Ask experts in business risk what makes them most nervous and many will name some aspect of cybercrime or cybersecurity. That’s relatively new; only in recent years has the specter of lost or stolen data — or worse — risen to the top ranks of corporations’ concerns. Others may cite less technological issues, such as the threat of reputational harm, or political and economic uncertainty. But regardless of which areas pose the greatest concern, or how long they’ve been on management’s radar, experts agree that audit leaders with a clear vision and a competent team are a key asset in coming to grips with them.
When internal auditors from across the globe gather in New York City in July for The IIA’s International Conference, they’ll be facing head-on many of the risk-related challenges businesses encounter. The assembled audit professionals will hear about risks and responses from speakers from all over the world, including five distinguished keynoters with a broad range of collective experience and backgrounds. Internal Auditor recently spoke with these individuals to gauge their views on emerging business risks, as well as the important role audit practitioners play in helping to address those areas.
Many businesses have elevated cyber risk to the top of their priority list. Indeed, says Julia Gillard — Australia’s prime minister from 2010 to 2013 and, since, a lecturer, author, and fellow and board member of several institutes and organizations — hackers’ growing sophistication, combined with the ever-increasing interdependence of cyber networks worldwide, represents perhaps the biggest near-term security risk companies face. “The best antidote, aside from constructive work with governments to appreciate and help manage cybercrime,” she says, “is consumer education, so that individuals and businesses, including small businesses, can be more aware of what they can do to take prudent steps to protect their interests.” Gillard adds that she has a deep appreciation from her experience as prime minister for internal auditors’ role in that — especially by helping to ensure organizational integrity — and, generally, for how they work and the businesses with which they interact.
How big could the impact of cybercrime be on business? Richard Quest, CNN international business correspondent and host of the programs Quest Means Business and CNN Business Traveller, says simply: “Huge.” By way of illustration, he adds: “In the past six months, I have received hack advisories from one of my credit card companies, my main bank, my health-care company, and at least two stores where I have shopped online.” Large companies, he adds, may face as many as tens of thousands of hack attempts every day. He cites ransomware, which is becoming a real threat for hospitals, and notes that the Sony hack “showed us how damaging it can be when your confidential emails are dumped into the public domain.”
IIA President and CEO Richard Chambers also fears the growing menace of cybercrime. “Beyond the volatility of an increasingly dynamic global economy, where new risks and disruptions can develop overnight,” he says, “boards and managements have consistently identified cybersecurity and the ills associated with cyber breaches as the biggest business risks. This is likely to remain the biggest threat in the foreseeable future.” Organizations are starting to realize that cybersecurity involves more than just efforts to stop attacks, he explains, and thus there’s an increasing focus on how to identify and respond to cyber breaches when they inevitably occur. That response should include the same elements as any crisis management engagement: customer relations, brand reputation, and business continuity.
Of course, that’s easier to accomplish when the risks aren’t morphing so rapidly; with cybercrime, the frequency and sophistication of attacks are both increasing constantly. “People are addressing it,” notes Olivia Kirtley, president of the International Federation of Accountants and chair of the audit committees at Papa John’s International, ResCare Inc., and U.S. Bancorp, “but you’re addressing against a very active, increasingly capable environment, not a static environment. Trying to keep pace is one of the big risks out there.”
Politics, the Economy, and Terrorism
Politics weighs heavily on Gillard’s mind when it comes to business risks. “The collapse of so many nation states in the Middle East has not yet run its course, and the aftermath will continue to be troubling,” she notes. As well, she points out that the entire world pays great attention to political developments in the U.S.; in her travels, the presidential election in particular comes up often. “To the extent the U.S. registers insecurity and turns inward,” she says, “as opposed to expressing confidence and engagement with the world, this will have a big influence on perceptions of risk.” Balancing that, she calls for “great confidence and optimism from the rise of Asia.” The continent, she explains, is creating the largest middle class the world has ever seen, and Australia and the U.S. are well-positioned to serve it, with exports in technology, services, health care, education, tourism, and food.
In Europe, Gillard adds, other specific concerns include terrorist attacks and the upcoming vote in the U.K. on leaving the European Union. She also points to “overall, slower economic growth than we want and need” as a particular business risk.
The economy also concerns Paul Sobel, vice president and CAE at Georgia-Pacific LLC, as a business risk. His organization continues to feel the pinch of a housing market that “hasn’t bounced back very quickly,” which hurts Georgia-Pacific’s building products business; it’s already burdened with overcapacity, he adds, as new capacity has come online faster than demand has risen. Overall, he sees the world much the same way Gillard does. “Political, socioeconomic, and terrorist events cause unexpected changes in so many ways,” he says. “Combined with rapid technology change and disruption, an organization must be continuously monitoring the external environment and updating its risk profile.”
For Kirtley, reputational risk also ranks high, especially with regard to social media. The problem, she notes, is that social media poses risks that aren’t always within an organization’s control. “For word to travel, it doesn’t have to be true,” she explains. “You’re not just combatting things that might have gone wrong, you’re combatting false information, too.”
The best an internal audit shop can do is basically what it does in the face of any business risk: Make sure the organization has processes, procedures, and controls in place. “The veteran internal audit shops are shifting from being a participant in the risk-control environment to being an auditor of the risk-control environment,” Kirtley says. “Are the risk mitigation plans in place? Are they robust? Are they functioning as they are purported to be?”
Indeed, internal audit’s role in addressing many of the emerging business risks the experts fear most will be largely the same as for the risks companies already deal with all day every day. First and foremost, Sobel says, that means understanding how value is created and measured, so that the internal audit function can focus on its expanding mission of enhancing and protecting organizational value. “We must go beyond talking a downside risk language,” he says, “to more of a value language that recognizes how we can enable future value creation, as well as preserve existing value.”
That should help in accomplishing another one of internal audit’s primary aims: being viewed as effective without destroying the trust in the department that’s essential for its effectiveness. Establishing trust, in fact, is a “fundamental issue for internal auditors,” Quest says. “Auditors should use corporate culture to their advantage, aiming to show that they are part of the wider team that’s ensuring the long-term success of the company.”
Doing that requires strong leadership, especially in the areas of communication, relationship building, and business acumen. “To reach the long-stated goal of becoming trusted advisers to management and the board, internal audit leaders must nurture skills that help meet growing stakeholder demands and offer valuable foresight to the organization,” Chambers says. Successful communication is a two-way street, he adds. Not only must internal audit leaders be able to successfully impart audit recommendations, knowledge, perspective, insight, and foresight, they also must clearly understand stakeholder needs and priorities.
Like many customer-facing operations, internal audit is a people business, and understanding stakeholders happens best when auditors actually know who they are. “Internal audit leaders must develop a rapport with management and the board that builds trust and credibility in the audit function,” Chambers says. They must also understand the risks facing the specific industries they serve, he adds, and identify and monitor all associated key risk indicators. All the while, internal audit needs “a holistic understanding of the pressures and challenges facing management and the board,” he says.
Gauging those risks and challenges can be difficult when stakeholders aren’t working from the same page. “You often find when you survey about risk that there are different views on the risk appetite of a particular area or the overall risk environment and risk culture,” Kirtley notes. “One of the more important things internal audit can do is to assure that there’s a common understanding as to what the risk appetite and risk culture are. You’ve got to make sure everyone is in agreement.” Indeed, she adds, it’s imperative that internal audit pull that concordance down out of the theoretical and assure it’s actually happening on the ground. There could be a disconnect in just two or three of, say, 10 areas of needed agreement, she says, but they could well be the most critical two or three.
Sobel emphasizes that in all things, internal audit must be seen as a key facilitator and enabler of effective risk management. “It must be culturally acceptable, and even required, for internal audit to evaluate and provide advice and assurance related to the effectiveness of risk management,” he asserts. Culture affects everything an organization does, he adds, emphasizing that the tone at the top and executive support must be clear in terms of the enterprise’s risk criteria — such as risk-taking philosophy, risk appetite, and risk tolerance.
Agility and Speed
For all the emphasis on well-established practices being used in the face of emerging business risks, it’s critical as well to see things in a different light and adopt previously unused tactics to move the organization’s control environment forward. “In the immediate post-Enron world, the focus of internal audit was on providing assurance on financial reporting and compliance to a bevy of new reporting requirements,” Chambers says. “Technology and cybersecurity issues have changed that.” And those two issues, in one form or another, will likely continue to be the dominant forces shaping how business risks change. He agrees with Gillard and Sobel, though, that you can’t discount economic volatility, geopolitical relations, and terrorism as factors that could dramatically alter business risks.
That’s why Chambers urges internal audit practitioners to learn to “audit at the speed of risk.” Internal auditors must become more nimble and agile in their ability to respond to increasingly volatile risk environments, he says, and that means expanding skills to meet those changing risks — and the related stakeholder needs, which are also changing. Internal audit departments should also emphasize constant investment in continuing education, developing business acumen to understand all the factors that influence the organization, and looking toward technology and innovation to improve how they do their work. As organizations’ risks and other challenges continue to evolve, so too must the internal audit function.