Financial services CAEs see cybersecurity as the top threat to growth, with 71% ranking it as the issue most likely to significantly impact their organizations' strategies. While concerns about regulatory risks have decreased slightly, cybersecurity risks are amplified by increased use of mobile technology and third-party relationships. CAEs indicate that cybersecurity must be addressed on an enterprise-wide basis due to operational, regulatory, and reputational risks. Optimizing compliance activities, improving talent quality, and effectively using data analytics and GRC tools are keys to enhancing risk management and delivering greater value.
CAEs speak out: Cybersecurity seen as key threat to growth
Financial Services: Governance, Risk and Compliance Survey 2015
¹ The survey was administered online from November to December 2014. A total of 114 internal audit professionals in the financial services industry responded, representing a range of public and private companies of all sizes across the United States. Respondents perform internal audit functions under varying titles, including CAE, vice president and director; however, for the purpose of this survey, we will refer to all respondents as CAEs. Visit grantthornton.com/caesurvey for more information.
Introduction

In Grant Thornton LLP’s fifth annual survey of chief audit executives (CAEs), financial services CAEs revealed that they see considerable room for improvement when it comes to their risk management functions.¹ Although they operate in a heavily regulated industry and are highly attuned to managing risk, almost two-thirds of financial services CAEs indicated that their risk management functions would benefit from enhancements. In addition, almost one-quarter of respondents said their risk framework is either ineffectively used or has yet to be implemented. Only 15% of CAEs report being fully satisfied with their framework, saying it is rigorously enforced and used comprehensively (Figure 1).
Figure 1: In your opinion, how mature is your organization’s risk management function?*
• A framework is in place, rigorously enforced and used comprehensively: 15%
• A framework is in place but areas for enhancement and improvement exist: 62%
• A framework is in place but not rigorously enforced nor used comprehensively: 13%
• A framework is planned but not implemented: 4%
• We do not have a formal framework or methodology in place: 6%
*Financial services companies only.
Not surprisingly, in light of numerous high-profile and reputation-damaging data breaches, financial services CAEs are especially concerned about data privacy and security. This area ranked highest (71%) among issues that could have the most significant impact on their organizations’ growth strategies, a notable increase from 48% in the 2014 survey. Participants from the largest entities — those with managed assets of over $50 billion — are even more concerned with privacy, with 74% of those respondents ranking it as the biggest threat to future growth.

When asked what type of risk assessments their departments are conducting, 66% of financial services CAEs named data security as the top area, although enterprise-wide risk assessments continue to represent the most prevalent type, as reported by 75% of respondents. Other top responses included technology (63%) and fraud risk assessments (63%).
Given the industry’s strong ties to data security, these findings are not surprising, according to Jack Katz, global leader and national managing partner in Grant Thornton's Financial Services practice. “For the financial services industry, cybersecurity is a critical risk that must be addressed on an enterprise basis, as the threat of cybercrime raises not only operational and regulatory risks but significant reputational risk exposure as well,” says Katz.
The increasing use of mobile technology and third-party relationships further amplifies the data security risks facing the industry, notes Katz. “Financial services companies have focused their technology strategies largely on customer service and convenience, which have increased their cybersecurity exposure. At the same time, as firms have become more and more technologically interconnected to various vendors and other third parties, extended data supply chains have expanded their vulnerability to cybercrime.”
As anxiety about cybersecurity has risen, concerns about regulatory risks have lessened somewhat, with 38% of CAEs citing this area as having a significant impact on growth, compared to 51% last year. Nonetheless, regulatory risks were still the second-highest concern as ranked by respondents. Risks related to third parties and vendors came in third, up to 34% from 22% in 2014. Rounding out the highest-concern risk areas were execution of strategy (30%) and business continuity.
Managing the compliance burden
Although the financial services industry continues to face the challenges of a fluid and uncertain regulatory environment, our survey suggests that the effort dedicated to compliance has not risen. Thirty percent of CAEs, compared to 54% last year, reported that meeting compliance requirements constitutes up to 25% of their workload. Moreover, 67% said this does not represent an increased effort over last year. That said, while the rate of increase in cost may be slowing, the industry is still dealing with significant compliance costs. Optimizing those costs, therefore, remains a priority.
Again this year, CAEs said that regulatory requirements add costs and distract the internal audit function from other activities. Increased costs remain the biggest impact of regulations, according to 72% of respondents, while the inability to devote resources to higher-value activities was cited by 42%. On the other hand, 38% said regulation had improved governance and the rigor of testing (Figure 2).
When it comes to meeting regulatory requirements, financial services CAEs report that an ongoing challenge facing their organizations is a dearth of talent and lack of alignment among processes, operations and technology.
“Meeting compliance obligations remains a pain point for companies in a variety of sectors,” explains Warren Stippich, partner and Grant Thornton national Governance, Risk and Compliance practice leader. “There are continued compliance requirements in highly regulated industries, such as financial services, combined with more scrutiny from the PCAOB [Public Company Accounting Oversight Board] regarding the work that is done around internal controls. With finite budgets and resource constraints, internal auditors must look toward optimizing all aspects of the work they do, including compliance activities,” Stippich says.
Figure 2: Impact of regulation on organizations*
• Increased cost: 71.7%
• Unable to devote resources to higher-value activities: 41.7%
• Improving our governance and rigor of testing: 38.3%
• Little to no impact; Other: 11.7% and 0%
*Financial services companies only. Respondents were able to select more than one answer. Responses do not add up to 100% due to rounding.
One-to-many takes root
One path to optimizing compliance is the one-to-many approach, which allows companies to test once but report on multiple regulatory requirements while remediating any regulatory gaps. This lets organizations streamline compliance testing, meet more regulatory requirements, and provide a sustainable framework for long-term compliance management without repeating the same testing activities for different mandates. An example would be testing logical security and using those test results to satisfy multiple regulatory requirements, such as those associated with the Sarbanes-Oxley Act, the Payment Card Industry Data Security Standard and the International Organization for Standardization.
Two-thirds of financial services CAEs said their organizations have had success with a one-to-many approach. Furthermore, 18% said they can potentially apply the principles to up to 75% of their testing, and 41% said they can use the approach for up to 50% of their testing (Figure 3).
Technology usage: A mixed bag
CAEs in the financial services industry and in our overall survey indicated that they’re eager to improve the efficiency of the internal audit function, ranking this as their top goal for the coming year. However, some see limited value in implementing or updating governance, risk and compliance (GRC) tools. The following are responses from audit executives in the financial services industry:

• More than half (54%) said that investing in GRC technology is one way they are enhancing or are planning to enhance their approach to risk management (Figure 4).
Figure 3: What percentage of your control testing do you think is possible to test once and use the results across multiple compliance requirements?*
• 0%: 0%
• 1–25%: 41%
• 26–50%: 41%
• 51–75%: 18%
• 76–100%: 0%
*Financial services companies only.

Figure 4: What steps are you taking or planning to take to enhance your approach to risk management?* (bar chart)
Categories: Increased focus on risk management; Refining existing ERM approach; Investing in governance, risk and compliance technology (54%); Integrating with operations and business strategy; Better analytics and risk-modeling; Implementing ERM initiatives; Conducting a third-party risk assessment; None; Other. Remaining values extracted without their labels: 67%, 54%, 51%, 49%, 29%, 21%, 6%, 0%.
*Financial services companies only. Respondents were able to select more than one answer.
Figure 5 categories: Internal audit function management and administration; Centralized management and reporting of audit plans and results; ERM; Other compliance or regulatory testing (PCI DSS, FCPA, HIPAA); SOX testing; Other.
• Only 10% disagreed with the assertion that their organizations effectively use GRC-specific technology. This is down from 23% last year, suggesting that CAEs are pleased with the progress made in this area. In addition, 45% agreed that their organizations are effectively leveraging a GRC tool, up from 36% last year.

• CAEs whose departments use GRC technology indicated that they’re using it primarily for internal audit function management and administration, followed by centralized management and reporting of audit plans and results, enterprise-wide risk management, and other compliance or regulatory testing (Figure 5).

• Despite some positive signs regarding GRC technology, 90% of respondents, up from 84% last year, said they don’t plan to implement a GRC tool in the next 12 months, which could suggest that some CAEs see limited value in implementing or updating the technology. Nonusers cited the cost and time required to deploy the technology as the top implementation challenge, followed by the difficulty of maintaining and supporting the technology.
As these findings suggest, even if the benefits are considerable, some organizations, especially smaller ones, may find that they either cannot marshal the resources needed to adopt GRC technology, or they cannot realize an adequate return on investment. Some have found that spreadsheets are equally efficient and more cost-effective for their purposes.
Data analytics: An aid to risk management
Usage of data analytics to enhance the internal audit function also seems to be mixed. Consider the following:

• More than half (53%) of financial services CAEs said they are not using data analytics or business intelligence tools to enhance the internal audit function, up from 39% last year. Slightly less than half (47%) of respondents said they are using data analytics, down from 61% in the 2014 survey.

• Users of data analytics cited a more efficient internal audit process as the top benefit, which is consistent with the goal of optimizing compliance monitoring activities. Other benefits included the ability to quickly identify patterns, trends and relationships; and greater population testing coverage (Figure 6).
“Although many large financial institutions, in particular, rely on advanced analytics, there are opportunities to do more,” says Nigel Smith, national Financial Services Advisory practice leader. “Effective use of advanced analytics can enable financial organizations to gain added benefits from the data they’re gathering and assembling as they comply with new regulations. Using advanced analytics, they can leverage those data assets to anticipate emerging risks and make more appropriate risk mitigation decisions.”
Figure 5: Our organization uses GRC/internal audit technology tools primarily for the following functions:* (bar chart; categories listed above; values extracted without their labels: 75%, 40%, 40%, 25%, 20%, 0%)
*Financial services companies only. Respondents were able to select more than one answer.

Figure 6: What are the top benefits you achieve from using data analytics? (Respondents selected top 3, with 1 being the highest.)
Benefits ranked: More efficient internal audit processes; Quickly identify patterns, trends and relationships; Greater population testing coverage.
Priorities, priorities
As financial services CAEs look ahead, they’re focused on priorities — not just their own as internal audit professionals but also those of various stakeholders. Asked about the areas in which they are most frequently asked to deliver value, CAEs identified the following: (1) mitigating risk, (2) identifying improvement opportunities and (3) stronger compliance efforts in other areas.

The priorities of financial services CAEs are not that out of alignment with those of their stakeholders. Without existing constraints, they identified the following as areas where they believe they could add the most value: (1) identifying improvement opportunities, (2) increasing efficiency and (3) mitigating risk/stronger corporate governance.
Talent, compliance optimization key to delivering value
Asked about barriers to delivering the greatest value, 51% of financial services CAEs cited talent quality or capacity, followed by budget constraints (Figure 7).
The ability to attract talented internal auditors, in particular, is a significant challenge, but one that CAEs may be able to address by using a different approach. “With the internal audit function requiring a greater range of skills and more nontraditional types of skills — such as information technology expertise — CAEs may need to focus more on recruiting professionals with skills in these high-priority areas and complement that with co-sourcing arrangements,” says Smith. “For instance, by recruiting auditors who have an IT background, CAEs can enhance their department’s ability to understand and address cybersecurity risks.”
In addition, the ongoing quest for greater efficiency can be addressed by taking the necessary steps to optimize compliance activities. This may include improving visibility into financial controls, better allocation of compliance resources (including talent and skill considerations), and greater responsiveness to regulatory demands and remediation needs. If CAEs can help their organizations develop a sustainable process for long-term compliance management, internal auditors should be able to increase their focus on facilitating the value-added operational improvements they view as a priority and strength.
“It’s important that compliance optimization improvements be made in a way that makes them flexible and sustainable over the long term,” notes Smith. “The greatest successes occur when organizations view risk management and compliance effectiveness as a strategic necessity for the business, rather than just reacting to the latest regulatory challenges with tactical, manually intensive solutions.”
Figure 7: What are the barriers to delivering the greatest value?*
• Talent quality or capacity: 51%
• Budget constraints; Focus heavily weighted to compliance (regulatory compliance, financial controls compliance, SOX compliance and other compliance); Organizational politics; Perception of internal audit within the organization: 44%, 42%, 42%, 33% (values extracted without their labels)
*Financial services companies only. Respondents were able to select more than one answer.

Wrongful acts most likely to result from financial institution cyberattacks:²
• Account takeovers: 46%
• Identity theft: 18%
• Telecommunications network disruptions: 15%
• Data integrity breaches: 9.3%

² Survey, New York Department of Financial Services, 2013.
Cybersecurity: Suggested actions for CAEs
• Prepare for potential attacks and regularly test those preparations. The financial services industry’s dependence on IT, its interconnectedness, and the rapid growth and evolution of cyberthreats demand the attention of every organization’s board and senior management.

• Address exposure stemming from third-party and vendor relationships. The extended data supply chain created by such associations is a common path for hackers to gain access to IT systems. In addition to establishing risk management practices related to those third-party arrangements, financial institutions need to consider vendors’ risk management practices and controls.

• Focus on people and processes, in addition to technological solutions. Keep in mind that successfully addressing cyberrisks is not simply a matter of finding a technological fix for potential problems. It also involves people and processes.

• Shore up cyberrisk exposure by fully utilizing key resources available to businesses. These include Executive Order 13636, Improving Critical Infrastructure Cybersecurity, and the supporting standards from the National Institute of Standards and Technology, the FBI’s InfraGard program, the U.S. Computer Emergency Readiness Team and the U.S. Secret Service Electronic Crimes Task Force.

• Be alert to warning signals and identify potential vulnerabilities across the entire business ecosystem when assessing potential cyberrisks from third-party and vendor relationships.

• Ensure the board and senior management dedicate adequate attention to cyberrisks, including gaining an understanding of the institution’s inherent cybersecurity risks, according to the Federal Financial Institutions Examination Council. It is also essential to have routine discussions about cybersecurity issues; regularly monitor threats and vulnerabilities; create and maintain a dynamic control environment; manage third-party connections; and develop and test business continuity and disaster recovery plans by incorporating cyberincident scenarios.