Thriving Under Pressure Under Pressure<p>In response to the global financial crisis of 2008, the U.S. government enacted regulatory reforms requiring banks to perform an in-depth review of the risks in their businesses. Among the regulations, banks had to conduct stress testing and scenario analysis each year. These tests involved performing a “what-if” analysis of how their balance sheets, net income, capital cushion, and other key financial metrics would evolve if an economic stress occurred.</p><p> Since then, stress testing has helped banks greatly improve their skills at identifying, quantifying, and managing risks. That has enabled them to provision capital to absorb losses arising from systematic risk events.</p><p>But stress testing isn’t just for banks. The negative economic impact of the COVID-19 pandemic reveals the need for organizations to be prepared to respond to economic shocks. Organizations and audit functions in other industries can learn from the banks’ processes to implement stress testing in their business.</p><h2>The Banks’ Experience</h2><p> For banks’ capital-planning exercise, internal audit provides assurance that current, new, or changing processes are functioning as designed and controls are in place to mitigate risks. Auditors also identify improvements to enhance the accuracy of the results of stress tests. </p><p> Within stress-testing exercises, internal audit must review the entire end-to-end process — rather than individual components — to assess compliance with regulatory and board expectations. Companies must provide a summary of internal audit’s findings in their capital plan submissions to the Federal Reserve Bank. </p><p> The dynamic nature of capital, risk, and stress management poses unique challenges for internal auditors at banks. Auditors often must learn new systems, review complex loss and forecasting models, track remediation in real time, manage multiple engagements, and work on a timed schedule. Such requirements make planning imperative for these audits. </p><h2>Any Organization Can Stress Test</h2><p> Regardless of industry, internal audit can ensure that stress testing encompasses sound foundational risk management, effective loss and resource-estimation methodologies, a granular capital impact assessment, and robust internal controls and governance.</p><p><strong>Assess Risks Within Scenarios</strong> U.S. publicly listed companies report “risk factors” in their annual 10-K Securities and Exchange Commission filings. This information details the most significant risks to the company such as major industrial accidents, cyberattacks, or employee malfeasance. By quantifying those risks and modeling their impact into the organization’s financial outlook, risk managers can provide insights into its vulnerabilities to key risks. However, organizations often view these risks in silos, which can lead them to miss today’s more complex, interconnected risks. </p><p> Organizations can greatly enhance this exercise by focusing on the scenario that may evolve and by reviewing the impact of a cluster of interrelated risks within that scenario. Risk managers then can focus on scenarios that may impact the business most severely. </p><p><strong>Estimate the Impact of Tail Events</strong> A common risk management practice is modeling broader everyday market variables such as gross domestic product, inflation, or business-specific variables. Scenario analysis then focuses on whether core risk factors are likely to develop in the future. </p><p> Risk managers usually disregard low-likelihood “tail” events, preferring to focus on those events that are more plausible in their experience. They assume that in such extreme scenarios, teams can rally together to sustain business operations. However, COVID-19 is highlighting how seemingly low-probability events can add together to create a highly probable event with material impact. </p><p>Thinking about one-off events, such as a natural disaster or pandemic, can greatly enhance the versatility of a stress-testing exercise. The same is true of events that may have a more extreme outcome such as a large drop in revenues or staff reduction. In looking at such events, organizations can develop a deeper understanding of the impact these shocks could have on their business. That insight would enable them to allot resources to continue business operations under stress. </p><p><strong>Model the Risk Mitigation Impact</strong> While it’s a good start to have a more in-depth review of potential business risks and plan for risk mitigation strategies, corporate boards can benefit from modeling the impact of those strategies on continued operations. Risk mitigating responses, such as reducing dividends and selling business assets, can develop into their own risks over the long term. </p><p>For example, during the pandemic, selling business assets may seem to be a quick way to recapitalize a business. However, those sales may have their own idiosyncratic impact that may show up only after the stress has subsided. Modeling the impact of such measures in response to the original stress event can give senior management more confidence in the exercise’s robustness.<br></p><p> Internal audit can be part of a cross-department initiative that assesses the impact on different interests such as employees, competitors, suppliers, regulators, and customers. Discussing how risk scenarios may impact each team and running reactions through models are ways auditors can help the business devise an organizationwide strategy. </p><p><strong>Integrate Results With Strategic Planning</strong> The usefulness of stress testing will be limited if its results aren’t linked to strategic planning, capital allocation, and other business management decisions. A variety of senior management executives should participate to ensure testing has a meaningful impact. Performing an integrated risk measurement and planning exercise can quantify the amount of capital the organization would need to absorb stress and sustain operations. </p><h2>Stress Testing Audits</h2><p> Just like their counterparts at banks, internal auditors in other industries can help set up a stress-testing exercise. They also can provide assurance that the processes are being executed as intended. <br> Internal audit should consider several factors when setting up its audit plan: </p><ul><li><em>Well-defined objectives, oversight, and governance. </em>Stress-testing frameworks should be designed with clear and well-documented objectives, and a governance structure that must be reviewed and approved by the board. </li><li><em>Material risk capture.</em> Testing should identify and quantify material risk that is relevant to the business. The risk-identification process should be comprehensive and consider both tangible and intangible risks. </li><li><em>Resourcing.</em> Staff members who are involved in stress testing should be well-trained and possess advanced skills. They should have sufficient oversight to provide guidance of their work. </li><li><em>Challenge and review.</em> Models, results, and the framework should be subject to independent challenge and periodic review. </li><li><em>Technology and systems.</em> Modeling and forecasting of stress and risks require robust systems and IT infrastructure. Such exercises deal with large amounts of data that need to be stored and processed appropriately. </li></ul><h2>Making Testing Sustainable</h2><p> A well-planned audit can enable senior management to rely on internal audit’s ability to identify weaknesses in the stress-testing process, both from a stability and regulatory compliance perspective. Moreover, the audit can elevate material issues that may warrant management’s attention. By addressing the deficiencies internal audit uncovers, process owners and risk managers can make stress testing more sustainable.<br></p>Ankit Garg1
What COVID-19 Teaches Us About ESG's Importance COVID-19 Teaches Us About ESG's Importance<p>They say that even a kick in the rear is a step forward, and COVID-19 has delivered one mighty kick to corporate posteriors around the world. Now one question is whether boards will lurch forward — on, of all things, environmental, social, and governance (ESG) issues.</p><p> The ties between COVID-19 and ESG performance are more direct than one might assume. The virus has forced organizations to consider a host of specific questions, but the deeper, existential questions boards face are two: How can we preserve sustainable operations amid unpredictable circumstances? And, how can we hold all our stakeholders together and continue to create value?<br> <br>Well, ESG issues ask those same questions. So boards that have considered how to fit ESG into corporate governance may be better prepared for the crisis.</p><p>“It’s absolutely an accelerator, what’s happening right now,” says Daniela O’Leary-Gill, who sits on the board of the Museum of Science and Industry in Chicago, as well as the board of BMO U.S. Funds, a mutual fund run by BMO Financial. O'Leary-Gill views COVID-19 as a test of corporate resiliency. Strong ESG governance fosters resiliency by driving the company to focus on issues such as sustainable supply chains, trust in the organization, and reliable governance that transcend any specific CEO or board directors.</p><p>That resiliency can then prove invaluable during extreme risk events. O’Leary-Gill says organizations ignore the connection between ESG and resilience at their peril. “The current situation is a lesson in priorities,” she says. “Organizations are well-served to put ESG on the ongoing agenda versus an occasional discussion. That kind of preparedness provides greater resiliency to the company’s operations.”</p><div style="width:300px;float:right;padding-left:10px;padding-right:10px;margin-left:10px;background-color:#6eabba;color:#000000;"><h3>ESG AND SOCIAL JUSTICE</h3><p>COVID-19 isn’t the only urgent concern for boards these days. This spring also saw throngs of people take to the streets in the U.S. and around the world, protesting systemic racism and social injustice.</p><p>It’s another example of how attention to ESG issues can better position a company for swift, unexpected disruption. “It’s a double whammy of ESG issues corporations should pay attention to,” Bonime-Blanc says. </p><p>Since the protests erupted in late May, organizations have rushed to support the Black Lives Matter movement or — as happened with the CrossFit fitness company — to part ways with chief executives who inflame the situation with racist comments.</p><p>The Black Lives Matter protests do raise a challenging point. Social questions — the “S” in ESG — are the most fraught issues to address, with substantial reputational risk. At the same time, they have the least guidance about what boards should do. (Compared to environmental regulations, for example.) “The spotlight will be on the S,” O’Leary-Gill says. “Not to take away from the importance of E or the G … but I think the S is the part that is least prescribed, and the least standardized across companies.”</p><p>So how can companies systematically measure corporate culture, or equity in the workforce? “That’s where the focus needs to be,” O’Leary-Gill says.</p></div><h2>The Relevance of ESG</h2><p> It might seem strange to talk up ESG these days, given the economic calamity and operational crisis all around us. When you examine the component parts of ESG, the relevance of those issues to the COVID-19 crisis becomes clear. Consider:</p><ul><li> <strong>Environment. </strong>One pillar of good environmental stewardship is using as few natural resources as possible, and generating as little waste as possible. That implies an efficiency of operations that’s welcome in a cost-sensitive environment. It’s also a nice hook to woo environmentally conscious consumers.</li><li> <strong>Social. </strong>This can include everything from workplace safety, to paid sick leave, to workforce development. Regulators are already watching companies’ commitment to safe work environments in the time of COVID-19. Sick leave, worker training, and similar policies about human capital also can prove valuable to help companies keep employee sentiment on their side.</li><li><p> <strong>Governance.</strong> This principle encompasses the board’s oversight of corporate conduct, shareholder rights, executive succession, and similar issues. First, the risk of corporate misconduct rises during difficult times, so a board skilled at risk management will do a better job policing against that threat. Second, a rigorous board, committed to good governance, is likely to stay on the right side of investors and root out organizational shortcomings more quickly.</p></li></ul><p>More broadly, boards should pay attention to ESG because investors, employees, business partners, and other stakeholder groups still consider ESG important — <em>especially</em> now as COVID-19 and the ensuing recession drive people to question what role companies should play in society.</p><p> Investment dollars, for example, are still gushing into ESG funds. According to Morningstar, ESG investment funds worldwide saw inflows of $45.7 billion in the first quarter of this year, while the broader investment world saw net outflows of $384.5 billion. Exchange-traded funds had been briskly marching toward all-time highs in 2020 until early March, when they tumbled by 30% or more. Now the largest of those funds is already flirting with its all-time high again.</p><p>“The shareholders are going to be better off because of this,” says Andrea Bonime-Blanc, a former board director of the Ethics and Compliance Officers Association and a current director for the National Association of Corporate Directors, New Jersey Chapter. “Maybe you can’t measure it quarter to quarter, but over the long term, you definitely can measure the progress.” </p><p> She, like O’Leary-Gill, stresses resilience. “To me, the best argument isn’t that the regulators are coming,” she says. “The best argument is that you are building organizational resilience that allows you to survive and thrive in good times and bad.”</p><h2>Putting It Into Practice</h2><p> Boards that want to leverage ESG issues for long-term resiliency need to start with a direct question: Is the necessary experience in the boardroom? "To meet this crisis, boards should have more people who are not chief financial officers or CEOs,” Bonime-Blanc says, “but chief risk officers, chief ethics and compliance officers, and chief corporate responsibility officers.”</p><p> Likewise, O’Leary-Gill asks, what is the fluency on the board in ESG issues generally, as well as the specific ESG issues that might be most relevant to each board’s organization? That is, manufacturing companies might need more expertise in environmental sustainability. Software companies, in contrast, might want expertise in workforce diversity and pay equity.</p><p> From there, the work might start to sound familiar. Boards must decide which ESG issues are most important to their stakeholders, which key performance indicators (KPIs) match those issues, and what sustainability frameworks could help the organization steer those KPIs in the right direction.</p><p> This is where a strong audit function can assist. Frameworks need to be reviewed; metrics need to be developed and translated into policies, procedures, and internal controls — which will then need to be tested. </p><p> How well will all that effort pay off, with a vibrant organization that can weather difficult times? That’s hard to say. <br> <br>Then again, COVID-19 is only the crisis of the moment. Boards also need to consider climate change, social inequity, and other crises after that. Resiliency will be crucial to all.<br></p>Matt Kelly1
Update: The IIA Updates Three Lines Model The IIA Updates Three Lines Model<p>In today’s fast-paced, technology-driven world, risk-based decision-making is as much about seizing opportunities as it is about defensive moves. A long-overdue update to the popular Three Lines of Defense risk management model embraces this new reality. </p><p>“Risk management goes beyond mere defense,” says IIA President and CEO Richard Chambers. “Organizations need effective structures and processes to enable the achievement of objectives and support strong governance and risk management. The updated Three Lines Model addresses the complexities of our modern world.” </p><p> The IIA spearheaded a task force of audit practitioners, risk and compliance executives, stakeholders, and others to identify the relationships between the central and common components of organizations and consider the continued relevancy of the Three Lines concept. “The update reinforces that organizations must determine appropriate, pragmatic structures for themselves, taking into account their objectives and circumstances against a backdrop of an ever-evolving risk landscape,” says task force leader and IIA Global Chair Jenitha John.</p><p> The Three Lines Model is based on six principles: governance, governing body roles, management and first and second line roles, third line roles, third line independence, and creating and protecting value. It presents the accountability of the governing body for oversight, of management to achieve organizational objectives, and of an independent internal audit function for assurance and advice. The model notes that although the governing body, management, and internal audit all have distinct responsibilities, “the basis for successful coherence is regular and effective coordination, collaboration, and communication.”</p><p>“For implementation by organizations on both a reactive and proactive basis, these updates help modernize and strengthen application of the model to ensure its sustained usefulness and value,” Chambers says. <strong>— A. Millage</strong></p> <h2><img src="/2020/PublishingImages/Update-the-high-cost-of-missing-risks-border2.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:183px;" />DOJ Issues Compliance Guidance </h2><h3>Prosecutors to consider risk practices for assessing criminal liability.</h3><p>Revised U.S. Department of Justice (DOJ) guidance provides recommendations to help prosecutors assess whether a company’s compliance program was effective at the time of an offense, make informed charging decisions, and determine an appropriate penalty or resolution. Originally issued in 2017, Evaluation of Corporate Compliance Programs advises prosecutors to consider how the organization has defined its risk profile and whether risk assessment consists of ongoing examination. </p><p>Among key areas of review, the DOJ recommends prosecutors gauge the effectiveness of the organization’s risk management process and determine what methodology it uses to “identify, analyze, and address the particular risks it faces.” They should look at the specific information the company collected to detect the type of misconduct in question. </p><p> The guidance also advises evaluating the company’s risk resource allocation, to help understand whether the company spends too much time focusing on low-risk areas. Moreover, prosecutors should examine whether a process exists for updating and revising the risk assessment program. They also should consider whether the organization captures lessons learned from either its own compliance-related challenges or those experienced by industry and geographic peers. <strong>— D. Salierno</strong></p><h2>Boards Detail Crisis Concerns</h2><h3>Directors share top governance challenges during the pandemic.</h3><p>Most U.S. board members say creating a post-crisis strategy is the top governance challenge at their organization, according to the National Association of Corporate Directors’ latest COVID-19 Pulse Survey. Almost half of the nearly 300 directors surveyed also identify concerns about their ability to understand new risks arising from the pandemic and to ensure employees’ health and safety.</p><p> Looking ahead, directors say shifts in the nature of work would be a chief concern, as would the technological challenges of moving their businesses forward. More than half say changes in how work is accomplished is one of their top three concerns. And almost one-third cite “accelerating digital transformation” as an ongoing priority. </p><p> As the need for communication with management has increased during the pandemic, board members’ time commitment has risen. Directors say they expect to continue a more frequent meeting cadence after the crisis. “New, responsive best practices are potentially on the horizon with directors engaging more frequently with management and in new ways,” the report says.   </p><p> Participants also note issues their board must address as organizations continue to navigate the crisis. They cite, for example, the need to determine what information stakeholders require to maintain confidence in the business, as well as lessons learned from management’s response to the pandemic. </p><p> Directors also say it’s important to consider whether the organization’s workforce should be redesigned after the crisis, what business development opportunities may have arisen, and what risks those opportunities may present. Lastly, they note the importance of considering how boards can promote new leadership capabilities within the executive suite. <strong>— D. Salierno</strong></p><h2>Addressing Social Justice<br></h2><h3>Businesses should be advocates for diversity and inclusion, says Dennis Kennedy, founder and chair of the National Diversity Council.</h3><p> <strong>How can businesses support social justice issues such as Black Lives Matter, and how can internal auditors assist organizations in making changes to support social justice movements? </strong>Companies should advocate for diversity and inclusion for all people and not focus on the risk of being forthright in their stance against racial injustice. They should be inclusive in their messaging and equitable in their business practices, as change starts with leadership and affects how employees view their workplace experiences. Companies should focus on propelling themselves into an inclusive space where all can feel comfortable.</p><p> Internal audit can help companies thrive through these uncertain times by assisting them in making changes to support social justice movements through score cards, diversity and inclusion indexes, integration of equity conversations within their business functions, and using business resource groups to spread awareness. Diversity and inclusion promote growth, creativity, and innovation, and are a source of value for businesses. Recent social protests in the U.S. and around the world have stressed the urgency of creating diverse and inclusive organizations, not just as a matter of economics, but as a means to address systemic racism. </p><p> <strong>What should be expected of businesses in the area of diversity and inclusion?</strong> Businesses should focus on transparency and awareness as it relates to diversity and inclusion, rising to the occasion and taking the lead by investing in efforts to address racial injustice within the community at all levels. Business leaders play an essential role in acknowledging the impact of systemic racism in the larger society and how racism permeates systems, processes, and practices within the workplace. Their commitment to addressing this issue and their intention to advocate towards substantive change will be essential to achieving true racial justice.</p><div class="subhead-article"><p> <strong><br></strong></p><p> <strong>40% of 500 surveyed companie</strong>s delayed revenue-generating initiatives for a month or more to prioritize remote work setup.<br></p><p> <strong>44% of respondents </strong>say the postponed work included cybersecurity initiatives.</p><p>“This research indicates that with many employees remaining at home for the foreseeable future or even permanently, refining how we grant and manage digital access is more important than ever,” says Sectigo CEO Bill Holtz.</p><p>Source: Sectigo and Wakefield Research, 2020 Work-from-home IT Impact Study</p></div><h2>Backing the Blockchain</h2><h3>Executives seek to grow value of digital assets.</h3><p>Once considered a technology experiment, businesses are making blockchain and digital asset investments a top-five priority, says Deloitte’s Global Blockchain Survey of nearly 1,500 senior executives. Nearly 40% report their organizations have implemented blockchain into production, up from 23% last year.</p><p>More than half of respondents view blockchain as a strategic priority, with 83% saying it is necessary to maintain a competitive advantage. As such, 82% plan to hire blockchain expertise in the next 12 months. “Like many disruptive technologies, blockchain has evolved from a merely promising and potentially groundbreaking approach to a now integral solution to organizational innovation,” says Linda Pawczuk, principal, Global and U.S. Consulting Leader for Blockchain and Digital Assets at Deloitte Consulting LLP.</p><p>One key component in blockchain’s value is digital assets, which nearly 90% of respondents say will be important in the next three years. These assets include cryptocurrencies, financial instruments, tokenized debt or equity, and digital representations of land or commodities. Among their benefits are the ability to trade them easily on secondary markets and their heightened transparency to traders. <strong>— T. McCollum</strong></p>Staff1
Working in Concert in Concert<p>​The audit committee is meant to be one of the key champions of internal audit in any organization, so chief audit executives (CAEs) look to it for input, guidance, expertise, and feedback. But many CAEs say the audit committee should be more proactive in ensuring that it gets the best out of the audit function. </p><p>To do that, these CAEs say audit chairs should make more time for questioning the audit plan, as well as challenging internal audit about how effectively it can do the work it has been mandated to carry out. Many audit heads also want audit committees to take more of a lead and bring more of their industry and boardroom experience into the meetings to make the audit process more robust. </p><p> <em>Internal Auditor</em> spoke to several current and former CAEs to find out which key questions they wish their audit committees would have asked them, but never — or rarely — did. </p><h2>1. What can the audit committee do for you?</h2><p>It sounds obvious, but CAEs say that in their experience, audit committee chairs rarely ask what they can do to support internal audit or make the function's job easier, such as requesting that senior management provide additional resources. </p><p>Liz Sandwith, chief professional practices adviser at the Chartered Institute of Internal Auditors in the U.K. and a former CAE, says, in her experience, audit committees are less challenging of internal audit's work than a CAE might expect.</p><p>"Audit committees don't always put themselves forward to champion internal audit within the organization, which is disappointing," Sandwith says. "They should be more proactive. Often, they just want the facts but don't ask any questions. A good audit chair will push to get more information and test the CAE by asking, 'Why aren't you looking at these areas?' and 'Why are you ignoring this?'" After all, if the CAE can't answer these types of questions, what level of assurance is the function really providing and how robust is the assurance the audit committee is receiving? she asks.</p><p>Sandwith also says that audit committees have been reluctant or slow to bring their outside experience and expertise to the table. "In the U.K., a lot of these people have either worked for or sat on the boards of FTSE100 companies, but they don't share that expertise," she explains. "None of them ever said to me, 'This is how our CAE used to manage internal audit' or 'In my previous company, internal audit did X, Y, and Z.'" Audit committee members usually have chief financial officer (CFO), CEO, external audit, and blue-chip corporate experience, but they don't use it to the committee's advantage, something Sandwith considers a wasted opportunity.</p><p>"The relationship between internal audit and the audit committee is a unique one," says Harold Silverman, managing director of CAE services at The IIA and a former vice president of internal audit at fast-food chain Wendy's. And that relationship often is one-sided: The CAE reports what is happening, and the audit committee listens and takes those views on board and perhaps asks management about some of the issues. Silverman says that he was rarely asked by the chair of the audit committee what he or she could do to help with internal audit's work, or how to improve its standing in the organization or with management. "Those attitudes are changing now," he adds. </p><h2>2. Is the audit plan the right one, and can it be delivered?</h2><p>CAEs say audit committees rarely question whether the approved audit plan is actually the right one for the business — even if the risk landscape or circumstances impacting the business have changed. </p><p>"Audit committee chairs do not see themselves as managers," Silverman says. "Instead, they see their role as reviewing and overseeing a process that has already been agreed on with management, and which, therefore, must presumably be the right one to satisfy the needs of the business." </p><p>He adds that audit committees rarely question management's thinking about the audit plan or ask internal audit whether the plan should change in light of new events or information. "Indeed, some chairs actually want internal audit to work out any problems with the plan before they take it to the audit committee because they don't want to second-guess management," he says.</p><p>Sandwith agrees. "It has always appeared to me that the audit committee has just presumed that, as the CAE, the budget and the audit plan as presented is the final version, it meets with the resources that we have, and doesn't need to be discussed," she says. "They simply don't question the process behind the audit plan." Sandwith says the audit committee should check whether the audit plan is going down the right path for the business and that internal audit can do the work effectively with its budget and resources. </p><h2> 3. Does internal audit have the necessary resources and skills to provide the required level of assurance? </h2><p>CAEs say there also is a presumption that just because an audit plan spells out what an internal audit function is meant to do over the course of a year, such work will be carried out to the letter and to a high standard. Not so, experts say. </p><p>"Management may want internal audit to look at a range of areas to provide assurance, but it does not necessarily follow that the function is only capable of doing so within the budget and skills it currently has," Sandwith says. "A lot of the areas under review will be complex, such as cybersecurity, and while internal audit can check whether there are suitable processes and controls in place, many functions will not have the level of technical expertise to provide the kind of assurance that some organizations — particularly those in highly-regulated industries — will need." Additionally, if the audit plan is too optimistic and contains too much work for the function to realistically do well, it will lead to internal audit simply performing basic box-ticking compliance, which is of no use to anyone, she adds. </p><p>Bethmara Kessler, a former CAE and currently chair of the Association of Certified Fraud Examiners' Board of Regents, says a good way for audit chairs to test an audit plan's effectiveness — as well as the capabilities of the CAE and the audit function — is to ask two budgeting questions: 1) If the committee gave internal audit an additional 10% of its budget, how would the funds be used and why? And 2) If the committee cut 10% of the budget, where would the CAE make cuts and why?</p><p>"That kind of questioning focuses the CAE to explain where the key risk areas are, and what amount of resources need to be dedicated to them to ensure that the appropriate level of assurance is achieved," Kessler says. "It also can help open up a discussion about what issues keep the CAE awake at night, and how those concerns can be addressed."</p><p>Kessler says audit committees also should ask internal audit functions whether they have the technical skills to review emerging risks, particularly in fast-moving areas such as technology. "Blockchain, machine learning, and artificial intelligence present both risks and opportunities," she explains. "As a result, internal audit needs to keep pace with developments in these fields and look at what the organization is doing to leverage the benefits and identify and mitigate the risks. Audit committees, therefore, have a right — if not a duty — to question their competence." </p><h2> 4. How responsive is management in dealing with the risks that internal audit and other assurance functions flag to them?</h2><p>Internal audit, risk management, compliance, and in-house legal may be great at highlighting problem areas and emerging risks that need to be controlled, but if management — which is ultimately responsible for managing risk — does not follow through with the recommendations from assurance functions, then the whole exercise can be pointless. However, CAEs say that audit committees do not always ask how responsive management is about putting these recommendations into action, or how effectively they do it.</p><p>"Internal audit can make as many recommendations as it likes to implement controls, but if management does nothing, it is a wasted exercise," says Sarah Blackburn, a former CAE at several FTSE100 companies and now a nonexecutive director at U.K.-based RAC Pension Fund Trustee. "Similarly, it is equally a waste of time if internal audit overwhelms management with dozens and dozens of actions to be taken."</p><p>Blackburn says audit committees need to ensure that internal audit is clearly prioritizing key actions for management to implement, and that management duly does its part. This means audit committees need to raise questions about management's responsiveness, and CAEs need to be prepared to give an objective account of management's actions.</p><p>Kessler adds that "internal audit is the third line of defense and it is in a unique position to provide a clear and objective assessment of how well management accepts its role as being ultimately responsible for risk management within the organization." As such, she says, the audit committee should be asking internal audit to report regularly on the status of actions that management has and has not implemented as a result of audit's work. </p><h2> 5. What is internal audit's view of external audit and other assurance functions?</h2><p>Internal audit is just one of the functions reporting to the audit committee. Others include risk management, compliance, in-house legal, and external audit. Yet, CAEs say that they are rarely asked whether they work alongside these functions, and if so, how frequently they might share information and ideas, or if there is any overlap in work. Nor is internal audit asked to give an opinion on these functions' effectiveness, though audit committees often ask external auditors to provide an opinion on the organization's in-house functions. </p><p>"I don't think in my time as a CAE I have ever been asked by an audit committee chair whether we regularly meet or work alongside the other assurance functions or discuss risks with them," Sandwith says. For example, she might tell the audit committee that internal audit met quarterly with the head of risk management and spoke often with other assurance functions, but the conversation ends there. "I've never been asked to explain what our relationship is like with them, or whether it can be improved, enhanced, or encouraged further," she explains.</p><p>Kessler agrees that audit committees need to ask for internal audit's perspective on external audit, in particular. "Audit committees should consider internal audit an expert on audit in general and should ask for its opinion on external audit's work," she says. "There is no harm — but potentially enormous benefits — in asking the CAE whether the external audit firm is delivering a quality audit."</p><p>Blackburn also says that audit committees need to ask more questions around the quality of risk reporting by assurance functions. "Audit committees need to make sure that internal audit provides them with a professional opinion about how risks are reported and controlled across the organization," she says. For example, audit committees need to ask whether these functions see risk in the same way. Do they report, identify, and manage risk in the same way? Does the organization understand and evaluate risk in the same way across all its operations? Audit committees need to be satisfied that there is consistency in risk understanding and risk reporting, she adds. </p><h2> 6. How can internal audit add value? What is your vision for the function?</h2><p>Internal audit's workload entails more than agreeing on an audit plan and completing it. The profession has made enormous strides in demonstrating it can be a value-adding function, and CAEs say that audit committees should encourage this further. </p><p>Bryant Richards, an associate professor of Accounting and Finance at Nichols College in Dudley, Mass., and former director of corporate governance at the Mohegan Tribe, which owns casinos and other organizations, says that it would have sent a powerful message if the audit committee had asked him, "How can you go out there and add more value?"</p><p>Rather than focusing largely on compliance and areas such as Sarbanes-Oxley controls, Richards says, "If the audit committee had pushed internal audit to get more involved in supporting business strategy, that would have sent a very powerful message to management that the board trusted us and that our skills were being underused." It also would have moved internal audit from defense to offense and would have increased its credibility and value within the organization. That kind of backing may have prompted other functions to engage with them more, too, he adds.</p><p>Richards explains that audit committees also should ask CAEs to explain what their vision is for the audit function for five or 10 years. There is a real opportunity for the audit committee to work with the CAE and find out what his or her vision is for the department — how internal audit can expand its role; provide wider, deeper, and better assurance; help support the overall strategy implementation; and get involved in new areas. It would help transform internal audit into a much more proactive and strategic force within the organization, he says.</p> <h2> 7. Would you like to have a coffee off-site?</h2><p>Asking questions unofficially can be a more effective way of finding out information than asking CAEs to provide answers in a forum with tight time constraints. Some CAEs say that audit committee chairs should approach them separately to establish an informal relationship where they can talk openly and raise concerns and ideas in a more relaxed setting. </p><p>"Audit chairs need to encourage CAEs to speak freely about any concerns they may have about the audit plan, risk management, and any other business," Blackburn says. "Even though internal audit is supposed to be independent and objective, it can still be difficult for CAEs to talk through their concerns in an audit committee meeting with limited time and where key executives — especially the CFO — also may be in attendance."</p><p>An off-site meeting may encourage the CAE to speak more openly, and it may provide a useful opportunity for both parties to get a better understanding of each other's priorities and key concerns, she adds. Alternatively, a virtual one-on-one discussion may suffice.</p><h2> Don't Ask, Do Tell</h2><p>The experts agree that audit committees are getting better at asking more questions around the topic of internal audit — but they add that more can still be done. </p><p>Yet, CAEs also can take better charge of the situation. If they think that the audit committee has missed an opportunity to ask deeper or more pertinent questions, there is an obvious course of action — give them a prompt. To do this, CAEs should act as if they've been asked the question they think should have been asked, supply the answers or follow-up, and make clear what recommendations they feel the audit function should act upon to address the key issues. At best, the inclusion of such details will force the audit committee to discuss the issues being raised. At worst, the committee will think the points raised are part of "business as usual" and will agree with the proposals. </p>Neil Hodge1
Update: Recovery Through Digitization Recovery Through Digitization<p>​A new report from McKinsey & Co. advises businesses to focus on digitization as a means of navigating the coronavirus pandemic. Flexibility and speed will be key as organizational leaders consider how to move ahead, the consulting firm says in The Digital-led Recovery From COVID-19: Five Questions for CEOs, which draws on observed best practices.</p><p>With COVID-19 putting outdated business models to the test, the shift to digital will likely accelerate. Organizations need to take bold action, the report advises, tempered with "a full appreciation of risk from the impact of cyberattacks to the loss of crucial talent." Incremental technological change and half measures are recipes for failure, the report's authors say.</p><p>Making the right technology investments will be crucial moving forward, requiring organizational leaders to work closely with their technology officers to update legacy systems and establish new digital capabilities, McKinsey notes. Technology is a key driver of value — and that includes the use of advanced analytics. </p><p>"Never before has the need for accurate and timely data been greater," the report says. At the same time, CEOs will need to work with their risk leaders to make sure the scramble to harness data follows strict privacy rules and cybersecurity best practice.</p><p>To ensure technology initiatives materialize, CEOs also may need to have a long talk with their chief financial officers. PwC's COVID-19 CFO Pulse Survey shows that more than two-thirds of surveyed finance chiefs say they plan to defer or cancel planned investments in response to the crisis — and of those, more than half say they are eyeing IT initiatives for the chopping block. Another 25% say they are deferring or canceling digital transformation investments. </p><p> <strong>—</strong><strong> </strong><strong>D. Salierno</strong></p><h2>Greater Risk Brings New Scrutiny<br></h2><h3>Stakeholders may find risk management processes lacking, report finds.</h3><table cellspacing="0" width="100%" class="ms-rteTable-default" style="background-color:#ffffff;"><tbody><tr><td class="ms-rteTable-default" style="width:306.667px;"><p> <strong>Cybercrime's Bottom Line</strong></p><p>A survey of U.S. IT security professionals shows the average total cost of a cyberattack across several categories.</p><p> <strong>$1.5</strong> <strong>million</strong><strong>  </strong>Nation-state</p><p> <strong>$1.2 </strong><strong>million</strong><strong>  </strong>Zero-day</p><p> <strong>$832,500</strong><strong>  </strong>Phishing</p><p> <strong>$691,500</strong><strong>  </strong>Spyware</p><p> <strong>$440,750</strong><strong>  </strong>Ransomware<br></p><p>Source: Ponemon Institute and Deep Instinct, The Economic Value of Prevention in the Cybersecurity Lifecycle<br></p></td></tr></tbody></table><p>Today's riskier business environment is pressuring organizations to disclose more about risk management, according to the 2020 State of Risk Oversight. Nearly 60% of the 563 U.S.-based chief financial officers surveyed say risks are growing extensively in volume and complexity, particularly in areas such as talent, innovation, the economy, and brand.</p><p>With greater risk has come heightened attention, notes the report from the American Institute of Certified Public Accountants and North Carolina State University's ERM Initiative. Two-thirds say boards are calling for more management oversight of risk, while 58% say outside parties such as investors are demanding extensive detail about how organizations manage risk.</p><p>Yet, only one-fourth of respondents say their organization's risk management is mature, a decline from previous surveys. Moreover, less than 20% say their risk management process provides strategic value. "If functioning effectively, a robust enterprise risk management process should be an important strategic tool for management," the report says. </p><p> <strong>—</strong><strong> </strong><strong>T. McCollum</strong></p><h2>Weighing the Cost of Fraud<br></h2><h3>Fraud defenses work but could face the budget-cutting ax.</h3><p>Organizations already pay a steep price for fraud, but they may be targeted even more if budget-cutting weakens defenses such as internal audit. Occupational fraud costs organizations about 5% of annual revenues, according to the Association of Certified Fraud Examiners' (ACFE's) 2020 Report to the Nations.</p><p>The report analyzed more than 2,500 fraud cases from 125 countries, with losses totaling more than $3.6 billion. Most of these frauds come from four areas: operations (15%), accounting (14%), executive management (12%), and sales (11%).</p><p>In a post previewing the latest report, ACFE President and CEO Bruce Dorris warns organizations not to cut internal audit and compliance amid the economic fallout from the coronavirus. "Cutbacks to departments or initiatives that are integral to a comprehensive anti-fraud program only serve to leave organizations more vulnerable to the growing likelihood of fraud," he says.</p><p>Weakened defenses combined with individuals facing financial pressures could create a "perfect storm" for fraud, Dorris cautions.</p><p>Effective controls, reporting, and training also help fraud fighting considerably, the report notes. One-third of frauds can be attributed to a lack of internal controls, so over the past decade, the use of controls such as hotlines, anti-fraud policies, and fraud training has increased by at least 9%. Organizations discover 43% of frauds through tips — half of them from employees — but employees are far more likely to report fraud when they receive fraud-awareness training.</p><p>One new trend the report finds is that individuals accused of fraud are less likely to face criminal charges, with organizations increasingly preferring to handle cases through internal discipline or civil litigation. Four out of five fraud perpetrators were disciplined internally, and 46% of victim organizations say they declined to refer cases to law enforcement because internal punishment was sufficient. </p><p> <strong>—</strong><strong> </strong><strong>T. McCollum</strong></p><p></p><h2>Sourcing in a Crisis<br></h2><h3>New vendor relationships can create new risks, says Erich Heneke, director of business integrity and continuity at the Mayo Clinic.</h3><table cellspacing="0" width="100%" class="ms-rteTable-default" style="background-color:#ffffff;"><tbody><tr><td class="ms-rteTable-default" style="width:306.667px;"><ul><li><strong>75</strong><strong>% </strong><strong>of U.S. adults </strong><strong>say that companies</strong> have a responsibility to support coronavirus relief.<br></li><li><strong>71</strong><strong>%</strong> <strong>say they will stop </strong><strong>purchasing products</strong> from companies they perceive to be irresponsible during the crisis.</li></ul><p> </p><p>"Americans are watching which companies are stepping up at this time," says Kate Cusick, chief marketing officer at public relations advisory firm Porter Novelli/Cone. "The decisions businesses make today will define them well after this pandemic has passed."</p><p>Source: Porter Novelli/Cone, COVID-19 Tracker: Insights for a Time of Crisis<br></p><br></td></tr></tbody></table><p> <strong>COVID-19 has businesses looking at the viability of their vendors. How can businesses shift quickly to new vendors? </strong>The pandemic has not only exposed traditional vendor risks with respect to supply chain disruption, but it has unlocked a new set of brokered vendors that enter new risk into the market. In health care, products have become unavailable due to supply and demand issues through traditional channels, and, thus, we are seeking products in alternative markets. When sourcing alternate channels, we have seen an influx of counterfeit products as well as brokers requiring a pre-payment and then vanishing with the hospital's money, which suggests that new tools will be necessary to quickly vet new vendor relationships.</p><p>Internal audit should let business areas do what they do best, while providing higher and wider level views into enterprise risks. Auditors also should be available as consultants to help mitigate risks as they emerge in vendor markets, whether that's by helping to design a third-party risk management program or aid in strategic sourcing needs. Auditors can offer an independent set of eyes on a process that is largely unfamiliar to a health-care supply chain.<br></p><h2>Brown Factors May Affect Credit<br></h2><h3>Harmful activities may become targets of disincentives.<br></h3><p>Organizations are familiar with "green" activities, but the environmentally harmful "brown" activities may have greater credit implications, according to Fitch Ratings' inaugural ESG Credit Quarterly report.</p><p>As defined by The European Commission's (EC's) final report on the European Union taxonomy for sustainable activities, green activities contribute substantially to environmental objectives. Since the report's publication in March, there have been calls for the commission to develop a taxonomy listing environmentally harmful (brown) activities.</p><p>The technical expert group assisting the EC with the sustainability taxonomy states that activities not defined as <em>green</em> should not automatically be considered <em>brown</em>. The Fitch report points out that consensus on a brown taxonomy will be difficult. However, it could impact credit by defining targets for disincentive policies such as higher prudential capital requirements.</p><p>A brown taxonomy "could inform how asset managers and banks screen for other fossil fuels or environmentally harmful activities in the future," Fitch notes. Additionally, it could lead to greater standardization in how investors and banks screen sectors deemed harmful. <strong>—</strong><strong> </strong><strong>S. Steffee</strong></p>Staff0
Assessing Risk in a Post-pandemic World Risk in a Post-pandemic World<p>​As the coronavirus (COVID-19) pandemic has changed the world, internal audit functions have needed to face that world differently. Before the outbreak, internal auditors worked in similar ways, following the same code of conduct, adhering to the same standards, and using many of the same tools. Now, auditors have another thing in common: the need to adapt to frequently changing risk conditions.</p><p>COVID-19 has fundamentally changed the risk profiles of many organizations. As internal audit ramps up to a "new normal," it must recalibrate its audit plan from a dramatically different risk perspective. </p><h2>An Audit Plan in Peril</h2><p>Let's examine the timeline of events. Many internal audit functions started their risk assessment and audit planning process in late 2019. By early 2020, departments in most of the world had formed at least a skeleton of their audit plan, and some had communicated their formal plans to the audit committee and senior management. Some audit functions began executing engagements in early 2020. </p><p>That all changed in March, when the coronavirus began to race swiftly around the world and businesses experienced the first effects of social-distancing measures. Operationally, many organizations altered their business practices. From a compliance perspective, some regulatory requirements were suspended or relaxed for entire industries during the outbreak. </p><p>As these response measures quickly escalated, many audit functions drastically altered their audit plans. Businesses experienced so much disruption that it was nearly impossible to execute some audit engagements, or there simply was no value in doing so. Most respondents to an April 2020 IIA Quick Poll say they discontinued or reduced scope for some audit engagements, and nearly half canceled some engagements in response to COVID-19. </p><p>Four in 10 respondents indicate they redirected audit staff to nonaudit work. For some audit functions, temporary staff furloughs or budget reductions ended audit work or reduced staff activity to administrative duties.<br></p><h2>Post-pandemic Planning</h2><p>The audit plan that existed before the pandemic is based on an old risk paradigm. In a post-pandemic world, chief audit executives (CAEs) must think differently about their organizations' risks and how to redeploy audit resources. Here are some questions CAEs should ask in rethinking their audit plans.<br></p><p><strong>What does the organization's new normal look like?</strong> Even businesses that were least impacted by COVID-19 will have systemic changes in their risk environment (see "Questions for CAEs" at the end of this article). There may be major fallout to institutions and systems that organizations rely on, and regulators, financial institutions, and supply chains may experience disruptions well past the point when stay-at-home orders are relaxed. Some may no longer exist.<br></p><p><strong>Is my risk assessment process agile enough?</strong> This question will be critical as CAEs begin prioritizing how to redeploy resources to address elevated risk in legacy risk areas as well as in new, uncharted territory. Risk assessments need to be agile because risk dynamics may change frequently in the near term. CAEs should evaluate and streamline legacy risk assessment processes.<br></p><p><strong>Does my team still possess the skills to execute the risk assessment and audit plan?</strong> In the post-pandemic world, risk profiles probably will change — in some organizations, dramatically. CAEs need to evaluate the talent in their teams and internal audit's ability to identify risks and execute engagements that focus on new types of risk. They need to address questions such as:</p><ul><li>How has internal audit's staffing changed? </li><li>Are staffing levels different, and have there been any changes in talent? </li><li><p>Are there new talent needs as a result of changes to the organization's risk profile?</p></li></ul><p><strong>Does my team still have an objective mindset?</strong> Unprecedented times call for unprecedented measures, and during the COVID-19 emergency, many internal auditors have been called to duty in ways they never imagined. If auditors were engaged in nonaudit activities within the business or performing activities that normally would be incompatible with professional standards, CAEs should evaluate staff objectivity.</p><h2>A New World of Risk</h2><p>The world is different now, with different risks. Internal audit functions must recalibrate how they view the inherent risks their organizations face as the recovery period begins. </p><p>Although pivoting from the old world to a new one is not a new phenomenon, the magnitude of COVID-19 impacts is more global and more severe than anything most auditors have experienced. Internal audit's ability to respond is vital not only to how its business recovers, but also how audit realigns with its stakeholders' needs.  <br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><strong>Questions for CAEs</strong><br><br><p>To assess their situation during the COVID-19 crisis, CAEs should ask:</p><ul><li>What does organizational staffing look like now? Have there been reductions or reorganizations?</li><li>Have key stakeholders changed? What new audit clients should I anticipate?</li><li>Have workforce reductions or reorganizations impacted how internal controls are executed? Are there new segregation of duties concerns or controls that no longer have control owners?</li><li>What processes have been temporarily or permanently changed?</li><li>What systems were temporarily modified or permanently changed? Were appropriate IT general controls followed for these changes, and, if not, what are the implications? </li><li>What controls were modified to accommodate unique business situations or risks?</li><li>Have there been any key personnel changes such as loss of unique subject-matter expertise or loss of key leaders in strategic areas?</li><li>Has the organization's strategic focus changed in the near or long term?</li><li>How have cost structures changed?</li><li>Have there been fundamental changes in the organization's debt and capital structures? Are there new or different debt covenants?</li><li>What new legal or compliance challenges is the organization facing (lawsuit exposures, changes to compliance infrastructure)?</li><li>Have new business opportunities emerged and have corresponding risks been identified?</li><li>Have the fundamentals of business-unit operations or strategies changed?</li><li>How have business continuity dynamics changed (key infrastructure changes, key customer changes)?</li><li>How have enterprise risk management dynamics changed (key risks, key risk indicators, response plans, and risk appetite)?</li><li>How have U.S. Sarbanes-Oxley Act of 2002 dynamics changed, including changes with external auditors, regulatory dynamics, and control owners?</li></ul></td></tr></tbody></table><p></p>Rick Wright1
A Rational Mindset Rational Mindset<p>​Remember the scene from <em>Raiders of the Lost Ark</em> where Indiana Jones enters the Well of the Souls, which happens to be a snake-infested pit? After throwing a torch into the pit to reveal his plight, he exclaims, "Snakes … why did it have to be snakes?"</p><p>Granted, this scene is plotted to presume the snakes are venomous, so Indiana's fear is rational. But his initial reaction reveals his bias about snakes in general — the same way some people are irrationally averse to risk. </p><p>Internal auditors have a professional duty to remain objective as they perform their work. This unbiased mindset must extend to remaining rational when it comes to communicating with audit clients about risk.</p><h2>Why Did It Have to Be Risk?</h2><p>Snakes are vilified as animals that hide in dark places, stealthily seeking out prey and striking when they least expect it. An objective study of snakes reveals a much more accurate view of these complex creatures. Not all snakes are aggressive, nor are they all venomous or massive constrictors capable of inflicting great harm to people, as we often see in movies or hear about in the news. </p><p>In fact, snakes can be beneficial. Take the black rat snake, which is effective at controlling harmful rodent populations. One black rat snake can eat 100 mice per acre in a year. What farmer wouldn't readily adopt at least a couple of these hunters to offset the negative impact mice have on property and equipment, not to mention the potential spread of disease?<br></p><p>People sometimes perceive risk with the same irrational viewpoint. Too often, when discussing risk and risk management philosophy with business professionals in the course of internal audit work, the conversation gravitates toward an unbalanced, negative attitude about risk. </p><p>One time, my audit team was conducting an audit workshop with a group of business managers. The team was explaining how our audit activities were risk-based so that we focused on things that matter most to their functions' success. The supervisor for this group of managers interrupted our discussion to admonish the group that they needed to be focused on risk to eliminate it from the company. While it was an innocent exclamation the supervisor truly believed, it was an unfortunate and unplanned distraction from our discussion that the audit team had <br>to clarify with the workshop participants. </p><p>The interruption turned out to be a blessing in disguise. It enabled the internal audit team to lead a healthy discussion about the opportunities that also accompany risk, while explaining that eliminating risk was not realistic nor necessarily a desirable goal.</p><h2>Shifting the Risk Mindset</h2><p>With all the focus organizations have devoted to enterprise risk management and updated risk management frameworks, they still get trapped in a vortex where risk is seen in a lopsidedly negative light. Internal audit should thoughtfully redirect this line of thinking when such an uninformed view of risk and risk management is expressed. </p><p>The snake analogy is a good proxy for reframing the risk discussion. The word <em>risk</em> often is misunderstood. Like snakes, risk can do serious harm, so people instinctively project harm to all risk. But is this rational? </p><p>In finance, <em>risk</em> frequently is paired with the word <em>reward</em> to describe offsetting outcomes related to a decision. While taking any given risk may result in a bad outcome, there also is the prospect of a good outcome. No risk, no reward, as the saying goes. This is a more rational view of risk. </p><p>Internal auditors can help organizations balance attitudes about risk by talking and acting rationally about risk. For instance, they shouldn't use risk exclusively as a "four-letter word" in discussions with other business professionals. Risk mitigation is only one potential risk response alternative. When approaching risk assessments or new audit engagements, internal auditors should talk about how informed risk-taking is essential to the organization's growth prospects. </p><p>Internal auditors should counsel clients that risk acceptance is sometimes the best risk response. This can be the case when other risk response alternatives are costly or when the risk is relatively mild. Accepting a risk while continuing to monitor it for changes that may justify a different response is a rational reaction. </p><p>In other instances, it is appropriate to exploit risk for its opportunity. In times of crisis or disruption, offsetting opportunities can present themselves in the face of emerging risks. In these instances, risk opportunities can serve as a hedge against simultaneous negative risk outcomes. When internal auditors set a good example, clients and other stakeholders are more likely to respond to risk with a more rational mindset.</p><h2>Thinking Differently About Risk</h2><p>Let's think about snakes and risk a little differently. A more neutral word to use for snake is reptile. Some reptiles can cause harm to people in certain circumstances such as swimming in a lake known to have large alligators or walking through terrain known for rattlesnakes. In other situations, such as rodent control, reptiles are benign or helpful. </p><p>Likewise, a less polarizing term for risk is uncertainty — specifically, about some outcome. Risk is neither bad nor good; it's just uncertainty. When auditors use the word <em>uncertainty</em> when discussing risk, they can have a more objective, and less polarized, discussion and avoid the biased, negative connotation. This allows auditors to unlock the real value of an intellectual discussion about risk — refocusing attention on decision-making. </p><p>Uncertainty hinders decision-making. The more uncertainty that exists about a pending decision, the more difficult it is to make a decision that will result in a favorable outcome. The better decision-makers can understand the uncertainty they are faced with in a decision, the more likely they should be able to optimize the outcome they are seeking from any given decision. </p><p>The coronavirus pandemic comes to mind. In the present, fear of the unknown is dominating the response conversation. This is a crisis that has not been experienced in most of the modern world, and government leaders are struggling to craft effective responses because of the uncertainty that exists. </p><p>In time, this threat will subside. The world is currently experiencing negative outcomes; however, positive outcomes could emerge, such as a more resilient health-care system to deal with similar threats in the future.</p><h2>Risk Doesn't Have to Be Scary</h2><p>When risk is obscure and lurking in the darkness, it seems more like a rattlesnake waiting to strike against an unsuspecting victim. But when risk is visible, understood, and appreciated for its potential benefit, organizations can exploit it for a beneficial outcome or control it to minimize a negative outcome. With this shift in mindset, risk becomes less of a scary monster and more of a device that uses rational decision-making to optimize risk outcomes. <br></p>Rick Wright1
10 Questions on Culture Questions on Culture<p>​Among an organization's key assets, perhaps none is more valuable than the culture that permeates it from top to bottom. In the words of management consultant and author Peter Drucker, "Culture eats strategy for breakfast," meaning that even a great strategic plan will likely fail if the organization's mindset and workforce don't align with it.</p><p>The word <em>culture, </em>as it applies to organizations, refers to the attitudes and workplace behaviors that drive customer and employee relations, the quality of goods and services, and profitability. Recognition of business culture as a legitimate balance sheet line item under U.S. generally accepted accounting principles underscores that effective culture is a bottom-line essential, not a fuzzy nice-to-have. In fact, a business' culture may carry a book value — in the form of goodwill — higher than any other asset on the balance sheet. </p><p>Culture impacts nearly every aspect of an organization, including morale, productivity, and achievement of goals, making it an essential area for internal audit to examine. An FAQ on culture, assembled from years of questions received from audit committees and stakeholders, can serve as a primer on the topic and help guide internal auditors planning to conduct a cultural assessment. </p><h2>1. How is culture formed?<br></h2><p>An organization's expressed desire to create an employee- and customer-centric, sustainable enterprise represents nothing more than a wish unless actively supported by the incentives, policies and procedures, and goals established by management. Some of the factors that shape a culture for good or bad include:</p><ul><li>Employee workloads.</li><li>Spans of authority.</li><li>Management style.</li><li>Ethics policies.</li><li>Organizational values.</li><li>Relevance and frequency of training.</li><li>Recruitment and retention practices.</li><li>Criteria for employee advancement.</li><li>Compensation plans.</li><li>Personnel policies, including work-hour flexibility and remote-work options.</li><li>Quality controls over products and services.</li><li>Return policies and product warranties.</li></ul> <br> <p>An organization's culture is impossible to conceal because it can be observed almost everywhere. It shows, for example, in the level of respect and teamwork among staff members and in the physical work environment. Culture is quantifiable through productivity metrics and by examining compliance with both the letter and spirit of rules and regulations. Moreover, culture is evident in employee turnover rates, and it is undeniably reflected in the organization's success with retaining repeat customers and garnering their recommendations. </p><p>Culture is profoundly important to an organization's well-being and competitive viability. The factors associated with a healthy or an unhealthy culture are the same ingredients that determine the quality of goods and services it produces, which in turn affect its very survival.</p><h2>2. Why assess culture?</h2><p>Every organization will experience some "sway" or "drift" between its desired state and actual behavior. With that in mind, internal auditors should help gauge whether management and staff are acting on values the organization purports to uphold. And while all the components of a culture may support desired attitudes and behaviors at a point in time, they must be continually assessed for relevance and competitiveness for each generation of employee and customer. What's more, some managers do a better job embracing desired values and instilling them among staff than others. Periodic assessments can identify rogue or ineffective managers — hopefully before they inflict any long-term damage. </p><p>Many governing bodies, C-suite executives, and audit committees recognize culture's impact on these and other key organizational factors, including productivity, product and service quality, and the retention and attraction of customers. No company is successful for long by sheer accident and happenstance. Long-term success is achieved only by design and intent that is translated into the tangibles found in organizational culture. </p><h2>3. What are the vital signs of a healthy culture?</h2><p>The definition of a healthy culture is the same for both the private and public sectors. Health is measured by the degree an organization can sustainably retain committed and capable employees to provide cost-effective, competitive goods or services that are timely and responsive to customers' needs. A sick culture fails in one or more of these critical areas.</p><p>Organizational commitment to the integrity of business processes and true customer-centric services are readily apparent, as they permeate every aspect of the operation — from responsiveness to requested information and the usefulness of procedural manuals to workplace civility and the inclusiveness of staff in decision-making. Nonetheless, the presence of these elements does not necessarily indicate a healthy or well-functioning organization — many other factors must be considered.</p><p>As such, auditors have found that below-market compensation, poorly structured workflows, unreasonable spans of authority, unrealistic production goals, shortcuts that compromise product and service quality, and absent management are among signs of a dysfunctional culture. Avoiding these deficiencies requires a deliberate commitment from management — one that reverberates throughout the organization. </p><h2>4. What does an assessment of culture involve? </h2><p>The typical assessment includes soliciting employees' opinions on the degree the organization lives up to its desired cultural values. This information is usually obtained through surveys and personal interviews, and through an examination of pertinent policies and procedures — including codes of conduct, compensation policies, and promotional criteria.</p><p>The finished report typically presents:<br></p><ul><li>The areas assessed.</li><li>Employee demographics.</li><li>The documents, policies, and procedures examined. </li><li>Responses to each survey question, along with a summary of written comments consolidated into common categories.</li><li>A blank copy of the survey questionnaire.</li></ul> <br><p>Survey reports also frequently include recommendations to address any shortcomings noted. Most assessments are completed within two months.</p><h2>5. Will the assessors rank the culture's various components?</h2><p>The typical assessment scales comments provided in an interview or survey. Most often, respondents are asked to rank their opinion along a continuum between "strongly disagree" and "strongly agree," or through a similar rating system. </p><p>Questions regarding the status of an organization's or subunit's culture are typically grouped into five or more major categories that address values that the board views as its desired corporate identity or personality. These can include innovation, leadership, vision and purpose, collaboration, customer focus, governance and accountability, organizational functionality, adaptability and flexibility, and employee relations. Results commonly present the number of respondents for each of the rankings on the scale, as well as an overall average for each question and category. Survey instruments that enable the reader to gauge the rankings by level of employee, length of service, and gender can be helpful in addressing training, staffing, and funding needs. </p><p>Survey results often show that both the executive level and management believe company policies and practices are more closely aligned with the company's desired values than the employees rank it to be. Such insights are essential to stop the "cultural drift" that typically occurs over time.   </p><h2>6. Will management get to preview the questions and provide a response? </h2><p>Cultural assessments should be a collaborative effort that involves management and staff throughout the engagement. Both perspectives are critical in identifying the questions to be asked of survey participants. To succeed, assessments must receive buy-in from everyone involved, which may involve obtaining their perspectives in a written response attached to the report. </p><h2>7. How can auditors prevent assessments from devolving into a complaint session?</h2><p>Culture assessments typically are designed to avoid being hijacked by a small minority of disgruntled employees. Internal auditors<strong> </strong>should survey a large population that includes a representative cross-section of positions, salary ranges, operating units, ages, and experience levels, as well as both new and veteran employees. All respondents should provide demographic information, kept anonymous by the assessors, via a dedicated section in the survey instrument. Obtaining this information helps management better assess the validity of the responses.  </p><h2>8. Can fiscal, compliance, control, and performance audits be considered audits of culture?</h2><p>All audits are increasingly viewed as a cultural assessment, but only within the narrow bandwidth of the audit's scope. Many managers and auditors view reports from these audits as an implicit assessment of attitudes and commitment toward assigned duties in light of the organization's values and mission. When performing reviews, auditors may also survey and interview employees from the audited activity as a means of determining whether prevalent attitudes and behaviors reflect the desired culture. </p><h2>9. Should the hotline or whistleblower program be assessed?</h2><p>Whether or not an organization supports and protects those who speak up when they see suspected misconduct is a critical reflection of its tone at the top. The support and funding for a hotline program, as well as its placement in the organizational hierarchy, sends a signal to employees about the board and CEO's commitment to ensuring integrity in every aspect of the business. Internal auditors should conduct periodic assessments to gauge employees' perceptions regarding the hotline program's value and effectiveness to ensure it continues to promote and support integrity in the workplace. </p><h2>10. Why are internal auditors well-suited to assess culture?</h2><p>Internal auditors are typically well-regarded and trusted as impartial and objective. Given their exposure to areas throughout the organization, auditors can regularly observe how the tone at the top impacts employees and the extent to which it shapes desired behavior. This experience gives auditors multiple and varied reference points for comparing best practices, attitudes, and expectations that mold a culture for good or bad. It also helps them offer cost-effective, practical recommendations.</p><p>Additionally, auditors are typically well-trained and experienced in assembling evidence and information that supports sound, defensible conclusions. And they are often<strong><em> </em></strong>granted unrestricted access to all personnel, books, and records, as well as cooperation from all affected parties, which removes the typical organizational turf battles and privacy concerns that can thwart other professionals seeking to conduct this type of assessment.  </p><h2>Getting Culture Right</h2><p>Every organization has a culture that affects its daily operations, influencing nearly every decision and impacting virtually all employees. Periodic reviews of the culture have proven to foster employee trust and help keep organizations healthy and strong by alerting management to any drift from desired cultural values. When an organization gets culture right, it can make the difference between just surviving in the marketplace and thriving as an industry leader.  <br></p><p><em>Ken Pun, CPA, managing partner for The Pun Group in Newport Beach, Calif., contributed to this article.</em><br></p>Peter Hughes1
Testing the Boundaries the Boundaries<p>​The outbreak of COVID-19 has forced regulators in the U.S. and around the world to focus on the immediate impacts that the pandemic is having on companies, markets, and consumers. And while some watchdogs have said they may relax some rules or reduce scrutiny to help businesses operate more smoothly, experts warn it does not mean companies should loosen their internal controls. Nor should they take advantage of the situation by engaging in questionable, or even illegal, practices in the hope that authorities have less appetite — or means — to investigate and enforce the rules. As companies face temptation and risk noncompliance, internal audit has a strong role to play in helping them adhere to the rules.<br></p><h2>Business as Usual</h2><p>"Companies are still liable for compliance failures," says Hermès Marangos, partner at U.K. law firm Signature Law. "The virus emergency does not postpone or modify the law — there are no exemptions unless so provided by the legislation itself. Despite this, there are already individuals and entities trying to profiteer, behave unethically and contrary to laws and regulations in many instances," he says.<br></p><p>One area of corporate activity that has seen a relaxation of some rules is competition law. To enable the supply of key medicines, health-care equipment, food stuffs, and other urgent goods, anti-trust regulators have allowed competitors to work together — albeit in very specific and limited circumstances. In some regions, such as Europe, companies can even apply for "comfort letters" to gain increased assurance from the regulator as to what practices may be allowable under these exceptional circumstances, and for how long.  But lawyers warn companies against thinking that such arrangements are the "new normal," or that a relaxation of the rules in one area means that closer cooperation in other areas of business has been tacitly allowed.<br></p><p>Some companies also risk misinterpreting signals from regulatory agencies that enforcement may be pared down. They may assume that watchdogs will focus their resources on tackling companies committing the worst abuses or causing harm to the biggest number of consumers, rather than target organizations generally that have failed to comply. For example, in Europe — which has probably the toughest and most punitive data protection laws in the world under the General Data Protection Regulation — several data protection authorities have said they will naturally be drawn to investigating the "worst offenders."<br></p><p>But lawyers point out that this does not mean companies have been given any special dispensation not to follow the rules as normal. It simply means that the regulators have prioritized their resources.   <br></p><p>"As regards data privacy and enforcement, it is business as usual," says Sarah Pearce, privacy and cybersecurity partner at international law firm Paul Hastings. "No dispensations are being made under current circumstances. Most data regulators have said data protection principles still apply and should be adhered to, so businesses should certainly not view COVID-19 as an excuse for noncompliance."<br></p><p>Companies risk noncompliance by misinterpreting any sign of rules easing — or they may even assume a relaxation simply due to the pandemic. "While there may be some delayed reaction in terms of enforcement by certain regulators due to limited resources during this time, that is not to say there won't be enforcement later down the line," Pearce says. <br></p><h2>Penalties Still Apply</h2><p>Experts also warn against assuming that penalties will be reduced because firms are under financial pressure. Michael Ruck, partner at U.K. law firm TLT, says that although regulators are redeploying their resources during the response to coronavirus, resulting in a reduction in the number or progress of investigations, the top-level amount of fines or penalties imposed will not be relaxed. <br></p><p>"In periods where it is difficult to trade or where profit is hard to come by, there are inevitably instances of a small number of corporates or individuals being increasingly willing to stretch the interpretation of regulatory requirements — sometimes beyond their breaking point," Ruck says. "A perceived relaxation of regulatory intervention may encourage such behavior, but those that are tempted should beware."<br></p><p>While regulators may have discretion to reduce penalties in circumstances where incidents of accidental or low-level noncompliance occur, experts still warn that it will always be the authority that calls the shots.<br></p><p>"Regulators understand that the crisis is putting pressure on firms meeting their day to day obligations and are likely to be reasonable with firms that are making a reasonable effort to comply with regulations in a trying times," says Ian Thomas, regulatory solutions specialist at Quorsus, a financial services consulting firm. "That said, the keywords here are 'reasonable' and 'comply.' Cash crisis or not, the regulators are unlikely to hesitate to issue fines for serious breaches or offences — for example, those financial services firms that put client money at risk." <br></p><h2>An Essential Resource</h2><p>Due to fears that organizations might choose to sail close to the wind if they feel that regulators might allow it, several experts believe that internal audit has a strong role to play in ensuring their organizations follow the usual strict codes of compliance.  <br></p><p>Camilla Winlo, director at international data protection and privacy consultancy DQM GRC, says that "it's good to see regulators taking a pragmatic view of enforcement." But she warns that organizations still need to be mindful of the need for regulatory compliance. <br></p><p>"Internal audit functions need to be particularly aware of the need to carry out risk assessments and policy and process gap analyses to identify where risks have been introduced and ensure that their organizations come back within their risk appetites as quickly as possible," she says.<br></p><p>Nicola Howell, senior compliance and privacy attorney at commercial data and analytics firm Dun & Bradstreet, agrees that there should be no "let up" in following the rules. "Internal audit teams should not be complacent about enforcement and should proceed with upholding the policies their organizations had in place before COVID-19 took hold," she says. "While justifiable allowances may be made, any significant departure from legal requirements or previous company policy could significantly backfire on a business."<br></p>Neil Hodge1
Auditing Knowledge Management Knowledge Management<p>​Technological advances are transforming the nature and importance of the organization’s knowledge assets — intellectual property, software, data, technological expertise, organizational know-how, and other intellectual resources. The value of the global knowledge management market was around $2 billion in 2016 and is expected to exceed $1.2 trillion by 2025, according to Zion Market Research. At this worth, organizations should want to know if their knowledge assets are safeguarded. </p><p>Knowledge assets are vulnerable to loss and can be compromised by internal and external sources. In a 2018 study from the Ponemon Institute and Kilpatrick Townsend & Stockton, 82% of respondents acknowledged that their companies very likely failed to detect a breach involving knowledge assets, up from 74% in 2016. </p><p>Often, audit of knowledge assets is limited to assessing risks, controls, and value derived from the technologies used in their processing (knowledge flow) and the digital records maintained that focus on effective document management. This is only a part of knowledge management auditing in the true sense. It does not get to the core issues of the effectiveness of their protection, how they promote business objectives, and the new opportunities they exploit. </p><p>What has been missing is a structured approach to assess the interplay between strategic and operational risks and controls in enterprisewide knowledge assets management. Unfortunately, there are no comprehensive professional guidelines to assess the adequacy of risks confronting knowledge assets, particularly living knowledge assets held by individuals. Internal auditors must adapt to the evolving risk landscape in knowledge management by reorienting their methodologies and practices to recognize the role of knowledge assets in achieving business objectives. </p><h2>Look for Risk Indicators </h2><p>With disruptive technologies at the forefront, knowledge management tends to be a high-risk activity for most organizations. Risks to knowledge assets are any loss that may decrease the potential to effectively pursue an organization’s business objectives. Key risk indicators in a typical knowledge-based organization include uncertainties about critical knowledge needs, potential business opportunities lost in their absence, and their impact on business objectives. Other indicators may be process related, such as multiple repositories of information in IT-based systems such as an intranet, collaboration platform, or emails that are not integrated. These indicators can lead to wasted resources and inefficiencies and weaknesses in access restrictions to intellectual property. </p><p>Attrition is a common risk involving significant replacement costs that can destabilize even the most successful and steady organizations. It is estimated that the average cost of turnover is 1.5 times the annual salary of the job. Internal auditors also should be vigilant about risks specific to tacit knowledge assets management, which include a high tacit-to-explicit knowledge ratio, high staff turnover, a high percentage of core knowledge held by people nearing retirement, and high market demand for key personnel. It is likely in such cases that these assets will be lost. </p><h2>Assess Strategic Risks</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>Explicit and Tacit Knowledge Comparison</strong></p><p>There are two types of knowledge defined in business. The first, explicit knowledge, is easy to codify, store, and share. It includes textbooks, journals, white papers, patents, literature, audio-visual media, software, and database access. The second, tacit knowledge, comes from personal experience and is not easily replicable or transferrable, such as know-how, methodologies, training algorithms, and professional skepticism. </p><p>Within tacit knowledge, there are two dimensions: technical and cognitive. The highly subjective and personal insights, intuitions, and inspirations derived from an individual’s experience fall under the first category. The second category consists of beliefs, perceptions, values, and emotions ingrained in individuals over years. </p><p>Some argue that tacit knowledge accounts for about 80% to 90% of the knowledge held in a typical organization. Knowledge assets are created at the intersection of, and interaction between, explicit and tacit knowledge. <br></p></td></tr></tbody></table><p>Strategy-related risks in knowledge management typically include the absence of, or a weak, knowledge management strategy; lack of involvement from senior management in knowledge management activities; and lack of alignment between key processes and knowledge assets in place. </p><p>If knowledge is a key driver for the business or is one of the main products of the business entity audited, such as a consulting firm or an educational institute, internal auditors should ask: </p><ul><li>What is the critical knowledge at risk and who determines it? </li><li>What are the core activities? </li><li>How does information flow through those activities? </li><li><p>Is there a knowledge management strategy? <br></p></li></ul><p>Next, internal auditors should remap the business’ critical processes to identify what information is needed to run them. If these needs are not being met, they should determine who needs the missing knowledge. Practitioners should review the enterprisewide risk register to assess whether knowledge management-related risks are recognized, paying attention to the risks of loss of knowledge when core capabilities are outsourced. The instances of high staff turnover and poor knowledge retention among outsourced providers could hamper service quality, involving potential legal risks.</p><p>A robust knowledge management strategy should focus on capturing knowledge assets that are critical to success and that underpin performance to create growth and a competitive advantage. Are there sound human resources policies and succession planning strategies for mentor and peer support before, during, and after key staff with the best situational awareness leave the organization? Are there processes to capture results of lessons-learned exercises, particularly with lawyers, consultants, and accountants’ knowledge and experience that is incorporated into organizational knowledge and change processes? The knowledge lost in such cases could be costly to replace and may require intensive corrective training or retraining. </p><p>In public sector audits, practitioners should pay attention to the procedures followed for valuation of investments in knowledge assets used to support the provision of public services such as water, transportation, and healthcare. There may not be well-defined standards and methodologies for estimating the social, economic, and financial value derived from the assets as they don’t have market-determined equity value. </p><h2>Assess Operational Risks </h2><p>Employees spend almost one-fourth of their time searching for information, according to a survey from The Economist Intelligence Unit. Unclear data definitions, ineffective data governance, and poor search engine performance lead to barriers requiring analysts and developers to resolve them. The root cause of most operational risks in managing knowledge assets is lack of alignment between the strategy and the processes built around it. </p><p>To start, internal auditors should review the accuracy and reliability of the knowledge assets inventory and the core processes they support, and the responsibilities of the people who manage them. The review results will help identify weaknesses in data governance — such as data silos where data is divided across various databases and divisions accentuating memory loss and poor internal coordination of information. The starting point for the review is identifying and using performance criteria for key activities approved by management. While doing so, internal auditors must be able to determine how the key activities are aligned with key stages of knowledge management in the organization, such as needs identification; acquisition; storage, retrieval, and dissemination; archiving; and performance management. If they do not align, that is a strong indicator that these assets are not generating a tangible return. </p><p>Intellectual property in the form of formulae, practices, processes, designs, instruments, patterns, commercial methods, or compilations of information can be subject to loss or compromised by internal or external sources. Internal auditors should assess that the owners of the intellectual property assets have appropriate controls to prevent cyberattacks that could lead to infringements and inappropriate access. </p><h2>Internal Audit's Strategy</h2><p>Auditing knowledge assets requires specific strategies and skills. Each organization’s knowledge needs are unique. As internal audit leaders prepare their audit plans beyond 2020, they should have a multipronged strategy to audit their clients’ knowledge assets from a value-for-money perspective: </p><p></p><ul><li>Retain the best internal audit talent through valuing and investing in the tacit knowledge asset held in the internal audit function.<br><br> </li><li>Develop and maintain a risk-based audit universe of clients’ business operations with significant investments in knowledge assets. This should provide a basis for identifying areas of audit engagement related to knowledge management. <br><br></li><li>Identify and map the knowledge held in the audit department to capture and use the tacit knowledge held, particularly related to complex audit engagements. This information could be used to develop an appropriate knowledge management strategy and system to facilitate collaboration within the audit team. <br><br></li><li>Empower audit teams to recognize the strategic importance of knowledge assets to the business. This will allow them to provide assurance on legal, commercial, technical, social, and financial aspects of the knowledge assets and the relevant risk indicators. For example, develop a bank of risk indicators — quantitative and qualitative — for assessing the processes used in tacit knowledge assets management.<br><br></li><li>Review the adequacy of audit programs used for knowledge management audits. Strengthen them by focusing on strategic and operational aspects of the processes in place to highlight risks of inefficient use of knowledge assets. <br><br></li><li>Focus on the value-for-money aspect of the engagement. Do not get distracted by the technologies and processes used to manage knowledge assets, particularly in engagements involving significant investments in them.</li></ul><h2>Closing the Gap</h2><p>The five most valuable companies in the world report just £172 billion ($223.2 billion) of tangible assets on their balance sheets, though their total worth is £3.5 trillion ($454.2 billion). Almost all of their value is in the form of intangible assets, including intellectual property, data, and other knowledge assets, according to a 2018 budget report from Her Majesty’s Treasury in the U.K. Despite their critical role in business performance, knowledge assets are not traditionally audited with a focus on how organizations safeguard them to retain their competitive position and how they contribute to business performance. As key partners in the assurance process, internal auditors can take a strategic approach to bridge this gap and maximize its influence. </p>Israel Sadu1

  • FastPath-October-2020-Premium-1
  • AuditBoard-October-2020-Premium-2
  • CIALS-October-2020-Premium-3