Case Study: Internal Audit Monitors the Technology Horizon at Marriott Vacations Worldwide Corporation

Marriott Vacations
Company Headquarters — United States
Number of Employees in Company — Nearly 10,000
Industry — Vacation Ownership
Annual Revenues — US$1.8 billion (as of Jan. 1, 2016)
Number in IA Function — 9.5 FTEs
Number of Years IA Function Has Been in Place — 4.5
IA Director/CAE Reports to — Audit Committee of the Board of Directors

Marriott Vacations Worldwide Corporation, a leading global pure-play vacation ownership company with more than 60 resorts, offers a diverse portfolio of products, programs and management expertise. The company’s brands include Marriott Vacation Club, The Ritz-Carlton Destination Club and Grand Residences by Marriott. Formerly a division of Marriott International, with which it maintains a long-term relationship, Marriott Vacations Worldwide became a separate public company in 2011 through a spin-off.

At the time of the spin-off, senior vice president and chief audit executive Julie Cochrane Meyer was tasked with creating the company’s internal audit department. “Our audit function’s journey during the past several years has been unique,” Meyer says. “We had a relatively short period to get a number of processes up and running while our company was separating from Marriott International.”

Meyer is the former vice president of finance and accounting for Marriott International. She says her knowledge of Marriott Vacations Worldwide’s executives – a team she worked closely with in her previous role – was helpful as she built the internal audit function from scratch. “I saw how the management team addressed challenges and made decisions,” she explains. “That influences how my team communicates and works with the management team.”

The internal audit function at Marriott Vacations Worldwide features a diverse collection of skills, including several types of IT expertise. Internal audit is also able to perform more consultative work related to cybersecurity assessments and the company’s breach response program, for example.

“Our audit committee wants to talk about cybersecurity breaches that are reported in the news, and learn more about the types of cybersecurity risks we’re facing,” Meyer says. She adds that she works closely with the company’s chief information officer (CIO) and chief financial officer (CFO) to make sure the audit committee is “kept up to speed on these topics while providing them with comfort that we’re managing cybersecurity risk.”

Meyer is well-versed in audit committee concerns because she reports to that group on a functional basis; administratively, she reports to the CFO. According to Meyer, the internal audit function is well-equipped to provide assurance to address the audit committee’s cybersecurity concerns because its 9.5 full-time equivalents (five full-time associates and 4.5 auditors through a co-sourcing relationship with Protiviti) possess a variety of auditing, accounting and IT expertise, including IT auditing, IT security and data privacy skills.

“I think it is extremely helpful to bring together different technical expertise in the internal audit function,” Meyer says. “You get a variety of views and ways to think about risks and other business challenges. I also think that general business acumen is crucial. As an internal auditor, you need a balanced view of what would be an ideal solution from a risk or controls perspective with what is realistic from a business perspective.”

She continues, “The one thing that I did not understand about internal audit until I worked in internal audit was that on any given day, we can be faced with absolutely any type of issue. So, being adaptable is probably highest on the list of skills that I look for.”

Types of IT Audits

As cybersecurity risks have grown at all organizations, including Marriott Vacations Worldwide, the company’s internal audit function has adapted its audit plan to include more IT-related audits. Meyer’s function selects specific IT audits based on the company-wide risk assessment it conducts each year and a separate risk assessment related solely to IT risks.

This company-wide risk assessment covers about 20 different categories of risks. These categories are selected after considering the risk factors identified in the company’s annual report, which includes its financial statements. “That way, we can make sure we’re aligned with the executive team’s view of our top risks,” Meyer says. “We then create a ranking of risks based on the management team’s input. Ultimately, we create a risk map that my function uses to identify which areas are auditable and that management uses in its risk management programs.”

The risk categories include two sets of IT risks, says Meyer. “About three years ago, we decided that if we wanted to leverage our risk assessment to identify which IT audits to include in our annual auditing plan, we needed to dig deeper into the IT risk areas,” she explains. “So, we created a one-page infographic that depicts our company’s IT risk environment. We also met with our CIO’s direct reports to get more information on about eight different categories of IT risks.” The internal audit team and their IT colleagues then ranked those IT risk categories.

As a result of risk assessments, internal audit includes IT audits in its annual audit plan. For example, one IT audit focused on network security. After becoming a public company, Marriott Vacations Worldwide remained on Marriott International’s IT network through a transition agreement. After the agreement concluded, the company moved to its own, newly created network. “As soon as our new network was established,” Meyer says, “I had my IT audit team audit the configuration to look for potential weaknesses.”

Another IT audit focused on data security related to the company’s use of Software-as-a-Service (SaaS) technology. “Like most companies these days, we use many SaaS solutions,” says Meyer. “We conducted an audit where we looked at the configurations that are used over the internet to transfer data back and forth between our company and the third parties that provide software services to us.”

A separate IT audit addressed mobile technology use throughout the company. This audit, which Meyer says was aided by mobile technology auditing experts from Protiviti, focused on security. Specifically, the assessment looked at how data on the devices, and the devices themselves, are kept secure.

Facilitation Through Consultation

Another positive outcome of internal audit’s mobile audit, Meyer points out, was that it “facilitated a discussion throughout the management team of how we want our overall mobile program to operate.”

This type of facilitation is a primary objective of the more consultative work that the internal audit function delivers. “That’s our business-facing consultative area that helps facilitate improvements in control and audit readiness,” Meyer explains. “It is separate from the assurance arm of our function.”

For example, internal audit associates offer privacy and data security guidance to their colleagues when the company enters into a relationship with a new technology vendor. Members of the internal audit team participate on a project team charged with refreshing the company’s breach response program, a key component of organizational cybersecurity. “There is a lot of data privacy expertise within the team,” Meyer says.

Internal audit has also assisted Marriott Vacations Worldwide’s information security group with its mapping of the company’s cybersecurity program to the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

“The NIST framework-mapping exercise is actually quite comprehensive,” Meyer says. “Our role is to help make sure it gets done, while also asking challenging questions and making some objective observations throughout the process. This self-assessment is new, and we want to make sure risks are thoroughly considered and addressed.”

Keeping an Eye on Technology Changes

Internal audit’s consulting and facilitating contributions have helped earn the function trust throughout the business. “While we necessarily do some policing as part of our role, I certainly hope we’re seen more as a business partner,” Meyer says. “And I think the fact that we’re often auditing or consulting on a process that is either under development or brand-new shows that our business partners trust us. We are often participating, reviewing or consulting on a new program before it has been in existence long enough to be subjected to assurance.”

For example, internal auditors recently worked with an IT project team testing a new application at three of the company’s resorts. “The application was still in its infancy,” Meyer explains. “We worked with the project team to identify what improvements could be put in place before the application was rolled out on a wider basis.”

Meyer regularly sits in on high-level IT governance meetings at Marriott Vacations Worldwide. “I keep an eye on our internal governance as it relates to technology – not just to the spending, but to the strategies that are being put in place,” she says. “Even though we do a pretty deep dive into IT risks during our risk assessment each year, we try to keep abreast of IT changes on the horizon.”