How can internal audit functions support business continuity during pandemics?
Once a pandemic like the coronavirus (COVID-19) has occurred, there is little an auditor can be directly involved in, as major audit activities should be reduced to limit the possibility of transmitting infection between auditor and client. Additionally, the client’s focus may be on the response and recovery of its critical business functions.
While the outbreak is occurring, the audit team can focus on possible breakdowns in process controls as business functions operate from a remote or alternate location, or even from home. The key is to strengthen the controls to minimize the potential for errors resulting from manual interventions and the possibility of fraud. It is important to note that any observed noncompliance with existing protocols should be assessed on its materiality, so that the organization can respond and recover in the shortest possible time.
Business continuity plan reviews are typically predetermined by a business continuity management policy. The frequency of review and updating is usually annual. During a pandemic, like any other disruption, these reviews may need to be conducted more frequently when an audit client’s environment has frequent staff turnover, or if outsourcing or transferring business functions to a third party results in an interdependency risk.
Audit Plans Ignore Key Risks
Cybersecurity and third parties are among omissions, Pulse says.
Internal audit departments are leaving key risks out of their audit plans, The IIA’s 2020 North American Pulse of Internal Audit reports. The survey of 630 chief audit executives, directors, and managers reveals a glaring disconnect between high risks and audit priorities.
Take cybersecurity, rated a high risk by more than three-fourths of respondents. Cybersecurity is the Pulse’s top risk, yet almost one-third say it’s not included in the internal audit plan. Another disconnect is third-party relationships — more than half of respondents rate it a high risk, but less than half include it in the audit plan.
Then there is sustainability risk, which only 10% include in their audit plan. Although only 6% of respondents rate sustainability a high risk, there is growing investor interest in it (see “The Responsible Organization”). That also was the case for another rising investor priority — governance and culture — which less than half of respondents include in their audit plan.
Such shortfalls in risk coverage were noted in The IIA’s OnRisk 2020 and American Corporate Governance Index studies, says IIA President and CEO Richard Chambers. “The Pulse shows just how serious the problem is, and its impact on sustainability, operational efficiency, and culture,” he says.
In addition to missing top risks, one in five are performing below the midpoint (level 3) of the Internal Audit Ambition Model, a maturity scale developed by IIA–Netherlands and LKO/NBA. Those functions aren’t conforming with the International Standards for the Professional Practice of Internal Auditing.
The good news is more than half of respondents say their department is performing at the top two levels of the five-level model. Twelve percent rate themselves at the top level (Optimizing), while 40% are at Level 4 (Managed). Such functions support strategic risk management, long-term planning, and continuous improvement.
— T. McCollum
The State of AI
U.S. technology company decision-makers have high hopes and some concerns for artificial intelligence.
- 88% — Companies should implement an ethics policy to govern their AI work.
- 69% — Governments should regulate AI.
- 62% — AI adoption is moving at an appropriate speed across the technology industry.
- 61% — Existing employees are prepared for AI adoption.
- 37% — AI could replace their positions.
Source: KPMG, Living in an AI World 2020 Report: Technology Insiders
Boards Fall Short on Diversity Efforts
A U.K. report shows failure to prioritize board ethnicity.
Fewer than half of Financial Times Stock Exchange (FTSE) 250 companies mention ethnicity in their board diversity policy, according to research from the U.K.’s Financial Reporting Council (FRC) and Cranfield University’s School of Management. The report, Ethnic Diversity Enriching Business Leadership, also shows that most of the broader FTSE 350 lacks measurable ethnicity targets.
Only 14% of FTSE 100 companies — the U.K.’s largest publicly listed firms — set measurable objectives for board ethnic diversity; the proportion drops to 2% for the FTSE 250. Even where objectives are established, FTSE 350 companies have not made progress against them. The research also finds that while just over 10% of FTSE 100 firms plan to increase ethnic diversity in succession planning, most of these firms emphasize progression companywide, rather than at the top.
In light of the FRC’s report, the 2020 Parker Review, an independent report on the ethnic diversity of U.K. boards, recommends companies report on diversity of culture, geography, and nationality alongside ethnicity.
— D. Salierno
Insider Threats Put Data at Risk
Human error is behind most data breaches, research says.
Three-fourths of IT professionals say employees at their organizations have intentionally put data at risk in the last 12 months, according to research conducted by Opinion Matters for Egress, a data security solutions company.
Additionally, 78% say employees have accidentally done so. These insider threats pose a significant security risk to organizations, Egress reports.
The Insider Data Breach Survey 2020 polled more than 500 IT leaders and 5,000 employees at companies with more than 100 employees in Belgium, Luxembourg, the Netherlands, the U.K., and the U.S. It found that 41% of employees who have accidentally leaked information did so because of phishing emails. Nearly one-third caused a breach by sending an email to the wrong person, and almost half have received an email recalling information sent in error.
Egress CEO Tony Pepper explains that organizations and their security teams weigh the advantages of efficient communications against data security considerations. “Frequently they compromise on the latter,” he says.
Employee misconceptions about data ownership negatively impact information security, the survey shows. Two out of five employees don’t recognize that the organization owns its data exclusively, and only 37% say everyone is equally responsible for keeping it safe. “Employees want to own the data they create and work on, but don’t want the responsibility for keeping it safe,” Pepper says. “This is a toxic combination for data protection efforts.”
The more senior the employee, the less likely he or she is to accept accountability for data protection — just 8% of directors say everyone shares responsibility, compared to more than half of clerical staff. Directors also are most likely to take data with them to a new job. Of those who intentionally broke company policy, 68% did so when they changed jobs, compared to the overall average of 46%.
— S. Steffee
The impacts from climate change and loss of nature could cost the global economy $9.87 trillion between now and 2050.
The economy could lose $327 billion from damage to natural protections from flooding, storm surges, and erosion, while loss of carbon storage could cost $128 billion by 2050.
“Not only will losing nature have a huge impact on human life and livelihoods, it will be catastrophic for our future prosperity,” says Marco Lambertini, director general of WWF International.
Source: WWF, Global Trade Analysis Project, and the Natural Capital Project, Global Futures
No. 1 Cybercrime: Email Fraud
Hackers target company employees in record numbers.
Business email compromise accounted for more than half of total reported U.S. cybercrime last year, according to the Federal Bureau of Investigation’s (FBI’s) 2019 Internet Crime Report. These scams, which typically involve a criminal mimicking a legitimate email address, resulted in more than $1.7 billion in losses in 2019. They were responsible for nearly 24,000 complaints made to the FBI’s Internet Crime Complaint Center (IC3) last year.
Many compromised emails are CEO fraud, where an email sender impersonates an executive within the company. The email requests payment that appears legitimate but actually directs funds to a criminal.
IC3 also reports an increase in complaints that involved diversion of payroll, where hackers mimic an employee requesting an update to his or her direct deposit information. The change then routes that employee’s paycheck to a scammer’s account.
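Added example (not from the FBI report or this magazine): a small Python check that flags inbound mail showing the patterns just described, namely an executive's display name on a non-directory address, a lookalike of the corporate domain, and an external sender asking for a payroll change. The corporate domain, executive directory and message headers are constructed for the demonstration.

```python
"""Flag inbound mail that resembles the BEC patterns described above.

Added illustration only; the domain, directory and messages are constructed.
"""
from difflib import SequenceMatcher
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.com"                     # assumed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}    # assumed executive directory
PAYROLL_TERMS = ("direct deposit", "payroll", "bank details", "wire transfer")
# Character substitutions commonly seen in lookalike domains.
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(domain: str) -> str:
    """Collapse visually similar sequences so lookalikes compare equal."""
    d = domain.lower()
    for src, dst in SUBSTITUTIONS:
        d = d.replace(src, dst)
    return d


def is_lookalike(domain: str, reference: str = CORPORATE_DOMAIN) -> bool:
    """True if the domain is not the reference but closely resembles it."""
    if domain == reference:
        return False
    if normalize(domain) == normalize(reference):
        return True
    # Catch near-misses such as a dropped or swapped character.
    return SequenceMatcher(None, domain, reference).ratio() >= 0.9


def assess_sender(from_header: str, subject: str = "") -> list:
    """Return the BEC-style findings for one message's From header and subject."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    findings = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append("executive display name with non-directory address")
    if is_lookalike(domain):
        findings.append("lookalike of corporate domain")
    if domain != CORPORATE_DOMAIN and any(t in subject.lower() for t in PAYROLL_TERMS):
        findings.append("external sender requesting payroll change")
    return findings
```

In practice the executive directory and domain would come from the identity system, and the findings would feed a mail gateway rule or a review queue rather than a hard block.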
Last year saw the largest number of cybercrime complaints since 2000.
— D. Salierno