Update: Recovery Through Digitization

Research points to technology as a key driver for crisis navigation.


A new report from McKinsey & Co. advises businesses to focus on digitization as a means of navigating the coronavirus pandemic. Flexibility and speed will be key as organizational leaders consider how to move ahead, the consulting firm says in The Digital-led Recovery From COVID-19: Five Questions for CEOs, which draws on observed best practices.

With COVID-19 putting outdated business models to the test, the shift to digital will likely accelerate. Organizations need to take bold action, the report advises, tempered with "a full appreciation of risk from the impact of cyberattacks to the loss of crucial talent." Incremental technological change and half measures are recipes for failure, the report's authors say.

Making the right technology investments will be crucial moving forward, requiring organizational leaders to work closely with their technology officers to update legacy systems and establish new digital capabilities, McKinsey notes. Technology is a key driver of value — and that includes the use of advanced analytics.

"Never before has the need for accurate and timely data been greater," the report says. At the same time, CEOs will need to work with their risk leaders to make sure the scramble to harness data follows strict privacy rules and cybersecurity best practice.

To ensure technology initiatives materialize, CEOs also may need to have a long talk with their chief financial officers. PwC's COVID-19 CFO Pulse Survey shows that more than two-thirds of surveyed finance chiefs say they plan to defer or cancel planned investments in response to the crisis — and of those, more than half say they are eyeing IT initiatives for the chopping block. Another 25% say they are deferring or canceling digital transformation investments. 

D. Salierno

Greater Risk Brings New Scrutiny

Stakeholders may find risk management processes lacking, report finds.

Cybercrime's Bottom Line

A survey of U.S. IT security professionals shows the average total cost of a cyberattack across several categories.

$1.5 million  Nation-state

$1.2 million  Zero-day

$832,500  Phishing

$691,500  Spyware

$440,750  Ransomware

Source: Ponemon Institute and Deep Instinct, The Economic Value of Prevention in the Cybersecurity Lifecycle

Today's riskier business environment is pressuring organizations to disclose more about risk management, according to the 2020 State of Risk Oversight. Nearly 60% of the 563 U.S.-based chief financial officers surveyed say risks are growing extensively in volume and complexity, particularly in areas such as talent, innovation, the economy, and brand.

With greater risk has come heightened attention, notes the report from the American Institute of Certified Public Accountants and North Carolina State University's ERM Initiative. Two-thirds say boards are calling for more management oversight of risk, while 58% say outside parties such as investors are demanding extensive detail about how organizations manage risk.

Yet, only one-fourth of respondents say their organization's risk management is mature, a decline from previous surveys. Moreover, less than 20% say their risk management process provides strategic value. "If functioning effectively, a robust enterprise risk management process should be an important strategic tool for management," the report says. 

T. McCollum

Weighing the Cost of Fraud

Fraud defenses work but could face the budget-cutting ax.

Organizations already pay a steep price for fraud, but they may be targeted even more if budget-cutting weakens defenses such as internal audit. Occupational fraud costs organizations about 5% of annual revenues, according to the Association of Certified Fraud Examiners' (ACFE's) 2020 Report to the Nations.

The report analyzed more than 2,500 fraud cases from 125 countries, with losses totaling more than $3.6 billion. Most of these frauds come from four areas: operations (15%), accounting (14%), executive management (12%), and sales (11%).

In a post previewing the latest report, ACFE President and CEO Bruce Dorris warns organizations not to cut internal audit and compliance amid the economic fallout from the coronavirus. "Cutbacks to departments or initiatives that are integral to a comprehensive anti-fraud program only serve to leave organizations more vulnerable to the growing likelihood of fraud," he says.

Weakened defenses combined with individuals facing financial pressures could create a "perfect storm" for fraud, Dorris cautions.

Effective controls, reporting, and training also help fraud fighting considerably, the report notes. One-third of frauds can be attributed to a lack of internal controls, so over the past decade, the use of controls such as hotlines, anti-fraud policies, and fraud training has increased by at least 9%. Organizations discover 43% of frauds through tips — half of them from employees — but employees are far more likely to report fraud when they receive fraud-awareness training.

One new trend the report finds is that individuals accused of fraud are less likely to face criminal charges, with organizations increasingly preferring to handle cases through internal discipline or civil litigation. Four out of five fraud perpetrators were disciplined internally, and 46% of victim organizations say they declined to refer cases to law enforcement because internal punishment was sufficient. 

T. McCollum

Sourcing in a Crisis

New vendor relationships can create new risks, says Erich Heneke, director of business integrity and continuity at the Mayo Clinic.

  • 75% of U.S. adults say that companies have a responsibility to support coronavirus relief.
  • 71% say they will stop purchasing products from companies they perceive to be irresponsible during the crisis.


"Americans are watching which companies are stepping up at this time," says Kate Cusick, chief marketing officer at public relations advisory firm Porter Novelli/Cone. "The decisions businesses make today will define them well after this pandemic has passed."

Source: Porter Novelli/Cone, COVID-19 Tracker: Insights for a Time of Crisis

COVID-19 has businesses looking at the viability of their vendors. How can businesses shift quickly to new vendors?

The pandemic has not only exposed traditional vendor risks with respect to supply chain disruption, but it has unlocked a new set of brokered vendors that enter new risk into the market. In health care, products have become unavailable due to supply and demand issues through traditional channels, and, thus, we are seeking products in alternative markets. When sourcing alternate channels, we have seen an influx of counterfeit products as well as brokers requiring a pre-payment and then vanishing with the hospital's money, which suggests that new tools will be necessary to quickly vet new vendor relationships.

Internal audit should let business areas do what they do best, while providing higher and wider level views into enterprise risks. Auditors also should be available as consultants to help mitigate risks as they emerge in vendor markets, whether that's by helping to design a third-party risk management program or aiding in strategic sourcing needs. Auditors can offer an independent set of eyes on a process that is largely unfamiliar to a health-care supply chain.

Brown Factors May Affect Credit

Harmful activities may become targets of disincentives.

Organizations are familiar with "green" activities, but the environmentally harmful "brown" activities may have greater credit implications, according to Fitch Ratings' inaugural ESG Credit Quarterly report.

As defined by the European Commission's (EC's) final report on the European Union taxonomy for sustainable activities, green activities contribute substantially to environmental objectives. Since the report's publication in March, there have been calls for the commission to develop a taxonomy listing environmentally harmful (brown) activities.

The technical expert group assisting the EC with the sustainability taxonomy states that activities not defined as green should not automatically be considered brown. The Fitch report points out that consensus on a brown taxonomy will be difficult. However, it could impact credit by defining targets for disincentive policies such as higher prudential capital requirements.

A brown taxonomy "could inform how asset managers and banks screen for other fossil fuels or environmentally harmful activities in the future," Fitch notes. Additionally, it could lead to greater standardization in how investors and banks screen sectors deemed harmful.

S. Steffee


About the Author

Written by Internal Auditor magazine staff.

