Audit Trends 2010: Warren Stippich Jr., Grant Thornton
Warren Stippich Jr., Practice Leader of the Chicago Business Advisory Services Group of Grant Thornton LLP, discusses:
Stippich has over 18 years experience working with multi-national, entrepreneurial, and high-growth companies. He brings experience to the business risk consulting and internal audit services areas from both the public accounting firm and industry perspectives. He leads many Sarbanes- Oxley consulting and internal audit services projects for a wide-array of publicly traded businesses with international operations. He has worked extensively with international internal audit, Sarbanes-Oxley and business consulting assignments in Europe, China, Southeast Asia, Central and South America and Canada.
TOM FIELD: What is the state of internal auditing as we end 2009, and what are some of the trends to look forward to in 2010? Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today with Warren Stippich. He's the practice leader of the Chicago Business Advisory Services Group with Grant Thornton. Warren, thank you so much for joining me.
STIPPICH: My pleasure. Happy to be here.
FIELD: Just to give our audience a bit of context, why don't you tell us a little bit about yourself and your work at Grant Thornton please?
STIPPICH: Sure, I would be happy to. I am the partner in charge of the Business Advisory Services practice here in Chicago. I am a practicing partner, as well as the supervising partner for this practice area, and I deal with clients, boards and audit committees on a regular basis. I am CPA and a CIA, and I have been practicing for nearly 20 years in the risk and controls space. My background has a combination of external audit in it from Arthur Andersen days, as well as being a chief audit executive for a large public company in the Chicago area where I had global responsibility for internal audit and global risk consulting.
FIELD: Fair to say, Warren, that you have been busy the last year or so?
STIPPICH: Have been busy. I've been busy the last seven years. Absolutely.
FIELD: Warren, in terms of information security, let's get to the fundamental question I asked up front. What would you say is the state of auditing as we end 2009?
STIPPICH: There is a lot of different ways we could go with that question, but I am going to try to keep it focused on a couple of hot topics or a couple of ideas that really come to mind when we talk about information security and the state of auditing.
As we see, there is a lot of compliance pressure on all organizations, but particularly key for certain industries such as healthcare, financial institutions and financial services. That doesn't mean to say that other industries such as manufacturing or retail are excluded because they certainly have their own, such as PCI compliance with credit card type information, but we tend to see these industries I mentioned (healthcare, financial institutions and financial services) with a lot of different things coming down on them.
For example in the healthcare area, there is the HIPAA High-Tech penalty for non-compliance of breach notification requirements that is going to kick in in February 2010. and that is really going to affect healthcare payers, providers, billers and collectors. And as you can see, HIPAA High Tech is going to require some readiness and then some ability to be able to comply with the rules and regulations there.
I already mentioned PCI certification and PCI compliance, which is going to affect retailers, higher education, hospitality, and other areas, and certainly those two areas are complicating the day to day lives of those IT organizations and internal audit organizations.
Additionally, this concept of cloud computing, I believe, presents significant new challenges for internal audit, as well as management and IS departments, as organizations and auditors try to get their arms around this cloud-computing concept. The name in and of itself kind of leads to some ambiguity, and I think as we push further ahead in time we will be able to get a bit more clarity on that.
And then, of course, there is always the basic IT control issues, and as we have come past the last 18 months of the economy with reductions in force and compromising potentially segregation of duties, IT departments I think have been especially exposed to that area and those reductions as organizations have looked to cut payrolls.
FIELD: So, Warren, as you have looked at organizations, where do you find them to be most vulnerable today?
STIPPICH: Well, you know I want to qualify a little bit about vulnerable to what? If we are going to talk about breaches, for example, or a fraud, then I go back to looking at the past 18 months of perhaps reductions in force, it could be the downturn in the economy, reorganizations due to economic pressures and what have you. And really, vulnerability focused on segregation of duties that may have even caused the challenges I see. In many cases, driving vulnerability in risk and organizations and all of those vulnerability issue leads to a risk of fraud, misappropriation or other type of unwanted behavior.
Overseas for example, Foreign Corrupt Practices Act and overseas and international risks, I think, are on the rise and potentially increasing just because maybe there aren't as many people to monitor that. I would say strategic vulnerability at the highest levels within an organization as you look broadly across the strategy; is the strategy firing on all cylinders? Another vulnerability would be around product and product development. Is the product at a certain stage in its life cycle that could create some downturn for our company and are they aware of product vulnerability?
Technology vulnerability, I think, is always something -- not just the controls aspect of technology, but also the functionality, the usability and is it meeting the goals and the objectives of the organization and the organizations operations?
And then, of course, people. I really think the people aspect of what is going on in today's marketplace and in the industry across the board. What is going to happen when the economy improves? Are people going to move? Are people going to jump because they are going to look for a better opportunity? Maybe compensation has been held flat for a couple of years, and maybe there have been reductions in compensation, maybe bonuses have been nonexistent, and we run a people risk, I think, that they may look about and try to see if there is something else out there.
FIELD: Now you mentioned a number of different industries. Do you see any particular industries that are stronger than others in terms of auditing?
STIPPICH: Well, historically I would have to say that because of the regulations that have been around, and I would probably say in addition to Sarbanes-Oxley, I would have to say healthcare, banking, insurance and other financial services, simply because of the regulations as they have been in existence. Many of the regulations have focused on the internal accounting and the internal controls of those industries I mentioned. And I certainly think though there are certainly additional layers of regulation on those industries as they have been coming through the past.
You know, as we look to the future, I know that there are grumblings and debates on Capital Hill and in Washington with what will Congress do to further regulate certain industries that may allegedly have been a contributor to some of the downturn in the economy. I think that that's up to debate and will go forward with time.
My comments here are really limited to those areas that are regulated. As we saw with the Wall Street situation and the economic downturn there has been a lot of complexity with investment products, whether it is mortgaged backed securities or swaps, broker/dealer issues, things that are not necessarily back office compliance issues or accounting, financial statement accounting issues, but more product delivery issues because these financial instruments that are bought and sold are really products that the accountants keeping books and records for the large investment banks, or a larger mutual fund, maybe they weren't focused on the product side of it but were focused on keeping the books.
So this type of regulation, I think, may evolve and come forward as we go through. I am still not sure if audit committees are fully asking all of the correct questions around deeply convoluted areas. Again, not so much looking inward on accounting, but convoluted areas of going to market and what are the products being sold and if they are financial instruments or a financial product or some sort of wrapped convoluted type of instrument, do the communities understand the inherent risks around that.
FIELD: Let's look ahead to 2010, and as you are looking ahead to the new year what types of trends do you foresee in audit?
STIPPICH: As I look at internal audit groups around the country and even talk to my colleagues globally, I see a rebuilding going on related to skills, talents and people. I am seeing a bit of focus or a bit of shift this year to try to get back to some basics on financial and compliance auditing, but not back to where we were probably 24 months ago, which was the last seven or eight years that have been a heavily financial and compliance driven internal audit location if you will, primarily driven by Sarbanes-Oxley and other types of regulations along those lines. I am seeing internal audit being called in to comment on ERM, so that trend I think will continue. Certainly internal audit will play a broad role in ERM from the heavy facilitating role, enterprise risk a management facilitator to something that is more of monitoring the program that the organization is running.
I am seeing internal audit getting calls to focus on operational audits, licensing audits, and audits that may drive financial recovery of some sort. So again, not just traditional Sarbanes-Oxley financial driven audits, but broader in nature. Really operational is something that I am hearing a lot of CEO's and audit committees talk about with their chief audit executives as we kind of go into the calendar year end of the cycle and looking to 2010 and the renewal for next year.
FIELD: What is your take, Warren, on how organizations could improve their auditing practices as we go into the new calendar year?
STIPPICH: Building on the last discussion around different types of auditing and what is next to come on the horizon, I really believe training for our people as professionals in the internal audit space, and that really is to move beyond the financial and compliance aspect of auditing. We have got the seven or eight years of good financial auditors trained up, many of those that came out of school over that continuum of time have only been exposed to financial and compliance audits. I think as we move now into these other auditing areas there is going to be a lot of training that is going to take place, and whether it is on the job training or otherwise, that is what we need to focus on.
Certain areas for example, treasury audits, I think, are going to be something that we need to do more of; this continuous auditing concept, using IT to be more effective, using the ERP system to do continuous auditing. That's a concept that is like cloud computing; it is kind of ambiguous and amorphous, and audit executives and audit committees are hearing about this and talking about it, but we are really trying to scratch the surface to try to put a program in place to really deal with this.
Data analysis, I think, is key. Using more data automated and analytical tools to look at the detail and see trending that is going on. And then other specialized industry auditing that I think is going to need to evolve, especially as we watch what the regulators may or may not do. The executive leadership of the chief audit executive or the head of audit needs to have this front and center in his or her list of top things for 2010. I think it is important for audit leadership to stay connected to peers and other industry partners as they look around and try to learn. And then, of course, drawing on the Institute of Internal Auditors is, I believe a very useful tool and a very useful space to gain knowledge and practical experience and connect into what the profession is doing, not only in the U.S. but also globally.
FIELD: Warren, taking a different direction for a final question here. You have had a distinguished career in audit. If you could boil it down now, what advice would you offer to someone that is entering the field today?
STIPPICH: Yes, an excellent question that I get very often. You know, on the job training today is going to be very different than it was say seven years ago, when the name of the game was financial auditing and compliance auditing because of Sarbanes-Oxley. I really think that today's staff auditors and new graduates have to be excellent communicators, both written and oral, and that has really been the mainstay, but that needs to be paramount, and still learn to develop a healthy skepticism, so we can't forget that if you are coming into an auditing career. And the basic knowledge and training from a university will need to be applied as these auditors are challenged to perform audits in new areas, such as factory operational audit, maybe an order to cash audit looking for operational efficiencies, and audits along those line where you are going to be drawing on the basics of your understanding from the bookwork that you may have done, whether you have a finance or accounting or an IS or some other sort of major through college, and applying that good solid education that you have gotten working through the job training and job shadowing and organizational abilities and really wrapping it all together to drive the next wave of what the future holds. And it is today's new staff auditors that are going to be coming out and setting the course for future leaders in the auditing profession, and I think that they are going to be placed in an excellent spot to really learn auditing kind of the old-fashioned way -- the way many of us that have been in the profession for 20 years did a lot of this other type of auditing. So that has really been in a nutshell kind of the advice I would give to someone entering the field today.
FIELD: Warren, that has been excellent insight. I appreciate your time and your thoughts today.
STIPPICH: Oh, absolutely my pleasure, Tom.
FIELD: The topic has been internal audit and we have been talking with Warren Stippich with Grant Thornton. For Information Security Media Group, I'm Tom Field. Thank you very much.