Risk and Compliance



Update: Recovery Through Digitization
https://iaonline.theiia.org/2020/Pages/Update-Recovery-Through-Digitization.aspx
<p>A new report from McKinsey & Co. advises businesses to focus on digitization as a means of navigating the coronavirus pandemic. Flexibility and speed will be key as organizational leaders consider how to move ahead, the consulting firm says in The Digital-led Recovery From COVID-19: Five Questions for CEOs, which draws on observed best practices.</p><p>With COVID-19 putting outdated business models to the test, the shift to digital will likely accelerate. Organizations need to take bold action, the report advises, tempered with "a full appreciation of risk from the impact of cyberattacks to the loss of crucial talent." Incremental technological change and half measures are recipes for failure, the report's authors say.</p><p>Making the right technology investments will be crucial moving forward, requiring organizational leaders to work closely with their technology officers to update legacy systems and establish new digital capabilities, McKinsey notes. Technology is a key driver of value — and that includes the use of advanced analytics.</p><p>"Never before has the need for accurate and timely data been greater," the report says. At the same time, CEOs will need to work with their risk leaders to make sure the scramble to harness data follows strict privacy rules and cybersecurity best practice.</p><p>To ensure technology initiatives materialize, CEOs also may need to have a long talk with their chief financial officers. PwC's COVID-19 CFO Pulse Survey shows that more than two-thirds of surveyed finance chiefs say they plan to defer or cancel planned investments in response to the crisis — and of those, more than half say they are eyeing IT initiatives for the chopping block. Another 25% say they are deferring or canceling digital transformation investments.
</p><p><strong>— D. Salierno</strong></p><h2>Greater Risk Brings New Scrutiny</h2><h3>Stakeholders may find risk management processes lacking, report finds.</h3><table cellspacing="0" width="100%" class="ms-rteTable-default" style="background-color:#ffffff;"><tbody><tr><td class="ms-rteTable-default" style="width:306.667px;"><p><strong>Cybercrime's Bottom Line</strong></p><p>A survey of U.S. IT security professionals shows the average total cost of a cyberattack across several categories.</p><p><strong>$1.5 million</strong>  Nation-state</p><p><strong>$1.2 million</strong>  Zero-day</p><p><strong>$832,500</strong>  Phishing</p><p><strong>$691,500</strong>  Spyware</p><p><strong>$440,750</strong>  Ransomware</p><p>Source: Ponemon Institute and Deep Instinct, The Economic Value of Prevention in the Cybersecurity Lifecycle</p></td></tr></tbody></table><p>Today's riskier business environment is pressuring organizations to disclose more about risk management, according to the 2020 State of Risk Oversight. Nearly 60% of the 563 U.S.-based chief financial officers surveyed say risks are growing extensively in volume and complexity, particularly in areas such as talent, innovation, the economy, and brand.</p><p>With greater risk has come heightened attention, notes the report from the American Institute of Certified Public Accountants and North Carolina State University's ERM Initiative. Two-thirds say boards are calling for more management oversight of risk, while 58% say outside parties such as investors are demanding extensive detail about how organizations manage risk.</p><p>Yet, only one-fourth of respondents say their organization's risk management is mature, a decline from previous surveys. Moreover, less than 20% say their risk management process provides strategic value. 
"If functioning effectively, a robust enterprise risk management process should be an important strategic tool for management," the report says. </p><p><strong>— T. McCollum</strong></p><h2>Weighing the Cost of Fraud</h2><h3>Fraud defenses work but could face the budget-cutting ax.</h3><p>Organizations already pay a steep price for fraud, but they may be targeted even more if budget-cutting weakens defenses such as internal audit. Occupational fraud costs organizations about 5% of annual revenues, according to the Association of Certified Fraud Examiners' (ACFE's) 2020 Report to the Nations.</p><p>The report analyzed more than 2,500 fraud cases from 125 countries, with losses totaling more than $3.6 billion. Most of these frauds come from four areas: operations (15%), accounting (14%), executive management (12%), and sales (11%).</p><p>In a post previewing the latest report, ACFE President and CEO Bruce Dorris warns organizations not to cut internal audit and compliance amid the economic fallout from the coronavirus. "Cutbacks to departments or initiatives that are integral to a comprehensive anti-fraud program only serve to leave organizations more vulnerable to the growing likelihood of fraud," he says.</p><p>Weakened defenses combined with individuals facing financial pressures could create a "perfect storm" for fraud, Dorris cautions.</p><p>Effective controls, reporting, and training also help fraud fighting considerably, the report notes. One-third of frauds can be attributed to a lack of internal controls, and over the past decade the use of controls such as hotlines, anti-fraud policies, and fraud training has increased by at least 9%. 
Organizations discover 43% of frauds through tips — half of them from employees — but employees are far more likely to report fraud when they receive fraud-awareness training.</p><p>One new trend the report finds is that individuals accused of fraud are less likely to face criminal charges, with organizations increasingly preferring to handle cases through internal discipline or civil litigation. Four out of five fraud perpetrators were disciplined internally, and 46% of victim organizations say they declined to refer cases to law enforcement because internal punishment was sufficient. </p><p><strong>— T. McCollum</strong></p><h2>Sourcing in a Crisis</h2><h3>New vendor relationships can create new risks, says Erich Heneke, director of business integrity and continuity at the Mayo Clinic.</h3><table cellspacing="0" width="100%" class="ms-rteTable-default" style="background-color:#ffffff;"><tbody><tr><td class="ms-rteTable-default" style="width:306.667px;"><ul><li><strong>75% of U.S. adults say that companies</strong> have a responsibility to support coronavirus relief.</li><li><strong>71% say they will stop purchasing products</strong> from companies they perceive to be irresponsible during the crisis.</li></ul><p>"Americans are watching which companies are stepping up at this time," says Kate Cusick, chief marketing officer at public relations advisory firm Porter Novelli/Cone. "The decisions businesses make today will define them well after this pandemic has passed."</p><p>Source: Porter Novelli/Cone, COVID-19 Tracker: Insights for a Time of Crisis</p></td></tr></tbody></table><p> <strong>COVID-19 has businesses looking at the viability of their vendors. How can businesses shift quickly to new vendors? 
</strong>The pandemic has not only exposed traditional vendor risks with respect to supply chain disruption, but it has unlocked a new set of brokered vendors that enter new risk into the market. In health care, products have become unavailable due to supply and demand issues through traditional channels, and, thus, we are seeking products in alternative markets. When sourcing alternate channels, we have seen an influx of counterfeit products as well as brokers requiring a pre-payment and then vanishing with the hospital's money, which suggests that new tools will be necessary to quickly vet new vendor relationships.</p><p>Internal audit should let business areas do what they do best, while providing higher and wider level views into enterprise risks. Auditors also should be available as consultants to help mitigate risks as they emerge in vendor markets, whether that's by helping to design a third-party risk management program or aid in strategic sourcing needs. Auditors can offer an independent set of eyes on a process that is largely unfamiliar to a health-care supply chain.<br></p><h2>Brown Factors May Affect Credit<br></h2><h3>Harmful activities may become targets of disincentives.<br></h3><p>Organizations are familiar with "green" activities, but the environmentally harmful "brown" activities may have greater credit implications, according to Fitch Ratings' inaugural ESG Credit Quarterly report.</p><p>As defined by The European Commission's (EC's) final report on the European Union taxonomy for sustainable activities, green activities contribute substantially to environmental objectives. Since the report's publication in March, there have been calls for the commission to develop a taxonomy listing environmentally harmful (brown) activities.</p><p>The technical expert group assisting the EC with the sustainability taxonomy states that activities not defined as <em>green</em> should not automatically be considered <em>brown</em>. 
The Fitch report points out that consensus on a brown taxonomy will be difficult. Even so, such a taxonomy could affect credit by defining the targets of disincentive policies such as higher prudential capital requirements.</p><p>A brown taxonomy "could inform how asset managers and banks screen for other fossil fuels or environmentally harmful activities in the future," Fitch notes. Additionally, it could lead to greater standardization in how investors and banks screen sectors deemed harmful. <strong>— S. Steffee</strong></p>
<p><strong>— Staff</strong></p>
Assessing Risk in a Post-pandemic World
https://iaonline.theiia.org/2020/Pages/Assessing-Risk-in-a-Post-pandemic-World.aspx
<p>As the coronavirus (COVID-19) pandemic has changed the world, internal audit functions have needed to face that world differently. Before the outbreak, internal auditors worked in similar ways, following the same code of conduct, adhering to the same standards, and using many of the same tools. Now, auditors have another thing in common: the need to adapt to frequently changing risk conditions.</p><p>COVID-19 has fundamentally changed the risk profiles of many organizations. As internal audit ramps up to a "new normal," it must recalibrate its audit plan from a dramatically different risk perspective. </p><h2>An Audit Plan in Peril</h2><p>Let's examine the timeline of events. Many internal audit functions started their risk assessment and audit planning process in late 2019. By early 2020, departments in most of the world had formed at least a skeleton of their audit plan, and some had communicated their formal plans to the audit committee and senior management. Some audit functions began executing engagements in early 2020. </p><p>That all changed in March, when the coronavirus began to race swiftly around the world and businesses experienced the first effects of social-distancing measures. Operationally, many organizations altered their business practices. From a compliance perspective, some regulatory requirements were suspended or relaxed for entire industries during the outbreak. </p><p>As these response measures quickly escalated, many audit functions drastically altered their audit plans. Businesses experienced so much disruption that it was nearly impossible to execute some audit engagements, or there simply was no value in doing so. 
Most respondents to an April 2020 IIA Quick Poll say they discontinued or reduced scope for some audit engagements, and nearly half canceled some engagements in response to COVID-19. </p><p>Four in 10 respondents indicate they redirected audit staff to nonaudit work. For some audit functions, temporary staff furloughs or budget reductions ended audit work or reduced staff activity to administrative duties.<br></p><h2>Post-pandemic Planning</h2><p>The audit plan that existed before the pandemic is based on an old risk paradigm. In a post-pandemic world, chief audit executives (CAEs) must think differently about their organizations' risks and how to redeploy audit resources. Here are some questions CAEs should ask in rethinking their audit plans.<br></p><p><strong>What does the organization's new normal look like?</strong> Even businesses that were least impacted by COVID-19 will have systemic changes in their risk environment (see "Questions for CAEs" at the end of this article). There may be major fallout to institutions and systems that organizations rely on, and regulators, financial institutions, and supply chains may experience disruptions well past the point when stay-at-home orders are relaxed. Some may no longer exist.<br></p><p><strong>Is my risk assessment process agile enough?</strong> This question will be critical as CAEs begin prioritizing how to redeploy resources to address elevated risk in legacy risk areas as well as in new, uncharted territory. Risk assessments need to be agile because risk dynamics may change frequently in the near term. CAEs should evaluate and streamline legacy risk assessment processes.<br></p><p><strong>Does my team still possess the skills to execute the risk assessment and audit plan?</strong> In the post-pandemic world, risk profiles probably will change — in some organizations, dramatically. 
CAEs need to evaluate the talent in their teams and internal audit's ability to identify risks and execute engagements that focus on new types of risk. They need to address questions such as:</p><ul><li>How has internal audit's staffing changed? </li><li>Are staffing levels different, and have there been any changes in talent? </li><li><p>Are there new talent needs as a result of changes to the organization's risk profile?</p></li></ul><p><strong>Does my team still have an objective mindset?</strong> Unprecedented times call for unprecedented measures, and during the COVID-19 emergency, many internal auditors have been called to duty in ways they never imagined. If auditors were engaged in nonaudit activities within the business or performing activities that normally would be incompatible with professional standards, CAEs should evaluate staff objectivity.</p><h2>A New World of Risk</h2><p>The world is different now, with different risks. Internal audit functions must recalibrate how they view the inherent risks their organizations face as the recovery period begins. </p><p>Although pivoting from the old world to a new one is not a new phenomenon, the magnitude of COVID-19 impacts is more global and more severe than anything most auditors have experienced. Internal audit's ability to respond is vital not only to how its business recovers, but also how audit realigns with its stakeholders' needs.  <br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><strong>Questions for CAEs</strong><br><br><p>To assess their situation during the COVID-19 crisis, CAEs should ask:</p><ul><li>What does organizational staffing look like now? Have there been reductions or reorganizations?</li><li>Have key stakeholders changed? What new audit clients should I anticipate?</li><li>Have workforce reductions or reorganizations impacted how internal controls are executed? 
Are there new segregation of duties concerns or controls that no longer have control owners?</li><li>What processes have been temporarily or permanently changed?</li><li>What systems were temporarily modified or permanently changed? Were appropriate IT general controls followed for these changes, and, if not, what are the implications? </li><li>What controls were modified to accommodate unique business situations or risks?</li><li>Have there been any key personnel changes such as loss of unique subject-matter expertise or loss of key leaders in strategic areas?</li><li>Has the organization's strategic focus changed in the near or long term?</li><li>How have cost structures changed?</li><li>Have there been fundamental changes in the organization's debt and capital structures? Are there new or different debt covenants?</li><li>What new legal or compliance challenges is the organization facing (lawsuit exposures, changes to compliance infrastructure)?</li><li>Have new business opportunities emerged and have corresponding risks been identified?</li><li>Have the fundamentals of business-unit operations or strategies changed?</li><li>How have business continuity dynamics changed (key infrastructure changes, key customer changes)?</li><li>How have enterprise risk management dynamics changed (key risks, key risk indicators, response plans, and risk appetite)?</li><li>How have U.S. Sarbanes-Oxley Act of 2002 dynamics changed, including changes with external auditors, regulatory dynamics, and control owners?</li></ul></td></tr></tbody></table>
<p><strong>— Rick Wright</strong></p>
Navigating the Crisis
https://iaonline.theiia.org/2020/Pages/Navigating-the-Crisis.aspx
<p>It may take years to calculate the full human cost of the coronavirus pandemic, but the pain is visible for all to see today. The U.S. has been hard hit. At the time of writing, there were more than 1.5 million confirmed U.S. cases of COVID-19 and more than 90,000 fatalities. Approximately 23 million people, representing nearly 15% of U.S. workers, had filed for unemployment benefits. Some parts of the country have ground to a standstill — a trend that has followed the progress of the virus around the globe.</p><p>Congress has thrown roughly $3 trillion at the problem with help for businesses and hard-hit citizens. Other countries have implemented similar fiscal initiatives. But despite these essential measures, economists are divided on how fast economies will recover — not least because the virus has a habit of bouncing back once lockdown measures are relaxed. Parts of Japan reopened in mid-March, but are into their second period of restrictions. In Europe, Italy paved the way for four million people to return to work in early May: Manufacturers opened first, and now bars and hairdressers are emerging from two months of lockdown. Spain is in the early stages of its four-phase reopening, which regional authorities are implementing at different speeds. Many sectors remain closed across Europe, and the impact of lockdown grows by the day.</p><p>"This is much stronger in magnitude than the global financial crisis," International Monetary Fund chief economist Gita Gopinath has said. She told <em>The Wall Street Journal</em> in a video interview in April that economies will not pick up until the third or fourth quarters of 2020, but that will depend on whether countries can successfully emerge from lockdowns and stay that way. </p><p>The decisions organizations make now will help determine their survival in the short term. 
And for those that do survive, those steps will also lay the initial groundwork for recovery. Internal auditors can help organizations navigate the immediate risks, while keeping an eye farther on the horizon. They also can strengthen relationships with stakeholders and reinforce internal audit's value along the way.</p><h2>Sharp Curve Ahead</h2><p>The pandemic has already brought with it operating conditions that are potentially dangerous for both businesses and people. For example, as soon as Qatar put in place mitigation measures to protect citizens and residents against the coronavirus, businesses went into value-protection mode, according to Moses Chavi, chief audit executive (CAE) at a privately owned company in the region.</p><p>In particular, he says that two key themes have emerged for internal auditors and management — ones that are likely to persist during the forthcoming global recession this year: working capital management and talent management. The successful handling of these areas will play a crucial role in the eventual upturn. </p><p>"Any company that has only a suboptimal focus on working capital could see their businesses restricted to sustain fixed costs, including employees' salaries and the rent on operational sites," Chavi says. "And with much needed liquidity during the next three to six months, you will still have to catch up despite the fact the world will be entering an inevitable recession." </p><p>Similar to economic stimulus plans seen around the globe, locally Qatar's government has played a huge role to cushion economic activities and stimulate productivity through numerous incentives. Those include providing affordable financing and operational cost waivers, such as rentals, payroll support, and deferred loan repayments.</p><p>Chavi says he wonders whether businesses can optimize costs without affecting their critical components, such as human resources. 
Finding creative ways of keeping people — such as constructive sabbaticals or by allowing more flexible working arrangements, whatever fits the ethos of the company — could be more expensive in the short term. At the same time, it could pay longer term dividends. </p><p>Since the crisis struck, Chavi and his internal audit team have been working flat out on adaptable working shifts fueled by coffee and adrenaline. His first moves were to start collaborating with the audit committee and asking questions among corporate department heads and the financial and business leaders in critical areas of the company.</p><p>"We asked them what plans they had in all of the critical areas we had identified," he says. "Apart from doing a fresh risk assessment and pointing out things that they could not actually see, I'm trying to facilitate a stronger relationship between internal audit and the front-line entities."</p><h2>Relationship Building</h2><p>Chavi has become very active in committees — he was appointed to his company's crisis communication committee, partly to keep abreast of what was happening, but also to advise on how messages needed to be conveyed throughout the organization and beyond. "Internal audit has aggressively created relationships with other control teams across the entire business to make sure there is a common message going around about our monitoring initiatives," he says.</p><p>With social distancing policies in place, internal audit has changed its working routines. The team has used video to meet with managers and to carry out checks in such areas as sanitary controls, and employee and visitor screening, for instance. 
Chavi also has advocated for managers to make tough and timely decisions on, for example, which parts of their portfolios can be restructured, which need to be boosted, and where new lines need to be introduced to diversify and meet changing consumer behavior.</p><p>"Executives need to make sure they are aggressive in taking decisions," he says. "That also applies to business continuity plans, which may be irrelevant or outdated in the current situation and need radical overhauling." Chavi says he believes it is crucial to be "brutal with the truth" at audit committee meetings and at relevant executive management meetings.</p><p>But there have been some encouraging developments too. The organization's digital transformation has been enhanced by COVID-19, with some companies in the group moving rapidly into social media marketing, e-commerce, home deliveries, and adopting hand-held mobile and online payment. It is a move that he says has boosted customer experience. "Internal audit has had a keen interest in these processes, and we are making sure that we deal with the risks as they come along."</p><p>Chavi says that because his internal audit team has been able to hold management's hand through the crisis so far, and has refrained from judging in favor of providing practical solutions or constructive challenge, it will be well-positioned to continue helping in both an assurance and advisory capacity in crucial areas such as working capital management, talent retention, stakeholder relationships, cybersecurity, and data integrity. </p><p>"Internal audit needs to be visible and participate. You can't influence anybody without actually befriending them, without being close, without understanding and sharing their pain and troubles," Chavi says. 
"Applying your emotional intelligence is key to being able to influence the agenda and trajectory of risk management going forward so the business can survive and prosper in the future."</p><h2>Further Down the Road</h2><p>The medium-term effects of the pandemic are going to introduce new uncertainties that could make recovery difficult, according to Alexander Larsen, president of Baldwin Global Risk Services, a risk consultancy with offices in the U.K. and North America. Businesses will need to assess and deal with altered social habits, customer expectations, new ways of working, and, in some sectors, unanticipated policy and regulatory changes, if they are to navigate these times successfully.</p><p>"Immediately after COVID-19, people are going to be thinking about the crisis and what they need to do to prepare for another pandemic — or whether they are prepared in the event that they lose their job due to the recession that will follow," he says. "They may be wondering why their homes are full of things that were absolutely useless in times of crisis, and that could affect their spending habits over the next couple of years." </p><p>Fear could also play a part in consumer behavior, Larsen says. Recent surveys suggest that when countries open up for business again, for instance, a large proportion of people will be scared of visiting crowded places. Three out of four people say they would now not attend trade shows or conferences in the future, according to a recent IBM survey. Some businesses may need to transform their operations into social-distancing friendly models where possible, Larsen adds.</p><p>In addition, many employees have learned that they can work from home effectively; some may prefer to continue doing so. Businesses that have been reluctant to be flexible may be forced into changing their policies to retain talent. 
Moreover, companies should not expect the business landscape to remain static as governments across the globe could take different views on tightening or slackening regulation from supply chains to financial contingencies. Political risk is also likely to increase. </p><p>"When I worked in Iraq during the construction of the world's largest undeveloped oil fields, the government often and unexpectedly instructed our company to stop buying products from certain countries, despite the strategic and financial significance of the project," Larsen says. "These were political decisions, often with valid reasons, and in the aftermath of COVID-19 it will be a more political world where such government sanctions could become more frequent."</p><p>Larsen says good risk management will be critical for survival and that internal audit has a key role to play in making that happen. Organizations will need a thorough understanding of their corporate and departmental risks, with a key focus on critical objectives, he says. They'll also need to examine where survival-level risks, or market-changing opportunities, are identified and linked to key risk indicators — essentially an early warning system for when things start to go wrong or relevant opportunities arise. Scenario planning, risk workshops, and horizon scanning exercises that focus on strategic risks and organizational strategies over the next three to five years must be in place.</p><h2>Risk Tolerance </h2><p>"Most organizations that are in a position of worrying about survival should forget about trying to set a risk appetite," Larsen adds. "They are having to take those risks anyway. The question is rather what levels of risk we can tolerate before the viability of the organization is threatened."</p><p>Key risk indicators should be introduced and linked to these risk tolerance levels — rather than appetite, Larsen says. That way, the business is put on alert when things start getting rocky. 
</p><p> But internal audit's support of risk management efforts is key. CAEs should use their influence at the board level to ensure the risk function is not tied down by processes and bureaucracy — risk management has to be dynamic. Internal audit also should provide assurance on whether management is implementing risk management's program. "Essentially, internal audit should be the risk function's ally by including risk management as part of their audits," Larsen says. "That will enable it to ensure that threats and opportunities are being identified across the organization and to ensure that they are being properly measured and controlled according to the risk procedures set by the risk management function."</p><h2>Maximum Speed<br></h2><p>Louis Cooper, chief executive of the Non-Executive Directors' Association, a board training and education, advisory, and support body based in London, agrees with Larsen that some businesses need to reappraise their approach to risk management. He has seen organizations begin to add a velocity factor to their risk matrices that traditionally only measure the impact and likelihood of risk: a dimension that he says needs to be incorporated into scenario planning, as it provides a speed of change component to the assessment of individual risks.</p><p>In addition, others are moving away from the traditional enterprise risk management view and toward looking at risk in the extended enterprise. This approach takes further into account that many organizations increasingly rely on strategic partners, outsourced arrangements, and other third parties to take their products and services to market. 
Cooper agrees that internal audit should be undertaking more informed reviews of management activities and processes rather than doing test checks on individual business processes and transactions — following The IIA's long-held perspectives on risk-based auditing.</p><p>Cooper is concerned that an extended lockdown, or repeated ones, could mean that the accuracy of reporting and the information the board receives is compromised. Giving assurance in those areas could be equally affected. Without sending people out on location, internal auditors could be prevented from doing essential checks. In the U.K., the Financial Reporting Council's COVID-19 Bulletin March 2020 offers guidance to external auditors on such issues, which could be equally applicable to some internal audit assignments.</p><h2>A Test of Governance</h2><p>Cooper also says that boards have been questioning whether their governance frameworks have been able to cope with fast-changing circumstances and whether they will enable their companies to be agile enough in the coming months and years. Some organizations, for example, have done a poor job of targeting their corporate communications and key business relationships — a clear indication that stakeholder groups and contacts are inadequately mapped and understood. And some have fallen short in demonstrating whether executive leadership has had the right mandate to deal with unfolding problems. Other organizations have been unable to flex their business models — the way some fashion design enterprises were able to switch quickly from making clothes to making protective garments for health workers, for instance — and some have had difficulty with adapting to the culture shock of continuous remote working.</p><p>"I'm not sure that governance frameworks have been tested in this way before, including in fundamental areas such as business continuity planning," Cooper says. 
"People are very good at documenting things and putting them in the drawer without going through scenarios and checking that, if something were to happen, what the chain of command is and how it works in practice."</p><p>If internal audit has not been involved in those areas historically, boards will need them to take that role now, he says. They also will be looking for the function to assess how well the business has performed, identify gaps, and collate and disseminate the lessons learned to the board and management.</p><h2>Working Smart</h2><p>As well as participating on management committees dealing with business recovery, internal auditors need to work in a smarter, more focused way, says Esi Akinosho, EY Global Advisory Internal Audit leader. That includes following their businesses' lead in forcing rapid digital transformation.</p><p>"Internal audit has an opportunity to provide real-time risk advice as businesses establish new processes in the 'new normal,'" she says. "Teams can use predictive analytics to help identify emerging vulnerabilities and opportunities — this will give more timely value-add to management than traditional audit procedures."</p><p>She advises audit departments to focus on business-critical risks, especially cost recovery — such as working capital, cash management, vendor spending, and capital expenditure. Internal audit analytics can be applied to identify any cash recovery opportunities. That initiative also should extend to optimizing cost efficiency in the audit department itself. </p><p>"Internal audit should make its own contribution to the organization's cost diligence by optimizing the function's costs," she says. "Teams should take advantage of the technology momentum created by remote working to gain efficiencies across the internal audit life cycle. 
For example, digitize any procedures where possible and consider remote possibilities before spending on travel."</p><p>Where the internal audit function is less developed, or has issues with how its brand is perceived, it is time to act. "Organizations must start looking for opportunities to build the function's brand," she says. "For example, redeploy some resources to directly support business crisis management teams — this has the added benefit of building relationships and business knowledge simultaneously."</p><h2>Alternate Routes</h2><p>Similarly, CAEs could build a more flexible resource structure in which, for instance, specialists are brought into the function for limited periods to provide additional expertise — either from within the business or from third-party providers.</p><p>"Internal audit has a great opportunity to help organizations transition out of the downturn by using the current disruption to accelerate transformation," Akinosho says. "Internal audit, as a profession, needs digitalization, a flexible people model, new skills, and a more dynamic approach that is more efficient and geared to giving timely insights on strategic risks."</p><p>Many businesses are going to have a life-and-death struggle with the effects of the coronavirus outbreak. Some will not make it. Those that do have their work cut out in streamlining portfolios and business processes; strengthening governance, risk management, and internal audit functions; and fast-tracking moves to make their enterprises digital — as well as keeping abreast of events and trends in the economy and among customers. Internal auditors have a key role to play in helping ensure their organizations make it along the road to recovery. If there was ever a time to demonstrate the true value of internal audit, it is today.</p><p>Arthur Piper</p>
<h1><a href="https://iaonline.theiia.org/2020/Pages/A-Rational-Mindset.aspx">A Rational Mindset</a></h1><p>Remember the scene from <em>Raiders of the Lost Ark</em> where Indiana Jones enters the Well of the Souls, which happens to be a snake-infested pit? After throwing a torch into the pit to reveal his plight, he exclaims, "Snakes … why did it have to be snakes?"</p><p>Granted, this scene is plotted to presume the snakes are venomous, so Indiana's fear is rational. But his initial reaction reveals his bias about snakes in general — the same way some people are irrationally averse to risk. </p><p>Internal auditors have a professional duty to remain objective as they perform their work. This unbiased mindset must extend to remaining rational when it comes to communicating with audit clients about risk.</p><h2>Why Did It Have to Be Risk?</h2><p>Snakes are vilified as animals that hide in dark places, stealthily seeking out prey and striking when they least expect it. An objective study of snakes reveals a much more accurate view of these complex creatures. Not all snakes are aggressive, nor are they all venomous or massive constrictors capable of inflicting great harm to people, as we often see in movies or hear about in the news. </p><p>In fact, snakes can be beneficial. Take the black rat snake, which is effective at controlling harmful rodent populations. One black rat snake can eat 100 mice per acre in a year. What farmer wouldn't readily adopt at least a couple of these hunters to offset the negative impact mice have on property and equipment, not to mention the potential spread of disease?</p><p>People sometimes perceive risk with the same irrational viewpoint. Too often, when discussing risk and risk management philosophy with business professionals in the course of internal audit work, the conversation gravitates toward an unbalanced, negative attitude about risk. 
</p><p>One time, my audit team was conducting an audit workshop with a group of business managers. The team was explaining how our audit activities were risk-based so that we focused on things that matter most to their functions' success. The supervisor for this group of managers interrupted our discussion to admonish the group that they needed to be focused on risk to eliminate it from the company. While it was an innocent exclamation the supervisor truly believed, it was an unfortunate and unplanned distraction from our discussion that the audit team had to clarify with the workshop participants. </p><p>The interruption turned out to be a blessing in disguise. It enabled the internal audit team to lead a healthy discussion about the opportunities that also accompany risk, while explaining that eliminating risk was neither realistic nor necessarily desirable.</p><h2>Shifting the Risk Mindset</h2><p>With all the focus organizations have devoted to enterprise risk management and updated risk management frameworks, they still get trapped in a vortex where risk is seen in a lopsidedly negative light. Internal audit should thoughtfully redirect this line of thinking when such an uninformed view of risk and risk management is expressed. </p><p>The snake analogy is a good proxy for reframing the risk discussion. The word <em>risk</em> often is misunderstood. Like snakes, risk can do serious harm, so people instinctively project harm onto all risk. But is this rational? </p><p>In finance, <em>risk</em> frequently is paired with the word <em>reward</em> to describe offsetting outcomes related to a decision. While taking any given risk may result in a bad outcome, there also is the prospect of a good outcome. No risk, no reward, as the saying goes. This is a more rational view of risk. </p><p>Internal auditors can help organizations balance attitudes about risk by talking and acting rationally about risk. 
For instance, they shouldn't use risk exclusively as a "four-letter word" in discussions with other business professionals. Risk mitigation is only one potential risk response alternative. When approaching risk assessments or new audit engagements, internal auditors should talk about how informed risk-taking is essential to the organization's growth prospects. </p><p>Internal auditors should counsel clients that risk acceptance is sometimes the best risk response. This can be the case when other risk response alternatives are costly or when the risk is relatively mild. Accepting a risk while continuing to monitor it for changes that may justify a different response is a rational reaction. </p><p>In other instances, it is appropriate to exploit risk for its opportunity. In times of crisis or disruption, offsetting opportunities can present themselves in the face of emerging risks. In these instances, risk opportunities can serve as a hedge against simultaneous negative risk outcomes. When internal auditors set a good example, clients and other stakeholders are more likely to respond to risk with a more rational mindset.</p><h2>Thinking Differently About Risk</h2><p>Let's think about snakes and risk a little differently. A more neutral word to use for snake is reptile. Some reptiles can cause harm to people in certain circumstances such as swimming in a lake known to have large alligators or walking through terrain known for rattlesnakes. In other situations, such as rodent control, reptiles are benign or helpful. </p><p>Likewise, a less polarizing term for risk is uncertainty — specifically, about some outcome. Risk is neither bad nor good; it's just uncertainty. When auditors use the word <em>uncertainty</em> when discussing risk, they can have a more objective, and less polarized, discussion and avoid the biased, negative connotation. This allows auditors to unlock the real value of an intellectual discussion about risk — refocusing attention on decision-making. 
</p><p>Uncertainty hinders decision-making. The more uncertainty that exists about a pending decision, the more difficult it is to make a decision that will result in a favorable outcome. The better decision-makers understand the uncertainty they face in a decision, the more likely they are to optimize the outcome they are seeking from it. </p><p>The coronavirus pandemic comes to mind. In the present, fear of the unknown is dominating the response conversation. This is a crisis of a kind most of the modern world has not experienced, and government leaders are struggling to craft effective responses because of the uncertainty that exists. </p><p>In time, this threat will subside. The world is currently experiencing negative outcomes; however, positive outcomes could emerge, such as a more resilient health-care system to deal with similar threats in the future.</p><h2>Risk Doesn't Have to Be Scary</h2><p>When risk is obscure and lurking in the darkness, it seems more like a rattlesnake waiting to strike an unsuspecting victim. But when risk is visible, understood, and appreciated for its potential benefit, organizations can exploit it for a beneficial outcome or control it to minimize a negative outcome. With this shift in mindset, risk becomes less of a scary monster and more of an input to rational decision-making that can be managed for the best outcome.</p><p>Rick Wright</p>
<h1><a href="https://iaonline.theiia.org/2020/Pages/Testing-the-Boundaries.aspx">Testing the Boundaries</a></h1><p>The outbreak of COVID-19 has forced regulators in the U.S. and around the world to focus on the immediate impacts that the pandemic is having on companies, markets, and consumers. And while some watchdogs have said they may relax some rules or reduce scrutiny to help businesses operate more smoothly, experts warn it does not mean companies should loosen their internal controls. Nor should they take advantage of the situation by engaging in questionable, or even illegal, practices in the hope that authorities have less appetite — or means — to investigate and enforce the rules. As companies face temptation and risk noncompliance, internal audit has a strong role to play in helping them adhere to the rules.</p><h2>Business as Usual</h2><p>"Companies are still liable for compliance failures," says Hermès Marangos, partner at U.K. law firm Signature Law. "The virus emergency does not postpone or modify the law — there are no exemptions unless so provided by the legislation itself. Despite this, there are already individuals and entities trying to profiteer, behave unethically and contrary to laws and regulations in many instances," he says.</p><p>One area of corporate activity that has seen a relaxation of some rules is competition law. To enable the supply of key medicines, health-care equipment, foodstuffs, and other urgent goods, antitrust regulators have allowed competitors to work together — albeit in very specific and limited circumstances. In some regions, such as Europe, companies can even apply for "comfort letters" to gain increased assurance from the regulator as to what practices may be allowable under these exceptional circumstances, and for how long. 
But lawyers warn companies against thinking that such arrangements are the "new normal," or that a relaxation of the rules in one area means that closer cooperation in other areas of business has been tacitly allowed.<br></p><p>Some companies also risk misinterpreting signals from regulatory agencies that enforcement may be pared down. They may assume that watchdogs will focus their resources on tackling companies committing the worst abuses or causing harm to the biggest number of consumers, rather than target organizations generally that have failed to comply. For example, in Europe — which has probably the toughest and most punitive data protection laws in the world under the General Data Protection Regulation — several data protection authorities have said they will naturally be drawn to investigating the "worst offenders."<br></p><p>But lawyers point out that this does not mean companies have been given any special dispensation not to follow the rules as normal. It simply means that the regulators have prioritized their resources.   <br></p><p>"As regards data privacy and enforcement, it is business as usual," says Sarah Pearce, privacy and cybersecurity partner at international law firm Paul Hastings. "No dispensations are being made under current circumstances. Most data regulators have said data protection principles still apply and should be adhered to, so businesses should certainly not view COVID-19 as an excuse for noncompliance."<br></p><p>Companies risk noncompliance by misinterpreting any sign of rules easing — or they may even assume a relaxation simply due to the pandemic. "While there may be some delayed reaction in terms of enforcement by certain regulators due to limited resources during this time, that is not to say there won't be enforcement later down the line," Pearce says. <br></p><h2>Penalties Still Apply</h2><p>Experts also warn against assuming that penalties will be reduced because firms are under financial pressure. 
Michael Ruck, partner at U.K. law firm TLT, says that although regulators are redeploying their resources during the response to coronavirus, resulting in a reduction in the number or progress of investigations, the top-level amount of fines or penalties imposed will not be relaxed.</p><p>"In periods where it is difficult to trade or where profit is hard to come by, there are inevitably instances of a small number of corporates or individuals being increasingly willing to stretch the interpretation of regulatory requirements — sometimes beyond their breaking point," Ruck says. "A perceived relaxation of regulatory intervention may encourage such behavior, but those that are tempted should beware."</p><p>While regulators may have discretion to reduce penalties in circumstances where incidents of accidental or low-level noncompliance occur, experts still warn that it will always be the authority that calls the shots.</p><p>"Regulators understand that the crisis is putting pressure on firms meeting their day-to-day obligations and are likely to be reasonable with firms that are making a reasonable effort to comply with regulations in trying times," says Ian Thomas, regulatory solutions specialist at Quorsus, a financial services consulting firm. "That said, the keywords here are 'reasonable' and 'comply.' Cash crisis or not, the regulators are unlikely to hesitate to issue fines for serious breaches or offences — for example, those financial services firms that put client money at risk."</p><h2>An Essential Resource</h2><p>Due to fears that organizations might choose to sail close to the wind if they feel that regulators might allow it, several experts believe that internal audit has a strong role to play in ensuring their organizations follow the usual strict codes of compliance. 
</p><p>Camilla Winlo, director at international data protection and privacy consultancy DQM GRC, says that "it's good to see regulators taking a pragmatic view of enforcement." But she warns that organizations still need to be mindful of the need for regulatory compliance.</p><p>"Internal audit functions need to be particularly aware of the need to carry out risk assessments and policy and process gap analyses to identify where risks have been introduced and ensure that their organizations come back within their risk appetites as quickly as possible," she says.</p><p>Nicola Howell, senior compliance and privacy attorney at commercial data and analytics firm Dun & Bradstreet, agrees that there should be no "let up" in following the rules. "Internal audit teams should not be complacent about enforcement and should proceed with upholding the policies their organizations had in place before COVID-19 took hold," she says. "While justifiable allowances may be made, any significant departure from legal requirements or previous company policy could significantly backfire on a business."</p><p>Neil Hodge</p>
<h1><a href="https://iaonline.theiia.org/2020/Pages/Responding-to-the-Crisis.aspx">Responding to the Crisis</a></h1><p>While many organizations were monitoring the spread of COVID-19 from China to the U.S., executive leadership at The IIA was already taking action. They were meeting regularly to discuss several upcoming events scheduled in March within a span of three weeks, including the General Audit Management (GAM) conference in Las Vegas, Global Assembly in London, and Leadership Academy in Orlando. </p><p>"We started monitoring COVID-19 early on because of our certifications business in China," said Bill Michalisin, The IIA's chief operating officer. "Our testing centers there started shutting down in early February, so we took note and began mobilizing to explore alternatives." With attendees from more than 50 countries expected at GAM, IIA leadership had to take a closer look at the safety of IIA staff and attendees. </p><p>Once cases of COVID-19 emerged in Washington State and California, events unfolded quickly and the decision was made to turn the in-person GAM conference into a virtual event, livestreamed from the conference hotel. But even as IIA staff arrived in Las Vegas, they were notified that the hotel was closing down due to the pandemic, and the three-day event would now be a one-day event. </p><p>"When times get tough, that's when your people rise to their best," Michalisin shared. "We focused on delivering the program and getting our staff and members back home safely." IIA staff did not return to the office, however, as IIA President and CEO Richard Chambers had shut down Headquarters and instructed employees to work from home.</p><p>As this was happening, Chief Risk Officer Greg Jaynes was conducting a risk assessment to ensure employees had the resources to work from home. "We had to develop guidance for people who had never used the VPN to log in to the office," he explained. 
"People were taking on roles that they never had before to get people up and running."</p><p>As decisions were being made, Lynn Moehl, The Institute's chief audit executive, was taking on a monitoring and advisory role and looking across the organization to make sure it was a cross-functional effort. In the highly charged situation, she told webinar attendees, she had to ask, "Are we making decisions based on the best set of information we have? How do we communicate about GAM, issue refunds, and switch people from in-person to virtual attendees?" </p><h2>Driving Change</h2><p>An event like COVID-19 can be a significant change driver for organizations. According to Michalisin, The IIA has taken a step back to look at what its members need and want and asked, "How can we help them survive and thrive?" The IIA immediately began developing daily news items in the <a href="/2020/Pages/COVID-19-Newswire.aspx"><span style="text-decoration:underline;">COVID-19 Newswire</span></a>, pulling together content related to the pandemic in the <a href="https://na.theiia.org/Pages/Updates.aspx"><span style="text-decoration:underline;">COVID-19 Resource Exchange</span></a>, and looking at how to evolve training and certifications so members can still access the resources they need virtually to help them navigate the crisis now and be better positioned to help their organizations do the same in the long term. The Audit Executive Center began hosting roundtable discussions so CAEs could connect on issues and The IIA could share what CAEs are doing in their organizations with the broader membership.  </p><p>"I think it's going to change the way we do business going forward," Jaynes said. "Whether it's flexibility, taking on different roles, reprioritizing goals for the year or deferring some, it's forced us to look at our operations differently." 
</p><p>This scenario has allowed The IIA to think differently about how it operates and apply a more entrepreneurial spirit while identifying opportunities to better serve its members and the profession, Michalisin told attendees.</p><h2>Staying Connected With Members</h2><p>Members are at the core of The IIA's business, so The Institute continues to reach out to CAEs and members to help them navigate the crisis, Michalisin said. Internal auditors still have to maintain their primary roles within their organizations, and now they're trying to figure out how to do that in the shadow of a global pandemic. They're looking for guidance on how to complete a virtual quality assessment, or continue their professional development, or revamp a risk assessment, and The IIA is trying to meet all those needs, he explained. </p><p>"We've continued to have great engagement with our members and we're learning as they're learning," Michalisin shared.</p><h2>Opportunity for the Profession</h2><p>COVID-19 has provided a huge opportunity for internal audit to step up, and stakeholders may be taking note of that for the first time. As Jaynes said, "Internal auditors have been exposed to all the nuts and bolts of a business. Who else can bring that perspective and information to the table very quickly?"</p><p>Moehl added that it has highlighted the need for internal auditors to be viewed as a critical resource. "It's an opportunity for your function to demonstrate the value it can bring the organization — being agile and getting things done in a different way." As the crisis began to develop, Moehl put aside her audit plan and asked where she could be of help.</p><h2>Front-line Advice</h2><p>This pandemic won't be the last, but it has taught organizations that they can never be fully prepared, said Michalisin. Testing business continuity plans, learning to be flexible, and not losing sight of emerging risks can at least give them a head start. 
</p><p>"Learn from what you're dealing with every single day and commit to the fact that whatever the new normal will be will move your organization forward," Michalisin advised. "If we go back to where we were before COVID-19, then we haven't applied that learning." Part of that is staying focused on your people and communication.</p><p>"As an internal auditor, continue building relationships and your brand within the company," Moehl said. "Relationships with all levels of staff are key to being plugged into risk."</p><p>And integrating risks into decision-making, planning, and forecasting, said Jaynes, is where we all can do a better job.</p><p>View the full webinar: <a href="https://www.workiva.com/resources/roundtable-iia-executives-business-continuity-speed-covid-19-risk">Roundtable With IIA Executives — Business Continuity at the Speed of COVID-19 Risk</a>.</p><p>Shannon Steffee</p>
<h1><a href="https://iaonline.theiia.org/2020/Pages/The-Value-in-the-Business-Ecosystem.aspx">The Value in the Business Ecosystem</a></h1><p>Whether they know it or not, consumers in today’s economy are likely being impacted by an organization’s third parties daily. From online merchants, and the delivery partners they use to complete the transaction, to call centers and other support services, third parties support organizations in almost every imaginable way. </p><p>In the end, these end-to-end business “ecosystems” are what drive value creation and revenue for today’s organizations. Some disruptions to these ecosystems are beyond the control of the organization and its third parties, such as the recent coronavirus outbreak that has disrupted operational value chains globally. And when things go wrong, it is likely that the organization with the brand name is the one impacted and not the third party supporting the product or service in the marketplace. </p><p>Understanding an organization’s end-to-end processes and how those processes deliver value should be the objective and outcome of an internal audit. That means internal auditors must look beyond third parties to incorporate key fourth, fifth, and sixth parties into planning, scoping, and executing every audit — a process known as “ecosystem management.” </p><h2>Shifting the Emphasis</h2><p>Focusing on an organization’s ecosystem can change the underlying approach and output of an internal audit. Aiming scoping questions, walk-throughs, and outputs at the organization’s external partners shifts the emphasis from control gaps, issues, and items requiring resolution to how the business protects its value-driving activities and profit-making ability. This doesn’t mean that an organization should change how it plans its annual internal audit schedule. Instead, it should integrate three key principles into how it executes each audit. 
In other words, the annual audit schedule should continue to focus on higher risk areas, but the scope of each audit should include the ecosystem principles. This approach may result in longer and more complex audits.</p><p><strong>Focus on End-to-end Processes</strong> Audits should focus on the auditable entity and how each process supports the desired inputs and outputs. The scope of the audit of each end-to-end process should include a view of third, fourth, and fifth parties that drive business value. This approach requires auditors to conduct activities as if the external parties are internal to the organization. The audit should demonstrate how the auditable entity delivers value: through internal people, processes, and technologies only; external parties; or a mix of both.</p><p><strong>Focus on Return on Investment (ROI) and Value-generating Activities</strong> Audits should focus on how each process and end-to-end activity supports ROI generation. If the process doesn’t support the organization’s ROI, auditors should question its role in the broader organizational ecosystem. The role of external parties in supporting value-generating activities should be a key focus of this exercise. </p><p><strong>Include Business Resilience in the Context of Business Activities</strong> To get operational resilience right requires a change in perspective by management, boards, IT functions, and control functions. For a long time, organizations have focused on determining the probability of an adverse event occurring and ways to prevent it or minimize the damage. As part of this approach, most organizations have developed business continuity and disaster recovery plans, including simulated testing. Business resilience is broader than those traditional topics, though, encompassing business, cyber, infrastructure, and third-party resilience. 
Internal audit can help drive the broader perspective of operational resilience by integrating these concepts into its ecosystem management approach. </p><h2>Integrate Process Documentation</h2><p>When conducting integrated ecosystem audits, internal audit should combine internal and external process documentation into a single and consistent documentation standard. Auditors should communicate this standard to the auditable entity to allow enough time to capture external party documentation in the preferred format, including process and control information. </p><p>This approach gives internal audit and other internal parties a single viewpoint on how business activities are driving value and profits. Additionally, it enables internal audit to effectively challenge each auditable entity on the risks and underlying strength of its controls, and how they protect the interests of the organization. </p><h2>Manage Third and Fourth Parties</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>​Ecosystem and Extended-party Risk Questions</strong><p>The following examples are questions specific to third-party management that can be used in ecosystem audits:</p><ol><li>Does a third party support the business activity in meeting its market and customer needs?</li><li>How does the organization monitor the quality of its third parties and their ability to continue to meet the organization’s needs?</li><li>Does the decision to leverage a third party align with the organization’s strategic decisions and key competencies? </li><li>Does the use of a third party expose the organization to additional reputation and brand risks that must be monitored and managed? </li><li>What outputs of the process drive value- and profit-generating activities for the organization? 
</li><li>Does the use of a third party create potential disruption risks, including impacting the organization’s ability to continue to operate and generate value? </li><li>Does the third party maintain plans to ensure its services would continue in the event of a disruption? </li></ol></td></tr></tbody></table><p>Does the organization know who its third parties are and how they support value-generating activities (see “Ecosystem and Extended-party Risk Questions” above)? If it does not know, that could spell problems for the organization as a whole and for auditors conducting an audit, as it should be the starting point to completely understanding the ecosystem. </p><p>Maintaining a list of contracts and data that does not explain which processes are supported by third parties does little to enhance this understanding. Organizations should go beyond such lists by determining who the third parties of the third party (fourth parties) are. This exercise boils down to two questions: </p><ul><li>Does the organization understand how it delivers its value proposition to the marketplace? </li><li>Does that understanding include how its suppliers, service providers, or other entities contribute to that overall mission? </li></ul><p>The organization does not need to know every single party within the chain of external relationships. However, it should have a solid understanding of those parties that help to support its value-generating activities. Parties that have direct inputs are defined as value-generating.</p><p>Once an organization has an end-to-end view of internal and external processes, it should consider controls among the entities. This requires internal audit to document the operating controls of both the auditable entity and the external parties supporting the delivery of the activity. They also must capture the controls monitoring the transition of processes (hand-offs) between the entities. 
</p><p>That last category becomes more important for key activities that are outsourced to fourth, fifth, or sixth parties. In such scenarios, the organization may rely on an external entity to monitor the quality of delivery of those activities. While this may seem like a lot of additional work, in theory, the business already should have a view of these key activities and monitoring protocols in place to protect its own interests. </p><p>If a third party refuses to provide the requested support or documentation, auditors should still be able to understand how the auditable entity monitors third parties’ performance in delivering inputs or services. That knowledge can improve their understanding of the value external parties deliver to the entity. </p><h2>Link to Operational Resilience</h2><p>Business resilience requires organizations to focus on activities that are critical to their customers and markets, and the infrastructure needed to continue to provide those services. Within ecosystem audits, internal audit should help capture and challenge the business understanding of the end-to-end ecosystem, and whether business leaders are considering all the risks associated with it. Auditors should leverage recent industry and world events as examples to challenge the business on whether it is truly resilient to known and unknown risks to value-generating activities.</p><p><strong>Identify Critical Services</strong> The organization should identify which of its activities are critical to customers, other market participants, the ongoing continuity of the organization, or the economy. It should prioritize these services for resiliency and have clear tolerances for disruption to those services.</p><p><strong>Understand Impact Tolerance</strong> The organization should use scenarios to estimate the extent of disruption to a business service that it could tolerate. Scenarios should be severe but plausible and assume that a failure of a system or process has occurred. 
The organization must then decide the point at which disruption becomes no longer tolerable. While using cyber events for such scenarios can focus attention, the organization also should use other events in scenario analysis such as failure of change or IT implementation, and disruption at third parties, outsourced providers, or offshore centers. Senior management and the board should use the information to update policies and contractual agreements, and drive investment decisions around improving business processes.</p><p><strong>Understand Change Processes</strong> The operational resilience program should evolve with the business as it changes. The organization should understand what external or internal factors could change over time and the trends that could impact key business services, and adjust its resilience plans accordingly.</p><h2>Focus on Value </h2><p>Embedded in the audit methodology should be a focus on the business’ value-identification, value-generation, and value-realization activities. Every business audit should capture documentation consistently to support the understanding of internal and external processes and controls. </p><p>Internal auditors should ask about external entities and collect data to understand the future state of key third parties. They should discuss the criticality of activities and their relation to value-generating activities. Auditors should link the concept of key activities, third parties (and additional parties), and process inputs and outputs to value generation and ROI across the organization. Finally, they should provide an opinion on whether activities are generating the most value possible and whether the business is allocating the necessary resources to meet that objective.</p><p><strong>Business-as-usual Audits</strong> Integrating these concepts into business-as-usual audits can benefit the organization by focusing on the criticality of value-generating activities. 
As a result, they can help the organization identify key business risks. During these audits, business personnel typically are more comfortable discussing why the business operates in the manner it does. Moreover, integrated audits limit the need to perform targeted audits on third-party risk, business continuity, cyber risk, and operational resilience.</p><p><strong>Standalone Audits</strong> For organizations that can’t integrate these ecosystem concepts into business-as-usual audits, an ecosystem management audit can help them understand how the business delivers value. That understanding is fundamental to gaining a holistic view of the organization’s risks. Conducting this audit starts with answering questions about the value delivered to external and internal stakeholders. </p><p>Questions for external stakeholders include: </p><ul><li>What products and services does the organization offer?</li><li>How does the organization deliver its products and services?</li><li>What would happen if the organization couldn’t deliver its products and services?</li><li>How does the organization confirm that its products and services are meeting the needs of the market?</li><li>How does the organization confirm that its products and services are meeting its legal and regulatory obligations?</li></ul><p>For internal stakeholders, auditors should ask:</p><ul><li>How does the organization continue to operate profitably and promote its core values?</li><li>How does the organization continue to meet board members’ expectations?</li><li>How does the organization promote the continued success of its employees and their future well-being?</li></ul><p><br><strong>Risk Management Program</strong> The answers to these questions can help the organization build core data to support an ecosystem risk management program. 
The organization can leverage this data across its enterprise risk management frameworks to provide a common taxonomy for how the business drives value.</p><p>Moreover, the answers can help the organization address additional questions that could provide a basis for developing an ecosystem mindset for future-state audits: </p><p></p><ul><li>What products and services do we offer, and how do we deliver them? For example, does the organization provide 100% of products and services through internal processes, or does it rely on third parties to provide 50% of inputs, outputs, or continued servicing?</li><li>What are the core business objectives, and how does the organization manage them? </li><li>Does the organization’s culture align with its products and services, and is it consistent with the core business objectives?</li></ul><p><br></p><h2>A Deeper Understanding of the Business</h2><p>Some internal auditors may find the ecosystem management audit concept far-fetched. These professionals may think such audits are beyond their organization’s capabilities. While this is a reasonable view, those practitioners should keep in mind that without the value the business generates, their role within the organization would not exist.</p><p>Internal audit functions should drive value to an organization wherever possible. Standalone audits of value-chain operations can be beneficial to ensuring they function effectively. However, by embedding ecosystem management concepts into business-as-usual activities, internal auditors can drive a deeper understanding of the organization’s value-generating activities and most profitable businesses. </p>Brian Kostek1
On the Money: Time to Revisit Financial Riskhttps://iaonline.theiia.org/2020/Pages/On-the-Money-Time-to-Revisit-Financial-Risk.aspxOn the Money: Time to Revisit Financial Risk<p>​A decade of unprecedented loose monetary policy designed to stimulate the global economy has been a godsend for businesses. Cheap financing has allowed companies to invest in growth and reward shareholders with share buybacks, pushing stock markets to record highs. Recent years have been good to CEOs. </p><p>Meanwhile, increasingly sophisticated automation and a belief that financial risks were relatively well-understood, compared with some emerging audit areas, mean that many internal audit functions had put financial risk on a back burner. But accommodating financial conditions also have allowed risks to build. "In advanced economies, corporate debt and financial risk-taking have increased, the creditworthiness of borrowers has deteriorated, and so-called leveraged loans to highly indebted borrowers continue to be of particular concern," Tobias Adrian, financial counselor of the International Monetary Fund, told an audience in April 2019 at the launch of the most recent Global Financial Stability Report.</p><p>It is hardly surprising then that financial risk has moved back toward the top of the list of business risks cited by chief audit executives in the Risk in Focus 2020 report, a collaboration among IIA institutes in Belgium, France, Germany, Italy, the Netherlands, Spain, Sweden, and the United Kingdom and Ireland. Nearly one-third of respondents listed it in their top five risks. 
As news headlines highlight a plethora of concerning indicators — anti-globalist trade policy, weak manufacturing data, the inversion of the yield curve on various government bonds, decelerating global growth, and other recessionary signals — boards and audit committees are increasingly likely to seek assurances that financial risk is being mitigated effectively.</p><h2>Coming Full Circle</h2><p>The management of financial risk on a day-to-day level lies ultimately with the finance function. Called the treasury in many countries, the finance function manages the business' liquidity and monitors cash inflows and outflows, current and projected, to ensure sufficient funds are available to support the company's operations and excess cash is invested effectively. Although finance is fundamental to the success of the business, it's useful for internal auditors to remember that some board members may have blind spots in their knowledge and awareness of the basics, particularly when it comes to the company's balance sheet.</p><p>"Nonfinance directors tend to be less familiar with the balance sheet and the cash flow statement than the profit and loss (P&L). By extension, they are typically less comfortable with the balance sheet lexicon, such as the true meaning of assets, liabilities, and equity," warns Steve Giles, a course leader at the London-based Institute of Directors on its Finance for Non-finance Directors learning program. "They are aware of concepts such as 'cash is king,' but do not readily translate this to the importance of managing working capital and the cash cycle in their business." He adds that the "corporate killer" is rarely a lack of profits, but the business' inability to pay debts when they are due.</p><p>This is why internal auditors in many sectors may now be urging boards to think seriously about market conditions and financial risks. 
In times of growth, when markets are calm, auditors conducting routine finance audits should watch for signs that the finance function is becoming complacent or that financial risk management standards are slipping. But when rising trade tensions combine with the highest-ever levels of corporate debt, they should scrutinize all aspects of financial risk, as earnings are likely to be under pressure.</p><p>"Trade wars are bad for everybody. Their ultimate impact is a movement toward lower earnings," says Pat Leavy, CEO at FTI Treasury, a Dublin-based treasury outsourcing and audit firm. "This combined with the presence of leverage obviously increases risk, but, from an audit perspective, when we're looking at individual companies, we need to understand the data we see." </p><p>Leavy explains that although gross corporate debt has risen, internal audit should focus more on net corporate debt. The risk is lower when corporations have high debt and also high levels of cash and liquid assets — a good example is the airline industry. "The focus should be on debt repayment capability, rather than profits and earnings before interest, tax, depreciation, and amortization alone," he says. "What we're really looking at is cash generation."</p><h2>Qualities of a Good Finance Function</h2><p>So, what does a good finance function look like, and what should internal auditors consider when they audit it? Leavy likens the quality of the finance function to Maslow's hierarchy of motivation. At the bottom of the pyramid is the quality of the infrastructure in place to manage the function: the resources and people, the competency of those people and the quality of the technology infrastructure, including any automation, and the commitment to the processes that are in place. 
The next level up is the control environment, the segregation of duties, the checks and balances, the flow of information, and compliance with those safety measures.</p><p>"As you move up the pyramid, it becomes more subjective," Leavy says. "Success at the next level depends on getting the right balance between developing strategy and managing the operations." Finance functions often spend 10% of their time on strategy and 90% on managing operations and getting the day-to-day work done. "In reality, getting the treasury strategy right can have a much more significant impact on the business," he says.</p><p>Finance functions often operate in isolation from the business and can be reactive. Ideally, they should be proactive and able to anticipate and be part of the corporate decision-making process. In this kind of finance function, the group treasurer moves up the value chain, working directly with the chief financial officer and risk committee to help define and achieve the corporate strategy. </p><h2>Where Audits Focus</h2><p>Similarly, Leavy says, finance audits tend to focus on the lower (although essential) rungs — operations controls and governance — and less on the finance function's strategy and how it enables the overarching corporate strategy. His points are echoed by Angela O'Hara, who spent five years as group assurance and risk director at an FTSE 100 chemicals and technology company before recently stepping into a director role. She also sits on the finance and general purposes committee of the Royal Veterinary College. O'Hara says limited resources meant that the finance audit she oversaw was outsourced and focused almost entirely on the basics.</p><p>"That audit looked at processes and governance, but not at the impact of the financial risks in the business and the treasury's role in relation to those risks," she explains. 
Auditors assessed how well the finance function managed bank accounts, and whether it reviewed the business' credit rating and funding arrangements regularly, as well as access rights for critical systems, the payment and processing platform, and foreign exchange (forex) trading. "But it didn't look at, for example, whether there had been a forex gain or loss, what led to that, and whether there should be changes to the roles and responsibilities associated with that," she says.</p><p>O'Hara says it is common for internal audit to assess how a function is set up, but there is additional value to add in assessing that function's effectiveness and what it means for the business. Reviewing structure, governance, policies, procedures, and key controls is fundamental. But, building on that, internal audit needs to challenge the function and its assumptions, even if it is not an expert on forex hedging or financing strategies. </p><p>"It's not a case of suggesting that what the treasury is doing is incorrect, but of raising questions that need to be considered in a rational and objective manner," Leavy adds. "And also of considering alternative approaches that might be more suitable and being open to that dialogue."</p><p>Alistair Smith, U.K. internal audit, risk, and control director at EDF Energy, says the transactional and frequent nature of finance activities makes them suitable for automation. However, in organizations using this kind of technology, internal audit should consider how key person risks and segregation of duties are managed. Another key risk, especially in long-established finance teams, is over-familiarity with the business, which can lead to "passive checking" of approvals for things like setting up new bank accounts. 
The best finance functions also will be able to provide metrics to demonstrate how they add value, whether through their forex hedging strategy or by optimizing financing.</p><h2>Standard Deviation</h2><p>Internal audit may not be able to predict whether the economy will go into recession, but there are more mundane matters that should be well-understood and managed. Changes to International Financial Reporting Standards (IFRS) accounting standards, for example, can catch finance functions off guard in companies that are required to comply with them.</p><p>IFRS 15, which came into effect in January 2018, requires that businesses subject to IFRS recognize revenues only when they are collected and not when customer contracts are signed, a change that has affected the top lines of high-profile companies. IFRS 16, which went live in January 2019, also has caused some turbulence. The new standard requires that payments made on operating leases — used for property and equipment in asset-heavy industries — must for the first time be reported as a liability on balance sheets. In September, FTSE 100 construction rental business Ashtead reported a huge jump of £1.4 billion ($1.8 million) in its net debt to £5.2 billion ($6.8 million) in the second quarter, well over half of which directly resulted from the accounting switch. </p><p>"The one we are coming across more and more is IFRS 9 on the impairment of intercompany loans," Leavy cautions. "There may be a requirement to calculate potential credit losses and include that as an impairment charge on intercompany debt. 
So suddenly there can be a movement on the P&L as the result of an accounting amendment, and intercompany lending is a bread-and-butter issue for every large corporation with an international footprint."</p><p>Another consideration for global businesses is the finance function's strategy of cash pooling, whereby the debit and credit balances of numerous subsidiaries' accounts are aggregated, allowing them to centralize group liquidity management. This can improve the interest terms they are offered when they raise finance and optimize cash flow within the group.</p><p>Certain jurisdictions, however, place restrictions on the strategy. "Notional cash pooling," a virtual rather than physical concentration of cash, is prohibited in Argentina, Brazil, Chile, India, Mexico, Sweden, Turkey, and Venezuela, in favor of physical pooling. India has even stricter rules that forbid cross-border physical pooling. Internal audit departments working across geographically diverse businesses should bear in mind the complications that can arise from subsidiaries that may sit outside of the pool.</p><p>"You need to look at those outliers as well as at the big risks," O'Hara says. "Clearly there is a big gross risk in the central treasury function, but each of the outliers could impact the P&L."<br><br><em>A version of this article first appeared in the November 2019 issue of </em>Audit & Risk<em>, the magazine of the Chartered Institute of Internal Auditors. Adapted with permission.</em></p>Brendan Scott1
Auditing Culture: Familiar Techniqueshttps://iaonline.theiia.org/2020/Pages/Auditing-Culture-Familiar-Techniques.aspxAuditing Culture: Familiar Techniques<p>​The idea of auditing culture can be intimidating to internal auditors. How can you find objective evidence about something that is inherently subjective? Do you need strange new techniques and psychologists on the audit staff? <br></p><p>Fortunately, internal auditors can accomplish a great deal without the need for a radically different approach. A combination of well-known audit techniques, applied more rigorously by practitioners looking for cultural issues, can go a long way. Four techniques, in particular, can yield valuable information:</p><ul><li>Establishing a participative relationship with audit clients.</li><li>Observing culture while on site.</li><li>Leveraging data that gives perspective on the culture and supports audit observations.</li><li><p>Carrying root cause analysis further than usual.</p></li></ul><p>Incorporating these approaches into routine internal audit work gives practitioners insight into organizational culture and can surface issues critical to the organization's continued success.<br></p><h2>Participative Relationship</h2><p>Establishing participative relationships is perhaps the most important technique, as audit clients are far more likely to discuss their culture if they feel involved in the audit process. This involvement can come during three stages of an audit project.<br></p><p><strong>Planning </strong>Auditors commonly get input from the manager responsible for the area they're reviewing. Some auditors go further and actually plan the audit with that manager. Together, they develop the specific audit objectives, scope, and overall approach. <br></p><p>Does planning the audit with the client compromise independence? 
It would if the auditor is not thinking critically; but if the client tries to divert internal audit from looking into a risk area, an experienced auditor is likely to recognize it.<br></p><p>For example, as part of the planning process the auditor presumably would explain why he or she thinks a risk area should be examined; the client might then explain why it would be a waste of time. If the client's explanation makes sense, the auditor thanks the client and explains that internal audit needs to confirm what he or she says. If confirmation is established, the auditor saves time. If not, or if what the client says does not make sense, the auditor sees the attempted diversion as a red flag and looks into the risk area with that in mind. <br></p><p>Audit clients are likely to be concerned about how much of their time the joint planning process will take. Internal audit should promise to minimize the impact by performing all the detailed analyses and keeping the planning at a high level.<br></p><p><strong>Risk Assessment </strong>Once the audit objective and scope are agreed upon, the auditor performs a more detailed risk assessment of the key risk areas. Involving the manager in the assessment — or his or her direct reports if the manager can't take the time — has many benefits. First, business owners know their risks better than an auditor coming in from the outside; most of them are just not used to thinking about risk in a systematic way. Guiding the client through a risk assessment gives the auditor a better understanding of the real risks and helps the client become a better risk manager. For auditing culture, it allows the auditor to guide the client's thinking toward cultural objectives and risks to address during the audit. <br></p><p><strong>Reporting </strong>The best way to "report" audit issues — and this is especially true for sensitive cultural issues — is not by telling the client they exist. 
The most effective way is showing the evidence, enabling clients to realize for themselves that there's a problem. Ideally, the discussion begins before the auditor has all the evidence, when he or she thinks there's an issue but is not quite sure.<br></p><p>For example, suppose an area's staff members complain of unrealistic performance targets. The auditor, being careful to preserve confidentiality, could ask their manager if he or she is aware of the staff's concerns. If the auditor can pique the manager's interest in whether it's true or not, they can design a test to determine that together. If the results indicate it's false, the client will have evidence to show the staff and dispel a morale issue. If the results indicate it's true, the manager is much more likely to be receptive, having asked for the information and helped design the test. <br></p><h2>Observations and Data </h2><p>In any area they review, auditors observe the behavior and attitudes of client management and staff. Their perceptions of the culture are generally accurate, but they are subjective. For most internal auditors, reporting a cultural issue based only on observations results in a fight they can never win. The good news is that there is usually objective data to support those observations.<br></p><p>A negative culture, for example, usually results in high rates of turnover and sick time. These statistics are readily available. Employee survey and exit interview results can also support the auditors' observations and sometimes help identify the cause. A review of customer complaints, frequency of missed performance targets, or project failures can show the impact of the cultural issue. 
For more examples of metrics that can support auditors' observations, see <a href="/2019/Pages/Auditing-Culture-Observation-and-Data.aspx">"Auditing Culture: Observation and Data</a>."<br></p><h2>Root Cause Analysis</h2><p>When conducting training programs during the early to mid-1990s, I would often say that soft (i.e., cultural) controls are more important to controlling an organization than hard controls. I would present tools like control self-assessment workshops, employee surveys, and structured interviews as ways to identify soft control weaknesses. Sometimes a trainee would ask, "If you just did transaction testing and really got at the cause of hard control deficiencies, wouldn't you get to the same place?" The answer is yes, but that rarely happens. Auditors usually stop short, ending with a more objective, easily defensible intermediate cause.<br></p><p>Today, in my course for new internal auditors I like to illustrate root cause analysis by starting with a hypothetical example where auditors discover inaccuracies on a computer report. I then ask the class to identify potential reasons for the erroneous report. A typical, though abbreviated, exchange between myself and the course participants looks something like this: <br></p><p><span class="ms-rteStyle-IndentBoth">"Why is this information not accurate?"<br></span></p><p><span class="ms-rteStyle-IndentBoth">            "Input errors"</span></p><p><span class="ms-rteStyle-IndentBoth">"Why are there input errors?"<br></span></p><p><span class="ms-rteStyle-IndentBoth">            "Lack of training"</span></p><p><span class="ms-rteStyle-IndentBoth">"Why haven't the input clerks been properly trained?"</span></p><p><span class="ms-rteStyle-IndentBoth">            "No budget for training"</span><br></p><p>At this point I explain the need to look at the effect of the errors. If the organization shifts funds to training, those funds have to come from somewhere else. 
The loss of funds elsewhere might have a worse effect than these errors:<br></p><p><span class="ms-rteStyle-IndentBoth">"So let's say the effect of these errors is clearly great enough that training is needed, but local management is allocating its budget as best it can."</span></p><p><span class="ms-rteStyle-IndentBoth">            "Then they need a budget increase."</span></p><p><span class="ms-rteStyle-IndentBoth">"Why isn't upper management giving them enough money to train their staff?"</span></p><p><span class="ms-rteStyle-IndentBoth">           "Upper management just looks at numbers and has no idea of the impact of their decisions on lower level employees."</span><br></p><p>Now we have the real root cause. And as often happens when analysis leads to the executive level, the cause is a cultural issue. Correcting it will not just correct the condition, but it will prevent future instances of the same or similar conditions. In this example, the root cause has a pervasive impact on the entire organization — Wells Fargo provided a clear example of what that can lead to.<br></p><p>Of course, upper management is not going to change its approach to managing the organization because of the errors on this computer report — it is one symptom of a deeper problem. The audit report will have to stop at an intermediate cause. The auditors, though, should keep track of this issue and look for similar issues in other audits. If they can connect the dots from enough audits, they may have sufficient evidence to at least discuss the underlying issue with upper management. And this points back to the importance of establishing a participative relationship with management. Finding a root cause on our own is rarely as effective as working with the client to identify it. 
This is especially true if the root cause is cultural.<br></p><h2>A Powerful Combination</h2><p>Taken together, a participative relationship with audit clients, auditors' observations supported by objective data, and rigorous root cause analysis is a powerful combination. None of these techniques is novel — they are things internal auditors have always done to some extent. Performing them more rigorously, with the goal of identifying cultural issues, can enable internal auditors to provide a deeper, more meaningful level of assurance. <br></p><p>Despite the value of these techniques, auditors should keep in mind that, even when performed together, they do not provide sufficient means to support overall conclusions about the organization's culture. Accomplishing that requires a model or framework that identifies the elements of the culture to be evaluated. And some of these elements might require other techniques.<br></p><p>Nonetheless, this multipronged combination should be a central part of the auditors' approach. Even without overall conclusions, internal auditors using these techniques can identify issues in their organization's culture that need to be addressed. 
And ultimately, that is the greatest value organizations derive from an internal audit assessment of culture.<br></p><p><em>Read other articles in this series:</em><br></p><p><a href="/2019/Pages/Auditing-Culture-History-and-Principles.aspx">Auditing Culture: History and Principles</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Bumps-in-the-Road.aspx">Auditing Culture: Bumps in the Road</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Where-to-Begin.aspx">Auditing Culture: Where to Begin</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Observation-and-Data.aspx">Auditing Culture: Observation and Data</a><br></p><p><a href="/2019/Pages/Auditing-Culture-Audit-Project-Surveys.aspx">Auditing Culture: Audit Project Surveys</a><br></p><p><a href="/2020/Pages/Auditing-Culture-Employee-Surveys.aspx">Auditing Culture: Employee Surveys</a><br></p>James Roth0
The Board and Whistleblowershttps://iaonline.theiia.org/2020/Pages/The-Board-and-Whistleblowers.aspxThe Board and Whistleblowers<p>In 2018 the CEO of Barclays, Jes Staley, was castigated by British regulators for trying to unmask a whistleblower who had raised concerns about one of Staley's top lieutenants. Barclays' board clawed back a £500,000 bonus from Staley, and regulators fined him £640,000. Regulators in New York then hit Barclays, itself, with another $15 million penalty.</p><p>The year prior, life sciences company Bio-Rad had to pay nearly $8 million to former general counsel Sanford Wadler after he reported fears of possible bribe payments to government officials in China. The company sacked Wadler, who filed a whistleblower retaliation lawsuit. </p><p>Bio-Rad and Barclays are especially noteworthy because in both cases, the whistleblowers' allegations were later determined to be unfounded. An arbitrary approach to handling whistleblowers is what got those companies into hot water. In our highly regulated, highly litigious, highly transparent world, it always is. Hence the need for rigor — and the need for boards to assure that rigor exists. </p><p>"It's important to set up a process [for addressing whistleblower complaints] in advance because you have to take every one of these issues seriously," says Dotty Hayes, a former CAE at both Intuit and Hewlett-Packard and now chair of the board of directors at First Tech Federal Credit Union in San Jose, Calif., and a board member and audit committee chair at a range of organizations. "You can't do it haphazardly." </p><p>That point is true even if the allegation doesn't seem credible, and even if it's proven wrong, Hayes says. The last thing a board wants is to improvise a response.  </p><h2>Be Disciplined; Be Independent</h2><p>The good news is that truly grave whistleblower reports — allegations so serious that the board should oversee them, and should do so immediately — seem to be rare. 
"In my experience, if you have one or two a year that are significant and require high priority, that's a lot," says David Diamond, former head of internal audit at Lionsgate Entertainment, and now audit committee chair for The Daily Breath, a chain of Pilates studios in Brazil and the U.S. Likewise, Charlotte Valeur, CEO of the Global Governance Group and currently a director on seven boards, says that in 14 years of working in board governance, she has encountered only two instances of whistleblower allegations so serious that only the board could address it. </p><p>Again, so what? Boards don't know the veracity of a whistleblower allegation when the report first arrives. So establishing a consistent, disciplined, objective process to evaluate whistleblower reports is paramount.</p><p>"Independence on boards is key for whistleblowing," Valeur says. "If you don't have independent board members who can deal with it — and <em>will</em> deal with it, truly independently — everybody is at risk. The whistleblower is at risk, and the company is at risk."</p><p>In truth, that triage process is a nuanced tango between board and management. Boards might <em>receive</em> reports, but they should not <em>investigate</em> reports; that duty should go to trained professionals: internal audit, the compliance or legal team, human resources (HR), or even outside counsel. Even in grave scenarios such as allegations of CEO misconduct, the board should oversee that investigations are happening and moving forward — but not <em>participate</em> in the investigation, itself. "The last thing I want to do is be the investigator," Hayes says. </p><p>Conversely, management receives lots of reports, and might even investigate many of them without troubling the board. That's fine, so long as all parties have a clear understanding of which reports <em>should</em> be escalated to the board right away.</p><p>So what should that process look like? Who's involved in the triage? 
Typically a large company will outsource its whistleblower hotline; that is one layer of independence. A whistleblower might be able to select a category of complaint (accounting fraud, employee bullying, discrimination, theft, and so forth), or specialists at the outsourced hotline provider could assign one based on key phrases, issues, or even names the whistleblower includes.</p><p>A critical question is which categories of complaint should automatically go to the board, even if the board then bats the issue right back to audit, legal, or compliance for further action. For example, anything that mentions corporate accounting, compliance violations, or CEO misconduct should go to the board. If the issue involves personal rather than financial misconduct, consideration by a risk or governance committee might be the better option. </p><p>Should the accused be informed of the allegations against him or her? Generally no, although some privacy rules in Europe can make that a complicated question best left to professional investigators. And should a company try to unmask a whistleblower? Almost never: that action is a whisker away from retaliation and violates the spirit of following the facts wherever they lead. ("It's irrelevant," Valeur says of the idea.)</p><p>And regardless of how any specific allegation is investigated, boards still need a process to oversee whistleblower reporting holistically. Valeur, for example, says she wants regular briefings on the total number of reports, the issues they involve, substantiation rates, and so forth. </p><p>"All companies over a certain threshold should have a mature process," Diamond adds. 
"If you don't, in this day and age, you're way behind."</p><h2>Speaking of Substantiation...</h2><p>Boards might also be surprised by this news: whistleblower reports based on secondhand knowledge — that is, information passed along to the whistleblower by someone else, or evidence of misconduct the whistleblower discovers without witnessing the act directly — tend to be more reliable than reports from people with firsthand knowledge. So says research from The George Washington University and the University of Utah, in which academics studied 2 million whistleblower reports filed at more than 1,000 companies from 2004 through 2017. They found that management was 48% more likely to substantiate whistleblower reports based on secondhand information. Those reports were also more likely to concern accounting and business integrity issues, while firsthand reports more often concern HR issues.</p><p>That makes sense when you think about it. People filing firsthand reports are usually claiming that they personally have been wronged in some way, and some portion of those reports will be false, or based on hot-headed judgments that don't hold up under scrutiny.</p><p>Whistleblowers with secondhand information, however, are claiming that something in the company is amiss. You typically wouldn't do that unless you care about the organization; and if you care about the organization, you're probably not involved in the misconduct, so it's more likely you hold only fragments of evidence. In other words, boards should welcome whistleblower reports based on secondhand information, even though that means more investigative spadework to find the truth. </p><p>"Many times the report needs to be ferreted out," Diamond says. "A lot more details need to be derived to understand the full significance of the report."</p><p>True, but investigations are a subject for a different day. 
The importance of establishing a process to oversee whistleblower allegations in an objective, disciplined way and follow the facts where they lead — that advice is irrefutable.</p><p><strong>Matt Kelly</strong></p>