CAEs speak out: Cybersecurity seen as key threat to growth
Financial Services: Governance, Risk and Compliance Survey 2015

Upload: grant-thornton-llp

Post on 29-Jul-2015


1 The survey was administered online from November to December 2014. A total of 114 internal audit professionals in the financial services industry responded, representing a range of public and private companies of all sizes across the United States. Respondents perform internal audit functions under varying titles, including CAE, vice president and director; however, for the purpose of this survey, we will refer to all respondents as CAEs. Visit grantthornton.com/caesurvey for more information.

Introduction

In Grant Thornton LLP’s fifth annual survey of chief audit executives (CAEs), financial services CAEs revealed that they see considerable room for improvement when it comes to their risk management functions.1 Although they operate in a heavily regulated industry and are highly attuned to managing risk, almost two-thirds of financial services CAEs indicated that their risk management functions would benefit from enhancements. In addition, almost one-quarter of respondents said their risk framework is either ineffectively used or has yet to be implemented. Only 15% of CAEs report being fully satisfied with their framework, saying it is rigorously enforced and used comprehensively (Figure 1).

Figure 1: In your opinion, how mature is your organization’s risk management function?*

62%: A framework is in place but areas for enhancement and improvement exist
15%: A framework is in place, rigorously enforced and used comprehensively
13%: A framework is in place but not rigorously enforced nor used comprehensively
6%: We do not have a formal framework or methodology in place
4%: A framework is planned but not implemented

*Financial services companies only.

Not surprisingly, in light of numerous high-profile and reputation-damaging data breaches, financial services CAEs are especially concerned about data privacy and security. This area ranked highest (71%) among issues that could have the most significant impact on their organizations’ growth strategies, a notable increase from 48% in the 2014 survey. Participants from the largest entities — those with managed assets of over $50 billion — are even more concerned with privacy, with 74% of those respondents ranking it as the biggest threat to future growth.

When asked what type of risk assessments their departments are conducting, 66% of financial services CAEs named data security as the top area, although enterprise-wide risk assessments continue to represent the most prevalent type, as reported by 75% of respondents. Other top responses included technology (63%) and fraud risk assessments (63%).


Given the industry’s strong ties to data security, these findings are not surprising, according to Jack Katz, global leader and national managing partner in Grant Thornton's Financial Services practice. “For the financial services industry, cybersecurity is a critical risk that must be addressed on an enterprise basis, as the threat of cybercrime raises not only operational and regulatory risks but significant reputational risk exposure as well,” says Katz.

The increasing use of mobile technology and third-party relationships further amplifies the data security risks facing the industry, notes Katz. “Financial services companies have focused their technology strategies largely on customer service and convenience, which have increased their cybersecurity exposure. At the same time, as firms have become more and more technologically interconnected to various vendors and other third parties, extended data supply chains have expanded their vulnerability to cybercrime.”

As anxiety about cybersecurity has risen, concerns about regulatory risks have lessened somewhat, with 38% of CAEs citing this area as having a significant impact on growth, compared to 51% last year. Nonetheless, regulatory risks were still the second-highest concern as ranked by respondents. Risks related to third parties and vendors came in third, up to 34% from 22% in 2014. Rounding out the highest-concern risk areas were execution of strategy (30%) and business continuity.

Managing the compliance burden

Although the financial services industry continues to face the challenges of a fluid and uncertain regulatory environment, our survey suggests that the effort dedicated to compliance has not risen. Thirty percent of CAEs, compared to 54% last year, reported that meeting compliance requirements constitutes up to 25% of their workload. Moreover, 67% said this does not represent an increased effort over last year. That said, while the rate of increase in cost may be slowing, the industry is still dealing with significant compliance costs. Optimizing those costs, therefore, remains a priority.

Again this year, CAEs said that regulatory requirements add costs and distract the internal audit function from other activities. Increased costs remain the biggest impact of regulations, according to 72% of respondents, while the inability to devote resources to higher-value activities was cited by 42%. On the other hand, 38% said regulation had improved governance and the rigor of testing (Figure 2).

When it comes to meeting regulatory requirements, financial services CAEs report that an ongoing challenge facing their organizations is a dearth of talent and lack of alignment among processes, operations and technology.

“Meeting compliance obligations remains a pain point for companies in a variety of sectors,” explains Warren Stippich, partner and Grant Thornton national Governance, Risk and Compliance practice leader. “There are continued compliance requirements in highly regulated industries, such as financial services, combined with more scrutiny from the PCAOB [Public Company Accounting Oversight Board] regarding the work that is done around internal controls. With finite budgets and resource constraints, internal auditors must look toward optimizing all aspects of the work they do, including compliance activities,” Stippich says.

Figure 2: Impact of regulation on organizations*

Increased cost: 71.7%
Unable to devote resources to higher-value activities: 41.7%
Improving our governance and rigor of testing: 38.3%
Little to no impact: 11.7%
Other: 0%

*Financial services companies only. Respondents were able to select more than one answer. Responses do not add up to 100% due to rounding.


One-to-many takes root

One path to optimizing compliance is the one-to-many approach, which allows companies to test once but report on multiple regulatory requirements while remediating any regulatory gaps. This lets organizations streamline compliance testing, meet more regulatory requirements, and provide a sustainable framework for long-term compliance management without repeating the same testing activities for different mandates. An example would be testing logical security and using those test results to satisfy multiple regulatory requirements, such as those associated with the Sarbanes-Oxley Act, the Payment Card Industry Data Security Standard and the International Organization for Standardization.

Two-thirds of financial services CAEs said their organizations have had success with a one-to-many approach. Furthermore, 18% said they can potentially apply the principles to up to 75% of their testing, and 41% said they can use the approach for up to 50% of their testing (Figure 3).

Technology usage: A mixed bag

CAEs in the financial services industry and in our overall survey indicated that they’re eager to improve the efficiency of the internal audit function, ranking this as their top goal for the coming year. However, some see limited value in implementing or updating governance, risk and compliance (GRC) tools. The following are responses from audit executives in the financial services industry:

• More than half (54%) said that investing in GRC technology is one way they are enhancing or are planning to enhance their approach to risk management (Figure 4).

• Only 10% disagreed with the assertion that their organizations effectively use GRC-specific technology. This is down from 23% last year, suggesting that CAEs are pleased with the progress made in this area. In addition, 45% agreed that their organizations are effectively leveraging a GRC tool, up from 36% last year.

• CAEs whose departments use GRC technology indicated that they’re using it primarily for internal audit function management and administration, followed by centralized management and reporting of audit plans and results, enterprise-wide risk management, and other compliance or regulatory testing (Figure 5).

• Despite some positive signs regarding GRC technology, 90% of respondents, up from 84% last year, said they don’t plan to implement a GRC tool in the next 12 months, which could suggest that some CAEs see limited value in implementing or updating the technology. Nonusers cited the cost and time required to deploy the technology as the top implementation challenge, followed by the difficulty of maintaining and supporting the technology.

Figure 3: What percentage of your control testing do you think is possible to test once and use the results across multiple compliance requirements?*

Response options: 0%, 1–25%, 26–50%, 51–75%, 76–100%. Chart values as extracted: 0%, 41%, 41%, 0%, 18%; per the text, 41% of respondents chose 26–50% and 18% chose 51–75%.

*Financial services companies only.

Figure 4: What steps are you taking or planning to take to enhance your approach to risk management?*

Response options: Increased focus on risk management; Refining existing ERM approach; Investing in governance, risk and compliance technology (54%, per the text); Integrating with operations and business strategy; Better analytics and risk-modeling; Implementing ERM initiatives; Conducting a third-party risk assessment; None; Other.

*Financial services companies only. Respondents were able to select more than one answer.

Figure 5: Our organization uses GRC/internal audit technology tools primarily for the following functions:*

Response options: Internal audit function management and administration; Centralized management and reporting of audit plans and results; ERM; Other compliance or regulatory testing (PCI DSS, FCPA, HIPAA); SOX testing; Other.

*Financial services companies only. Respondents were able to select more than one answer.

As these findings suggest, even if the benefits are considerable, some organizations, especially smaller ones, may find that they either cannot marshal the resources needed to adopt GRC technology, or they cannot realize an adequate return on investment. Some have found that spreadsheets are equally efficient and more cost-effective for their purposes.

Data analytics: An aid to risk management

Usage of data analytics to enhance the internal audit function also seems to be mixed. Consider the following:

• More than half (53%) of financial services CAEs said they are not using data analytics or business intelligence tools to enhance the internal audit function, up from 39% last year. Slightly less than half (47%) of respondents said they are using data analytics, down from 61% in the 2014 survey.

• Users of data analytics cited a more efficient internal audit process as the top benefit, which is consistent with the goal of optimizing compliance monitoring activities. Other benefits included the ability to quickly identify patterns, trends and relationships; and greater population testing coverage (Figure 6).

“Although many large financial institutions, in particular, rely on advanced analytics, there are opportunities to do more,” says Nigel Smith, national Financial Services Advisory practice leader. “Effective use of advanced analytics can enable financial organizations to gain added benefits from the data they’re gathering and assembling as they comply with new regulations. Using advanced analytics, they can leverage those data assets to anticipate emerging risks and make more appropriate risk mitigation decisions.”

Figure 6: What are the top benefits you achieve from using data analytics? Respondents selected top 3, with 1 being the highest.

Benefits ranked (1 = highest): More efficient internal audit processes; Quickly identify patterns, trends and relationships; Greater population testing coverage.

Priorities, priorities

As financial services CAEs look ahead, they’re focused on priorities — not just their own as internal audit professionals but also those of various stakeholders. Asked about the areas in which they are most frequently asked to deliver value, CAEs identified the following: (1) mitigating risk, (2) identifying improvement opportunities and (3) stronger compliance efforts in other areas.

The priorities of financial services CAEs are not that out of alignment with those of their stakeholders. Without existing constraints, they identified the following as areas where they believe they could add the most value: (1) identifying improvement opportunities, (2) increasing efficiency and (3) mitigating risk/stronger corporate governance.

Talent, compliance optimization key to delivering value

Asked about barriers to delivering the greatest value, 51% of financial services CAEs cited talent quality or capacity, followed by budget constraints (Figure 7).

The ability to attract talented internal auditors, in particular, is a significant challenge, but one that CAEs may be able to address by using a different approach. “With the internal audit function requiring a greater range of skills and more nontraditional types of skills — such as information technology expertise — CAEs may need to focus more on recruiting professionals with skills in these high-priority areas and complement that with co-sourcing arrangements,” says Smith. “For instance, by recruiting auditors who have an IT background, CAEs can enhance their department’s ability to understand and address cybersecurity risks.”

In addition, the ongoing quest for greater efficiency can be addressed by taking the necessary steps to optimize compliance activities. This may include improving visibility into financial controls, better allocation of compliance resources (including talent and skill considerations), and greater responsiveness to regulatory demands and remediation needs. If CAEs can help their organizations develop a sustainable process for long-term compliance management, internal auditors should be able to increase their focus on facilitating the value-added operational improvements they view as a priority and strength.

“It’s important that compliance optimization improvements be made in a way that makes them flexible and sustainable over the long term,” notes Smith. “The greatest successes occur when organizations view risk management and compliance effectiveness as a strategic necessity for the business, rather than just reacting to the latest regulatory challenges with tactical, manually intensive solutions.”

Figure 7: What are the barriers to delivering the greatest value?*

Talent quality or capacity: 51%
Budget constraints: 44%
Remaining options (Focus heavily weighted to compliance [regulatory compliance, financial controls compliance, SOX compliance and other compliance]; Organizational politics; Perception of internal audit within the organization): 42%, 42% and 33%

*Financial services companies only. Respondents were able to select more than one answer.

Wrongful acts most likely to result from financial institution cyberattacks:2

46%: Account takeovers
18%: Identity theft
15%: Telecommunications network disruptions
9.3%: Data integrity breaches

2 Survey, New York Department of Financial Services, 2013.

Cybersecurity: Suggested actions for CAEs

Prepare for potential attacks and regularly test those preparations. The financial services industry’s dependence on IT, its interconnectedness, and the rapid growth and evolution of cyberthreats demand the attention of every organization’s board and senior management.

Address exposure stemming from third-party and vendor relationships. The extended data supply chain created by such associations is a common path for hackers to gain access to IT systems. In addition to establishing risk management practices related to those third-party arrangements, financial institutions need to consider vendors’ risk management practices and controls.

Focus on people and processes, in addition to technological solutions.

Keep in mind that successfully addressing cyberrisks is not simply a matter of finding a technological fix for potential problems. It also involves people and processes.

Shore up cyberrisk exposure by fully utilizing key resources available to businesses. These include Executive Order 13636, Improving Critical Infrastructure Cybersecurity, and the supporting standards from the National Institute of Standards and Technology, the FBI’s InfraGard program, the U.S. Computer Emergency Readiness Team and the U.S. Secret Service Electronic Crimes Task Force.

Be alert to warning signals and identify potential vulnerabilities across the entire business ecosystem when assessing potential cyberrisks from third-party and vendor relationships.

Ensure the board and senior management dedicate adequate attention to cyberrisks, including gaining an understanding of the institution’s inherent cybersecurity risks, according to the Federal Financial Institutions Examination Council. It is also essential to have routine discussions about cybersecurity issues; regularly monitor threats and vulnerabilities; create and maintain a dynamic control environment; manage third-party connections; and develop and test business continuity and disaster recovery plans by incorporating cyberincident scenarios.

About Grant Thornton LLP

Founded in Chicago in 1924, Grant Thornton LLP (Grant Thornton) is the U.S. member firm of Grant Thornton International Ltd, one of the world’s leading organizations of independent audit, tax and advisory firms. In the United States, Grant Thornton has revenue in excess of $1.3 billion and operates 57 offices with more than 500 partners and 6,000 employees. Grant Thornton works with a broad range of dynamic publicly and privately held companies, government agencies, financial institutions, and civic and religious organizations.

This content is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information about the issues discussed, contact a Grant Thornton LLP professional.

“Grant Thornton” refers to Grant Thornton LLP, the U.S. member firm of Grant Thornton International Ltd (GTIL), and/or refers to the brand under which the GTIL member firms provide audit, tax and advisory services to their clients, as the context requires. GTIL and each of its member firms are separate legal entities and are not a worldwide partnership. GTIL does not provide services to clients. Services are delivered by the member firms in their respective countries. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another’s acts or omissions. In the United States, visit grantthornton.com for details.

© 2015 Grant Thornton LLP | All rights reserved | U.S. member firm of Grant Thornton International Ltd
