Accounting & Auditing Update

At Compliance Week’s annual conference this week, Jose Tabuena, chief compliance officer for NextHealth, advocated for the three lines of defense model. “I’ve worked with the accounting firms and those working with the COSO framework, and I find three lines of defense easier to explain,” he said. “The board may have limited time, and you have to explain a lot in that limited time. I don’t think the COSO cube does it.” More inside.

A PwC poll suggests internal audit still struggles to keep up with the rapid pace of change in the business environment. Nearly 70 percent of organizations said they are going through or have recently gone through a significant transformation in the business, yet only 11 percent of chief audit executives said their current internal audit functions provide value-added services to the business.

The Federal Housing Finance Agency has provided a primer for corporate audit committees on how not to appoint and manage a chief audit executive. The FHFA’s inspector general has released a detailed report criticizing Fannie Mae’s selection of a chief audit executive in 2013, calling the audit committee’s process “far from diligent” and “haphazard at best.” More inside.

Protiviti’s recent survey of more than 800 internal audit professionals reports that half of respondents said a cyber-security evaluation is included in their current audit plan, and 60 percent of those organizations use the National Institute of Standards and Technology cyber-security framework to evaluate risks. Protiviti EVP Brian Christensen said the survey “shines a light on the evolving set of challenges faced by internal audit professionals as they work to incorporate cyber-security frameworks into business processes.” More inside.

Yet more findings—these from Grant Thornton—reveal that audit committees and chief audit executives differ on priorities. According to the survey, audit committees rank financial risk as most important for internal audit, followed by compliance, operational, and strategic risks. CAEs, however, give compliance risk top billing, followed by operational, financial, and then strategic risks.

Nearly 7 in 10 internal audit leaders participating in the IIA’s annual “Pulse of Internal Audit” survey ranked cyber-attacks and other security issues as a major concern, but only about one-third said they have high confidence in their organizations’ ability to address such risks. IIA President Richard Chambers says the results confirm that “organizations must improve how they identify emerging risks.”

The Institute of Internal Auditors is reworking its International Professional Practices Framework, including the addition of a mission statement, core principles, and guidance for emerging issues. “After months of careful consideration, we are proposing enhancements we believe make the IPPF more reflective of the profession’s core principles and mission,” IIA senior vice chairman Larry Harrington said. Details inside.