Risk and Compliance



<h1>On the Money: Time to Revisit Financial Risk</h1><p><a href="https://iaonline.theiia.org/2020/Pages/On-the-Money-Time-to-Revisit-Financial-Risk.aspx">https://iaonline.theiia.org/2020/Pages/On-the-Money-Time-to-Revisit-Financial-Risk.aspx</a></p><p>A decade of unprecedented loose monetary policy designed to stimulate the global economy has been a godsend for businesses. Cheap financing has allowed companies to invest in growth and reward shareholders with share buybacks, pushing stock markets to record highs. Recent years have been good to CEOs.</p><p>Meanwhile, increasingly sophisticated automation and a belief that financial risks were relatively well-understood, compared with some emerging audit areas, mean that many internal audit functions had put financial risk on a back burner. But accommodating financial conditions also have allowed risks to build. "In advanced economies, corporate debt and financial risk-taking have increased, the creditworthiness of borrowers has deteriorated, and so-called leveraged loans to highly indebted borrowers continue to be of particular concern," Tobias Adrian, financial counselor of the International Monetary Fund, told an audience in April 2019 at the launch of the most recent Global Financial Stability Report.</p><p>It is hardly surprising then that financial risk has moved back toward the top of the list of business risks cited by chief audit executives in the Risk in Focus 2020 report, a collaboration among IIA institutes in Belgium, France, Germany, Italy, the Netherlands, Spain, Sweden, and the United Kingdom and Ireland. Nearly one-third of respondents listed it in their top five risks. 
As news headlines highlight a plethora of concerning indicators — anti-globalist trade policy, weak manufacturing data, the inversion of the yield curve on various government bonds, decelerating global growth, and other recessionary signals — boards and audit committees are increasingly likely to seek assurances that financial risk is being mitigated effectively.</p><h2>Coming Full Circle</h2><p>The management of financial risk on a day-to-day level lies ultimately with the finance function. Called the treasury in many countries, the finance function manages the business' liquidity and monitors cash inflows and outflows, current and projected, to ensure sufficient funds are available to support the company's operations and excess cash is invested effectively. Although finance is fundamental to the success of the business, it's useful for internal auditors to remember that some board members may have blind spots in their knowledge and awareness of the basics, particularly when it comes to the company's balance sheet.</p><p>"Nonfinance directors tend to be less familiar with the balance sheet and the cash flow statement than the profit and loss (P&L). By extension, they are typically less comfortable with the balance sheet lexicon, such as the true meaning of assets, liabilities, and equity," warns Steve Giles, a course leader at the London-based Institute of Directors on its Finance for Non-finance Directors learning program. "They are aware of concepts such as 'cash is king,' but do not readily translate this to the importance of managing working capital and the cash cycle in their business." He adds that the "corporate killer" is rarely a lack of profits, but the business' inability to pay debts when they are due.</p><p>This is why internal auditors in many sectors may now be urging boards to think seriously about market conditions and financial risks. 
In times of growth, when markets are calm, auditors conducting routine finance audits should watch for signs that the finance function is becoming complacent or that financial risk management standards are slipping. But when rising trade tensions combine with the highest-ever levels of corporate debt, they should scrutinize all aspects of financial risk, as earnings are likely to be under pressure.</p><p>"Trade wars are bad for everybody. Their ultimate impact is a movement toward lower earnings," says Pat Leavy, CEO at FTI Treasury, a Dublin-based treasury outsourcing and audit firm. "This combined with the presence of leverage obviously increases risk, but, from an audit perspective, when we're looking at individual companies, we need to understand the data we see." </p><p>Leavy explains that although gross corporate debt has risen, internal audit should focus more on net corporate debt. The risk is lower when corporations have high debt and also high levels of cash and liquid assets — a good example is the airline industry. "The focus should be on debt repayment capability, rather than profits and earnings before interest, tax, depreciation, and amortization alone," he says. "What we're really looking at is cash generation."</p><h2>Qualities of a Good Finance Function</h2><p>So, what does a good finance function look like, and what should internal auditors consider when they audit it? Leavy likens the quality of the finance function to Maslow's hierarchy of motivation. At the bottom of the pyramid is the quality of the infrastructure in place to manage the function: the resources and people, the competency of those people and the quality of the technology infrastructure, including any automation, and the commitment to the processes that are in place. 
The next level up is the control environment, the segregation of duties, the checks and balances, the flow of information, and compliance with those safety measures.</p><p>"As you move up the pyramid, it becomes more subjective," Leavy says. "Success at the next level depends on getting the right balance between developing strategy and managing the operations." Finance functions often spend 10% of their time on strategy and 90% on managing operations and getting the day-to-day work done. "In reality, getting the treasury strategy right can have a much more significant impact on the business," he says.</p><p>Finance functions often operate in isolation from the business and can be reactive. Ideally, they should be proactive and able to anticipate and be part of the corporate decision-making process. In this kind of finance function, the group treasurer moves up the value chain, working directly with the chief financial officer and risk committee to help define and achieve the corporate strategy. </p><h2>Where Audits Focus</h2><p>Similarly, Leavy says, finance audits tend to focus on the lower (although essential) rungs — operations controls and governance — and less on the finance function's strategy and how it enables the overarching corporate strategy. His points are echoed by Angela O'Hara, who spent five years as group assurance and risk director at an FTSE 100 chemicals and technology company before recently stepping into a director role. She also sits on the finance and general purposes committee of the Royal Veterinary College. O'Hara says limited resources meant that the finance audit she oversaw was outsourced and focused almost entirely on the basics.</p><p>"That audit looked at processes and governance, but not at the impact of the financial risks in the business and the treasury's role in relation to those risks," she explains. 
Auditors assessed how well the finance function managed bank accounts, and whether it reviewed the business' credit rating and funding arrangements regularly, as well as access rights for critical systems, the payment and processing platform, and foreign exchange (forex) trading. "But it didn't look at, for example, whether there had been a forex gain or loss, what led to that, and whether there should be changes to the roles and responsibilities associated with that," she says.</p><p>O'Hara says it is common for internal audit to assess how a function is set up, but there is additional value to add in assessing that function's effectiveness and what it means for the business. Reviewing structure, governance, policies, procedures, and key controls is fundamental. But, building on that, internal audit needs to challenge the function and its assumptions, even if it is not an expert on forex hedging or financing strategies. </p><p>"It's not a case of suggesting that what the treasury is doing is incorrect, but of raising questions that need to be considered in a rational and objective manner," Leavy adds. "And also of considering alternative approaches that might be more suitable and being open to that dialogue."</p><p>Alistair Smith, U.K. internal audit, risk, and control director at EDF Energy, says the transactional and frequent nature of finance activities makes them suitable for automation. However, in organizations using this kind of technology, internal audit should consider how key person risks and segregation of duties are managed. Another key risk, especially in long-established finance teams, is over-familiarity with the business, which can lead to "passive checking" of approvals for things like setting up new bank accounts. 
The best finance functions also will be able to provide metrics to demonstrate how they add value, whether through their forex hedging strategy or by optimizing financing.</p><h2>Standard Deviation</h2><p>Internal audit may not be able to predict whether the economy will go into recession, but there are more mundane matters that should be well-understood and managed. Changes to International Financial Reporting Standards (IFRS), for example, can catch finance functions off guard in companies that are required to comply with them.</p><p>IFRS 15, which came into effect in January 2018, requires that businesses subject to IFRS recognize revenues only when they are collected and not when customer contracts are signed, a change that has affected the top lines of high-profile companies. IFRS 16, which went live in January 2019, also has caused some turbulence. The new standard requires that payments made on operating leases — used for property and equipment in asset-heavy industries — must for the first time be reported as a liability on balance sheets. In September, FTSE 100 construction rental business Ashtead reported a huge jump of £1.4 billion ($1.8 million) in its net debt to £5.2 billion ($6.8 million) in the second quarter, well over half of which directly resulted from the accounting switch.</p><p>"The one we are coming across more and more is IFRS 9 on the impairment of intercompany loans," Leavy cautions. "There may be a requirement to calculate potential credit losses and include that as an impairment charge on intercompany debt. 
So suddenly there can be a movement on the P&L as the result of an accounting amendment, and intercompany lending is a bread-and-butter issue for every large corporation with an international footprint."</p><p>Another consideration for global businesses is the finance function's strategy of cash pooling, whereby the debit and credit balances of numerous subsidiaries' accounts are aggregated, allowing them to centralize group liquidity management. This can improve the interest terms they are offered when they raise finance and optimize cash flow within the group.</p><p>Certain jurisdictions, however, place restrictions on the strategy. "Notional cash pooling," a virtual rather than physical concentration of cash, is prohibited in Argentina, Brazil, Chile, India, Mexico, Sweden, Turkey, and Venezuela, in favor of physical pooling. India has even stricter rules that forbid cross-border physical pooling. Internal audit departments working across geographically diverse businesses should bear in mind the complications that can arise from subsidiaries that may sit outside of the pool.</p><p>"You need to look at those outliers as well as at the big risks," O'Hara says. "Clearly there is a big gross risk in the central treasury function, but each of the outliers could impact the P&L."</p><p><em>A version of this article first appeared in the November 2019 issue of </em>Audit & Risk<em>, the magazine of the Chartered Institute of Internal Auditors. Adapted with permission.</em></p><p>Brendan Scott</p>
<h1>Auditing Culture: Familiar Techniques</h1><p><a href="https://iaonline.theiia.org/2020/Pages/Auditing-Culture-Familiar-Techniques.aspx">https://iaonline.theiia.org/2020/Pages/Auditing-Culture-Familiar-Techniques.aspx</a></p><p>The idea of auditing culture can be intimidating to internal auditors. How can you find objective evidence about something that is inherently subjective? Do you need strange new techniques and psychologists on the audit staff?</p><p>Fortunately, internal auditors can accomplish a great deal without the need for a radically different approach. A combination of well-known audit techniques, applied more rigorously by practitioners looking for cultural issues, can go a long way. Four techniques, in particular, can yield valuable information:</p><ul><li>Establishing a participative relationship with audit clients.</li><li>Observing culture while on site.</li><li>Leveraging data that gives perspective on the culture and supports audit observations.</li><li>Carrying root cause analysis further than usual.</li></ul><p>Incorporating these approaches into routine internal audit work gives practitioners insight into organizational culture and can surface issues critical to the organization's continued success.</p><h2>Participative Relationship</h2><p>Establishing participative relationships is perhaps the most important technique, as audit clients are far more likely to discuss their culture if they feel involved in the audit process. This involvement can come during three stages of an audit project.</p><p><strong>Planning </strong>Auditors commonly get input from the manager responsible for the area they're reviewing. Some auditors go further and actually plan the audit with that manager. Together, they develop the specific audit objectives, scope, and overall approach.</p><p>Does planning the audit with the client compromise independence? 
It would if the auditor is not thinking critically; but if the client tries to divert internal audit from looking into a risk area, an experienced auditor is likely to recognize it.</p><p>For example, as part of the planning process the auditor presumably would explain why he or she thinks a risk area should be examined; the client might then explain why it would be a waste of time. If the client's explanation makes sense, the auditor thanks the client and explains that internal audit needs to confirm what he or she says. If confirmation is established, the auditor saves time. If not, or if what the client says does not make sense, the auditor sees the attempted diversion as a red flag and looks into the risk area with that in mind.</p><p>Audit clients are likely to be concerned about how much of their time the joint planning process will take. Internal audit should promise to minimize the impact by performing all the detailed analyses and keeping the planning at a high level.</p><p><strong>Risk Assessment </strong>Once the audit objective and scope are agreed upon, the auditor performs a more detailed risk assessment of the key risk areas. Involving the manager in the assessment — or his or her direct reports if the manager can't take the time — has many benefits. First, business owners know their risks better than an auditor coming in from the outside; most of them are just not used to thinking about risk in a systematic way. Guiding the client through a risk assessment gives the auditor a better understanding of the real risks and helps the client become a better risk manager. For auditing culture, it allows the auditor to guide the client's thinking toward cultural objectives and risks to address during the audit.</p><p><strong>Reporting </strong>The best way to "report" audit issues — and this is especially true for sensitive cultural issues — is not by telling the client they exist. 
The most effective way is showing the evidence, enabling clients to realize for themselves that there's a problem. Ideally, the discussion begins before the auditor has all the evidence, when he or she thinks there's an issue but is not quite sure.</p><p>For example, suppose an area's staff members complain of unrealistic performance targets. The auditor, being careful to preserve confidentiality, could ask their manager if he or she is aware of the staff's concerns. If the auditor can pique the manager's interest in whether it's true or not, they can design a test to determine that together. If the results indicate it's false, the client will have evidence to show the staff and dispel a morale issue. If the results indicate it's true, the manager is much more likely to be receptive, having asked for the information and helped design the test.</p><h2>Observations and Data</h2><p>In any area they review, auditors observe the behavior and attitudes of client management and staff. Their perceptions of the culture are generally accurate, but they are subjective. For most internal auditors, reporting a cultural issue based only on observations results in a fight they can never win. The good news is that there is usually objective data to support those observations.</p><p>A negative culture, for example, usually results in high rates of turnover and sick time. These statistics are readily available. Employee survey and exit interview results can also support the auditors' observations and sometimes help identify the cause. A review of customer complaints, frequency of missed performance targets, or project failures can show the impact of the cultural issue. 
For more examples of metrics that can support auditors' observations, see <a href="/2019/Pages/Auditing-Culture-Observation-and-Data.aspx">"Auditing Culture: Observation and Data"</a>.</p><h2>Root Cause Analysis</h2><p>When conducting training programs during the early to mid-1990s, I would often say that soft (i.e., cultural) controls are more important to controlling an organization than hard controls. I would present tools like control self-assessment workshops, employee surveys, and structured interviews as ways to identify soft control weaknesses. Sometimes a trainee would ask, "If you just did transaction testing and really got at the cause of hard control deficiencies, wouldn't you get to the same place?" The answer is yes, but that rarely happens. Auditors usually stop short, ending with a more objective, easily defensible intermediate cause.</p><p>Today, in my course for new internal auditors I like to illustrate root cause analysis by starting with a hypothetical example where auditors discover inaccuracies on a computer report. I then ask the class to identify potential reasons for the erroneous report. A typical, though abbreviated, exchange between myself and the course participants looks something like this:</p><p><span class="ms-rteStyle-IndentBoth">"Why is this information not accurate?"</span></p><p><span class="ms-rteStyle-IndentBoth">            "Input errors"</span></p><p><span class="ms-rteStyle-IndentBoth">"Why are there input errors?"</span></p><p><span class="ms-rteStyle-IndentBoth">            "Lack of training"</span></p><p><span class="ms-rteStyle-IndentBoth">"Why haven't the input clerks been properly trained?"</span></p><p><span class="ms-rteStyle-IndentBoth">            "No budget for training"</span></p><p>At this point I explain the need to look at the effect of the errors. If the organization shifts funds to training, those funds have to come from somewhere else. 
The loss of funds elsewhere might have a worse effect than these errors:</p><p><span class="ms-rteStyle-IndentBoth">"So let's say the effect of these errors is clearly great enough that training is needed, but local management is allocating its budget as best it can."</span></p><p><span class="ms-rteStyle-IndentBoth">            "Then they need a budget increase."</span></p><p><span class="ms-rteStyle-IndentBoth">"Why isn't upper management giving them enough money to train their staff?"</span></p><p><span class="ms-rteStyle-IndentBoth">           "Upper management just looks at numbers and has no idea of the impact of their decisions on lower level employees."</span></p><p>Now we have the real root cause. And as often happens when analysis leads to the executive level, the cause is a cultural issue. Correcting it will not just correct the condition, but it will prevent future instances of the same or similar conditions. In this example, the root cause has a pervasive impact on the entire organization — Wells Fargo provided a clear example of what that can lead to.</p><p>Of course, upper management is not going to change its approach to managing the organization because of the errors on this computer report — it is one symptom of a deeper problem. The audit report will have to stop at an intermediate cause. The auditors, though, should keep track of this issue and look for similar issues in other audits. If they can connect the dots from enough audits, they may have sufficient evidence to at least discuss the underlying issue with upper management. And this points back to the importance of establishing a participative relationship with management. Finding a root cause on our own is rarely as effective as working with the client to identify it. 
This is especially true if the root cause is cultural.</p><h2>A Powerful Combination</h2><p>Taken together, a participative relationship with audit clients, auditors' observations supported by objective data, and rigorous root cause analysis is a powerful combination. None of these techniques is novel — they are things internal auditors have always done to some extent. Performing them more rigorously, with the goal of identifying cultural issues, can enable internal auditors to provide a deeper, more meaningful level of assurance.</p><p>Despite the value of these techniques, auditors should keep in mind that, even when performed together, they do not provide sufficient means to support overall conclusions about the organization's culture. Accomplishing that requires a model or framework that identifies the elements of the culture to be evaluated. And some of these elements might require other techniques.</p><p>Nonetheless, this multipronged combination should be a central part of the auditors' approach. Even without overall conclusions, internal auditors using these techniques can identify issues in their organization's culture that need to be addressed. 
And ultimately, that is the greatest value organizations derive from an internal audit assessment of culture.</p><p><em>Read other articles in this series:</em></p><ul><li><a href="/2019/Pages/Auditing-Culture-History-and-Principles.aspx">Auditing Culture: History and Principles</a></li><li><a href="/2019/Pages/Auditing-Culture-Bumps-in-the-Road.aspx">Auditing Culture: Bumps in the Road</a></li><li><a href="/2019/Pages/Auditing-Culture-Where-to-Begin.aspx">Auditing Culture: Where to Begin</a></li><li><a href="/2019/Pages/Auditing-Culture-Observation-and-Data.aspx">Auditing Culture: Observation and Data</a></li><li><a href="/2019/Pages/Auditing-Culture-Audit-Project-Surveys.aspx">Auditing Culture: Audit Project Surveys</a></li><li><a href="/2020/Pages/Auditing-Culture-Employee-Surveys.aspx">Auditing Culture: Employee Surveys</a></li></ul><p>James Roth</p>
<h1>A Study in Risk Tolerance</h1><p><a href="https://iaonline.theiia.org/2020/Pages/A-Study-in-Risk-Tolerance.aspx">https://iaonline.theiia.org/2020/Pages/A-Study-in-Risk-Tolerance.aspx</a></p><p>The general public accesses more information more frequently and expects both private and government organizations to provide more services at a proportionate rate. Each successful technological advancement to provide this information has been accompanied by numerous failures — mistakes that expose vulnerabilities and consequently entrench a risk-averse mindset within organizations. A lack of risk-taking leads to unrealized opportunities and stifled innovation. Conversely, uncontrolled risk-taking can result in disaster. Trying to find a balance between the two can lead organizations to analysis paralysis. Measuring the risks that organizations currently take and those they are willing to take can help avoid over-analysis and enable timely, informed decision-making.</p><p>In 2016, the Canada Revenue Agency (CRA), which administers tax laws for the Government of Canada and most of the country’s provinces and territories, published its Risk Tolerance Tool to quantifiably measure the maximum level of risk exposure that management was willing to accept. The objective of this tool was to provide a basis for management discussions and to inform decisions on actions related to targeted risks. Initially, the CRA used the tool internally in yearly corporate risk profile cycles. It has since been piloted in the agency’s IT security function and internal audit department with positive results.</p><h2>The Tool</h2><p>When approaching risk analysis, distinguishing risk exposure from risk tolerance is critical. Organizations establish risk exposure based on the likelihood that a given risk will occur and its potential impact on the organization. Risk tolerance is the maximum amount of residual risk exposure that an organization is willing to accept while working toward an expected outcome. 
By comparing how these concepts are quantified, management and assurance providers can more effectively identify the risks that must be mitigated, those that do not require additional action, and even those existing in an overcontrolled environment.</p><h2>Make an Action Plan</h2><p>The risk tolerance portion of the tool consists of five clear tolerance criteria that are selected based on their relevance to audit engagements and their ability to be applied consistently from one engagement to the next:</p><ul><li>Maturity — The level of experience the agency has dealing with the issue or risk.</li><li>Criticality — How critical the service to which this risk applies is to the government or the CRA.</li><li>Sensitivity — The level of sensitivity that the CRA has toward this risk occurring.</li><li>Span of control — The level of control the CRA has over this risk.</li><li>Base profile — A consistent factor that lowers the tolerance to each risk.</li></ul><p>The first four criteria each receive a score out of 25; the lower the number of points, the lower the organization’s tolerance for the risk. A risk that is highly critical and sensitive, and for which the organization has a large span of control, would receive few or no points for those criteria. However, a risk with which an organization has a high level of experience would contribute to a higher tolerance, receiving up to 25 points to account for the organization’s maturity. The tool adds the points for each criterion to calculate the level of tolerance for each risk. But, because the organization is not fully tolerant of any risk, the tool applies a base factor uniformly to all risks by giving 0 points out of a possible 20 points. The final score is out of 120 (see “The Risk Tolerance Model” below). 
</p><p><img src="/2020/PublishingImages/Risk-Tolerance%20Model-rev.jpg" alt="The Risk Tolerance Model" style="margin:5px;width:850px;height:300px;" /></p><p>Auditors calculate the more traditional residual risk exposure by assessing the risk likelihood and the risk impact and multiplying them. Note that likelihood and impact each have a maximum of 5 points. Therefore, to obtain the residual risk score out of 100, the product of the likelihood times the impact is multiplied by 4. For example, if the likelihood is 3 and the impact is 5, the residual risk exposure would be 3 x 5 x 4 = 60. The tool then factors in the trend for a given risk by considering if it is increasing, decreasing, or stable; +20, -20, and 0 respectively. Adding the trend to the residual risk exposure results in a total risk exposure out of 120.</p><p>The tool compares total risk exposure with the total tolerance to determine if controls should be maintained, if the risk is in a caution zone, or if risk mitigation is required.</p><p>The CRA developed a slider figure alongside the risk tolerance tool to help management visualize the output of its risk analysis (see “Risk Tolerance Slider” below). By inputting the exposure and tolerance values into the slider bar, the user can quickly and clearly visualize the residual risk exposure in relation to the risk tolerance threshold and the necessary level of action. Auditors flag risks that are within the caution zone for closer observation. Although there is no mandatory requirement for mitigation, management can choose to mitigate or monitor the risk as it sees appropriate.</p><p>One of the CRA’s priorities when developing this tool was ensuring the flexibility and adaptability of the risk criteria. Users can modify these criteria based on organizational needs and scale them to fit any type of project. 
Because the scoring methodology remains constant across different criteria, organizations can maintain consistency in decision-making when assessing the need for intervention. Additionally, users can modify and adjust both the set of criteria and the weight attributed to each criterion over time to better reflect the organization’s risk environment. Therefore, although consistent criteria allow for comparability, auditors can tailor the tool to any audit phase, as long as it is consistent within that phase.</p><p><img src="/2020/PublishingImages/Risk-Tolerance_Slider.jpg" alt="Risk Tolerance Slider" style="margin:5px;width:600px;height:300px;" /></p><h2>Addressing Risk</h2><p>Internal audit’s use of the tool assessed the risks related to differing opinions of the audit client and audit team about the significance of a finding and internal audit’s recommendation — namely, where the client indicated no action was necessary.</p><p>The tool indicated to management that action was preferable and allowed the audit client to address the areas where risk exposure was above tolerance. Of the three risks related to the recommendation, management confirmed that one risk did not need to be mitigated. However, two risks with gaps between tolerance and exposure should be addressed with a balanced set of actions. Those actions included interim measures to mitigate a risk expected to be eliminated by a system change in a few years. Management may not have recognized the importance of acting on the risk until the system change, but the tool helped executives realize that the risk needed to be mitigated leading up to the system change.</p><p>Having audit client subject-matter experts fill out the risk tolerance tool helped them better understand the recommendation and the possible actions that they could take. 
This improved relationships between auditors and audit clients so clients could focus their energy on developing solutions for addressing identified gaps instead of negotiating recommendations. </p><p>By applying this stable risk-tolerance process, employees can have a consistent understanding of both the organization’s approach to risk and management’s risk mitigation criteria. This predictability also can lead to increased employee confidence in senior management’s decision-making and improved mitigation strategies by allowing management to concentrate on the most critical risks first.</p><h2>Applying the Tool Across the Organization</h2><p>During the pilot, internal audit management realized there are many other possibilities for using the risk tolerance tool in the audit and evaluation communities. Applying it within an organization’s risk-based audit planning process can facilitate the identification and subsequent triage of potential engagements, so it could focus on those with the highest exposure above tolerance. </p><p>Similarly, incorporating it into the planning phase of an audit could simplify the scope and depth of the audit program. This, in turn, may increase the audit’s effectiveness by focusing audit procedures on risks that have surpassed the caution zone. </p><p>In fact, since the first pilot in the reporting on recommendations, internal audit piloted the tool during scoping in the planning phase of one of its audits. Benefits to this approach are currently being analyzed. Also, internal audit successfully piloted the tool to determine if an outstanding management action plan had become obsolete as a result of changes to the environment that affected the underlying risks that led to the original recommendation. 
</p><h2>A Risk-aware Culture</h2><p>While the CRA continues to pilot and refine the risk-tolerance assessment approach within internal audit, other Canadian government departments have expressed interest in piloting the tool to identify additional applications. This has expanded intelligent risk-taking across the government. By promoting and getting employee buy-in for a more risk-aware culture, the possibilities for using the tool have become endless. </p><p>Louis Seabrooke</p>
<h2>Risk in Session</h2><p><a href="https://iaonline.theiia.org/2020/Pages/Risk-in-Session.aspx">https://iaonline.theiia.org/2020/Pages/Risk-in-Session.aspx</a></p><p>Executive sessions should be on the agenda of every audit committee meeting. This means that all members of management leave the room, and the chief audit executive (CAE) has time alone with audit committee members. Executive sessions enable the committee to share risk concerns candidly. Scheduling an executive session at every meeting makes it less unusual when the CAE needs to ask for a session to discuss a specific concern.</p><p>While audit committee agendas can be routine and well-defined, executive session agendas normally are less clear. Although the CAE may have a few prepared remarks, these sessions typically revolve around one question asked by the audit committee: “Is there anything we need to talk about this time?” Yet, CAEs can make these executive sessions more valuable by engaging committee members in a dialogue about the organization’s risk culture. </p><h3>Set the Agenda</h3><p>As with the full audit committee meeting, having an agenda for the executive session is helpful. This should be a casual agenda that is not distributed; instead, the CAE should use it to ensure the session covers all topics of interest. The executive session agenda can include standard updates and risk topics specific to committee member concerns.</p><p>Because committee members may not know what to ask CAEs during executive sessions, CAEs can engage the audit committee in a variety of topics, including risk culture — how the business understands and manages risk.</p><p>In preparing for executive sessions, CAEs can create a list of ongoing and meeting-specific topics that address risk culture. Examples include tone at the top, corporate culture, governance, or overall risk monitoring. 
CAEs can provide insight into these areas without the committee having to ask for it, while hearing committee members’ perspectives.</p><h3>Share Risk Perspectives </h3><p>Communication in executive sessions is a two-way street. The committee can provide valuable information to the CAE, while the CAE can share risk information and preferred action steps. During the session, the CAE can ask:</p><ul><li>What decisions is the board contemplating that may represent a strategy change?</li><li>What concerns do audit committee members have about specific strategies or risks?</li><li>What risks should internal audit prioritize? </li></ul><p>Additionally, listening to committee member concerns is valuable for understanding what they view as important. </p><p>For CAEs, targeted questions can yield details that may lead them to update the audit plan or add a project to ensure risk coverage is timely and relevant. For the committee, discussing a specific concern or question can prompt the CAE to share white papers or training information in the materials for future meetings. The better the committee understands risk and its true impact, the better it can influence the risk culture with the board and management.</p><h3>Request Focus or Action</h3><p>Because some topics can be politically charged, executive sessions exclude management to ensure open communication about sensitive topics. In the confidential environment of the session, CAEs can discuss risks that are not receiving necessary management focus along with recommended actions. For example, a change in privacy laws may require specific action by the organization. If the organization is not acting swiftly enough to comply, the CAE can alert the committee. </p><p>CAEs should share the specific requirements or a summary of the risk topic as background information for the committee, along with the potential impact and likelihood of occurrence. 
They should state whether the discussion is for the committee’s awareness only or if they are asking for action. </p><p>These situations require tact. Unless the CAE is using the executive session to disclose fraud or wrongdoing by management, a no-surprises approach is best. In the privacy law example, the CAE should exhaust efforts to influence management to take appropriate action before bringing it up to the audit committee. As a courtesy, the CAE should inform management of plans to discuss the matter with the committee. </p><h2>Collaborate for Success</h2><p>Sharing risk culture successes with the audit committee during executive sessions can help it better understand how internal audit impacts the organization’s risk culture. For example, sharing ways that internal audit provided consulting or assurance services to a system implementation demonstrates the function’s key role and proactive risk approach. Moreover, these examples can help committee members spot future anomalies in how internal audit is positioned or used. </p><p>Sarah Duckwitz</p>
<h2>A Plan for Regulatory Change</h2><p><a href="https://iaonline.theiia.org/2020/Pages/A-Plan-for-Regulatory-Change.aspx">https://iaonline.theiia.org/2020/Pages/A-Plan-for-Regulatory-Change.aspx</a></p><p>Noncompliance with laws and regulations carries potentially steep consequences for organizations. Fines, penalties, sanctions, debarment, and public relations nightmares are among the many impacts of compliance failure, not to mention the reputational damage and loss of business that may occur. Moreover, failure to identify and consider laws and regulations may result in missed business opportunities and lack of strategic alignment. In many ways, neglecting to address and manage regulatory change can lead to significant organizational harm. </p><p>In fact, The IIA’s recent OnRisk 2020 research identified regulatory change as one of the most critical risks facing organizations this year. Other risks included cybersecurity, data protection, business continuity, talent management, and third parties. Depending on the industry, each of the risks identified in the report may have a regulatory component. For example, organizations that fail to protect personal data through a cybersecurity control framework can face significant penalties. The data may have been processed through an insufficiently vetted third party, or by unqualified employees whose inclusion in the organization resulted from inadequate talent management. If a data breach occurs, the organization must be able to respond within regulatory time frames and, depending on the significance of the breach, possess reliable crisis response and business continuity plans. </p><p>Internal auditors have a responsibility, under the <em>International Standards for the Professional Practice of Internal Auditing</em>, to help ensure their organizations are addressing and managing regulatory risk effectively. 
According to Standard 2120: Risk Management, internal audit “must evaluate the effectiveness and contribute to the improvement of risk management processes.” More specifically, according to The IIA’s interpretation for this standard, “The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding … compliance with laws, regulations, policies, procedures, and contracts.” Practitioners may benefit from an assessment tool aimed at achieving that objective.</p><h3>The Assessment Model</h3><p>Using a top-down framework based on compliance guidance from the U.S. Federal Sentencing Guidelines, internal auditors can assess whether the organization is addressing and managing regulatory change effectively. Governments of other countries have emulated the guidance when outlining steps to ensure compliance with major laws and regulations. It can guide auditors, step by step, through a structured review of what’s to be expected by regulators in the management of regulatory risk. <br></p><p><strong>Identification of Laws and Regulations</strong> The group responsible for identifying regulatory change can vary from one organization to the next. Depending on the size, regulatory complexity, and maturity of the organization, internal auditors may be able to perform a top-down assessment of how well the enterprise risk management program, or risk management function, identifies and manages changes in regulatory risk. Moving down a level, if these functions do not exist or are ineffective, auditors can assess the overall compliance program, if one exists. Otherwise, the legal department may be responsible for identifying and disseminating information on changes in laws and regulations. And while not optimal, business management of each function, as the first line of defense, may hold sole responsibility for knowing and managing legal and regulatory changes, as well as regulatory risk overall. 
</p><p>To assess whether regulatory change is managed effectively, internal auditors should be aware of the common categories of laws and regulations that impact most organizations. These include employment/labor; tax; advertising; environment, health, and safety; financial crimes/anti-bribery/anti-money laundering/anti-trust; and data protection. Internal auditors must also be aware of the laws and regulations that impact their specific industry. Finding reliable sources of industry knowledge and perusing them regularly helps in the identification process. And while the best sources will vary depending on country and industry, one free resource that compiles global legal analysis from law firms is <a href="http://mondaq.com/" rel="nofollow">Mondaq.com</a>. Auditors may also find it helpful to develop relationships with those in the organization who would most benefit from sharing news of regulatory change.<br></p><p><strong>Risk Assessment </strong>Regulatory change risk assessment occurs after identification of regulatory and legal requirements. Internal auditors should examine the effectiveness of processes in place to assess how and where regulatory change will impact the organization, and how that information is communicated to those who need to know. As with the identification process, which function performs the risk assessment depends on the size, maturity, and regulatory complexity of the organization. <br></p><p><strong>Policy Development</strong> To help ensure all impacted employees — and in some cases even third parties — understand what is expected of them, the organization needs to provide an overview of the new law or regulation. Regardless of which function develops such policies, the organization should have a standard template, centralized storage location, and established controls for publishing, reviewing, and updating them. Assessment of these elements may be included in the internal auditor’s program.  
<br></p><p><strong>Compliance Procedures</strong> Organizations develop procedures to provide employees with the exact steps they need to perform to ensure compliance with changes in laws or regulations. Procedures may be developed by a dedicated function, a committee, the chief risk officer, compliance, the first line of defense, or other areas. They may be published at the same time, and even within the same document, as the corresponding policy. Internal auditors may determine whether policies are developed in a timely manner, are updated periodically, and describe the steps to be taken to ensure compliance. <br></p><p><strong>Regulatory Communication</strong> The organization’s communication on upcoming regulatory change may include general information about the change, implementation timing, and training. The targeted audience depends on who will need to comply. Communication may be in any form, including emails, intranet bulletins, and staff meetings. Regardless of the vehicle, communications about regulatory change should be maintained in a data repository as documentation for regulators, if needed. Internal audit may decide to assess the timeliness, effectiveness, and retention of the communication. <br></p><p><strong>Staff Training</strong> Effective training is key to ensuring that employees, and in some cases third parties, understand the regulatory change and the importance of compliance. Depending on the targeted audience, training may be general or include specific procedures. For example, everyone in the organization needs to know the importance of complying with anti-bribery and corruption laws and regulations. However, employees in the finance department may need detailed training on how to monitor payments to ensure compliance. </p><p>Training should be provided to the appropriate targeted populations — including new hires and new third parties — as applicable. 
The training should include information on available resources, as well as specifics on how to report potential issues of noncompliance. Depending on the topic, targeted population, and in some instances regulatory requirements, the training may be provided online or in person. Regardless of the offering, detailed records of training completion must be maintained, and an escalation procedure should be in place to follow up with individuals who have not completed the training.  <br></p><p><strong>Acknowledgment Procedure</strong> Employee and, in some instances, third-party acknowledgment of the regulatory change, and any corresponding policy and procedures, is critical to document and maintain. Acknowledgment often is tied to, or included in, training completion. An escalation process should be in place to ensure receipt, and documentation of follow-up efforts should also be maintained. Internal auditors can assess whether acknowledgments have been received and stored, and whether the escalation process has been followed. <br></p><p><strong>Whistleblower Hotline</strong> An anonymous reporting mechanism, or whistleblower hotline, represents an important element of the overall legal and regulatory compliance program. Many organizations outsource this responsibility to third-party providers, which offer the ability to report online or by phone. The topics that may be reported depend on the data privacy regulations in each country, although most at least allow reporting of noncompliance with financial laws and regulations. In some countries, however, anonymous reporting is discouraged. The most effective reporting mechanisms include vetting of potential compliance concerns or questions. </p><p>The organization needs to have formal procedures in place for conducting investigations. The procedures should involve the functions that will lead or conduct the investigations, as well as legal counsel. 
They should also specify how the crisis management plan will be triggered, and the insurance carrier notified, as applicable, and a process for closing and reporting on each investigation. Internal audit may be part of the intake process and investigation. Regardless, internal audit may include in its review an assessment of how concerns or potential issues of noncompliance brought to the hotline are handled, closed, and reported. <br></p><p><strong>Monitoring Controls</strong> The organization needs to implement monitoring controls to ensure that employees, and in some cases third parties, are following procedures. If procedures are not being followed, additional training may be warranted or disciplinary action may be taken, depending on the root cause. Often, the second line of defense establishes and performs the monitoring process. If that’s the case, internal audit can review the work of the second line to assess effectiveness. Monitoring may be continuous or performed at periodic intervals. Regardless, the organization needs to follow established time frames. <br></p><p><strong>Compliance Auditing</strong> Although often mistakenly combined with monitoring, auditing is a separate activity. Whereas the focus of monitoring controls is to ensure procedures are followed, auditing focuses on all of the elements that have been put in place to ensure compliance with regulatory change in a particular risk area. For example, a monitoring control to ensure compliance with insider trading laws may entail electronically scanning emails for keywords and phrases. Auditing for compliance with insider trading laws, on the other hand, would involve a review to ensure the establishment of policy, procedures, training, effective monitoring controls, and disciplinary action in the event of noncompliance. If the second line of defense is responsible for auditing the program’s elements, internal audit may assess its effectiveness. 
Otherwise, internal audit would perform the audit, including a review of all of the elements. <br></p><p><strong>Corrective Action</strong> The organization needs to take corrective action in response to monitoring, auditing, and investigations. Corrective action may mean implementing additional or different controls or training, or disciplining noncompliant employees. In the case of discipline, employees should be treated equitably, regardless of their position in the organization. For example, a lower-level employee should not be treated more harshly than a company officer for the same offense. Often, the organization assigns a committee to monitor equity of disciplinary measures across the board. </p><p>To ensure future compliance, control measures must be evaluated whenever noncompliance is discovered. The review needs to be conducted in a timely manner and include root cause identification as well as implementation of appropriate controls. <br></p><h3>Keeping Pace With Change</h3><p>Internal audit should serve as a trusted advisor to management by helping the organization address regulatory change. It all starts by understanding and staying current on industry-specific developments, and considering the regulations that may impact the organization. Using a top-down approach, internal audit may review the entire framework, the compliance program, or the specific elements in place, depending on its risk assessment. The right approach can enable internal auditors to get a bead on regulatory change and help ensure the organization is prepared for what lies ahead. <br></p><table cellspacing="0" width="100%" class="ms-rteTable-4" style="height:30px;"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:50%;"><p><strong>The Model in Practice</strong></p> <p>To demonstrate how the model works in practice, consider the high-risk area of data protection — more specifically, the European Union’s General Data Protection Regulation (GDPR). 
The regulation’s purpose is to strengthen and unify data protection for individuals within the EU, regardless of where their personal data is processed. Noncompliance with GDPR carries steep penalties, with fines of up to 4% of worldwide turnover. Following the model’s cadence, internal audit can perform a step-by-step examination of GDPR-related change impacting the organization. </p><p><strong>Step 1.</strong> After identifying relevant GDPR provisions, the organization performs a risk assessment to determine whether the regulation will impact it, and if so, how, where, and when. Because many organizations already have data protection controls in place, the assessment may include a gap analysis to determine changes or additions that may be needed to ensure compliance. <br></p><p><strong>Step 2.</strong> Because data protection constitutes an area of high risk, and given the entitywide importance of data protection compliance, the organization establishes a compliance policy. Specific procedures are developed for the marketing function, as just one example, to ensure all contacts are vetted before release of communications. <br></p><p><strong>Step 3.</strong> The organization develops messaging and disseminates it to employees, explaining GDPR requirements, their impact on the organization, and each individual’s responsibility for compliance. The communication informs employees that the organization is developing GDPR policy and procedures, and provides a time frame for rollout of these items.<br></p></td><td class="ms-rteTableOddCol-4" style="width:50%;"><br><p><br></p><p><span style="color:#222222;background-color:#6eabba;"><strong>Step 4.</strong><strong> </strong>The organization implements a training course for all employees that includes explanation of organizational policy on compliance with all data protection laws and regulations, and </span><span style="color:#222222;background-color:#6eabba;">specifically on GDPR. 
During the training, employees are required to acknowledge the GDPR policy. Meanwhile, the marketing department employees, as one example, are trained on vetting contacts for campaigns. </span><br></p><p><strong>Step 5.</strong> The organization has already established an anonymous reporting mechanism to help address any potential issues of noncompliance. However, it adds the data protection policy to both the hotline resources and the company intranet resource section.<br></p><p><strong>Step 6. </strong>The organization implements monitoring controls. For example, emails sent directly by individuals to more than 40 external recipients are reviewed each quarter for marketing content, to determine whether contact vetting controls may have been bypassed. <br></p><p><strong>Step 7.</strong> Internal audit either reviews the second line of defense’s program to ensure compliance with data protection regulations, or it reviews the specific elements that have been put in place, depending on the size, maturity, and regulatory complexity of the organization.<br></p><p><strong>Step 8.</strong> If monitoring controls reveal that procedures are not followed, or if internal audit finds that elements of the program are deficient, the organization initiates corrective action. <br></p></td></tr></tbody></table><p>Nancy Haig</p>
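<p>As an added example (not part of the article or of any organization's own tooling), the Step 6 monitoring control above expressed as detection logic over a constructed outbound mail log: messages an individual sent directly to more than 40 distinct external recipients are queued per calendar quarter for a reviewer to check for marketing content. The log fields, the organization domain and the sample records are assumptions made for the example.</p>

```python
"""Monitoring control for Step 6: flag outbound mail sent directly to more than
40 external recipients and queue it for quarterly review. Everything below
(record layout, internal domains, sample data) is constructed for illustration."""

from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Set

# Threshold taken from the article's example control ("more than 40 external recipients").
RECIPIENT_THRESHOLD = 40

# Assumed: domains owned by the organization. Recipients in these domains, or in
# their subdomains, are internal and do not count toward the threshold.
INTERNAL_DOMAINS: Set[str] = {"example.com"}  # placeholder organization domain


@dataclass
class Message:
    message_id: str
    sender: str
    sent: date
    recipients: List[str]  # To + Cc + Bcc as logged by the mail gateway (assumed)
    subject: str


@dataclass
class Flag:
    message_id: str
    sender: str
    sent: date
    external_count: int
    subject: str


def _domain(address: str) -> str:
    """Lower-cased domain part of an address, or '' if the address is malformed."""
    address = address.strip().lower()
    if address.count("@") != 1:
        return ""
    return address.split("@", 1)[1]


def is_internal(address: str, internal_domains: Set[str]) -> bool:
    """True for the organization's own domains and their subdomains."""
    dom = _domain(address)
    if not dom:
        return False
    return any(dom == d or dom.endswith("." + d) for d in internal_domains)


def count_external(recipients: Iterable[str], internal_domains: Set[str]) -> int:
    """Distinct external recipients; duplicates and malformed entries are ignored
    so that a padded recipient list cannot inflate or hide the count."""
    unique = {r.strip().lower() for r in recipients if _domain(r)}
    return sum(1 for r in unique if not is_internal(r, internal_domains))


def flag_bulk_external(messages: Iterable[Message],
                       internal_domains: Set[str] = INTERNAL_DOMAINS,
                       threshold: int = RECIPIENT_THRESHOLD) -> List[Flag]:
    """Return one Flag per message whose external recipient count exceeds the threshold."""
    flags: List[Flag] = []
    for m in messages:
        n = count_external(m.recipients, internal_domains)
        if n > threshold:
            flags.append(Flag(m.message_id, m.sender, m.sent, n, m.subject))
    return flags


def quarter_of(d: date) -> str:
    """Calendar quarter label such as '2020-Q1'."""
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def review_queue(flags: Iterable[Flag]) -> Dict[str, List[Flag]]:
    """Group flagged messages by quarter, matching the control's quarterly review cycle."""
    queue: Dict[str, List[Flag]] = defaultdict(list)
    for f in flags:
        queue[quarter_of(f.sent)].append(f)
    return dict(queue)


# Constructed sample log: only m1 crosses the threshold. m2 is a large internal
# send (subdomain of the organization domain); m3 pads its list with duplicates
# and a malformed entry but reaches only 20 distinct external recipients.
SAMPLE_LOG = [
    Message("m1", "ana@example.com", date(2020, 2, 3),
            [f"contact{i}@partner.example" for i in range(45)], "Spring promotion"),
    Message("m2", "ben@example.com", date(2020, 2, 4),
            [f"staff{i}@hr.example.com" for i in range(60)], "All-hands notes"),
    Message("m3", "ana@example.com", date(2020, 5, 9),
            [f"c{i}@partner.example" for i in range(20)]
            + ["c0@partner.example"] * 30 + ["bad-address"], "Follow-up"),
]

if __name__ == "__main__":
    for quarter, items in sorted(review_queue(flag_bulk_external(SAMPLE_LOG)).items()):
        for f in items:
            print(quarter, f.message_id, f.sender, f.external_count, f.subject)
```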
<h2>Auditing Culture: Employee Surveys</h2><p><a href="https://iaonline.theiia.org/2020/Pages/Auditing-Culture-Employee-Surveys.aspx">https://iaonline.theiia.org/2020/Pages/Auditing-Culture-Employee-Surveys.aspx</a></p><p>Employee surveys can be a valuable tool for assessing the workplace and spotting potential problems. And while organizations that use them often spend considerable time crafting their survey instrument, internal auditors may find opportunities to improve the content or administration of this key monitoring control. When the survey is tailored appropriately, its results can help auditors develop the periodic audit plan, scope audit projects, and better support audit results. <br></p><p>It is common for organizations to use the employee survey as a "pulse check" on their culture. It is less common for internal auditors to provide assurance on the survey's effectiveness in this capacity, or to use its output to improve their audit work. With the right approach, they can do both. <br></p><h2>Tailoring the Survey for Audit Use</h2><p>The city of Austin, Texas, conducts a citywide employee survey. At one point the city auditors compared its content to the "points of focus" in The Committee of Sponsoring Organizations of the Treadway Commission's <em>Internal Control–Integrated Framework</em>. The auditors found that the survey addressed most of the framework's content, except for ethics. They developed several ethics-related statements and persuaded Human Resources (HR) to add them to the survey. With these modifications in place, the audit team now uses the survey results for audit planning.<br></p><p>Taking a cue from the city auditors' approach, other internal auditors might consider suggesting changes to their own organization's survey. 
Sources of governance, risk, and control issues that might be addressed include: <br></p><ul><li> <em>The risk factors internal audit uses for audit planning.</em> Could additional survey statements provide insight into cultural risks related to these factors?<br></li><li> <em>Current professional guidance on culture.</em> A few of the cultural topics found in guidance documents are included in "Suggested Culture Topics" below.<br></li><li><p> <em>Survey statements used by others.</em> A selection of such statements appears in "<a href="/2020/PublishingImages/Auditing-Culture-Employee-Surveys2.pdf">Examples of Survey Statements on Cultural Topics.</a>" In addition, audit peers may be willing to share culture-related survey statements from their organizations, and internet searches can help identify more. <br></p></li></ul><p>Getting the survey administrator to add statements to an existing survey may be difficult, especially if the administrator is an external vendor. Internal auditors may want to determine whether the administrator can make changes before taking time to identify or develop additional statements.<br></p><p>Developing meaningful, unambiguous survey statements can be a challenge. Guidelines to keep in mind include: </p><ul><li>Be sure statements are phrased clearly and simply, and provide good instructions (e.g., when referring to "management," specify the level of management). </li><li>Get help. The organization's HR department might have expertise in survey statement development. If not, HR may be able to suggest a good source. Also consider reaching out to peers in the profession for recommendations — and at a minimum, research available guidance online.<br></li><li><p>Field-test the statements. Ask several people to respond to the statements using internal audit's prewritten response options, then ask them what they think each statement was asking. Start within the audit department, then branch out to other willing employees. 
This process should identify any ambiguity in the statements.<br></p></li></ul><h2>How to Leverage the Survey</h2><p>Even if the organization's survey does not include everything internal audit would like, it almost certainly addresses many important aspects of culture. Because cultural problems can be pervasive, negative survey results may suggest increased risk — perhaps even a substantial increase. Internal auditors should, therefore, factor employee survey results into their global risk assessment for planning which assurance and consulting projects to perform. <br></p><p>Survey results for the affected areas can then be used to plan and scope an audit or consulting project. They can also help support audit findings. The root cause of exceptions, for example, might be a cultural issue identified by the survey.<br></p><p>Some organizations might resist giving internal audit access to survey results with enough detail to be useful. Internal auditors must choose their battles, and the importance of culture suggests this might be a battle worth fighting. With support from the top and tactful communication, access will usually be given.<br></p><h2>Assessing the Survey Process</h2><p>If the business leaders rely on an entitywide employee survey to monitor the organization's culture, it is certainly a key control. And it should be subject to audit. Questions to ask about the process include:</p><ul><li>Is the survey truly anonymous and do employees believe that it is? </li><li>If the survey is not anonymous, is the level of confidentiality sufficient for employees to feel safe being honest?</li><li>Does the survey ask for comments at an appropriate frequency? By the time employees complete the survey, they may not remember issues raised that they want to comment on. Asking for comments several times can generate meaningful, specific information. 
If the survey is structured into sections, each addressing a broad topic, a comment request at the end of each section is advisable. Comments, of course, are voluntary and must be kept confidential.</li><li>Are the results publicized, with action plans to address issues and explanations when issues can't be addressed?</li><li>Are action plans completed effectively and on time?</li><li>What do employees think of the survey? Do they believe management takes it seriously and that it adds real value?</li><li><p>Is the response rate high? If not, why?<br></p></li></ul><p>If internal audit already knows the survey process well and has full confidence in it, this might constitute sufficient assurance. If not, an audit or advisory review would not take a lot of time and could yield valuable results.<br></p><h2>A Valuable Tool</h2><p>Employee surveys give internal auditors an opportunity to add value to a key monitoring control. They can recommend improvements to the survey content and process. And they can use the results to improve their own global risk assessment, plan and scope audit projects, and enhance and support audit findings. <br></p><p><br></p><table cellspacing="0" class="ms-rteTable-4" style="width:100%;"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;">​ <h2 style="letter-spacing:normal;">Suggested Culture Topics <br></h2><p>The following are examples of topic areas, gathered from a variety of guidance documents, that might be suggested for inclusion in an entitywide survey. The list is by no means comprehensive.</p><p>1. 
Are the following aligned with the desired cultural values and principles?</p><ul><li>The business strategy.</li><li>The risk appetite.</li><li>The recruitment process.</li><li>The onboarding process and training programs.</li><li>The performance management system.<br></li><li>The incentive structures.</li><li>How employees, customers, and suppliers are treated.</li><li>Tone at the top and in the middle.</li><li><p>Behavior of frontline employees.<br></p></li></ul><p>2. Is risk management integrated into all decisions and activities, at all levels of the organization?<br></p><p>3. Are appropriate risk behaviors rewarded and inappropriate behaviors identified and sanctioned?<br></p><p>4. Is constructive challenge of risk decisions encouraged?<br></p><p>5. Is risk event reporting and whistleblowing encouraged, without fear of retaliation?<br></p><p>6. Is there clear ownership and accountability for specific risks and risk areas?<br></p><p>7. Are integrity and ethical values discussed regularly? Does management practice what it preaches?<br></p><p>8. Are assurance functions respected and appropriately resourced?</p></td></tr></tbody></table><p><em>Read other articles in this series:</em><br></p><p><a href="/2019/Pages/Auditing-Culture-History-and-Principles.aspx">Auditing Culture: History and Principles</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Bumps-in-the-Road.aspx">Auditing Culture: Bumps in the Road</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Where-to-Begin.aspx">Auditing Culture: Where to Begin</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Observation-and-Data.aspx">Auditing Culture: Observation and Data</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Audit-Project-Surveys.aspx">Auditing Culture: Audit Project Surveys</a><br></p><p>James Roth</p>
<h2>Risk as the Rosetta Stone</h2><p><a href="https://iaonline.theiia.org/2019/Pages/Risk-as-the-Rosetta-Stone.aspx">https://iaonline.theiia.org/2019/Pages/Risk-as-the-Rosetta-Stone.aspx</a></p><p>Language determines how people share information, invoke emotion in others, or persuade them to action. The words chosen also frame a listener’s perspective on an individual beyond simply that interaction. How people select and use words appropriately in a situation is important.</p><p>With this as a backdrop, it was no surprise that when my business partner referred to “risk as the Rosetta Stone” for business, the concept rang true. The Rosetta Stone, discovered in 1799, allowed people to decipher once-challenging Egyptian hieroglyphics. Having the key to deciphering the message unlocked understanding and knowledge previously unavailable. </p><p>Using the language of risk offers a similar master decoding structure — in this case, for businesses to leverage for greater understanding. Business demands as varied as resource allocation and product innovation will benefit from the use of a shared risk language that enables the organization to build from a common baseline. Leveraging a common organizational language can increase the organization’s efficiency and heighten value delivery. For auditors, leveraging components of a shared language can not only increase message clarity and enable more effective communications with business partners, but also enhance the understanding and outcomes of audits, projects, and advisory engagements.</p><h2>The Language of Risk</h2><p>Much as a language is made of key components such as vocabulary (shared definition of words and terms), syntax (arranging words in a sentence for meaning), and pragmatic rules for situational use, the language of risk is made of standard components. Ensuring these components are designed, shared, and understood across the organization supports effective communications and decision-making. 
Internal auditors should consider how these key risk components are structured in their organization and whether modifications or increased awareness might further enable their use as a common language for the business.<br></p><p><strong>Taxonomies</strong> (<em>a common vocabulary</em>) The core of any common language leverages a shared baseline. In risk-speak, this baseline is a taxonomy, naming standard, or universe definition. The risk universe or other classification structure provides a consistent lens to assess operational activities, monitor and compare effectiveness, and frame the scope of project or risk remediation efforts. A defined taxonomy also allows for a common aggregated reporting structure. This structure enables effective business decision-making because there is <br> consistency in comparing and contrasting information over time and across organizational functions.<br></p><p><strong>Measurements/Ratings</strong> (<em>a common vocabulary and a guide on syntax and structure</em>) Prioritization is difficult to define or agree upon without a standard rating scale by which to assess risk. Various functions and teams in an organization often share a scale for rating common risk variables — impact and likelihood. Similarly, internal audit usually defines a rating or prioritization scale for findings and reporting. Other teams, such as enterprise risk or security, also may use rating structures, which may be similar or quite different from others in use. To be able to prioritize and understand risk organizationwide, common scales must be used. When a scale includes metrics that apply cross-functionally — such as financial, operational, regulatory, client, or reputational — it can be better applied and leveraged across functions. 
For example:</p><ul><li>Apply scale levels to project prioritization based on potential savings or projected revenue increases, or based on customer or marketing impact.</li><li>Apply scale levels to measuring impact and likelihood of audit findings, helping to prioritize resource allocation for remediation efforts.</li><li>Apply scale levels to assessing product opportunities for financial impact, client satisfaction increases, or operational challenge points, aiding in prioritizing focus on go-to-market efforts.</li></ul><p><br><strong>Risk Response/Appetite </strong>(<em>pragmatic rules</em>) Within an enterprise risk management program, the risk response standard, rules, or matrix guide the norms expected for identified risks. The response standards define when a risk is acceptable within organizational parameters, when action is required, or when a risk is out of bounds but acceptable for monitoring for an interim period. This structure can be applied beyond the risk function to identify points for escalating concerns, engaging management approvals, or prioritizing operational activities.<br></p><h2>Business Value of a Shared Language</h2><p>Leveraging components of the risk language as a Rosetta Stone of understanding can quickly provide value to an organization. Focusing on some key components can enhance communication and improve business functions.<br></p><p><strong>Common Language Enhances Communications</strong> Use of a common vocabulary in cross-functional or global communications can ensure the messages reflect a consistent structure and clearly defined operational focus of the organization. The vocabulary should comprise agreed-upon top business risks, common naming, and classification of operational units.<br></p><p><strong>Shared Understanding Improves Efficiencies and Culture</strong> Consistent prioritization processes based on a defined measurement scale can increase understanding and alignment among different teams or operational units. 
While this doesn’t necessarily mean a shared agreement is always expected, a shared understanding of the “why” and comfort in consistent prioritization efforts may increase the effectiveness of communications and enhance corporate culture.  <br></p><p><strong>Translating</strong><strong> Details to Themes Speeds Decision-making</strong> Use of a defined risk universe structure in operational functions can provide for aggregation of repeated, consistent individual concern points. Use of the standard universe enables comparison across locations or teams and roll-up of reporting and assessments in a framework that is expected and understood by executive management. Enhanced understanding through a common framework can shorten decision-making cycles and produce solutions faster.<br></p><p><strong>Agreed-upon Prioritization for Resources Enables Quick Time to Value</strong> Having standards in place for measurement, response, and escalation can level the playing field, and drive consistent and intentional decision-making for allocating the organization’s resources.</p><h2>Be a Translator</h2><p>In their role as partners across the organization, internal auditors can promote the common communication and benefits associated with a shared risk language. As audit team members interact with stakeholders and partners, they should share their language with the organization with an eye on promoting understanding, improving efficiencies, and enabling the business.  <br></p>Melissa Ryan1
<h1><a href="https://iaonline.theiia.org/2019/Pages/The-Rise-of-Political-Risk.aspx">The Rise of Political Risk</a></h1><p>It hasn’t been a good year for Chinese tech giant Huawei. Last winter, the U.S. asked Canada to arrest the company’s chief financial officer, Meng Wanzhou, on spying charges. By mid-May the U.K. government was embroiled in a fight about whether to allow the firm to be involved in developing the next generation of communications networks. Meanwhile, customers were starting to avoid Huawei’s products after hearing that Google would no longer allow them to update some Android products, citing U.S. sanctions. The impacts are clear for Huawei, but many other firms were left asking what repercussions it could have on their contracts, markets, customers, and business decisions. How would China retaliate? What other businesses could be caught in the crossfire?</p><p>This is just one example of the questions that arise when even a small part of a business is caught up in a revolution or exposed to economic crises, coups d’état, interstate trade disputes, economic sanctions, or diplomatic clashes. Such risks ebb and flow with the diplomatic tide; however, as businesses become more dependent on international markets and extended supply chains, they are more exposed to political risks. </p><p>Risk management specialist Marsh, for example, highlighted a period of “unprecedented uncertainty” in its Political Risk Map 2019, citing a rise in geopolitical tensions (namely, Russia against the rest of the world) and protectionist sentiments (namely, the U.S. against the rest of the world). </p><p>Although companies with multinational operations or overseas supply chains have always had to review their exposure to political risks, most U.K.-focused businesses have added the topic to their risk registers only in the past few years. “Up until the election of Donald Trump in the U.S. 
and the vote for Brexit in the U.K., political risk was always something that companies in other countries had to think about,” says Michael Moore, director general at British Private Equity and Venture Capital Association, former Liberal Democrat Member of Parliament, and the Secretary of State for Scotland who helped prepare for the 2014 Scottish independence referendum. “It never even registered that U.K. companies would need to consider their home country as being politically risky.” </p><p>Worse still, he says, companies have been slow to react. Although Brexit has been a major political and corporate issue for the past three years, Moore says that most U.K. companies have not made any significant preparations for the country leaving the European Union. “Most organizations have still done very little to prepare for Brexit, despite knowing that the worst-case scenario of a ‘no deal’ option is very much on the table,” he says. “It appears that businesses want more certainty about what the outcome is going to be, which rather flies in the face of planning for political risk.” The U.K. has called for a general election on Dec. 12, 2019, and the EU has agreed to extend the Brexit deadline to Jan. 31, 2020. </p><p>Brexit is, of course, just one of many political risks on the global map. Whether organizations are exposed to the fallout from a U.S. trade war with China or increased sanctions on Iran or North Korea, or are more worried about political instability in Venezuela, Russia’s intentions in Ukraine, Chinese military strength in the South China Sea, war in Yemen, or the ever-present threat of terrorism worldwide, none of the current global political risks is likely to disappear soon — organizations need to know they can react rapidly to changing circumstances. 
Internal auditors should be able to provide assurance on this area and feature political risks in their audit plans.</p><h2>Rapid Response</h2><p>Ian Stone, CEO and founder of business advisory company Vuealta, says that he expects political uncertainty to remain one of the biggest challenges facing decision-makers for the next five years. He warns against trying to “predict the future.” Instead, he advises them to focus on being fluid.</p><p>“Organizations should be prepared for every scenario — worst, best, and everything in between,” he says. “Successful businesses can then choose their course based on the information they have and use the latest technology to test ‘what-if’ scenarios against those plans to cover all bases.”</p><p>He adds that it is possible to react quickly to changing circumstances only if all the parts of the business think the same way and are aware of what they need to do in any given situation. “Planning can be vital in responding to an unpredictable political situation,” he says. “No matter how big the organization, if all departments — from sales and finance to marketing and the supply chain — are not connected, they will never keep pace with rapidly changing and volatile international markets. When one area of the business changes, the effects ripple across the whole company.”</p><p>Business continuity is an obvious priority for those already accustomed to operating in a volatile political environment, so internal audit should review continuity plans regularly. Tom Tahany, an intelligence analyst at security firm Blackstone Consultancy, says it is vital to ensure all threats and risks that could interrupt the business’ output are identified, and plans are up to date and effective. 
“You may need to prioritize the resilience of key functions so that these can continue, while business areas that are less immediately crucial are brought back online when possible,” he says.</p><p>Conversely, companies with subcontractors or suppliers abroad, but with no direct presence overseas, also need to understand how their supply chains and customers could be affected by events outside of their control. It’s generally wise not to rely too heavily on a small group of suppliers and to ensure they are not all in the same political region or subject to the same political forces. It’s also important to keep monitoring changing circumstances and to think broadly about how political developments in one place could potentially have effects elsewhere.</p><p>“You cannot prepare for every possible eventuality and plan a response for every minutia in a crisis,” Tahany says. “In some ways this is a good thing. It allows companies a degree of flexibility in planning responses. However, you may need evacuation plans of varying magnitudes and secondary and tertiary options to help staff in different countries in the event of a crisis. It is important that companies are prepared for anything, rather than everything.”</p><h2>Reliable Sources</h2><p>A key problem with political risk is that it can be difficult to get reliable, timely, and accurate information, especially if events unfold quickly — for example, in a government coup, revolution, riot, civil unrest, or an invasion. 
Another problem is how to quantify the impacts of these risks and assess what contingencies need to be taken and when.</p><p>If asked to provide assurance about operations in another country or region, internal auditors may find it helpful to talk to employees based there and look at risk indicators provided by global nongovernmental organizations, such as Freedom House, the International Monetary Fund, Transparency International, and the World Bank, whose opinions may provide a base layer for measuring risk. However, Pornprom Karnchanachari, a partner at Thailand-based law firm Legal Advisory Council, warns that some “on the ground” views can be skewed by poor reporting, inaccurate commentary, and information sources that cannot easily be challenged or verified. When Thailand experienced a coup in 2014, social media and news coverage helped to spread misconceptions of the political situation, making it seem extremely risky. However, the on-the-ground situation was quite different, he says. Foreign companies were not affected by the political changes, and business continued as usual under the existing legislation while political stability was restored. So, for example, he says, social media “should be taken with a pinch of salt.”</p><p>More reliable sources of information include embassies, which “can offer a basic, but generic, overview,” and local and foreign chambers of commerce, Karnchanachari says. But the best source is foreign companies that have been on the ground for some time, as they will have a government affairs team that can share useful insights.</p><p>“It is only by arming the business with various viewpoints and understanding the history, culture, and unique situation in each country that a business can build a robust understanding and approach to political risk exposure,” he says. However, sometimes you need to act swiftly. 
</p><p>Ben Abbouddi, global threat analyst at travel and health-care risk management firm Healix International, says companies should always consider the worst-case scenario. A risk matrix that places the likelihood of a risk against its impact can help highlight the most significant risks and those that would require the most time and resources to manage. It may also help to eliminate political “red herrings” that attract media attention, but do not have a significant impact. </p><p>Internal audit can play a significant part in evaluating the level of risk and can offer an objective view if there are clashes of opinion. For instance, project managers working in some regions may find themselves at odds with risk managers at the headquarters office. Their perception of local risk may be very different, and their incentives could make them anxious to pursue contracts or business that, correctly or incorrectly, are seen to be high risk.</p><h2>Level-headed Assurance</h2><p>Jack Darbyshire, manager at De-Risk, a strategic risk management planning firm, says internal audit teams can assess whether risk managers are being too cautious about particular regions. “Uncertain times can make risk managers focus on risks that will probably never happen,” he says. “Risk management is a negative concept, and many traditional risk management teams think so negatively that they end up worrying about extremely unlikely scenarios. This may make project managers reluctant to share communication with the team.”</p><p>This is another reason why accurate, timely, and trustworthy information is vital. Organizations could lose far more than they gain by failing to do profitable business, implementing emergency plans unnecessarily, and removing staff or closing operations, only to find that the crisis blows over. Internal auditors should assess the quality and quantity of information available to management while it makes such difficult decisions. 
Internal auditors also could consider whether there are other sources of assurance available.</p><h2>Look for Opportunity</h2><p>A political crisis may also bring opportunities. Paul McIntosh, CEO of Bridgehead Agency, points out that it is equally important that organizations consider potential advantages associated with volatility. “Companies need to look for the advantages that a change in political circumstances might afford, and not just think about the risks,” he says.</p><p>Brexit is a case in point. “No matter what kind of deal — if any — the U.K. gets, the E.U. and the U.K. are likely to remain major markets, and companies want to continue to do business in both,” McIntosh says. “If there is more paperwork in the future, it will add to costs, but this is usually not as difficult or as expensive as some think. Whichever way you look at it, Brexit will create opportunities — possibly not as many as staying in a single market — but companies need to explore these and exploit them.”</p><p><em>A version of this article first appeared in the July/August 2019 issue of Audit & Risk, the magazine of the Chartered Institute of Internal Auditors. Adapted with permission.</em></p>Neil Hodge
<h1><a href="https://iaonline.theiia.org/2019/Pages/Climate-Risk-Assurance.aspx">Climate Risk Assurance</a></h1><p>An article published earlier this year in <em>The Wall Street Journal</em> highlighted investor concern about the impacts of climate change, citing “a record of 75 or more climate-related shareholder proposals” expected at annual company meetings. DuPont investors, for example, proposed disclosure of the company’s risks from expansion of its operations in hurricane-prone areas, and nearly 30% of Starbucks shareholders voted for disclosing the coffee giant’s recycling plans. In addition, more and more institutional shareholders are backing the Sustainability Accounting Standards Board’s standards for corporate sustainability, aimed at helping publicly listed companies disclose environmentally relevant information to investors. Internal auditors, and the organizations they serve, should take note of these developments — particularly in businesses where such concerns may not currently be a priority.</p><p>Within the financial industry, climate risk is not always on the agenda. For example, financial companies, and their internal audit functions, may neglect to consider the credit evaluation risks associated with lending money to companies susceptible to climate-related events. In doing so, lenders overlook impacts that could severely disrupt the borrowing companies’ operations, and possibly hinder their repayment abilities. Even when climate risk is discussed, its impact may not be sufficiently accounted for in the borrower’s credit rating.</p><p>By contrast, insurance companies are at the forefront of addressing climate-related risk. Policy calculations, for example, factor in threats to homes and businesses in wildfire-prone areas and flood risk to regions susceptible to hurricanes. Financial institutions, however, typically do not include such considerations when calculating the impact of risk to capital. 
And even if bank leaders do incorporate climate-related impact in their credit risk analyses, there is no real metric in place for that risk. </p><p>As independent assessors of risk, internal auditors could raise the issue of climate change risk with senior management, and even consider it as a point of concern when challenging the organization’s current risk management framework. Internal audit has the opportunity to create value, facilitate improvement, and execute its mission of providing independent assurance over the effectiveness of risk management. From envisioning the impact of climate-related risk on the bank’s daily operations to the impacts on clients’ operations and ability to perform against their credit risk, auditors can place themselves at the forefront of an important debate. </p><p>The financial industry, with the help of its internal audit practitioners, could get ahead of the curve by promoting a broad discussion about how to consider, monitor, and report climate change risk. If past crises taught us anything, reacting to stressed scenarios is arguably more expensive and takes longer to recover from than acting preventively. Let’s start the debate — the sooner the better.</p>Luciano Raus
<h1><a href="https://iaonline.theiia.org/2019/Pages/US-Companies-Score-Low-on-Governance.aspx">U.S. Companies Score Low on Governance</a></h1><p>Amidst another season of corporate scandals, it's not surprising that U.S. companies are getting low grades on their governance report cards. A new index gives U.S. publicly listed companies an overall grade of C+, with 1 in 10 companies surveyed earning an F for corporate governance.</p><p>The IIA and the University of Tennessee's Neel Corporate Governance Center in Knoxville unveiled the <a href="http://www.theiia.org/ACGI">American Corporate Governance Index</a> (ACGI) this week at press events in New York and Washington, D.C., where speakers discussed the problems it identifies and how internal audit could help companies address them. Based on an anonymous survey of chief audit executives (CAEs), the index grades companies around eight of the <a href="/2019/Pages/A-New-Tool-for-Directors.aspx">Guiding Principles of Corporate Governance</a> (see "The Making of the Index" below), also released this week.</p><h2>Beyond the Boardroom</h2><p>Although responsibility for corporate governance begins in the boardroom, "governance is so much bigger than what's going on at the board level," said Terry Neal, director of the Neel Corporate Governance Center, at the Washington event. This is where internal audit, with its enterprisewide perspective, could help companies improve their grades, he said.</p><p>Take the issue of board performance assessments, for example. Principle 8 calls for boards to regularly evaluate "the full system" of corporate governance, yet responding companies received a C- grade — the overall worst grade — with most saying their company didn't formally monitor governance. 
One takeaway from interviews with CAEs in preparation for the survey is "a lot of CAEs are not doing this, but they are positioned to do it," Neal said.</p><p>But the index indicates that boards have problems of their own. Next to assessing corporate governance, the lowest grade (C) was for Principle 4, where CAEs said organizations were more focused on short-term issues rather than sustainable performance. Contributing to short-term thinking, CAEs say one-third of directors would not challenge the opinions of the CEO, and they gave boards a D grade for questioning whether they were receiving accurate and complete information from management.</p><h2>Board Care and Maintenance</h2><p>Christa Steele, a former CEO who serves on several boards, said good dialogue between directors and the CEO is key to a well-functioning board. "If directors are not talking to the CEO in board meetings, they should have those conversations offline," she said in Washington.</p><p>Steele noted it is difficult for boards to capture all the information about technology innovations, new market entrants, and other disruptive risks in what she calls "unprecedented times." Ahead of board meetings, she said she received a staggering 500 to 1,000 pages of information. "Now more than ever, we need to look at the information and scrub it to make sure we get the right information," she said. "But you can have information overload."</p><p>Understanding new risks is one reason "why board refreshment is so important now," she said, because boards often lack the knowledge to provide oversight in an era of greater transparency caused by social media. Although there have been calls for boards to add more specialized expertise — in technology, for example — she says there's a trade-off. "Do you want the technical expert or do you want someone who can ask the right questions?" 
she asked.</p><p>Board members like Steele increasingly want more insight into how the company is governed, even several levels of management down. That's the information that boards aren't seeing, Neal said. It's also where the ACGI finds some disconnects.</p><h2>Areas of Disconnect</h2><p>Principle 5 covers corporate culture, and CAEs gave boards and CEOs a high grade (A-) for setting a strong tone at the top. But CAEs say the board doesn't discuss culture much and that tone isn't communicated well across all levels of the company.</p><p>Fraud reporting is another example. In an era rife with corporate scandals, CAEs gave their organizations high marks for following up on reports of wrongdoing and ensuring the company doesn't retaliate against employees who speak up. Yet, CAEs say employees aren't familiar with how to report violations. "When there's an event that occurs, you'll see a spike in reports," said Julie Scammahorn, senior vice president and chief auditor at Wells Fargo in New York.</p><p>These disconnects are becoming a greater issue with the rising emphasis on environmental, social, and governance (ESG) issues, an area where companies received a C grade. The ACGI survey was conducted just before the Business Roundtable issued its revised <a href="https://www.businessroundtable.org/business-roundtable-redefines-the-purpose-of-a-corporation-to-promote-an-economy-that-serves-all-americans">Statement on the Purpose of a Corporation</a> in August, in which prominent U.S. CEOs committed to benefiting stakeholders such as customers, employees, suppliers, and communities, in addition to shareholders.</p><h2>Auditing Governance</h2><p>While internal audit could be positioned to help boards look at risks deeper down in companies, assessing corporate governance is still a new area for many audit functions. 
Less than one-fourth of companies evaluate corporate governance annually, and when they do, it goes through the legal function, said Lauren Cunningham, assistant professor and director of research at the Neel Corporate Governance Center. "If legal does it, it's a check-the-box mentality," she said.</p><p>But more internal audit functions are taking on these assessments, Scammahorn observed. "I'm seeing more auditors taking deep dives into the information the board receives to make sure it is accurate and complete," she said. </p><p>Governance audits at the board level should be done by senior audit staff, such as the CAE's direct reports, Scammahorn advised. Such audits can make a big difference. "If you don't have a formal assessment, there aren't many boards that don't think they're doing a good job," Scammahorn says. "When you put a formal assessment in front of them, they see they have work to do."</p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p><strong>The Making of the Index</strong></p><p>The IIA and the Neel Corporate Governance Center developed the ACGI based on eight of the Guiding Principles of Corporate Governance. In turn, the two organizations compiled those principles from guidance and principles from organizations such as the Business Roundtable, National Association of Corporate Directors, and New York Stock Exchange. </p><p>In preparation for the survey, researchers interviewed prominent CAEs about the principles and their observations of governance practices. They then surveyed 128 CAEs from U.S. companies of various sizes from a wide range of industries. Researchers evaluated these responses and assigned a score and letter grade for each of the principles, as well as elements within those principles. 
Because responses to the survey were anonymous, the ACGI does not provide grades for individual companies.</p><p><em>Principle 1</em> — Effective corporate governance requires regular and constructive interaction among key stakeholders, the board, management, internal audit, legal counsel, and external audit and other advisors. Grade: C+</p><p><em>Principle 2</em> — The board should ensure that key stakeholders are identified and, where appropriate, stakeholder feedback is regularly solicited to evaluate whether corporate policies meet key stakeholders' needs and expectations. Grade: B-</p><p><em>Principle 3</em> — Board members should act in the best interest of the company and the shareholders while balancing the interests of other key external and internal stakeholders. Grade: B-</p><p><em>Principle 4</em> — The board should ensure that the company maintains a sustainable strategy focused on long-term performance and value. Grade: C</p><p><em>Principle 5</em> — The board should ensure that the culture of the company is healthy, regularly monitor and evaluate the company's core culture and values, assess the integrity and ethics of senior management and, as needed, intervene to correct misaligned corporate objectives and culture. Grade: B-</p><p><em>Principle 6</em> — The board should ensure that structures and practices exist and are well-governed so that it receives timely, complete, relevant, accurate, and reliable information to perform its oversight effectively. Grade: C+</p><p><em>Principle 7</em> — The board should ensure corporate disclosures are consistently transparent and accurate, and in compliance with legal requirements, regulatory expectations, and ethical norms. 
Grade: B</p><p><em>Principle 8</em> — Companies should be purposeful and transparent in choosing and describing their key policies and procedures related to corporate governance to allow key stakeholders an opportunity to evaluate whether the chosen policies and procedures are optimal for the specific company. Grade: C-</p></td></tr></tbody></table>Tim McCollum
