The idea of cannabis as an industry is relatively new, as the legalization or even basic decriminalization of marijuana is, for the most part, only a recent occurrence worldwide. As a result, few public sector internal auditors — and even fewer private sector ones — have any experience working around this emerging industry.
Melissa Polak, senior director, Enterprise Risk and Assurance, for Aurora Cannabis, is the rare exception. Based in Vancouver, British Columbia, Polak describes her role with the publicly traded cannabis producer as something of a dream job. "As a listed company, your compliance and reporting obligations increase significantly," Polak says. "I always thought it would be a once-in-a-lifetime opportunity to jump in on the cannabis sector as it was getting going, from a risk and internal audit perspective."
In 2019, Canada became only the second country in the world to legalize recreational cannabis, after Uruguay, which made it legal in 2014. Since then, the industry has been evolving rapidly. Several countries and U.S. states have passed laws over the past decade to legalize at least some aspect of cannabis consumption — whether for widespread recreational use, highly regulated medical use, or simply allowing people to grow or possess it in their own home. In the U.S. and elsewhere, all of these changes mean that public sector practitioners who aren't already auditing the cannabis industry may soon encounter it in their work.
Public Sector Oversight
Despite the movement among U.S. states to loosen restrictions, marijuana remains illegal at the national level. In 2018, then-Attorney General Jeff Sessions created more uncertainty for businesses and investors by rescinding the 2013 Cole Memorandum — guidance by the previous Justice Department recommending that federal prosecutors avoid focusing resources on "individuals whose conduct is limited to possession of small amounts of marijuana for personal use on private-property."
Stephen Winn, principal auditor for the Oregon Audits Division, Oregon Secretary of State, says he thinks the inconsistency of laws and regulations in the U.S. makes it more challenging for public sector auditors and regulators. "It's a big lift because each state is kind of developing its own laws itself," he says. "There's no federal system in place that lays the groundwork, so to speak, which the state laws can then be built off of. Hopefully, those states that are thinking about it at least look at some of the states that have gone before them."
For auditors, there is potentially a lot of ground to cover, including data integrity, physical inspections, financial transactions, product testing, and licensing. Based on his experience, Winn thinks data management and analysis pose the biggest risk to marijuana regulation. Winn's division, which is independent of the state's executive and legislative branches, conducted a 2018 audit of Oregon's marijuana and alcohol regulator, the Oregon Liquor Control Commission (OLCC). The Oregon Audits Division focused first on the IT systems and controls within the OLCC's new Cannabis Tracking System.
"It was a brand new program still trying to work out what the IT controls would look like, so our office conducted an audit just looking at the IT systems and how well those worked," says Winn, who participated in an IIA webinar on the topic of the OLCC audit. Some of the problems the audit team found were specific to a new platform, such as not having all the right IT controls in place to restrict access and an inability to reconcile data between the licensing and tracking systems.
The OLCC also needed to build its data analytics capacity to be able to monitor data and recognize red flags involved in the "seed-to-sale" tracking, Winn adds. "There are so many data points in that system — I think the OLCC is realizing they need a lot of analysts with strong data skills to be able to analyze that data," he says. Another issue was a lack of trained staff to perform on-site inspections and the absence of a methodology for performing inspections.
Some other risks that the Oregon internal auditors are focused on include diversion (the transfer of cannabis products from the legal to the illegal or black market), product purity and testing accuracy, and equity among license holders — ensuring that the market doesn't become dominated by deep-pocketed conglomerates that crowd out smaller, local operations. Winn says the OLCC is doing a good job, considering it only had six months to go live with the program, or as an OLCC analyst put it to him, "building the plane while flying the plane," based on its mandate. "It's a big lift without having any sort of federal regulatory backbone," he says.
Private Sector Prospects
For practitioners in the private sector, the industry's rapid expansion means that there will likely be more opportunities to work in the cannabis industry in the future. "The more cannabis companies are able to start moving toward that public company model, the more you're going to need internal auditors leading functions in-house as well," Polak says. Like audit functions at other publicly traded companies, Polak's team manages the Sarbanes-Oxley Section 404 compliance, enterprise risk, and corporate insurance programs and works on other compliance initiatives. Polak says she jokes with management and the audit committee that the Canadian company provides the "most exciting SOX environment" she's ever been in. "I would say there are very few places or industries where internal audit is on the bleeding edge of development of some of the auditing and accounting standards."
Similar to other startup-type environments, Polak says there is more of an opportunity for internal audit to define its role and for auditors to employ their advisory skills. "A lot of other industries are more standardized or just established, and you end up doing a lot of assurance-type engagements," Polak says. "I think there's a really great opportunity here to do more process reviews, risk assessments, and maturity assessments to really help the organization professionalize and improve their practices."
While Canada enjoys a much more uniform regulatory environment, Polak says Canada's system has also undergone growing pains. "I would say there's definitely been a lot of evolution and a lot of hiccups in some of the initial iterations, and you can see that through the fact that they've actually issued a number of significant amendments now on an act that is barely three years old," Polak says.
Sonia Luna, CEO of Aviva Spectrum in Los Angeles, says that unlike Canada, the cannabis industry in the U.S. is still in its infancy — but there are some opportunities for internal auditors to find a niche, or gain a foothold. Luna's company is a cannabis compliance accounting and internal audit firm, based on a service-for-hire model. Luna says she was drawn to the industry after realizing that there was a huge need for accounting and audit advice among cannabis operators, especially as they navigate unique cannabis tax rules and local regulations.
"For cannabis, we don't define it as internal audit; it's more of a compliance process approach, meaning, 'Here's what the rule says you can do with cannabis and how the workflow should operate," Luna explains. "And then the other part of compliance is the tax compliance because each jurisdiction has its own methodology of how things need to be calculated, including when payment is due. There are different rules at the local jurisdiction, state, and federal level."
In the U.S., as of May, there have been two bills introduced in the House of Representatives that would legalize marijuana at the federal level. One bill passed the House in December 2020 but has stalled in the Senate. The second bill was introduced to the House in May by two Republican lawmakers. If one of the bills passes, both public and private internal auditors may be having a lot more discussions on cannabis business risk and opportunity.
Even if that happens, Luna doesn't think opportunities for private sector internal auditors will mature until the industry does. However, public sector internal auditors may find themselves quickly ramping up oversight programs. Winn points out that while "everything looks like a big risk to start with," as regulators and auditors get acclimated to the industry, they will be able to start pinpointing which areas may be subject to noncompliance and where to focus their efforts.
Despite some of the obvious hurdles, Winn thinks that public sector internal auditors are up to the challenge. "I think public sector auditors will probably be pretty good at picking up on controls because we're just so used to looking at different programs and looking at control weaknesses and figuring out where those are," he says. "I think a lot of the auditors will pick that up pretty well at the state level."