Optimising financial processes

Getting “Out of Control”

I was invited to present at the Joint Institute of Internal Audit (IIA) and ISACA Governance, Risk and Control Conference recently with my colleague Robin Ashby.

The conference, held on the balmy Florida coast in Fort Lauderdale in the late summer, brought together nearly one thousand governance, risk management, audit, internal controls and IT security specialists from around the world. It was productive, insightful, and engaging. This year’s conference was the fourth event in the ongoing partnership between two world-class associations — The IIA and ISACA — and represents the collective commitment to advancing the audit, governance, risk, and security professions. If you were there, or want to see what you missed, you may want to see some of the photos, you might even be in one!

There were some excellent speakers and a healthy spectrum of experience, from the opening keynote session – "Big Data and the Internet of Things: Boon or Bust for Your Cybersecurity Efforts?" from Theresa Payton, Former White House CIO, through to talks from Richard F. Chambers, IIA President and CEO, Robert Hirth, Chairman of COSO, and many other industry leaders and expert practitioners. The 48 concurrent sessions proved to be popular, including hot topics such as Protecting Unauthorized Access; Third-party Risk Management; Digitization and Internal Audit; Impact of AI and Machine Learning and many more.

There were some excellent discussions on Enterprise Risk Management, Transforming Internal Audit, Cyber Security, Big Data and analytics, Machine Learning, the continuing challenge of Segregation of Duties and implementing GRC solutions.

One thought-provoking image reminded us all that investments in security need to be thoughtfully applied or run the risk of wasted investment. Focus security investments on the areas of maximum potential loss or impact!


I was particularly taken with a common, recurring theme in the conference, and one that has been worrying me for some time: our seemingly overwhelming preoccupation with controls rather than risk. Anyone who has seen one of my talks will recognise this picture that highlights the point:

Parking Control

We can sometimes be so focussed on the barrier to the parking lot that we ignore the real risks, and the tire tracks in the snow. It is reassuring that some balance is returning to the debate and, whilst audit practices may take time to evolve, we need to lead best practice in the field. Thus the phrase was coined, “we have to get out of control”. Fortunately, from the evidence in the hotel bar, this wasn’t taken too literally!

Many of the discussions linked to our own recent developments and work with clients, not least in these areas:

  • Integration of ERM with Continuous Controls Monitoring (CCM)
  • Risk focussed data analytics
  • Management framework for sustained GRC success
  • Sustaining effective Segregation of Duties across the entire business landscape
  • Advancing Risk-Based Analytics with Machine Learning Research

If any of these themes resonate, let us know and we can share what we have learned.

Next year’s GRC Conference is already planned and will be held in Dallas, Texas. Mark your calendars for Aug. 16-18, 2017; you can even register now.

Don’t forget to “get out of control” regularly; it is a very effective mind-set.

Thanks to the IIA and ISACA for an excellent conference, and thank you for reading . . .