Management

The CISO role is relatively new and the competitive advantages it brings are beginning to become apparent, write Nicola O’Connor and Yousef Hazimee.

Cybersecurity is an ever-growing concern for all businesses and one that cannot be ignored. In larger organisations, the Chief Information Security Officer (CISO) is typically responsible for overseeing the security control environment and keeping things secure. However, this traditionalist view of the CISO does not consider opportunities for the CISO to create value for the business and turn their position into a leadership role that provides a competitive advantage for the organisation. So how can a CISO successfully evolve their role given their existing commitments? And what must the organisation do to support them in this endeavour?

Business and leadership

All CISOs must have a thorough understanding of the organisation’s business and product lines, and overall business model. This is imperative as the CISO role typically spans the breadth of the organisation. Without this, the CISO cannot maximise value creation as they will not know what is considered truly valuable from a business perspective. This understanding can be achieved through experiential learning, multi-disciplinary work experience, and the establishment of cross-functional committees.

In addition to understanding the business, the CISO must ensure appropriate support from the C-suite and the board. This requires strong leadership and interpersonal skills to ensure that sufficient resources (financial and human capital) can be secured. The breadth of the CISO role, as well as regulatory guidance – most notably in the financial sector – means that cybersecurity is a board-level issue. This provides an excellent opportunity for the CISO to articulate their value through demonstrable delivery against cybersecurity objectives, showing how these align and support the broader organisational strategy, and how they protect the business.

The board must also empower the CISO by giving them opportunities to make board presentations and provide updates periodically. The board should challenge them and ensure that they are receiving meaningful cybersecurity metrics that inform their decision-making. These are imperative as quantitative metrics are easily consumable for board members and trends are more readily identifiable.

Strategy and risk

CISO activities should always align with organisational objectives. A cybersecurity strategy is therefore vital as it not only shifts the CISO role from that of a technical role to a strategic one, but also gives both the CISO and the board assurance that the CISO’s activities align to broader organisational objectives. The added benefit for the CISO is that a defined and approved strategy can help secure resources.

Another way to highlight the importance of cybersecurity in an organisational context is by embedding cyber risk as part of the wider IT and enterprise risk frameworks. This allows the CISO to frame cyber risk in a business context and ideally, identify services and dollar losses pertinent to individual cyber threats. Framing cyber risk alongside other enterprise risks (such as regulatory and financial risk, for example) gives a more accurate reflection of the overall risk to the business and can inform decisions about prioritisation and investment. Fundamental to this is a clearly articulated, quantifiable and proactively managed risk appetite, which is necessary to support the decision-making process.

Product development

Building relationships and gaining knowledge of product lines and services allows for greater involvement of the CISO in product development. This embeds a ‘security by design’ culture, which allows for more seamless and appropriate security controls while exponentially reducing the costs and time to remediate defects as they are discovered earlier in the development cycle. This reduces the time to market and ensures a smoother customer/user experience while allowing for greater functionality on potentially less secure customer endpoints, such as mobile devices. This is particularly important for higher-risk apps, such as mobile banking. Greater CISO involvement earlier in the development lifecycle also allows for better use of emerging technologies in a secure manner.

Evolving the CISO role

CISO roles have traditionally been inward-facing but this is starting to change, particularly for CISOs in larger organisations. For example, clients now regularly look for evidence of suppliers’ adherence to security frameworks and standards, and these are generally considered a minimum for larger tenders. Other stakeholders such as rating agencies, insurers and pension trustees now seek assurances that appropriate cybersecurity controls are in place. By 2022, Gartner claims that cybersecurity ratings will become as important as credit ratings when assessing the risk of business relationships.

From a reputational perspective, the CISO benefits from the fact that cybersecurity affects almost everyone given the pervasiveness of social networks and people’s growing digital footprints. This gives rise to opportunities, through outreach and corporate social responsibility initiatives, to educate communities on how they can better protect themselves and their children online, which is especially important for digital natives who may not understand the scale and impact of their digital footprint. This can, in turn, create digital trust in your brand.

The CISO role is relatively new, and the competitive advantages it brings are beginning to become apparent. No longer is it the CISO’s sole responsibility to protect the business; they can also be a real differentiator between organisations as the impact of their role on an organisation’s bottom line becomes more evident. The most significant value creation will be achieved by those organisations that select the right CISO and empower them to deliver.

CISO: Creating a competitive edge

In a recent survey, security was considered the number one reason for selecting a bank among US participants. Meanwhile, in the UK, 85% of consumers claim that they will change their spending habits with brands that have been the subject of a security breach or hack.

When factoring in growing compliance requirements, data growth rates and a global shortage of cybersecurity talent, it is not surprising that most Chief Information Security Officers (CISO) concentrate on their core role of protecting the business. These CISOs, however, risk missing a valuable opportunity to become a real enabler and strategic driver for the business. Through a combination of active stakeholder management, goal alignment and ensuring a thorough understanding of business and product lines, a CISO can create demonstrable value and transform their role from one of pure risk management to one of strategic importance that can make decisions at the highest level of the organisation.

As a simple demonstration of how security can provide a competitive advantage, look no further than mobile banking. Security in mobile banking apps is of the utmost importance, but it can be seen to restrict the functionality and service offerings on these apps. Through new technologies and the application of security by design principles, robust and user-friendly controls can be used to safely introduce new, higher-risk functionality such as one-time payments and direct debit/standing order set-ups. This can allow banks to differentiate themselves from their competitors and gain market share.

Nicola O’Connor is Chief Information Security and IT Risk Officer at AIB. Yousef Hazimee is Cyber Security Practice Manager at AIB.

Feb 10, 2020
Strategy

Building a successful practice can be a daunting prospect, but according to John Kennedy, it boils down to one elementary skill.

Have you ever found yourself wondering whether your practice could be more successful? If so, you might be doing all the right work but ignoring the simple steps that could turn your effort into tangible rewards. At a basic level, successful accountancy practice owner-managers create the following:

- A network of high-quality and loyal clients they enjoy working with;
- A good income based on reasonable fees that reflect the real value of the work they deliver;
- A good standard of living – not just financially, but in terms of doing things they enjoy; and
- A high-quality retirement as a respected and valued member of the community.

All of this sounds attractive but is often far removed from the day-to-day reality of running an office. A more recognisable scenario might be spending your time on things forced upon you at the expense of concentrating on the critical steps. And when you do get around to thinking about how to build your practice, there are many options, issues and conflicting sources of advice. It is therefore unsurprising that many accountants never get to focus on the steps that are more important before the day-to-day issues drag them back.

The simple truth is that some practices thrive and enjoy more success than most, while many never fulfil their potential. The latter instead get stuck on the day-to-day issues that overwhelm occasional good intentions to invest time in securing new clients or promoting the practice. In this new series of articles, I will set out the steps you should take to build the practice you want. There will be no theory or abstract ideas, and I won’t advise you to do things you don’t understand or don’t like.

It’s simpler than you think

Achieving success is not complicated. In truth, the key is knowing how to get past the complexity and focus on mastering a small number of straightforward tasks. When you think about it, the single most crucial step in understanding a new client is the conversation you have with them. It doesn’t matter whether they were referred to you by an existing client, heard about you from a mutual friend, or – less likely – found out about you from a branded pen. Almost every client in every practice decides to take their business there because of a conversation with someone in that practice.

The ability to turn an initial conversation into a client relationship is the cornerstone of every successful practice, but this is where many potentially valuable client relationships stop – at the first conversation. Your success in these initial, and often unexpected, discussions will determine whether you get an opportunity to move on to a more substantial conversation. And you then need a series of precise steps that will build trust, deliver value and guarantee a mutually rewarding relationship. The standard approach is to feel that you need to move quickly, to jump to the things you are familiar with – but this leap takes the conversation onto ground that is not yet comfortable for your potential client.

So, building a high-quality practice is about having a clear structure that enables you to move confidently from an initial, casual chat to a trusting relationship. And if one person can do that, then so can you. Much of the advice about marketing, networking, promotional gifts, websites and digital strategy won’t work for you simply because it wasn’t designed for you in the first place. Most of the existing advice was created to sell products to customers, but you are doing something very different. Building a successful practice is about building trusting relationships with clients; you need to master the ability to take the individuals you most want to work with through a sequence of specific steps. And, like most things in life, it’s easy when you know how.

Getting the right fit

What criteria do you use to select your clients? For many years, we have asked this question when accountants seek our help, and we do it to reframe how they think about successfully building their practice. When we probe this question, we are almost always told that the key is to get as many clients as possible. “So,” we ask, “you want anyone? Your criterion for a client is that they should have a pulse?” I believe your standards should be a bit more rigorous and for very practical reasons. To target the whole universe effectively, you will need a vast amount of money to promote your practice – not to mention an infinite amount of time to talk to all those potential clients.

In truth, your pool of potential clients is much more restricted than you realise. Successful practices are built on having a clear focus on a specific, and therefore accessible, group of people. These can be people who share your interests, or they can reflect a specific aspect of your expertise, or who you are as a person. The right people for your practice very much depends on who you are. Building a successful practice is not a task exclusively for extroverts or ‘natural sellers’ or gifted networkers; if you are a quiet, reserved thinker who pursues every issue in depth, there are many clients who are looking for precisely those attributes. If you are excited, engaged and enthusiastic about the fast-moving opportunities of the ever-expanding digital world, there are other clients who want to have an accountant just like that. If a hobby or a specific interest obsesses you, that too can be the basis for building a highly successful practice. A thriving, fulfilling practice is one that brings together the type of people with whom you most want to work in a way that creates value both for them and for you.

Connect in the right way

For many years, we have been fascinated by the ever-increasing ways in which practice owners voluntarily waste their time, effort and money. We have seen expensive (and cheap) branded corporate gifts and a seemingly endless series of “networking opportunities” ranging from breakfast groups to conferences and sponsored events. Equally unproductive is the more recent phenomenon of websites and emails that are “done for you”, which say things that are never going to help you build the strong relationships that are essential for a thriving practice. If you find these enjoyable or fulfilling in their own right, then go ahead – but they aren’t central to building a successful practice.

When you cut away the marketing theory, the promotional gimmicks and the pointless pressure of networking, you see a stark reality: every potential new client decides to work with you because you have an effective conversation with them. You get a new client by talking to them; it is that simple. And when you know how to speak to them in the right way, they will want to talk to you again. And by getting good at creating a sequence of steps, you are much more likely to get the clients you want.

Focus on trust

The key is to understand the structure of talking to someone in the right way. Much of the traditional advice is not the right way; it can leave you feeling uneasy – especially the bit where you are told that you need to “close the sale”. You don’t. You need to build a relationship of trust that evolves from both you and your client becoming increasingly clear on how to achieve more by working together.

To talk to a potential client in the right way, you need to understand how to chat easily with them, and this means being wholly at ease yourself. You also need to know how to move the conversation from a general chat to one where they decide to become your client and to ask you to do a specific piece of work for them. When you understand how this works, it’s easy.

The effective conversation structure was developed by examining a vast number of informal chats that evolved into mutually rewarding relationships. By following this blueprint, which is outlined in Table 1, you will create a system that works for you, that helps build a practice that makes you feel good each day and that delivers a steady stream of clients with whom you want to work. In this way, your practice will evolve and grow over time and so will your expertise, your reputation and your rewards.

The structure of an effective conversation

An effective conversation involves knowing how to listen and what to say.

- Prepare: First you prepare a clear summary of the value your potential client most needs and a clear message to make sure they understand precisely why you are the best person to help them.
- Probe: The most common mistake is to rush to try to convince your potential client of your value. The key to success is to become highly skilled at asking high-quality questions so the client convinces themselves that they really need your help.
- Present: It is only when your questions have helped your client get clearer on what they need to do that you begin to present your value and set out the way in which you can best help them achieve the success they seek.
- Propose: Then – and only then – have you created the firm foundations needed to propose that you work together.

To download a more detailed overview of The Practice Builder Blueprint, visit www.insightstrategiesonline.com.

John Kennedy is a strategic advisor. He has worked with leaders and senior management teams in a range of organisations and sectors.

Feb 10, 2020
Management

The General Data Protection Regulation mandates organisations to embed privacy by design into the development of new initiatives involving the use of personal data. Donal Murray discusses the impact of privacy by design from a practical perspective, and explores its benefits.

The General Data Protection Regulation (GDPR) has changed European privacy rules significantly. The introduction of the concept of privacy by design (PbD) is one of these changes but many organisations have struggled to understand what it entails. For those that have adopted PbD correctly, the burden of GDPR compliance can greatly decrease while also having the potential to achieve operational as well as commercial gains.

What is privacy by design?

PbD is a requirement placed on organisations that must comply with the GDPR. The specific requirement is detailed in Article 25 of the regulation. PbD holds that organisations must consider privacy at the initial design stages and throughout the entire development of new products, processes or services that involve processing personal data. This means that privacy is considered at the earliest of stages and reduces the risk of privacy being bolted onto a system or product at a later stage. While this may initially seem complex, it is, in fact, easier to implement than applying privacy considerations after a design is fully developed.

What are the origins of privacy by design?

Although PbD has become a new legal requirement in Europe under the GDPR, the concept is not new. It originated in Canada in the mid-90s and was developed by Dr Ann Cavoukian, a recognised leading privacy expert who held the position of Information and Privacy Commissioner in Ontario for three terms. In October 2010, regulators at the International Conference of Data Protection Authorities and Privacy Commissioners unanimously passed a resolution recognising PbD as an essential component of fundamental privacy protection. It is touched upon in many well-known frameworks; however, many of them have come under much criticism.

Why should organisations focus on privacy by design?

Privacy by design promotes a privacy-conscious culture within an organisation. If done correctly, it embeds privacy thinking into many aspects of an organisation’s operations. Further, as it focuses on early privacy considerations and checks prior to new products, systems and processes being released, it greatly decreases the risk of non-compliance with the GDPR and enables a sustainable GDPR/privacy-compliant environment as an organisation evolves.

From an operational perspective, a strong PbD framework can present efficiencies and reduce costs. Consciously considering and planning for the personal data you want to use, the purpose for which you want to use it and how to do this legitimately greatly reduces the chance of discovering that embedding privacy is technologically challenging, expensive or even impossible at a later stage. Knowing what data you want to use at an early stage and being confident in its usage can make the development process more efficient and makes it easier to be transparent to those data subjects. Transparency is critical when it comes to earning the trust to collect the data in the first place.

Implementing a robust framework can also present commercial advantages. It is seen as an enhancement to a brand and a key element in building trust with an increasingly privacy-conscious public.

Implementation

While frameworks exist that cover PbD, many of them are too rigid for real benefits to be realised. The key to implementing PbD is adapting privacy to the business and not forcing a boilerplate framework. PbD is optimally implemented when privacy measures are designed based on the specific ways of working within an organisation. The approach to achieving an efficient PbD implementation consists of three steps:

1. Identify and understand: In order to tailor privacy measures to an organisation’s operations, it is important to have a detailed understanding of your organisation’s design processes – of which there could be many across different functions. Once you identify the relevant design processes, an exercise should be performed to obtain a comprehensive analysis of the steps involved in each process. If the processes are not already formally defined, it is useful to spend time mapping the design steps as this will support later PbD implementation activities. As well as the design steps, it’s also key that you understand what teams and third parties are involved in executing the process, and the tools and formats (e.g. Excel, Word checklists) used in each.

2. Evolve: Once the processes and ways of working are fully understood, specific privacy measures should be designed to fit them. The objective of these measures is to ensure that certain privacy topics are considered and assessed at suitable points in the identified processes. These privacy measures could take many different forms. For example, ethical questions built into a design brainstorming session; user stories built into development; or privacy checklists asking a series of questions on the purpose of processing at the initial design stages. These measures are to be applied to identified steps within your design processes and are designed in line with how the current process works. Tailoring the measures to the current processes allows for seamless integration. Together, this set of measures creates the Privacy by Design Toolkit.

3. Establish: Implement the measures into your design processes and train employees involved in those processes to ensure the measures are understood and executed correctly. While these measures typically do not require significant process change, the main challenge is ensuring that each measure is executed consistently at the required standard. Those executing the measures are typically not privacy specialists, so educating and training individuals is a critical factor in achieving a sustainable PbD framework.

Think of ethics, not just compliance

There have been many public cases where personal data has been used perfectly in line with the rules, but far outside societal and ethical norms. In a PbD process, measures can be built in to detect cases like these. For instance, to what extent an idea or initiative may be considered unethical can be found by asking a number of questions:

- Can I explain why I’m going to process this personal data and what I intend to do with it?
- Would my family and friends be comfortable if their personal data was used in this idea?
- Would I be happy to explain my idea in the daily news?
- Does my idea match the values of the company?

Where the answers to these types of questions point towards an attitude of trying to hide the idea from the public eye or not wanting to be part of the data processing, the idea may be unethical and may need to be redesigned.

Compliance

PbD is integral to ensuring compliance with data privacy legislation for numerous reasons. First, because effective PbD involves seeking independent testing of privacy and security controls, it helps to maintain best practices. Second, PbD builds an organisation’s brand by fostering greater consumer confidence and trust (through, for example, better management of post-breach incidents) and, in turn, supports organisations in their quest for a competitive advantage. In a reactive approach, the costs are much greater, such as through class-action lawsuits, the damage to reputation and loss of consumer confidence and trust.

In summary, PbD reduces the likelihood of fines, penalties and the resulting financial and reputational damage, and ensures that a firm stays ahead of the legislative curve, thereby minimising compliance risk.

Donal Murray is a Director in Risk Advisory in Deloitte Ireland, where he leads the Data Privacy Services team.

Feb 10, 2020
Strategy

Jens Gladikowski explains why finance leaders need to lead more than the finance function.

In today’s business environment, the role of finance leaders is more demanding than ever. They are required to run their function at low cost, create incisive insights from a complex pool of data, support risk and control governance, and manage a variety of stakeholders. They also play an increasingly critical role in business transformations – initiatives that aim to change the competitive position of an entire enterprise. By addressing five critical tasks, finance leaders can play an essential part in helping such transformations succeed.

1. Identifying value

Perhaps surprisingly, a significant number of transformations do not have a comprehensive case for change that lays out their scope, rationale and benefits. For example, business cases often centre on cost-cutting to improve profit. A more thorough analysis might suggest re-directing savings into strategic areas of investment, which may yield higher returns in years to come. Finance leaders are well-placed to identify and balance competing options for the transformation scope and help set targets. That requires a holistic view of the organisation and an understanding of how value is generated and measured.

In the case of one Irish consumer goods company, the CFO led an initiative that comprehensively aligned the organisation’s value drivers with corporate targets. Key performance indicators (KPIs) and performance measures (such as outbound delivery accuracy, for example) were then linked to those drivers. The impact of the company’s transformation can be associated with those KPIs, benefits owners assigned, and success measured.

2. Shaping the organisation of the future

The future operating model is formed during a transformation. Here, finance leaders can influence critical decisions in several ways. For example:

- The overall business model may change with new products, services and markets introduced. Through financial modelling, scenario analysis and risk-based assessments, finance leaders can influence these decisions and help business leaders make the right choices.
- Operating models define responsibilities and the relationships between organisational units. Finance leaders bring a pan-organisational view and can ‘broker’ the best outcomes from an enterprise-wide perspective. Recently, a global fast-moving consumer goods (FMCG) company assessed the relationship between its manufacturing and sales units. This required an evaluation of the impact of profit margin on transfer pricing and external reporting – the consequences of which were not fully understood outside finance.
- Technology enablement is at the core of many, if not all, business transformations. Finance leaders often have responsibility for IT budgets and, in conjunction with chief information officers (CIOs), need to shape the technology roadmap. This is best done up-front by assessing current, and agreeing future, capabilities.

3. Keeping stakeholders honest

It can be challenging for executives to establish the exact status of in-flight transformations. Here, finance leaders can use their analytical skills and professional scepticism to provide clarity and challenge. For example, cost-benefit projections should be adjusted as new information becomes available. Frequently, only the cost impact is assessed – and often with delays – and the effect on benefits is not always easy to evaluate. In the case of a large automation programme for an insurance company, benefits were still discovered post-go-live. The processes were deemed too complex to gain the full picture earlier, but a more rigorous financial analysis might have addressed that.

There can also be a tendency among benefits owners to be conservative in their commitment to transformation targets. This may be down to a lack of buy-in or to avoid falling short of expectations, especially where they are linked to incentives. Here, finance has a role to play as a critical partner to drive ambitious, yet achievable, benefits targets.

4. Coaxing, connecting and communicating

Significant research has been conducted into the future of finance. There is consensus that, generally, roles are changing from traditional scorekeepers to pro-active business advisors and (co-) owners of business decisions. Finance leaders in many organisations are already defining their purpose as influencers, business navigators and drivers of change. They often stay longer in the role and understand their organisations more deeply than other executives. The average tenure of a CFO in a FTSE 100 company is around ten years – twice that of a typical CEO. Finance leaders, with their informed view of the business, can connect different interest groups, communicate key messages and guide an organisation towards expected outcomes.

5. Leading by example

A critical factor in successful transformations is aligned and robust leadership. This creates an opportunity for finance leaders to make a positive example of their function, for instance, by:

- Articulating a vision for finance that is aligned to the transformation objectives. Importantly, leaders must promote and live up to the values associated with that vision. Finance can influence wider cultural and organisational changes. At a national broadcaster, finance pioneered structures and performance measures that were replicated across other functions.
- Creating early success is essential in any project and realising quick wins is often possible in finance. One could, for example, review how reports produced by finance are used and eliminate those that don’t support decision-making.
- Freeing up the best resources for the transformation. In practice, this is often a challenge – not many finance teams can release their ‘go-to’ people. Yet having precisely these people on projects is arguably the most critical driver of success.

Finance leaders have an essential role to play in business transformations. Aside from bringing financial understanding and business insights, their primary purpose is to support and lead on the structural, cultural and behavioural changes that are critical to successful business transformations. To do them well, finance leaders must, therefore, lead on a lot more than finance.

Technology: Easier than ever?

A key challenge in a transformation is selecting the right enabling technologies and implementing them successfully. The technology landscape has changed dramatically during recent years: many businesses deploy cloud applications, automation tools are increasingly used, next-generation enterprise resource planning solutions have entered the market, and more end-user reporting tools are available. These developments can enable more insight from data, drive process standardisation and provide greater focus on business value, rather than IT.

Yet in practice, many challenges remain and the promises of more value, more quickly, do not always materialise. Why? Most of the success factors of technology deployment are similar to what they were a decade ago. Enabling technology will not be successful if requirements are not precise and aligned with the transformation objectives, if the underlying data are of poor quality, and if change management is not addressed adequately. Typical examples for the first point are implementations where reporting requirements are simply a re-statement of the ‘as-is’, and consequently, opportunities are missed to create greater insight.

Other challenges have emerged for newer technologies. Below are a few lessons from process automation:

- The deployment of automation tools should not happen at the expense of process improvements (i.e. don’t automate a bad process);
- Implementation is relatively easy, and business-led innovation can be managed differently to traditional technology; and
- Software robots often need user rights to access transactions. Controls must, therefore, be adjusted.

Technology choices can be bewildering, and their implications are a challenge for many finance leaders who are expected to understand the options and help govern and deliver transformations. Technology today is neither harder nor easier than it was – but it is different. Finance leaders need to work closely with their IT function and vendors to identify the value of technology and steer the organisation successfully through transformations.

Jens Gladikowski is a Director at PwC Consulting.

Feb 10, 2020
Audit

Changes to quality control systems and regulation require some getting used to, but let us not forget their primary goal – to help firms complete good quality audits effectively, writes Lisa Campbell.

Most accountants know that having a sound quality control system is a good idea, but people often think in terms of the various systems that feed into the quality of products and/or financial statements. A good quality control system is essential in a professional services environment as well. So, in relation to an audit firm, what does a quality control system mean and how does it interact with the regulation of the firm?

What is quality control in an audit firm?

The purpose of a quality control system in an audit firm is to ensure that the firm has the capacity, capability and resources required to carry out its audit engagements effectively and consistently. ISQC (Ireland) 1 applies to all audit firms in Ireland, from sole practitioners to the largest firms. It sets out requirements for all firms to implement policies and procedures covering all aspects of carrying out a proper and independent audit, from hiring and training to methodology, remuneration, accepting an audit engagement, ethics and the tone at the top of the firm. Firms are responsible for ensuring that the people employed to carry out audits, from the most junior to the most senior, are suitably qualified, trained and are aware of – and complying with – ethical requirements. The leaders in the firm are required to ensure that their communications have enough focus on quality, aiming to ensure a robust culture of performing quality audits and not tolerating anything less than that. The standard also requires firms to implement their own monitoring systems to ensure that the relevant requirements are complied with, and to action failure to do so.
Furthermore, firms are required to have documented evidence of the operation of each element of their system of quality control, including whether the firm has competent personnel, time and resources; any threats to independence; and whether the firm complies with the relevant independence and objectivity requirements.

How does it interact with regulation?

All audit firms in Ireland, and many places across the globe, are subject to what is known as a quality assurance review (sometimes also known as an audit inspection). In Ireland, this may be done by an accountancy body or directly by IAASA. Regardless of which organisation carries out the quality assurance review, the review is split into an assessment of the firm’s quality control system, supported by the analysis of a sample of the audits completed by the firm. The inspector will review policies and procedures and assess if they appear to be appropriate given the size and complexity of the firm. The proof of the pudding, however, is in the eating, so a sample of audits is reviewed to assess whether the policies and procedures have resulted in good quality audits. Where poor quality is identified as part of an inspection or review and hasn’t been caught in advance by the firm, the firm needs to ask itself whether there was an issue with the design or implementation of its quality control systems – or both. Was it a case of an isolated incident of an audit team failing to comply with good policies? Is it a pervasive issue that might indicate a firm culture of ignoring policies? Was it a lack of policy or an unclear policy? Could another policy have been implemented that would either have prevented or detected the problem? Do the policies contain enough incentive and/or sanction to encourage a continuous focus on quality?

Future of quality control

Most people are aware that the best control processes will prevent an issue arising in the first place (preventative control) rather than catch a problem after the fact (detective control); and that a good quality control system is not something that is designed once and left in place forever. It needs to be part of a continuous cycle of design, implement, assess, tweak the design, implement, assess etc. It evolves in a constant feedback loop, taking inputs from internal reviews, external reviews, experiences of peers, global developments and technology developments. And that is, really, the basis for proposed changes to the international standard on quality control, which will ultimately be adopted in many countries around the globe, including Ireland. The new international standard is expected to be finalised in 2020. The standard has been updated to think in a different way about quality control and to underpin the need for firms to proactively manage quality to prevent issues arising, rather than just react to control quality issues that do arise. The existing standard has a list of policies and procedures that must be developed and implemented by firms, whereas the new standard requires a much more integrated process and a more bespoke system customised by firms to address the risks that may impact on that particular firm’s engagement quality, specific to the nature of that particular firm and its audit clients. This fundamental shift in thinking is even reflected in the name of the standard, which is changing from “international standard on quality control” to “international standard on quality management”. In addition to the components of quality control dealt with in the existing standard, the new standard introduces some other elements, looking at the firm’s risk assessment process as well as information and communication. This shift in thinking may appear subtle on the face of it.
However, firms are going to be required to rethink their entire systems of control and ensure that they are mapped to the standard. The US regulator, the Public Company Accounting Oversight Board (PCAOB), announced in December 2019 that it is also considering the standards on quality control in place in the US, which is something that needs to be considered by the many firms in Ireland that carry out work on any part of a US group of companies. PCAOB has stated that it intends to use the international standard as a starting point in developing its standard, which is good news for many firms as it should allow them to comply with both standards easily should they need to.

So, what will this change mean for regulation? The changes will require regulators, to the extent that they don’t already do so, to become part of the feedback loop for firms. IAASA’s inspection approach already reflects this, whereby we look at the design of controls and do some sample testing to ensure that the controls are in place. For example, we look at communications issued by the firm’s leadership to ensure that there is enough focus on quality in those communications. This test may look okay, but then, when audits are inspected, we find poor quality. If this happens, we then reconsider the tone at the top testing and consider whether, while the control might be operating as designed, it is effective enough and whether we should recommend changes to firms to make the control more effective. The future for quality control is, therefore, a more interlinked and integrated approach with firms needing to integrate their internal reviews, external reviews and other feedback into a continuous loop of tweaking their systems – all the while remembering the ultimate aim, which is to get consistently good quality audits completed effectively.

Lisa Campbell FCA is Head of Operations at the Irish Auditing & Accounting Supervisory Authority.

Feb 10, 2020
Personal Impact

Garvan Callan explains why digital transformation is both necessary and defining for companies and their leaders.

If the Olympic Games handed out medals for buzzwords, ‘digital transformation’ would surely bring home the gold. However, the ubiquitous overuse of the term has also removed all clarity from the concept. It doesn’t matter who is to blame, though software vendors and marketing overlords selling digital transformation as the stairway to heaven do look a little guilty. What is important is that we reclaim digital transformation from its superficial buzzword status and fully understand why and, most importantly, how.

Full contact – not a spectator sport

One of the first pre-conceptions about digital transformation is that it arrives in the cloud, in a box, through an app or in lines of code. While technology solutions play a part, they don’t deliver digital transformation on their own (far from it) but are critical enablers in conveying a modern strategy and ambition. Nor does digital transformation arrive on a PowerPoint deck from a strategy guru or a social media article. One must imagine it, develop it, and make it happen – for your customers, your market and your context. Digital transformation involves a fundamental rethink of how organisations make use of people, processes and technology to improve performance. It is a complete change in how your organisation develops and delivers value to your customers, colleagues and investors. Organisations that truly want to embark on a digital transformation strategy start and end with the customer, creating a working environment that nurtures creativity, drives growth and delivers new arcs of value.

The 360° approach

Figure 1 depicts a 360° approach to digital transformation, split across five layers. At the core are the processes, which enable the revenue-creating propositions (features, products and services) that are brought to market through the engagement layer.
The workplace is the people, tools and environment harnessed to create those propositions, with underpinning technology making it all possible. Processes are at the epicentre of transformation. This is where what is required to deliver your products and services is hard-coded. Therefore, this is also where the costs lie and risks exist. Taking out unnecessary steps (simplification), automating steps through low-cost, mature technologies such as robotics and then digitising value chains end-to-end is a great place to start the transformation. Does this mean it’s not about the customer? Of course not. Listening to what your customers and colleagues say about where the friction lies should drive the change. The most successful transformations start by reducing unnecessary ‘effort’ anchored in processes, and retiring whole products and services that don’t add, or even destroy, value. This not only improves the customer and employee experience (assuming you hold everyone’s hand through the change curve), but also reduces risk and releases capacity for the innovation of new propositions – constellations of products and services that fulfil customers’ desires, developed from customer insights leveraged from process-transformation analysis, and informed by techniques such as design thinking and the value proposition canvas. Digitising value chains also facilitates the capture of data, the fuel that powers continuous improvement programmes and the application of artificial intelligence (AI). Combining new data with AI can support a step-change in the personalisation of marketing and improve sales-funnel conversion, automate back-office processing, and support channels in becoming faster and more efficient for the customer. 
Executing process transformation also offers brands a range of points with which they can tell the story of change, of building a better business, of listening to customers and responding to needs – message opportunities often overlooked in the transformation trenches.

The workplace and technology

Empowering colleagues with the right tools and environment, and enough time to manage the complexities across the transformation layers, is fundamental to the optimum workplace. Harnessing the team’s insights and motivation, and liberating them to make customer-oriented improvements, is the defining prerequisite. Creating the enabling conditions for such a journey requires strong foundations, and here’s where technology fits in – not last on the list by any means. Technologists and leaders who immerse themselves in the process, proposition, engagement and workplace layers can then determine the technology required, and the operating model needed, to deliver successful transformation and a thriving organisation.

The customer is the touchstone

Knowing that you need to implement a digital transformation on this scale is one thing, but where to begin is quite another. Embarking on such a monumental organisational shift can be extremely challenging for even the most experienced leaders. To find a good starting point, become deeply knowledgeable about what your customers want to achieve when they engage with you, about their ‘jobs to be done’. It is not only the marketeers who should have such insight into the customer experience; everyone involved in digital transformation needs to have a forensic understanding of the customer and how your business does (or does not) facilitate them. Now that you know what you want digital transformation to achieve for your customers, you need to roll up your sleeves and ask: Are large organisational changes necessary? Do our teams require re-skilling and re-orientating? Do hard re-prioritisation decisions need to be made?
You will most likely answer ‘yes’, but beware of procrastination; the time to start is now. Mobilise the effort by making the desire for better customer outcomes the focus. The customer guiding you on ‘what to do and why’ must be the unequivocal and undeniable touchstone to motivate, guide and, if required in the transformation haze, reset the mission at hand.

Getting digital transformation right

Since successful digital transformation is a 360° endeavour that spans the breadth and depth of the business, each organisation’s roadmap will be different. That said, there are some common principles to abide by:

1. Gain consensus from the whole team: whether your project/programme involves building the new or enhancing the existing, it’s imperative to have buy-in from everyone involved, leveraging the customer as the touchstone and data as the tinder.

2. Embrace the unknown with adaptive design: embracing an adaptive design and project management approach allows for tweaks to be made to the transformation strategy as needs arise – and they will arise. Remember, you’re building your transformation strategy around humans (customers, colleagues and investors) and humans don’t act in linear and predictable ways.

3. De-risk: delivering transformation and building a customer-centric organisation involves taking more than a few risks. Communicate the ambition and the stretch outcomes you’re working towards. Then de-risk by managing the change activity in sprints of two to three weeks. This supports decision-making, seeing progress or calling failure early and learning quickly. Leaders should allow teams to ‘learn as they do’ and build an environment of self-sufficient innovation. In the long-term, this is a great de-risker: smaller projects equate to smaller risks.

4. Initiate and react: Amazon’s game-changing ‘one-click economy’ has put just about every other industry into reaction mode, attempting to catch up with customers’ expectations. But that doesn’t mean that your whole transformation strategy should be a reactive response to the wider e-commerce forces at play. Get ahead of the game with pre-emptive or first-strike moves to truly future-proof your organisation. Larger, well-resourced organisations that are good at this often use game theory exercises; for smaller organisations, less elaborate scenario planning activities can be equally effective.

Is it that easy?

If it were that easy, everyone would have done it. Most organisations are trying and a few are thriving; some are just embarking and starting to grind it out, while only a few have yet to begin. But let’s be honest, it isn’t easy. It takes years. It takes vision. It takes resilience and it takes persistence. But it is necessary, and it is defining. As Albert Einstein said, “In the middle of difficulty lies opportunity”.

Garvan Callan is a strategist, innovator and transformation advisor.

Feb 10, 2020