Governance

 

 

<h1>A Rational Mindset</h1><p>https://iaonline.theiia.org/2020/Pages/A-Rational-Mindset.aspx</p><p>Remember the scene from <em>Raiders of the Lost Ark</em> where Indiana Jones enters the Well of the Souls, which happens to be a snake-infested pit? After throwing a torch into the pit to reveal his plight, he exclaims, "Snakes … why did it have to be snakes?"</p><p>Granted, the scene is written so that the snakes are presumed venomous, so Indiana's fear is rational. But his initial reaction reveals his bias against snakes in general — the same way some people are irrationally averse to risk.</p><p>Internal auditors have a professional duty to remain objective as they perform their work. This unbiased mindset must extend to remaining rational when communicating with audit clients about risk.</p><h2>Why Did It Have to Be Risk?</h2><p>Snakes are vilified as animals that hide in dark places, stealthily seeking out prey and striking when it least expects it. An objective study of snakes reveals a much more accurate view of these complex creatures. Not all snakes are aggressive, nor are they all venomous or massive constrictors capable of inflicting great harm on people, as we often see in movies or hear about in the news.</p><p>In fact, snakes can be beneficial. Take the black rat snake, which is effective at controlling harmful rodent populations. One black rat snake can eat 100 mice per acre in a year. What farmer wouldn't readily adopt at least a couple of these hunters to offset the damage mice do to property and equipment, not to mention the potential spread of disease?</p><p>People sometimes perceive risk with the same irrational viewpoint. Too often, when discussing risk and risk management philosophy with business professionals in the course of internal audit work, the conversation gravitates toward an unbalanced, negative attitude about risk.
</p><p>One time, my audit team was conducting an audit workshop with a group of business managers. The team was explaining how our audit activities were risk-based so that we focused on the things that matter most to their functions' success. The supervisor for this group of managers interrupted our discussion to admonish the group that they needed to be focused on risk to eliminate it from the company. While it was an innocent exclamation the supervisor truly believed, it was an unfortunate and unplanned distraction from our discussion that the audit team had to clarify with the workshop participants.</p><p>The interruption turned out to be a blessing in disguise. It enabled the internal audit team to lead a healthy discussion about the opportunities that also accompany risk, while explaining that eliminating risk is neither realistic nor necessarily desirable.</p><h2>Shifting the Risk Mindset</h2><p>For all the attention organizations have devoted to enterprise risk management and updated risk management frameworks, they still get trapped in a vortex where risk is seen in a lopsidedly negative light. Internal audit should thoughtfully redirect this line of thinking whenever such an uninformed view of risk and risk management is expressed.</p><p>The snake analogy is a good proxy for reframing the risk discussion. The word <em>risk</em> is often misunderstood. Like snakes, risk can do serious harm, so people instinctively project harm onto all risk. But is this rational?</p><p>In finance, <em>risk</em> is frequently paired with the word <em>reward</em> to describe the offsetting outcomes of a decision. While taking any given risk may result in a bad outcome, there is also the prospect of a good outcome. No risk, no reward, as the saying goes. This is a more rational view of risk.</p><p>Internal auditors can help organizations balance attitudes about risk by talking and acting rationally about risk.
For instance, they shouldn't use risk exclusively as a "four-letter word" in discussions with other business professionals. Risk mitigation is only one potential risk response alternative. When approaching risk assessments or new audit engagements, internal auditors should talk about how informed risk-taking is essential to the organization's growth prospects. </p><p>Internal auditors should counsel clients that risk acceptance is sometimes the best risk response. This can be the case when other risk response alternatives are costly or when the risk is relatively mild. Accepting a risk while continuing to monitor it for changes that may justify a different response is a rational reaction. </p><p>In other instances, it is appropriate to exploit risk for its opportunity. In times of crisis or disruption, offsetting opportunities can present themselves in the face of emerging risks. In these instances, risk opportunities can serve as a hedge against simultaneous negative risk outcomes. When internal auditors set a good example, clients and other stakeholders are more likely to respond to risk with a more rational mindset.</p><h2>Thinking Differently About Risk</h2><p>Let's think about snakes and risk a little differently. A more neutral word to use for snake is reptile. Some reptiles can cause harm to people in certain circumstances such as swimming in a lake known to have large alligators or walking through terrain known for rattlesnakes. In other situations, such as rodent control, reptiles are benign or helpful. </p><p>Likewise, a less polarizing term for risk is uncertainty — specifically, about some outcome. Risk is neither bad nor good; it's just uncertainty. When auditors use the word <em>uncertainty</em> when discussing risk, they can have a more objective, and less polarized, discussion and avoid the biased, negative connotation. This allows auditors to unlock the real value of an intellectual discussion about risk — refocusing attention on decision-making. 
</p><p>Uncertainty hinders decision-making. The more uncertainty that exists about a pending decision, the more difficult it is to make a decision that will result in a favorable outcome. The better decision-makers understand the uncertainty they face in a decision, the more likely they are to optimize the outcome they are seeking from it.</p><p>The coronavirus pandemic comes to mind. At present, fear of the unknown is dominating the response conversation. This is a crisis that most of the modern world has not experienced, and government leaders are struggling to craft effective responses because of the uncertainty that exists.</p><p>In time, this threat will subside. The world is currently experiencing negative outcomes; however, positive outcomes could emerge, such as a more resilient health-care system to deal with similar threats in the future.</p><h2>Risk Doesn't Have to Be Scary</h2><p>When risk is obscure and lurking in the darkness, it seems more like a rattlesnake waiting to strike an unsuspecting victim. But when risk is visible, understood, and appreciated for its potential benefit, organizations can exploit it for a beneficial outcome or control it to minimize a negative outcome. With this shift in mindset, risk becomes less of a scary monster and more of a tool for rational decision-making that optimizes risk outcomes.</p><p>By Rick Wright</p>
<h1>10 Questions on Culture</h1><p>https://iaonline.theiia.org/2020/Pages/10-Questions-on-Culture.aspx</p><p>Among an organization's key assets, perhaps none is more valuable than the culture that permeates it from top to bottom. In the words of management consultant and author Peter Drucker, "Culture eats strategy for breakfast," meaning that even a great strategic plan will likely fail if the organization's mindset and workforce don't align with it.</p><p>The word <em>culture</em>, as it applies to organizations, refers to the attitudes and workplace behaviors that drive customer and employee relations, the quality of goods and services, and profitability. Recognition of business culture as a legitimate balance sheet line item under U.S. generally accepted accounting principles underscores that effective culture is a bottom-line essential, not a fuzzy nice-to-have. In fact, a business's culture may carry a book value — in the form of goodwill — higher than any other asset on the balance sheet.</p><p>Culture impacts nearly every aspect of an organization, including morale, productivity, and achievement of goals, making it an essential area for internal audit to examine. An FAQ on culture, assembled from years of questions received from audit committees and stakeholders, can serve as a primer on the topic and help guide internal auditors planning to conduct a cultural assessment.</p><h2>1. How is culture formed?</h2><p>An organization's expressed desire to create an employee- and customer-centric, sustainable enterprise is nothing more than a wish unless it is actively supported by the incentives, policies and procedures, and goals established by management.
Some of the factors that shape a culture for good or bad include:</p><ul><li>Employee workloads.</li><li>Spans of authority.</li><li>Management style.</li><li>Ethics policies.</li><li>Organizational values.</li><li>Relevance and frequency of training.</li><li>Recruitment and retention practices.</li><li>Criteria for employee advancement.</li><li>Compensation plans.</li><li>Personnel policies, including work-hour flexibility and remote-work options.</li><li>Quality controls over products and services.</li><li>Return policies and product warranties.</li></ul><p>An organization's culture is impossible to conceal because it can be observed almost everywhere. It shows, for example, in the level of respect and teamwork among staff members and in the physical work environment. Culture is quantifiable through productivity metrics and by examining compliance with both the letter and the spirit of rules and regulations. Moreover, culture is evident in employee turnover rates, and it is undeniably reflected in the organization's success in retaining repeat customers and garnering their recommendations.</p><p>Culture is profoundly important to an organization's well-being and competitive viability. The factors associated with a healthy or an unhealthy culture are the same ingredients that determine the quality of the goods and services it produces, which in turn affect its very survival.</p><h2>2. Why assess culture?</h2><p>Every organization will experience some "sway" or "drift" between its desired state and actual behavior. With that in mind, internal auditors should help gauge whether management and staff are acting on the values the organization purports to uphold. And while all the components of a culture may support desired attitudes and behaviors at a point in time, they must be continually assessed for relevance and competitiveness for each generation of employees and customers.
What's more, some managers do a better job than others of embracing desired values and instilling them among staff. Periodic assessments can identify rogue or ineffective managers — hopefully before they inflict any long-term damage.</p><p>Many governing bodies, C-suite executives, and audit committees recognize culture's impact on these and other key organizational factors, including productivity, product and service quality, and the retention and attraction of customers. No company is successful for long by sheer accident and happenstance. Long-term success is achieved only by design and intent that is translated into the tangibles found in organizational culture.</p><h2>3. What are the vital signs of a healthy culture?</h2><p>The definition of a healthy culture is the same for the private and public sectors. Health is measured by the degree to which an organization can sustainably retain committed and capable employees to provide cost-effective, competitive goods or services that are timely and responsive to customers' needs. A sick culture fails in one or more of these critical areas.</p><p>Organizational commitment to the integrity of business processes and to truly customer-centric service is readily apparent, as it permeates every aspect of the operation — from responsiveness to requested information and the usefulness of procedural manuals to workplace civility and the inclusion of staff in decision-making. Nonetheless, the presence of these elements does not necessarily indicate a healthy or well-functioning organization — many other factors must be considered.</p><p>In practice, auditors have found that below-market compensation, poorly structured workflows, unreasonable spans of authority, unrealistic production goals, shortcuts that compromise product and service quality, and absent management are among the signs of a dysfunctional culture.
Avoiding these deficiencies requires a deliberate commitment from management — one that reverberates throughout the organization.</p><h2>4. What does an assessment of culture involve?</h2><p>The typical assessment includes soliciting employees' opinions on the degree to which the organization lives up to its desired cultural values. This information is usually obtained through surveys and personal interviews, and through an examination of pertinent policies and procedures — including codes of conduct, compensation policies, and promotion criteria.</p><p>The finished report typically presents:</p><ul><li>The areas assessed.</li><li>Employee demographics.</li><li>The documents, policies, and procedures examined.</li><li>Responses to each survey question, along with a summary of written comments consolidated into common categories.</li><li>A blank copy of the survey questionnaire.</li></ul><p>Survey reports also frequently include recommendations to address any shortcomings noted. Most assessments are completed within two months.</p><h2>5. Will the assessors rank the culture's various components?</h2><p>The typical assessment scores the comments provided in an interview or survey on a scale. Most often, respondents are asked to rate their opinion along a continuum between "strongly disagree" and "strongly agree," or through a similar rating system.</p><p>Questions regarding the status of an organization's or subunit's culture are typically grouped into five or more major categories that address the values the board views as its desired corporate identity or personality. These can include innovation, leadership, vision and purpose, collaboration, customer focus, governance and accountability, organizational functionality, adaptability and flexibility, and employee relations. Results commonly present the number of respondents for each ranking on the scale, as well as an overall average for each question and category.
Survey instruments that enable the reader to break down the rankings by employee level, length of service, and gender can be helpful in addressing training, staffing, and funding needs.</p><p>Survey results often show that both executives and management believe company policies and practices are more closely aligned with the company's desired values than employees rank them to be. Such insights are essential to stop the "cultural drift" that typically occurs over time.</p><h2>6. Will management get to preview the questions and provide a response?</h2><p>Cultural assessments should be a collaborative effort that involves management and staff throughout the engagement. Both perspectives are critical in identifying the questions to be asked of survey participants. To succeed, assessments must receive buy-in from everyone involved, which may involve obtaining their perspectives in a written response attached to the report.</p><h2>7. How can auditors prevent assessments from devolving into a complaint session?</h2><p>Culture assessments typically are designed to avoid being hijacked by a small minority of disgruntled employees. Internal auditors should survey a large population that includes a representative cross-section of positions, salary ranges, operating units, ages, and experience levels, as well as both new and veteran employees. All respondents should provide demographic information, kept anonymous by the assessors, via a dedicated section in the survey instrument. Obtaining this information helps management better assess the validity of the responses.</p><h2>8. Can fiscal, compliance, control, and performance audits be considered audits of culture?</h2><p>All audits are increasingly viewed as cultural assessments, but only within the narrow bandwidth of the audit's scope.
Many managers and auditors view reports from these audits as an implicit assessment of attitudes and commitment toward assigned duties in light of the organization's values and mission. When performing reviews, auditors may also survey and interview employees from the audited activity as a means of determining whether prevalent attitudes and behaviors reflect the desired culture. </p><h2>9. Should the hotline or whistleblower program be assessed?</h2><p>Whether or not an organization supports and protects those who speak up when they see suspected misconduct is a critical reflection of its tone at the top. The support and funding for a hotline program, as well as its placement in the organizational hierarchy, sends a signal to employees about the board and CEO's commitment to ensuring integrity in every aspect of the business. Internal auditors should conduct periodic assessments to gauge employees' perceptions regarding the hotline program's value and effectiveness to ensure it continues to promote and support integrity in the workplace. </p><h2>10. Why are internal auditors well-suited to assess culture?</h2><p>Internal auditors are typically well-regarded and trusted as impartial and objective. Given their exposure to areas throughout the organization, auditors can regularly observe how the tone at the top impacts employees and the extent to which it shapes desired behavior. This experience gives auditors multiple and varied reference points for comparing best practices, attitudes, and expectations that mold a culture for good or bad. It also helps them offer cost-effective, practical recommendations.</p><p>Additionally, auditors are typically well-trained and experienced in assembling evidence and information that supports sound, defensible conclusions. 
And they are often granted unrestricted access to all personnel, books, and records, as well as cooperation from all affected parties, which removes the typical organizational turf battles and privacy concerns that can thwart other professionals seeking to conduct this type of assessment.</p><h2>Getting Culture Right</h2><p>Every organization has a culture that affects its daily operations, influencing nearly every decision and impacting virtually all employees. Periodic reviews of the culture have proven to foster employee trust and help keep organizations healthy and strong by alerting management to any drift from desired cultural values. When an organization gets culture right, it can make the difference between merely surviving in the marketplace and thriving as an industry leader.</p><p><em>Ken Pun, CPA, managing partner for The Pun Group in Newport Beach, Calif., contributed to this article.</em></p><p>By Peter Hughes</p>
<h1>Testing the Boundaries</h1><p>https://iaonline.theiia.org/2020/Pages/Testing-the-Boundaries.aspx</p><p>The outbreak of COVID-19 has forced regulators in the U.S. and around the world to focus on the immediate impacts the pandemic is having on companies, markets, and consumers. And while some watchdogs have said they may relax some rules or reduce scrutiny to help businesses operate more smoothly, experts warn that this does not mean companies should loosen their internal controls. Nor should they take advantage of the situation by engaging in questionable, or even illegal, practices in the hope that authorities have less appetite — or fewer means — to investigate and enforce the rules. As companies face temptation and the risk of noncompliance, internal audit has a strong role to play in helping them adhere to the rules.</p><h2>Business as Usual</h2><p>"Companies are still liable for compliance failures," says Hermès Marangos, partner at U.K. law firm Signature Law. "The virus emergency does not postpone or modify the law — there are no exemptions unless so provided by the legislation itself. Despite this, there are already individuals and entities trying to profiteer, behave unethically and contrary to laws and regulations in many instances," he says.</p><p>One area of corporate activity that has seen a relaxation of some rules is competition law. To enable the supply of key medicines, health-care equipment, foodstuffs, and other urgent goods, antitrust regulators have allowed competitors to work together — albeit in very specific and limited circumstances. In some regions, such as Europe, companies can even apply for "comfort letters" to gain increased assurance from the regulator as to what practices may be allowable under these exceptional circumstances, and for how long.
But lawyers warn companies against thinking that such arrangements are the "new normal," or that a relaxation of the rules in one area means that closer cooperation in other areas of business has been tacitly allowed.</p><p>Some companies also risk misinterpreting signals from regulatory agencies that enforcement may be pared down. They may assume that watchdogs will focus their resources on tackling companies committing the worst abuses or harming the largest number of consumers, rather than targeting organizations generally that have failed to comply. For example, in Europe — which has probably the toughest and most punitive data protection laws in the world under the General Data Protection Regulation — several data protection authorities have said they will naturally be drawn to investigating the "worst offenders."</p><p>But lawyers point out that this does not mean companies have been given any special dispensation not to follow the rules as normal. It simply means that the regulators have prioritized their resources.</p><p>"As regards data privacy and enforcement, it is business as usual," says Sarah Pearce, privacy and cybersecurity partner at international law firm Paul Hastings. "No dispensations are being made under current circumstances. Most data regulators have said data protection principles still apply and should be adhered to, so businesses should certainly not view COVID-19 as an excuse for noncompliance."</p><p>Companies risk noncompliance by misinterpreting any sign of rules easing — or they may even assume a relaxation simply because of the pandemic. "While there may be some delayed reaction in terms of enforcement by certain regulators due to limited resources during this time, that is not to say there won't be enforcement later down the line," Pearce says.</p><h2>Penalties Still Apply</h2><p>Experts also warn against assuming that penalties will be reduced because firms are under financial pressure.
Michael Ruck, partner at U.K. law firm TLT, says that although regulators are redeploying their resources during the response to coronavirus, resulting in a reduction in the number or progress of investigations, the top-level amount of fines or penalties imposed will not be relaxed.</p><p>"In periods where it is difficult to trade or where profit is hard to come by, there are inevitably instances of a small number of corporates or individuals being increasingly willing to stretch the interpretation of regulatory requirements — sometimes beyond their breaking point," Ruck says. "A perceived relaxation of regulatory intervention may encourage such behavior, but those that are tempted should beware."</p><p>While regulators may have discretion to reduce penalties where incidents of accidental or low-level noncompliance occur, experts warn that it will always be the authority that calls the shots.</p><p>"Regulators understand that the crisis is putting pressure on firms meeting their day-to-day obligations and are likely to be reasonable with firms that are making a reasonable effort to comply with regulations in trying times," says Ian Thomas, regulatory solutions specialist at Quorsus, a financial services consulting firm. "That said, the keywords here are 'reasonable' and 'comply.' Cash crisis or not, the regulators are unlikely to hesitate to issue fines for serious breaches or offences — for example, those financial services firms that put client money at risk."</p><h2>An Essential Resource</h2><p>Because of fears that organizations might choose to sail close to the wind if they feel regulators will allow it, several experts believe that internal audit has a strong role to play in ensuring their organizations follow the usual strict codes of compliance.</p><p>Camilla Winlo, director at international data protection and privacy consultancy DQM GRC, says that "it's good to see regulators taking a pragmatic view of enforcement." But she warns that organizations still need to be mindful of the need for regulatory compliance.</p><p>"Internal audit functions need to be particularly aware of the need to carry out risk assessments and policy and process gap analyses to identify where risks have been introduced and ensure that their organizations come back within their risk appetites as quickly as possible," she says.</p><p>Nicola Howell, senior compliance and privacy attorney at commercial data and analytics firm Dun & Bradstreet, agrees that there should be no "let up" in following the rules. "Internal audit teams should not be complacent about enforcement and should proceed with upholding the policies their organizations had in place before COVID-19 took hold," she says. "While justifiable allowances may be made, any significant departure from legal requirements or previous company policy could significantly backfire on a business."</p><p>By Neil Hodge</p>
<h1>Auditing Knowledge Management</h1><p>https://iaonline.theiia.org/2020/Pages/Auditing-Knowledge-Management.aspx</p><p>Technological advances are transforming the nature and importance of the organization’s knowledge assets — intellectual property, software, data, technological expertise, organizational know-how, and other intellectual resources. The value of the global knowledge management market was around $2 billion in 2016 and is expected to exceed $1.2 trillion by 2025, according to Zion Market Research. Given that value, organizations should want to know whether their knowledge assets are safeguarded.</p><p>Knowledge assets are vulnerable to loss and can be compromised by internal and external sources. In a 2018 study from the Ponemon Institute and Kilpatrick Townsend & Stockton, 82% of respondents acknowledged that their companies very likely failed to detect a breach involving knowledge assets, up from 74% in 2016.</p><p>Often, the audit of knowledge assets is limited to assessing the risks, controls, and value derived from the technologies used in their processing (knowledge flow) and the digital records maintained, with a focus on effective document management. This is only a part of knowledge management auditing in the true sense. It does not get to the core issues of how effectively the assets are protected, how they promote business objectives, and what new opportunities they exploit.</p><p>What has been missing is a structured approach to assessing the interplay between strategic and operational risks and controls in enterprisewide knowledge asset management. Unfortunately, there are no comprehensive professional guidelines for assessing the risks confronting knowledge assets, particularly the living knowledge assets held by individuals. Internal auditors must adapt to the evolving risk landscape in knowledge management by reorienting their methodologies and practices to recognize the role of knowledge assets in achieving business objectives.
</p><h2>Look for Risk Indicators</h2><p>With disruptive technologies at the forefront, knowledge management tends to be a high-risk activity for most organizations. A risk to knowledge assets is any potential loss that may decrease the organization’s ability to effectively pursue its business objectives. Key risk indicators in a typical knowledge-based organization include uncertainties about critical knowledge needs, potential business opportunities lost in their absence, and their impact on business objectives. Other indicators may be process related, such as multiple repositories of information in IT-based systems, such as an intranet, collaboration platform, or email, that are not integrated. These conditions can lead to wasted resources and inefficiencies, and to weaknesses in access restrictions on intellectual property.</p><p>Attrition is a common risk involving significant replacement costs that can destabilize even the most successful and steady organizations. It is estimated that the average cost of turnover is 1.5 times the annual salary of the job. Internal auditors should also be vigilant about risks specific to tacit knowledge asset management, which include a high tacit-to-explicit knowledge ratio, high staff turnover, a high percentage of core knowledge held by people nearing retirement, and high market demand for key personnel. It is likely in such cases that these assets will be lost.</p><h2>Assess Strategic Risks</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>Explicit and Tacit Knowledge Comparison</strong></p><p>There are two types of knowledge defined in business. The first, explicit knowledge, is easy to codify, store, and share. It includes textbooks, journals, white papers, patents, literature, audio-visual media, software, and database access.
The second, tacit knowledge, comes from personal experience and is not easily replicable or transferable, such as know-how, methodologies, training algorithms, and professional skepticism.</p><p>Within tacit knowledge, there are two dimensions: technical and cognitive. The highly subjective and personal insights, intuitions, and inspirations derived from an individual’s experience fall under the first category. The second category consists of beliefs, perceptions, values, and emotions ingrained in individuals over years.</p><p>Some argue that tacit knowledge accounts for about 80% to 90% of the knowledge held in a typical organization. Knowledge assets are created at the intersection of, and interaction between, explicit and tacit knowledge.</p></td></tr></tbody></table><p>Strategy-related risks in knowledge management typically include the absence of a knowledge management strategy, or a weak one; lack of involvement from senior management in knowledge management activities; and lack of alignment between key processes and the knowledge assets in place.</p><p>If knowledge is a key driver for the business or is one of the main products of the entity audited, such as a consulting firm or an educational institute, internal auditors should ask:</p><ul><li>What is the critical knowledge at risk, and who determines it?</li><li>What are the core activities?</li><li>How does information flow through those activities?</li><li>Is there a knowledge management strategy?</li></ul><p>Next, internal auditors should remap the business’ critical processes to identify what information is needed to run them. If these needs are not being met, they should determine who needs the missing knowledge. Practitioners should review the enterprisewide risk register to assess whether knowledge management-related risks are recognized, paying attention to the risk of losing knowledge when core capabilities are outsourced.
High staff turnover and poor knowledge retention among outsourced providers could hamper service quality and create legal risks.</p><p>A robust knowledge management strategy should focus on capturing the knowledge assets that are critical to success and that underpin performance to create growth and a competitive advantage. Are there sound human resources policies and succession planning strategies for mentor and peer support before, during, and after key staff with the best situational awareness leave the organization? Are there processes to capture the results of lessons-learned exercises, so that the knowledge and experience of lawyers, consultants, and accountants in particular are incorporated into organizational knowledge and change processes? The knowledge lost in such cases could be costly to replace and may require intensive corrective training or retraining.</p><p>In public sector audits, practitioners should pay attention to the procedures followed for valuing investments in knowledge assets used to support the provision of public services such as water, transportation, and healthcare. There may not be well-defined standards and methodologies for estimating the social, economic, and financial value derived from these assets, as they have no market-determined equity value.</p><h2>Assess Operational Risks</h2><p>Employees spend almost one-fourth of their time searching for information, according to a survey from The Economist Intelligence Unit. Unclear data definitions, ineffective data governance, and poor search engine performance create barriers that analysts and developers must then resolve. The root cause of most operational risks in managing knowledge assets is a lack of alignment between the strategy and the processes built around it.
</p><p>To start, internal auditors should review the accuracy and reliability of the knowledge assets inventory, the core processes those assets support, and the responsibilities of the people who manage them. The review results will help identify weaknesses in data governance, such as data silos, where data is scattered across databases and divisions, which accentuates organizational memory loss and poor internal coordination of information. The starting point for the review is identifying and using performance criteria for key activities approved by management. While doing so, internal auditors must be able to determine how the key activities are aligned with the key stages of knowledge management in the organization, such as needs identification; acquisition; storage, retrieval, and dissemination; archiving; and performance management. If they do not align, that is a strong indicator that these assets are not generating a tangible return. </p><p>Intellectual property in the form of formulae, practices, processes, designs, instruments, patterns, commercial methods, or compilations of information can be lost or compromised by internal or external actors. Internal auditors should assess whether the owners of intellectual property assets have appropriate controls to prevent cyberattacks and inappropriate access, either of which can lead to infringement. </p><h2>Internal Audit's Strategy</h2><p>Auditing knowledge assets requires specific strategies and skills. Each organization’s knowledge needs are unique. As internal audit leaders prepare their audit plans beyond 2020, they should have a multipronged strategy to audit their clients’ knowledge assets from a value-for-money perspective: </p><p></p><ul><li>Retain the best internal audit talent by valuing and investing in the tacit knowledge held within the internal audit function.<br><br> </li><li>Develop and maintain a risk-based audit universe of clients’ business operations with significant investments in knowledge assets. 
This should provide a basis for identifying areas of audit engagement related to knowledge management. <br><br></li><li>Identify and map the knowledge held in the audit department to capture and use the tacit knowledge held, particularly related to complex audit engagements. This information could be used to develop an appropriate knowledge management strategy and system to facilitate collaboration within the audit team. <br><br></li><li>Empower audit teams to recognize the strategic importance of knowledge assets to the business. This will allow them to provide assurance on legal, commercial, technical, social, and financial aspects of the knowledge assets and the relevant risk indicators. For example, develop a bank of risk indicators — quantitative and qualitative — for assessing the processes used in tacit knowledge assets management.<br><br></li><li>Review the adequacy of audit programs used for knowledge management audits. Strengthen them by focusing on strategic and operational aspects of the processes in place to highlight risks of inefficient use of knowledge assets. <br><br></li><li>Focus on the value-for-money aspect of the engagement. Do not get distracted by the technologies and processes used to manage knowledge assets, particularly in engagements involving significant investments in them.</li></ul><h2>Closing the Gap</h2><p>The five most valuable companies in the world report just £172 billion ($223.2 billion) of tangible assets on their balance sheets, though their total worth is £3.5 trillion ($4.54 trillion). Almost all of their value is in the form of intangible assets, including intellectual property, data, and other knowledge assets, according to a 2018 budget report from Her Majesty’s Treasury in the U.K. Despite their critical role in business performance, knowledge assets are not traditionally audited with a focus on how organizations safeguard them to retain their competitive position and how they contribute to business performance. 
As key partners in the assurance process, internal auditors can take a strategic approach to bridge this gap and maximize their influence. </p>Israel Sadu
COVID-19: The Ultimate Governance Challenge (https://iaonline.theiia.org/2020/Pages/COVID-19-The-Ultimate-Governance-Challenge.aspx)<p>In many ways, coronavirus (COVID-19) is the corporate governance crisis we've been preparing for all our lives. It is a public health crisis that has caused an economic crisis, which for many organizations has also caused operational or liquidity crises.</p><p style="text-align:left;">Its consequences dwarf the financial crisis of 2008 and the Sept. 11 attacks combined. It is global in scope and unending in duration. And yet, corporate boards, management, and internal audit teams have to confront this menace somehow.</p><p style="text-align:left;">We can start with the obvious: Board directors are as bewildered as everyone else by COVID-19. Clearly the pandemic challenges organizations in all sorts of ways, and directors do grasp that point — but understanding the<em> exact</em> ways COVID-19 will challenge their businesses is no small thing. </p><p style="text-align:left;">"For many, this particular risk — basically, of businesses completely shutting down and everyone staying home — well, that wasn't on the risk profile," says Shellye Archambeau, who serves on four corporate boards, including Verizon and Nordstrom. <br></p><p style="text-align:left;">That puts corporate directors in a delicate position. From management, they want to hear about new information, new risks, or new plans being executed, and that can be a lot; Archambeau figures she has been on board-related calls at least once a day, if not more. At the same time, however, directors don't want to burden management too much, since the executive team has plenty to do already. 
<br></p><p style="text-align:left;">"It's very important at this unusual time to trust management, and let them do their job of running the company," says Alpa Parikh, who was chief audit executive at Puget Sound Energy until last fall and now serves on the audit committee of a Seattle-area social services non-profit. Her operating principle these days: Don't ask unnecessary questions of management; do think about the long-term implications of short-term actions the organization takes to keep operations alive right now. <br></p><p style="text-align:left;">That makes sense. Ill-advised actions today could constrain a company's strategic choices tomorrow, next month, or next year — and that's what a board is supposed to prevent. In that case, several issues rise to the top of corporate directors' concerns.<br></p><h2>Keeping Things Going<br></h2><p style="text-align:left;">Foremost are questions about the organization's cash position, and its ability to continue as a going concern even if COVID-19 drags on for many months. (And let's not kid ourselves, it probably will.)  So, for example, one specific priority would be an organization's ability to preserve the cash it has. That means directors will want to know about spending and hiring freezes, and also about approval processes for significant expenditures — including whether those processes are sufficiently tight, given the company's projected cash flows. <br></p><p style="text-align:left;">Then again, Wendy Pfeiffer, on the audit committees of cybersecurity firm Qualys and consulting business SADA, says companies can't forget about "market moments" either, such as the chance to pick up a merger target on the cheap or to launch a new line of business. 
<br></p><p style="text-align:left;">You can't do those things without cash, so cash preservation is important; but directors also want to know that management is trying to maintain strategic perspective and flexibility, too, so the company can jump on a good moment when one arises. <br></p><p style="text-align:left;">OK, that concept is easy enough to grasp. Here in the real world, however, audit committees are trying to understand such issues while the economic ground keeps shifting. Well-understood key performance indicators or key risk indicators might no longer fit. Models of expected customer behavior, sales cycles, liquidity, or supply chain risks could all unravel. <br></p><p style="text-align:left;">Directors are acutely aware of that possibility, and want assurance that management — and audit teams — are trying to stay ahead of such shifts. That means lots of scenario-planning. "Leverage your analytical skills to figure out what the scenarios might look like and capitalize on strategic agility," Parikh says.  <br></p><p style="text-align:left;">And audit committees still have their day jobs overseeing the financial reporting function. Regulators have published a laundry list of accounting items that could be difficult to calculate these days, and those items are sure to be concerns for the audit committee, too. <br></p><p style="text-align:left;">Among the issues flagged: lease modifications if a company starts giving back space (which could actually goose the organization's income statement upward), impairment of goodwill or intangible assets (which could wallop the income statement and the balance sheet), revenue recognition, hedging, and more. COVID-19's effect on those items will involve a lot of subjective judgment. Audit committees will want to know that said judgment is sound and grounded in good data, as much as possible. 
<br></p><h2>Internal Audit's Role in Continuity Today<br></h2><p style="text-align:left;">As companies are scrambling to understand what their new risks are, and how to amend business processes to keep those risks at acceptable levels, internal audit has an important role to play. It is internal audit's job, after all, to perform critical assessments of emerging risks, use data analytics to build monitoring tools, and counsel management on possible changes to business processes. Those are crucial corporate capabilities as COVID-19 continues.<br></p><p style="text-align:left;">"We already have those skill sets that allow us to adapt quickly to things like this," Parikh says. "That overview is very important right now, when you can look at processes end to end, across different functions and areas within a company to assess risks and identify potential opportunities." <br></p><p style="text-align:left;">That's the nub of the COVID-19 challenge for organizations, really. Success isn't about having a business continuity plan per se, because those plans never match the disaster you actually face. They only bring the shortcomings in your plan into sharp relief. The<em> ability</em> to plan, even under today's enormously difficult circumstances, is what keeps an organization alive. <br></p><p style="text-align:left;">It's also what audit committees want to see from management teams: an ability to observe changing conditions and devise a response that won't trap the organization in a strategic or operational dead end.<br></p><p style="text-align:left;">"I'd rather have the human brain," Pfeiffer says. "I'd rather have people who are aware and engaged and have their own early-warning system and expertise and creativity." Then let those people collaborate their way to a feasible solution, "rather than work their way through a playbook." <br></p><p style="text-align:left;">Those are words for an audit team to live by. 
And if the first weeks of COVID-19 are any indicator, we'll be living by them for quite some time.<br></p>Matt Kelly
CAMs and the Audit Report: Brace for Impact (https://iaonline.theiia.org/2020/Pages/CAMs-and-the-Audit-Report-Brace-for-Impact.aspx)<p>Internal and external audit teams alike have entered a brave new world in the last year or so, as critical audit matters (CAMs) arrived as items to be included in the external auditor’s report. Now comes a crucial question: Will CAMs be an asteroid that slams into the annual audit process — or just a meteor shower that breaks up in the atmosphere? </p><p>CAMs are disclosures audit firms make in their audit report, to tell investors what the audit firm deems the most important accounting issues at the company. CAMs involve line items material to the business, and typically their issues will fall into one of two categories. Either the CAM will have weak controls that need attention; or it will be an item that involves subjective, complex judgment no matter how good or bad the controls are. </p><p>So far, only large accelerated filers have implemented CAMs, starting with companies whose fiscal years ended on or after June 30, 2019. All other companies will implement CAMs starting at the end of this year. </p><p>One school of thought is that despite all the angst that surrounded the development of CAM requirements in the 2010s, the inclusion of CAMs in the audit report won’t do much more than memorialize the same conversations that audit firms and internal audit functions have had for years. But will the process to reach those decisions be substantively different?</p><p>“No, not at all,” says Brian Tremblay, until recently the head of internal audit at Acacia Communications in suburban Boston. Critical audit matters, he says, are simply where audit firms devote most of their time and attention during the audit. 
That won’t change just because those issues are now written into the audit report.</p><p>Tremblay’s observation gets at a subtle but important point: what the word “critical” really means here. It does <em>not</em> mean that some accounting process is deeply amiss, like a patient in the critical care unit. It only means that the accounting issue is important, in the way that a solid foundation is critical to a whole house. </p><p>Now, can that foundation be a rickety mess that threatens the whole structure? Sure. So conversations ensue about how to repair the foundation as necessary. Conversations with audit firms about significant deficiencies or material weaknesses are no different. </p><p>“If we were not discussing those things before, we would have been incompetent in our jobs,” says Jan Babiak, chair of the audit committee at Walgreens Boots Alliance. She has served on boards where CAMs have come into force both in North America and Europe, and says the experience should not catch anyone — audit committee, management, or audit firm — by surprise. </p><p>Babiak gave the example of the corporate tax cut enacted by Congress in 2017. Audit committees were discussing the implications of that tax cut with management and auditors before the legislation was even final, let alone enacted. “By the time you get to something being in the opinion, it’s really old news — if you’re competent in what you do.” </p><p>OK, so successful implementation of CAMs depends on clear communication with the audit firm about difficult accounting issues. What should that look like for the legions of companies adopting CAMs for the first time this year? </p><h2>The Contours of CAMs</h2><p>One critical step will be a well-defined process to handle significant control deficiencies. A significant deficiency is not automatically a CAM unto itself — although it can be, or it can make a CAM much more likely. So resolving significant deficiencies in a consistent, productive way is crucial. 
</p><p>Manu Varghese, chief audit executive of Hira Industries in Dubai and previously controller at a Big Three U.S. automaker as it adopted CAMs, used a materiality threshold to grade the severity of control deficiencies. Anything that would affect the income statement by less than $3 million was minor; any effect from $3 million to $10 million was major. Any deficiency that had an effect of more than $10 million was classified as a significant deficiency, or a CAM, “and then management would have to fix it immediately.”</p><p>In Varghese’s case, “immediately” was within six months. The internal audit team created an action plan with management, which was presented to the external auditor and then to the audit committee. </p><p>What internal audit teams <em>don’t</em> want are disputes about significant deficiencies unfolding in front of the audit committee. “If that happens, you’re doing it wrong,” Tremblay says. </p><p>Then again, that’s always been the case: Internal audit, management, and the external auditor should have a method to resolve tensions about internal control issues before going in front of the audit committee. So to that extent, CAMs won’t cause any Big Bang change in how financial audits get done.</p><p>There’s another type of critical audit matter, too. At least some CAMs will exist simply because they are material to the financial statement and involve, as the audit standard says, “especially challenging, subjective, or complex auditor judgment” — even without any significant control deficiency.</p><p>That would be something like assessment of goodwill, contingencies for uncertain tax positions, or reserves for warranties. And sure enough, according to preliminary research of the first companies disclosing CAMs, the most common subjects were goodwill impairment, tax contingencies, and revenue recognition.  
</p><p>Those CAMs are not necessarily bad; they’re simply important to the financial statements, even if management is rock-solid confident in its judgment about them. “There are things that exist in every auditor’s file regardless of the ‘real’ risk,” Tremblay says. “Those things are just there because they’re judgments and estimates, and that’s the lay of the land.” </p><p>Varghese puts an even more philosophical spin on such CAMs. “We need to understand the risk and ask, ‘Can we live with it?’” he says. “If it’s wrong, we fix it. But if it’s just complex — I can live with complex.” </p><h2>Whither the Audit Committee</h2><p>A fair question to ask at this juncture is exactly what the audit committee’s role should be in CAMs. For example, the U.S. Securities and Exchange Commission (SEC) published a statement in December encouraging audit committees “to engage in a substantive dialogue with the auditor” about CAMs and how the external auditor planned to describe them. That’s fine advice, but really the SEC is just advising audit committees to maintain good diplomatic relations with their auditor.</p><p>The Public Company Accounting Oversight Board (PCAOB) spent much of 2019 interviewing audit committee chairs, and it found that most chairs already are satisfied with the relationship they have with their audit firms. It’s not like audit committee chairs are straining to dump their audit firms or encouraging investors to deride the audit report at the annual shareholder meeting.</p><p>One could argue that all the SEC and PCAOB attention to audit committees is a charm offensive intended to escort board directors past this truth: The audit firm decides what a CAM is — not management, not the audit committee. To a certain extent, audit committees are bystanders here. Sure, they’re bystanders who can protest loudly if CAMs start complicating the message that the board and management want to convey to investors. 
They are still relatively powerless to stop an audit firm determined to call an issue a CAM. </p><p>So the more internal audit and management can work with the audit firm to ensure a smooth, consensus-driven process to handle CAMs, the better. And let’s remember, ultimately CAMs are there to help the investor understand the risks of the company. </p><p>“Sometimes people fall asleep reading [audit reports],” Varghese quips. “The CAMs section will probably help focus the attention of the reader, and that’s great."</p>Matt Kelly
The Responsible Organization (https://iaonline.theiia.org/2020/Pages/The-Responsible-Organization.aspx)<p>In January, BlackRock CEO Larry Fink published an open letter to company CEOs warning them that if they didn't take immediate steps to help their businesses become more resilient to climate and environmental risks, they risk being dropped from pension fund portfolios. This kind of announcement has the ability to spark boardroom conversations during a time when the push for organizations to identify, mitigate, control, and disclose the myriad risks to their businesses to a wider range of stakeholders — not just shareholders — continues to gather pace worldwide. </p><p>Companies now report not only on the financial risks to their business, but also the nonfinancial risks they face. These risks include climate change, business ethics, human rights abuses, slavery and child labor, and their operations' impact on the environment — which fall under the realm of environmental, social, and governance (ESG) reporting. In fact, the current revision of the International Integrated Reporting Council's <IR> Framework aims to "further embed integrated reporting and thinking into mainstream business practice." </p><p>Yet despite such reporting progress, the consensus view of several experts is that many organizations are paying lip service, disclosing only the bare minimum of detail to comply or satisfy investors, regulators, and other stakeholders. Some organizations, meanwhile, are struggling to get their heads around what exactly they need to report — or how to do it, they add. </p><p>"Sustainability reporting is largely done as a paper exercise," says Lawrence Heim, managing director at audit and consulting firm Elm Sustainability Partners in Atlanta. He adds that "internal audit needs to be more involved in sustainability reporting, or become involved if it is not already part of the process." Such views are shared by other experts. 
</p><h2>Questionable Disclosures</h2><p>In the U.K., listed companies have a duty to disclose how sustainability risks may impact the long-term viability of the business and what steps management is taking to address them. But research from international accounting firm Mazars found that carbon emissions disclosures in the reports of FTSE-listed companies are "not fit-for-purpose" and are "in many cases a box-ticking exercise that does not appear to be integral to the way management runs the business." The Financial Reporting Council, the U.K.'s corporate governance regulator, and the European Union — where sustainability risk reporting has been mandatory for the past two years — have raised concerns about the quality of disclosures around sustainability risks.</p><p>Aside from nonfinancial reporting being voluntary for most organizations around the world, there are several reasons why efforts to improve sustainability reporting and risk management are failing. First, the bulk of all mandatory disclosures is still concerned with financial reporting and most of the effort goes into getting that right. Second, the term <em>sustainability</em> has become an umbrella buzzword for every risk that doesn't have an immediate financial price tag attached to it. Many organizations are either overwhelmed by the scale of work required to report meaningfully on the array of risks included, or are simply confused by the term and the issues being covered under ESG reporting (see "ESG Metrics" below). </p><p>[Image: "ESG Metrics"]</p><p>Experts have some sympathy, but they say that organizations — and internal audit — cannot be indifferent to the problem, and they stress the need for deeper audit involvement. 
</p><p>Heim says organizational sustainability is not clearly understood by either internal auditors or boards, and as a result, levels of assurance are decidedly mixed. Globally, he says there are more than 300 different ratings used by investors to assess ESG reporting, and it is unclear just what criteria they are using to base their assessments. </p><p>"There is no agreed on, single definition of what is meant by organizational sustainability," Heim says. "The term means different things to different sets of people, and to some extent, it's an umbrella term for a lot of nonfinancial risks. This is a nightmare for internal auditors."</p><h2>An Exercise in PR</h2><p>According to Heim, sustainability reporting is often done cheaply and usually by public relations (PR) or marketing people rather than anyone trained in ESG issues to provide an additional narrative to the financial figures. "These reports are not thorough, not validated, and contain inaccuracies, yet boards are happy to put their names on them," he says.</p><p>There are two trends in sustainability reporting that amount to PR and marketing exercises that Heim says internal auditors need to try to prevent their organizations from following. One is "greenwashing." This is when companies play up their environmentally friendly efforts and credentials, while downplaying — or ignoring entirely — the areas of their business that may be damaging to the environment, or that do not conform to stakeholder expectations of what constitutes long-term sustainability. The other is "greenwishing," where they talk about what they hope to achieve versus what they've actually implemented. This includes a reduction in carbon emissions, reduced waste, lower energy and water usage, increased telecommuting, cuts in air travel, and so on. </p><p>Robert Pojasek, senior strategist at risk and ESG consultancy Strategic Impact Partners in Boston, agrees that sustainability reporting leaves a lot to be desired. 
"The primary focus of the sustainability report is to improve its ranking in rating schemes, such as the Corporate Knights, Newsweek, Corporate Responsibility Top 100, and similar ratings," he says. To ensure accuracy and meaningful disclosure, he says, "auditors need to provide assurance to the board that the information meets their financial, risk, and ESG reporting requirements before it is released to the public."</p><h2>Guidance Is Lacking</h2><p>Organizations are using stand-alone sustainability programs with separate reporting, which means the claims made in sustainability reports cannot be independently verified or appropriately benchmarked, Pojasek says. As such, there is some reluctance to accept them because of a lack of rigor associated with the collection of the information, as well as a lack of internal auditing of the data-gathering activity. Many investment firms, for example, will not accept ESG information in their sustainability report because it is not complete and it is not independently verified. </p><p>Part of the problem, Pojasek says, is that there is little guidance for internal auditors because of the array of functions involved in collecting the data: sustainability teams, consultants, corporate social responsibility teams, and corporate citizenship groups, among others. "It is difficult for internal auditors to understand the sustainability program because there are few practice guides available and auditors are confused by the different kinds of stand-alone sustainability programs," he says. </p><p>Pojasek says internal auditors also may lack knowledge and experience in sustainability reporting because there is no mandatory requirement to do so in disclosures to the U.S. Securities and Exchange Commission, as such information is not often included in Form 10-K and 40-F. 
As a result, he says, "internal audit knowledge around sustainability programs is probably not as comprehensive as it could or should be as a result of not being involved in this activity." </p><p>Heim adds that voluntary reporting on ESG and sustainability issues often means that while the topics and risks are being discussed, they are not necessarily being audited. "Internal auditors are not looking at any figures around ESG because they're not related to financial results, so these figures are published without challenge or any real assurance," he says. </p><p>"It should be impossible for any company report to be made public without checking that the statements are accurate, so sustainability reporting is certainly an area where internal audit can get more deeply involved," Heim says. "Internal audit has the skills to question the basis of these reports — how they were put together, by whom, and using what information or evidence — and it should have a duty to flag up to the board the risks of publishing material or claims that have not been checked or may be false." </p><h2>A United Front</h2><p>Douglas Hileman, an internal audit, risk, and compliance consultant based in Los Angeles, agrees that internal audit is often excluded from reviewing sustainability strategies and reporting — mainly due to competing priorities and a lack of budget. "There's very little time, energy, or expertise to look at ESG risks, reputation risk, third-party risk management, human rights, slavery, health and safety, cyber risk, and so on," he says. "The audit committee decides internal audit's priorities, and at the moment, sustainability risk is not a top item on their agenda." </p><p>Internal audit can try to address this imbalance. First, Hileman says, internal audit should present sustainability in terms of current and long-term business risks. "Boards and management get risk — a lot of them don't get sustainability. 
If internal audit approaches sustainability like any other risk assessment, executives will take more notice."</p><p>Second, Hileman notes, internal audit should present a business case to incorporate sustainability into strategy. Executives need to be talked to in a language they understand, and they don't like making investments that don't pay off. "Provide evidence that shows that acting more sustainably adds value — operationally, in assuring compliance, reputationally, and even financially," he says. "The area is dynamic, so by acting strategically now they can get ahead of competitors and be better prepared and more resilient for future risks, including environmental risks."</p><p>Third, he says, internal audit should collaborate with other assurance functions — compliance, risk management, environmental, and in-house legal — to "push the case for better aggregated understanding and management of sustainability risk. Clear, concise communication of sustainability risk — and opportunities — can attract the attention and resources it deserves and can also offer a vehicle for internal audit to demonstrate how it can add value to the organization."</p><p>There will be greater scope for internal audit to provide assurance on sustainability issues going forward, says Vanessa Havard-Williams, partner and global head of environment at the London office of international law firm Linklaters. "As organizations — particularly large corporations — begin to integrate sustainability impacts at a detailed level into their enterprise risk management frameworks, internal audit will get more closely involved in reviewing them and providing assurance on their effectiveness to the board," she says.</p><p>"Executives are well aware of the damage that a tarnished reputation can have on the company's bottom line and customer base," says Fay Feeney, CEO of emerging risk strategy consultancy Risk for Good and a board member in Hermosa Beach, Calif. 
"So internal audit should make it clear that an organization's failure to commit to sustainable business practices will damage the corporate brand among a wide variety of stakeholders, including employees." </p><p>Feeney also warns that auditors need to be prepared to acknowledge that board members are overconfident about the organization's capability to manage risks, as noted in The IIA's OnRisk 2020 report. As a result, she says, "internal auditors need to assess their boards' understanding against their knowledge of sustainability risks as there are likely to be gaps in their knowledge and areas where they do not fully understand what needs to be done, and what impact these risks can have on the business, its operations, and supply chains."</p><h2>Speak the Same Language</h2><p>Paul Sobel, chair of The Committee of Sponsoring Organizations of the Treadway Commission, says internal audit needs to make sure the board — and everyone else in the business — speaks the same language around sustainability so the issues, risks, opportunities, and the organization's long-term goals are understood in the same way. If everyone involved is thinking about risk in the same way, he says, "it will be easier to discuss and appreciate the risks to the organization — and what responses are needed — in the same way, too."</p><p>Sobel adds that internal audit needs to think about the value proposition around sustainability and push the business case for change, rather than follow most boards' leads to consider it as a cost or compliance headache. "Internal audit needs to look at what future investor, regulatory, and stakeholder expectations are likely to be regarding sustainability risk management and reporting and push for management and the board to move in line — or ahead — of them," he says. "This means keeping up to date with best practice, reviewing ongoing trends, and engaging more robustly with stakeholders."</p><h2>Changing Priorities</h2><p>When 181 U.S. 
CEOs signed the Business Roundtable's new Statement on the Purpose of a Corporation last August, they committed to, among other things, "respect the people in our communities and protect the environment by embracing sustainable practices across our businesses." With support from major U.S. companies to adopt sustainable business practices and embed reporting — and practice what they preach — the expectation is that other organizations need to follow suit, if they aren't already.</p><p>Internal audit needs to get more involved and leverage sustainability to find potential business opportunities and use them to offset the business threats, Pojasek says. "Auditors need to look for the upsides of risk." To do that, he says auditors need to raise questions that can help their organizations enjoy enhanced value: Are there ways to turn what looks like a costly threat into sustained value for the corporation? Does this provide a better way to make sustainability a key part of how the business is operated to secure long-term financial growth? Does this structured form of sustainability and uncertainty risk afford a new opportunity to look at the supply chain?</p><p>There is little doubt of the need for organizations to review their long-term viability and resilience in light of external risks, particularly around the environment and climate change. </p><p>If threats such as BlackRock's do not make boards sit up and pay attention — nothing will. And if boards do not make a greater effort to consider sustainability as a key risk issue, it appears likely that shareholders will do so, as evidence shows investors are becoming increasingly activist about how they want companies to be run, and the priorities they want to see in the boardroom.<br></p>Neil Hodge
Auditing Culture: Familiar Techniques (https://iaonline.theiia.org/2020/Pages/Auditing-Culture-Familiar-Techniques.aspx)<p>The idea of auditing culture can be intimidating to internal auditors. How can you find objective evidence about something that is inherently subjective? Do you need strange new techniques and psychologists on the audit staff? <br></p><p>Fortunately, internal auditors can accomplish a great deal without the need for a radically different approach. A combination of well-known audit techniques, applied more rigorously by practitioners looking for cultural issues, can go a long way. Four techniques, in particular, can yield valuable information:</p><ul><li>Establishing a participative relationship with audit clients.</li><li>Observing culture while on site.</li><li>Leveraging data that gives perspective on the culture and supports audit observations.</li><li>Carrying root cause analysis further than usual.</li></ul><p>Incorporating these approaches into routine internal audit work gives practitioners insight into organizational culture and can surface issues critical to the organization's continued success.<br></p><h2>Participative Relationship</h2><p>Establishing participative relationships is perhaps the most important technique, as audit clients are far more likely to discuss their culture if they feel involved in the audit process. This involvement can come during three stages of an audit project.<br></p><p><strong>Planning </strong>Auditors commonly get input from the manager responsible for the area they're reviewing. Some auditors go further and actually plan the audit with that manager. Together, they develop the specific audit objectives, scope, and overall approach. <br></p><p>Does planning the audit with the client compromise independence? 
It would if the auditor is not thinking critically; but if the client tries to divert internal audit from looking into a risk area, an experienced auditor is likely to recognize it.<br></p><p>For example, as part of the planning process the auditor presumably would explain why he or she thinks a risk area should be examined; the client might then explain why it would be a waste of time. If the client's explanation makes sense, the auditor thanks the client and explains that internal audit needs to confirm what he or she says. If confirmation is established, the auditor saves time. If not, or if what the client says does not make sense, the auditor sees the attempted diversion as a red flag and looks into the risk area with that in mind. <br></p><p>Audit clients are likely to be concerned about how much of their time the joint planning process will take. Internal audit should promise to minimize the impact by performing all the detailed analyses and keeping the planning at a high level.<br></p><p><strong>Risk Assessment </strong>Once the audit objective and scope are agreed upon, the auditor performs a more detailed risk assessment of the key risk areas. Involving the manager in the assessment — or his or her direct reports if the manager can't take the time — has many benefits. First, business owners know their risks better than an auditor coming in from the outside; most of them are just not used to thinking about risk in a systematic way. Guiding the client through a risk assessment gives the auditor a better understanding of the real risks and helps the client become a better risk manager. For auditing culture, it allows the auditor to guide the client's thinking toward cultural objectives and risks to address during the audit. <br></p><p><strong>Reporting </strong>The best way to "report" audit issues — and this is especially true for sensitive cultural issues — is not by telling the client they exist. 
The most effective way is showing the evidence, enabling clients to realize for themselves that there's a problem. Ideally, the discussion begins before the auditor has all the evidence, when he or she thinks there's an issue but is not quite sure.<br></p><p>For example, suppose an area's staff members complain of unrealistic performance targets. The auditor, being careful to preserve confidentiality, could ask their manager if he or she is aware of the staff's concerns. If the auditor can pique the manager's interest in whether it's true or not, they can design a test to determine that together. If the results indicate it's false, the client will have evidence to show the staff and dispel a morale issue. If the results indicate it's true, the manager is much more likely to be receptive, having asked for the information and helped design the test. <br></p><h2>Observations and Data </h2><p>In any area they review, auditors observe the behavior and attitudes of client management and staff. Their perceptions of the culture are generally accurate, but they are subjective. For most internal auditors, reporting a cultural issue based only on observations results in a fight they can never win. The good news is that there is usually objective data to support those observations.<br></p><p>A negative culture, for example, usually results in high rates of turnover and sick time. These statistics are readily available. Employee survey and exit interview results can also support the auditors' observations and sometimes help identify the cause. A review of customer complaints, frequency of missed performance targets, or project failures can show the impact of the cultural issue. 
For more examples of metrics that can support auditors' observations, see <a href="/2019/Pages/Auditing-Culture-Observation-and-Data.aspx">"Auditing Culture: Observation and Data</a>."<br></p><h2>Root Cause Analysis</h2><p>When conducting training programs during the early to mid-1990s, I would often say that soft (i.e., cultural) controls are more important to controlling an organization than hard controls. I would present tools like control self-assessment workshops, employee surveys, and structured interviews as ways to identify soft control weaknesses. Sometimes a trainee would ask, "If you just did transaction testing and really got at the cause of hard control deficiencies, wouldn't you get to the same place?" The answer is yes, but that rarely happens. Auditors usually stop short, ending with a more objective, easily defensible intermediate cause.<br></p><p>Today, in my course for new internal auditors I like to illustrate root cause analysis by starting with a hypothetical example where auditors discover inaccuracies on a computer report. I then ask the class to identify potential reasons for the erroneous report. A typical, though abbreviated, exchange between myself and the course participants looks something like this: <br></p><p><span class="ms-rteStyle-IndentBoth">"Why is this information not accurate?"<br></span></p><p><span class="ms-rteStyle-IndentBoth">            "Input errors"</span></p><p><span class="ms-rteStyle-IndentBoth">"Why are there input errors?"<br></span></p><p><span class="ms-rteStyle-IndentBoth">            "Lack of training"</span></p><p><span class="ms-rteStyle-IndentBoth">"Why haven't the input clerks been properly trained?"</span></p><p><span class="ms-rteStyle-IndentBoth">            "No budget for training"</span><br></p><p>At this point I explain the need to look at the effect of the errors. If the organization shifts funds to training, those funds have to come from somewhere else. 
The loss of funds elsewhere might have a worse effect than these errors:<br></p><p><span class="ms-rteStyle-IndentBoth">"So let's say the effect of these errors is clearly great enough that training is needed, but local management is allocating its budget as best it can."</span></p><p><span class="ms-rteStyle-IndentBoth">            "Then they need a budget increase."</span></p><p><span class="ms-rteStyle-IndentBoth">"Why isn't upper management giving them enough money to train their staff?"</span></p><p><span class="ms-rteStyle-IndentBoth">           "Upper management just looks at numbers and has no idea of the impact of their decisions on lower level employees."</span><br></p><p>Now we have the real root cause. And as often happens when analysis leads to the executive level, the cause is a cultural issue. Correcting it will not just correct the condition, but it will prevent future instances of the same or similar conditions. In this example, the root cause has a pervasive impact on the entire organization — Wells Fargo provided a clear example of what that can lead to.<br></p><p>Of course, upper management is not going to change its approach to managing the organization because of the errors on this computer report — it is one symptom of a deeper problem. The audit report will have to stop at an intermediate cause. The auditors, though, should keep track of this issue and look for similar issues in other audits. If they can connect the dots from enough audits, they may have sufficient evidence to at least discuss the underlying issue with upper management. And this points back to the importance of establishing a participative relationship with management. Finding a root cause on our own is rarely as effective as working with the client to identify it. 
This is especially true if the root cause is cultural.<br></p><h2>A Powerful Combination</h2><p>Taken together, a participative relationship with audit clients, auditors' observations supported by objective data, and rigorous root cause analysis is a powerful combination. None of these techniques is novel — they are things internal auditors have always done to some extent. Performing them more rigorously, with the goal of identifying cultural issues, can enable internal auditors to provide a deeper, more meaningful level of assurance. <br></p><p>Despite the value of these techniques, auditors should keep in mind that, even when performed together, they do not provide sufficient means to support overall conclusions about the organization's culture. Accomplishing that requires a model or framework that identifies the elements of the culture to be evaluated. And some of these elements might require other techniques.<br></p><p>Nonetheless, this multipronged combination should be a central part of the auditors' approach. Even without overall conclusions, internal auditors using these techniques can identify issues in their organization's culture that need to be addressed. 
And ultimately, that is the greatest value organizations derive from an internal audit assessment of culture.<br></p><p><em>Read other articles in this series:</em><br></p><p><a href="/2019/Pages/Auditing-Culture-History-and-Principles.aspx">Auditing Culture: History and Principles</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Bumps-in-the-Road.aspx">Auditing Culture: Bumps in the Road</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Where-to-Begin.aspx">Auditing Culture: Where to Begin</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Observation-and-Data.aspx">Auditing Culture: Observation and Data</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Audit-Project-Surveys.aspx">Auditing Culture: Audit Project Surveys</a><br></p><p><a href="/2020/Pages/Auditing-Culture-Employee-Surveys.aspx">Auditing Culture: Employee Surveys</a><br></p>James Roth
The Board and Whistleblowers (https://iaonline.theiia.org/2020/Pages/The-Board-and-Whistleblowers.aspx)<p>In 2018 the CEO of Barclays, Jes Staley, was castigated by British regulators for trying to unmask a whistleblower who had raised concerns about one of Staley's top lieutenants. Barclays' board clawed back a £500,000 bonus from Staley, and regulators fined him £640,000. Regulators in New York then hit Barclays, itself, with another $15 million penalty.</p><p>The year prior, life sciences company Bio-Rad had to pay nearly $8 million to former general counsel Sanford Wadler after he reported fears of possible bribe payments to government officials in China. The company sacked Wadler, who filed a whistleblower retaliation lawsuit. </p><p>Bio-Rad and Barclays are especially noteworthy because in both cases, the whistleblowers' allegations were later determined to be unfounded. An arbitrary approach to handling whistleblowers is what got those companies into hot water. In our highly regulated, highly litigious, highly transparent world, it always is. Hence the need for rigor — and the need for boards to assure that rigor exists. </p><p>"It's important to set up a process [for addressing whistleblower complaints] in advance because you have to take every one of these issues seriously," says Dotty Hayes, a former CAE at both Intuit and Hewlett-Packard and now chair of the board of directors at First Tech Federal Credit Union in San Jose, Calif., and a board member and audit committee chair at a range of organizations. "You can't do it haphazardly." </p><p>That point is true even if the allegation doesn't seem credible, and even if it's proven wrong, Hayes says. The last thing a board wants is to improvise a response.  </p><h2>Be Disciplined; Be Independent</h2><p>The good news is that truly grave whistleblower reports — allegations so serious that the board should oversee them, and should do so immediately — seem to be rare. 
"In my experience, if you have one or two a year that are significant and require high priority, that's a lot," says David Diamond, former head of internal audit at Lionsgate Entertainment, and now audit committee chair for The Daily Breath, a chain of Pilates studios in Brazil and the U.S. Likewise, Charlotte Valeur, CEO of the Global Governance Group and currently a director on seven boards, says that in 14 years of working in board governance, she has encountered only two instances of whistleblower allegations so serious that only the board could address them. </p><p>Again, so what? Boards don't know the veracity of a whistleblower allegation when the report first arrives. So establishing a consistent, disciplined, objective process to evaluate whistleblower reports is paramount.</p><p>"Independence on boards is key for whistleblowing," Valeur says. "If you don't have independent board members who can deal with it — and <em>will</em> deal with it, truly independently — everybody is at risk. The whistleblower is at risk, and the company is at risk."</p><p>In truth, that triage process is a nuanced tango between board and management. Boards might <em>receive</em> reports, but they should not <em>investigate</em> reports; that duty should go to trained professionals: internal audit, the compliance or legal team, human resources (HR), or even outside counsel. Even in grave scenarios such as allegations of CEO misconduct, the board should oversee that investigations are happening and moving forward — but not <em>participate</em> in the investigation, itself. "The last thing I want to do is be the investigator," Hayes says. </p><p>Conversely, management receives lots of reports, and might even investigate many of them without troubling the board. That's fine, so long as all parties have a clear understanding of which reports <em>should</em> be escalated to the board right away.</p><p>So what should that process look like? Who's involved in the triage? 
Typically a large company will outsource its whistleblower hotline; that's one layer of independence. A whistleblower might be able to select categories of complaint (accounting fraud, employee bullying, discrimination, theft, and so forth), or specialists at the outsourced hotline provider could assign one based on certain key phrases, issues, or even names the whistleblower might include.</p><p>A critical question is which categories of complaint should automatically go to the board, even if the board then bats the issue right back to audit, legal, or compliance for further action. For example, anything that mentions corporate accounting, compliance violations, or CEO misconduct should go to the board. If the issue involves personal misconduct rather than financial, consideration by a risk or governance committee might be the best option.  </p><p>Should the accused be informed of the allegations against him or her? Generally no, although some privacy rules in Europe can make that a complicated question best left to professional investigators. And should a company try to unmask a whistleblower? Pretty much never, since that action is a whisker away from retaliation and violates the spirit of following the facts wherever they may lead. ("It's irrelevant," Valeur says of the idea.)</p><p>And regardless of how any specific allegation is investigated, boards still need a process to oversee whistleblower reporting holistically. Valeur, for example, says she wants regular briefings on the total number of reports, the issues they involve, substantiation rates, and so forth. </p><p>"All companies over a certain threshold should have a mature process," Diamond adds. 
"If you don't, in this day and age, you're way behind."</p><h2>Speaking of Substantiation...</h2><p>Boards might also be surprised at this news: Whistleblower reports based on secondhand knowledge — that is, information passed along to the whistleblower from someone else; or that the whistleblower discovers by finding evidence of misconduct, without witnessing the act directly — tend to be more reliable than reports from people with firsthand knowledge. So says research from The George Washington University and the University of Utah, where academics studied 2 million whistleblower reports filed at more than 1,000 companies from 2004 through 2017. They found that management was 48% more likely to substantiate whistleblower reports based on secondhand information. Those reports were more likely to be about accounting and business integrity issues, too, while firsthand reports are more often about HR issues.</p><p>That makes sense when you think about it. People filing firsthand reports are usually claiming that they have somehow been wronged personally — and, yes, some portion of those reports will be false, or based on hot-headed judgments that don't hold up under scrutiny.</p><p>Whistleblowers with secondhand information, however, are claiming that something in the company is amiss. You typically wouldn't do that unless you care about the organization. And if you care about the organization, you're probably not involved in the misconduct, so it's more likely you have fragments of evidence. In other words, boards should welcome whistleblower reports based on secondhand information, even though that means more investigative spadework to find the truth.  </p><p>"Many times the report needs to be ferreted out," Diamond says. "A lot more details need to be derived to understand the full significance of the report."</p><p>True, but investigations are the subject for a different day. 
The importance of establishing a process to oversee whistleblower allegations in an objective, disciplined way and follow the facts where they lead — that advice is irrefutable. <br></p>Matt Kelly
Risk in Session (https://iaonline.theiia.org/2020/Pages/Risk-in-Session.aspx)<p>Executive sessions should be on the agenda of every audit committee meeting. This means that all members of management leave the room, and the chief audit executive (CAE) has time alone with audit committee members. Executive sessions enable the committee to share risk concerns candidly. Scheduling an executive session at every meeting makes it less unusual when the CAE needs to ask for a session to discuss a specific concern.</p><p>While audit committee agendas can be routine and well-defined, executive session agendas normally are less clear. Although the CAE may have a few prepared remarks, these sessions typically revolve around one question asked by the audit committee: “Is there anything we need to talk about this time?” Yet, CAEs can make these executive sessions more valuable by engaging committee members in a dialogue about the organization’s risk culture. </p><h3>Set the Agenda</h3><p>As with the full audit committee meeting, having an agenda for the executive session is helpful. This should be a casual agenda that is not distributed; instead, the CAE should use it to ensure the session covers all topics of interest. The executive session agenda can include standard updates and risk topics specific to committee member concerns.</p><p>Because committee members may not know what to ask CAEs during executive sessions, CAEs can engage the audit committee in a variety of topics, including risk culture — how the business understands and manages risk.</p><p>In preparing for executive sessions, CAEs can create a list of ongoing and meeting-specific topics that address risk culture. Examples include tone at the top, corporate culture, governance, or overall risk monitoring. 
CAEs can provide insight into these areas without the committee having to ask for it, while hearing committee members’ perspectives.</p><h3>Share Risk Perspectives </h3><p>Communication in executive sessions is a two-way street. The committee can provide valuable information to the CAE, while the CAE can share risk information and preferred action steps. During the session, the CAE can ask:</p><ul><li>What decisions is the board contemplating that may represent a strategy change?</li><li>What concerns do audit committee members have about specific strategies or risks?</li><li>What risks should internal audit prioritize? </li></ul><p>Additionally, listening to committee member concerns is valuable for understanding what they view as important. </p><p>For CAEs, targeted questions can yield details that may lead them to update the audit plan or add a project to ensure risk coverage is timely and relevant. For the committee, discussing a specific concern or question can prompt the CAE to share white papers or training information in the materials for future meetings. The better the committee understands risk and its true impact, the better it can influence the risk culture with the board and management.</p><h3>Request Focus or Action</h3><p>Because some topics can be politically charged, executive sessions exclude management to ensure open communication about sensitive topics. In the confidential environment of the session, CAEs can discuss risks that are not receiving necessary management focus along with recommended actions. For example, a change in privacy laws may require specific action by the organization. If the organization is not acting swiftly enough to comply, the CAE can alert the committee. </p><p>CAEs should share the specific requirements or a summary of the risk topic as background information for the committee, along with the potential impact and likelihood of occurrence. 
They should state whether the discussion is for the committee’s awareness only or if they are asking for action.  </p><p>These situations require tact. Unless the CAE is using the executive session to disclose fraud or wrongdoing by management, a no-surprises approach is best. In the privacy law example, the CAE should exhaust efforts to influence management to take appropriate action before bringing it up to the audit committee. As a courtesy, the CAE should inform management of plans to discuss the matter with the committee. </p><h2>Collaborate for Success</h2><p>Sharing risk culture successes with the audit committee during executive sessions can help it better understand how internal audit impacts the organization’s risk culture. For example, sharing ways that internal audit provided consulting or assurance services to a system implementation demonstrates the function’s key role and proactive risk approach. Moreover, these examples can help committee members see future anomalies with how internal audit may be positioned or used. <br></p>Sarah Duckwitz