The latest news headlines on issues and developments affecting the internal audit profession.
Sept. 18, 2020
Last week, five environmental, social, and governance (ESG) and sustainability reporting standard-setters released a white paper outlining a process to create a single disclosure framework, according to an Agenda article (paywall). The paper, Statement of Intent to Work Together Towards Comprehensive Corporate Reporting (PDF), describes how the organizations will collaborate to create a framework of corporate disclosure — comparable to those used for financial reporting — covering nonfinancial material issues that impact companies and society. The consortium intends to create a cohesive standard-setting process, a globally agreed-upon set of sustainability topics and disclosure requirements, and a comprehensive system to measure and report how ESG and sustainability initiatives can create enterprise value.
Europe's leading business leaders have warned that failure to co-ordinate the rollout of 5G wireless technology across the region could pose a significant business risk, The Financial Times (paywall) reports. According to analysts, a delayed 5G rollout risks leaving supply chains uncompetitive, which may result in declining investment. This state contrasts starkly with the implementation of 5G in countries such as China and South Korea, which completed their transition to 5G in 2018 and 2019, respectively. "We have had too much of a fragmented approach in Europe," said Carl-Henric Svanberg, chairman of the European Round Table. "If we don't have the right support for small and medium-sized companies, we will not have the support we need for our [larger] businesses either. We need to make sure we have the right environment, right infrastructure … 5G is key to that, and it is one of the most key parts to creating a competitive society in the future."
The World Health Organization (WHO) called attention to a recent surge in COVID-19 cases across Europe, calling it a "wake-up call" to the region, SBS News
reported. The statement was based on news of 54,000 cases recorded in 24 hours last week — a new record in Europe. "Although these numbers reflect more comprehensive testing, it also shows alarming rates of transmission across the region," Dr. Hans Kluge, a regional director for the WHO, told reporters. Across Europe, governments are fighting spikes in new cases, while also trying to minimize damage to economies. In Austria, France, and the U.K., authorities are tightening restrictions on certain activities in hard-hit cities. According to SBS, the U.K. has fared the worst in the pandemic, with nearly 42,000 deaths.
Only 44% of health-care institutions — including hospitals, health systems, and physician practices — met national cybersecurity standards in 2019, according to Business Insider, which cited an annual report from consulting firm CynergisTek. The firm's report also found that health-care supply chain security is one of the lowest ranked areas for conformance to the U.S. National Institute of Standards and Technology's Cybersecurity Framework. The report said leading factors influencing performance include poor security planning and lack of organizational focus, inadequate reporting structures and funding, confusion around priorities, and lack of staff.
A new study on the link between bank interest rates and consumer investment in riskier assets appears to show that the "sweet spot" for rates is between 0% and 1% — but not below that, Reuters
reported. The study, published in the
Journal of Experimental Economics, found that participants were more willing to borrow to invest in assets like stocks when rates fell to 0% or just above, but were less willing to borrow at negative rates because these suggest "some kind of emergency situation," said Anatoli Annenkov, a former European Central Bank economist. The study could serve as a forewarning to central banks not to go "subzero," as some may be considering, the Reuters article stated. Evidence of this behavioral effect can be seen in the actions of Europeans, whose savings rates increased as official rates fell further below 0% after 2014.
Sept. 17, 2020
TODAY'S COVERAGE OF THE IIA'S WOMEN IN LEADERSHIP CONFERENCE
Times of Change Can Propel People Forward
In the closing keynote speech today at The IIA's Women in Leadership conference, Dr. Shirley Davis asked participants, "If you had to live your life over again, how would you live your life differently?" In the poll, the highest number of respondents answered that they would "live their life with more passion," followed by "take more risks" and "conquer my fears."
Davis, who is president and CEO of SDS Global Enterprises and a corporate coach, wants people to know that they can continue to reinvent themselves. Having a more meaningful life starts with defining goals in all areas of one's life, making a plan, and being willing to fail at times, she said.
"I'm not one who believes that failure is not an option," Davis said. "Failure is necessary if you want to grow." She described some of her own failures and tragedies, including seeing her marriage and businesses fail and coming back from a terrible car accident.
Such "defining moments" can give people the insight to reinvent themselves, Davis said. She pointed out that despite the challenges, the disruption caused by the COVID-19 pandemic has given people a unique opportunity to reflect on their lives and what is important to them.
Davis shared some of the self-assessment questions she uses to help her clients define their "purpose" or what is the most meaningful to them, such as:
- How do you define success and what does it look like for you?
- What do you value most in life and why?
- Are you where you want to be in life, and if not, why?
- What are you most proud of?
Davis said her goals encompass not just her work life, but also personal relationships, health, finance, and spiritual areas. She revisits her goals frequently throughout the year, reevaluating them as things change.
"Passion comes from purpose," Davis said, and having a purpose "gives you a reason to say yes to things, and it gives you a reason to say no. I'm going to stay where my purpose is aligned with my goals."
Sept. 16, 2020
COVERAGE OF THE IIA'S WOMEN IN LEADERSHIP CONFERENCE
Using Body Language to Improve Communication
Although internal auditors may be the bearers of bad or unwanted news initially, simple body language tips can help shift that dynamic. That was the message of author Tracy Brown in her presentation, Body Language Confidential, which opened The IIA's Women in Leadership Conference this morning.
Brown, the author of the recently released book
How to Detect Lies, Fraud, and Identity Theft, presented a series of photos to highlight the subtle cues transmitted through body language. She warned that different cultural norms should be considered when implementing any of the generalizations.
For example, a handshake in which both participants' hands are vertically level shows that the two are "meeting on even ground." Initiating a handshake with a palm facing down indicates a desire for control, while offering an upward-facing palm indicates openness and a willingness to accept. In Asian cultures, she said, a firm handshake is considered rude.
Comfort level with personal space is related somewhat to what a person is accustomed to. However, in conversations, Brown said, if a person is leaning, scooting, or backing away from you, as little as a half step, the person is uncomfortable. She described "matching," or doing what the other person is doing, as a body language technique that builds rapport unconsciously and creates a deeper connection. Matching includes using the same hand gestures, phrases, tone, and energy as the other person, but without mirroring directly, or reflecting a person as they would see themselves in a mirror.
While being aware of body language may seem difficult at first, with practice, it becomes easier, according to Brown. The goal is to create positive feelings so the other party is receptive.
"You're going to feel like you're acting, but only a few minutes is required," she said. "Once you establish the rapport, you can bring them with you."
Additionally, matching may need to be used again if rapport seems to be lost in a moment, such as when difficult topics are being discussed. "Anger happens when they think you don't get them," she said. "Meet them at their intensity level and bring yourself down, and they will follow you."
So You Want to Sit on a Board?
Securing a seat on a board of directors can be a three- to four-year journey, according to Rochelle Campbell, director of Board Recruitment and Special Projects at the National Association of Corporate Directors. Campbell and independent board member D'Anne Hurd lent their expertise to the 2020 Women in Leadership Conference in a session on Navigating the Corporate Ladder.
The presenters outlined ways women can prepare themselves for a board seat, starting with developing their board resume, bio, and LinkedIn profile. Profiles should include the companies the individual has worked for, as well as "your industries, company revenue, your functional roles, and any special skills," Campbell said.
Keywords also are important in helping companies find a professional's profile for a board opening. "In addition to internal audit skills, you should be mapping internal audit to some trends that are important today," Hurd said. This includes things such as digital transformation and environmental, social, and governance (ESG), which are areas where boards are looking for knowledge.
"Certain skills align with certain boards," Hurd said. And that doesn't always mean hard skills. Soft skills — leader, consensus builder, mentor — should also be on a board candidate's resume, she noted.
It's also important to have a strategic plan because a board role can also help feed one's executive career, Campbell said. The professional's plan should include how a board seat will support her, how she can support a board, and how she can execute the plan.
When networking, Hurd suggests opening with "How can I help you?" Listening and offering help will go further than anything else, she said.
"Your reputation will precede you," Campbell said. The more a potential board candidate shows up with her "A" game and says "yes" — to things such as speaking engagements — the more likely she is to get a board seat. Reputation can also be built on social media by sharing accomplishments, speaking engagements, and published work.
"Internal auditors have a skill that is transferable to any board, any industry," Hurd said. "So don't worry about being a subject-matter expert on every board you look at. You have something that every board is going to want — compliance and governance work."
COVERAGE OF THE IIA'S 2020 FINANCIAL SERVICES EXCHANGE
Internal Audit's Role in Integrating Assurance
Aligning assurance work across an organization is an important goal, but many organizations struggle to achieve the correct level of partnership and coordination. Reaching this goal was the topic of a panel session, Integrating Assurance: Enhancing Coordination and Partnership Across Your Organization, on Tuesday at the 2020 Financial Services Exchange.
Various parts of the organization — not just internal audit — provide risk assurance in areas such as regulatory and cybersecurity. It is normal for these assurance roles to blend, said Sarah Saunders, assistant vice president, Internal Audit at Jackson National Life Insurance Co.
As a result, integration of assurance is not only a best practice, but also something that The IIA says should be done under Standard 2050: Coordination and Resilience. The goal is to get the best coverage of key risks, Saunders noted.
The IIA's recently updated
Three Lines Model (PDF) was discussed, with Saunders calling it is the gold standard for structuring risk management. The update gives an organization a clear idea of roles, including the roles of external audit and external providers.
When starting the integration process, it's important to do a lot of listening to gain an understanding of the kinds of assurance providers across the organization, said Megan Reed Kramer, director, Internal Audit at GATX Corp. Also, internal audit should look at the organization's consultants to see if they are providing assurance work. In addition to gathering information, this process will identify key contacts as the integration process moves forward, she noted.
From internal audit's perspective, it is important to explain how the audit function integrates with the organization's strategies and to underscore the importance of staying independent, Kramer said.
Steering committees — which bring together workers from various parts of the organization — can be a good place to start conversations about integration, said Jude Viator, associate director, Consulting Services Group at accounting firm Postlethwaite & Netterville. Reporting also is important to inform and build support from senior leadership, the audit committee, and the board. In addition, strong communication is necessary to provide a common language and reporting style when various assurance providers are involved, Viator said.
The global economy has performed better than expected, but it is still on track for an "unprecedented" decline in output this year as a result of the COVID-19 pandemic, the Organisation for Economic Co-operation and Development (OECD) warned in its latest economic outlook. The OECD said the world economy will contract by 4.5% this year, revised upward from June, when it forecast a 6% decline in gross domestic product globally. China, the U.S., and Eurozone nations are expected to perform better than originally forecast in June, but growth expectations for India, Mexico, and South Africa have worsened. Looking ahead, the OECD expects the global economy to grow by 5% in 2021.
The FBI issued an
advisory (PDF) in late August warning companies about a new type of a cybersecurity threat involving remote employees and virtual private networks (VPNs). According to an article in
EHS Today, the so-called "vishing" campaigns are multistep scams, in which criminal groups first create a dossier on employees from a target company by "scraping" their personal and work-related data via social media sites, background check services, and marketing tools. Posing as an IT help desk employee from the targeted company, someone then calls an employee's cell phone, gains the person's trust using the employee's personal details, and asks the employee to log in to a page set up to look like the company's VPN landing page. Criminals are using the captured login credentials to access company databases with the further intention of launching ransomware or other attacks. The FBI advisory recommends restricting VPN to managed devices, restricting VPN hours, and scanning web applications for unauthorized access. Internal audit should continue to monitor threats aimed at remote workers.
According to a recent report by the World Wildlife Fund, wildlife populations monitored by the organization have declined on average by 68% since 1970, a trend driven largely by human activities. However, despite these figures, businesses find themselves uniquely positioned to help reverse these trends, says an article in Triple Pundit. "Smart investments in nature — from the protection and restoration of forests, wetlands, and other key ecosystems to green infrastructure like green urban areas and roofs — can help stabilize the climate, support communities adapting to climatic changes that have already occurred, ensure resources for future generations, and prevent the next pandemic," the article says. The article recommends that businesses adopt science-based targets that align their emissions reduction goals with what is the best available science — not just because of moral obligation, but because of the financial impact that could occur if nothing is done.
Sept. 15, 2020
COVERAGE OF THE IIA'S 2020 FINANCIAL SERVICES EXCHANGE
Managing the Pandemic's Impact on Internal Audit
As COVID-19 has progressed, internal audit leaders have needed to change approaches and actions. Yet, managing people and communicating well have remained essential throughout all phases of the pandemic, according to speakers at Tuesday's opening general session at the 2020 Financial Services Exchange.
Nimble responsiveness to continuing risk assessments and flexible internal audit plans also are vital, noted co-presenters Stacey Schabel, chief audit executive for Jackson National Life Insurance Co., and Dana Lawrence, senior director, Compliance and Internal Controls, for Azlo. Their session covered the Effects of the Pandemic on Internal Audit Practices.
Schabel and Lawrence discussed ways to engage the remote workforce, saying that formal and informal modes of communication should be used. Examples of improving formal communication include implementing one-on-ones and daily check-ins, as well as changing the way meetings are structured to solicit more team input. Opportunities for unstructured interaction include virtual coffee meet-ups or happy hours, team bingo and trivia, and virtual charity fundraising and challenge events such as virtual 5K runs.
Schabel suggested polling employees regularly to determine whether leaders have established the right balance of meetings and independent work time. Lawrence added that empathy and candor are key leadership skills. "It's important to ask employees directly: 'How are you doing? How is your stress level? How can I support you right now?'" she said.
Lawrence discussed the importance of continuing training and development. "Don't put it on hold," she emphasized, pointing out the abundance of virtual learning opportunities available. Besides attending virtual conferences and earning certifications and continuing professional education credits, Lawrence suggested connecting with other professionals via LinkedIn and reading white papers and guidance.
Organizations should update their enterprise risk assessments to account for the pandemic's effects, Schabel said. She advised internal audit leaders to "challenge everything" by continuously assessing risks and adjusting the internal audit plan frequently. Internal audit leaders should also transparently communicate high-quality, relevant information — supported by data — to the audit committee and regulators so that changes are well-documented and clearly understood.
Real-Time Project Audits Provide Significant Organizational Value
In his presentation, Case-Based Learning: Project Audit Approach for Large Enterprise Programs, Joseph Keller, global head of Technology, Payments, Fraud, Digital, and Project Audit at TD Bank Group, presented a broad overview of project auditing concepts and how internal audit can get its voice heard at the management table.
Although project audits and operational audits are similar, they differ in both their objectives and their timing, Keller said. Operational audits, for example, assess the design and operating effectiveness of a specific area, function, or subject matter and are conducted as part of standard business operations. Project audits assess design effectiveness based on a project's business case.
"A project audit should be conducted as a project is in progress," Keller said. "You are step by step with the client prior to implementation. We look at the impact of what's going on as [the project] goes live, which allows us to provide that feedback to management right up front. It's the real-time look versus the look back."
Project audits are a blend between project monitoring and project auditing, with regular monitoring functions often leading to audits as necessary, Keller explained. To do so effectively, internal audit must be a part of project discussions from the beginning, attending steering committee meetings and including key projects in its audit plan. As critical findings come up, internal audit must report them immediately, he stressed.
"With project audits, don't wait for the final report to go out," Keller said. "This is not the time for a formal report. Project auditing is raising awareness of issues as you see them."
Keller cautioned auditors to speak up when they receive project updates that don't make sense to them. "The last thing you want said when something goes sideways is, 'Where was audit?'" he said.
There is no one-size-fits-all approach to conducting project audits; the core fundamentals remain the same, Keller noted. An internal audit function performing a project audit must be nimble, mindful of the skills required to complete it, and humble in its assessments of how to improve for the next engagement.
Audit in an Age of Disruption
COVID-19 has put operational resilience front-and-center for financial institutions and internal auditors, said speakers during a general session Monday afternoon at the 2020 Financial Services Exchange. For 42% of the audience, the pandemic has shaped their view of internal audit in business continuity, according to a poll during The Internal Auditor's Role in the New Normal session, moderated by Julie Scammahorn, senior executive vice president and chief auditor at Wells Fargo & Co.
The pandemic is the latest in an increasing number of "extreme but plausible events" companies now face, said Doug Wilbert, managing director, Risk and Compliance, at Protiviti. Organizations need a resilience framework comprising governance, business services, foundational elements (business, cyber, third-party, and technology resilience), and assurance, he said.
Wilbert said the internal audit plan should ensure operational resilience has sponsorship from the top and governance across the organization. From there, internal audit needs to ensure that the organization has defined which business services are important, map the components of those services end to end, and review whether the organization tests resilience regularly.
Internal audit also can help organizations become more resilient to extreme events, said Theresa Grafenstine, Citigroup's global audit leader for Cyber, Resiliency, and Third Parties.
To prepare for future crises, internal audit must enhance its audit universe by mapping resilience risks, processes, and systems, and identifying coverage gaps, she advised. It also must update risk assessments and ensure that audit reports provide a holistic view of resilience across the organization.
In business continuity planning, internal audit needs to define what the organization is up against, rationalize how it will cover a crisis in the audit plan, and document that information, said Seth Morgan, deputy chief auditor, U.S. Audit, at Scotiabank. Additionally, internal audit must play four roles: initially responding by listening, helping the organization where it's needed, assessing risk during recovery, and documenting lessons learned during the restoration phase, said Kevin Bertscha, managing director of internal audit at Pershing.
Each crisis presents new risks — and new lessons — for internal auditors and their organizations. "Everything we're learning now is going to be the starting point for what happens next," Morgan said.
Sept. 14, 2020
COVERAGE OF THE IIA'S 2020 FINANCIAL SERVICES EXCHANGE
Keynote Speaker Todd Buchholz Remains Bullish on Economy
During the opening keynote of the 2020 Financial Services Exchange, former White House Director of Economic Policy Todd Buchholz presented his analysis of the U.S. economic recovery amid the COVID-19 pandemic. The prognosticator and CNBC regular offered an optimistic outlook for the year ahead in his presentation, How to Compete in a Global Economy.
Despite being in "the most complicated economic and possibly political time since the second world war," Buchholz said the U.S. has some factors in its favor for a relatively swift recovery. He pointed out that the U.S. derives only 12% of its gross domestic product (GDP) from exports — a much smaller percentage than many other developed countries. Additionally, the Federal Reserve and Congress both moved aggressively to buy bonds and provide relief to consumers and businesses. Moreover, Buchholz noted that while some sectors are struggling, industries such as wholesale and retail trade, construction, and manufacturing are doing well, and the unemployment rate has receded considerably from its high of roughly 20%.
Buchholz said the nature of the economic crisis that resulted from the pandemic also is different than previous recessions. "I call what we're going through the great cessation," he said. Rather than being caused by a true economic dislocation, the downturn instead was caused by government lockdown orders and shop doors closing, he explained.
On the downside, the U.S. is heavily indebted, Buchholz said, with its debt-to-GDP ratio being "the greatest since World War II." Buchholz said the U.S. recovered from its post-war debt through fast growth, the issuance of long-term bonds, and locking in low interest rates.
Buchholz said he sees a V-shaped recovery in the wake of the pandemic. But he said that growth hinges on, among other things, interest rates staying low to keep the stock market thriving, inflation remaining low, consumers remaining solvent, the U.S. staying out of trade wars, and, ultimately positive vaccine news.
Panel Addresses Corporate Culture's Impact
A 2019 study by Grant Thornton and Oxford Economics found that publicly listed companies with extremely healthy cultures were nearly 2.5 times more likely to report significant increases in their stock prices. In addition, the average S&P 500 company with a healthy culture would save $156 million in turnover costs.
The importance of understanding corporate culture and the influence — positive or negative — that culture can have on an organization was the topic of the panel session, Culture: Is It Your Enemy or Your Friend?, today at the Financial Services Exchange virtual event. Culture includes such elements as the attitudes, behaviors, and shared values of a company, said panelist Melissa Dimitri, managing director, Practice Lead Culture and Behavior Strategy at Grant Thornton LLP.
Because of its importance, culture should be designed intentionally, Dimitri advised. Culture and employee engagement are two different things, she added. Culture drives engagement: A positive culture will encourage employee involvement, while a negative culture will discourage employees and cause problems.
Grant Thornton splits culture into five types — customer, employee, continuous improvement, risk and quality, and innovative. A company's first step in building a healthy culture is to understand its own blend of these five. However, problems can occur with misalignment. For example, this can happen when a company's leaders say the organization is innovative, but employees say they are penalized for taking risks.
Culture impacts business performance. It can be an accelerator, promoting values-driven behaviors, communication and collaboration, diverse perspectives, and employee engagement, said Katherine Delesalle, manager, Strategy and Transactions at Grant Thornton. Or, it can be an inhibitor, promoting self-interested or politically motivated behaviors, siloed teams and power struggles, uniform thinking, and high employee turnover.
No corporate control can fully protect against risk, Dimitri said. But a healthy corporate culture aligned with the company's strategy and values can help fill in the gaps and reduce the risk of bad behaviors. It can lay the foundation for employees to make good choices and manage risk effectively, she said.
Assessing culture can be challenging, said panelist Pamela McWilliams Hause, senior consultant, internal audit for Nationwide Insurance. Both stakeholder and executive buy-in are key, and the right people need to be involved from the start, she noted.
Hause described how Nationwide's internal audit function assessed culture at the company, beginning with consulting guidance from The IIA and The Committee of Sponsoring Organizations of the Treadway Commission. Nationwide also found that its most senior auditors needed to be involved, and that auditors needed to carefully consider how they communicated their findings.
Public scrutiny of CEO pay is heightened during times of economic distress, especially when all stakeholders have to bear the cost and companies layoff, furlough, or reduce the pay of employees. To look at related board decisions, a Stanford Graduate School of Business study (PDF) examined the compensation disclosures of companies in the Russell 3000 for the period between Jan. 1 and June 30. Only 17% of the companies adjusted CEO salary, bonus, long-term incentive programs, or director fees during that period. Retail, manufacturing, and transportation companies were among the most likely to make such adjustments. Approximately 60% of pay and incentive changes resulted in a clear-cut reduction in value for the CEO. The other 40% were changes that gave the CEO the opportunity to earn value he or she might otherwise have lost. Internal audit can assist the board in assessing its compensation strategy during the pandemic.
As many countries explore a transition from fossil fuels to renewable energy alternatives such as wind, solar, and nuclear power, many analysts are seeing an evolution of the risks typically associated with energy. Fossil fuels, according to an article in Forbes, were prone to geopolitical risks that affected energy supply such as coal miner strikes, oil embargos, and general political instability. Renewable energy negates many of these risks by being produced locally or at least within a nation's borders. However, renewable energy also has unique vulnerabilities such as changes in weather patterns or sudden natural disasters. For example, a drought can cut river flows needed to cool nuclear reactors. Renewable energy also comes with a risk of over-reliance on any one source of equipment. As energy industries around the world continue to shift their focus to renewable resources, it is important to realize that their risk scope must also shift.
Although it is not a new concept, European countries such as Greece, Ireland, and Spain are embracing "right to disconnect" policies that are designed to preserve the work-life balance of those who have been working from home during the pandemic, The Washington Post reports. Spain, for example, saw "right to a flexible schedule" legislation circulate, which would require businesses to set clear hours when workers are expected to be at their jobs. In addition to these guidelines, Greece would also ban the use of cameras that some employers have adopted to make sure their employees were actually putting in their hours and require employers to respect the private lives of remote workers. This widespread response in Europe contrasts with the U.S., which has not seen much of a policy response addressing this issue. For businesses operating in European countries, this should be a trend worth following to ensure necessary compliance.