The IIA's latest North American Pulse of Internal Audit report reveals the profession is doing better than many audit leaders initially feared under the shadow of the COVID-19 pandemic. The survey of 588 internal audit leaders finds that although the pandemic's impact on organizations has been severe, its impact on internal audit has been largely stable.
For example, 80% of health-care industry respondents rate the pandemic's impact as extensive for the organization, but only 37% say it had an extensive impact on internal audit. Less than 20% of audit leaders in financial and insurance organizations rate COVID-19's impact as minimal for the overall organization, but 41% rate it as minimal for internal audit.
This is not to say that internal audit functions were unaffected, however. Travel budgets were drastically reduced across industries. Yet despite such cuts, many variables that are most important to assessing internal audit's health remain relatively stable.
For example, only 17% of respondents report internal audit staffing budgets were cut, and only 26% say their external sourcing budgets have decreased. For professional development, 69% of respondents say their budgets stayed about the same or increased.
Overall, 44% say their budgets have stayed about the same. Internal audit staffing was more stable, with 64% reporting their staffing levels remain unchanged.
Although internal audit functions still face challenges as a result of the pandemic, such signs are encouraging as the economy recovers. "While the pandemic continues to extract a heavy cost and organizations manage through crisis, many internal audit functions have been able to adapt, innovate, and rise to the challenge," says Jim Pelletier, vice president, Professional Standards and Knowledge, at The IIA. — L. Wamsley
ESG Is Top Success Driver
Investors link environmental and social impact to value.
Nearly half of institutional investors rate the integration of material environmental, social, and governance (ESG) opportunities into strategy as the biggest driver of success, according to the EY Center for Board Matters' 2021 Proxy Season Preview. Of the more than 60 institutional investors surveyed, 42% cite the diversity of the board, management, and workforce as a top driver.
The report offers six ways to help companies enhance their ESG reporting, starting with focusing on topics that intersect with the business and its strategy. It advises that "investors want boards to help companies adapt their strategies for a future in which prioritizing stakeholders and considering environmental and social impacts will be critical to building resilience and creating long-term value."
Without mandated ESG reporting globally, ratings systems have proliferated but are poorly correlated, according to Aggregate Confusion: The Divergence of ESG Ratings, a working paper from the MIT Sloan School of Management. One attempt to establish a global set of uniform standards is Stakeholder Capitalism Metrics, released in September 2020 by the World Economic Forum International Business Council. — L. Nelson
Contrasting Views of Today's Risks
Global studies warn of digital- and pandemic-related threats.
Risk is in the eye of the beholder, and such is the case in looking at two global risk reports for 2021 and beyond. There are crossover areas of risk in the Global Risks Report 2021 from the World Economic Forum (WEF) and Executive Perspectives on Top Risks for 2021 and 2030 from North Carolina State University and Protiviti. Predictably, the pandemic rose to the top of both studies.
The WEF report focuses on societal impacts of risk based on insights from about 650 respondents representing international coalitions, business leaders, academia, and government and nongovernmental organizations. The N.C. State/Protiviti report represents the views of 1,081 C-suite executives and board members. Each respondent group sees the pandemic from a different perspective.
Business leaders view the crisis through the lens of pandemic-related policies and regulations as well as how economic conditions may constrain growth and reduce customer demand. The WEF study, meanwhile, identifies livelihood crises and youth disillusionment as knock-on effects of the pandemic.
Digital disruption also features prominently in both surveys, with business leaders concerned about retraining employees and competing with "born-digital" companies. In contrast, the WEF report examines this risk through the lens of digital inequality, digital power concentration, and adverse technology advances. Cyber risk is echoed in both studies.
The biggest disconnect involves climate change. The environment is not as high on the radar of business leaders, with some exceptions. "Climate is in there, but it's not a short-term issue for 2021," said Mark Beasley, director of the Enterprise Risk Management Initiative at N.C. State University in Raleigh, during a recent Protiviti webinar.
Conversely, climate action failure, human-caused damage, extreme weather, and biodiversity loss rank high in the WEF's risk survey. — C. Janesko
Cyber Governance After SolarWinds
Following the massive 2020 cyberattack, boards will be accountable for catastrophic systemic risks, says Digital Directors Network CEO Bob Zukis.
Is the magnitude of the SolarWinds attack putting pressure on boards to be accountable for cybersecurity governance?
While I don't think we'll see a Sarbanes-Oxley-like regulatory response, it will result in some targeted legislation — specifically the U.S. Cybersecurity Disclosure Act. This legislation will require the board to disclose if it has any directors with cybersecurity skills. Now cybersecurity is an investor and consumer public interest issue, the stakes are high financially, and it's clearly in the public interest. So regulators have to act because companies are not even taking the basic steps they should be.
In terms of governance, the SolarWinds breach is highlighting the scale and scope of systemic risk — that is, risk within and between the parts of a highly connected digital ecosystem. This also will be a real challenge for the technology industry to identify and mitigate systemic risk issues and concerns for their products. The first class-action lawsuit has already been filed against SolarWinds focusing on claims of misleading disclosures around the impact of its products to its customers. But every company's digital business system is also inherently rife with systemic risk.
Are directors knowledgeable enough about the risks and all the different ways attacks can occur to provide effective oversight and governance?
Most corporate boards are nowhere near where they need to be. The fact that well over 50% of the S&P 500 still tasks their audit committee with cybersecurity risk oversight is one warning sign. However, there is a small group of leaders who get it. They are putting cybersecurity skills onto their boards, organizing their boardroom efforts on these issues in focused technology and cybersecurity committees, and starting to change how they understand risk — moving beyond conventional risk management into systemic risk management.
While accounting and finance directors on audit committees do a great job, the skills and competencies aren't there to effectively oversee the cybersecurity agenda. You can't govern what you don't understand. Directors need to do much more than ask questions; they are there to question and understand answers.
The full board should also be trained and develop a base competency in digital and cybersecurity risk oversight. As more and more business value drives through digital means and channels, boardrooms need that cybersecurity breadth and depth to protect the digital value that they are creating.
How can internal audit functions help boards be more prepared and informed to address cybersecurity risks?
This is the lesson from SolarWinds and the digital business system: Companies will continue to neglect systemic risk at their peril. Systemic failure is often much faster and cataclysmic than traditional risk failures. That's what's unique about cybersecurity risk — there is a constant battle to take or impair value going on. Improve your odds of winning that battle, and it drives a better business outcome. Cybersecurity risk is also increasingly looking to exploit the inherent systemic weaknesses in complex digital business systems, so the two need to work together.
This is where internal audit has a critical role to play in understanding, managing, and mitigating systemic risks throughout a business. Cybersecurity risk is the active threat to the digital business system. The internal audit function has an entirely new world of risk to begin to understand, and it's all about systemic risk. Delaware Supreme Court Chief Justice Collins Seitz recently said, "Boards must be able to demonstrate credibly that they are thinking about systemic risk." If the courts are making this kind of a statement, they are clearly anticipating holding the board to a higher standard of accountability to this issue.
Fixing America’s Broken Infrastructure
Investment is needed to raise competitiveness, report says.
Revitalizing U.S. infrastructure is a recurring theme in the political platforms of the country's two main political parties. Yet, "nearly every facet of the country's infrastructure is below global standards and deteriorating daily," says a report from the Committee for Economic Development of The Conference Board.
COVID-19 has only "increased the urgency of raising America's global competitiveness," according to A U.S. Infrastructure Plan: Building for the Long Haul. The report from the New York-based business think tank notes that federal nondefense physical investment has generally declined since the 1960s.
Closing the U.S. infrastructure gap will require principled cost-benefit analyses, sound use of public–private partnerships, and alternative approaches for using private investment resources, the report advises. Efficient choices will account for climate change risk and incorporate user fees into sustainable funding, according to the report. — L. Nelson