Governance

 

 

Update: Recovery Through Digitizationhttps://iaonline.theiia.org/2020/Pages/Update-Recovery-Through-Digitization.aspxUpdate: Recovery Through Digitization<p>​A new report from McKinsey & Co. advises businesses to focus on digitization as a means of navigating the coronavirus pandemic. Flexibility and speed will be key as organizational leaders consider how to move ahead, the consulting firm says in The Digital-led Recovery From COVID-19: Five Questions for CEOs, which draws on observed best practices.</p><p>With COVID-19 putting outdated business models to the test, the shift to digital will likely accelerate. Organizations need to take bold action, the report advises, tempered with "a full appreciation of risk from the impact of cyberattacks to the loss of crucial talent." Incremental technological change and half measures are recipes for failure, the report's authors say.</p><p>Making the right technology investments will be crucial moving forward, requiring organizational leaders to work closely with their technology officers to update legacy systems and establish new digital capabilities, McKinsey notes. Technology is a key driver of value — and that includes the use of advanced analytics. </p><p>"Never before has the need for accurate and timely data been greater," the report says. At the same time, CEOs will need to work with their risk leaders to make sure the scramble to harness data follows strict privacy rules and cybersecurity best practice.</p><p>To ensure technology initiatives materialize, CEOs also may need to have a long talk with their chief financial officers. PwC's COVID-19 CFO Pulse Survey shows that more than two-thirds of surveyed finance chiefs say they plan to defer or cancel planned investments in response to the crisis — and of those, more than half say they are eyeing IT initiatives for the chopping block. Another 25% say they are deferring or canceling digital transformation investments. </p><p> <strong>—</strong><strong> </strong><strong>D. Salierno</strong></p><h2>Greater Risk Brings New Scrutiny<br></h2><h3>Stakeholders may find risk management processes lacking, report finds.</h3><table cellspacing="0" width="100%" class="ms-rteTable-default" style="background-color:#ffffff;"><tbody><tr><td class="ms-rteTable-default" style="width:306.667px;"><p> <strong>Cybercrime's Bottom Line</strong></p><p>A survey of U.S. IT security professionals shows the average total cost of a cyberattack across several categories.</p><p> <strong>$1.5</strong> <strong>million</strong><strong>  </strong>Nation-state</p><p> <strong>$1.2 </strong><strong>million</strong><strong>  </strong>Zero-day</p><p> <strong>$832,500</strong><strong>  </strong>Phishing</p><p> <strong>$691,500</strong><strong>  </strong>Spyware</p><p> <strong>$440,750</strong><strong>  </strong>Ransomware<br></p><p>Source: Ponemon Institute and Deep Instinct, The Economic Value of Prevention in the Cybersecurity Lifecycle<br></p></td></tr></tbody></table><p>Today's riskier business environment is pressuring organizations to disclose more about risk management, according to the 2020 State of Risk Oversight. Nearly 60% of the 563 U.S.-based chief financial officers surveyed say risks are growing extensively in volume and complexity, particularly in areas such as talent, innovation, the economy, and brand.</p><p>With greater risk has come heightened attention, notes the report from the American Institute of Certified Public Accountants and North Carolina State University's ERM Initiative. Two-thirds say boards are calling for more management oversight of risk, while 58% say outside parties such as investors are demanding extensive detail about how organizations manage risk.</p><p>Yet, only one-fourth of respondents say their organization's risk management is mature, a decline from previous surveys. Moreover, less than 20% say their risk management process provides strategic value. "If functioning effectively, a robust enterprise risk management process should be an important strategic tool for management," the report says. </p><p> <strong>—</strong><strong> </strong><strong>T. McCollum</strong></p><h2>Weighing the Cost of Fraud<br></h2><h3>Fraud defenses work but could face the budget-cutting ax.</h3><p>Organizations already pay a steep price for fraud, but they may be targeted even more if budget-cutting weakens defenses such as internal audit. Occupational fraud costs organizations about 5% of annual revenues, according to the Association of Certified Fraud Examiners' (ACFE's) 2020 Report to the Nations.</p><p>The report analyzed more than 2,500 fraud cases from 125 countries, with losses totaling more than $3.6 billion. Most of these frauds come from four areas: operations (15%), accounting (14%), executive management (12%), and sales (11%).</p><p>In a post previewing the latest report, ACFE President and CEO Bruce Dorris warns organizations not to cut internal audit and compliance amid the economic fallout from the coronavirus. "Cutbacks to departments or initiatives that are integral to a comprehensive anti-fraud program only serve to leave organizations more vulnerable to the growing likelihood of fraud," he says.</p><p>Weakened defenses combined with individuals facing financial pressures could create a "perfect storm" for fraud, Dorris cautions.</p><p>Effective controls, reporting, and training also help fraud fighting considerably, the report notes. One-third of frauds can be attributed to a lack of internal controls, so over the past decade, the use of controls such as hotlines, anti-fraud policies, and fraud training has increased by at least 9%. Organizations discover 43% of frauds through tips — half of them from employees — but employees are far more likely to report fraud when they receive fraud-awareness training.</p><p>One new trend the report finds is that individuals accused of fraud are less likely to face criminal charges, with organizations increasingly preferring to handle cases through internal discipline or civil litigation. Four out of five fraud perpetrators were disciplined internally, and 46% of victim organizations say they declined to refer cases to law enforcement because internal punishment was sufficient. </p><p> <strong>—</strong><strong> </strong><strong>T. McCollum</strong></p><p></p><h2>Sourcing in a Crisis<br></h2><h3>New vendor relationships can create new risks, says Erich Heneke, director of business integrity and continuity at the Mayo Clinic.</h3><table cellspacing="0" width="100%" class="ms-rteTable-default" style="background-color:#ffffff;"><tbody><tr><td class="ms-rteTable-default" style="width:306.667px;"><ul><li><strong>75</strong><strong>% </strong><strong>of U.S. adults </strong><strong>say that companies</strong> have a responsibility to support coronavirus relief.<br></li><li><strong>71</strong><strong>%</strong> <strong>say they will stop </strong><strong>purchasing products</strong> from companies they perceive to be irresponsible during the crisis.</li></ul><p> </p><p>"Americans are watching which companies are stepping up at this time," says Kate Cusick, chief marketing officer at public relations advisory firm Porter Novelli/Cone. "The decisions businesses make today will define them well after this pandemic has passed."</p><p>Source: Porter Novelli/Cone, COVID-19 Tracker: Insights for a Time of Crisis<br></p><br></td></tr></tbody></table><p> <strong>COVID-19 has businesses looking at the viability of their vendors. How can businesses shift quickly to new vendors? </strong>The pandemic has not only exposed traditional vendor risks with respect to supply chain disruption, but it has unlocked a new set of brokered vendors that enter new risk into the market. In health care, products have become unavailable due to supply and demand issues through traditional channels, and, thus, we are seeking products in alternative markets. When sourcing alternate channels, we have seen an influx of counterfeit products as well as brokers requiring a pre-payment and then vanishing with the hospital's money, which suggests that new tools will be necessary to quickly vet new vendor relationships.</p><p>Internal audit should let business areas do what they do best, while providing higher and wider level views into enterprise risks. Auditors also should be available as consultants to help mitigate risks as they emerge in vendor markets, whether that's by helping to design a third-party risk management program or aid in strategic sourcing needs. Auditors can offer an independent set of eyes on a process that is largely unfamiliar to a health-care supply chain.<br></p><h2>Brown Factors May Affect Credit<br></h2><h3>Harmful activities may become targets of disincentives.<br></h3><p>Organizations are familiar with "green" activities, but the environmentally harmful "brown" activities may have greater credit implications, according to Fitch Ratings' inaugural ESG Credit Quarterly report.</p><p>As defined by The European Commission's (EC's) final report on the European Union taxonomy for sustainable activities, green activities contribute substantially to environmental objectives. Since the report's publication in March, there have been calls for the commission to develop a taxonomy listing environmentally harmful (brown) activities.</p><p>The technical expert group assisting the EC with the sustainability taxonomy states that activities not defined as <em>green</em> should not automatically be considered <em>brown</em>. The Fitch report points out that consensus on a brown taxonomy will be difficult. However, it could impact credit by defining targets for disincentive policies such as higher prudential capital requirements.</p><p>A brown taxonomy "could inform how asset managers and banks screen for other fossil fuels or environmentally harmful activities in the future," Fitch notes. Additionally, it could lead to greater standardization in how investors and banks screen sectors deemed harmful. <strong>—</strong><strong> </strong><strong>S. Steffee</strong></p>Staff0
Assessing Risk in a Post-pandemic Worldhttps://iaonline.theiia.org/2020/Pages/Assessing-Risk-in-a-Post-pandemic-World.aspxAssessing Risk in a Post-pandemic World<p>​As the coronavirus (COVID-19) pandemic has changed the world, internal audit functions have needed to face that world differently. Before the outbreak, internal auditors worked in similar ways, following the same code of conduct, adhering to the same standards, and using many of the same tools. Now, auditors have another thing in common: the need to adapt to frequently changing risk conditions.</p><p>COVID-19 has fundamentally changed the risk profiles of many organizations. As internal audit ramps up to a "new normal," it must recalibrate its audit plan from a dramatically different risk perspective. </p><h2>An Audit Plan in Peril</h2><p>Let's examine the timeline of events. Many internal audit functions started their risk assessment and audit planning process in late 2019. By early 2020, departments in most of the world had formed at least a skeleton of their audit plan, and some had communicated their formal plans to the audit committee and senior management. Some audit functions began executing engagements in early 2020. </p><p>That all changed in March, when the coronavirus began to race swiftly around the world and businesses experienced the first effects of social-distancing measures. Operationally, many organizations altered their business practices. From a compliance perspective, some regulatory requirements were suspended or relaxed for entire industries during the outbreak. </p><p>As these response measures quickly escalated, many audit functions drastically altered their audit plans. Businesses experienced so much disruption that it was nearly impossible to execute some audit engagements, or there simply was no value in doing so. Most respondents to an April 2020 IIA Quick Poll say they discontinued or reduced scope for some audit engagements, and nearly half canceled some engagements in response to COVID-19. </p><p>Four in 10 respondents indicate they redirected audit staff to nonaudit work. For some audit functions, temporary staff furloughs or budget reductions ended audit work or reduced staff activity to administrative duties.<br></p><h2>Post-pandemic Planning</h2><p>The audit plan that existed before the pandemic is based on an old risk paradigm. In a post-pandemic world, chief audit executives (CAEs) must think differently about their organizations' risks and how to redeploy audit resources. Here are some questions CAEs should ask in rethinking their audit plans.<br></p><p><strong>What does the organization's new normal look like?</strong> Even businesses that were least impacted by COVID-19 will have systemic changes in their risk environment (see "Questions for CAEs" at the end of this article). There may be major fallout to institutions and systems that organizations rely on, and regulators, financial institutions, and supply chains may experience disruptions well past the point when stay-at-home orders are relaxed. Some may no longer exist.<br></p><p><strong>Is my risk assessment process agile enough?</strong> This question will be critical as CAEs begin prioritizing how to redeploy resources to address elevated risk in legacy risk areas as well as in new, uncharted territory. Risk assessments need to be agile because risk dynamics may change frequently in the near term. CAEs should evaluate and streamline legacy risk assessment processes.<br></p><p><strong>Does my team still possess the skills to execute the risk assessment and audit plan?</strong> In the post-pandemic world, risk profiles probably will change — in some organizations, dramatically. CAEs need to evaluate the talent in their teams and internal audit's ability to identify risks and execute engagements that focus on new types of risk. They need to address questions such as:</p><ul><li>How has internal audit's staffing changed? </li><li>Are staffing levels different, and have there been any changes in talent? </li><li><p>Are there new talent needs as a result of changes to the organization's risk profile?</p></li></ul><p><strong>Does my team still have an objective mindset?</strong> Unprecedented times call for unprecedented measures, and during the COVID-19 emergency, many internal auditors have been called to duty in ways they never imagined. If auditors were engaged in nonaudit activities within the business or performing activities that normally would be incompatible with professional standards, CAEs should evaluate staff objectivity.</p><h2>A New World of Risk</h2><p>The world is different now, with different risks. Internal audit functions must recalibrate how they view the inherent risks their organizations face as the recovery period begins. </p><p>Although pivoting from the old world to a new one is not a new phenomenon, the magnitude of COVID-19 impacts is more global and more severe than anything most auditors have experienced. Internal audit's ability to respond is vital not only to how its business recovers, but also how audit realigns with its stakeholders' needs.  <br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><strong>Questions for CAEs</strong><br><br><p>To assess their situation during the COVID-19 crisis, CAEs should ask:</p><ul><li>What does organizational staffing look like now? Have there been reductions or reorganizations?</li><li>Have key stakeholders changed? What new audit clients should I anticipate?</li><li>Have workforce reductions or reorganizations impacted how internal controls are executed? Are there new segregation of duties concerns or controls that no longer have control owners?</li><li>What processes have been temporarily or permanently changed?</li><li>What systems were temporarily modified or permanently changed? Were appropriate IT general controls followed for these changes, and, if not, what are the implications? </li><li>What controls were modified to accommodate unique business situations or risks?</li><li>Have there been any key personnel changes such as loss of unique subject-matter expertise or loss of key leaders in strategic areas?</li><li>Has the organization's strategic focus changed in the near or long term?</li><li>How have cost structures changed?</li><li>Have there been fundamental changes in the organization's debt and capital structures? Are there new or different debt covenants?</li><li>What new legal or compliance challenges is the organization facing (lawsuit exposures, changes to compliance infrastructure)?</li><li>Have new business opportunities emerged and have corresponding risks been identified?</li><li>Have the fundamentals of business-unit operations or strategies changed?</li><li>How have business continuity dynamics changed (key infrastructure changes, key customer changes)?</li><li>How have enterprise risk management dynamics changed (key risks, key risk indicators, response plans, and risk appetite)?</li><li>How have U.S. Sarbanes-Oxley Act of 2002 dynamics changed, including changes with external auditors, regulatory dynamics, and control owners?</li></ul></td></tr></tbody></table><p></p>Rick Wright1
A Rational Mindsethttps://iaonline.theiia.org/2020/Pages/A-Rational-Mindset.aspxA Rational Mindset<p>​Remember the scene from <em>Raiders of the Lost Ark</em> where Indiana Jones enters the Well of the Souls, which happens to be a snake-infested pit? After throwing a torch into the pit to reveal his plight, he exclaims, "Snakes … why did it have to be snakes?"</p><p>Granted, this scene is plotted to presume the snakes are venomous, so Indiana's fear is rational. But his initial reaction reveals his bias about snakes in general — the same way some people are irrationally averse to risk. </p><p>Internal auditors have a professional duty to remain objective as they perform their work. This unbiased mindset must extend to remaining rational when it comes to communicating with audit clients about risk.</p><h2>Why Did It Have to Be Risk?</h2><p>Snakes are vilified as animals that hide in dark places, stealthily seeking out prey and striking when they least expect it. An objective study of snakes reveals a much more accurate view of these complex creatures. Not all snakes are aggressive, nor are they all venomous or massive constrictors capable of inflicting great harm to people, as we often see in movies or hear about in the news. </p><p>In fact, snakes can be beneficial. Take the black rat snake, which is effective at controlling harmful rodent populations. One black rat snake can eat 100 mice per acre in a year. What farmer wouldn't readily adopt at least a couple of these hunters to offset the negative impact mice have on property and equipment, not to mention the potential spread of disease?<br></p><p>People sometimes perceive risk with the same irrational viewpoint. Too often, when discussing risk and risk management philosophy with business professionals in the course of internal audit work, the conversation gravitates toward an unbalanced, negative attitude about risk. </p><p>One time, my audit team was conducting an audit workshop with a group of business managers. The team was explaining how our audit activities were risk-based so that we focused on things that matter most to their functions' success. The supervisor for this group of managers interrupted our discussion to admonish the group that they needed to be focused on risk to eliminate it from the company. While it was an innocent exclamation the supervisor truly believed, it was an unfortunate and unplanned distraction from our discussion that the audit team had <br>to clarify with the workshop participants. </p><p>The interruption turned out to be a blessing in disguise. It enabled the internal audit team to lead a healthy discussion about the opportunities that also accompany risk, while explaining that eliminating risk was not realistic nor necessarily a desirable goal.</p><h2>Shifting the Risk Mindset</h2><p>With all the focus organizations have devoted to enterprise risk management and updated risk management frameworks, they still get trapped in a vortex where risk is seen in a lopsidedly negative light. Internal audit should thoughtfully redirect this line of thinking when such an uninformed view of risk and risk management is expressed. </p><p>The snake analogy is a good proxy for reframing the risk discussion. The word <em>risk</em> often is misunderstood. Like snakes, risk can do serious harm, so people instinctively project harm to all risk. But is this rational? </p><p>In finance, <em>risk</em> frequently is paired with the word <em>reward</em> to describe offsetting outcomes related to a decision. While taking any given risk may result in a bad outcome, there also is the prospect of a good outcome. No risk, no reward, as the saying goes. This is a more rational view of risk. </p><p>Internal auditors can help organizations balance attitudes about risk by talking and acting rationally about risk. For instance, they shouldn't use risk exclusively as a "four-letter word" in discussions with other business professionals. Risk mitigation is only one potential risk response alternative. When approaching risk assessments or new audit engagements, internal auditors should talk about how informed risk-taking is essential to the organization's growth prospects. </p><p>Internal auditors should counsel clients that risk acceptance is sometimes the best risk response. This can be the case when other risk response alternatives are costly or when the risk is relatively mild. Accepting a risk while continuing to monitor it for changes that may justify a different response is a rational reaction. </p><p>In other instances, it is appropriate to exploit risk for its opportunity. In times of crisis or disruption, offsetting opportunities can present themselves in the face of emerging risks. In these instances, risk opportunities can serve as a hedge against simultaneous negative risk outcomes. When internal auditors set a good example, clients and other stakeholders are more likely to respond to risk with a more rational mindset.</p><h2>Thinking Differently About Risk</h2><p>Let's think about snakes and risk a little differently. A more neutral word to use for snake is reptile. Some reptiles can cause harm to people in certain circumstances such as swimming in a lake known to have large alligators or walking through terrain known for rattlesnakes. In other situations, such as rodent control, reptiles are benign or helpful. </p><p>Likewise, a less polarizing term for risk is uncertainty — specifically, about some outcome. Risk is neither bad nor good; it's just uncertainty. When auditors use the word <em>uncertainty</em> when discussing risk, they can have a more objective, and less polarized, discussion and avoid the biased, negative connotation. This allows auditors to unlock the real value of an intellectual discussion about risk — refocusing attention on decision-making. </p><p>Uncertainty hinders decision-making. The more uncertainty that exists about a pending decision, the more difficult it is to make a decision that will result in a favorable outcome. The better decision-makers can understand the uncertainty they are faced with in a decision, the more likely they should be able to optimize the outcome they are seeking from any given decision. </p><p>The coronavirus pandemic comes to mind. In the present, fear of the unknown is dominating the response conversation. This is a crisis that has not been experienced in most of the modern world, and government leaders are struggling to craft effective responses because of the uncertainty that exists. </p><p>In time, this threat will subside. The world is currently experiencing negative outcomes; however, positive outcomes could emerge, such as a more resilient health-care system to deal with similar threats in the future.</p><h2>Risk Doesn't Have to Be Scary</h2><p>When risk is obscure and lurking in the darkness, it seems more like a rattlesnake waiting to strike against an unsuspecting victim. But when risk is visible, understood, and appreciated for its potential benefit, organizations can exploit it for a beneficial outcome or control it to minimize a negative outcome. With this shift in mindset, risk becomes less of a scary monster and more of a device that uses rational decision-making to optimize risk outcomes. <br></p>Rick Wright1
10 Questions on Culturehttps://iaonline.theiia.org/2020/Pages/10-Questions-on-Culture.aspx10 Questions on Culture<p>​Among an organization's key assets, perhaps none is more valuable than the culture that permeates it from top to bottom. In the words of management consultant and author Peter Drucker, "Culture eats strategy for breakfast," meaning that even a great strategic plan will likely fail if the organization's mindset and workforce don't align with it.</p><p>The word <em>culture, </em>as it applies to organizations, refers to the attitudes and workplace behaviors that drive customer and employee relations, the quality of goods and services, and profitability. Recognition of business culture as a legitimate balance sheet line item under U.S. generally accepted accounting principles underscores that effective culture is a bottom-line essential, not a fuzzy nice-to-have. In fact, a business' culture may carry a book value — in the form of goodwill — higher than any other asset on the balance sheet. </p><p>Culture impacts nearly every aspect of an organization, including morale, productivity, and achievement of goals, making it an essential area for internal audit to examine. An FAQ on culture, assembled from years of questions received from audit committees and stakeholders, can serve as a primer on the topic and help guide internal auditors planning to conduct a cultural assessment. </p><h2>1. How is culture formed?<br></h2><p>An organization's expressed desire to create an employee- and customer-centric, sustainable enterprise represents nothing more than a wish unless actively supported by the incentives, policies and procedures, and goals established by management. Some of the factors that shape a culture for good or bad include:</p><ul><li>Employee workloads.</li><li>Spans of authority.</li><li>Management style.</li><li>Ethics policies.</li><li>Organizational values.</li><li>Relevance and frequency of training.</li><li>Recruitment and retention practices.</li><li>Criteria for employee advancement.</li><li>Compensation plans.</li><li>Personnel policies, including work-hour flexibility and remote-work options.</li><li>Quality controls over products and services.</li><li>Return policies and product warranties.</li></ul> <br> <p>An organization's culture is impossible to conceal because it can be observed almost everywhere. It shows, for example, in the level of respect and teamwork among staff members and in the physical work environment. Culture is quantifiable through productivity metrics and by examining compliance with both the letter and spirit of rules and regulations. Moreover, culture is evident in employee turnover rates, and it is undeniably reflected in the organization's success with retaining repeat customers and garnering their recommendations. </p><p>Culture is profoundly important to an organization's well-being and competitive viability. The factors associated with a healthy or an unhealthy culture are the same ingredients that determine the quality of goods and services it produces, which in turn affect its very survival.</p><h2>2. Why assess culture?</h2><p>Every organization will experience some "sway" or "drift" between its desired state and actual behavior. With that in mind, internal auditors should help gauge whether management and staff are acting on values the organization purports to uphold. And while all the components of a culture may support desired attitudes and behaviors at a point in time, they must be continually assessed for relevance and competitiveness for each generation of employee and customer. What's more, some managers do a better job embracing desired values and instilling them among staff than others. Periodic assessments can identify rogue or ineffective managers — hopefully before they inflict any long-term damage. </p><p>Many governing bodies, C-suite executives, and audit committees recognize culture's impact on these and other key organizational factors, including productivity, product and service quality, and the retention and attraction of customers. No company is successful for long by sheer accident and happenstance. Long-term success is achieved only by design and intent that is translated into the tangibles found in organizational culture. </p><h2>3. What are the vital signs of a healthy culture?</h2><p>The definition of a healthy culture is the same for both the private and public sectors. Health is measured by the degree an organization can sustainably retain committed and capable employees to provide cost-effective, competitive goods or services that are timely and responsive to customers' needs. A sick culture fails in one or more of these critical areas.</p><p>Organizational commitment to the integrity of business processes and true customer-centric services are readily apparent, as they permeate every aspect of the operation — from responsiveness to requested information and the usefulness of procedural manuals to workplace civility and the inclusiveness of staff in decision-making. Nonetheless, the presence of these elements does not necessarily indicate a healthy or well-functioning organization — many other factors must be considered.</p><p>As such, auditors have found that below-market compensation, poorly structured workflows, unreasonable spans of authority, unrealistic production goals, shortcuts that compromise product and service quality, and absent management are among signs of a dysfunctional culture. Avoiding these deficiencies requires a deliberate commitment from management — one that reverberates throughout the organization. </p><h2>4. What does an assessment of culture involve? </h2><p>The typical assessment includes soliciting employees' opinions on the degree the organization lives up to its desired cultural values. This information is usually obtained through surveys and personal interviews, and through an examination of pertinent policies and procedures — including codes of conduct, compensation policies, and promotional criteria.</p><p>The finished report typically presents:<br></p><ul><li>The areas assessed.</li><li>Employee demographics.</li><li>The documents, policies, and procedures examined. </li><li>Responses to each survey question, along with a summary of written comments consolidated into common categories.</li><li>A blank copy of the survey questionnaire.</li></ul> <br><p>Survey reports also frequently include recommendations to address any shortcomings noted. Most assessments are completed within two months.</p><h2>5. Will the assessors rank the culture's various components?</h2><p>The typical assessment scales comments provided in an interview or survey. Most often, respondents are asked to rank their opinion along a continuum between "strongly disagree" and "strongly agree," or through a similar rating system. </p><p>Questions regarding the status of an organization's or subunit's culture are typically grouped into five or more major categories that address values that the board views as its desired corporate identity or personality. These can include innovation, leadership, vision and purpose, collaboration, customer focus, governance and accountability, organizational functionality, adaptability and flexibility, and employee relations. Results commonly present the number of respondents for each of the rankings on the scale, as well as an overall average for each question and category. Survey instruments that enable the reader to gauge the rankings by level of employee, length of service, and gender can be helpful in addressing training, staffing, and funding needs. </p><p>Survey results often show that both the executive level and management believe company policies and practices are more closely aligned with the company's desired values than the employees rank it to be. Such insights are essential to stop the "cultural drift" that typically occurs over time.   </p><h2>6. Will management get to preview the questions and provide a response? </h2><p>Cultural assessments should be a collaborative effort that involves management and staff throughout the engagement. Both perspectives are critical in identifying the questions to be asked of survey participants. To succeed, assessments must receive buy-in from everyone involved, which may involve obtaining their perspectives in a written response attached to the report. </p><h2>7. How can auditors prevent assessments from devolving into a complaint session?</h2><p>Culture assessments typically are designed to avoid being hijacked by a small minority of disgruntled employees. Internal auditors<strong> </strong>should survey a large population that includes a representative cross-section of positions, salary ranges, operating units, ages, and experience levels, as well as both new and veteran employees. All respondents should provide demographic information, kept anonymous by the assessors, via a dedicated section in the survey instrument. Obtaining this information helps management better assess the validity of the responses.  </p><h2>8. Can fiscal, compliance, control, and performance audits be considered audits of culture?</h2><p>All audits are increasingly viewed as a cultural assessment, but only within the narrow bandwidth of the audit's scope. Many managers and auditors view reports from these audits as an implicit assessment of attitudes and commitment toward assigned duties in light of the organization's values and mission. When performing reviews, auditors may also survey and interview employees from the audited activity as a means of determining whether prevalent attitudes and behaviors reflect the desired culture. </p><h2>9. Should the hotline or whistleblower program be assessed?</h2><p>Whether or not an organization supports and protects those who speak up when they see suspected misconduct is a critical reflection of its tone at the top. The support and funding for a hotline program, as well as its placement in the organizational hierarchy, sends a signal to employees about the board and CEO's commitment to ensuring integrity in every aspect of the business. Internal auditors should conduct periodic assessments to gauge employees' perceptions regarding the hotline program's value and effectiveness to ensure it continues to promote and support integrity in the workplace. </p><h2>10. Why are internal auditors well-suited to assess culture?</h2><p>Internal auditors are typically well-regarded and trusted as impartial and objective. Given their exposure to areas throughout the organization, auditors can regularly observe how the tone at the top impacts employees and the extent to which it shapes desired behavior. This experience gives auditors multiple and varied reference points for comparing best practices, attitudes, and expectations that mold a culture for good or bad. It also helps them offer cost-effective, practical recommendations.</p><p>Additionally, auditors are typically well-trained and experienced in assembling evidence and information that supports sound, defensible conclusions. And they are often<strong><em> </em></strong>granted unrestricted access to all personnel, books, and records, as well as cooperation from all affected parties, which removes the typical organizational turf battles and privacy concerns that can thwart other professionals seeking to conduct this type of assessment.  </p><h2>Getting Culture Right</h2><p>Every organization has a culture that affects its daily operations, influencing nearly every decision and impacting virtually all employees. Periodic reviews of the culture have proven to foster employee trust and help keep organizations healthy and strong by alerting management to any drift from desired cultural values. When an organization gets culture right, it can make the difference between just surviving in the marketplace and thriving as an industry leader.  <br></p><p><em>Ken Pun, CPA, managing partner for The Pun Group in Newport Beach, Calif., contributed to this article.</em><br></p>Peter Hughes1
Testing the Boundarieshttps://iaonline.theiia.org/2020/Pages/Testing-the-Boundaries.aspxTesting the Boundaries<p>​The outbreak of COVID-19 has forced regulators in the U.S. and around the world to focus on the immediate impacts that the pandemic is having on companies, markets, and consumers. And while some watchdogs have said they may relax some rules or reduce scrutiny to help businesses operate more smoothly, experts warn it does not mean companies should loosen their internal controls. Nor should they take advantage of the situation by engaging in questionable, or even illegal, practices in the hope that authorities have less appetite — or means — to investigate and enforce the rules. As companies face temptation and risk noncompliance, internal audit has a strong role to play in helping them adhere to the rules.<br></p><h2>Business as Usual</h2><p>"Companies are still liable for compliance failures," says Hermès Marangos, partner at U.K. law firm Signature Law. "The virus emergency does not postpone or modify the law — there are no exemptions unless so provided by the legislation itself. Despite this, there are already individuals and entities trying to profiteer, behave unethically and contrary to laws and regulations in many instances," he says.<br></p><p>One area of corporate activity that has seen a relaxation of some rules is competition law. To enable the supply of key medicines, health-care equipment, food stuffs, and other urgent goods, anti-trust regulators have allowed competitors to work together — albeit in very specific and limited circumstances. In some regions, such as Europe, companies can even apply for "comfort letters" to gain increased assurance from the regulator as to what practices may be allowable under these exceptional circumstances, and for how long.  But lawyers warn companies against thinking that such arrangements are the "new normal," or that a relaxation of the rules in one area means that closer cooperation in other areas of business has been tacitly allowed.<br></p><p>Some companies also risk misinterpreting signals from regulatory agencies that enforcement may be pared down. They may assume that watchdogs will focus their resources on tackling companies committing the worst abuses or causing harm to the biggest number of consumers, rather than target organizations generally that have failed to comply. For example, in Europe — which has probably the toughest and most punitive data protection laws in the world under the General Data Protection Regulation — several data protection authorities have said they will naturally be drawn to investigating the "worst offenders."<br></p><p>But lawyers point out that this does not mean companies have been given any special dispensation not to follow the rules as normal. It simply means that the regulators have prioritized their resources.   <br></p><p>"As regards data privacy and enforcement, it is business as usual," says Sarah Pearce, privacy and cybersecurity partner at international law firm Paul Hastings. "No dispensations are being made under current circumstances. Most data regulators have said data protection principles still apply and should be adhered to, so businesses should certainly not view COVID-19 as an excuse for noncompliance."<br></p><p>Companies risk noncompliance by misinterpreting any sign of rules easing — or they may even assume a relaxation simply due to the pandemic. "While there may be some delayed reaction in terms of enforcement by certain regulators due to limited resources during this time, that is not to say there won't be enforcement later down the line," Pearce says. <br></p><h2>Penalties Still Apply</h2><p>Experts also warn against assuming that penalties will be reduced because firms are under financial pressure. Michael Ruck, partner at U.K. law firm TLT, says that although regulators are redeploying their resources during the response to coronavirus, resulting in a reduction in the number or progress of investigations, the top-level amount of fines or penalties imposed will not be relaxed. <br></p><p>"In periods where it is difficult to trade or where profit is hard to come by, there are inevitably instances of a small number of corporates or individuals being increasingly willing to stretch the interpretation of regulatory requirements — sometimes beyond their breaking point," Ruck says. "A perceived relaxation of regulatory intervention may encourage such behavior, but those that are tempted should beware."<br></p><p>While regulators may have discretion to reduce penalties in circumstances where incidents of accidental or low-level noncompliance occur, experts still warn that it will always be the authority that calls the shots.<br></p><p>"Regulators understand that the crisis is putting pressure on firms meeting their day to day obligations and are likely to be reasonable with firms that are making a reasonable effort to comply with regulations in a trying times," says Ian Thomas, regulatory solutions specialist at Quorsus, a financial services consulting firm. "That said, the keywords here are 'reasonable' and 'comply.' Cash crisis or not, the regulators are unlikely to hesitate to issue fines for serious breaches or offences — for example, those financial services firms that put client money at risk." <br></p><h2>An Essential Resource</h2><p>Due to fears that organizations might choose to sail close to the wind if they feel that regulators might allow it, several experts believe that internal audit has a strong role to play in ensuring their organizations follow the usual strict codes of compliance.  <br></p><p>Camilla Winlo, director at international data protection and privacy consultancy DQM GRC, says that "it's good to see regulators taking a pragmatic view of enforcement." But she warns that organizations still need to be mindful of the need for regulatory compliance. <br></p><p>"Internal audit functions need to be particularly aware of the need to carry out risk assessments and policy and process gap analyses to identify where risks have been introduced and ensure that their organizations come back within their risk appetites as quickly as possible," she says.<br></p><p>Nicola Howell, senior compliance and privacy attorney at commercial data and analytics firm Dun & Bradstreet, agrees that there should be no "let up" in following the rules. "Internal audit teams should not be complacent about enforcement and should proceed with upholding the policies their organizations had in place before COVID-19 took hold," she says. "While justifiable allowances may be made, any significant departure from legal requirements or previous company policy could significantly backfire on a business."<br></p>Neil Hodge1
Auditing Knowledge Managementhttps://iaonline.theiia.org/2020/Pages/Auditing-Knowledge-Management.aspxAuditing Knowledge Management<p>​Technological advances are transforming the nature and importance of the organization’s knowledge assets — intellectual property, software, data, technological expertise, organizational know-how, and other intellectual resources. The value of the global knowledge management market was around $2 billion in 2016 and is expected to exceed $1.2 trillion by 2025, according to Zion Market Research. At this worth, organizations should want to know if their knowledge assets are safeguarded. </p><p>Knowledge assets are vulnerable to loss and can be compromised by internal and external sources. In a 2018 study from the Ponemon Institute and Kilpatrick Townsend & Stockton, 82% of respondents acknowledged that their companies very likely failed to detect a breach involving knowledge assets, up from 74% in 2016. </p><p>Often, audit of knowledge assets is limited to assessing risks, controls, and value derived from the technologies used in their processing (knowledge flow) and the digital records maintained that focus on effective document management. This is only a part of knowledge management auditing in the true sense. It does not get to the core issues of the effectiveness of their protection, how they promote business objectives, and the new opportunities they exploit. </p><p>What has been missing is a structured approach to assess the interplay between strategic and operational risks and controls in enterprisewide knowledge assets management. Unfortunately, there are no comprehensive professional guidelines to assess the adequacy of risks confronting knowledge assets, particularly living knowledge assets held by individuals. Internal auditors must adapt to the evolving risk landscape in knowledge management by reorienting their methodologies and practices to recognize the role of knowledge assets in achieving business objectives. </p><h2>Look for Risk Indicators </h2><p>With disruptive technologies at the forefront, knowledge management tends to be a high-risk activity for most organizations. Risks to knowledge assets are any loss that may decrease the potential to effectively pursue an organization’s business objectives. Key risk indicators in a typical knowledge-based organization include uncertainties about critical knowledge needs, potential business opportunities lost in their absence, and their impact on business objectives. Other indicators may be process related, such as multiple repositories of information in IT-based systems such as an intranet, collaboration platform, or emails that are not integrated. These indicators can lead to wasted resources and inefficiencies and weaknesses in access restrictions to intellectual property. </p><p>Attrition is a common risk involving significant replacement costs that can destabilize even the most successful and steady organizations. It is estimated that the average cost of turnover is 1.5 times the annual salary of the job. Internal auditors also should be vigilant about risks specific to tacit knowledge assets management, which include a high tacit-to-explicit knowledge ratio, high staff turnover, a high percentage of core knowledge held by people nearing retirement, and high market demand for key personnel. It is likely in such cases that these assets will be lost. </p><h2>Assess Strategic Risks</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>Explicit and Tacit Knowledge Comparison</strong></p><p>There are two types of knowledge defined in business. The first, explicit knowledge, is easy to codify, store, and share. It includes textbooks, journals, white papers, patents, literature, audio-visual media, software, and database access. The second, tacit knowledge, comes from personal experience and is not easily replicable or transferrable, such as know-how, methodologies, training algorithms, and professional skepticism. </p><p>Within tacit knowledge, there are two dimensions: technical and cognitive. The highly subjective and personal insights, intuitions, and inspirations derived from an individual’s experience fall under the first category. The second category consists of beliefs, perceptions, values, and emotions ingrained in individuals over years. </p><p>Some argue that tacit knowledge accounts for about 80% to 90% of the knowledge held in a typical organization. Knowledge assets are created at the intersection of, and interaction between, explicit and tacit knowledge. <br></p></td></tr></tbody></table><p>Strategy-related risks in knowledge management typically include the absence of, or a weak, knowledge management strategy; lack of involvement from senior management in knowledge management activities; and lack of alignment between key processes and knowledge assets in place. </p><p>If knowledge is a key driver for the business or is one of the main products of the business entity audited, such as a consulting firm or an educational institute, internal auditors should ask: </p><ul><li>What is the critical knowledge at risk and who determines it? </li><li>What are the core activities? </li><li>How does information flow through those activities? </li><li><p>Is there a knowledge management strategy? <br></p></li></ul><p>Next, internal auditors should remap the business’ critical processes to identify what information is needed to run them. If these needs are not being met, they should determine who needs the missing knowledge. Practitioners should review the enterprisewide risk register to assess whether knowledge management-related risks are recognized, paying attention to the risks of loss of knowledge when core capabilities are outsourced. The instances of high staff turnover and poor knowledge retention among outsourced providers could hamper service quality, involving potential legal risks.</p><p>A robust knowledge management strategy should focus on capturing knowledge assets that are critical to success and that underpin performance to create growth and a competitive advantage. Are there sound human resources policies and succession planning strategies for mentor and peer support before, during, and after key staff with the best situational awareness leave the organization? Are there processes to capture results of lessons-learned exercises, particularly with lawyers, consultants, and accountants’ knowledge and experience that is incorporated into organizational knowledge and change processes? The knowledge lost in such cases could be costly to replace and may require intensive corrective training or retraining. </p><p>In public sector audits, practitioners should pay attention to the procedures followed for valuation of investments in knowledge assets used to support the provision of public services such as water, transportation, and healthcare. There may not be well-defined standards and methodologies for estimating the social, economic, and financial value derived from the assets as they don’t have market-determined equity value. </p><h2>Assess Operational Risks </h2><p>Employees spend almost one-fourth of their time searching for information, according to a survey from The Economist Intelligence Unit. Unclear data definitions, ineffective data governance, and poor search engine performance lead to barriers requiring analysts and developers to resolve them. The root cause of most operational risks in managing knowledge assets is lack of alignment between the strategy and the processes built around it. </p><p>To start, internal auditors should review the accuracy and reliability of the knowledge assets inventory and the core processes they support, and the responsibilities of the people who manage them. The review results will help identify weaknesses in data governance — such as data silos where data is divided across various databases and divisions accentuating memory loss and poor internal coordination of information. The starting point for the review is identifying and using performance criteria for key activities approved by management. While doing so, internal auditors must be able to determine how the key activities are aligned with key stages of knowledge management in the organization, such as needs identification; acquisition; storage, retrieval, and dissemination; archiving; and performance management. If they do not align, that is a strong indicator that these assets are not generating a tangible return. </p><p>Intellectual property in the form of formulae, practices, processes, designs, instruments, patterns, commercial methods, or compilations of information can be subject to loss or compromised by internal or external sources. Internal auditors should assess that the owners of the intellectual property assets have appropriate controls to prevent cyberattacks that could lead to infringements and inappropriate access. </p><h2>Internal Audit's Strategy</h2><p>Auditing knowledge assets requires specific strategies and skills. Each organization’s knowledge needs are unique. As internal audit leaders prepare their audit plans beyond 2020, they should have a multipronged strategy to audit their clients’ knowledge assets from a value-for-money perspective: </p><p></p><ul><li>Retain the best internal audit talent through valuing and investing in the tacit knowledge asset held in the internal audit function.<br><br> </li><li>Develop and maintain a risk-based audit universe of clients’ business operations with significant investments in knowledge assets. This should provide a basis for identifying areas of audit engagement related to knowledge management. <br><br></li><li>Identify and map the knowledge held in the audit department to capture and use the tacit knowledge held, particularly related to complex audit engagements. This information could be used to develop an appropriate knowledge management strategy and system to facilitate collaboration within the audit team. <br><br></li><li>Empower audit teams to recognize the strategic importance of knowledge assets to the business. This will allow them to provide assurance on legal, commercial, technical, social, and financial aspects of the knowledge assets and the relevant risk indicators. For example, develop a bank of risk indicators — quantitative and qualitative — for assessing the processes used in tacit knowledge assets management.<br><br></li><li>Review the adequacy of audit programs used for knowledge management audits. Strengthen them by focusing on strategic and operational aspects of the processes in place to highlight risks of inefficient use of knowledge assets. <br><br></li><li>Focus on the value-for-money aspect of the engagement. Do not get distracted by the technologies and processes used to manage knowledge assets, particularly in engagements involving significant investments in them.</li></ul><h2>Closing the Gap</h2><p>The five most valuable companies in the world report just £172 billion ($223.2 billion) of tangible assets on their balance sheets, though their total worth is £3.5 trillion ($454.2 billion). Almost all of their value is in the form of intangible assets, including intellectual property, data, and other knowledge assets, according to a 2018 budget report from Her Majesty’s Treasury in the U.K. Despite their critical role in business performance, knowledge assets are not traditionally audited with a focus on how organizations safeguard them to retain their competitive position and how they contribute to business performance. As key partners in the assurance process, internal auditors can take a strategic approach to bridge this gap and maximize its influence. </p>Israel Sadu1
COVID-19: The Ultimate Governance Challengehttps://iaonline.theiia.org/2020/Pages/COVID-19-The-Ultimate-Governance-Challenge.aspxCOVID-19: The Ultimate Governance Challenge<p>​In many ways, coronavirus (COVID-19) is the corporate governance crisis we've been preparing for all our lives. It is a public health crisis that has caused an economic crisis, which for many organizations has also caused operational or liquidity crises.</p><p style="text-align:left;">Its consequences dwarf the financial crisis of 2008 and the Sept. 11 attacks combined. It is global in scope and unending in duration. And yet, corporate boards, management, and internal audit teams have to confront this menace somehow.</p><p style="text-align:left;">We can start with the obvious: Board directors are as bewildered as everyone else by COVID-19. Clearly the pandemic challenges organizations in all sorts of ways, and directors do grasp that point — but understanding the<em> exact</em> ways COVID-19 will challenge their businesses is no small thing. </p><p style="text-align:left;">"For many, this particular risk — basically, of businesses completely shutting down and everyone staying home — well, that wasn't on the risk profile," says Shellye Archambeau, who serves on four corporate boards, including Verizon and Nordstrom. <br></p><p style="text-align:left;">That puts corporate directors in a delicate position. From management, they want to hear about new information, new risks, or new plans being executed, and that can be a lot; Archambeau figures she has been on board-related calls at least once a day, if not more. At the same time, however, directors don't want to burden management too much, since the executive team has plenty to do already. <br></p><p style="text-align:left;">"It's very important at this unusual time to trust management, and let them do their job of running the company," says Alpa Parikh, who was chief audit executive at Puget Sound Energy until last fall and now serves on the audit committee of a Seattle-area social services non-profit. Her operating principle these days: Don't ask unnecessary questions of management; do think about the long-term implications of short-term actions the organization takes to keep operations alive right now. <br></p><p style="text-align:left;">That makes sense. Ill-advised actions today could constrain a company's strategic choices tomorrow, next month, or next year — and that's what a board is supposed to prevent. In that case, several issues rise to the top of corporate directors' concerns.<br></p><h2>Keeping Things Going<br></h2><p style="text-align:left;">Foremost are questions about the organization's cash position, and its ability to continue as a going concern even if COVID-19 drags on for many months. (And let's not kid ourselves, it probably will.)  So, for example, one specific priority would be an organization's ability to preserve the cash it has. That means directors will want to know about spending and hiring freezes, and also about approval processes for significant expenditures — including whether those processes are sufficiently tight, given the company's projected cash flows. <br></p><p style="text-align:left;">Then again, Wendy Pfeiffer, on the audit committees of cybersecurity firm Qualys and consulting business SADA, says companies can't forget about "market moments" either, such as the chance to pick up a merger target on the cheap or to launch a new line of business. <br></p><p style="text-align:left;">You can't do those things without cash, so cash preservation is important; but directors also want to know that management is trying to maintain strategic perspective and flexibility, too, so the company can jump on a good moment when one arises. <br></p><p style="text-align:left;">OK, that concept is easy enough to grasp. Here in the real world, however, audit committees are trying to understand such issues while the economic ground keeps shifting. Well-understood key performance indicators or key risk indicators might no longer fit. Models of expected customer behavior, sales cycles, liquidity, or supply chain risks could all unravel. <br></p><p style="text-align:left;">Directors are acutely aware of that possibility, and want assurance that management — and audit teams — are trying to stay ahead of such shifts. That means lots of scenario-planning. "Leverage your analytical skills to figure out what the scenarios might look like and capitalize on strategic agility," Parikh says.  <br></p><p style="text-align:left;">And audit committees still have their day jobs overseeing the financial reporting function. Regulators have published a laundry list of accounting items that could be difficult to calculate these days, and those items are sure to be concerns for the audit committee, too. <br></p><p style="text-align:left;">Among the issues flagged: lease modifications if a company starts giving back space (which could actually goose the organization's income statement upward), impairment of goodwill or intangible assets (which could wallop the income statement and the balance sheet), revenue recognition, hedging, and more. COVID-19's effect on those items will involve a lot of subjective judgment. Audit committees will want to know that said judgment is sound and grounded in good data, as much as possible. <br></p><h2>Internal Audit's Role in Continuity Today<br></h2><p style="text-align:left;">As companies are scrambling to understand what their new risks are, and how to amend business processes to keep those risks at acceptable levels, internal audit has an important role to play. It is internal audit's job, after all, to perform critical assessments of emerging risks, use data analytics to build monitoring tools, and counsel management on possible changes to business processes. Those are crucial corporate capabilities as COVID-19 continues.<br></p><p style="text-align:left;">"We already have those skill sets that allow us to adapt quickly to things like this," Parikh says. "That overview is very important right now, when you can look at processes end to end, across different functions and areas within a company to assess risks and identify potential opportunities." <br></p><p style="text-align:left;">That's the nub of the COVID-19 challenge for organizations, really. Success isn't about having a business continuity plan per se, because those plans never match the disaster you actually face. They only bring the shortcomings in your plan into sharp relief. The<em> ability</em> to plan, even under today's enormously difficult circumstances, is what keeps an organization alive. <br></p><p style="text-align:left;">It's also what audit committees want to see from management teams: an ability to observe changing conditions and devise a response that won't trap the organization in a strategic or operational dead end.<br></p><p style="text-align:left;">"I'd rather have the human brain," Pfeiffer says. "I'd rather have people who are aware and engaged and have their own early-warning system and expertise and creativity." Then let those people collaborate their way to a feasible solution, "rather than work their way through a playbook." <br></p><p style="text-align:left;">Those are words for an audit team to live by. And if the first weeks of COVID-19 are any indicator, we'll be living by them for quite some time.<br></p>Matt Kelly0
CAMs and the Audit Report: Brace for Impacthttps://iaonline.theiia.org/2020/Pages/CAMs-and-the-Audit-Report-Brace-for-Impact.aspxCAMs and the Audit Report: Brace for Impact<p>​Internal and external audit teams alike have entered a brave new world in the last year or so, as critical audit matters (CAMs) arrived as items to be included in the external auditor’s report. Now comes a crucial question: Will CAMs be an asteroid that slams into the annual audit process — or just a meteor shower that breaks up in the atmosphere? </p><p>CAMs are disclosures audit firms make in their audit report, to tell investors what the audit firm deems the most important accounting issues at the company. CAMs involve line items material to the business, and typically their issues will fall into one of two categories. Either the CAM will have weak controls that need attention; or it will be an item that involves subjective, complex judgment no matter how good or bad the controls are. </p><p>So far, only large accelerated filers have implemented CAMs, starting with companies whose fiscal years ended on or after June 30, 2019. All other companies will implement CAMs starting at the end of this year. </p><p>One school of thought is that despite all the angst that surrounded the development of CAM requirements in the 2010s, the inclusion of CAMs in the audit report won’t do much more than memorialize the same conversations that audit firms and internal audit functions have had for years. But will the process to reach those decisions be substantively different?</p><p>“No, not at all,” says Brian Tremblay, until recently the head of internal audit at Acacia Communications in suburban Boston. Critical audit matters, he says, are simply where audit firms devote most of their time and attention during the audit. That won’t change just because those issues are now written into the audit report.</p><p>Tremblay’s observation gets at a subtle but important point: what the word “critical” really means here. It does <em>not</em> mean that some accounting process is deeply amiss, like a patient in the critical care unit. It only means that the accounting issue is important, in the way that a solid foundation is critical to a whole house. </p><p>Now, can that foundation be a rickety mess that threatens the whole structure? Sure. So conversations ensue about how to repair the foundation as necessary. Conversations with audit firms about significant deficiencies or material weaknesses are no different. </p><p>“If we were not discussing those things before, we would have been incompetent in our jobs,” says Jan Babiak, chair of the audit committee at Walgreens Boots Alliance. She has served on boards where CAMs have come into force both in North America and Europe, and says the experience should not catch anyone — audit committee, management, or audit firm — by surprise. </p><p>Babiak gave the example of the corporate tax cut enacted by Congress in 2017. Audit committees were discussing the implications of that tax cut with management and auditors before the legislation was even final, let alone enacted. “By the time you get to something being in the opinion, it’s really old news — if you’re competent in what you do.” </p><p>OK, so successful implementation of CAMs depends on clear communication with the audit firm about difficult accounting issues. What should that look like for the legions of companies adopting CAMs for the first time this year? </p><h2>The Contours of CAMs</h2><p>One critical step will be a well-defined process to handle significant control deficiencies. A significant deficiency is not automatically a CAM unto itself — although it can be, or it can make a CAM much more likely. So resolving significant deficiencies in a consistent, productive way is crucial. </p><p>Manu Varghese, chief audit executive of Hira Industries in Dubai and previously controller at a Big Three U.S. automaker as it adopted CAMs, used a materiality threshold to grade the severity of control deficiencies. Anything that would affect the income statement by less than $3 million was minor; any effect from $3 million to $10 million was major. Any deficiency that had an effect of more than $10 million was classified as a significant deficiency, or a CAM, “and then management would have to fix it immediately.”</p><p>In Varghese’s case, “immediately” was within six months. The internal audit team created an action plan with management, which was presented to the external auditor and then to the audit committee. </p><p>What internal audit teams <em>don’t</em> want are disputes about significant deficiencies unfolding in front of the audit committee. “If that happens, you’re doing it wrong,” Tremblay says. </p><p>Then again, that’s always been the case: Internal audit, management, and the external auditor should have a method to resolve tensions about internal control issues before going in front of the audit committee. So to that extent, CAMs won’t cause any Big Bang change in how financial audits get done.</p><p>There’s another type of critical audit matter, too. At least some CAMs will exist simply because they are material to the financial statement and involve, as the audit standard says, “especially challenging, subjective, or complex auditor judgment” — even without any significant control deficiency.</p><p>That would be something like assessment of goodwill, contingencies for uncertain tax positions, or reserves for warranties. And sure enough, according to preliminary research of the first companies disclosing CAMs, the most common subjects were goodwill impairment, tax contingencies, and revenue recognition.  </p><p>Those CAMs are not necessarily bad; they’re simply important to the financial statements, even if management is rock-solid confident in its judgment about them. “There are things that exist in every auditor’s file regardless of the ‘real’ risk,” Tremblay says. “Those things are just there because they’re judgments and estimates, and that’s the lay of the land.” </p><p>Varghese puts an even more philosophical spin on such CAMs. “We need to understand the risk and ask, ‘Can we live with it?’” he says. “If it’s wrong, we fix it. But if it’s just complex — I can live with complex.” </p><h2>Whither the Audit Committee</h2><p>A fair question to ask at this juncture is exactly what the audit committee’s role should be in CAMs. For example, the U.S. Securities and Exchange Commission (SEC) published a statement in December encouraging audit committees “to engage in a substantive dialogue with the auditor” about CAMs and how the external auditor planned to describe them. That’s fine advice, but really the SEC is just advising audit committees to maintain good diplomatic relations with their auditor.</p><p>The Public Company Accounting Oversight Board (PCAOB) spent much of 2019 interviewing audit committee chairs, and it found that most chairs already are satisfied with the relationship they have with their audit firms. It’s not like audit committee chairs are straining to dump their audit firms or encouraging investors to deride the audit report at the annual shareholder meeting.</p><p>One could argue that all the SEC and PCAOB attention to audit committees is a charm offensive intended to escort board directors past this truth: The audit firm decides what a CAM is — not management, not the audit committee. To a certain extent, audit committees are bystanders here. Sure, they’re bystanders who can protest loudly if CAMs start complicating the message that the board and management want to convey to investors. They are still relatively powerless to stop an audit firm determined to call an issue a CAM. </p><p>So the more internal audit and management can work with the audit firm to ensure a smooth, consensus-driven process to handle CAMs, the better. And let’s remember, ultimately CAMs are there to help the investor understand the risks of the company. </p><p>“Sometimes people fall asleep reading [audit reports],” Varghese quips. “The CAMs section will probably help focus the attention of the reader, and that’s great."</p>Matt Kelly1
The Responsible Organizationhttps://iaonline.theiia.org/2020/Pages/The-Responsible-Organization.aspxThe Responsible Organization<p>In January, BlackRock CEO Larry Fink published an open letter to company CEOs warning them that if they didn't take immediate steps to help their businesses become more resilient to climate and environmental risks, they risk being dropped from pension fund portfolios. This kind of announcement has the ability to spark boardroom conversations during a time when the push for organizations to identify, mitigate, control, and disclose the myriad risks to their businesses to a wider range of stakeholders — not just shareholders — continues to gather pace worldwide. </p><p>Companies now report not only on the financial risks to their business, but also the nonfinancial risks they face. These risks include climate change, business ethics, human rights abuses, slavery and child labor, and their operations' impact on the environment — which fall under the realm of environmental, social, and governance (ESG) reporting. In fact, the current revision of the International Integrated Reporting Council's <IR> Framework aims to "further embed integrated reporting and thinking into mainstream business practice." </p><p>Yet despite such reporting progress, the consensus view of several experts is that many organizations are paying lip service, disclosing only the bare minimum of detail to comply or satisfy investors, regulators, and other stakeholders. Some organizations, meanwhile, are struggling to get their heads around what exactly they need to report — or how to do it, they add. </p><p>"Sustainability reporting is largely done as a paper exercise," says Lawrence Heim, managing director at audit and consulting firm Elm Sustainability Partners in Atlanta. He adds that "internal audit needs to be more involved in sustainability reporting, or become involved if it is not already part of the process." Such views are shared by other experts. </p><h2>Questionable Disclosures</h2><p>In the U.K., listed companies have a duty to disclose how sustainability risks may impact the long-term viability of the business and what steps management is taking to address them. But research from international accounting firm Mazars found that disclosures around carbon emissions in Financial Times Stock Exchange reports are "not fit-for-purpose" and are "in many cases a box-ticking exercise that does not appear to be integral to the way management runs the business." The Financial Reporting Council, the U.K.'s corporate governance regulator, and the European Union — where sustainability risk reporting has been mandatory for the past two years — have raised concerns about the quality of disclosures around sustainability risks.</p><p> Aside from nonfinancial reporting being voluntary for most organizations around the world, there are several reasons why efforts to improve sustainability reporting and risk management are failing. First, the bulk of all mandatory disclosures is still concerned with financial reporting and most of the effort goes into getting that right. Second, the term <em>sustainability</em> has become an umbrella buzzword for every risk that doesn't have an immediate financial price tag attached to it. Many organizations are either overwhelmed by the scale of work required to report meaningfully on the array of risks included, or are simply confused by the term and the issues being covered under ESG reporting (see "ESG Metrics" below). </p> <img src="/2020/PublishingImages/Hodge-ESG-metrics.jpg" class="ms-rtePosition-4" alt="" style="margin:5px;width:640px;height:363px;" /> <p><br></p><p>Experts have some sympathy, but they say that organizations — and internal audit — cannot be indifferent to the problem, and they stress the need for deeper audit involvement. </p><p>Heim says organizational sustainability is not clearly understood by either internal auditors or boards, and as a result, levels of assurance are decidedly mixed. Globally, he says there are more than 300 different ratings used by investors to assess ESG reporting, and it is unclear just what criteria they are using to base their assessments. </p><p>"There is no agreed on, single definition of what is meant by organizational sustainability," Heim says. "The term means different things to different sets of people, and to some extent, it's an umbrella term for a lot of nonfinancial risks. This is a nightmare for internal auditors."</p><h2>An Exercise in PR</h2><p>According to Heim, sustainability reporting is often done cheaply and usually by public relations (PR) or marketing people rather than anyone trained in ESG issues to provide an additional narrative to the financial figures. "These reports are not thorough, not validated, and contain inaccuracies, yet boards are happy to put their names on them," he says.</p><p>There are two trends in sustainability reporting that amount to PR and marketing exercises that Heim says internal auditors need to try to prevent their organizations from following. One is "greenwashing." This is when companies play up their environmentally friendly efforts and credentials, while downplaying — or ignoring entirely — the areas of their business that may be damaging to the environment, or that do not conform to stakeholder expectations of what constitutes long-term sustainability. The other is "greenwishing," where they talk about what they hope to achieve versus what they've actually implemented. This includes a reduction in carbon emissions, reduced waste, lower energy and water usage, increased telecommuting, cuts in air travel, and so on. </p><p>Robert Pojasek, senior strategist at risk and ESG consultancy Strategic Impact Partners in Boston, agrees that sustainability reporting leaves a lot to be desired. "The primary focus of the sustainability report is to improve its ranking in rating schemes, such as the Corporate Knights, Newsweek, Corporate Responsibility Top 100, and similar ratings," he says. To ensure accuracy and meaningful disclosure, he says, "auditors need to provide assurance to the board that the information meets their financial, risk, and ESG reporting requirements before it is released to the public."</p><h2>Guidance Is Lacking</h2><p>Organizations are using stand-alone sustainability programs with separate reporting, which means the claims made in sustainability reports cannot be independently verified or appropriately benchmarked, Pojasek says. As such, there is some reluctance to accept them because of a lack of rigor associated with the collection of the information, as well as a lack of internal auditing of the data-gathering activity. Many investment firms, for example, will not accept ESG information in their sustainability report because it is not complete and it is not independently verified. </p><p>Part of the problem, Pojasek says, is that there is little guidance for internal auditors because of the array of functions involved in collecting the data: sustainability teams, consultants, corporate social responsibility teams, and corporate citizenship groups, among others. "It is difficult for internal auditors to understand the sustainability program because there are few practice guides available and auditors are confused by the different kinds of stand-alone sustainability programs," he says. </p><p>Pojasek says internal auditors also may lack knowledge and experience in sustainability reporting because there is no mandatory requirement to do so in disclosures to the U.S. Securities and Exchange Commission, as such information is not often included in Form 10-K and 40-F. As a result, he says, "internal audit knowledge around sustainability programs is probably not as comprehensive as it could or should be as a result of not being involved in this activity." </p><p>Heim adds that voluntary reporting on ESG and sustainability issues often means that while the topics and risks are being discussed, they are not necessarily being audited. "Internal auditors are not looking at any figures around ESG because they're not related to financial results, so these figures are published without challenge or any real assurance," he says. </p><p>"It should be impossible for any company report to be made public without checking that the statements are accurate, so sustainability reporting is certainly an area where internal audit can get more deeply involved," Heim says. "Internal audit has the skills to question the basis of these reports — how they were put together, by whom, and using what information or evidence — and it should have a duty to flag up to the board the risks of publishing material or claims that have not been checked or may be false." </p><h2>A United Front</h2><p>Douglas Hileman, an internal audit, risk, and compliance consultant based in Los Angeles, agrees that internal audit is often excluded from reviewing sustainability strategies and reporting — mainly due to competing priorities and a lack of budget. "There's very little time, energy, or expertise to look at ESG risks, reputation risk, third-party risk management, human rights, slavery, health and safety, cyber risk, and so on," he says. "The audit committee decides internal audit's priorities, and at the moment, sustainability risk is not a top item on their agenda." </p><p>Internal audit can try to address this imbalance. First, Hileman says, internal audit should present sustainability in terms of current and long-term business risks. "Boards and management get risk — a lot of them don't get sustainability. If internal audit approaches sustainability like any other risk assessment, executives will take more notice."</p><p>Second, Hileman notes, internal audit should present a business case to incorporate sustainability into strategy. Executives need to be talked to in a language they understand, and they don't like making investments that don't pay off. "Provide evidence that shows that acting more sustainably adds value — operationally, in assuring compliance, reputationally, and even financially," he says. "The area is dynamic, so by acting strategically now they can get ahead of competitors and be better prepared and more resilient for future risks, including environmental risks."</p><p>Third, he says, internal audit should collaborate with other assurance functions — compliance, risk management, environmental, and in-house legal — to "push the case for better aggregated understanding and management of sustainability risk. Clear, concise communication of sustainability risk — and opportunities — can attract the attention and resources it deserves and can also offer a vehicle for internal audit to demonstrate how it can add value to the organization."</p><p>There will be greater scope for internal audit to provide assurance on sustainability issues going forward, says Vanessa Havard-Williams, partner and global head of environment at the London office of international law firm Linklaters. "As organizations — particularly large corporations — begin to integrate sustainability impacts at a detailed level into their enterprise risk management frameworks, internal audit will get more closely involved in reviewing them and providing assurance on their effectiveness to the board," she says.</p><p>"Executives are well aware of the damage that a tarnished reputation can have on the company's bottom line and customer base," says Fay Feeney, CEO of emerging risk strategy consultancy Risk for Good and a board member in Hermosa Beach, Calif. "So internal audit should make it clear that an organization's failure to commit to sustainable business practices will damage the corporate brand among a wide variety of stakeholders, including employees." </p><p>Feeney also warns that auditors need to be prepared to acknowledge that board members are overconfident about the organization's capability to manage risks, as noted in The IIA's OnRisk 2020 report. As a result, she says, "internal auditors need to assess their boards' understanding against their knowledge of sustainability risks as there are likely to be gaps in their knowledge and areas where they do not fully understand what needs to be done, and what impact these risks can have on the business, its operations, and supply chains."</p><h2>Speak the Same Language</h2><p>Paul Sobel, chair of The Committee of Sponsoring Organizations of the Treadway Commission, says internal audit needs to make sure the board — and everyone else in the business — speaks the same language around sustainability so the issues, risks, opportunities, and the organization's long-term goals are understood in the same way. If everyone involved is thinking about risk in the same way, he says, "it will be easier to discuss and appreciate the risks to the organization — and what responses are needed — in the same way, too."</p><p>Sobel adds that internal audit needs to think about the value proposition around sustainability and push the business case for change, rather than follow most boards' leads to consider it as a cost or compliance headache. "Internal audit needs to look at what future investor, regulatory, and stakeholder expectations are likely to be regarding sustainability risk management and reporting and push for management and the board to move in line — or ahead — of them," he says. "This means keeping up to date with best practice, reviewing ongoing trends, and engaging more robustly with stakeholders."</p><h2>Changing Priorities</h2><p>When 181 U.S. CEOs signed the Business Roundtable's new Statement on the Purpose of a Corporation last August, they committed to, among other things, "respect the people in our communities and protect the environment by embracing sustainable practices across our businesses." With support from major U.S. companies to adopt sustainable business practices and embed reporting — and practice what they preach — the expectation is that other organizations need to follow suit, if they aren't already.</p><p>Internal audit needs to get more involved and leverage sustainability to find potential business opportunities and use them to offset the business threats, Pojasek says. "Auditors need to look for the upsides of risk." To do that, he says auditors need to raise questions that can help their organizations enjoy enhanced value: Are there ways to turn what looks like a costly threat into sustained value for the corporation? Does this provide a better way to make sustainability a key part of how the business is operated to secure long-term financial growth? Does this structured form of sustainability and uncertainty risk afford a new opportunity to look at the supply chain?</p><p>There is little doubt of the need for organizations to review their long-term viability and resilience in light of external risks, particularly around the environment and climate change. </p><p>If threats such as BlackRock's do not make boards sit up and pay attention — nothing will. And if boards do not make a greater effort to consider sustainability as a key risk issue, it appears likely that shareholders will do so, as evidence shows investors are becoming increasingly activist about how they want companies to be run, and the priorities they want to see in the boardroom.  <br></p>Neil Hodge1
Auditing Culture: Familiar Techniqueshttps://iaonline.theiia.org/2020/Pages/Auditing-Culture-Familiar-Techniques.aspxAuditing Culture: Familiar Techniques<p>​The idea of auditing culture can be intimidating to internal auditors. How can you find objective evidence about something that is inherently subjective? Do you need strange new techniques and psychologists on the audit staff? <br></p><p>Fortunately, internal auditors can accomplish a great deal without the need for a radically different approach. A combination of well-known audit techniques, applied more rigorously by practitioners looking for cultural issues, can go a long way. Four techniques, in particular, can yield valuable information:</p><ul><li>Establishing a participative relationship with audit clients.</li><li>Observing culture while on site.</li><li>Leveraging data that gives perspective on the culture and supports audit observations.</li><li><p>Carrying root cause analysis further than usual.</p></li></ul><p>Incorporating these approaches into routine internal audit work gives practitioners insight into organizational culture and can surface issues critical to the organization's continued success.<br></p><h2>Participative Relationship</h2><p>Establishing participative relationships is perhaps the most important technique, as audit clients are far more likely to discuss their culture if they feel involved in the audit process. This involvement can come during three stages of an audit project.<br></p><p><strong>Planning </strong>Auditors commonly get input from the manager responsible for the area they're reviewing. Some auditors go further and actually plan the audit with that manager. Together, they develop the specific audit objectives, scope, and overall approach. <br></p><p>Does planning the audit with the client compromise independence? It would if the auditor is not thinking critically; but if the client tries to divert internal audit from looking into a risk area, an experienced auditor is likely to recognize it.<br></p><p>For example, as part of the planning process the auditor presumably would explain why he or she thinks a risk area should be examined; the client might then explain why it would be a waste of time. If the client's explanation makes sense, the auditor thanks the client and explains that internal audit needs to confirm what he or she says. If confirmation is established, the auditor saves time. If not, or if what the client says does not make sense, the auditor sees the attempted diversion as a red flag and looks into the risk area with that in mind. <br></p><p>Audit clients are likely to be concerned about how much of their time the joint planning process will take. Internal audit should promise to minimize the impact by performing all the detailed analyses and keeping the planning at a high level.<br></p><p><strong>Risk Assessment </strong>Once the audit objective and scope are agreed upon, the auditor performs a more detailed risk assessment of the key risk areas. Involving the manager in the assessment — or his or her direct reports if the manager can't take the time — has many benefits. First, business owners know their risks better than an auditor coming in from the outside; most of them are just not used to thinking about risk in a systematic way. Guiding the client through a risk assessment gives the auditor a better understanding of the real risks and helps the client become a better risk manager. For auditing culture, it allows the auditor to guide the client's thinking toward cultural objectives and risks to address during the audit. <br></p><p><strong>Reporting </strong>The best way to "report" audit issues — and this is especially true for sensitive cultural issues — is not by telling the client they exist. The most effective way is showing the evidence, enabling clients to realize for themselves that there's a problem. Ideally, the discussion begins before the auditor has all the evidence, when he or she thinks there's an issue but is not quite sure.<br></p><p>For example, suppose an area's staff members complain of unrealistic performance targets. The auditor, being careful to preserve confidentiality, could ask their manager if he or she is aware of the staff's concerns. If the auditor can pique the manager's interest in whether it's true or not, they can design a test to determine that together. If the results indicate it's false, the client will have evidence to show the staff and dispel a morale issue. If the results indicate it's true, the manager is much more likely to be receptive, having asked for the information and helped design the test. <br></p><h2>Observations and Data </h2><p>In any area they review, auditors observe the behavior and attitudes of client management and staff. Their perceptions of the culture are generally accurate, but they are subjective. For most internal auditors, reporting a cultural issue based only on observations results in a fight they can never win. The good news is that there is usually objective data to support those observations.<br></p><p>A negative culture, for example, usually results in high rates of turnover and sick time. These statistics are readily available. Employee survey and exit interview results can also support the auditors' observations and sometimes help identify the cause. A review of customer complaints, frequency of missed performance targets, or project failures can show the impact of the cultural issue. For more examples of metrics that can support auditors' observations, see <a href="/2019/Pages/Auditing-Culture-Observation-and-Data.aspx">"Auditing Culture: Observation and Data</a>."<br></p><h2>Root Cause Analysis</h2><p>When conducting training programs during the early to mid-1990s, I would often say that soft (i.e., cultural) controls are more important to controlling an organization than hard controls. I would present tools like control self-assessment workshops, employee surveys, and structured interviews as ways to identify soft control weaknesses. Sometimes a trainee would ask, "If you just did transaction testing and really got at the cause of hard control deficiencies, wouldn't you get to the same place?" The answer is yes, but that rarely happens. Auditors usually stop short, ending with a more objective, easily defensible intermediate cause.<br></p><p>Today, in my course for new internal auditors I like to illustrate root cause analysis by starting with a hypothetical example where auditors discover inaccuracies on a computer report. I then ask the class to identify potential reasons for the erroneous report. A typical, though abbreviated, exchange between myself and the course participants looks something like this: <br></p><p><span class="ms-rteStyle-IndentBoth">"Why is this information not accurate?"<br></span></p><p><span class="ms-rteStyle-IndentBoth">            "Input errors"</span></p><p><span class="ms-rteStyle-IndentBoth">"Why are there input errors?"<br></span></p><p><span class="ms-rteStyle-IndentBoth">            "Lack of training"</span></p><p><span class="ms-rteStyle-IndentBoth">"Why haven't the input clerks been properly trained?"</span></p><p><span class="ms-rteStyle-IndentBoth">            "No budget for training"</span><br></p><p>At this point I explain the need to look at the effect of the errors. If the organization shifts funds to training, those funds have to come from somewhere else. The loss of funds elsewhere might have a worse effect than these errors:<br></p><p><span class="ms-rteStyle-IndentBoth">"So let's say the effect of these errors is clearly great enough that training is needed, but local management is allocating its budget as best it can."</span></p><p><span class="ms-rteStyle-IndentBoth">            "Then they need a budget increase."</span></p><p><span class="ms-rteStyle-IndentBoth">"Why isn't upper management giving them enough money to train their staff?"</span></p><p><span class="ms-rteStyle-IndentBoth">           "Upper management just looks at numbers and has no idea of the impact of their decisions on lower level employees."</span><br></p><p>Now we have the real root cause. And as often happens when analysis leads to the executive level, the cause is a cultural issue. Correcting it will not just correct the condition, but it will prevent future instances of the same or similar conditions. In this example, the root cause has a pervasive impact on the entire organization — Wells Fargo provided a clear example of what that can lead to.<br></p><p>Of course, upper management is not going to change its approach to managing the organization because of the errors on this computer report — it is one symptom of a deeper problem. The audit report will have to stop at an intermediate cause. The auditors, though, should keep track of this issue and look for similar issues in other audits. If they can connect the dots from enough audits, they may have sufficient evidence to at least discuss the underlying issue with upper management. And this points back to the importance of establishing a participative relationship with management. Finding a root cause on our own is rarely as effective as working with the client to identify it. This is especially true if the root cause is cultural.<br></p><h2>A Powerful Combination</h2><p>Taken together, a participative relationship with audit clients, auditors' observations supported by objective data, and rigorous root cause analysis is a powerful combination. None of these techniques is novel — they are things internal auditors have always done to some extent. Performing them more rigorously, with the goal of identifying cultural issues, can enable internal auditors to provide a deeper, more meaningful level of assurance. <br></p><p>Despite the value of these techniques, auditors should keep in mind that, even when performed together, they do not provide sufficient means to support overall conclusions about the organization's culture. Accomplishing that requires a model or framework that identifies the elements of the culture to be evaluated. And some of these elements might require other techniques.<br></p><p>Nonetheless, this multipronged combination should be a central part of the auditors' approach. Even without overall conclusions, internal auditors using these techniques can identify issues in their organization's culture that need to be addressed. And ultimately, that is the greatest value organizations derive from an internal audit assessment of culture.<br></p><p><em>Read other articles in this series:</em><br></p><p><a href="/2019/Pages/Auditing-Culture-History-and-Principles.aspx">Auditing Culture: History and Principles</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Bumps-in-the-Road.aspx">Auditing Culture: Bumps in the Road</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Where-to-Begin.aspx">Auditing Culture: Where to Begin</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Observation-and-Data.aspx">Auditing Culture: Observation and Data</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Audit-Project-Surveys.aspx">Auditing Culture: Audit Project Surveys</a><br></p><p><a href="/2020/Pages/Auditing-Culture-Employee-Surveys.aspx">Auditing Culture: Employee Surveys</a><br></p>James Roth0

  • IIA GRC_July 2020_Premium 1
  • AuditBoard_July 2020_Premium 2
  • IDEA_July 2020_Premium 3