SAP® Systems and Auditing What Every Organization Running SAP Applications Needs to Know to Prepare for Financial, Compliance, and Regulatory Audits

A guide to understanding the impact of new financial, compliance and other regulatory audits on businesses and how to prepare SAP systems to meet those requirements.

© 2014 Dolphin, www.dolphin-corp.com Page 2/15 Version: 20140617 Version: 20140617

TABLE OF CONTENTS

Disclaimer .............................................................................................................................. 3  

Executive Summary .............................................................................................................. 4  

Managing Risk and the Increasing Impact of Audits ............................................................. 5  Increased Oversight ......................................................................................................................... 5  Changing Regulations ...................................................................................................................... 5  Difficult and Costly Process .............................................................................................................. 5  

How Audits Are Transforming Organizations ........................................................................ 6  New Roles and Responsibilities ....................................................................................................... 6  New Policies and Procedures .......................................................................................................... 7  New Systems ................................................................................................................................... 7  

Three Audit Regulations Every SAP Customer Needs to Know ........................................... 8  1.   Impact of Big Data ................................................................................................................. 8  2.   Increased Oversight of Processes ......................................................................................... 8  3.   Tighter Control of Manual Entries .......................................................................................... 9  

Aligning Audit Requirements with SAP Systems ................................................................... 9  

Action Plan for Preparing SAP Systems for Audits ............................................................. 10  1.   Start with an Information Lifecycle Strategy ........................................................................ 10  2.   Consider the Impact of Meeting Diverse, Global Audit Requirements ................................ 10  3.   Lower the Cost of Long Term Data Storage ........................................................................ 10  4.   Simplify the Process of Extracting Audit Data ..................................................................... 11  5.   Adopt the Latest SAP Technologies for Audit ..................................................................... 11  6.   Optimize Audit-Related Tasks in SAP ................................................................................. 11  7.   Calculate the ROI of Audit Compliance ............................................................................... 12  

Dolphin Audit Success Stories ............................................................................................ 13  Retailer Reduces Cost of Storing Large Volumes of Data for Tax Reporting ................................ 13  Beverage Company Improves Audit Response Time by 500% ..................................................... 13  Technology Company Strives to Keep Consumer Data Secure .................................................... 13  

About Dolphin ...................................................................................................................... 14  

Works Cited ......................................................................................................................... 15  

© 2014 Dolphin, www.dolphin-corp.com Page 3/15 Version: 20140617 Version: 20140617

DISCLAIMER

This white paper is for informational purposes only.

Dolphin does not provide audit advice or counsel pertaining to this subject or any related legislation or compliance issue.

We always recommend that you consult your qualified audit professional

Copyright © 2014 Dolphin Enterprise Solutions Corporation (dba Dolphin) All rights are reserved, including those of duplication, reproduction, use or disclosure of the contents of this documentation, or any part of it. No part of it may be reproduced in any form, passed on to third parties or particularly by electronic means, processed, reproduced, distributed or used for publication without the written permission of Dolphin. We reserve the right to update or modify the contents. Trademarks © 2014 Dolphin Enterprise Solutions Corporation (dba Dolphin). SAP, SAP NetWeaver, ArchiveLink, ABAP and

all SAP logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries.

© 2014 Dolphin, www.dolphin-corp.com Page 4/15 Version: 20140617 Version: 20140617

EXECUTIVE SUMMARY

While many organizations are familiar with how to prepare for a financial audit, more and more organizations are also subject to highly complex compliance and other regulatory audits. In response to these new audits, as well as increased oversight from governmental and other regulatory bodies, organizations can go through an incredible period of transformation.

• Roles and responsibilities are changing to address complex audit issues at a company-wide level, requiring a higher degree of cross departmental collaboration.

• Policies and procedures are or should be revamped to ensure that corporations can meet their current and future audit requirements.

• Existing systems are being enhanced so they can flexibly store and retrieve data to support changing audit requests.

From the CEO down to individual contributor levels, rapidly evolving audit requirements are changing the way that organizations do business. Yet, understanding how to align multiple, sometimes conflicting, audit requirements to enterprise-wide systems, such as SAP systems, remains extremely difficult.

This white paper discusses the impact of new financial, compliance and other regulatory audits on business and provides an action plan for preparing SAP systems to meet those requirements. By starting with an information lifecycle management strategy that incorporates the needs of internal and external audit stakeholders, it is possible to put a flexible framework in place to meet the latest audit requirements without great difficulty or cost. If organizations adopt the right combination of SAP technology and add on solutions; secure, long-term storage options; and optimized and automated audit processes they can easily meet diverse, global audit requirements in a timely manner. With the right audit solution in place, organizations are able to leverage their SAP systems to respond quickly and accurately to audit requests without breaking the budget.

© 2014 Dolphin, www.dolphin-corp.com Page 5/15 Version: 20140617 Version: 20140617

69% of internal audit professionals say regulation is increasing internal audit costs

-­‐ CGMA  Magazine,  March  2014  

MANAGING RISK AND THE INCREASING IMPACT OF AUDITS

Read through the headlines in any newspaper and it is evident that audits are becoming front page news. What was once the staid domain of finance departments and corporate auditing firms is now breaking news — with stories relevant to everyday readers. In part, this is due to the increased awareness of financial issues and the many changes to financial regulations that have occurred since Sarbanes-Oxley (SOX) was enacted in 2002, and the global financial crisis of 2008. However, audits are making the news for other reasons.

Increased Oversight

Dramatic stories of personal data breaches, international credit card fraud rings, and environmental disasters are in the news because companies that are responsible for safe-guarding consumer privacy and meeting industry standards are failing to do so. These breaches affect consumers directly, creating a vast public outcry as individuals are required to change passwords, replace credit cards, or deal with the impact of inadequate regulation. Consequently, governments and industry regulators are increasing oversight of companies under their jurisdiction and conducting more frequent financial, compliance, and regulatory audits. As the frequency of audits increases, and CEOs and CFOs are being asked publically to provide evidence that they meet relevant privacy, security, and other regulations, compliance is becoming a major concern for all executives. In fact, in KPMG’s 2014 Global Audit Committee Survey, the surveyed audit committee members cited “regulation and the impact of public policy initiatives, economic, and political uncertainty, and operational risk and controls as the risks posing the greatest challenges for their companies” (KPMG, 2014).

Changing Regulations

Rapid developments in business models and technology are breaking down traditional barriers, making it possible to run global business without large manufacturing operations or a vast network of retail outlets. Old regulations, which were developed to regulate traditional brick and mortar businesses, simply don’t

apply in the new Internet economy. While regulators are introducing new legislation to accommodate the realities of the new economy, business is evolving at a much faster rate than the regulations. For this reason, organizations must be prepared to respond to current regulations and be able to adapt to meet potential future regulations. Retroactive regulations in particular can have a significant impact, causing anxiety throughout the organization as corporate leaders try to anticipate future audit requirements. As a result of this uncertainty, many organizations are holding on to old data and systems “just in case”, which increases the cost and complexity of the business environment.

Difficult and Costly Process

Audits are becoming more difficult and costly to complete. According to a Grant Thorton survey, 69% of internal audit professionals say that “regulation is increasing internal audit costs” (Tysiac, 2014). There

© 2014 Dolphin, www.dolphin-corp.com Page 6/15 Version: 20140617 Version: 20140617

are many reasons for this increase. When large corporations expand into new regions across the globe, the corporation must sort through and comply with multiple, often conflicting audit requirements, which require significant effort on the part of the corporation and high-paid audit consultants. Mergers and acquisitions and corporate divestitures or spin offs can also complicate the process of responding to audits. Old systems and data stores from previous corporate entities must be maintained for long periods of time in order to retain the information for future audits. Additionally, as companies begin to collect vast quantities of data about consumers, regulators are asking corporations how they are keeping that data safe from harm. Companies require new tools and techniques to keep their data and systems secure. All of these factors make the audit process much longer and more difficult than it was in the past, which will certainly eat into the company’s bottom line.

HOW AUDITS ARE TRANSFORMING ORGANIZATIONS

As organizations strive to meet the increasing demands of auditors, they are going through periods of transformation, creating new roles and responsibilities, new policies and procedures and adopting new systems to address specific risks.

New Roles and Responsibilities

The increasing frequency of compliance and regulatory audits is changing the structure of many corporate boards and executive teams. At the highest level, corporate audit committees are looking beyond traditional financial auditing skills and seeking members with necessary legal, technical, and strategy skills to understand the impact of non-financial audits (KPMG, 2014).

Within the organization, changes are happening as well. The Institute of Internal Auditors recently conducted a survey of chief audit executives, and found that “duties related to risk management and control are increasingly being split across multiple departments and divisions”. As executives take on new audit responsibilities, they must ensure that their duties are “coordinated carefully to assure that risk and control processes operate as intended” (The Institute of Internal Auditors, 2014). In some cases, the coordination that is required between the compliance, legal, and IT teams, may not be fully understood and teams may not understand how audit requirements impact one another. Gartner Inc. states that “compliance and legal teams often don't understand and clearly communicate the data retention requirements.” (A. Daley, 2014)

Figure 1: Audit responsibilities require collaboration

© 2014 Dolphin, www.dolphin-corp.com Page 7/15 Version: 20140617 Version: 20140617

New Policies and Procedures

The list of non-financial regulations that organizations must comply with includes, but is not limited to:

• PII: Personally Identifiable Information

• PIPEDA: Personal Information Protection & Electronic Documents Act

• PHIA: Personal Health Information Act

• HIPPA: Health Information Protection Act (USA HIPAA)

• PCI DSS: Payment Card Industry Data Security

Consequently, policies and procedures are being revamped to ensure that corporations can meet their current and future audit requirements. According to Gartner Inc. “Compliance and regulatory requirements are complex, yet vague, and vary by data type and jurisdiction, and have different management requirements.” (A. Daley, 2014). Organizations that do business in North America, Europe, and South America have to contend with different retention requirements for different jurisdictions, which further complicate the process and impact the ability to provide unified company-wide policies.

New Systems

Large enterprise systems, such as SAP systems, are essential for securing data and processes, and enable organizations to demonstrate compliance with regulations to auditors. However, the rapidly changing regulations are having a significant impact on these systems as well. In the report IT compliance and Audit, 2013, Gartner Inc. states that ISO, privacy, and health are all amongst the highest concerns for IT leaders (Pratap, October 2013).

The concern about the impact of audits on IT is also echoed in KPMG’s survey of audit committee members where eighty percent of respondents thought that internal audits should focus more attention on risk management processes, IT risk, and data management and operational risks. (KPMG, 2014)

For companies running SAP systems, the expansion of the functionality in SAP GRC indicates the growing importance of Governance, Risk and Compliance in the SAP application space. As more companies adopt the latest versions of SAP GRC, they will need to understand how to meet their compliance requirements and the increased data flow that GRC creates.

© 2014 Dolphin, www.dolphin-corp.com Page 8/15 Version: 20140617 Version: 20140617

THREE AUDIT REGULATIONS EVERY SAP CUSTOMER NEEDS TO KNOW

While the effect that financial, compliance and other regulatory audits are having on every organization cannot be denied, for companies running SAP solutions, three audit regulations will have a pervasive impact on how organizations manage their SAP systems.

1. Impact of Big Data

As companies expand globally and collect more about their customers, the explosion of Big Data will have a significant impact on organizations that run SAP systems. In fact, in a recent report the Association of Chartered Certified Accountants, stated that data volume growth was a significant challenge for finance departments in the future (Association of Chartered Certified Accountants, 2013).

For financial audits, the increased volume of data available for auditing means that organizations will need to dedicate more time and resources to extracting data and preparing it for auditors.

In the case of regulatory and compliance audits, organizations will need to adapt their internal processes to ensure that non-financial data is controlled according to the regulations (i.e., PII, PCI…) and can be easily collected by their team to respond to audit requests. Organizations that are not prepared for these non-financial audits will have to dedicate time and resources to ensure they are in compliance. In industries such as consumer packages goods, food services, and retail, which conduct a large volume of transactions and potentially collect large amounts of consumer data, responding to audit requests will be particularly resource intensive due to the number of product lines they manage, the complexity of the regulations they must adhere to, and the timeliness required for responses (in some cases as quickly as 24 to 48 hours).

While many organizations running SAP applications are moving onto new platforms such as SAP HANA® to facilitate the issues related with Big Data, it is important that these companies consider their current and future audit requirements when they make the move. By implementing new audit tools and processes and putting an information lifecycle management strategy in place while moving to SAP HANA, organizations will be better prepared to manage the long-term implications of auditing Big Data.

2. Increased Oversight of Processes

Organizations that run large ERP systems, value the high degree of integration that these enterprise solutions provide. However, these organizations must be prepared for the fact that there is an increased oversight of processes when auditing a highly integrated environment. During integrated audits, organizations must demonstrate which automated controls (i.e., Workflows, Approves, Logs, Notification and system validation) are in place and demonstrate where the controls are; how they are used; and how they are being validated and/or audited (Harvard University, 2014).

Regulation, uncertainty and volatility and operational risk are top challenges today. – 2014 Global Audit Committee Survey, KPMG’s Audit Committee Institute

© 2014 Dolphin, www.dolphin-corp.com Page 9/15 Version: 20140617 Version: 20140617

Process diagrams, can be used to show how automated controls interlink with the system and control frameworks.

For this reason, it is essential that organizations running large and complex enterprise systems, which are subject to a complex global regulatory environment, put an integrated governance and risk management strategy in place. Applications, such as SAP GRC, are available to help organizations respond to the reality of increased regulations. However, mapping each organization’s business processes in these applications will take time and effort.

3. Tighter Control of Manual Entries

As described in the Public Company Accounting Oversight Board’s Auditing Standard .61, manual entries will be subject to tighter controls in order to reduce impact on financial statements and detect incidents of fraud (Public Company Accounting Oversight Board, 2010). While in many cases organizations that run SAP systems have gone through the process of automating and centralizing their processes to avoid manual entries, some gaps still exist. To reduce risk due to manual entries, organizations must ensure that they review their processes and leverage SAP systems to automate and control those processes to eliminate areas where the organization is at risk from human error or fraud.

ALIGNING AUDIT REQUIREMENTS WITH SAP SYSTEMS

Given the growing impact of audits across the enterprise and the importance of managing risk to ensure business success, organizations are focusing on how to align these diverse audit requirements with SAP systems. When requirements and systems are properly aligned, organizations are able to respond quickly to auditors and avoid penalties and fines.

To address the particular issues of increased oversight, changing regulations, and the difficulty and cost of the auditing process, organizations are seeking improvements to SAP implementations that benefit all stakeholders.

• Lower Costs: Organizations can improve the timeliness of audit responses and reduce the fees levied by consulting firms and penalties for late or incorrect responses with a comprehensive information lifecycle management strategy and controls.

© 2014 Dolphin, www.dolphin-corp.com Page 10/15 Version: 20140617

• Increased Efficiency: Organizations can reduce the time and effort required to extract data and documents when responding to audit requests by optimizing their storage, retention, and retrieval capabilities.

• Improved Controls: Organizations can align their information lifecycle with corporate and legal retention requirements with an information lifecycle management strategy that proactively considers audit requirements.

With these goals in mind, it is possible to put an action plan in place to prepare SAP systems for audits.

ACTION PLAN FOR PREPARING SAP SYSTEMS FOR AUDITS

While there are many ways to prepare IT systems for an audit, there are several key strategies that will make the process easier for organizations that are running SAP systems.

1. Start with an Information Lifecycle Management Strategy

An information lifecycle management strategy provides organizations with a roadmap for aligning the policies and procedures they must follow with how they put those into practice in their day-to-day business. Too often, organizations try to implement solutions that address the requirements of individual policies without considering all of the related policies and factors that will contribute to successful company-wide compliance. An information lifecycle management strategy enables organizations to map their larger goals of compliance to the specific mechanisms they require to achieve those goals, whether that is through operational execution, technology, or a combination of both. Organizations must understand the SAP landscape that is in place and how the relevant policies and procedures impact those systems if they want to ensure that they are and will be able to meet their compliance requirements. In addition, information lifecycle management is a key component of the SAP GRC roadmap.

2. Consider the Impact of Meeting Diverse, Global Audit Requirements

Whether an organization is doing business globally, or will do so in the future, it is important to consider the impact of meeting global audit requirements before investing in solutions or changing procedures related to SAP systems. DART, the SAP solution most commonly implemented for audit purposes, is intended for U.S.-based financial audits. However, the diverse audit requirements of countries such as France, Luxemburg, and Brazil have resulted in several third-party audit solutions for the SAP ecosystem. As with U.S. regulations, rules and audit guidelines in other jurisdictions are subject to change, therefore, it is important to invest in flexible tools that can support financial and other audit reporting requirements both here and abroad.

3. Lower the Cost of Long Term Data Storage

One audit requirement that has had the greatest impact on SAP systems is data retention. Seven years, which was the traditional length of time required to keep financial data, is no longer the only retention requirement that organizations must adhere to. Health, academic, and other personal data, for example,

© 2014 Dolphin, www.dolphin-corp.com Page 11/15 Version: 20140617

must be kept for much longer periods of time. If data is related to a pending legal case, that data must be retained indefinitely. For this reason, when preparing for audits with SAP systems, it is important to consider the cost of long term data storage.

Data archiving is one way for organizations using SAP solutions to reduce the costs associated with long term data retention. Archiving extracts data from production systems and compresses it so it can be stored cost-effectively on other lower cost storage options. Moving archived or infrequently accessed data to cloud storage is another way to reduce costs.

4. Simplify the Process of Extracting Audit Data

Ask any auditor, member of the finance department or IT service provider — extracting data from SAP systems for audits can be a lengthy and difficult process. The longer it takes to extract data and complete an audit, the more the audit will cost. Internal resources spend time and effort locating and extracting the audit data and external auditing experts charge expensive consulting fees for the duration of the audit.

Therefore, it is important that organizations consider how data will be extracted from their SAP systems when an audit request occurs. To keep audit costs low, organizations must consider ways to simplify the process of extracting audit data. Flexibility is key. Organizations must be able to adapt to the changing local and global audit requirements, so they must leverage SAP’s built in capabilities and available third-party solutions to improve the timeliness of their audit responses and reduce audit fees.

5. Adopt the Latest SAP Technologies for Audit

While the functionality of SAP GRC 5.3 was primarily focused on Access Controls, SAP GRC 10 and 10.1 contain new features that support the latest audit requirements. Controlling risk, preventing fraud, and implementing process controls are key focuses of the latest SAP GRC releases. As discussed at the SAPinsider BI/HANA and Administration conferences in 2014, information lifecycle management forms the cornerstone of the future SAP GRC roadmap. Organizations that adopt the latest versions of SAP GRC, and complementary technologies are prepared to respond to audit requests in the future.

6. Optimize Audit-Related Tasks in SAP

In the past, the infrequency of audits has caused many organizations to deprioritize the importance of optimizing the audit process in their SAP systems. Consequently, audit-related tasks remain very manual and labor intensive. However, as the frequency and variety of audits increases, it is worthwhile for organizations to consider some degree of optimization to simplify and standardize the auditing process. It is possible to leverage optimization efforts that already exist in other areas of SAP solutions to support audit optimization.

Scanning and OCR technologies, which are frequently used for invoice capture can be used to automate the data entry necessary to comply with regulations. Reporting solutions can be extended to include audit reporting requirements, both for internal and external auditors. If archiving is in place, organizations can put controls in place that retain data for the required amount of time, and ensure that it is destroyed when it is no longer needed. The efforts involved in optimizing these audit tasks pay for themselves through quicker audit response times, and reduced fines and penalties from greater control and compliance.

© 2014 Dolphin, www.dolphin-corp.com Page 12/15 Version: 20140617

7. Calculate the ROI of Audit Compliance

Once the proper audit controls are in place, it is important to calculate the ROI of the system to demonstrate the effectiveness of the program and ensure adequate funding and support for compliance at the highest level of the organization. In the report “Making the Bottom Line Case for Compliance: The ROI of a Robust Compliance Department” Robert Diskup discusses a nine- point plan for measuring the quantitative and qualitative benefits of compliance (Diskup, 2013.). Fraud prevention, data privacy and protection, and closing gaps in existing processes are some ways how organizations can measure the effectiveness of their compliance programs and prove that they have addressed potentially significant exposure to risk, redundancy and inefficiency.

© 2014 Dolphin, www.dolphin-corp.com Page 13/15 Version: 20140617

DOLPHIN AUDIT SUCCESS STORIES

Dolphin Enterprise Solutions Corporation (Dolphin) has helped organizations put an action plan in place to prepare SAP systems for audits for almost 20 years. Recent success stories are summarized below.

Retailer Reduces Cost of Storing Large Volumes of Data for Tax Reporting

A large volume retailer located in the Mid-West needed to retain large volumes of sales transaction data for operational reporting and financial audit purposes. However, the volume of data in the online system grew unsustainable over time, increasing costs of managing the systems and impacting the performance of the system for end users.

Dolphin developed a data volume management strategy for the retailer that would reduce the volume of data in the online system, while still providing users with seamless access to data for reporting and audit purposes. Using a combination of online, nearline and archived storage, the retailer was able to maintain maximum performance while reducing their data storage and administrative costs, so they could stay in compliance with data retention periods for Federal and State Tax requirements.

Beverage Company Reduces Audit Response Time from 15 to 3 Weeks

An international beverage company located in Atlanta was running multiple SAP systems with extremely large volumes of data, which made it difficult to respond to audit requests in a timely manner. The finance and IT teams found the process of retrieving data cumbersome and lengthy, and the external costs associated with audit requests (i.e., auditors, consulting fees, and penalties for late responses) grew larger each year.

Dolphin developed a tiered storage strategy that used nearline storage for archived data that would be accessed more frequently and an offline archive repository for data that would be accessed less frequently. Cloud storage was also used for volumes of documents and data that were rarely accessed but that needed to be retained for audit requirements. With the Dolphin solution in place, the company was able to reduce the cost of data storage and improve the average audit response time from 15 weeks to 3 weeks. The company estimates that the solution has resulted in greater than $20M in savings over 5 years.

Technology Company Strives to Keep Consumer Data Secure

As the custodian of large volumes of consumer data, including credit card and personally identifiable information, a global consumer technology company located in Silicon Valley wanted to ensure that data in their SAP systems were secure from potential hacker attacks and fraud. During an internal audit, the company identified several compliance gaps that needed to be fixed to keep customer data secure.

Dolphin helped the company develop an information lifecycle management strategy that would allow them to keep customer and personally identifiable data secure in online systems as well as in archived systems without exposing it to risk.

© 2014 Dolphin, www.dolphin-corp.com Page 14/15 Version: 20140617

ABOUT DOLPHIN

Dolphin leads the way in Business Performance Improvement for companies running SAP solutions. We help organizations achieve maximum enterprise-wide performance by managing both the data that fuels the business and the processes that run it. Dolphin’s business process optimization and data volume management solutions enable customers to effectively leverage their investment in SAP applications through a combination of SAP add-on software solutions and business consulting services. Our SAP-centric and SAP-certified solutions are flexible and can be tailored to each customer’s specific business processes and IT environments, so customers can increase productivity, reduce risk, and lower the total cost of ownership of SAP systems.

The company was founded in 1995 and has offices in Philadelphia, PA, San Jose, CA, and Toronto, ON, Canada. One-third of all Fortune 100 companies that run SAP systems are Dolphin customers. To learn more, email us at contact@dolphincorp.com or visit www.dolphin-corp.com.

© 2014 Dolphin, www.dolphin-corp.com Page 15/15 Version: 20140617

WORKS CITED

A. Daley, e. a. (2014). Best Practices for Data Retention and Policy Creation Will Lower Costs and Reduce Risks. Gartner Inc.

Association of Chartered Certified Accountants. (2013). Big Data: Its Power and Perils. Association of Chartered Certified Accountants.

(2014, Monthy). Continually Evolving to Achieve Stakeholder Expectations. Altamonte Springs, FL: Institute of Internal Auditors.

Harvard University. (2014). What is an Integrated Audit? Retrieved April 23, 2014, from Harvard University: http://rmas.fad.harvard.edu/faq/what-integrated-audit

KPMG. (2014). 2014 Global Audit Committee Survey. KPMG.

Pratap, K. (October 2013). Survey Analysis: IT Compliance and Audit, 2013. Gartner Inc. .

Public Company Accounting Oversight Board. (2010, 08 05). .61. Retrieved 05 14, 2014, from pcaobus.org: http://pcaobus.org/Standards/Auditing/Pages/AU316_61.aspx

The Institute of Internal Auditors. (2014, March 24). Audit Executives Hail From Other Professions, IIA Survey Finds. Retrieved May 13, 2014, from The IIA: https://na.theiia.org/news/press-releases/Pages/Audit-Executives-Hail-From-Other-Professions-IIA-Survey-Finds.aspx

Tysiac, K. (2014, March 26). Regulation demanding increased internal audit focus. CGMA Magazine.