Enterprise risk management adoption is still lagging. Why haven’t we caught up?

Understanding Internal Audit Outsourcing vs. Co-sourcing

Wed, 08 Apr 2026 02:11:32 GMT

About 73% of CAEs use internal audit outsourcing to obtain critical services related to their internal audit activity. [1]

Short on time? Listen to the quick audio summary.

Length : 1 min 48 sec

Years ago, I wrote about audit sourcing as a Chief Auditor with two decades in the trenches. Today, as a consulting CEO, I see these models from a new vantage point. This data confirms what I’ve always suspected: choosing the right internal audit outsourcing vs. co-sourcing model isn't just about finding extra "hands." It is a strategic investment in the structure that best protects you and your company. [3]

Internal Audit (IA) is a critical function for maintaining regulatory compliance and operational integrity.[2] It provides independent assurance that risk management, governance, and internal control processes are operating effectively, with an end goal of adding business value.[3] Whether your organization requires a full outsourcing solution or a co-sourcing partnership to augment your existing team, the structure you choose must be robust enough to handle modern compliance scrutiny.

Top Audit Recruiting Challenges in the US

Misaligned compensation expectations between candidates and employers.
Candidates lacking critical competencies .
Not enough internal audit experience .

What’s the difference between Internal Audit outsourcing vs. co-sourcing?

Insourcing the IA function is usually the best option. However, that is expensive and hard to accomplish. Therefore, outsourcing solutions can be an appropriate tool for many use cases. [4]

Outsourcing is often seen when companies start their journey of establishing an Internal Audit function. The companies outsource the administration and staffing to an external provider who reports results to management.

Co-sourcing is fairly common in most companies, blending existing internal resources and a third-party provider.

Outsourcing vs Co-sourcing Internal Audits

Both outsourcing and co-sourcing when implemented properly can help organizations maintain control of internal audit activities, deliver on their IA requirements and accomplish objectives.

Outsourcing

Pros

Great starter kit for companies that do not have an existing IA function and do not know how to build one, or for smaller companies. [5]
End to end management & execution of the IA function
Access to expertise and tech skills that otherwise would not be available internally.

Considerations

Challenges in finding the right vendor who can act as an extension of the company.
Often, this is the most expensive option.
Less internal acceptance of external providers (they are not always viewed as part of the team).
Limited knowledge transfer once the auditors' work is complete.

Co-sourcing

Pros

Can provide adequate level of assurance to audit committee / board of directors even with limited resources
Gives greater flexibility & scalability with staffing resources and needed support
Augments current IA capabilities with specialist expertise + skills
Can provide fresh perspectives and independent insights

Considerations

Challenges finding the right vendor who can act as an extension of the company.
External niche technical expertise can be costly.

If you need internal audit services, where should you look?

Large and Medium Firms

Large firms and Big 4 accounting companies are reputable for a reason. They are known to deliver credible reports, offer a wide range of services and resources, and have strong quality assurance processes.

On the other hand, they can be pricey and see high turnover, so it can be more difficult to establish a long-term relationship. It’s also more likely you’ll be working with a manager or senior associate as opposed to a partner, which can limit the depth or type of guidance you’ll receive.

Typically, their employees have no experience as internal auditors.

Small Firms

Smaller firms can meet customers' IA needs without the hefty price tag. They tend to be more agile and can provide direct partnership with senior staff members who can offer valuable insight to your organization. You are more of a priority.

On the other hand, smaller firms may face resource constraints.

Modern internal audit functions need a broad range of skills to provide an effective and comprehensive service [6] .

Alan Simpson

What to look for when selecting the right partner for your Internal Audit needs

There are a few important considerations to use when selecting the right firm for your use case:

Firms that can offer experienced internal auditors , NOT external auditors
The team has the technical expertise relevant to the scope of work (IT, Finance, and Operations processes) and offers relevant industry insights.
Ability to communicate with internal and external stakeholders at every level.
Experience building or streamlining internal audit processes and providing measurable outcomes of increased efficiency.
Lastly, the price should be reasonable. There is no business need to pay the huge margins.

Call Advise Up, we can help.

We’re not lifelong outside consultants. We are career internal auditors with technical expertise and industry experience.

The team at AdviseUp provides hands-on experience in outsourcing, co-sourcing, and in-sourcing internal audit experience to clients of all industry types and sizes.

Start preparing your business for the future today.

Resources

Georgia’s $25 Million Parity Penalty: A New Era of Accountability for Payers?

Fri, 20 Feb 2026 17:04:49 GMT

Regulators are moving from policy review to operational audits. Georgia’s $25M fine isn't just a penalty; it’s a blueprint for future state enforcement.

On January 13, 2026, Georgia’s Insurance and Safety Fire Commissioner John F. King issued nearly $25 million in fines against an array of health insurers for violations of the state’s Mental Health Parity Act, a statute that aligns with the federal Mental Health Parity and Addiction Equity Act (MHPAEA) in requiring that mental health and substance use disorder benefits be provided on terms no more restrictive than medical and surgical benefits.[1]

For payers, whether they’re a large national carrier or a regional plan, this enforcement action exposes a growing problem: mental health parity is no longer being evaluated on the policy level, but at the operational level. Regulators are applying more rigorous audit standards, expanding scrutiny of non-qualitative treatment limitations (NQTLs), and treating inconsistencies in administration as material compliance failures. The result is a sharply elevated regulatory and financial risk environment. Understanding how parity audits are conducted, where payers are most exposed, and how enforcement expectations are evolving is now essential to mitigating that risk.

What “Mental Health Parity” Actually Means

Mental health parity requires that mental health and substance use disorder benefits be administered no more restrictively than medical and surgical benefits. In practice, this extends beyond written plan policies to include utilization management, prior authorization criteria, medical necessity standards, claims processing, and other non-quantitative treatment limitations. Georgia’s audit took into account more than the theoretical parity in plan’s policies and procedures; it reviewed how benefits functioned in real-world operations.

Why Georgia’s Enforcement Matters

Historically, parity compliance has been considered a compliance checkbox by most risk management teams. The Georgia action, however, underscores that regulators can (and will) use market conduct exams to dig more deeply into products, processes, and internal controls. These exams began with a 2023 statewide parity data reporting that assessed insurer data, utilization review patterns, benefit classifications, and administrative practices. Findings from that report triggered in-depth audits of 22 insurers, culminating in the $25 million fines.

Parity Audits: From Concept to Intensive Scrutiny

Parity audits, especially state market conduct examinations, are comprehensive and data-intensive. They typically include:

Comparative analysis of mental health benefits versus medical/surgical benefits, not just on paper, but in practice
Review of NQTLs, such as prior authorization criteria, utilization management protocols, medical necessity definitions, and the clinical review process
Claims processing practices, including consistency of decisions and documentation
Internal governance and compliance infrastructure around parity

Georgia’s market conduct exams spanned months to years of data and pulled millions of data points to identify violations: a model that could increasingly inform other states’ enforcement approaches.

Operational Impacts on Payers

For payers, these audits have immediate and long-term operational implications:

Analytics and Data Preparedness : Insurers must build robust testing capabilities that can generate defensible comparative analysis of mental health and medical benefits. This includes aligning data structures to produce parity-relevant metrics on utilization, authorizations, denials, and appeals.

NQTL Documentation and Rationale : Payers need to make sure that they aren’t just verifying that limits match, but that the rules are applied equitably. A utilization review threshold or prior authorization rule that’s used more stringently for behavioral health services than medical services, even if both policies are written identically, may be flagged as a parity violation if the rationale isn’t documented and justified with evidence such as documented clinical logic and internal oversight.

Governance and Compliance Programs : Payers need to elevate parity compliance from a legal requirement to a core enterprise risk. That means formal governance structures, regular internal audits, and transparency into parity metrics. Documentation of compliance strategy is as crucial as operational compliance itself.

Corrective Actions and Regulatory Dialogue : Payers should be ready for a dialogue with regulators, not one-time data submissions. In Georgia’s process, insurers were required to develop corrective action plans with state regulators. Failure to implement those corrective actions or demonstrate timely compliance can trigger further penalties or more intensive oversight.

Strategic Risk and Financial Planning

While Georgia’s fines represent immediate financial penalties, the strategic cost of insufficient parity compliance can ripple further, causing:

Increased compliance costs: Expect investment in data infrastructure, expertise in parity analytics, and possibly external audit support.
Liability exposure: Beyond state fines, parity violations can lead to federal scrutiny, class actions, or civil penalties under MHPAEA enforcement by federal agencies
Reputation risks: Public enforcement actions often draw media attention and can influence consumer and employer perceptions of payer reliability.

Broader Regulatory Momentum

Georgia isn’t alone. Nationally, regulators at the federal level are increasingly emphasizing that parity isn’t a theoretical entitlement but a practical compliance obligation. The U.S. Departments of Labor, Health and Human Services, and Treasury all finalized updated parity rules with enhanced expectations for NQTL comparative analysis, requiring payers to prove that mental health coverage is actually on par with medical/surgical benefits.[2]

States are also stepping into the fray. Georgia’s actions may embolden other states to pursue similar market conduct exams of insurers within their states.

For payers, the lesson is clear: parity compliance is no longer just an item on the regulatory to-do list. It is now a strategic, operational, and financial priority that touches products, clinical policy, provider relations, and analytics.

Insurers that treat parity compliance as a checkbox risk misalignment with evolving regulatory expectations: an alignment that Georgia’s action shows now include punitive measures when practice diverges from policy.

Georgia’s nearly $25 million enforcement action is an early indicator that markets are entering a compliance era where parity audits are not theoretical, and non-compliance carries real consequences. This is precisely the moment when a clear 90-day action plan matters—one that prioritizes rapid parity risk assessment, validates NQTL application in practice, and establishes audit readiness if scrutiny comes sooner than expected.

References:

Your Major Could Make You a Great Auditor — Here’s How.

Thu, 11 Dec 2025 19:53:14 GMT

Most people think an internal audit job is only for accounting majors. But in 21+ years in this profession, I’ve learned something surprising:

Some of the most effective auditors never studied accounting.

If you’re curious, analytical, organized, or love understanding how organizations really work, your major might make you a stronger auditor than you realize.

Internal audit gives you a front-row seat to how organizations work, including how decisions are made, processes flow, where risks hide, and how culture shapes outcomes. That’s why diverse thinkers thrive here.

Below are several “nontraditional” majors and the value they bring to audit.

The field is changing, and the internal audit profession needs people who are thinking differently . Each non-traditional major brings a unique insight to audit.

Why This Matters

When I started, I was a business administration major. I didn’t think this was where I’d end up, but 21 years later, I’ve never looked back. I can say with confidence that Internal audit isn’t just a stepping-stone. It is a career with depth, purpose, and influence.

As you grow in this profession, you become a trusted advisor to your business leaders, a driver of transparency, accountability, and a catalyst for meaningful change. In our firm, it’s this mix of different thinkers that strengthens the work we do and the results we deliver.

Curious About the Field?

Your major is more than a credential; it’s a perspective. In internal audit, that perspective becomes a strength, a differentiator, and the foundation for a rewarding career. Bring your skills, your way of thinking, and your curiosity to make a real difference.

Protect Healthcare Revenue Before CMS Audits Cost You

Mon, 01 Dec 2025 18:14:24 GMT

Did you know providers lose between 1% and 11% of their net revenue every year due to underpayments?

Long before you receive a CMS audit finding, you might already be leaking revenue without realizing it.

Payment delays of 30–120 days strain your operational budgets. ¹ Staff members spend over ten hours a week managing denials instead of supporting patient care. Even patient experience has become a financial signal—just a 1-point improvement in your PEP score is linked to roughly $45 million in additional retained revenue per hospital. ²

These problems aren't just bad luck. They are symptoms of a gap between what happened during care delivery and what was documented, coded, billed, or reported.

CMS audits exist to reconcile that gap. But instead of viewing them as a threat, you can use the audit scope as a roadmap to strengthen operations and prevent lost revenue. Here is how to understand what’s actually in scope and use it to stop the bleeding.

What is Actually "In Scope"? (It’s More Than You Think)

Defining audit scope often creates tension—too broad wastes resources, but too narrow leaves you exposed. To get it right, you need to look at these specific areas:

The C-Suite Cheat Sheet: 6 Things Auditors Check First

If time is tight, start here:

Encounter Data: Is it complete and accurate?
Risk-Adjustment: Is the documentation bulletproof?
Prior Authorizations: Are denials handled consistently and on time?
Overpayments: Are they identified and repaid on time?
Medical Necessity: Is the rationale documented clearly?
Patient Experience: How are your member measures trending?

3 Habits to Survive Scrutiny

To move from "surviving" to "thriving," adopt these three core habits:

1. Map Your "Audit Universe"

Your audit universe isn't just one thing. It is the intersection of:

Regulatory Requirements
Contract Terms
Documentation Trails
Systems in Scope
Data Flows

2. Strengthen Processes, Not Just Checklists

Audits evaluate not only what was done, but how it was governed, monitored, and corrected.

3. Build Documentation Discipline

Whether it’s a medical record or a policy decision log, your documentation must be clear, consistent, and retrievable.

Don't Wait for the Letter

Right-sizing your scope isn’t just an audit task. It’s a blueprint for financial resilience. When documentation is clear and oversight is embedded, audits stop being disruptive fire drills and start confirming what you already know: that you are operating with integrity.

Don't wait for the audit letter to arrive. Start mapping your audit universe today. Which of the scope areas above is your biggest blind spot right now?

References:

Scaling AI Starts with SOX

Sun, 21 Sep 2025 21:38:08 GMT

Whether you're a CFO, CAE, or compliance leader, your internal control program isn't just a regulatory checkbox. It is the bedrock for successful innovation.

As businesses increasingly adopt AI and other emerging technologies, internal controls must evolve to keep pace with these developments. AI development follows the Software Development Life Cycle (SDLC), which consists of design, testing, approval, and deployment . Therefore, without the right internal controls in place today, future innovation could be built on unstable foundations .

SOX Programs That Do Not Scale Break

Since the Sarbanes-Oxley Act (SOX) was enacted in 2002, its purpose has remained clear: to ensure the accuracy and reliability of financial reporting. Yet, many organizations still struggle with the basics: scoping, ownership, documentation, and change management.

And when those fundamentals are shaky, the downstream effects compound:

Material weaknesses that can lead to restatements, loss of investor confidence, and valuation impact
Audit fee increases of up to 150% (1)
CFO turnover increases by than 62% after reporting material weaknesses
Leadership distraction , shifting focus from growth to compliance firefighting

Control failures don’t just create compliance noise. They can signal a company's inability to absorb future changes.

SOX Compliance Is Getting More Expensive

As internal control expectations rise, so do the costs of maintaining SOX programs. This is in part due to a greater technology footprint, more audit documentation requirements, and greater SEC requirements.

According to Protiviti’s 2024 SOX Compliance Survey (2) :

58% of companies reported an increase in SOX testing hours over the past year
Organizations with $1B–$5B in revenue spend an average of $1.04 million annually on SOX compliance (excluding audit fees)
Companies with $500M–$1B in revenue spend around $651,800

Ultimately, the question should not be whether SOX is costly. It is whether your current spending is building resilience while adding value or just causing friction.

Struggling with ballooning SOX costs?

Our free SOX Pitfall Checklist highlights the most common — and expensive — mistakes companies make when scaling their internal controls.

Use it to:

Streamline your scoping
Eliminate redundant controls
Prepare your program for AI-driven innovation

A Better Approach: Fundamentals First Without the Price Tag

It’s tempting to rush into SOX automation tools, AI risk frameworks, or expensive consultants promising “future-ready compliance.” However, without a solid foundation, those efforts often fall short.

Instead, smart teams are focusing on:

Fixing scope bloat
Aligning control design to business processes , not templates
Establishing scalable SDLC protocols for software and AI
Building project delivery controls to support successful tech rollouts

These aren't just box-checking exercises. They are the foundation for absorbing complexity and enabling innovation.

Case Study: Our Customer’s SOX Reset Strategy

A rapidly growing mobile healthcare provider’s SOX transformation didn't start with AI controls. It started with SOX fundamentals: tighter scoping, better internal alignment, and control rationalization.

Result: 65% reduction in SOX costs and a stronger foundation for growth.

Read the case study.

How AI Is Raising the Stakes for SOX Compliance

As AI tools are integrated into finance and operations, a strong SOX foundation becomes a safeguard by helping you mitigate risks that AI may amplify.
Here’s how:

SOX Foundation Element

Clear Control Ownership

AI risk it helps prevent:

Shadow AI projects launched without oversight or risk review

Strong Software Development Controls

AI risk it helps prevent:

Model errors, hallucinations, and reputational risk due to poor coding or testing

Properly Scoped Control Environment

AI risk it helps prevent:

Lack of focus, making it harder to detect real risks as AI adds operational complexity

Effective Project Delivery Governance

AI risk it helps prevent:

Poorly implemented AI tools that fail, create waste, or cause financial misstatements

Real-World Example:

In July 2025, an AI assistant on the Replit coding platform was asked to help build a software application. Instead, it malfunctioned, ignoring a clear instruction to stop, and deleted the user’s entire live database, erasing months of work in seconds. This happened due to several control failures, including no separation between testing and live environments, giving the AI too much access, and not having a human review its actions. (3)

Final takeaway

If your SOX foundation is strong, AI can drive scale, speed, and precision. But if your foundation is weak, AI will only expose your control gaps faster and more visibly.

Getting the SOX basics right is the most strategic thing you can do to prepare for AI.

Next Steps

Download the SOX Pitfall Checklist
Explore our Internal Controls’ Case Study
Talk to our team about a readiness review

Resources

(1) How a Material Weakness Can Cost You; Stephen Taub; CFO; Nov. 19, 2004

(2) The Evolution of SOX: Tech Adoption and Cost Focus Amid Business Changes, Cyber and ESG Mandates; Protiviti; 2023

(3) The Replit AI Disaster: A Wake-Up Call for Every Executive on AI in Production; Bryan Reynolds; July 23, 2025

The Unexpected Career That Turned Out to Be My Perfect Fit

Sun, 08 Jun 2025 14:16:42 GMT

When I was a child, my parents read to me every night before I went to bed. One evening, like many kids of my generation, I was introduced to the Harry Potter series. But unlike most, I asked my dad to stop reading with just about a hundred pages to go. I couldn’t stand how often Harry and his friends broke the rules and seemed to get away with it.

That moment stayed with me. Not because I disliked the story, but because it made me realize something about myself: I care deeply about structure, fairness, and systems that work. Back then, I didn’t have the vocabulary for it. Today, I do. That instinct has led me to a career in internal audit and compliance.

More than just rules

Of course, the real world isn’t as simple as “don’t go into the Chamber of Secrets.” Rules in business, like laws, regulations, and internal policies, are rarely written in plain language. They’re complex, dense, and sometimes contradictory. But that’s what makes working in compliance so intellectually rewarding. It’s not about blind obedience. It’s about interpretation, application, and optimization.

I’ve always been drawn to how systems are built and how they’re meant to operate. In school, I was fascinated by regulatory frameworks, the process of translating legislation into enforceable rules. However, I also knew I didn’t want to become a politician, a regulator, or a litigator. I wanted to work where the rules meet the real world.

Compliance as puzzle-solving

When I eventually stumbled on internal audit and compliance, I immediately knew that I had found exactly what I had been looking for. This field combines two things I love: following the rules and solving complex problems. Working in compliance is like doing a jigsaw puzzle without a reference picture. You have to reverse-engineer a process based only on the result you’re aiming for, using your knowledge of each part of the business that is impacted to suggest the best policies possible.

Sure, you can look at other businesses to get an idea of what might look best for you, but there’s rarely a one-size-fits-all approach. Once those policies are in place, the real fun begins: testing them.

Testing, tuning, and continuous improvement

Testing internal controls is like shifting from a jigsaw puzzle to a logic game. You’re no longer assembling; you’re validating. You're asking: “What evidence proves this process is working as intended?” And equally important: “Is that evidence sufficient?”

Sometimes, a few samples are enough to give you confidence. Other times, a deeper dive is required. And when you find exceptions or failures? That’s not a setback. It is a new puzzle. Where did the breakdown occur? How can we fix it? And how do we do that without creating new risks elsewhere?

This iterative process of design, test, and adapt is what makes compliance so dynamic. It’s not about catching people doing things wrong. It’s about helping businesses do things right.

A profession with purpose

What drew me to this work is the same thing that made me put down Harry Potter all those years ago: a belief that rules matter. But over time, I’ve come to understand that good compliance isn’t about rigid adherence. It is about thoughtful interpretation, careful application, and continuous improvement. In this field, I’ve found a place where my instinct to research, examine, and optimize is as essential as the rules themselves.

For someone who loves systems, puzzles, and meaningful work, I can’t imagine anything more rewarding.

Audit-Ready TPRM: Aligning Your Third-Party Risk Program with the IIA’s 2025 Topical Requirement

Wed, 04 Jun 2025 16:39:13 GMT

Big changes ahead: The IIA's new third-party requirement could reshape internal audit

The Institute of Internal Auditors (IIA) has released a public consultation draft of its new topical requirement on third parties ¹ , and it’s poised to become one of the most significant updates to third-party risk management in years.

This topical requirement is planned for issuance by Q3, 2025. Once finalized, this new standard will require mandatory conformance for internal auditors conducting assurance engagements related to vendors, contractors, and other third-party service providers.

Is your organization ready?

This update introduces new expectations, and for many audit teams, it raises critical questions:

Can your third-party risk management (TPRM) program demonstrate full lifecycle coverage, from onboarding to offboarding?
Are your governance, control, and risk management procedures clearly documented?
Will your program withstand the increased scrutiny from audit committees and regulators?

If you’re unsure, now is the time to act.

Start with our Readiness Questionnaire

Quickly evaluate how well your third-party risk program aligns with the IIA’s draft expectations. It’s a fast, practical way to identify gaps before the requirement becomes mandatory.

Go deeper with the white paper

Audit-Ready: Aligning Your Third-Party Risk (TPRM) Program with the IIA’s 2025 Topical Requirements

This practical resource maps our proven TPRM white paper to the IIA’s proposed requirements for governance, risk, and control, giving you a clear, actionable framework to evaluate, improve, and document your program.

It’s designed for:

Internal auditors assessing conformance with the new requirement
Risk and compliance leaders building or maturing TPRM programs
Executives seeking stronger board visibility into vendor risk

What’s Inside the white paper:

A plain-language breakdown of the IIA’s draft expectations
A checklist of must-have controls across the third-party lifecycle
A crosswalk between the TPRM white paper and IIA assurance areas
Guidance on documentation, escalation, and board oversight
KPI and reporting strategies to demonstrate program maturity

Take the next step

Don't be caught off guard. Prepare now and gain a critical advantage.

Here’s how to get started:

Download the readiness checklist – Pinpoint gaps in your TPRM lifecycle and assess audit readiness
Get the white paper – Align your program with the IIA’s upcoming assurance requirements
Schedule a readiness review – Meet with our team for a personalized consultation

Resources

1 . International Professional Practices Framework (IPPF) Topical Requirement in Third Party (newly published in April 2025)

Auditing Under Pressure: Strategies for Risk Management in a Volatile World

Mon, 03 Mar 2025 13:49:26 GMT

In 2025, organizations are facing unprecedented challenges, from geopolitical instability to cyberattacks and supply chain disruptions.

These external pressures make maintaining stability and compliance increasingly difficult , and mistakes are inevitable—especially when short-term solutions take precedence over long-term strategies.

Auditors feel the weight of these challenges and the pressure to finalize reports quickly or struggle to secure leadership buy-in for corrective actions.

This is when the risk of poorly written findings, vague remediation plans, and insufficient monitoring becomes more prominent.

Auditors play a vital role in risk management. They can help organizations effectively navigate these pressures by accurately identifying issues, documenting findings, and holding management accountable for remediation.

A key example of this importance is the Wells Fargo Fake Account Scandal

The OCC fined the company’s former chief auditor, David Julian, $7 million for failing to escalate the sales practices misconduct adequately (1) .

We’ve put together a white paper that breaks down how auditors can strengthen their impact and drive real accountability. Here’s a preview of what we cover:

Writing Findings That Drive Action

Define issues clearly, identify root causes, and use a risk matrix to prioritize what truly matters.

Creating Remediation Plans That Work

Ensure corrective actions are specific, measurable, and assigned to the right people with clear deadlines.

Building a Continuous Monitoring Program

Track risk effectively and hold leadership accountable for follow-through. Define and track key metrics.

Get the Complete Strategy

Auditors must balance urgency with thoroughness to drive meaningful improvements in risk management. By implementing these strategies—clear findings, actionable CAPs, and continuous monitoring—auditors can add significant value and help organizations thrive in an increasingly volatile world.

Auditing Under Pressure

Strategies for risk management in a volatile world (deeper dive)

Get the full insights—download our checklist now.

Resources

(1) Wells Fargo Treasury Report on the Auditors

Positive Change on the Horizon: HIPAA Security Updates for Healthcare Cybersecurity

Mon, 03 Feb 2025 13:37:18 GMT

In December 2024, the U.S. Department of Health and Human Services (HHS) proposed significant updates to the HIPAA Security Rule, aiming to strengthen cybersecurity in the healthcare sector.

With 67% of healthcare organizations targeted by ransomware in 2024, the updates are a necessary response to growing cyber threats. The median ransom paid was $1.5 million, excluding investigation and recovery costs, highlighting the critical need for stronger security measures(1).

The proposed changes align with best practices from frameworks like NIST, PCI, HITRUST, and SOC2. The key difference is that, under the new rule, HIPAA compliance will become mandatory for healthcare organizations.

Key changes include:

Annual Asset and Network Inventory: Healthcare organizations must maintain inventories related to ePHI data movement.
Comprehensive Risk Analysis: More detailed risk analysis to identify vulnerabilities in electronic systems.
Contingency Planning: Documenting procedures to restore lost ePHI within 72 hours of an incident.
Mandatory Encryption: Encryption of ePHI both at rest and in transit.
Annual Compliance Audits: Regular audits to ensure security measures are in place.
Multi-factor Authentication (MFA): A requirement for systems handling ePHI.
Vulnerability Scanning & Penetration Testing: Scanning every six months and penetration testing annually.

Your Voice Matters

Healthcare organizations have 60 days to provide feedback before these changes are finalized. This is your opportunity to help shape the future of healthcare cybersecurity.

For more information and to submit feedback, visit HHSHIPAA Security Rule NPRM .

Need Help Adopting These Changes?

At AdviseUp, we’re here to guide you through the process of implementing these updates. Contact us today to learn how we can help your organization stay compliant and secure.

Resources

(1) New HIPAA Rules Mandate 72-Hour Data Restoration and Annual Compliance Audits; The Hacker News; 2025

Choosing a GRC Tool? Here’s What to Look For (and What to Avoid)

Mon, 23 Dec 2024 16:41:59 GMT

Imagine your organization facing a sudden regulatory audit, followed by a data breach, and a pressing compliance deadline—all in the same week.

In today’s complex regulatory environment, organizations face constant pressure from surprise audits and compliance deadlines to data breaches and vendor risks. Without the right infrastructure in place, risk and compliance efforts become fragmented, manual, and reactive.

That’s where a well-chosen GRC (Governance, Risk, and Compliance) tool can make all the difference.

GRC tools help organizations centralize compliance, automate controls, and gain real-time visibility into risk, yet too often, companies rush into selection without a clear strategy. This can lead to tools that are poorly configured, underutilized, or ultimately abandoned.

We’ve seen this story play out before:

That’s why it’s critical to approach GRC tool selection strategically.

Here’s a preview of what we cover in our downloadable checklist:

Make the Right Choice the First Time

Selecting a GRC tool isn’t just a tech decision—it’s a critical part of your risk management strategy.

Get the complete checklist to guide your process and avoid costly missteps.

As industry audit leaders with firsthand experience implementing GRC tools, we know what it takes to choose the right solution for your organization’s unique needs. Our expert, unbiased guidance will help you streamline the selection, implementation, and monitoring processes.

By using this checklist, you’ll avoid common pitfalls, prioritize essential features, and ensure the tool you select not only meets your current needs but also scales for future growth. With our actionable insights, you’ll gain the confidence that your GRC solution will set your organization up for long-term success in managing compliance, risk, and governance.

A Vendor-Agnostic Checklist for Your GRC Implementation

Our checklist will help you select and implement the right tool.

Get the full insights—download our checklist now.

Turning Today's Security Trends Into Strategies for Tomorrow

Mon, 14 Oct 2024 22:21:41 GMT

In 2023 and 2024, we witnessed a staggering 72% increase in data breaches. U.S. companies are now facing an average breach cost of $9.36 million(1). While cybersecurity and compliance budgets are on the rise, these investments are not keeping pace with the accelerating threat landscape.

As of 2024, AI adoption has surged to 72%(2), prompting regulators to respond with stricter regulations that will impact business models and long-term strategies.

To stay ahead of these challenges, organizations must adopt comprehensive, year-round security strategies, elevate cybersecurity discussions to the Board level, and invest in robust controls.

Key Takeaways from the Cybersecurity Awareness Month Webinar

On October 8, 2024, our CEO, Dorina Hamzo, participated in a webinar focused on enhancing cybersecurity awareness.

"I know that it can be challenging when drafting your cybersecurity strategy and plans to determine if they will hold true in 6-7 months," she remarked. "Some of the information and advice in this webinar are examples of what we offer to our customers, serving as a second set of eyes to validate that what they design today will still be effective tomorrow."

Here are some key takeaways designed to help organizations secure their assets while ensuring compliance:

Emerging Technologies and Practices Shaping Cybersecurity Strategy in 2025

AI Technology Disruptions and Governance: As AI tools become more prevalent, it’s crucial to establish strong governance frameworks.
Stricter Data Management : Breaches involving shadow data take an average of 26.2% longer to identify and 20.2% longer to contain, highlighting the need for comprehensive data oversight(1).
Third-Party Risk Management : As companies rely more on external partners, managing third-party risks becomes essential.
Resource Shortages : The ongoing shortage of cybersecurity professionals necessitates innovative staffing solutions.
Adoption of Enhanced Controls : With regulatory changes on the horizon, companies must invest in more controls to maintain compliance.

Building a Year-Round Security Strategy

A proactive year-round security strategy should include:

Risk Management Activities: Regularly assessing the risk landscape allows for timely adjustments to strategy and budget.
Cultural Integration of Security: Consider adding key security metrics to corporate scorecards, reinforcing that security is everyone’s responsibility.
Security Audits: Investing in annual independent security audits might seem daunting—who enjoys being audited? But these assessments can be incredibly valuable, especially when shaping your security strategy. Think of them as a supportive tool to help you evaluate the effectiveness of your approach and the overall health of your security measures.

Addressing AI Risks and Governance

The rapid development of AI tools must be approached with caution. With the development of AI technologies, without a balance of emotional intelligence (EQ) alongside intelligence quotient (IQ), organizations may face many risks, including economic inequality, security vulnerabilities, and privacy violations.

Improving the company’s position and strategy around the adoption, development, and protection of AI usage can be done by addressing a number of governance questions including:

What guardrails are in place to ensure AI is used safely and ethically?
Which AI use cases should the company adopt or avoid, and why?

Navigating Regulatory Changes

The recent overruling of the Chevron Doctrine by the Supreme Court signifies that courts will no longer defer to federal agencies' interpretations of federal statutes.

Companies and boards should brace for increased regulatory scrutiny, necessitating a proactive regulatory strategy. Consider the long-term impacts of these changes on business models and the risks and opportunities they present.

Cultivating a Culture of Security

While the culture of compliance is often discussed, the culture of security deserves equal attention. A secure organization is inherently compliant, and a compliant organization prioritizes security.

Key Elements of a Strong Culture of Compliance and Security

Tone from the Top: Leadership must convey that compliance is not merely a “necessary evil” but a core value.
Strong Bias for Action: Issues should be addressed promptly and effectively.
Proactive Adoption of Regulations and Standards : Staying ahead of compliance requirements is essential.
Adequate Resources for Compliance Programs: Proper funding and resourcing ensure effective implementation.

Strategies for Year-round Threat Prevention Webinar

How AdviseUp Can Help

At AdviseUp, we are hands-on partners offering individualized services to help organizations strengthen their security and compliance posture. Our offerings include:

Risk Assessments: Identify vulnerabilities and develop tailored security strategies.
AI Governance: Establish frameworks for ethical AI use and technology investments.
Regulatory Compliance : Navigate complex regulations like ISO 42001 to ensure compliance.
Third-Party Risk Management : Assess and manage risks associated with your vendors.
Security Culture : Foster a culture of security by integrating security metrics into corporate goals.
Training Programs : Equip your team with the knowledge to recognize and respond to threats.

Let’s make security and compliance work for you!

Resources

(1) Cost of a Data Breach Report 2024 ; IBM

(2) The state of AI in early 2024: Gen AI adoption spikes and starts to generate value ; M cKinsey

ERM in Focus: Why CEOs are Demanding Better Risk Management

Sat, 05 Oct 2024 01:11:32 GMT

In 2019, only 31% of respondents to the “State of Risk Oversight” report by AICPA (1) described having a complete Enterprise Risk Management (ERM) program in place. Why?

Although understanding and managing risk has tremendous benefits, 5 years later, ERM programs are still lacking maturity with only 34% of respondents having complete programs.

Several drivers are increasing the need for an effective risk program, including a spike in the volume and complexity of risks, as well as operational surprises.

The good news is that according to the "2023 State of RiskOversight" report(2), “CEOs are calling on other senior executives to increase their level of engagement in risk management, especially those in large organizations or public companies.”

In a prior ERM case study(3) I published in the Internal Auditor magazine titled "In Line with Risk," I identified the following key drivers impacting the maturity of risk programs:

Pervasive knowledge gap in what a good ERM program looks like and its benefits, and

Risk management performed ineffectively or as a check-the-box activity, reducing organizational adoption.

In this article, I will provide an overview of the pain points, barriers, and solutions that can help your organization elevate its enterprise risk programs.

Key Observations and Pain Points

When trying to understand why over 65% of surveyed organizations do not have complete ERM programs, several overarching themes emerged from the data that can be categorized into three main areas:

“The Gray Rhino of Cultural Risk” (4) corroborates this data and points to broader cultural risks that ERM should be uniquely suited to address, but adversely ends up as bottlenecks to ERM maturity such as:

Resistance to change.
Challenges in sustaining culture in the current work environment.
Culture does not encourage the timely identification and escalation of risk issues.
Organization is not sufficiently resilient or agile to manage an unexpected crisis.

Companies need to address these factors with both top-down and bottom-up solutions to maximize the benefits offered by a full ERM program.

AdviseUp Insights

AdviseUp has identified three main barriers that contribute to an organization’s ability to develop and embrace a robust ERM program.

It’s not a mandatory function, but it should be.

ERM is not a mandatory function in corporations the same way Internal Audit is. More specifically, Internal Audit is a function required for all publicly traded companies, companies working with federal programs like CMS, and regulations and standards such as ISO 27001. An independent ERM function is currently a nice to have, instead of a must-have, which affects cultural attitudes and therefore impacts the ability for it to be fully embraced.

The roles of Auditors and Risk Managers need to be clearly defined.

In many companies, risk management is performed by Internal Auditors. Those roles are distinctly different. Internal auditors should be “customers” of the ERM program and not facilitators. Additionally, auditors do not always have a strong understanding of the ERM frameworks, as risk training is not common for auditors.

ERM lacks standardization because it is a new practice.

There are several ERM frameworks that a company may choose to adopt. However, there is a lack of unified standards outlining not only the key components of ERM programs, but also the minimum requirements for implementing, managing, and improving them.

As a result, the implementation of a solid ERM program is solely dependent on the knowledge of the person leading it.

These observations are crucial to address when it comes to future ERM acceptance and maturity. In doing so, corporations can create an integrated and proactive approach to risk management.

Solutions

Macro Level Solutions

The formation of a single internationally recognized set of standards around the structure, independence, qualifications, and implementation of the program
Regulators making ERM a mandatory function like Internal Audit

Micro Level Solutions

Adopting an ERM framework. The most commonly adopted framework is COSO ERM. Offer ERM training to the program team members and selective Internal Auditors. A great source for ERM training is the NC State Enterprise Risk Management Initiative.
Perform a gap analysis and identify the current maturity level and the next desired maturity level
Invest the time in developing a risk register and risk taxonomy that allows your organization to identify risks at the most granular level
Map controls and internal audit findings to the risks
Risk assessments are meant to capture the voice of the organization. Therefore, your first risk assessment must be a bottom-up and top-down assessment, to allow for the creation of a strong risk profile foundation.

Key phases to implement an integrated ERM program

Next Steps - Call AdviseUp

Navigating the world of risk management can feel challenging, especially if your company does not have a formal ERM program in place.

However, ERM remains a highly effective tool at protecting your assets and remaining agile in today’s fluctuating market.

A functioning, mature ERM program can help your company, support better decision making, break down silos, adapt to changing conditions, and not only protect, but also create value.

If you don’t know where to start, contact AdviseUp. We provide expert risk management consulting services with decades of practical, on-the-ground experience building and implementing risk programs.

Start preparing your business for the future today.

Resources

(1) 2019 State of Risk Oversight Report , NC State University, in partnership with the AICPA

(2) 2023 State of Risk Oversight Report , NC State University, in partnership with the AICPA

(3) In line with Risk ; Dorina Hamzo; Internal Auditor; 2019

(4) The Grey Rhino of Cultural Risk - Charles Follet, Business Ingenuity

(5) NC State Enterprise Risk Management Initiative

Operational and Regulatory Compliance Made Easy

Sat, 28 Sep 2024 00:43:36 GMT

Organizations need to adhere to regulatory and operational requirements to create a secure and ethical environment.

However, there are challenges in adopting these requirements. These challenges include:

Remaining current with the changes across multiple jurisdictions and laws
Difficulties understanding and translating complex regulations into business requirements
Viewing compliance as a financial burden
Creating processes and maintaining compliance agility for sustainability over time
Finding and retaining qualified resources to establish and maintain compliance
Responding to potential violations and non-compliance issues

Despite its challenges, compliance comes with many benefits. Here are some examples.

AdviseUp’s tips for addressing compliance challenges

Remaining current with the regulatory changes:

Keep up with regulatory news sources: sign up for news alerts from the authoritative bodies related to the regulations or standards your company has adopted.

Not sure where to look? Here are the top compliance regulations and standards and their governing agencies below.

Difference between standards and regulations

External advisors and auditors: Possess extensive knowledge of regulatory requirements and can be an asset in understanding newly released changes and their applicability to your company.

Governance, risk, and compliance (GRC) software: GRC software offers services that alert users of regulations and standard changes. The tool can be customized based on specific regulatory bodies.

Understanding and translating complex regulations into business requirements.

Engage a subject matter expert: The right partner can help you understand the requirements and what they mean for your business. This is critical at the beginning of your adoption journey and when there are regulation changes.

Gap analysis: Review existing practices and adoption due dates. It is beneficial to engage your compliance and legal team during this process.

Develop a roadmap: Identify the additional work that should be done. Make sure to consider existing processes that can support your compliance posture to avoid unnecessary work.

Avoiding compliance becoming a financial burden.

Check-the-box compliance is a financial burden. You are paying resources and maintaining processes that do not protect your company. Compliance requirements, if used wisely, can serve as a comprehensive guide for managing a company, integrating new technology, and pursuing a merger or acquisition.

Useful Metrics: Develop compliance metrics to measure the benefits to the company.

Ensuring compliance is sustainable over time.

Compliance integration : include your compliance and audit teams in the company's major projects and initiatives so that they can appropriately adapt and scale controls to the company's needs.

Work with AdviseUp

Ensuring that your organization meets regulations and standards is crucial for its safety and success. We understand that navigating compliance can be difficult, but we are here to make it easier for you.

Start preparing your business for the future today.

Resources

How Agile Auditing Saved a $3M Project

Fri, 13 Sep 2024 02:52:36 GMT

As organizations face unprecedented changes—ranging from rapid technological advancements to evolving regulatory landscapes—traditional audit methods are increasingly falling short.

Agile auditing offers a dynamic approach that can address these challenges more effectively by providing real-time feedback and enhanced flexibility.

Yet despite its advantages, only 26% of internal audit functions have embraced Agile principles fully (1) . This slow adoption can be attributed to several barriers:

Lack of Knowledge : Limited understanding of Agile methodology and its application.
Resistance to Change : Reluctance from both auditors and management to shift from traditional practices.
Integration Challenges : Difficulty in adopting the Agile operating model within organizations that have yet to adopt Agile methodologies more broadly.

However, adopting agile auditing can significantly reshape the landscape for organizations willing to embrace this approach. To provide more detail on the agile method as applied to internal audit, we'll walk through some agile audit basics and conclude with a real life agile audit success story.

Agile: Going Beyond Waterfall

Agile is a project management methodology that emerged in 2001, originally designed by software developers to overcome the limitations of the traditional waterfall approach. Unlike the rigid waterfall method, Agile promotes iterative progress through continuous feedback and flexibility. Waterfall is a methodology more widely adopted in finance, audit, and compliance due to external reporting requirements imposed by regulations.

Key Agile Principles Applied to Auditing

Agile methodology uses 12 guiding principles (2) that support teams in implementing and executing with agility and several of them are very beneficial to conducting audits.

Customer Satisfaction : Principle 1 is focused on satisfying the customer through the early delivery of services. In an audit context, this translates to timely delivery of results to improve the value to stakeholders.
Collaboration : Principle 4 is focused on business people and developers working together daily throughout the project. In an audit context, this translates to continuous engagement with business units to ensure that audit activities remain aligned with their evolving needs.
Motivated Teams: Principle 5 is about building projects around motivated individuals. Give them the environment and support they need, and trust them to get the job done. In audit, this translates to hiring motivated people and nurturing them to deliver excellent results.

Adopting the Agile Methodology in Internal Audit

Adopting the agile methodology as the audit operating model can be challenging especially if the rest of the organization operates differently. However, audit functions can easily adopt an iterative process at least in the following two areas:

Risk Assessments:

Integrate audit findings with enterprise risk management programs to promptly identify and address new risks, allowing for adjustments in the audit plan. Discover simple tactics to evolve your risk program in our blog titled “ ERM in Focus: Why CEOs are Demanding Better Risk Management ”.

Audit Projects :

Implement Agile principles in large-scale projects by using iterative reviews, short reports, frequent validation of observations, and continuous feedback loops. This approach enables auditees to address findings as they arise, rather than waiting until project completion. Examples of those projects include organization-wide ERP or HRIS system implementations.

We suggest, however, that the agile methodology should not be applied to all audits. For instance, internal controls testing has timeline constraints and prescriptive testing methodology imposed by external standards.

Benefits of Agile Audits

Increased Efficiency, Engagement and Satisfaction : Results from a Deloitte survey in 2021 showed promising evidence that Agile IA is helping functions to achieve better impact, faster insight, and happier and more engaged stakeholders. (5)

Improved Quality: According to 82% of internal audit professionals, continuous feedback mechanisms inherent in Agile projects significantly enhance audit quality. ( 4)

Overcoming Adoption Barriers

To successfully adopt the agile methodology in internal audits, consider the following strategies:

Pilot Projects : Start with audit projects to demonstrate Agile’s value and build momentum.

Training and Workshops : Offer targeted training to bridge knowledge gaps and foster a culture of innovation.

Process Documentation: Ensure that the agile process is well documented and understood by the audit team.

Clear Communication : Your stakeholders are more likely used to the traditional waterfall audit process. Therefore, it is important to articulate the new process and benefits of the Agile methodology.

AdviseUp Case Study: Agile Audit in Action - How Agile Auditing Transformed a $3M Project and Avoided Penalties.

A Massachusetts-based healthcare payer with $2.6B in revenue embarked on a $3 million claims-processing implementation with a tight one-year deadline — when most projects like this take up to two and a half years.

The stakes:

Missing the deadline would mean regulatory penalties and enrollment suspension.

How we helped: Real-time action

We divided the audit into sprints aligned with the project phases to address critical risks before they snowballed.
We aligned audit scopes with project milestones, offering leadership peace of mind that the project was on track.
We provided guidance to address findings quickly and ensured project team resolved them before the next sprint began.

The outcome: On-time resolution

The project was completed on time with minimal issues and avoided CMS regulatory penalties.
The audit team provided the management and Board of Directors with concise and actionable reports after each sprint, allowing them to prioritize resources as needed.
The project team took action in real time to minimize liability.

Concluding Thoughts

Agile isn’t just a buzzword reserved for software devs or trendy tech startups anymore, the agile methodology presents considerable benefits for internal audit functions. While we never recommend following audit trends blindly, at face value, agile internal audits can empower organizations to navigate the constantly evolving risk landscape more effectively.

By adopting agile principles, internal audit teams can increase their efficiency, reduce documentation burdens, foster collaboration, elevate stakeholder engagement, and provide valuable insights- ultimately establishing themselves as essential strategic partners in driving organizational success.

How AdviseUp Can Help

If you don’t know where to start, contact AdviseUp.

AdviseUp provides expert internal audit consulting services with decades of practical, on-the-ground experience building and transforming audit programs. Start preparing your business for the future today.

Resources

(1) Adapting Agile to internal audit; KPMG; 2022

(2) Agile 12 Principles; Agile Alliance

(3) Building assurance with Agile; D&T

(4) Global Audit Quality Report: a commitment to continuous improvement; E&Y; 2024

(5) Agile Internal Audit four years on, better, faster, happier? A retrospective; Deloitte; 2021

How to Overcome a Material Weakness

Thu, 16 May 2024 21:57:28 GMT

When a company faces a material weakness (MW) due to ineffective internal controls, it can result in a myriad of unwanted consequences. However, it can also be an opportunity to identify new ways to become more efficient and build stronger governance.

When undetected, MWs can create disruptions and material consequences for a company. Some examples include:

The shift in management’s focus away from the initial strategy
Potential financial restatements and decrease in company valuation
Increase in audit fees by an average of 150 percent (1)
Leadership turnover (over 62% of CFOs who reported deficiencies resigned or were pushed out of their organization)

This article provides the key information your company needs on relevant control frameworks, control deficiencies, leading causes, and solutions.

Internal controls regulatory landscape

Internal control frameworks include a set of processes that help organizations design, implement, and evaluate compliance with controls. The end goal is always to create and preserve value for an organization while managing and minimizing risk.

There are three types of internal controls (2) :

Financial controls
Operational controls
Regulatory and compliance controls

In today’s world, businesses rely more and more on complex tech systems for the data used to support the management of their financial and operational functions. In addition, they are also reliant on their internal control systems to be able to address the significant risks posed by flaws and deficiencies in their tech systems, such as fraud or asset loss.

Financial controls’ regulatory landscape:

SOX (3) : The Sarbanes-Oxley Act (SOX) is a federal law requiring publicly traded companies registered with the Securities and Exchange Commission to include internal controls for processes and systems impacting financial reporting. SOX laws aim to ensure accurate and reliable financial reporting and build trust with investors. To comply with SOX, companies must establish internal control over financial reporting (ICFR).
ICFR (2) : Internal control over financial reporting (ICFR), consists of those controls that support and enforce the accuracy, reliability, and integrity of a company’s financial statements. Part of ICFR includes following generally accepted accounting principles (GAAP).
COSO (4) : The Committee of Sponsoring Organizations of the Treadway Commission (COSO) internal controls framework is used by US companies to assess and report on the design and operating effectiveness of their ICFR. COSO provides detailed guidance to managers when designing or mapping internal controls when used for audit risk assessments and by risk management teams.

There are several frameworks that can assist companies with developing and refining their operational and compliance controls. Here are a few examples.

COBIT (5) : The Information Systems Audit and Control Association (ISACA) developed the Control Objectives for Information and Related Technology (COBIT) framework which is designed for IT governance and management.
ISO (6) : The International Organization for Standards creates ISO frameworks on a wide variety of topics. The most commonly used ISO frameworks for internal auditors are ISO:9001 for quality auditing and ISO:27001 for security management.
Service Organization Controls (SOC) (7) : The American Institute of Certified Public Accountants (AICPA) has created the SOC reporting framework. There are three types of SOC reports:
SOC 1 is an attestation of controls at a service organization covering an entity’s internal control over financial reporting.
SOC 2 covers the entity’s security controls plus any of the following additional domains: availability, processing integrity, confidentiality, or privacy.
SOC 3 covers the same areas as SOC 2 but with less details. Therefore it can be freely distributed to the public.

Three types of control deficiencies

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect risks on a timely basis.

Additionally, control deficiencies can rise to a significant deficiency or material weakness.

A significant deficiency (8) is a deficiency, or a combination of deficiencies, in internal control over financial reporting, that is less severe than a material weakness yet important enough to merit attention by those responsible for oversight of the company's financial reporting.

A material weakness (8) is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.

Current trends

A study done by KPMG in 2023 reveals that MW disclosures increased from 4% in 2021 to 7% in 2023 (9) . The leading causes for the MWs included:

Insufficient or inexperienced accounting personnel
Lack of financial reporting oversight and review processes
Lack of appropriate procedures
Software, security, and access management

Moreover, there is usually more than one overlapping issue or challenge.

These trends are especially critical for pre-IPO companies to pay attention to. Companies that establish SOX compliance before going public have less risk of identifying and reporting a material weakness once they become public.

AdviseUp’s recommendations for remediating material weaknesses

Material Weakness Remediation Phases

It takes companies an average of one year to properly remediate a material weakness. Therefore, if you discover a material weakness, it’s important to jump into action right away to remediate it. Here are some important considerations:

Treat this initiative as a proper project, allocating dedicated internal resources to ensure its success.
Set the right tone from the top so that teams take controls seriously and develop remediations not to just satisfy your auditors but to improve your processes.
Engage subject matter experts who are willing to not only recommend improvements but to roll their sleeves and get their hands dirty.
Scope, Scope, Scope! Evaluate your scope of processes and systems to ensure that your remediation efforts are accurate and effective without going overboard.

AdviseUp has developed a comprehensive playbook that will help you in the process. Work with the experts at AdviseUp today!

Resources

(1) How a Material Weakness Can Cost You ; Stephen Taub; CFO; Nov. 19, 2004

(2) A layperson’s guide to internal control over financial reporting (ICFR) ; Kayla J. Gillan; PCAOB; March 31, 2006

(3) H.R.3763 - Sarbanes-Oxley Act of 2002

(4) Committee of Sponsoring Organizations (COSO)

(5) Control Objectives for Information Technologies (COBIT)

(6) International Organization for Standardization (ISO)

(7) AICPA SOC Standard Overview

(8) PCAOB Control Deficiencies Definition

(9) Trends in Material Weakness; KPMG; 2023

So, You Want to Take Your Company Public?

Fri, 22 Mar 2024 14:33:41 GMT

Initial Public Offerings (IPOs) can be the biggest decision a company will make and it does not come without its fair share of obligations and risk.

In 2023, there was a 42% increase in the number of IPOs on the US exchange compared to 2022 as reported by EY(1). The market is feeling the same level of optimism in 2024 and beyond. So, if you are a company that is considering going public, we are here to help you succeed.

Keep reading to understand more about the IPO process - the good, the bad & the ugly - along with its requirements, benefits, and our governance readiness playbook.

What is an IPO and what are some of the obligations?

An Initial Public Offering, also known as a stock launch, is when companies sell shares to institutional and retail investors publicly for the first time (2) .

IPOs can be the next leg of the hard-earned journey of a company that has created a successful and unique business model and is entering a new stage of growth by becoming publicly traded.

Typically, the decision to enter the public market comes after companies reach a certain revenue growth (typically $100M or more), and establish a growth path as well as a governance structure to meet the obligations of going public.

Some of these obligations include:

Meeting all the requirements of the stock exchanges you’re listing on, as well as the Securities and Exchange Commission (SEC).
An established corporate governance framework - including ESG considerations and Sarbanes-Oxley Act of 2002 (SOX) compliance.
Disclosure of financial statements, contracts, customers & suppliers, etc.
Financial reporting requirements.

What are the benefits?

Increased capital for research and development and the ability to raise more capital in the future.
Increased visibility, leading to more credibility with investors.
Employee attraction with enhanced company awareness, branding & the ability to offer competitive compensation packages with your stock.
Liquidity through public stocks for employees and investors.
Ability to acquire other companies with public stock.

Why do some companies not succeed?

Some of the world’s biggest and most successful IPOs, like Saudi Aramco, Alibaba, and Softbank, have generated tens of billions of dollars (3) . However, success isn’t guaranteed. Infamous IPO flops that prove that point are WeWork, ETSY, Uber, Casper, and Robinhood (4) .

On the flip side, a flop is typically when the stock price dips below the set opening share price on the first day of trading, and initial valuations are not met.

However, IPOs typically only fail for a handful of reasons.

Wrong valuation - the price is set too high to attract investors without real legs to stand on.
Wrong timing to attempt to go public.
Underlying issues with the company’s fundamentals, especially its core processes and governance structure.

IPO readiness

A successful IPO starts with IPO readiness. Our best advice is to start this process well in advance, at least 9 months before filing for an IPO.

It’s important to note that IPO readiness goes beyond starting the filing process and favorable market conditions, it also involves evaluating your resiliency and sufficiently mitigating key risks.

Consider the following readiness questions which were developed by CEOs and CFOs with Deloitte (5) , and endorsed by the team at AdviseUp:

Are you consistently developing and meeting internal forecasts?
Can you articulate established KPIs as well as GAAP measures?
Is your growth strategy clearly defined? Are you currently delivering on it?
Do you have a robust internal financial organization or plan to build one? Or do you have the capital to meet the aggressive reporting requirements of an IPO?
Do you have an established governance framework or plans to get there?

The IPO playbook for your company’s needs

Every IPO process comes with unique challenges but the good news is - you don’t have to reinvent the wheel. Becoming publicly traded can feel like a huge deal - and it is, but the process itself has measurable steps to take, as well as tried and true playbooks to follow.

Download our governance playbook to help you on your IPO readiness journey!

Resources

(1) https://www2.deloitte.com/nl/nl/pages/audit/articles/what-is-an-ipo.html

(2) https://www.ey.com/en_us/ipo/trends/q4-2023-ipo-market-trends

(3) https://www.investopedia.com/articles/investing/011215/top-10-largest-global-ipos-all-time.asp

(4) https://www.sofi.com/learn/content/ipos-that-failed/

(5) https://www2.deloitte.com/us/en/pages/audit/articles/public-company-ipo-spac.html

Third-Party Risk Demands First-Priority Attention

Sat, 23 Dec 2023 02:11:32 GMT

Third-party collaboration has evolved into a necessity for most businesses in today’s market. However, the challenges of managing third-party risk programs can be overwhelming.

This article will cover how business leaders can address their third-party risks by providing an overview of the third-party oversight landscape, regulatory obligations, key implementation challenges & solutions.

Overview of Third-party Risk Management Programs

Third parties which are often referred to as vendors or suppliers can be defined as business entities or individuals that provide products or services directly to an organization or its customers on the organization’s behalf.

Third-party risk management programs (TPRMs) help businesses select the right third parties that can help them meet business objectives while protecting their data. Implementing an effective TPRM also drives compliance throughout an organization’s ecosystem.

Regulatory Compliance Landscape

Third-party risk management is required in many industries. Organizations handling sensitive and protected information will often be required to comply with one or more regulations.

Some example of regulations, standards and frameworks requiring management of third party risks include:

CCPA
HIPAA Final Rule
HITRUST
MA data security lawISO 27001
GDPR
PCI

Still, effective risk management is still lagging, evidenced by the hundreds of data breaches and ransomware attacks happening every year caused by ineffective control and security standards.

Our interconnected business landscape means one company’s data breach could become your headache.

Challenges

Organizations often face difficulties establishing and maintaining a TPRM due to several internal challenges including:

Adoption: Due diligence delaying business initiatives.
Program effectiveness: Lengthy questionnaires are often not acted on by the due diligence teams.
Scalability: The need for third-party services grows faster than internal program resources.
Legacy vendors: Without contracts and proper security protection.

Although there is a margin for error when it comes to the complexity of third-party risk management, there are simple solutions that can help executives sleep better at night, knowing they are proven to be effective at mitigating third-party risk!

Solutions

The secret to successful third-party risk management programs: data-driven due diligence and monitoring programs that tie to your resilience and enterprise risk management program.

Data collected through a solid due diligence program will become a critical asset for your AI systems to better predict risks associated with third parties and recommend sound decisions.

1. Due Diligence

Develop a cross-functional program with representation from various relevant teams in th e organization.
Centralize the due diligence process (one-stop shop for business owners).
Focus your due diligence process on vendors that “touch” your critical data, not every vendor in your procurement system.
Use a tiered risk approach, as the risk level associated with the vendor should determine the review effort.
In the early stages of your due diligence program, establish short and concise due diligence compliance questionnaires.
Based on the due diligence results, incorporate key security, resilience, and audit terms in the contract phase.

Tips to improve the vendor questionnaires

2. Business Continuity Planning (BCP)

Tie the vendor due diligence stage with your disaster recovery and BCP program to identify all new vendors that might impact your program
Capture their Recovery Point Objective and Recovery Time Objective commitments before signing the contract.

3. Monitoring

Consider quarterly performance monitoring.
Implement an annual compliance Review

4. Enterprise Risk Management

After the due diligence and monitoring phases, tie the third-party observations and remediations to your risk register to keep your risk profile up to date.
With time, the risk data will be useful to predict which third parties to engage and retain in your supply chain database.

5. Reporting

Regular reporting shouldn’t fall by the wayside! It’s important to formalize reporting on several key performance indicators as well as outline progress, current and ongoing risks and flag any pertinent issues to management and the Board.

Critical vendor contract terms

It’s not too late to implement your program

By properly implementing a third-party risk management program with the right oversight in place, companies can strike a healthy balance between regulatory compliance and business owner satisfaction.

If your company needs TPRM services, AdviseUp can help. We are an audit, risk, and compliance consulting firm that goes beyond checking the compliance box.

Start preparing your business for the future, today.