Protiviti's latest Internal Audit Capabilities and Needs Survey underscores the importance of the profession embracing a next-generation mindset of innovation and transformation. To build and manage this mindset, internal audit needs to develop its competencies in governance, methodology, and enabling technologies.
The survey — which was conducted before the COVID-19 pandemic — finds that chief audit executives (CAEs) and internal audit teams have a lot of work to do. The 777 audit executives surveyed gave themselves low ratings for their competency in those three areas. In what Protiviti calls a "red flag for CAEs," self-assessments for competency with enabling technology such as artificial intelligence (AI), process mining, robotic process automation, and advanced analytics are some of the lowest in the survey.
Protiviti recommends prioritizing the three competencies, especially enabling technology. Next-generation auditing, processes, and tools — from strategic vision, agile auditing, and dynamic risk assessment, to AI, machine learning, and process mining — should receive greater attention from internal audit.
While many internal audit functions see innovation as a core value, the study says fewer groups are undertaking some form of innovation or transformation compared with Protiviti's previous surveys. At the same time, the functions' capabilities have matured. However, the survey cautions audit groups that are not moving forward "to get moving — or risk falling too far behind."
The study says audit committees want CAEs to explain how their efforts are resulting in more risk coverage, and the more detailed information the committees receive, the more their interest increases. — G. Nordhoff
Seeing Talent as an Asset
New white paper describes a framework for valuing human capital.
COVID-19 presents a watershed moment for valuing human capital, says a white paper published by the World Economic Forum in collaboration with Willis Towers Watson. The paper, Human Capital as an Asset, advises organizations to deploy a framework of principles-based tools and metrics to measure and account for human capital and to govern business performance.
A human capital accounting framework can enable an organization's board and management to track how its investment in people is augmenting its human capital, the paper notes. "As companies look to reset their business models, they need an approach to valuing talent not as an expense but as an asset," says co-author Ravin Jesuthasan, managing director at Willis Towers Watson, "so that boards and management can be held accountable for their investment in people and for delivering better outcomes."
The paper offers examples of human capital metrics, including models for understanding the employee experience, the total cost of work, and the return on work. It provides guidance tailored specifically to chief human resources officers, boards, and policymakers. — L. Nelson
Cyber Skills Gap Widens
Education is needed to build competencies as threats rise.
The global cybersecurity skills gap worsened for the fourth year in a row, even as threats become more advanced. The gap now has affected 70% of organizations, according to The Life and Times of Cybersecurity Professionals 2020, conducted by the Information Systems Security Association (ISSA) and independent analyst firm Enterprise Strategy Group (ESG).
The survey (PDF) of 327 cybersecurity professionals reveals that there has not been significant progress made in narrowing the gap since such studies have been conducted. This gap leads to repercussions such as increased workloads, unfilled job openings, and an inability for organizations to use cybersecurity technologies to their full potential.
ISSA and ESG say the only path forward is a holistic approach to cybersecurity education, with organizations making investments in developing and implementing globally accepted career development plans for cybersecurity staff. According to the data, 68% of respondents don't have a well-defined career path, despite the fact that 39% say it can take up to five years of hands-on experience to develop cybersecurity proficiency.
The study also indicates that businesses are not providing adequate training for their cybersecurity staffs. Thirty-six percent of respondents say their organizations should provide a bit more cybersecurity training, and 29% say it should provide significantly more training. Additionally, 64% say their organization should be doing more to address cybersecurity challenges.
"Key constituents are not looking at the profession strategically," says Jon Oltsik, senior principal analyst and fellow at ESG. "These disturbing trends should be of concern to corporate directors and business executives, particularly in light of the alarming findings this year that 67% of respondents believe that cyber-adversaries have a big advantage over cyber-defenders." — L. Wamsley
ERM in Uncertain Times
COSO Board member Patty Miller says the framework's principles can guide internal audit in addressing today's unexpected risks.
How can internal audit apply The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Enterprise Risk Management–Integrating With Strategy and Performance in times of extreme uncertainty?
The COSO ERM framework is principles-based and applies in good times and bad. The framework's five components contain 20 principles, which should be present and functioning to achieve success. A careful consideration of these principles can lead to insights on effective risk management activities that can minimize the ongoing impact of the uncertainty and enable better preparation for the next event.
For example, a Governance principle such as exercising board oversight can help determine if the role of the board is sufficient during great uncertainty. And Performance principles such as identifying, assessing, and prioritizing risks can help in assessing the effectiveness of contingency plans to support a quick response to — or even anticipation of — changes. The Information, Communication, and Reporting principles on communicating and reporting on risk, culture, and performance information can aid in determining how effectively key stakeholders have been kept informed, including employees, strategic partners, shareholders, regulators, customers, and suppliers.
How is the COVID-19 pandemic changing the way organizations assess and manage risk?
Seemingly overnight, major businesses are bankrupt, strapped for capital, scaling back and downsizing, or even changing their business model. The pandemic has reinforced that the pace of change is ever increasing, unpredictable, and that no organization can be complacent in its strategy, market position, or relative competitive advantage. Each organization must reconsider its strategy and related risk appetite, and specifically assess how prepared it is for such widespread risks, including "black swan" events. Do they have processes to scan the external environment for emerging risks? Have they assessed the organization's ability to withstand disruptions? Are they using scenario planning and "what-if" analyses? Do they have effective monitoring processes to alert them to fast-moving changes? Internal audit has an opportunity to assist management in such assessments.
22% of employees globally feel pressure to compromise their organization's ethics standards or policies — or the law.
30% of top management feel pressure to "bend the rules" versus 17% of non-managers.
"By identifying employees who may be at a higher risk for feeling pressured to bend the rules, organizations can be proactive in addressing any possible issues before there is a problem," the Global Business Ethics Survey notes.
Source: Ethics and Compliance Initiative, Global Business Ethics Survey — Pressure in the Workplace: Possible Risk Factors and Those at Risk
A big part of the COSO ERM framework is considering risk during strategic planning. How can the framework help the many organizations that have been forced to rapidly change strategies in response to changing business conditions?
Whether it's a first-time strategy exercise, or a re-look given unanticipated change, the guidance in the COSO ERM framework is useful. The framework guides organizations to consider downside and upside impacts. In evaluating how the strategy should change, an assessment of the impact on objectives, operations (such as increased use of technology and remote employees), competitors, customers, and regulatory requirements is needed. Can new flags be designed to better alert management to emerging risks? Leveraging the framework in a strategic reassessment helps ensure new strategies are aligned with the mission, vision, and core values; the implications of the chosen strategies are understood; and that long-term capabilities exist to execute the strategies.
The Line Between Negative Tests and Recovery
Employees returning to the office may not be fully recovered from a COVID-19 bout.
In the midst of the COVID-19 pandemic, there has been a blurring of what recovery from the virus actually means. Although a patient can be designated as "recovered" following a negative test for the virus, common symptoms such as chest heaviness, breathlessness, muscle pains, and fatigue can last weeks or even months, according to an
Nature Research. These symptoms could prevent individuals from resuming work at their expected productivity.
"Some people, especially the young and healthy, might not see a need to follow preventive measures, because they expect only a few days of flu-like symptoms at the worst," says Nisreen Alwan, associate professor of public health at the University of Southampton.
Alwan recommends regular follow-ups for all patients who have experienced a positive test or highly probable COVID-19 symptoms. Return-to-work policies should account for this recovery time. — L. Wamsley