and reporting requirements for over-the-counter derivatives.

Davies also noted the Dodd-Frank Act in the United States, saying it "will impact trading, clearing and reporting, and also sets position limits on certain commodities – although these rules are subject to a legal challenge by the International Swaps and Derivatives Association and Securities Industry and Financial Markets Association."

The Dodd-Franck Act is affecting a number of different sectors, ranging from energy firms to major financial institutions. The act was enacted in 2010 by President Barack Obama in an attempt to prevent another financial meltdown.

As BankTech notes, however, complying with these seemingly always-moving compliance targets doesn't need to be something to dread. In many cases, implementation of new technology can help financial institutions actually become more efficient.

While the news source is quick to note the complexity and ambiguity of newly published legislation, allocating some funding for risk management software may be a wise investment in the long run.

"We are fairly confident that money is being set aside in budgets for regulatory initiatives for when they do go into effect," Michael Versace, global risk research director for IDC Financial Insights, added.

Meanwhile, the Federal Reserve Board recently issued a new multi-faceted proposal that may reinforce regulation and supervision of bank holding companies through measures designed to bolster risk management, stress testing and credit exposure.

David Landsittel, the chairman of the COSO, explained the key concepts in the modernized framework are timeless, retaining the core definition of internal control. Changes, however, were deemed necessary to keep up with the new-age business and operating environment.

"The update should allow organizations to more effectively utilize the framework to develop and maintain systems of internal control in support of their long-term success," Landsittel said. "Effective internal control allows organizations to adapt to a changing business landscape, and obtain confidence that controls mitigate risks to acceptable levels. This is key for the long-term success of any organization."

Observing risk indicators and developing solutions to minimize them is crucial in the current business environment, especially as more companies are looking to improve revenue – despite the potential threats.

The 70-page report, conducted by two outside experts over the course of the summer, notes that several administrators were being overpaid based on current marketplace values, in addition to the hiring fiascoes.

"We see this report as a start of a conversation that the superintendent will need to have with the school board and the community in Jefferson County about the future of the central-office staffing," said the report’s co-author, Fenwick English, a professor of educational leadership at the University of North Carolina at Chapel Hill.

Overall, the report suggests recasting 31 positions throughout the JCPS board to lend better support to the 155 schools in the region. Auditors also found an additional five jobs that were unnecessary.

Whether it's a school or a major corporation, conducting internal audits can help find wasteful practices before they become a greater issue. Organizations should consider upgrading their internal audit software to prevent any deficiencies.

The first measure is risk-based capital and leverage requirements, which would be implemented in two phases. Phase one requires firms to develop annual capital plans, conduct stress tests and maintain adequate capital. The second would implement a risk-based capital surcharge based on the framework and methodology developed by the Basel Committee on Banking Supervision.

Additionally, the liquidity requirements "would be implemented in multiple phases. First, institutions would be subject to qualitative liquidity risk-management standards generally based on the interagency liquidity risk-management guidance issued in March 2010," the organization noted. These standards would require companies to conduct internal liquidity stress tests and set internal quantitative limits to manage liquidity risk."

The Federal Reserve has implemented a number of policy changes over the course of the year to modify regulatory practices since the passing of the Dodd-Frank Wall Street Reform and Consumer Protection Act.

Three-quarters of respondents (75.62 percent) said the plan to keep employment level over the next 12 months, while 16.34 percent intend to ramp up new hiring significantly over the same time period. Overall, only 6.65 percent of companies believe they will cut back on their existing workforces.

"The results come on the tail end of a positive year for privately held businesses, which saw average sales growth of over 6 percent, an increase from 4.5 percent in 2010, and -5 percent in 2009. Similarly, private businesses’ average net profit margin is at a 10-year high of 6.4 percent in 2011, after hitting a low of 4.2 percent in 2009, and climbing to just over 5 percent in 2010," the news source added.

With corporations hiring more accountants, it's equally crucial they upgrade their internal audit software, as it will help their larger workforce perform their jobs more efficiently.

However, as CreditUnionTimes suggests, quality of risk assessment is a crucial component. Inadequate procedures could prevent an organization from crafting an effective security and technology strategy, leading to potential losses.

"Overall risk to the organization/entity is the sum of all of the risks described in their risk catalog which represents the portfolio of relevant risks. Following this process can help your organization to build appropriate controls," the news source notes.

Organizations should develop a threat catalog that describes applicable risks and then determine the relevance as well as each impact a threat could have. Any vulnerabilities and inherent risks should be addressed in advance as well.

A disciplined approach will help companies discover risk indicators in advance, enabling them to avoid any potential threats before they become a serious problem.

Such a change could dramatically impact the relationship between external and internal auditors, how external auditors collaborate with internal auditors to maximize efficiency and how audits are generally planned and performed, the IIA argues. IIA president and CEO Richard F. Chambers also cited research conducted by the group, which suggested most auditors disagree with the proposal.

"It's not clear whether mandatory audit firm rotation will enhance auditor independence, objectivity and professional skepticism when considering the cost/benefit trade-offs," he explained.

Other disadvantages of a mandatory rotation include increased costs to the company, loss of knowledge during the transition and erosion of overall audit quality.

Despite what changes may happen regarding external audit firms, corporations should continue to use updated internal audit software to produce the most accurate reports.

The CVB board stopped its audit early on Monday evening as not all members had copies of the report. Audits for fiscal years 2009 and 2010 are now complete, while the 2011 report is still in progress. So far, Treasurer Bart Wise has discovered $19,700 in undocumented expenses – $14,000 of which had no receipts and another $5,700 which had no receipts or explanation of expenditures.

The majority of expenses came from previous executive director James Tsismanakis, who used funds for credit card purchases. Wise has implemented changes to prevent this from happening again in the future, explaining expenditures are now paid primarily with checks.

The Columbus, Mississippi Dispatch notes the board discussion was ripe with animosity between the various members, who were upset with the missing money.

Internal audit software, when used often, can help avoid situations such as these, enabling companies to find misappropriated funds before they can build up.

Richard Chambers, the president and CEO of the IIA and a member of several other accounting groups, admits that sometimes audits should be made public. For example, government auditors are necessary to maintain public trust in federal institutions.

However, when audits become public, it puts increased pressure on the corporation being inspected. Chambers recounts several occasions when he was asked not to look at specific areas because the company in question knew there were several problems but didn't want them appearing on public record.

"I recognize that internal auditors are often champions for transparency, but I believe that if our reports were distributed widely to stockholders, the press and other outside parties, over time our relationships with management might erode and our ability to add value would diminish," he explained.

This highlights both the importance of external and internal audits. To keep track of such deficiencies, it's crucial that companies use internal audit software.

BCG surveyed a number of advisers from big-name financial institutions in response to an SEC study that looked at three options for improving investment advisor examinations. One of the suggested proposals was the establishment of a self-regulatory organization that would examine all SEC-registered investment advisers.

"Among its key findings, Boston Consulting concluded that funding an enhanced SEC oversight program would cost $240 million to $270 million a year, while a FINRA SRO would cost $550 million to $610 million, and an entirely new SRO would cost $610 million to $670 million per year," Financial Planning reports, citing the BCG research.

Protecting investors has traditionally been a key goal of financial advisers, and the SEC proposal would further see that objective is carried out.

The deposit theft was the most egregious of the findings. Two employees at Kiroli Park were forging fake receipts and cashing checks for lodge rentals for themselves. Nearly $60,000 was taken from customers who were looking to rent the lodge or other picnic areas around the park.

"This had been ongoing for a period of time longer than the fiscal year ending June, 30, 2011," the news source states, quoting the report. The employees were terminated and arrested for felony theft in January 2011.

The report also noted deficiencies involving the handling of cash from customers at locations outside of town, such as the local recreation center and the convention center.

Better internal audit software may have helped the state department find the employees stealing the $60,000 much quicker instead of taking nearly a year. Given the rocky economy, finding these deficiencies in advance can be crucial for corporations.

Take, for example, Raymond James Financial – the firm had a client running a Ponzi scheme. After the situation was discovered and the client was brought to court, advisers from the firm faced fines for not reporting the instance and public rebuke.

Traditionally, financial advisers weren't always called upon to uncover fraudulent activities – sanctions were infrequently levied against the financial firms behind the offender. However, the passing of the USA Patriot Act, Bank Secrecy Act and other regulations has placed a greater emphasis on watchdog duties over the past two years.

"This is part of the maturing of anti-money laundering regulation," added Aaron Fox, managing director of IPSA International.

GRC software can help advisers better identify potentially fraudulent activities, enabling them to avoid any legal or brand repercussions.

According to the source, it may be a mistake to ignore KRIs and the outcomes of these processes. Current models produce a value-at-risk figure that doesn't bear much connection to the companies it is supposed to be applicable to. They just know to avoid having large losses that could affect that number.

"This is different to market and credit risk models. In market risk, for example, if an exposure to a particular instrument or market is deemed higher than management wants it to be, traders will hedge the position away or simply reduce it by selling assets," the news source suggests.

When developing a risk identification policy, it's crucial to consider a variety of factors. The most effective way to manage risk is by knowing how these different elements may affect the bottom line.

The Hollywood company was in the process of preparing for its upcoming initial public offering when recently appointed CEO Paul Byles suggested getting an audit from a third-party company, Squar, Milner, Peterson, Miranda & Williamson. Byles had worked with the firm before and opted to go with it instead of a local auditor because of his past experience.

However, Square Milner came to the conclusion that Hollywood Studios International had been mismanaged over the past two years, with several bookkeeping procedures drawing red flags from the firm. As a result, Byles pulled out from the company and withheld his future investments until the mismanagement issues were addressed.

After hearing the results, Hollywood Studios International claims it was set-up, and the audit was done improperly. If Hollywood Studios International had used internal audit software for risk identification, the whole situation may have been nipped in the bud.

Internal audit budgets and resources allocated to conducting them are beginning to stabilize after years of fighting for resources to accurate monitor processes and procedures, GovInfoSecurity notes. In 2012, many internal audit organizations will also be able to staff up for the first time in several years.

With more budget devoted to audits, the report suggests that strategic risks will be the new critical priority.

"Studies show that strategic risks present the greatest threats to shareholder value, an area that internal auditors frequently overlook," the news source explains. "Only 57 percent include strategic risk assessments in their annual risk assessment."

Additionally, more than half of internal audit groups said risk identification will see renewed attention. Perhaps with greater budgets, these departments should upgrade their internal audit software to better evaluate their corporations.

Auxiliary services include vending machines, copy and print services, culinary and hospital facilities as well as parking and transportation. KSU vice president of operations Dr. Randy Hinds took his position at the end of 2010 and asked for an audit to be conducted due to what he perceived to be as "loose protocols."

"The University’s K-Cash program allows KSU faculty, staff and students to access nine terminal locations throughout the campus where they can deposit money into machines to create fund balances on their KSU ID cards," the report states. "Eight machines accept cash only, and one machine accepts both cash and credit card deposits."

Internal audit software can help companies determine where they are losing revenue, which is especially crucial considering the turbulent economic situation.

Debbie Fletcher, a principal at Deloitte, explains that federal leaders have traditionally faced and managed risks. These challenges have become more complex and frequent as of late, however, and the future is less predictable. In response, they need risk management strategies that are more suitable to the economic climate.

"Leaders will want a more thoughtful and systematic approach of risk and how these risks could impact accomplishing critical mission objectives. Agencies and programs that can more clearly connect their budget requests with risk will do better as they face these looming budget cuts," she added.

According to a recent survey from JP Morgan, treasurers are growing less risk-adverse. They want to generate revenues, and they are willing to do more to achieve this goal, highlighting the need for better risk management. 

The audit analyzed the school year that ended June 30, with auditing firm Yeo & Yeo finding eight cases of material weakness. After observing the report, the school district says it agrees with the findings. Now, it plans to fix all the instances except one. This is the first time the school district was notified for improper accounting practices, says superintendent Linda Thompson.

"Some of these practices we did not realize were not good practices," Thompson told the news source, explaining that she was just following the procedures put in place by those who served before her. "That was practice long before me … You follow what the people before you did."

David Martell, executive director of Michigan School Business Officials, notes that eight material weaknesses in one audit is a surprisingly large discrepancy.

Many Michigan schools are finding ways to cut expenses where possible, and the newly-discovered deficits certainly won't help the district. This further highlights the importance of internal audit software.

Users get frustrated at having to look through all sorts of features and information that don’t apply to the task in hand. Some people, particularly infrequent users, can feel like they are being forced to play some cruel game of Where’s Waldo? when they look at an unfamiliar and cluttered interface.

In GRC Cloud we have worked hard to minimize this issue by making each field configurable for any user role, setting it as editable, read only or hiding it completely from view. In our new Workflow concept we have gone one step further.

In Workflow, a user may work on an item in more than one step – or state – of a workflow. In each state he or she may be required to complete different information and read different information that has been provided. In fact they may be required to attach evidence in the form of an external file in one state, but need to be prevented from doing so in another.

GRC Cloud’s Workflow Builder enables you to manage not only what a user can see or change, but when the user can see or change it. This enables your users to complete their work more quickly, as they do not have to search for the relevant information and wonder whether they are doing the right work at the right point of the business process.

For administrators, by simplifying the interface not only do you have happier users (and thus more buy-in to the program), you can also train people more quickly on what they need to do and when and you get fewer questions from people once they start their work.

We believe that workflow is all about providing the right information to the right people at the right time. The easier it is for people to work in your GRC program, the more enthusiastically it is adopted and the better input you will receive

This begs some questions.

• If you could expand the reach of your governance, risk or compliance program without increasing your training budget or administrative workload, would you do so?
• Could you ask people to assess more risks or evaluate more controls if they could do the work more quickly?
• Would you invite more people to participate if you knew your process and software design was intuitive and those additional people would provide valuable insights?
• Wouldn’t this make your company a more effective GRC organization?

Users get frustrated at having to look through all sorts of features and information that don’t apply to the task in hand. Some people, particularly infrequent users, can feel like they are being forced to play some cruel game of Where’s Waldo? when they look at an unfamiliar and cluttered interface.

In GRC Cloud we have worked hard to minimize this issue by making each field configurable for any user role, setting it as editable, read only or hiding it completely from view. In our new Workflow concept we have gone one step further.

In Workflow, a user may work on an item in more than one step – or state – of a workflow. In each state he or she may be required to complete different information and read different information that has been provided. In fact they may be required to attach evidence in the form of an external file in one state, but need to be prevented from doing so in another.

GRC Cloud’s Workflow Builder enables you to manage not only what a user can see or change, but when the user can see or change it. This enables your users to complete their work more quickly, as they do not have to search for the relevant information and wonder whether they are doing the right work at the right point of the business process.

For administrators, by simplifying the interface not only do you have happier users (and thus more buy-in to the program), you can also train people more quickly on what they need to do and when and you get fewer questions from people once they start their work.

We believe that workflow is all about providing the right information to the right people at the right time. The easier it is for people to work in your GRC program, the more enthusiastically it is adopted and the better input you will receive
This begs some questions.

• If you could expand the reach of your governance, risk or compliance program without increasing your training budget or administrative workload, would you do so?
• Could you ask people to assess more risks or evaluate more controls if they could do the work more quickly?
• Would you invite more people to participate if you knew your process and software design was intuitive and those additional people would provide valuable insights?
• Wouldn’t this make your company a more effective GRC organization?

By the way, the new workflow capability is introduced in GRC Cloud 6 which is being launched in January.

"Risk can never be entirely eliminated, but using risk assessments as part of an enterprise-wide risk management strategy will help credit unions continue to provide meaningful products and services to members while including necessary safeguards to protect the credit union," Davidson said at the CUES Directors Conference, the Credit Union Times reports.

The growing number of regulatory requirements – such as the Federal Financial Institutions Examination Council's new online authentication guidance – are increasingly making everyday operations at credit unions more complex. Better risk assessment processes will go a long way to ensuring companies aren't putting their earnings in danger.

As both entrepreneurs and consumers grow tired of new fees levied by traditional financial institutions, credit unions are becoming more popular and are increasingly managing more money. A number of credit unions saw an influx of tens of thousands of members in October after several banks launched debit card usage fees.

Given the growing importance of risk management, it's crucial that companies conduct effective risk assessments and have the right tools to do so.

According to a JP Morgan survey of 487 treasurers worldwide, risk appetite has continued to grow. This is despite the growing European economic crisis and the soft recovery of the U.S. economy.

Although surplus cash levels are at historic highs and still growing, the desire for return on investment is increasing even faster. Return on investment is now the key indicator of financial success, respondents said, up 48 percent in 2010 to 64 percent this year.

"At the same time, risk management is now the third most important issue for treasurers, moving up from fifth in 2010," the news source notes. "When selecting a primary bank, treasurers are now more focused on the financial strength of an institution rather than the importance of relationship management – down from 62 percent in 2010 to 50 percent this year."

When corporations are striving to achieve ROI so heartily, risk assessment software may help them avoid any potentially disastrous scenarios. 

The Tax Administration recently reviewed whether IRS examiners were following the guidelines they were supposed to as they reviewed the tax returns belonging to small-time corporations that owned less than $10 million in assets, Accounting Today reports. As the news source notes, these organizations typically have shareholders that are very involved with management of day-to-day transactions, which could lead to improperly organized financial operations.

"However, when TIGTA reviewed a nonstatistical sample of 51 closed corporate audits, it found potential quality concerns in 19 of them," Accounting Today added. "For example, IRS examiners did not always document the steps taken to investigate significant differences between the labor costs deducted in the corporate return and the amounts reflected on employment tax returns filed with the IRS."

If the IRS intends to become stricter with its auditing procedures, small corporations should consider integrating internal audit software to avoid costly run-ins with the agency.

Structural shifts in supply and demand are expected to keep commodity prices unpredictable. Short- and long-term commodity risk management strategies are seen as being the key to riding out the volatile price market.

"Companies need to set up a formal commodity risk management program," says report co-author and partner at Oliver Wyman's Global Risk & Trading consulting practice Alex Wittenberg. "The impact of volatile commodity prices can no longer be managed within a single function as a cost or procurement issue if companies are to respond successfully to these long-term trends."

Given the rocky economy, proper risk management has become especially important – one wrong step could have a detrimental impact on businesses. By leveraging risk and compliance software, companies can establish programs that will help them avoid these scenarios.

Please join us for an informative webinar presentation to help you prepare, set, and use Risk Tolerances in your Credit Union. Our speakers will overview guidance from the DICO web site (posted in September 2011), and will provide examples on how Risk Tolerances work, and how to use them.

Click here to register now.

Webinar Details

Presenter Information

Click here to Register

Vote with PC, MAC, iPhone, iPad and Blackberry

Grant Thornton LLP and Directors Global™ would like to invite you to an exclusive presentation on Wednesday, November 16, 2011 on the topic of Enterprise Risk Management. Register now!

Setting and using corporate risk tolerance—engaging your board and executive team is the first in a series designed to provide executives and directors with the necessary tools to implement best practice risk strategies. The series will also provide solutions on how to mitigate corporate risks and offer insights into improving board governance practices.

Registration is complimentary but space is limited. To register and for more information, please visit our event page.

The following positions are effective immediately:

• Malissa Lundgren, VP, Product, GRC Cloud
• Joe Crampton, VP, Product, Ballot & Survey
• David Pinder, VP, Services and Support

BPS Resolver, a leading GRC solution provider, is reorganizing to better fulfill the demands of current and future customers. A key element of this strategy is the appointment of “product owners” who are mandated to drive product strategy and execution across sales, development, professional services and support. With full management of each product line’s P&L, they will lead cross functional teams that manage the product roadmap, support sales and delivery and coordinate effort across company departments.

Steve Taylor said of these appointments “We have been considering for some time how to better meet changing customer needs and a dynamic business environment. Under this structure we will unleash the entrepreneurial spirit of these highly motivated individuals and give them the tools and resources they need to deliver the features and benefits demanded by our customers, while identifying new markets that will continue to propel BPS Resolver’s business.”

Malissa Lundgren joined Resolver Inc. in 2004 and has held a number of diverse positions and taken on growing responsibility during her career with the company. These roles have included marketing, product management and most recently, Director of Solutions Consulting. In this role Malissa lead professional services and was instrumental in building out a department that designs and implements tailored solutions for customers. Prior to her BPS Resolver career, Malissa co-founded a company focused in mobile workforce solutions.

Joe Crampton joined Resolver Inc in 2006 and quickly demonstrated an ability to help clients achieve project objectives and to innovate alternative benefits of the company’s products. Joe was promoted to Senior Solution Manager where he managed large software implementations across North America and around the world. Following the merger of Resolver and BPS, Joe was appointed Director of Product Research and Marketing working closely with analysts, customers and management to help set product strategy and determine market opportunities while also acting as internal product evangelist. Joe has an honours degree in Human Computer Interaction, a combination of psychology and computer science, and continuously applies that perspective to the design and development of BPS Resolver’s software solutions.

David Pinder leads the professional services group at BPS Resolver, which provides training, custom development and implementation support. Dave has a wealth of experience managing enterprise level software implementations for large financial institutions, having worked on multi-million dollar, multi-year rollouts of solutions in both the compliance and audit universes, leading talented development and services teams. Dave joined BPS Inc. in 2004 and, as Director of Solution Delivery, has been responsible for the entire project life cycle, from gathering and documenting initial requirements and timeframes through delivering the final solution and obtaining client signoff and acceptance.

Dave’s mandate is now being extended to encompass ownership of the GRC Enterprise product line.

The company is currently finalizing transition plans to ensure smooth handover to other members of the BPS Resolver team where required. The new positions report to James Patterson, Chief Operating Officer.

About BPS Resolver:

BPS Resolver products are purchased by companies that have material exposure to failures in legislative compliance, shareholder assurance and long term sustainability. BPS Resolver makes it simple for companies to effectively mobilize their people to address issues proactively and to demonstrate and document these efforts to third parties. BPS Resolver adds value by replacing informal, unreliable, expensive or inflexible systems with easy to adopt and easy to use solutions. We proudly support over 300 companies in over 100 countries, with an approach that achieves the objectives of hundreds of risk management, audit and compliance groups, involving thousands of users. BPS Resolver applications were included in Gartner Inc.’s 2010 and 2011 Magic Quadrant for Enterprise GRC Platforms.

Contact:

For more information, please contact Steve Taylor, CEO at steve.taylor@bpsresolver.com or 416-622-2299.

Effective immediately, James Patterson is promoted to the role of Chief Operating Officer. In this position James will take on overall responsibility for the business’ operations with the heads of sales, client services, finance, product management and technology reporting to him.

Mike Wertman has been promoted to Chief Technical Officer, the position previously held by James. In his new role, Mike is responsible for technical strategy, software development, quality assurance, technical support, hosted infrastructure management and internal IT.

James Patterson has over 15 years experience developing advanced enterprise web applications and managing businesses. James’ career has included technology leadership roles across a variety of industries including oil and gas and hospitality. After several years with Accenture working in projects in Canada, the US and the UK, James exhibited his entrepreneurial spirit, co-founding a web retail business that he eventually sold to his partner. James joined Resolver Inc. in early 2004 and has held many development and technology related positions and increasing corporate management responsibility before formally transitioning into the new role. James holds a Bachelor of Commerce degree with an Information Systems major from McGill University.

Mike Wertman has more than ten years of experience developing and architecting enterprise software. Mike joined BPS as a senior software developer in 2004. He has held multiple development and technology related positions spanning all of BPS Resolver’s GRC product portfolio. Most recently, Mike has been serving as Chief Architect with a technical mandate across the product lines. Mike holds a Bachelor of Science degree in Computing and Information Sciences from the University Guelph.

Steve Taylor, CEO, continues in his role architecting corporate strategy and strategic relationships. Steve Taylor said of the appointments: “This is an exciting time for BPS Resolver. James has been continually expanding his responsibility within our company and has impressed me—and the board—with his business insight and drive to take the company to the next level. Meanwhile Mike has a track record of technical innovation and process improvement that will enable our development operation to meet the challenges ahead in this competitive arena.”

About BPS Resolver:

BPS Resolver products are purchased by companies that have material exposure to failures in legislative compliance, shareholder assurance and long term sustainability. BPS Resolver makes it simple for companies to effectively mobilize their people to address issues proactively and to demonstrate and document these efforts to third parties. BPS Resolver adds value by replacing informal, unreliable, expensive or inflexible systems with easy to adopt and easy to use solutions. We proudly support over 300 top brand companies in over 100 countries, with an approach that achieves the objectives of hundreds of risk management, audit and compliance groups, involving thousands of users. BPS Resolver applications were included in Gartner Inc.’s 2010 and 2011 Magic Quadrant for Enterprise GRC Platforms.

Contact: For more information, please contact Steve Taylor, CEO at steve.taylor@bpsresolver.com or 416-622-2299.

Bangor Hydro will document regulatory requirements and its associated procedures in GRC Cloud and use the software to track any necessary compliance activities.

Bangor Hydro reviewed several vendors before purchasing and recognized BPS Resolver’s deep experience in NERC compliance from working with utilities across the United States and Canada. Bangor Hydro will be supported by BPS Resolver’s solutions consulting team in implementing the software and structuring all the compliance information in a manner specifically suited to their needs.

Bangor Hydro will use GRC Cloud on its Software-as-a-Service (SaaS) platform where BPS Resolver and its hosting partner maintain the application, databases and servers, apply upgrades and ensure maximum uptime.

Air Canada, Canada’s largest airline, has recently adopted GRC Cloud from BPS Resolver as its repository and reporting software for internal controls over financial reporting.

Although National Instrument 52-109 (the Canadian equivalent of Sarbanes-Oxley section 404) has been in effect for several years, many companies are still seeking the most efficient way to carry out their annual assessments and the most effective way to surface issues and implement improvements to their financial reporting controls.

Air Canada recently adopted GRC Cloud to consolidate and streamline their approach to managing internal controls and to provide a consolidated view of processes, risks, and controls to the organization.

BPS Resolver Inc, leading Canadian provider of ERM software solutions and Directors Global, experienced ERM consultants have collaborated to provide Ontario Class 2 credit unions with an efficient and cost effective approach to meeting DICO’s Enterprise Risk Management (ERM) requirements.

This high quality but low cost solution enables Credit Unions to self-develop, implement, and self-manage their ERM programs. Directors Global consultants will guide participating credit unions through a specifically designed process, based on our in deep understanding of DICO’s objectives and documentation. Credit union staff will record all necessary information and carry out their work on BPS Resolver’s easy to use and secure web-based risk management application, GRC Cloud, avoiding inefficient and unsecure spreadsheet approaches.

This package of expertise, workshops and software will enable any credit union to manage risk more effectively and meet DICO’s requirements efficiently in an affordable package. In addition, participation in the program enables credit unions to share their knowledge and experience with each other by working in a common approach and a common platform.

For further information please check out Enterprise Risk Management for Ontario Credit Unions or view our ERM for Ontario Credit Unions Webinar.

So why is it so effective?

At its simplest, BPS Resolver Ballot is voting software. (Think in terms of the Ask the Audience lifeline in Who Wants to be a Millionaire.) Risk managers ask a group of managers to rate the likelihood and impact of potential risks on a sliding scale using keypads.

As part of our product research, from time to time I sit in on customer risk workshops and training sessions. I once attended a risk assessment technique training session at one of the major risk management professional services firms. The program was for new consultants and was given by a long time user and advocate of Ballot at that firm. As he knew I was in the room I think he was being tongue in cheek when he told the new recruits that the risk assessment software had nothing to do with making risk assessment workshops effective. But he did have a serious point.

If you only want to gather opinions from a group, Ballot is certainly an efficient way to capture information quickly and an interactive and engaging approach for participants. But just because it is quick and fun, does not mean that you get better answers. BPS Resolver Ballot is truly effective when it is used to reach conclusions based on a collaborative, consensus-building process. If you are just using it to collect votes you are missing out on this powerful methodology.

Here is how the approach works. The first thing to understand is that the voting is anonymous. Therefore people give their views on likelihood or impact of a risk without concern they are going to be identified and directly criticized by a dominant personality or a more senior manager in the group.

So far, so good, as all views are represented in the voting. But if you just accept the majority vote and move on, you still have nothing more than an efficient system. Voting results are now used to kick-start a discussion. The facilitator uses the spread analysis (see the screen image of the voting results) to see if there are marked differences of opinion represented in the voting and, if so, starts probing the participants. As the votes were anonymous, she has to seek out a volunteer to represent one of the points of view and explain how their experience led to that view. She then seeks out someone to represent the opposing viewpoint. However, during this discussion she gives everyone in the room an opportunity to chip in and build on opinions expressed. As a result, people often hear a new take on a subject from people with different experience from their own.

OK, so how does the anonymity of the voting translate into a truly open discussion that avoids the risk of strong personalities or senior individuals dominating the discussion? Well, as all participants have seen the votes, they know that there is range of opinions in the room. A person who holds a less popular viewpoint will typically see that he or she is not the only one to do so and therefore is emboldened to share that view, knowing someone in the room will back them up. However, sometimes there is only one “outlier” who may not feel comfortable expressing that view and so the facilitator uses techniques to get other people to be “devil’s advocate” and represent those views. I won’t get into the details of these techniques here, but the end result is typically a healthy banter, that enables all participants, including the senior voices and strong personalities to hear differing points of view. This airing of diverse opinions and perspectives must take place to avoid “Groupthink”.

When the subject has been more fully discussed, the facilitator puts the question to a re-vote and typically one of two things happen. Either the re-vote doesn’t change the overall result but provides a lot more consensus, or the original minority view has persuaded the other participants to reconsider their views on the issue.

Either of these outcomes is valuable. Obviously if discussion and consideration have led the team to come to a conclusion they would have otherwise not made this is hugely valuable, preventing the company from making potentially expensive mistakes in under-controlling or over-controlling a risk. However, there is also value in achieving greater consensus. After the workshop has finished there may be mitigations to be put in place. These are more likely to be effectively resourced, prioritized and acted upon when all the people responsible feel they were part of the decision-making process that identified the actions to be done. At a minimum, participants leave the room with a representative understanding of the varying perspectives in the company, an effect which does not occur when the most senior or loudest voices in the room dictate the discussion’s tone.

So BPS Resolver Ballot risk assessment softwareimproves the efficiency of a workshop for sure, but better risk management decisions emerge when the technology is combined with training in the methodology and skills to bring ideas and opinions out of people. Together they are the cornerstone of probably the most effective way to assess business risks.

In response to the findings, Steve Taylor, CEO of BPS Resolver said “we live in an increasingly collaborative world where more stakeholders are involved, which makes decisions more difficult. Consensus-based cultures need to adopt tools and best practices to ensure they get the benefits of collaboration, but without getting bogged down by the process”. Phil Obendorf, EVP of Sales added “The survey results reflect our own experience running hundreds of assessment workshops for customers, which is that BPS Resolver Ballot lets you make better decisions in less time that you thought possible and in a process that participants enjoy!”

BPS Resolver Ballot is a voting application in which workshop participants use keypads to vote on questions and then review the results in order to stimulate discussion and make better decisions. The anonymous voting approach encourages candor, counterbalancing the influences of strong personalities in the meeting room. Facilitators use a variety of approaches to bring out the reasoning behind all sides of a debate, before putting the issue back to voting again. The end result is a set of decisions that have undergone more rigor, are of better quality and have greater buy-in by the group and therefore an increased opportunity to be successfully acted upon.

About BPS Resolver

BPS Resolver’s solutions make it simple for companies to proactively identify and address governance, risk and compliance (GRC) issues and to demonstrate these efforts to third parties. BPS Resolver adds value by replacing informal, unreliable, expensive or inflexible systems with easy to adopt and easy to use solutions. Over the past 12 years we have supported 500 companies in over 100 countries in achieving the objectives of hundreds of risk management, audit and compliance groups, involving thousands of users. BPS Resolver applications are included in Gartner Inc.’s Magic Quadrant for Enterprise GRC Platforms.

For further information

Phil Obendorf Executive VP,
Sales, BPS Resolver Inc.
+1 (416) 622-2299 ext 435
phil.obendorf@bpsresolver.com

Our product team recently ran a customer satisfaction survey on Resolver*Ballot, our decision support software.  While we have always been proud of this software, we were frankly a bit blown away by the results. Here are some key findings:

Does Resolver Ballot help your company make decisions more quickly?

-          An astounding 83% agreed and only 3% disagreed.

Does Resolver Ballot help your company make better decisions?

-          73% said they agreed! Only 1% disagreed.

So at the intersection of these two questions our customers are saying that our software helps them make better decisions and make them more quickly.

Today we live in increasingly collaborative world where more stakeholders are involved and which makes decisions more difficult.  Consensus-based cultures need to adopt tools and best practices to ensure they get the benefits of collaboration, without getting bogged down by this same process.

Resolver Ballot, according to our partners and customers, is clearly an important piece of this puzzle!

Some of the other folks here at BPS Resolver will blog more on the results in the coming days.

Behavior of Completion Reminders on sub-types is now configurable.

Completion reminders set on item sub-types can now be configured to generate reminders either when only that sub-type’s criteria remain uncompleted or when both the sub-type and the main type criteria are incomplete. The Administrator can use the new option while creating the completion reminder schedule.

New Color Picker used in Item Designer

The color picker used to set the display colors in criteria choices has been upgraded. The new pop-up picker features the same 216 “classic” web palette colors that were previously available or the option of chooisng any of 16,000,000 colors. The expanded palette can be selected by hexadecimal code, RGB values or HSB values. This ability to define colors will not only give administartors more choice, but also make it easier to keep color shades consisent across their site.

Say what?

By posing a series of logical questions to a group, Resolver*Ballot creates a visual depiction of patterns of influence that show how one risk event increases the likelihood or impact of another. This picture is generated in real-time in a risk workshop, and can be done together with—or independently  from—the anonymous assessment.  The result is a map of interconnected risks with ratings of the impact on the organization.

Wow!

Here’s an example. The screen image below shows the impact that a new acquisition may have on an organization.  As a risk manager, you may or may not have visibility on M&A activity, but this visual representation helps us understand the sequence of risks that are more likely to come about if that event occurs.

Studies in psychology indicate that people are naturally good at seeing one or two levels of influence, but how many of us would look at an acquisition and immediately think of inadequate IT security (#4) and the increased probability of IP theft (#9)?

Now take the same picture and simply overlay the impact vote from a regular risk assessment workshop and you get something even cooler.

From the color coding (green is low impact, yellow is medium and red is high), you can see that according to the group’s votes, the acquisition risk (#7) is ranked as a medium impact risk. But seeing the risks in this view, it prompts us at least to reconsider #7 as a high impact risk, since it leads to an increase in probability for many other risks including, in this case, a high impact risk (#9). (F0r the same reason, risks #4 and #5 should also be considered for upgrading to high impact.

With this information in hand, a good risk manager who goes through an acquisition simply opens up their model and examines the types of risks that fall out from an acquisition. In this scenario some diligent work in the IT department to beef up the two new joined networks has the potential of stopping the flow of increasing likelihood between the risks.

I think this is pretty cool but I’d love to hear your thoughts…

Before you start

• Determine what type of results you want out to get out of the session—rankings, discussions, ideas, response plans…
• Figure out who should be involved – make sure you have representation from all key stakeholder groups
• Determine what format works for you – interviews, online surveys, workshops…

Effective Risk Assessment Workshops

• Book a reasonable amount of time to cover the topics
• Determine assessment scales that everyone will understand and get agreement from the two most senior people in the room.  Make sure they have both qualitative and quantitative components and do not focus exclusively on financial risk.
• Agree on a language for your risks that will reduce confusion. (e.g. don’t put the word “or” in your risks)

• Ensure you get viewpoints from everyone
• Use an effective technique for anonymous voting (i.e. Resolver*Ballot)
• Have a “scribe” – one person dedicated to writing everything down. (Not you, and not one of the participants.)

Sample 90-Minute Agenda (30 Risks)

1. Ensure that everyone understands the scales
2. Inform people that votes will be completely anonymous and that they should be open and honest
3. Describe your agenda and emphasize the importance of getting through the votes quickly

1. Voting should be done quickly and silently to avoid “overtalking” each risk. There will be plenty of time for discussion later in the workshop.

Resolver*Ballot Feature: Anonymous voting is done through wireless keypads and should only take about 30 seconds per risk per criteria with our software – compare that to sticky notes or ballot boxes.

1. If you want to avoid pointless academic discussions vote on Residual Risk  only. Inherent Risk is only really only relevant to auditors, will double the time of the session and will add minimal value
2. If necessary, make sure that senior managers do not try to influence the vote with their comments

Resolver*Ballot Feature: You just click on the “Spreads” button and Resolver*Ballot will show you the standard deviation of the anonymous votes.

1. Get your scribe ready to write.
2. Examine the wording of the risk. It’s possible people have interpreted the risk in different ways
3. If not, prompt discussion by asking people to volunteer why they or someone else voted either high or low.  (Remember the voting in Resolver*Ballot is anonymous so don’t corner someone and force them to tell you what they voted. If you didn’t use our software then this will be much more difficult.)
4. The discussion that emerges here is fantastic. When people have extremely different opinions this may be as a result of experience, personal exposure, education or many other factors. These viewpoints will improve the accuracy of your assessment immensely and are not possible without anonymous voting!
5. On occasion you will uncover a view point that a person has because of something they know that is personal (e.g. a career change). Make sure you respect people’s privacy and manage the conversation carefully.
6. Once you have discussed, if it sounds like people have changed their opinions then re-vote and see if the result has changed.

Another shameless Resolver*Ballot plug! If you don’t use anonymous voting the entire category (areas of low consensus) tends to disappear off the radar. The loudest voice or the most senior person will influence the room and the note taker into recording their position. Our software eliminates those problems and ensures that you will capture the different opinions resulting in a better product.

1. Start with the high impact and high likelihood risks

Resolver*Ballot Feature:Look at the auto generated Heatmap and zoom in on the values you are interested in (e.g top right of the Heatmap).

1. Get the discussion started on what risks are above appetite, and what that would actually be like for the project/company
2. Get ideas about what you could do to control them, and document actions.
3. Make sure your scribe is writing everything down.
4. If you have time, also look at the high impact and low likelihood risks, the company killers that should “never” happen.  Try to determine which other risks increase the probability of that risk occurring.

• Share the results and the corresponding actions with participants; this will dramatically improve the process the next time around.
  • Resolver*Ballot Feature: Easily exports to PowerPoint and Excel documents to share with others.
• Keep the voting results and use them next time to plot change over time. If you are doing a routine assessment (e.g. every quarter) which risks are changing? Which risks are increasing?  Which actions did not get executed on?
  • Resolver*Ballot Feature: Merge multiple files and plot them on a single Heatmap to understand change

The OCEG framework is broken down into several practices and in the table below we have mapped the OCEG GRC elements against key features and functionality in the BPS Resolver GRC Suite.

For more information on  GRC Suite’s capabilities please contact our account team or call 1-888-891-5500 or +1 416-622-2299.

Two colleagues of mine, Tim and Lauren Leech have recently submitted to Congress a thought provoking paper advocating a re-write of Sarbanes-Oxley.  While the proposal suggests only a minor edit to the Act, the implications are significant, far-reaching and would represent a tremendous improvement to an Act that has generated considerable controversy.

Essentially Leech & Leech have put forth the idea that Sarbanes-Oxley becomes primarily risk-based in its approach, vs. the current focus at the control level. Their argument (at least part of it) is that without the right attention to – and understanding of – the risk environment, the work done at the control level is often wasteful and not focused on areas that represent a true potential source of unreliable financial reporting.  A risk based approach, according to the authors will help “allocate resources to the most statistically probable root causes that account for the majority of materially wrong financial statements.”

When reviewing potential software applications it is vital to view them from the perspective of all your types of users. Some buyers fall into the trap of purchasing the tool that best meets the needs of the “owners” of the GRC program, without considering what is most important to the regular – and irregular users – of the tool.

At BPS Resolver, we tend to think in terms of three types: Administrators, Heavy Users and Light Users. Although the definition of heavy and light users varies with how the software is used and the company that is using it, Each of these groups has very different usage patterns, needs and preferences.

The Administrators, who build frameworks, manage permissions, design reports and such, are often daily users who know features and functionality in detail. At the opposite end of the scale are the light users, who access the software quarterly or annually, and frankly forget a lot of what they know between these regular cycles.

As there are typically more light users than administrators, an intuitive interface and an ability to get to their tasks quickly and easily (i.e. very few clicks from the home page) is vital to assure their ongoing use of the system.  Our experience also shows that easy access to immediate reporting (pre-built or ad hoc) and the ability to click through those reports to underlying information is valuable to many types of user.

When we configure sites for customers we spend a lot of time thinking through making the site as intuitive as possible to use. Techniques include:

• Custom roles and permissions, so that a user’s view of content is limited to what they need to read and answer and not cluttered with details that other types of user require
• Custom workflows that refine the view to show just what is needed in each stage of a process, as well as define the work item’s path through the organization.
• Corporate terminology, that ensures terms currently used by the company are reflected in the software, rather than the company have to adopt the software’s terms
• Custom icons that appear on screen and in reports that reflect the corporate terminology or any company’s “house style”.

In the world of the smartphones, people see their consumer technologies rapidly becoming much easier to use, and thus their expectations of the technology they use at work are also increasing. Although an enterprise GRC application is always going to require more of a learning curve than an iPhone app, people are not afraid to click on things any more. And when they do click on something, they expect something intuitive and useful to happen, such as drilling down from a chart to a report.

We are regularly contacted by companies whose first GRC software deployment has failed due to their people not accepting the tool provided and who now want to replace their current solution. To ensure a successful software rollout, make sure the application – and professional services team – you select provides customized, intuitive experiences for all your user types.

The previous four blogs in this series touched on some important concepts companies need to understand and manage in order ensure growth and success: Safeguarding Compliance, Seamless Collaboration, Avoiding Perfect Storms and Data Breach Remediation and Prevention.

Audit is our fifth topic in this series. Any definition of GRC is incomplete without understanding the role, value and unique attributes of audit. In particular it is important to understand that while audit needs to be considered as an integrated element of GRC, it also needs to be understood to sit alongside your GRC initiatives.

The audit function will touch every aspect of the GRC landscape as the Audit team seeks to validate, support and enhance the various activities that are underway within your enterprise.

So what is the benefit to your audit program of a shared GRC Platform? The answer lies in the data. This follows along the theme highlighted in Clark Abrahams’ Seamless Collaboration piece. The modern audit paradigm is really a collaboration with the business, not simply a review.

We have clients who have made significant strides toward lightening the burden of audit on the business. The reason they have been able to achieve this is that information on business processes, risks and controls are organized and managed in a consistent way.

The audit teams are able to access data through the GRC platform and in some cases, make determinations with almost no additional requests for information from the business. The data is there for them and they can see when an area of the business is being managed and controlled according to the policies and standards of the company, and when it is not.

In today’s regulated environment, the business is often asked for information – sometimes the same information – on an almost continuous basis. So any progress towards lightening this burden will create efficiencies and will also be greatly appreciated by the business process owners.

Some of our clients call this ‘self-audit’ and it is a significant reason why audit should be an integrated component of the overall GRC landscape.

Speaking of collaboration, this post was brought to you by:

Steve Taylor | CEO | BPS Resolver Inc.
Clark Abrahams| Chief Financial Architect |SAS Institute Inc.

It appears on both of our company’s blog spaces, so please feel free to post comments on either one of our sites — we want to hear from you!

Many customers already use GRC Cloud’s scoping framework feature to relate risks and controls to corporate financial statements or other methods for determining scope for business processes in their compliance and risk management programs. However, a number of sophisticated users are utilizing this feature as a corporate strategy framework that overlays a typical risk/control framework. This corporate strategy framework relates processes risks and controls to areas such as:

• Balanced Score Card
• Corporate Objectives
• Value Based Management
• Mission, Vision & Values
  and others

Companies can set up any number of overlaying structures to provide a multi dimensional analysis of business issues and measures.

Having built out these strategic frameworks, companies are now able to understand the impact their controls, risks, and most critically gaps have on their key corporate objectives.  Or in other words, the things the Board cares about. One this is established, a company can move into tracking how those seemingly independent compliance objectives, risks and controls change over time, and hence how they affect performance.

From a corporate performance perspective, only part of the information is contained within the GRC system. A recent integration project illustrated a capacity not just to build KRIs and KPIs in GRC Cloud, but also integrate them with other software as a service (SaaS) business applications.

Many customers define quantitative thresholds for KPIs and KRIs and use GRC Cloud’s mathematical functions to measure deviation from these objectives for their risk management and performance management programs. In a recent project we built on this capability to integrate GRC Cloud, via its open API, with Microsoft Dynamics CRM to enable tracking within GRC Cloud based on the number and severity of customer service issues entered into Microsoft Dynamics. Having created KPI/KRI items that were in turn attached to risks related to the quality of customer service in GRC Cloud, we gave users the capability to associate these factors with information such as reports from the CRM system. This provides risk and performance managers visibility into detailed data direct from their risk/performance dashboard. Although in this case we worked with a CRM system, the same integration could have been done with systems used by manufacturing departments, quality assurance, sales, customer service or any other business area.

We would be pleased to demonstrate these capabilities to any organizations who are recognize the value of integration of GRC with strategy and performance management. Please contact your Account Director or our sales team to arrange a meeting.

GRC Cloud 5.4 builds on and expands many key features in response to feedback from BPS Resolver’s customers, many of whom are leading companies in their industries. These enhancements include:

• Greater capabilities for non-Administrative users with new advanced permissions to add items and edit items within the framework from their normal working screens
• More flexibility in determining how users access and interact with reports in the home page dashboard.
• Enhanced abilities to efficiently remove or purge external documents from the application
• Capability to determine the display order of mathematical  functions and include function results in more chart types

“This release of GRC Cloud brings to fruition ideas generated both by our own product team and our customers, and allows companies to assign greater responsibility for maintenance of the GRC framework to qualified users across their organization.” said Steve Taylor, CEO,  BPS Resolver Inc.

“These customer-driven features complement some major development that is close to completion and that will significantly change the way customers manage GRC in their organization. Our new approaches will enable more users to participate in GRC activities in a very intuitive experience, while giving administrators a detailed view of the progress of their compliance, audit or risk management activities.” stated James Patterson, Chief Technology Officer, BPS Resolver Inc., adding “Customers will be able to take advantage of this new approach in Q3.”

About BPS Resolver

BPS Resolver products are purchased by companies that have material exposure to failures in legislative compliance, shareholder assurance and long term sustainability. BPS Resolver makes it simple for companies to effectively mobilize their people to address issues proactively and to demonstrate and document these efforts to third parties. BPS Resolver adds value by replacing informal, unreliable, expensive or inflexible systems with easy to adopt and easy to use solutions. We proudly support over 300 top brand companies in over 100 countries, with an approach that achieves the objectives of hundreds of risk management, audit and compliance groups, involving thousands of users. BPS Resolver applications were included in Gartner Inc.’s 2010 Magic Quadrant for Enterprise GRC Platforms.

Contact:
Phil Obendorf
Executive VP, Sales, BPS Resolver Inc.
+1 (416) 622-2299 ext 435
phil.obendorf@bpsresolver.com

Attributes for new and existing framework items can be updated from Manage by Location

To enable non-Administrator users to participate in building a framework, items may be created and all attributes may then be saved to the framework library using a new Update Framework button. In addition existing framework items may be edited and their attributes updated in the corresponding item in the library. A user’s ability to use this feature is determined by a new advanced permission.

Ability to move items between locations and to create multi parent items in Manage by Location

A Change Parent button may be used to move items in Manage by Location and therefore change the design of the framework. IN addition, the same button may be used to create multi-parent items (multis). In both case, these changes are then applied to the framework library. Access to the feature is determined by two new advanced permissions.

Enhancements to the Home Page My Reports feature.

The size of the My Reports box has been expanded to enable easy readability of longer report names. The My Reports box now appears at the top of the home page.

The action of left clicking can be set either to open a report, open the report settings, or open the information from the report in matrix assessor. This setting is made on the user’s homepage preferences tab in their profile.

Ability to remove file attachments in the Period End process

Step 4 of the Period End process has been expanded to include the ability to either remove files from items or to purge files entirely form the system.

Ordering of Functions

A new ability to set the order in which functions appear in item templates, matrix assessor and reports brings Function is line with the approach to setting the display order for attributes and evaluations.

Charting of Functions

Function results can now be included in scatter charts or heat maps

Enhanced information available in “Attached To” field

Mousing over the item names in the attached to field in the item information panel will also display the item number.

Enhancement to Role Builder display

When assigning users to roles and positions in the location framework, multi parent items and single assessment items are displayed with the appropriate icons to enable these to be identified.

Clark Abrahams, a colleague of mine at SAS, has authored an excellent Blog outlining the powerful additions SAS has made to their platform as well as the advantages of the integration with the BPS Resolver audit tool.

One of the thought provoking concepts in the piece is the idea that success in business is not only driven by what the business is trying to do, put equally by how it is trying to do it.

Measuring and managing the how is very much the business of GRC.  How refers to everything from the ethical manner in which a company conducts itself – the values of the company – right down to the monitoring of tactical controls that have been implemented to govern the company.

Plotting an effective course requires leadership to understand risk.  This is part of what makes SAS such a powerful partner for us.  Their tagline ‘The Power to Know’ is a great phrase for a company that is in the e-GRC space.  Getting access to data is critical.   This can be historic data on your company and your industry or it can be real time information delivered within seconds of a risk event or the breach of a control.  Great data allows for great decision making.

Strategy and GRC are completely intertwined.  They are two sides of the same coin.  This is why it is also significant that the SAS^® Enterprise GRC platform has been further integrated with the SAS^® Corporate Performance Management solution.

You very likely know what your business is trying to do.  The combined solutions of SAS and BPS Resolver will help you determine how to do it.

I urge you to read Clark’s Blog on the SAS website and learn more!

Steve Taylor, CEO, BPS Resolver Inc.

(c) Public Service Commission of Canada

The Public Service Commission (PSC) has been a BPS Resolver customer since 2009. The PSC’s is an independent agency reporting to the Parliament of Canada, mandated to safeguard the integrity of the public service staffing system and the political neutrality of the public service. The PSC is the first of a number of federal agencies assessing their ICFR activities using GRC Cloud.

Public sector bodies around the world use BPS Resolver software applications for risk management, compliance and audit activities because of their ease of use and the speed cost-effectiveness of deploying Software as a Service (SaaS), also known as Cloud computing.

The full report is available here.

Therefore, in the next release we intend to double the width of this box, to incorporate the longer names. It will look like this:

An issue we stumbled upon was that because this box is twice the width of all the others, it cannot remain as the last item on the page without leading to some strange spacing issues. In other words, if the last row of charts on your home page includes three pies, the My Reports box would need to wrap around to another row, leaving a “ragged” look. Therefore we are going to put the wider My Reports box at the very top of the home page going forward, starting with GRC Cloud Release 5.4.

We would be interested in your thoughts on this. Will the double width My Reports box help you, or do your report names fit fine in the current box? Does having My Reports at the top of your home page avoid you having to scroll down to reach it, or do you prefer seeing your pie charts front and centre?

By the way, we are also going to change how left clicking a report name in My Reports functions. Currently when you left-click on an item overview report, it goes straight to the report itself, whereas for summary and hierarchical report it goes to the report builder. In future, you will be able to set for your site whether the left click goes straight to the report or to the builder page and this setting will apply to all reports.

Please give us your thoughts using the form below or e-mail us anytime at productmanagement@bpsresolver.com.

The webinar was a great success and we have had many requests for the recording. It is available here: Webinar Recording

Webinar Summary:

In each organization, a host of critical IT projects, processes and services are in constant motion, and few organizations understand the ways that these activities impact the company overall and which are the most critical.

For years, organizations have spoken about linking IT to the business. While some have done this effectively, few CIOs can directly demonstrate the risk in how their behavior specifically links to the business and the CEO’s top objectives and priorities.

BPS Resolver and Encore Consulting will show how companies can use a few simple software tools to assess and link activities to the CEO’s business drivers such as: Cash Flow, Operational Efficiency, and ROI.

For more information about BPS Resolver or Encore Consulting please follow the links below:

www.bpsresolver.com

www.Encore-c.com

Click here for the article at arabnews.com.

Integration of Balanced Scorecards with Enterprise Risk Management

Login page more content rich and rebranded. Other branding elements also updated.

• The home page now features news and updates from BPS Resolver, while the username and password fields and login button have been moved to the very top of the screen.
• The new branding is apparent on the home page and continues throughout the site including the Help documentation, broweser title bars, default “from” addresses in e-mail notifications etc.

Data from previous periods available in Item Overview reports.

• Item Overview Reports can now feature data from previous periods.
• The Report Builder screen has a new interface to select either specific periods or to display a number of successive previous periods (see item below).

Previous period selection data available as number of most recent periods in addition to selected periods

• In the Data Preferences screen and the Item Overview report builder there is a new option for selecting past period data to display, based on choosing a number of the most recent previous periods to display, rather than selecting specific periods.
• The advantage of this approach is that this setting can be saved in a report or in data preferences and therefore will always display a selected number of past periods rather than requiring a user to update his or her selection after each period end.

Functions that are not calculated or invalid now displayed appropriately in pie charts. Wording for invalid results and not calculated now rationalized across application.

• Functions that have not been calculated and functions that cannot be calculated (usually due to the values used as variables in the calculation being blank, such as an unrated risk or control) are now reported consistently across GRC Cloud, including in pie charts on the home page and the Executive Dashboard.

Release Notes now available from System menu

• Release Notes now have a permanent “home” in the GRC Cloud menu system and can be found under the System menu. The Release Notes are in PDF format and contain more detailed descriptions of all these features.

GRC Cloud recently introduced a number of “logical” mathematical functions. These are tools that enable administrators to create “If/Then” type logic in items.

Terms such as CHOOSE, EQUAL, GREATERTHANOREQUAL, LESSTHANOREQUAL, IF, LOOKUP, AND, OR, NOT, NOTEQUAL, ISINVALID, SET are all new mathematical operators available when building out functions.

The purpose of many of these is not easy to explain without context, although sophisticated Excel users may be familiar with some of the terms. The Help documentation (both the pop up screens in the Function Builder and the full on-line Help) are good resources, but in this article and some future blog entries we will look at some practical applications. The results of these functions can be combined with the existing ability to assign names to function result ranges to provide plain English results.

Example 1

For our first example, let’s imagine that two managers are both required to agree that an issue can be closed, for it to be closed. Each manager is required to complete a simple Yes/No criteria. We can then create a function to show whether both managers agreed or not.

The EQUAL operator

The EQUAL operator is quite straightforward. The syntax or structure of the function is EQUAL(Arg1,Arg2). Arg1 and Arg2 (short for argument) are simply numbers in the formula or anything that evaluates to a number, such as a selection from a drop-down menu or radio button or the result of another function. The operator indicates whether the two arguments are the same (equal) or not. As this is a “logical function”, if the result is true (the arguments are equal) the result is 1. If the arguments have different values, the result is false and therefore 0.

Therefore, for the example above, the Admin could create a function as follows:

EQUAL(manager_approval_a,manager_approval_b) where the two arguments are the criteria for the two managers’ approvals.

If both managers approve the item the result will be 1. If only one manager approves it the result will be 0.

We can now use function result ranges to clearly state the result. The only possible results are 0 and 1, so we can set the result ranges as follows:

No Consensus <=  0  < Consensus

Example 2

Beyond this, you would probably want to know not just whether the managers agreed or not but whether they both agreed the issue should be closed or whether they both agreed it should remain open.

If we want to know when both managers agreed to close an issue, we have to break down the logic. Here is one approach:

We know both managers have approved when:

1. Manager A has approved
   and
2. Both managers  are in agreement

As logical functions work well with 1’s and 0’s we can utilize those values to get the results we need. In the Manager Approval A and Manager Approval B fields we will equate Yes with the value of 1 and No with the value of 0. (By default the second item on the scale would have a value of 2, but this can be changed in the Item editor.)

The IF Operator

You may be familiar with the IF function in Excel, although the one in GRC Cloud works slightly differently. The syntax or structure of the function is IF(Arg1,Arg2,Arg3). Arg1 is a number, value from a drop down or radio button criteria, or the result of a function. If Arg1 is any value other than 0, the result is Arg 2. If Arg 1 equates to 0, the result is Arg 3.

Therefore, the Administratpr could create a function as follows:

IF(consensus,manager_approval_a,0)

Where consensus is the result of the function in Example 1 and manager_approval_a is Manager A’s assessment of whether the issue can be closed or not, as explained in Example 1.

Consensus will result in either 1 or 0. If the value of Consensus is 1 it will display the value from The Manager Approval A field. If the value of Agreement is 0, it will display 0.

Therefore the possible results are:

Where Manager A and Manager B agree, the result of Consensus (Arg1) is 1 and therefore the end result of the IF function is the value generated by the Manager Approval A function (Arg2), which could be 1 or 0.

Where Manager A and Manager B disagreed, the result of the Consensus (Arg1) function is 0 and so it generates 0 (Arg3) in this function.

Once again, we use function result ranges to state the result. The only possible results are 0 and 1, so we can set the result ranges as follows:

Not Approved <=  0  < Both Managers Approved

BPS Resolver’s Solutions Consulting Group can help you solve business problems and build out these and more complex scenarios using GRC Cloud’s new logical function operators. Please do not hesitate to contact the team at 1-888-891-550 or +1-416-622-2299 and ask for Client Support or e-mail clientsupport@bpsresolver.com.

Resolver*Risk became GRC Cloud today, coinciding with the release of version 5.3 which contains a number of valuable features and enhancements.

Following the merger of Resolver Inc. and BPS Inc. at the beginning of this year, our product names are being rationalized under the banner of GRC Suite, and starting today, Resolver*Risk is now GRC Cloud. 

GRC Cloud v5.3 introduces a number of new features plus a dramatic enhancement to the login page. The new appearance is in sync with BPS Resolver’s corporate site and it also provides more ways (Product Update, News and Blog) for customers to stay up to date on product and corporate developments at BPS Resolver, plus easy access to Support contact information.

The other highlights of GRC Cloud v5.3 are:

• Ability for the first time to include past period data in Item Overview reports.
• Additional flexibility in selecting previous periods for display and reporting.
• Rationalization of reporting of results from functions and enhancements to reporting in pie charts.

For more details on what is included in this release, customers can check the Product Updates section on the login page.

Login page more content rich and rebranded. Other branding elements also updated.

• The home page now features news and updates from BPS Resolver, while the username and password fields and login button have been moved to the very top of the screen.
• The new branding is apparent on the home page and continues throughout the site including the Help documentation, broweser title bars, default “from” addresses in e-mail notifications etc.

Data from previous periods available in Item Overview reports.

• Item Overview Reports can now feature data from previous periods.
• The Report Builder screen has a new interface to select either specific periods or to display a number of successive previous periods (see item below).

Previous period selection data available as number of most recent periods in addition to selected periods

• In the Data Preferences screen and the Item Overview report builder there is a new option for selecting past period data to display, based on choosing a number of the most recent previous periods to display, rather than selecting specific periods.
• The advantage of this approach is that this setting can be saved in a report or in data preferences and therefore will always display a selected number of past periods rather than requiring a user to update his or her selection after each period end.

Functions that are not calculated or invalid now displayed appropriately in pie charts. Wording for invalid results and not calculated now rationalized across application.

• Functions that have not been calculated and functions that cannot be calculated (usually due to the values used as variables in the calculation being blank, such as an unrated risk or control) are now reported consistently across GRC Cloud, including in pie charts on the home page and the Executive Dashboard.

Release Notes now available from System menu

• Release Notes now have a permanent “home” in the GRC Cloud menu system and can be found under the System menu. The Release Notes are in PDF format and contain more detailed descriptions of all these features.

Today marks BPS Resolver’s first release of GRC Cloud, a new name and new look for Resolver*Risk, which has been a leading web-delivered governance, risk and compliance application since 2005.

Following the merger of Resolver Inc. and BPS Inc. at the beginning of this year, a lot of thinking and communication with customers and industry opinion leaders has taken place to determine how the range of software products offered by the two predecessor companies should be aligned to provide a product suite that would appeal both to companies executing on a fully developed GRC strategy, as well as companies that are currently executing specific areas of GRC.

The product line and product names are being rationalized under the banner of GRC Suite, and starting today, Resolver*Risk is now GRC Cloud.

Why GRC Cloud?

Over the years, customers asked us “Why do you call your application Resolver*Risk when we use it for SOX, NERC, IT-GRC, PCI, Bill 198, and Audit as well as Risk Management?” We listened; GRC Cloud now reflects exactly what you use it for, GRC, and how it is typically delivered, via the cloud. If you are not familiar with the term “Cloud”, it encompasses what is also known as software as a service (SaaS), where an application is hosted by the software provider and offered over the Internet. The use of the word Cloud is also significant following BPS Resolver’s migration to a new hosting provider which operates our application on a virtual infrastructure, enabling us to continue to more efficiently ramp up computing power as the number of customers increases.

GRC Cloud v5.3 introduces a number of new features but the revised look to the login page will be the first thing that most users notice. The new appearance is in sync with BPS Resolver’s corporate site and it also provides more ways (Product Update, News and Blog) to update customers on product and corporate developments at BPS Resolver, plus easy access to Support contact information. For more details on what is included in this release, please check the Product Updates section on the login page.

For details on where Resolver*Ballot, Resolver*Net and BPS Suite fit in this strategy and upcoming integration and rebranding, please see my colleague Joe Crampton’s blog entry from last month.

One of the first things users will notice is that the login area has moved to the very top of the screen.

If your site had your company logo on it before, it will still have this on the homepage, located just below the banner of the man sitting on the mountaintop.

There is a lot of frequently updated content at the bottom of the home page. The Product Updates section will list information on new releases, features and enhancements, while the blog will contain articles relating to GRC in general plus BPS Resolver related items of general interest. Meanwhile, News and Events will include corporate news releases, upcoming webinars, other events and so on.

Feel free to look at the preview page (see link above) and check out what’s new under the Product Updates, Blog and News links.

As part of our company strategy, we are in the process of rebranding our products. On September 22nd, Resolver*Risk version 5.3 will be released under the new banner of BPS Resolver GRC Cloud. This rebranding will be apparent from a new login page which you can preview at preview.sb.bpsresolver.net.

Release Scheduled September 22nd!

The first release of GRC Cloud will include:

-          Inclusion of past data saved through the period end process in item overview reports

-          A new way to select the periods to be included in data views, including the new report

-          Breakdown of not calculated and invalid function results in pie charts and consistent reporting of these in other sections of the application

Consider that the principle goal of risk management is to ensure that an organization performs as expected. In other words, it achieves its objectives. Therefore the risks that you identify need to be directly related to your organizations objectives. Risks not related to the achievement of corporate goals are off strategy – a distraction.

“What keeps you up at night?” is a disembodied question that will result in both relevant and irrelevant risks. Here is the question to ask…

“Considering the objective to… (describe a key objective), what events may prevent the organization from achieving this objective?”.

The result will be risk events that are well aligned with management’s goals. Feel free to present your interviewee with a list of potential risk internal and external risk categories to refer to when answering the question. For example, economic, competitive, strategic, HR, financial, technology, information, and corporate integrity are some of the major categories. There are up to 100 subcategories that fall under these major categories as well (business is complex!).

This objectives-focused question will ensure that your risk management process is strategic and focused on corporate performance.

by Richard Wilson
]]> http://www.bpsresolver.com/why-what-keeps-you-up-at-night-is-the-wrong-question/feed/ 0 http://www.bpsresolver.com/grcxml/ http://www.bpsresolver.com/grcxml/#comments Thu, 15 Apr 2010 18:06:36 +0000 BPS Resolver http://bpsresolver.com/?p=2988 The Governance, Risk and Compliance (GRC) technology landscape is large and diverse. A truly complete GRC solution would be comprised of many modules including risk modeling, risk assessment, policy management, helpline/whistleblower, access controls management, incident capture and management, investigations management, controls monitoring and management, root cause analysis, audit management and more. While many Governance, Risk and Compliance (GRC) vendors claim to have a complete solution, the reality is that GRC is too big for any one vendor to meet every need. No one vendor today actually has a complete solution. Depending what you include as GRC, it’s likely no one vendor will ever have it. Even amongst those vendors who can tick many of the GRC boxes, each has different strengths and weaknesses that might limit which GRC modules a company might purchase.

Today’s reality is that any complete solution will be comprised of multiple vendors (for example BPS Resolver for ERM, Compliance and Audit and SymSure for Continuous Controls Monitoring). Looking at the market, many vendors, including us, have created partnerships and alliances to bring a more complete solution to clients. However, this approach is somewhat limiting and clients can’t really mix and match a solution from any vendor they choose without custom projects. Custom integration projects are required because there is no industry standard common GRC interface or language that would allow GRC systems to consume and publish data.

Enter GRC XBRL. XBRL stands for Extensible Business Reporting Language and is an open standard based on XML to define a common language for business reporting. GRC XBRL (sometimes called GRC XML) is a GRC specific definition built on the foundation of XBRL by the Open Ethics and Compliance Group (OCEG), including members from Approva, Thomson Reuters, Fujitsu, and PricewaterhouseCoopers. The alpha version of the standard was released to peer-review in October 2009 and should be published for widespread consumption in 2010.

Currently, no technology vendor reads or writes data to this open standard. The benefits of all GRC vendors adopting GRC XBRL as a common language would be enormous. To date, all systems integration has been customized and proprietary. If all GRC vendors adopt GRC XML and provide standard interfaces to publish and consume this data, the GRC market would enter a new era of plug and play components. Clients could choose a GRC backbone platform and add specialized components or modules from other vendors that best suit their business needs.

Another interesting opportunity from GRC XBRL is that it provides a common language across companies and industries to share and compare GRC data. In the future, GRC XBRL could be a mechanism for companies to benchmark their progress and practices against their peers in industry and geography.

In the same way that XBRL is transforming the business reporting landscape, GRC XML will soon have a large impact on GRC applications. All vendors with GRC related applications should move to support this new standard.

According to Michael Rasmussen, Microsoft Excel (in concert with SharePoint and Word) is the most widely used Governance, Risk and Compliance (GRC) software. This approach certainly has many shortcomings, including security, data consistency and integrity, ease of reporting and version management. Most users of spreadsheet based approach recognize the need for a true GRC backbone platform. However, Microsoft Excel has some valuable lessons that Governance, Risk and Compliance applications could learn.

1. Simple but Powerful

The concepts behind a spreadsheet are simple yet incredibly powerful. Users can enter almost any kind of information, create functions and relate information. And spreadsheets don’t require a lot of configuration; users can just open a workbook and begin. GRC systems should also be flexible enough to capture any sort of information, provide facilities to calculate or rollup information and allow multiple relationship modeling. All this should be presented in an interface that is obvious and familiar to the user, perhaps in an interactive table similar to Excel.

2. Ubiquitous

It is very rare to find a business desktop that does not have MS Excel installed or a user who does not know how to use it. This application is so pervasive and well known that it is second nature to users. GRC systems should be the same way. They should be deployed on every users’ workstation in the company. Users should employ them as part of their daily life. GRC should become a ubiquitous part of their work experience and ingrained in the deep in the roots of daily activities.

3. Flexible

The spreadsheet was one of the first “killer apps” for the computer. This visible calculator unleashed the power of the pc and its incredible flexibility gave rise an almost infinite amount of uses. GRC platforms must also be flexible and adaptable. The GRC environment is a rapidly changing and evolving and backbone applications must have powerful modeling capabilities to match. This modeling ability must be easy to configure by end users who can take ownership of the system and keep it up to date.

4. Intuitive

Spreadsheets make sense. Generally, users look at them and know exactly what to do. They are accustomed to the table format that allows them to see and interact with large quantities of data at the same time. GRC platforms must also be intuitive to end users. As roles change in an organization, users will come and go and must be able to quickly learn and use GRC platforms as they relate to their duties. GRC platforms must be intuitive, easy to learn and present information in a fashion that users are accustomed to.

5. Unobtrusive

Excel is a normal part of knowledge workers everyday existence. It is an essential tool used in everyday activities. Users don’t think of it as another application they have to learn. It is just part of their life and routine. GRC platforms must also become unnoticeable to end users. They should not inconvenience users or put them out of their normal routine. This is essential if GRC platforms are to have widespread usage and adoption within an organization.

1. Ensure you consider the overall ERM strategy so that it is a sustainable, recurring process rather than doing it piecemeal.  Avoid the temptation to direct your efforts into a “big bang” report for only part of the business. This is particularly important if this effort prevents you from revisiting the business area for years to come.
2. Carefully consider the link between business unit or department risks and enterprise level risks.  The roll-up can be very powerful and convincing and is worth the effort.
3. If you are conducting workshops to better identify and measure risk, consider the use of voting technology to enhance efficiency and build consensus among the participants. Have this information transfer into a Risk Repository. This allows you to build a decentralized program that pulls information from the business units rather than the central team chasing them via email.
4. Knowledge of your industry is vital when selecting a consultant. The language and culture of your industry and even your particular company is a critical tool in ensuring that people are thinking about risk in the right way.  Equally as important is the ability to translate your enterprise risk management program into meaningful real-life scenarios for your business.
5. No executive or board level enterprise risk management report is complete without a view into the root causes and what is being done (or could be done) to prevent them.  Boards of directors are looking for the simplest possible way to understand their top issues and assess if the company is applying the right amount of focus or coverage. Many risk management reports look impressive but ultimately fail the “so what” test (nice heat map – so what?).

At present, the Alternative Investment Fund Manager (AIFM), of which Hedge Funds come under, are regulated predominantly by a number of national financial and company legal regulations. The global financial crisis has highlighted much stronger hazards than initially thought, especially in reflecting cross-border risk.

Hedge Funds have been directly linked to the growth of structured credit markets and asset price inflation resulting in market turbulence throughout the credit crunch. Many have been struggling to withdraw cash for their investors, as they are unable to liquidate assets promptly.

One of the key requirements from the directive is that an AIFM cannot provide services to a Fund unless they have been registered and authorised by ‘a competent authority in the Member State’. In the UK this means the Hedge Fund Manager must be authorised by the FSA (Financial Services Authority) and comply to all Directive requirements in order to continue to provide the service.

There are also stricter requirements for AIFMs to prove that they have risk procedures in place and that they carry out regular ‘stress tests’ and annual reviews on all portfolios and risk management. An annual report for each Fund will be required within four months of the end of the financial year and include a full financial breakdown with all activities to be disclosed. An independent valuator will also be appointed to review each fund on a minimum of an annual basis.

Some of the most controversial changes involve Fund Managers (AIFM) making ‘pre-investment disclosures’ to investors and will also be required to disclose details of any leverage on which they use, which could be restricted by the FSA if it is seen as being high on a regular basis. The requirement for Hedge Fund Managers to disclose all their positions has been met with great resistance by the industry and it remains unclear as to when and how it will be enforced if the Directive is approved.

Where matters get murky is whether or not the Directive applies to the Fund Manager. There are a number of exemptions, for example an AIFM who is managing a Fund portfolio of less than 100 million euro (or 500 million euro with a five year lock in) is not applicable.

The increased level of reporting expected by the new Directive will raise the amount and thoroughness of administrative time required at the very least, although at this point it is unclear how much of the Directive will go through as it stands currently in draft form. If approved later in 2009, it is expected to be enforced by 2011 with a third of countries joining in by 2014; but there is clearly a lot of work to be done in assisting Hedge Fund Managers in complying with the new Directive, if the new compliance regulations do indeed apply to them.

Audits are an important and essential part of managing risk and control effectiveness within an organization. Audit Management Software simplifies the entire auditing process, from planning and scheduling to performing the audit. What Audit Management Software offers you is an easy way to perform the most challenging and complex audits simply and more efficiently.

Why?

Audit Management Software is vital in letting you do more with less. In addition to the existing internal audit requirements, Auditors are now being asked to be proactive with risk management and provide insights into government regulations. It is no wonder that companies are looking for solutions to make these tasks easier and more time efficient. Being able to execute the audit process quickly and effectively to a high standard reduces the risk of non-compliance and provides insights into any potential problems or issues much quicker than conventional approaches to auditing.

Audit Management Software provides you with a system to support all types of audits in your company and seamlessly customize how you would like that information delivered to and viewed by key staff, management and any other authorized users.

All aspects of auditing can become automated to save time and improve productivity and efficiency. As you create them, audit checklists can be saved and used for any future audits. Saved audit checklists can be modified and updated or saved under new titles to prevent you from wasting time by having to start from scratch each time. Checklists can easily be printed off to ensure that your off-line record keeping meets regulations.

Audit Management Software can run audits at any time of the day or night and with any desired frequency. Audits can be scheduled across different departments simultaneously that use the same audit checklist across the entire company without conflict.

Audit Management Software reminds the auditors and their auditees a few days before the audit is due. On the first day of the new audit, the software flags the audit to the auditor and remains on their system until the audit is completed. This helps auditors stay on top of their audit commitments. The software allows auditors to make amendments even when the program is running, which means that alterations can be made as matters arise when the audit is in progress.

The Audit Management software will ‘remember’ previous audits and authorized staff members can have access to this information when and wherever necessary. Since previous audits are stored, the final results of a current audit can easily be compared to past audits.

Once the Audit Management software has completed its cycle, a list of issues and problems will be reported back to the auditor, clearly stating the necessary actions required to remain compliant. The software can track and acknowledge when these tasks have been completed.

It is easy to see why using Audit Management Software can enhance your auditing. With the software at hand you can easily audit any specific area over the whole of your organization.

Where?

To find out more about the latest in professional Audit Management Software, please contact us. We have implemented software solutions across a number of industries including Finance, Utilities and Health. We would love to discuss your auditing processes and how we might be able to help you utilize our Audit Management Software product BPS Audit.

Ok there is no simple answer other then the obvious. The best software is the one that is right for you and for what you are trying to do. I know this doesn’t sound helpful, but it’s true. Think of the car analogy. Next time you are on the highway (carefully) take note of the vehicles around you and think about their designs. Each is clearly doing the basics well, that is, driving on the highway. But each is also purpose built. Trucks are different than compact cars, which are different than motorcycles. If you have lots of stuff you need to haul, but still want to commute every day, maybe you have a pickup. If your life compels you to drive with speed and style, then a sports car may be the obvious choice. Just going from A to B for as little money as possible? Get a small car. For those in between people, you have one of those small sporty SUV’s that are so popular and kind of do everything OK.

The simplest audit tools basically give you a file tree structure and some standard templates that you can fill out to record your work, attach documents and the like. You rename and reuse these concepts if you want to create an issue or a review note, or if you want to get specific about listing risks, controls, objectives and so forth. When you finish filling out the forms and completing the tree structure, you are done and can save your audit for future reference. Most vendors will create some good looking reports including a final audit report which takes your information and re-organizes it into a friendly output. Some of the same tools are applicable to SOX testing and certain regulatory compliance checklists that your company may need to run. Justifying the expense seems easy and there appears to be little in the way of start-up costs. Let call this system Type A

By contrast, the more sophisticated tools give you the options to set up complete living-breathing pictures of your audit universe through some form of multi-hierarchical system. You can separate your legal, organizational and auditable entities and create elaborate relationships between processes, risk, controls, etc. You can run risk assessments across hierarchies (say, processes), have the results roll up using rules you define, then conduct formal targeted audits using other structures (say, your traditional auditable units). You can even compare year-over-year results. Systems like these expect that auditors may work in teams with junior and senior positions so scheduling and workflow (approvals, notifications etc) and secure roles are well developed concepts in the software. Some have centralized controls libraries with the ability to reference policy, risk, KRIs, losses and other data create a rich central control point from which audits are spawned by the system. These features also lend themselves well to integrated controls initiatives, secure and specific sharing of information between risk management and compliance groups and even some advanced analytical reporting. Let’s call this system Type B.

If your needs are strait forward and will always be that way. I think the choice is obvious. Type A. Even if you’re somewhere in the middle you will be able to stretch the A type of system pretty far. It will (with a little help from the vendor) do quite a bit for you. Say it’s a small car, you can get a roof rack for it and haul home a living room set from IKEA on the highway and it will work. Do this every weekend, however, and your going to be longing for a pick up truck.

The second type of system, delivers the more sophisticated and heavier duty functionality because it is designed from the frame up to do so. This system, however, will take a bit more effort to get up and running and for administrators of the system will require more focus and training. It has more moving parts, and is most likely be more expensive. On the other hand, you will most likely never find yourself constrained; it will be easy to modify to meet diverse needs of a larger group and will integrate well into your IT infrastructure. For some companies, buying for the long term, means choosing a system like this one.

Both systems will work for you but they are built on different frames. You can’t turn one into the other any more that you can turn a small car into a pick-up. The car analogy is a bit silly, I grant you that but I use it because it’s easy to tell a compact car from a pickup truck. It is less easy to distinguish audit software tools during an RFP. If the difference is critical to you and your organization, then I would like to offer you some points to consider when looking at audit software:

1 – Do you need a centralized facility to model your audit universe? For many companies this is a lot more than creating a couple of hierarchies and attaching testing plans to them. You may also need to classify and rate risks, controls, processes and other artifacts in multiple ways (principle risk, organizational unit, key business process, key control, etc.). If you are a global organization you may conduct risk assessments at a different granularity than you conduct audits. Add in geography, departmental risk scoring, results from previous audits and assessments, SOX testing, confidentiality requirements and the whole thing can no longer be managed reliably without a more sophisticated tool. A tool that has built all of these elements properly will ensure that you can make the necessary cross references and connection between these elements and that these connections will drive the behaviour and automation you would expect. Less sophisticated audit tools can, in fact, still work for you. The danger is that they are stretching their concepts to achieve the functionality – meaning you may have unexpected compromises in your future. These compromises usually lead to abandoning part of your system in favor of spreadsheets or some other flexible tool.

2 – What are your expectations with respect to work papers automation? Remember that the goal here should be to make it easier for auditors to conduct their work in a complete fashion and support the final report with credibility. If you only need a system of record, then a less sophisticated tool will do. As long as there are plenty of places to type and an easy way to categorize and link things, you will have little problem ensuring that your work is stored electronically and is easy to access and report on.

Work paper automation, however, can also get quite deep. In fact, I recently sat in on a study of audit tools and found that only a handful of vendors (by their own admission) had actually invested to create specific work paper management functionality. These vendors have created dedicated concepts for things like audit approach, key control matrix, risks, controls, tests, assertions, scoping, issues and evidence. Each of these concepts has their own workflows, collaborative facilities and configurable automation that presents to the auditor as needed. The features are designed to streamline the work, minimize the typing and allows for re-use of standard components and knowledge in the company. By far one of the biggest differentiators in the audit tool space is the amount of support for work papers management or automation. It is basically the difference between a general assessment tool and an audit tool and is always present when comparing Type A tools (basic audit functionality) to Type B tools (sophisticated audit functionality).

3 – Audit planning. Many of the tools available to auditors and compliance folks have some concept that allows for planning. From the audit perspective, we are trying to ensure that the effort of auditing is concentrated in the areas of the business that need it most. For many shops, this means a tool that helps them conduct mini-audits or self-assessments so that they can rank each auditable unit in terms of risk. Ultimately this information is used to design an audit plan for the year. Once again, bigger is not always better here. There are Type A products out there that do a fine job of helping auditors with this task. In fact, many of the products that completely fall down in terms of work paper automation actually have great risk assessment and planning features. Given this fact, please ensure that you understand what your real requirements might be. For instance, are the “assessable units” in your company (the smallest unit that you will risk assess) the same as your auditable units (the organization you will plan and execute an audit on)? Larger or more sophisticated shops often do not bring these two concepts into alignment. Ensure that your candidate system can separately handle the ideas of auditable unit, assessments and organizational unit. Ensure that the scoring rules, and how they roll-up, are not dependant on any single hierarchical relationship. This is all sounding quite technical, but it can be an important subtlety for some companies. All I am saying is that one should take extra care to ensure that you don’t buy a system and then find yourself longing for the flexibility of spreadsheets once again. A few other points on audit planning: Do you desire multi-year planning? And do you consider your staffing and resource availability in the planning process? Finally, is the audit plan a living thing that you are constantly updating based on changing conditions? Or is it a static plan that you re-build every year? The final considerations tend to lead prospective buyers to more elaborate audit Type B tools.

4 – ERM and Compliance. Recently I had a conversation with some thinkers at OCEG and they confirmed for me that auditors are being asked to deal with more compliance testing and enterprise risk management information gathering. The discussion of how tools manage this, or should manage this, is so long that it should be broken up over the course of several blogs (this being already too long as it is). I will say that if the first three items that I have discussed in this piece are built with care and appropriate sophistication, then you will most likely be set up well to help manage ERM and compliance problems for your company. Remember that risk definitions vary depending on the regulation or ERM framework you may be adopting. Control definitions are not any exception either. We have seen risks be defined as root causes (supplier ships bad parts), events (company product fails when customer tires to use it) or consequences (lawsuit and bad press). Similarly controls can be preventative (catch bad parts before they get into our product), or mitigating (ensure we have enough insurance). A unified set of definitions and frameworks on which to hang your company policies will always leave gaps, so ensure your audit product has a way to deal with multiple interpretations of the concept of risk and control. Without this ability, your ERM initiative will be divorced from your audit universe.

In conclusion, please forgive the car analogy (it was the best one I had going for now) and I hope you find some of the points here helpful.Four

Toronto, Canada. BPS (Business Propulsion Systems Inc.) (see bpsresolver.com) and Resolver Inc. (see bpsresolver.com) today announced a merger which took effect on January 1, 2010 to form BPS Resolver Inc.

This merger brings together two highly successful governance, risk, and compliance (GRC) software product offerings. The new company’s combined offering will provide a complete product suite of planning, execution & refinement solutions for GRC and Sustainability best practices. Together, they will focus on rapid delivery of software-as-a-service (SaaS) compliance solutions, as well as large scale more customized enterprise licensed solutions, to utilities, financial institutions and healthcare markets worldwide. The merged company’s increased scale and combined expertise will enhance, accelerate and strengthen our responsiveness to client software requirements and service needs.

BPS provides GRC software solutions to many of the world’s best-managed companies. The highly successful BPS Suite™ has proven itself best-in-class in terms of completeness, functional depth, ease of use, adaptability and sophistication of technology. Resolver provides a comprehensive suite of quickly deployed SaaS solutions to address governance, risk management and compliance. Resolver’s GRC Suite of products is used by many Fortune 1000 organizations to maintain successful and effective enterprise wide GRC programs. The combination of these two offerings to suit the differing needs of different clients will make BPS Resolver increasingly attractive.

The combined entity, BPS Resolver, is also taking a significant new money investment of growth capital from Covington Capital in order to continue to aggressively pursue market share. According to BPS CEO, Mr. Mark Opausky, and Resolver CEO, Mr. Steve Taylor, the merger will provide clients with a greatly expanded set of GRC solutions. “Both organizations are recognized as leaders in their respective market segments and have a history of outperforming expectations. As a combined company, we bring the strength of both product suites and our employees’ industry expertise to our customers.”

Top industry analyst Michael Rasmussen of Corporate Integrity LLC says “The market for GRC software is blossoming as companies look for solutions to support processes to consolidate risk and compliance activities.” He also stated that “The combination of BPS and Resolver provides significant synergies to enhance the economies of risk and compliance processes within organizations. Together they provide a stronger solution for audit, risk management, compliance and finance roles in today’s dynamic business environment.”

“BPS Resolver has a unique combination of product strength and agility that can now reach wider varieties of customers and deliver superior value” says Mark Opausky. “Many companies already see us as the go to provider for GRC technology and knowledge, we are confident that we can expand this perception quickly in the coming year”

Gartner GRC research vice president French Caldwell states “a new competitive vendor has arisen…”

The merger was completed effective January 1st, 2010. BPS Resolver is to be headquartered in Toronto, Canada at 703 Evans Ave.

About BPS
BPS is an industry-leading provider of enterprise governance, risk and compliance (GRC) software, including internal audit, compliance, operational risk management, and enterprise risk management. A best-in-breed, risk-based planning and execution tool, BPS Audit’s™ robust functionality helps internal auditors achieve their objective more efficiently. With BPS Compliance™, a single repository of risks and controls can be used to support multiple regulations, reducing overlap and duplicative costs. BPS Compliance™ also includes a full document and evidence management facility and our powerful Risk Management Library (RML) enabling users to incorporate all types of documents, policies and evidence to manage financial, information technology and operational controls. BPS OpRisk™ enables risk managers to integrate loss data from a variety of sources to develop a comprehensive view of operational risk exposure. For questions or more information about BPS, please contact us directly at 1-877-755-3716 or visit us at bpsresolver.com.

About Resolver Inc.
Resolver Inc. provides a comprehensive suite of software and services for risk managers, internal auditors, compliance managers and strategic planners. Its products include Resolver*Risk, Governance, Risk, and Compliance Software; Resolver*Ballot, a risk and control self-assessment system; and Resolver*Net, an Internet-based platform for enterprise-wide risk identification and assessment. Resolver also provides facilitation, training, and consulting services in the areas of risk management, corporate governance, and regulatory needs. In business since 1994, Resolver’s clients span all fields, including services, utilities,
government, education, natural resources, consumer goods, and manufacturing with a client base that includes Cardinal Healthcare, Philips, TD Bank Financial and others

BPS