Risk and Compliance



Risk as the Rosetta Stone (https://iaonline.theiia.org/2019/Pages/Risk-as-the-Rosetta-Stone.aspx)<p>Language determines how people share information, invoke emotion in others, or persuade them to action. The words chosen also frame a listener’s perspective on an individual beyond simply that interaction. How people select and use words appropriately in a situation is important.</p><p>With this as a backdrop, it was no surprise that when my business partner referred to “risk as the Rosetta Stone” for business, the concept rang true. The Rosetta Stone, discovered in 1799, allowed people to decipher once-challenging Egyptian hieroglyphics. Having the key to deciphering the message unlocked understanding and knowledge previously unavailable. </p><p>Using the language of risk offers a similar master decoding structure — in this case, for businesses to leverage for greater understanding. Business demands as varied as resource allocation and product innovation will benefit from the use of a shared risk language that enables the organization to build from a common baseline. Leveraging a common organizational language can increase the organization’s efficiency and heighten value delivery. For auditors, leveraging components of a shared language can not only increase message clarity and enable more effective communications with business partners, but also enhance the understanding and outcomes of audits, projects, and advisory engagements.</p><h2>The Language of Risk</h2><p>Much as a language is made of key components such as vocabulary (shared definition of words and terms), syntax (arranging words in a sentence for meaning), and pragmatic rules for situational use, the language of risk is made of standard components. Ensuring these components are designed, shared, and understood across the organization supports effective communications and decision-making. 
Internal auditors should consider how these key risk components are structured in their organization and whether modifications or increased awareness might further enable their use as a common language for the business.</p><p><strong>Taxonomies</strong> (<em>a common vocabulary</em>) The core of any common language leverages a shared baseline. In risk-speak, this baseline is a taxonomy, naming standard, or universe definition. The risk universe or other classification structure provides a consistent lens to assess operational activities, monitor and compare effectiveness, and frame the scope of project or risk remediation efforts. A defined taxonomy also allows for a common aggregated reporting structure. This structure enables effective business decision-making because there is consistency in comparing and contrasting information over time and across organizational functions.</p><p><strong>Measurements/Ratings</strong> (<em>a common vocabulary and a guide on syntax and structure</em>) Prioritization is difficult to define or agree upon without a standard rating scale by which to assess risk. Various functions and teams in an organization often share a scale for rating common risk variables — impact and likelihood. Similarly, internal audit usually defines a rating or prioritization scale for findings and reporting. Other teams, such as enterprise risk or security, also may use rating structures, which may be similar or quite different from others in use. To be able to prioritize and understand risk organizationwide, common scales must be used. When a scale includes metrics that apply cross-functionally — such as financial, operational, regulatory, client, or reputational — it can be better applied and leveraged across functions. 
For example:</p><ul><li>Apply scale levels to project prioritization based on potential savings or projected revenue increases, or based on customer or marketing impact.</li><li>Apply scale levels to measuring impact and likelihood of audit findings, helping to prioritize resource allocation for remediation efforts.</li><li>Apply scale levels to assessing product opportunities for financial impact, client satisfaction increases, or operational challenge points, aiding in prioritizing focus on go-to-market efforts.</li></ul><p><br><strong>Risk Response/Appetite </strong>(<em>pragmatic rules</em>) Within an enterprise risk management program, the risk response standard, rules, or matrix guide the norms expected for identified risks. The response standards define when a risk is acceptable within organizational parameters, when action is required, or when a risk is out of bounds but acceptable for monitoring for an interim period. This structure can be applied beyond the risk function to identify points for escalating concerns, engaging management approvals, or prioritizing operational activities.<br></p><h2>Business Value of a Shared Language</h2><p>Leveraging components of the risk language as a Rosetta Stone of understanding can quickly provide value to an organization. Focusing on some key components can enhance communication and improve business functions.<br></p><p><strong>Common Language Enhances Communications</strong> Use of a common vocabulary in cross-functional or global communications can ensure the messages reflect a consistent structure and clearly defined operational focus of the organization. The vocabulary should comprise agreed-upon top business risks, common naming, and classification of operational units.<br></p><p><strong>Shared Understanding Improves Efficiencies and Culture</strong> Consistent prioritization processes based on a defined measurement scale can increase understanding and alignment among different teams or operational units. 
While this doesn’t necessarily mean a shared agreement is always expected, a shared understanding of the “why” and comfort in consistent prioritization efforts may increase the effectiveness of communications and enhance corporate culture.</p><p><strong>Translating Details to Themes Speeds Decision-making</strong> Use of a defined risk universe structure in operational functions can provide for aggregation of repeated, consistent individual concern points. Use of the standard universe enables comparison across locations or teams and roll-up of reporting and assessments in a framework that is expected and understood by executive management. Enhanced understanding through a common framework can shorten decision-making cycles and produce solutions faster.</p><p><strong>Agreed-upon Prioritization for Resources Enables Quick Time to Value</strong> Having standards in place for measurement, response, and escalation can level the playing field, and drive consistent and intentional decision-making for allocating the organization’s resources.</p><h2>Be a Translator</h2><p>In their role as partners across the organization, internal auditors can promote the common communication and benefits associated with a shared risk language. As audit team members interact with stakeholders and partners, they should share their language with the organization with an eye on promoting understanding, improving efficiencies, and enabling the business.</p>Melissa Ryan
The Rise of Political Risk (https://iaonline.theiia.org/2019/Pages/The-Rise-of-Political-Risk.aspx)<p>It hasn’t been a good year for Chinese tech giant Huawei. Last winter, the U.S. asked Canada to arrest the company’s chief financial officer, Meng Wanzhou, on fraud charges linked to alleged violations of U.S. sanctions on Iran. By mid-May the U.K. government was embroiled in a fight about whether to allow the firm to be involved in developing the next generation of communications networks. Meanwhile, customers were starting to avoid Huawei’s products after hearing that Google would no longer allow them to update some Android products, citing U.S. sanctions. The impacts are clear for Huawei, but many other firms were left asking what repercussions it could have on their contracts, markets, customers, and business decisions. How would China retaliate? What other businesses could be caught in the crossfire?</p><p>This is just one example of the questions that arise when even a small part of a business is caught up in a revolution or exposed to economic crises, coup d’états, interstate trade disputes, economic sanctions, or diplomatic clashes. Such risks ebb and flow with the diplomatic tide; however, as businesses become more dependent on international markets and extended supply chains, they are more exposed to political risks. </p><p>Risk management specialist Marsh, for example, highlighted a period of “unprecedented uncertainty” in its Political Risk Map 2019, citing a rise in geopolitical tensions (namely, Russia against the rest of the world) and protectionist sentiments (namely, the U.S. against the rest of the world). </p><p>Although companies with multinational operations or overseas supply chains have always had to review their exposure to political risks, most U.K.-focused businesses have added the topic to their risk registers only in the past few years. “Up until the election of Donald Trump in the U.S. 
and the vote for Brexit in the U.K., political risk was always something that companies in other countries had to think about,” says Michael Moore, director general at British Private Equity and Venture Capital Association, former Liberal Democrat Member of Parliament, and the Secretary of State for Scotland who helped prepare for the 2014 Scottish independence referendum. “It never even registered that U.K. companies would need to consider their home country as being politically risky.” </p><p>Worse still, he says, companies have been slow to react. Although Brexit has been a major political and corporate issue for the past three years, Moore says that most U.K. companies have not made any significant preparations for the country leaving the European Union. “Most organizations have still done very little to prepare for Brexit, despite knowing that the worst-case scenario of a ‘no deal’ option is very much on the table,” he says. “It appears that businesses want more certainty about what the outcome is going to be, which rather flies in the face of planning for political risk.” The U.K. has called for a general election on Dec. 12, 2019, and the EU has agreed to extend the Brexit deadline to Jan. 31, 2020. </p><p>Brexit is, of course, just one of many political risks on the global map. Whether organizations are exposed to the fallout from a U.S. trade war with China or increased sanctions on Iran or North Korea, or are more worried about political instability in Venezuela, Russia’s intentions in Ukraine, Chinese military strength in the South China Sea, war in Yemen, or the ever-present threat of terrorism worldwide, none of the current global political risks is likely to disappear soon — organizations need to know they can react rapidly to changing circumstances. 
Internal auditors should be able to provide assurance on this area and feature political risks in their audit plans.</p><h2>Rapid Response</h2><p>Ian Stone, CEO and founder of business advisory company Vuealta, says that he expects political uncertainty to remain one of the biggest challenges facing decision-makers for the next five years. He warns against trying to “predict the future.” Instead, he advises them to focus on being fluid.</p><p>“Organizations should be prepared for every scenario — worst, best, and everything in between,” he says. “Successful businesses can then choose their course based on the information they have and use the latest technology to test ‘what-if’ scenarios against those plans to cover all bases.”</p><p>He adds that it is possible to react quickly to changing circumstances only if all the parts of the business think the same way and are aware of what they need to do in any given situation. “Planning can be vital in responding to an unpredictable political situation,” he says. “No matter how big the organization, if all departments — from sales and finance to marketing and the supply chain — are not connected, they will never keep pace with rapidly changing and volatile international markets. When one area of the business changes, the effects ripple across the whole company.”</p><p>Business continuity is an obvious priority for those already accustomed to operating in a volatile political environment, so internal audit should review continuity plans regularly. Tom Tahany, an intelligence analyst at security firm Blackstone Consultancy, says it is vital to ensure all threats and risks that could interrupt the business’ output are identified, and plans are up to date and effective. 
“You may need to prioritize the resilience of key functions so that these can continue, while business areas that are less immediately crucial are brought back online when possible,” he says.</p><p>Conversely, companies with subcontractors or suppliers abroad, but with no direct presence overseas, also need to understand how their supply chains and customers could be affected by events outside of their control. It’s generally wise not to rely too heavily on a small group of suppliers and to ensure they are not all in the same political region or subject to the same political forces. It’s also important to keep monitoring changing circumstances and to think broadly about how political developments in one place could potentially have effects elsewhere.</p><p>“You cannot prepare for every possible eventuality and plan a response for every minutia in a crisis,” Tahany says. “In some ways this is a good thing. It allows companies a degree of flexibility in planning responses. However, you may need evacuation plans of varying magnitudes and secondary and tertiary options to help staff in different countries in the event of a crisis. It is important that companies are prepared for anything, rather than everything.”</p><h2>Reliable Sources</h2><p>A key problem with political risk is that it can be difficult to get reliable, timely, and accurate information, especially if events unfold quickly — for example, in a government coup, revolution, riot, civil unrest, or an invasion. 
Another problem is how to quantify the impacts of these risks and assess what contingencies need to be taken and when.</p><p>If asked to provide assurance about operations in another country or region, internal auditors may find it helpful to talk to employees based there and look at risk indicators published by international bodies and nongovernmental organizations, such as Freedom House, the International Monetary Fund, Transparency International, and the World Bank, whose opinions may provide a base layer for measuring risk. However, Pornprom Karnchanachari, a partner at Thailand-based law firm Legal Advisory Council, warns that some “on the ground” views can be skewed by poor reporting, inaccurate commentary, and information sources that cannot easily be challenged or verified. When Thailand experienced a coup in 2014, social media and news coverage helped to spread misconceptions of the political situation, making it seem extremely risky. However, the on-the-ground situation was quite different, he says. Foreign companies were not affected by the political changes, and business continued as usual under the existing legislation while political stability was restored. So, for example, he says, social media “should be taken with a pinch of salt.”</p><p>More reliable sources of information include embassies, which “can offer a basic, but generic, overview,” and local and foreign chambers of commerce, Karnchanachari says. But the best source is foreign companies that have been on the ground for some time, as they will have a government affairs team that can share useful insights.</p><p>“It is only by arming the business with various viewpoints and understanding the history, culture, and unique situation in each country that a business can build a robust understanding and approach to political risk exposure,” he says. However, sometimes you need to act swiftly. 
</p><p>Ben Abbouddi, global threat analyst at travel and health-care risk management firm Healix International, says companies should always consider the worst-case scenario. A risk matrix that places the likelihood of a risk against its impact can help highlight the most significant risks and those that would require the most time and resources to manage. It may also help to eliminate political “red herrings” that attract media attention, but do not have a significant impact. </p><p>Internal audit can play a significant part in evaluating the level of risk and can offer an objective view if there are clashes of opinion. For instance, project managers working in some regions may find themselves at odds with risk managers at the headquarters office. Their perception of local risk may be very different, and their incentives could make them anxious to pursue contracts or business that, correctly or incorrectly, are seen to be high risk.</p><h2>Level-headed Assurance</h2><p>Jack Darbyshire, manager at De-Risk, a strategic risk management planning firm, says internal audit teams can assess whether risk managers are being too cautious about particular regions. “Uncertain times can make risk managers focus on risks that will probably never happen,” he says. “Risk management is a negative concept, and many traditional risk management teams think so negatively that they end up worrying about extremely unlikely scenarios. This may make project managers reluctant to share communication with the team.”</p><p>This is another reason why accurate, timely, and trustworthy information is vital. Organizations could lose far more than they gain by failing to do profitable business, implementing emergency plans unnecessarily, and removing staff or closing operations, only to find that the crisis blows over. Internal auditors should assess the quality and quantity of information available to management while it makes such difficult decisions. 
Internal auditors also could consider whether there are other sources of assurance available.</p><h2>Look for Opportunity</h2><p>A political crisis may also bring opportunities. Paul McIntosh, CEO of Bridgehead Agency, points out that it is equally important that organizations consider potential advantages associated with volatility. “Companies need to look for the advantages that a change in political circumstances might afford, and not just think about the risks,” he says.</p><p>Brexit is a case in point. “No matter what kind of deal — if any — the U.K. gets, the E.U. and the U.K. are likely to remain major markets, and companies want to continue to do business in both,” McIntosh says. “If there is more paperwork in the future, it will add to costs, but this is usually not as difficult or as expensive as some think. Whichever way you look at it, Brexit will create opportunities — possibly not as many as staying in a single market — but companies need to explore these and exploit them.”</p><p><em>A version of this article first appeared in the July/August 2019 issue of Audit & Risk, the magazine of the Chartered Institute of Internal Auditors. Adapted with permission.</em></p>Neil Hodge
Climate Risk Assurance (https://iaonline.theiia.org/2019/Pages/Climate-Risk-Assurance.aspx)<p>An article published earlier this year in <em>The Wall Street Journal</em> highlighted investor concern about the impacts of climate change, citing “a record of 75 or more climate-related shareholder proposals” expected at annual company meetings. DuPont investors, for example, proposed disclosure of the company’s risks from expansion of its operations in hurricane-prone areas, and nearly 30% of Starbucks shareholders voted for disclosing the coffee giant’s recycling plans. In addition, more and more institutional shareholders are backing the Sustainability Accounting Standards Board’s standards for corporate sustainability, aimed at helping publicly listed companies disclose environmentally relevant information to investors. Internal auditors, and the organizations they serve, should take note of these developments — particularly in businesses where such concerns may not currently be a priority.</p><p>Within the financial industry, climate risk is not always on the agenda. For example, financial companies, and their internal audit functions, may neglect to consider the credit evaluation risks associated with lending money to companies susceptible to climate-related events. In doing so, lenders overlook impacts that could severely disrupt the borrowing companies’ operations, and possibly hinder their repayment abilities. Even if it’s discussed, resulting impacts to the company’s credit risk rating may not be sufficiently accounted for when calculating the borrower’s credit rating.</p><p>By contrast, insurance companies are at the forefront of addressing climate-related risk. Policy calculations, for example, factor in threats to homes and businesses in wildfire-prone areas and flood risk to regions susceptible to hurricanes. Financial institutions, however, typically do not include such considerations when calculating the impact of risk to capital. 
And even if bank leaders do incorporate climate-related impact in their credit risk analyses, there is no real metric in place for that risk. </p><p>As independent assessors of risk, internal auditors could raise the issue of climate change risk with senior management, and even consider it as a point of concern when challenging the organization’s current risk management framework. Internal audit has the opportunity to create value, facilitate improvement, and execute its mission of providing independent assurance over the effectiveness of risk management. From envisioning the impact of climate-related risk on the bank’s daily operations to the impacts on clients’ operations and ability to perform against their credit risk, auditors can place themselves at the forefront of an important debate. </p><p>The financial industry, with the help of its internal audit practitioners, could get ahead of the curve by promoting a broad discussion about how to consider, monitor, and report climate change risk. If past crises taught us anything, reacting to stressed scenarios is arguably more expensive and takes longer to recover from than acting preventively. Let’s start the debate — the sooner the better.</p>Luciano Raus
U.S. Companies Score Low on Governance (https://iaonline.theiia.org/2019/Pages/US-Companies-Score-Low-on-Governance.aspx)<p>Amidst another season of corporate scandals, it's not surprising that U.S. companies are getting low grades on their governance report cards. A new index gives U.S. publicly listed companies an overall grade of C+, with 1 in 10 companies surveyed earning an F for corporate governance.</p><p>The IIA and the University of Tennessee's Neel Corporate Governance Center in Knoxville unveiled the <a href="http://www.theiia.org/ACGI">American Corporate Governance Index</a> (ACGI) this week at press events in New York and Washington, D.C., where speakers discussed the problems it identifies and how internal audit could help companies address them. Based on an anonymous survey of chief audit executives (CAEs), the index grades companies around eight of the <a href="/2019/Pages/A-New-Tool-for-Directors.aspx">Guiding Principles of Corporate Governance</a> (see "The Making of the Index" below), also released this week.</p><h2>Beyond the Boardroom</h2><p>Although responsibility for corporate governance begins in the boardroom, "governance is so much bigger than what's going on at the board level," said Terry Neal, director of the Neel Corporate Governance Center, at the Washington event. This is where internal audit, with its enterprisewide perspective, could help companies improve their grades, he said.</p><p>Take the issue of board performance assessments, for example. Principle 8 calls for boards to regularly evaluate "the full system" of corporate governance, yet responding companies received a C- grade — the overall worst grade — with most saying their company didn't formally monitor governance. 
One takeaway from interviews with CAEs in preparation for the survey is "a lot of CAEs are not doing this, but they are positioned to do it," Neal said.</p><p>But the index indicates that boards have problems of their own. Next to assessing corporate governance, the lowest grade (C) was for Principle 4, where CAEs said organizations were more focused on short-term issues rather than sustainable performance. Contributing to short-term thinking, CAEs say one-third of directors would not challenge the opinions of the CEO, and they gave boards a D grade for questioning whether they were receiving accurate and complete information from management.<br></p><h2>Board Care and Maintenance</h2><p>Christa Steele, a former CEO who serves on several boards, said good dialogue between directors and the CEO is key to a well-functioning board. "If directors are not talking to the CEO in board meetings, they should have those conversations offline," she said in Washington.</p><p>Steele noted it is difficult for boards to capture all the information about technology innovations, new market entrants, and other disruptive risks in what she calls "unprecedented times." Ahead of board meetings, she said she received a staggering 500 to 1,000 pages of information. "Now more than ever, we need to look at the information and scrub it to make sure we get the right information," she said. "But you can have information overload."</p><p>Understanding new risks is one reason "why board refreshment is so important now," she said, because boards often lack the knowledge to provide oversight in an era of greater transparency caused by social media. Although there have been calls for boards to add more specialized expertise — in technology, for example — she says there's a trade-off. "Do you want the technical expert or do you want someone who can ask the right questions?" 
she asked.</p><p>Board members like Steele increasingly want more insight into how the company is governed, even several levels of management down. That's the information that boards aren't seeing, Neal said. It's also where the ACGI finds some disconnects.<br></p><h2>Areas of Disconnect</h2><p>Principle 5 covers corporate culture, and CAEs gave boards and CEOs a high grade (A-) for setting a strong tone at the top. But CAEs say the board doesn't discuss culture much and that tone isn't communicated well across all levels of the company.</p><p>Fraud reporting is another example. In an era ripe with corporate scandals, CAEs gave their organizations high marks for following up on reports of wrongdoing and ensuring the company doesn't retaliate against employees who speak up. Yet, CAEs say employees aren't familiar with how to report violations. "When there's an event that occurs, you'll see a spike in reports," said Julie Scammahorn, senior vice president and chief auditor at Wells Fargo in New York.</p><p>These disconnects are becoming a greater issue with the rising emphasis on environmental, social, and governance (ESG), an area where companies received a C grade. The ACGI survey was conducted just before the Business Roundtable issued its revised <a href="https://www.businessroundtable.org/business-roundtable-redefines-the-purpose-of-a-corporation-to-promote-an-economy-that-serves-all-americans">Statement on the Purpose of a Corporation</a> in August, in which prominent U.S. CEOs committed to benefiting stakeholders such as customers, employees, suppliers, and communities, in addition to shareholders.<br></p><h2>Auditing Governance</h2><p>While internal audit could be positioned to help boards look at risks deeper down in companies, assessing corporate governance is still a new area for many audit functions. 
Less than one-fourth of companies evaluate corporate governance annually, and when they do, it goes through the legal function, said Lauren Cunningham, assistant professor and director of research at the Neel Corporate Governance Center. "If legal does it, it's a check-the-box mentality," she said.</p><p>But more internal audit functions are taking on these assessments, Scammahorn observed. "I'm seeing more auditors taking deep dives into the information the board receives to make sure it is accurate and complete," she said. </p><p>Governance audits at the board level should be done by senior audit staff, such as the CAE's direct reports, Scammahorn advised. But they can make a big difference. "If you don't have a formal assessment, there aren't many boards that don't think they're doing a good job," Scammahorn says. "When you put a formal assessment in front of them, they see they have work to do."</p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p><strong>The Making of the Index</strong></p><p>The IIA and the Neel Corporate Governance Center developed the ACGI based on eight of the Guiding Principles of Corporate Governance. In turn, the two organizations compiled those principles from guidance and principles from organizations such as the Business Roundtable, National Association of Corporate Directors, and New York Stock Exchange. </p><p>In preparation for the survey, researchers interviewed prominent CAEs about the principles and their observations of governance practices. They then surveyed 128 CAEs from U.S. companies of various sizes from a wide range of industries. Researchers evaluated these responses and assigned a score and letter grade for each of the principles, as well as elements within those principles. 
Because responses to the survey were anonymous, the ACGI does not provide grades for individual companies.</p><p><em>Principle 1</em> — Effective corporate governance requires regular and constructive interaction among key stakeholders, the board, management, internal audit, legal counsel, and external audit and other advisors. <span style="font-size:12px;">Grade: C+</span></p><p><em>Principle 2</em> — The board should ensure that key stakeholders are identified and, where appropriate, stakeholder feedback is regularly solicited to evaluate whether corporate policies meet key stakeholders' needs and expectations. <span style="font-size:12px;">Grade: B-</span></p><p><em>Principle 3</em> — Board members should act in the best interest of the company and the shareholders while balancing the interests of other key external and internal stakeholders. <span style="font-size:12px;">Grade: B-</span></p><p><em>Principle 4</em> — The board should ensure that the company maintains a sustainable strategy focused on long-term performance and value. <span style="font-size:12px;">Grade: C</span></p><p><em>Principle 5</em> — The board should ensure that the culture of the company is healthy, regularly monitor and evaluate the company's core culture and values, assess the integrity and ethics of senior management and, as needed, intervene to correct misaligned corporate objectives and culture. <span style="font-size:12px;">Grade: B-</span></p><p><em>Principle 6</em> — The board should ensure that structures and practices exist and are well-governed so that it receives timely, complete, relevant, accurate, and reliable information to perform its oversight effectively. <span style="font-size:12px;">Grade: C+</span></p><p><em>Principle 7</em> — The board should ensure corporate disclosures are consistently transparent and accurate, and in compliance with legal requirements, regulatory expectations, and ethical norms. 
<span style="font-size:12px;">Grade: B</span></p><p><em>Principle 8</em> — Companies should be purposeful and transparent in choosing and describing their key policies and procedures related to corporate governance to allow key stakeholders an opportunity to evaluate whether the chosen policies and procedures are optimal for the specific company. <span style="font-size:12px;">Grade: C-</span></p></td></tr></tbody></table>Tim McCollum
Risks in Viewhttps://iaonline.theiia.org/2019/Pages/Risks-in-View.aspxRisks in View<p>Over the past several decades, the spotlight on corporate governance has intensified as organizations realize the criticality of managing risk and making well-informed, strategic decisions. But despite widespread adoption and implementation of corporate governance models, the health of corporate governance isn’t where it should be, according to a recent study from The IIA. <a href="https://na.theiia.org/periodicals/OnRisk/Pages/default.aspx" target="_blank">OnRisk 2020: A Guide to Understanding, Aligning, and Optimizing Risk</a> investigates how far the three main pillars of corporate governance — executive management, the board, and internal audit — are aligned when it comes to understanding and managing risk. The report uncovers a pervasive lack of communication and coordination among those groups in key risk areas organizations are likely to face in 2020 and beyond (see “Key Findings” below right).</p><p>Boards were found to be more confident than executive management that their businesses are capable of addressing threats in nearly every one of the 11 risks examined. Moreover, internal audit and the board share similar views on their organizations’ level of risk management maturity, generally rating those capabilities higher than executive management in most areas. And while the findings highlight a troubling disconnect among the three groups surveyed, they also point to opportunities for internal auditors to help bridge knowledge gaps among the organization’s key decision-makers.</p><h2>Lack of Alignment</h2><p>Worryingly, most businesses lack alignment around the knowledge and capabilities needed to address risk. Jim Pelletier, The IIA’s vice president, Professional Standards and Knowledge, says that finding should be ringing alarm bells across corporate America. 
Given that the C-suite is responsible for the day-to-day management of risk and for setting a strategy to cope with those threats, their consistently more pessimistic view of their organization’s capacity to do so effectively is likely to be in touch with the realities on the ground. </p><p>“What the report really points out is that internal audit is not playing the critical role it ought to play,” Pelletier says. “Boards should, of course, rely heavily on management, but relying on management alone is incomplete. Boards need to turn to a source independent from management — internal audit — for assurance that the information they are receiving is complete, accurate, and reliable.” While failure to do so could indicate lack of maturity of the internal audit function’s role — the survey found one-third of organizations have no systematic approach to risk management — it also suggests the benefits an independent audit function can bring are not understood by the board. </p><p>While IIA surveys confirm that most internal audit functions report administratively to the audit committee, the reality, according to Pelletier, is that many audit committees are shirking their oversight responsibilities and pushing internal audit down in the organization. Boards that allow this to happen, he adds, are missing the critical perspective that a correctly placed, well-resourced audit function can provide. 
</p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>Key Findings</strong></p><p>The OnRisk 2020 report identifies seven key findings that provide insight on respondents’ understanding of risk and their perceptions of how those risks are managed:</p><ul><li>Boards are overconfident because they consistently view the organization’s capability to manage risks higher than executive management.</li><li>Boards generally perceive higher levels of maturity in risk management practices than executive management and chief audit executives. </li><li>“Acceptable misalignment” on risk is a prevalent and dangerous mindset, with some respondents describing such misalignment as “healthy.”</li><li>Some industries are lagging in adopting systematic approaches to risk — particularly in the health-care, retail/wholesale, and public sectors.</li><li>Cybersecurity, data, and new technologies represent critical knowledge deficits. </li><li>Data and new technologies, data ethics, and sustainability risks are expected to grow in relevance. </li><li>Talent management and retention is at the center of future concerns, with the inability to attract and retain business-critical skills emerging as a key risk.</li></ul></td></tr></tbody></table><p>“When the board is clear that it wants a strong, independent internal audit function that can look across the organization and ensure it is getting all of the information it needs for good decision-making, it won’t get that from an audit function that is simply there to take care of complying with the requirements of the U.S. Sarbanes-Oxley Act of 2002,” Pelletier says. 
“Boards are missing out on the opportunity to leverage internal audit as a tool to help them become stronger.”</p><h2>Risk Governance</h2><p>Many survey respondents played down the significance of a misalignment in understanding risk among the three groups — often saying it was a healthy state of affairs. The respondents’ ratings of their personal knowledge of each risk were, in fact, closely aligned. But in many areas, their reported understanding of how well the organization could manage risk varied widely. </p><p>“I believe it is healthy to look at something through different lenses and assess risk through those different lenses,” says Mark Carawan, chief compliance officer and former chief auditor at Citigroup in New York. Geography, product sets, and legal entities, for instance, can all provide useful constructs through which to consider risk. “But if it is real misalignment, that points to a lack of a proper risk governance framework, common risk taxonomies, a well-articulated risk appetite, and agreed and consistently applied key risk indicators — so you can identify, measure, monitor, report, and control risks in a way that everyone understands,” he says.</p><p>Carawan adds that without an effective risk management framework, clear communication among the three groups surveyed is impossible. CAEs can readily assess the state of their organizations’ risk governance framework and its relation to the articulation and measurement of risk through an audit. But the task of understanding how well the whole gamut of risks the business faces is linked to a well-articulated risk appetite is problematic — the world’s business landscape is dynamic and complex, producing new risks regularly. 
Audit reports must articulate whether the business is on track to meet its strategic goals within the risk appetite.</p><p>“That is one of the tough things for an auditor to achieve, because what one does is very focused on the tactical execution of different audit procedures and on producing an audit report,” Carawan says. “The output of the audit doesn’t have anywhere near the impact that it should if it is not linked to the outcome for the organization, the client, and the success of the firm and how it manages risk — particularly in stress scenarios.” Even in audit planning, internal auditors need to make sure they are looking at key risks rather than at the key processes — strategic issues, not tactical ones.</p><p>For instance, OnRisk 2020 identifies regulatory change as one of the areas of greatest misalignment in terms of perceived organizational risk management capacity. Only one-third of C-suite respondents feel confident they are doing well in this area, whereas two-thirds of CAEs rate their capability as good. </p><p>“The volume of regulatory change can present challenges for many organizations,” Carawan says. “But it’s critical to make sure that it is well-monitored, measured, and reported. In many cases, this is a significant risk area that has been underexplored by the third line of defense.” Boards should have available for review an inventory of regulations mapped onto the organization’s processes and controls, as well as clear metrics for the rate of regulatory change, he says. While government officials announce planned new legislation well in advance, such as Europe’s General Data Protection Regulation (GDPR), the detailed requirements may only appear near, or even after, the legislation actually goes into effect. 
That means key risk areas likely have not been identified and are not subject to adequate, timely risk management oversight and control — unless the CAE strives to stay on top of regulatory developments.</p><h2>Persistently Behind</h2><p>CAEs surveyed by The IIA predict that, by 2024, the top three most relevant risk areas will be technological (see “Present and Future Risks” below right). It cites data and new technology, and data ethics, as the fastest rising risks — leaping 18 and 15 percentage points, respectively, in the next five years. “Technology and digital innovation are evolving at a rapid pace — much faster than ever before,” says Christa Steele, a California-based board director on both New York Stock Exchange listed companies and privately owned businesses. “This is a game changer for tried and true business models — it is no longer business as usual. A lot of boardrooms are not current on the pace of industry change, and the same can be said about some C-suites. Yet, all industries are being disrupted.”</p><p>In many sectors, competition and technology are changing so quickly that boards simply do not understand what questions to ask, Steele says. The report says this knowledge gap stems in part from a lack of board education, as well as insufficient communication among the three groups surveyed. </p><p>“One thing that would be highly valuable for the board to ask the CAE in executive session is to give an overview of his or her thoughts on what the risks look like in the company,” she says. “The CAE has the best visibility with the largest number of boots on the ground to surveil risk. 
I think the CAE is underutilized right now.” Now that she is working as a board member, Steele adds, she has a greater appreciation for what a pivotal role the CAE can play — not just in overseeing and communicating on risk, but in setting up educational sessions with the board to talk about the wider risk landscape and to use recent news headlines involving poor company decision-making that might provide useful lessons. But her enthusiasm is tempered by a caveat.</p><p> <img src="/2019/PublishingImages/Piper-Present-Future.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:445px;height:355px;" />“The CAE needs to have a shift in mindset, which is to move away from just reporting past findings and, instead, interpret, predict, and prevent risk,” she says. “If we can get that mindset at the CAE level, at the C-suite level, and at the board level, then we create better alignment.”</p><p>For its part, the board also has to step up and make sure the CAE and internal audit have the right people and budget dollars allocated to innovation and the transitional risk oversight caused by new innovation in the business. She agrees with Pelletier that too many boards — and specifically audit committees — are heavily driven by Sarbanes-Oxley in the way they use the internal audit function. To broaden board thinking, Steele says board members need to get educated on the uses of artificial intelligence, data aggregation, predictive analytics, and blockchain and to understand how these technologies impact their company business models. Only then can board oversight encompass the right kind of key performance indicators and key risk indicators. </p><p>“I’ve spent a significant amount of time in Silicon Valley working with early- to late-stage startups across a variety of industries,” she says. “This time in my life has forever changed how I think with regard to business operations and digital disruption — I encourage the C-suite, the CAE, and the board to do the same. 
Communication and transparency are key. Better communication comes from better education and dialogue.”</p><h2>Technology Risk</h2><p>Cybersecurity ranks as the most relevant risk to tackle by all groups both now and in the future, according to the report. Yet while cyber breaches are a prevalent reality in business life, the threat is as old as the internet itself — so why do businesses say they find it so hard to deal with? The OnRisk survey suggests that, due to a lack of knowledge within the internal audit team, some CAEs rely too much on assurance from the chief information security officer that controls around cyber risk are sound. It is an explanation that Dominique Vincenti, global head of internal audit–chief audit executive at Uber in San Francisco does not accept.</p><p>“Knowing what to do in this field has been understood for years,” she says. “CAEs are well-equipped with lots of robust frameworks — such as the [U.S. National Institute of Standards and Technology (NIST)] Cybersecurity Framework and the Sender Policy Framework for email — to help them ask the right questions. It is the topic most written about with the most guidance available, so there is really no excuse. That’s why I call it negligence.”</p><p>Cyber-risk expertise should be no less difficult to understand than legal risk, for Vincenti, because she does not see it as the CAE’s job to be a subject-matter expert in anything other than risk management. As risks evolve and become more complex, it is up to the CAE to continually restructure his or her team with the right skills and expertise needed. 
For the CAE, she says, the question should be, “Am I building the team I need to do the job in today’s context?” Addressing the talent management issue identified by the survey requires internal audit leaders to think more laterally about the staff they hire.</p><p>Like Steele, Vincenti says the crux of the problem is that many boards, C-suite executives, and CAEs have not caught up with the fundamental structural change digitalization implies — especially in areas such as third-party risk where problems need to be reframed. “For me, when people talk about third-party risks, it shows me that they are already 10 years in the past,” she says. “We are not dealing with third parties anymore — we are working in ecosystems and on platforms where we are interconnected and interdependent. The problem is we are often employing old tools to deal with these new constructs, which makes it very difficult to manage today’s risks effectively.” </p><p>She accepts it is not always easy to get such messages across and has had personal experience failing to convince boards and C-suites to act on emerging issues in previous roles. In one organization, she repeatedly told management that it needed to care more about data privacy and was repeatedly ignored. Later, when preparing for GDPR, the company found its data privacy processes to be relatively poor. She jokes that she felt like the ancient Greek seer Cassandra who warned the Trojans not to accept the gift of a giant wooden horse — it was secretly packed with heavily armed Greek warriors — because it would lead to the sacking of the city of Troy. But she sees providing foresight as a critical role for internal audit to play and devotes one-third of every executive meeting to emerging issues — often repeating the same material if she thinks inadequate action has been taken.</p><h2>Time to Act</h2><p>The world may have changed radically over the last few decades, but the need for effective risk management has not. 
If the corporate governance model is to work well, CAEs need to play their part more effectively. They not only need to understand today’s business environment, build the right audit teams, and use cutting-edge tools to deal with complex and interconnected risks, but they also must be outspoken and resilient enough to press their organizations to act on the emerging threats on the horizon. </p><p>While there is work to do, the paths that each of the three groups surveyed in the report must follow are relatively clear, according to those interviewed. Communication on risk must be clear and unambiguous, underpinned by an effective risk governance framework. The C-suite needs to bring the CAE’s team in early on key strategic issues. The board needs to make sure the internal audit function is well-resourced to deal with strategic risks and innovation, rather than relegating the department to play only a compliance role. Perhaps many people in corporate America already thought the way business leaders communicate and act on risk within their organizations was out of kilter. The OnRisk 2020 survey provides the objective evidence that such misalignment on risk is real. It is time to act on that knowledge. </p>Arthur Piper
Recession Resilienthttps://iaonline.theiia.org/2019/Pages/Recession-Resilient.aspxRecession Resilient<h2>How do boards evaluate the risk and potential impact of a recession — and how can internal audit help? </h2><p><img src="/2019/PublishingImages/dotty-hayes.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />I do my own environmental scanning such as staying current with news sources and updates from professional organizations. I also look for management’s viewpoint on the economy and risks to the business, specifically. In budgeting or forecasting discussions, I expect a dialogue on the range of potential outcomes and am attuned to the risk attitude taken by management. Are they barreling ahead without regard to what is happening in the world? Are they afraid of the dark? Neither extreme is good. In particular, I look for ways in which business plans provide optionality — the quality of being chosen but not obligatory — and escape hatches to increase resilience in the face of uncertainty.</p><p>Internal audit also should be doing environmental scanning as part of its risk assessment processes. As auditors are on the ground with local management teams and having discussions deep within the organization, they may pick up signals before they make their way up the management chain. Developing a process for collecting and communicating this information in a way that is helpful to senior management, but doesn’t leave local management feeling exposed, is critical to success.</p><h2>What should boards be looking at to ensure that the organization is prepared for an economic downturn? </h2><p>As much as possible, make sure the key performance indicators (KPIs) reported to the board are forward-looking. This is harder than it sounds, and will be different for each company, but this should be a focus in the boardroom. It also is helpful to understand the historic patterns behind these KPIs to provide context for analysis. 
Understand how management, as much as possible, is building resilience and flexibility into the company's operations.</p>Staff
Confronting Climate Changehttps://iaonline.theiia.org/2019/Pages/Confronting-Climate-Change.aspxConfronting Climate Change<p>The adverse impacts of rising global temperatures and extreme weather conditions are becoming a front-line risk for businesses. A 2015 Economist Intelligence Unit study estimated that the value of global manageable assets at risk due to climate change could be as much as $4.2 trillion between now and 2100 in discounted, present-value terms. That is roughly on par with the total value of all the world’s listed oil and gas companies. Meanwhile, increased regulation to confront climate change is gaining momentum around the world.</p><p>These trends are leading boards and executives to realize that today’s climate-related decisions may dramatically impact their organizations in the future. Leaders are recognizing that the magnitude of climate change risks warrants a collective action as their impacts are widespread and not just a future threat. As a result, organizations may incur increased production costs, decreased demand, and delayed delivery of goods and services to their customers. </p><p>The growing stakeholder concern about climate change risks is creating demand for climate-competent auditors to help analyze the threats and recommend remedies. Such practitioners can help their organization address financial, process, and governance implications. Through a multipronged approach encompassing both strategic and tactical activities, internal audit can assist organizations in confronting climate change risks. </p><h2>Being Climate-competent</h2><p>Today, audit stakeholders are seeking answers to the basic questions about what climate change risks might impact them and the arrangements in place to mitigate them. Internal audit must adapt to these expectations and demonstrate the “insightful, proactive, and future-focused” characteristics described in The IIA’s Core Principles for the Professional Practice of Internal Auditing. 
</p><p>Internal audit functions that conform to the International Professional Practices Framework should be qualified to audit climate change risks. To supplement their knowledge, The IIA has published the Practice Guide on Evaluating Corporate Social Responsibility/Sustainable Development.</p><p>Yet, a worrying trend in audit reports is that many auditors do not see climate change risks beyond financial risks to the business. Some internal audit functions may not include climate change risks in the audit plan because they are not considered a principal risk to the business. For example, according to the KPMG Survey of Corporate Social Responsibility Reporting 2017, 72% of large and midcap companies did not acknowledge the financial risks of climate change. This could be because boards, executives, and internal audit lack understanding of climate change risks and their implications. </p><p>In other cases, although internal auditors may consider climate change risks in the audit plan, they may not understand the assumptions and estimates used in preparing the financial statements. Likewise, auditors may not comprehend the implications of climate change risks when applying existing accounting treatments and audit standards. Additionally, standard audit programs may not be helpful in assessing climate change risks, control criteria, and their potential impact. Finally, the audit team may not have climate-change risk specialists to assist the teams in focusing on key areas of concern. </p><h2>Strategy and Risk Management Insight </h2><p>Those internal audit functions can’t ignore climate change for long. With these risks looming on the near-horizon, auditors can advise the board and management by promoting accountability in addressing climate change risks.</p><p>Internal audit can help ensure the organization is identifying, prioritizing, and remedying key climate change risks appropriately. 
For example, internal audit can advise on strategies for developing a process to define, monitor, and assess climate change risks. Auditors can ask management about the organization’s resilience and sustainability, as well as audit the organization’s sustainability report. </p><p>Another way internal audit can provide value is reviewing whether the business strategy aligns with the applicable regulatory environment. Auditors can facilitate root-cause analysis of potential regulatory noncompliance. Coordinating control self-assessment workshops can identify the areas where the organization’s climate-change response strategy does not align with its business processes.</p><p>Internal auditors also should evaluate the financial and strategic implications of climate change risks. While the changes to carbon-free or low-carbon technology could pose potential financial risks, they also could result in opportunities such as alternative technologies, business processes, services, and products.</p><p>Internal audit should ensure the organization’s enterprise risk management process includes an appropriate focus on climate change risks. Auditors can assist in developing a granular view of risks that can enable management to create appropriate risk management strategies. In addition, they should evaluate whether management has established benchmarks, metrics, success criteria, key performance indicators, and leading practices.</p><p>Where management is reluctant to consider climate change risks, internal audit can help change executives’ attitudes by enhancing their knowledge of the risks and demonstrating how to assess and predict their impacts. In addition, internal auditors who have assisted other organizations in addressing climate change risks can share information and analysis of their experiences and promote the use of tools and systems for these purposes. 
</p><h2>The Way Forward</h2><p>The audit function should understand the climate change risks affecting the organization and be able to add value proactively, timely, and effectively. It is important to assess whether the organization fully grasps the implications of climate change risks. To move forward, internal audit should: </p><ul><li>Develop a consensus with the board and senior management about internal audit’s role. </li><li>Champion a focus on climate change-related risks by participating in the risk analysis process and educating management on the best practices in climate change-related governance, risks, and controls.</li><li>Ensure the audit function has the appropriate skills to evaluate climate change risks and execute related audit engagements.</li><li>Empower audit teams by developing appropriate tools and procedures for assessing climate change risks, capacity building through mentoring and effective onboarding, and including climate experts in the audit teams.</li><li>Incorporate climate change risks into the organization’s risk register and ensure appropriate audit units are contained in the audit universe. The chief audit executive should ensure that the identified risks are embedded in each audit engagement.</li></ul><p>Climate change risks impact all of humanity. Consequently, there is much work to be done. The responsibilities of internal audit and the required skills are changing quickly. As a partner in a good governance process, the modern internal audit function can be pivotal in addressing climate change by positioning itself as an agent of change.  
<br></p>Israel Sadu
The Risks in Supply Chainshttps://iaonline.theiia.org/2019/Pages/The-Risks-in-Supply-Chains.aspxThe Risks in Supply Chains<p>Over the last couple of years, supply chain risk has become a key concern for the U.S. government. In December last year, for example, the U.S. Senate passed the Federal Acquisition Supply Chain Security Act of 2018, which contains powers to establish a security council specifically charged with supply chain risk. Further legislation with ramifications for supply chain management — such as the Manufacturing, Investment, and Controls Review for Computer Hardware, Intellectual Property, and Supply Act — has been tabled at a federal level. The hazards are many, but all point to a recognition that with increasing globalization and digitalization, supply chains have become longer, less transparent, and open to a range of threats. That means a business anywhere in the chain with weak security and controls is a potential target. <br></p><p>“Supply chain risk is a huge issue in the U.S. right now,” says Dan Shoemaker, director of the Master of Science in Information Assurance Program at the University of Detroit Mercy Center for Cyber Security and Intelligence Studies. He says it came to the attention of the U.S. government over fears that Chinese malware was turning up in U.S. military equipment. The risk with purchasing software is that vendors never give buyers the source code because of their need to protect intellectual property. 
So, companies effectively buy most software blind.</p><p>Shoemaker says this exposes organizations that build and use complex systems to two key risks: 1) malware can be injected into components at the bottom of the supply chain where transparency tends to be lowest; and 2) poor-quality counterfeit products can slip into a system because of cost-cutting pressures.</p><p>“This is the frontier in supply chain risk — we have systems built on top of systems that have all been built by mysterious people, and we have no idea who <span style="font-size:12px;">they are, and we often have no idea of how secure they are,” Shoemaker says. He adds, half-jokingly, if he were a country that wanted to take over the world, he would set up shop as a cut-price programming shop. “Everything I sent up the process ladder would have a killer piece of software in it that basically said, ‘When I push the button, I’ll take over the world,’” he says. “That would be easy to do because unlike other things, we just buy software without carefully looking at the ingredients.”</span></p><p>Internal auditors can suggest processes to reduce such supply chain risk, he says, and insist their organizations follow procedures established by the U.S. National Institute of Standards and Technology (NIST), such as NIST 800-161 that deals specifically with IT procurement and supply chain management, and also International Organization for Standardization (ISO) standards such as ISO 27000 dealing with information security.               </p><p>“Installing a standards-based process will help you understand what you are buying, because you can demand to see everything that is going on at any level of the supply chain,” he explains. “It will be documentation — not a physical examination of the actual activity — but that documentation will not be available otherwise.”</p><h2>Complex Contracts</h2><p>In fact, supply chain documentation is often ignored or badly managed by the purchasing organization. 
Without a solid understanding of the contracts upon which agreements to buy are based, organizations run the risk of being arbitrarily overcharged by suppliers.</p><p>“Once signed, a shrewd supplier will hand the contract to their commercial department to start drafting claims against you while the ink is still wet,” Christopher Kelly, partner at Kelly & Yang in Melbourne, Australia, says. Complex supply chains that entail huge, ongoing projects subject to multiple amendments can be daunting. But internal auditors typically can get to grips with the structure of their supply chains by mapping what it looks like. That will help flush out conflicts of interest between related-party companies, directors, and shareholders who may sit on both sides of a procurement deal, as well as reduce the risk of compounding overhead costs, for instance, within the project. </p><p>Contract agreements can be voluminous and take effort to digest, so internal auditors who put in the hours have a fighting chance of helping their organizations manage them because each contract effectively builds its own distinctive rules around costs, profits, and target parameters, Kelly says. Failing to understand the contractual intricacies is the No. 1 mistake internal auditors make, he adds. Internal auditors trained in financial accounting, for instance, cannot assume that they will be able to apply Generally Accepted Accounting Principles to any items of expenditure. IT costs allowable under the contract as a direct cost, for example, may already be included in the overhead rate. Accruals may or may not be allowed. Only the contract’s terms will make the correct treatments clear. </p><p>If the organization and its internal auditors are on top of their contracts, however, data mining and analytics become a powerful way of validating the costs charged against those allowed under the contract. That requires attention to detail. 
Keyword searches for entertainment, gifts, parties, or rework because of the supplier’s mistakes can expose multiple errors, duplications, and advance charges, for instance. Cost analysis also reduces the risk of the organization being charged up front for work not yet completed by a supplier that then goes out of business.</p><p>“When the internal auditor does his or her job well, the cost recoveries are amazing,” Kelly says. The biggest recovery he achieved was about $9 million. “I didn’t get a bonus, but it got me noticed,” he says. “And as an auditor wanting to advance in his or her career, that’s not a bad thing.” </p><p>Outside of the contract terms, changing the manager on the buyer side of the contract can be disastrous. On one audit, Kelly found that while the supplier had used the same manager on the project for 10 years, there were frequent changes to management personnel at the buying business. “The contractor was running rings around the buyer with unbudgeted charges, and when I asked for the contract, I was shown a heap of boxes and told, ‘We think it’s in there,’” he recalls. “It’s vital to keep continuity of knowledge when managing large-scale projects.”</p><h2>Building Resilience</h2><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>2019 Supply Chain Trends </strong></p><p>The five themes impacting supply chains most in 2019:</p><ul><li>Revision of the Minimum Security Criteria under the U.S.
Customs and Border Protection’s Customs-Trade Partnership Against Terrorism (CTPAT).</li><li>Supply chain growth in Africa, which increases exposure to risks.</li><li>Ongoing mass migration, which poses both security and corporate social responsibility risks.</li><li>Dramatic shifts in politics, such as elections in Brazil, the U.S.-China trade dispute, and uncertainty over Great Britain’s departure from the European Union.</li><li>The continued threat to supply chains posed by cybersecurity issues.</li></ul><p><em>Source: BSI’s Supply Chain Risk Insights 2019 report.</em><br></p></td></tr></tbody></table><p>New supply chain risks are not as easy to detect and deal with. “We’re seeing key shifts to global supply chains this year, driven by quite dramatic changes in the geopolitical landscape,” said Jim Yarbrough, global intelligence program manager at BSI, the business standards company, at the launch of a new report this year (see “2019 Supply Chain Trends” on this page). “The concern is that as supply chains change — with Chinese companies moving operations to Africa, for example, or the U.S. sourcing goods from other Southeast Asian nations — major implications will also evolve.”</p><p>Rapid change requires a flexible strategy from internal audit teams. “It is important to look at the supply chain through the lens of risk and resilience,” Jonathan Eaton, practice leader in Grant Thornton’s National Supply Chain Practice in Charlotte, N.C., says. “That means digging into the operating model to identify the potential failure points.” </p><p>Internal auditors can do that by using a Six Sigma tool called failure mode and effects analysis (FMEA), for instance, or a host of other tools. But, he says, the question they need to address is, “In your unique business model and industry, what are the failure modes within your supply chain that can hurt your business?” Eaton says that’s something audit leadership will ultimately need to determine.
“The buck stops with the chief internal audit executive on this,” he says. “If he or she knows that a business could be vulnerable within the supply chain, but does not know where, when, or why, then he or she must take action to find out. A deep dive into the processes using FMEA is a great place to start.”</p><p>Internal audit leaders need to ensure they are positioned as a trusted advisor to the business; otherwise, helping the business deal with supply chain risk is going to be virtually impossible. </p><p>“You have to be able to proactively track, manage, and measure risk,” he says. “But nobody has a silver bullet that is going to deal with all of the possible combinations of risk that can arise. That is why having a good relationship with the business is important for internal auditors, because the people who manage the supply chain have to be forthright with internal audit about what the risks are and the triggers that make them real.” </p><p>This task recently has become more difficult. Many companies have expanded their business and sales through the use of multiple sales channels, and they often have not reconfigured their supply chains to deal with the range of new platforms or delivery requirements that are in play. Managing risk in the supply chain in this scenario becomes a way of protecting against the potential erosion of profitability, says Eaton, and internal audit needs to have an in-depth knowledge of the business’ operations to be able to truly assist the organization in this area.</p><p>He sees the ability to track, manage, and measure risk as internal audit’s central role when it comes to supply chain resilience — particularly because those processes should be aligned to the biggest financial supply chain risks the business faces. Eaton describes robotic process automation (RPA) as a brilliant tool once audit understands the business’ failure modes and its strategy for tracking, managing, and measuring risk. 
RPA deals with high-volume, repetitive processes, so it can continually scan supply chain transactions in real time and be programmed to alert for weaknesses and red-flag events. He says too few businesses have made this move. “Internal auditors can introduce thought leadership into an organization in this area by bringing in these advanced technologies to mitigate the risk and build supply chain resilience,” he adds. But he also warns that an overdependence on technology and analytics can equally make internal audit blind to the more complex interrelated risks in the supply chain. For supply chain technology to work well, it needs to be aligned strategically with the business’ objectives for supply chain risk management.</p><h2>Preventing Crime<br></h2><p>Supply chains are also open to bribery, corruption, money laundering, and human trafficking risks. More recently, sanctions have become a pressing issue as the trade war between China and the U.S. gathers pace, and the Trump Administration applies pressure on its allies to keep its sanctions against Iran effective, for instance. The Office of Foreign Assets Control, the U.S. sanctions watchdog of the Department of the Treasury, has been increasing its activity in this area.</p><p>“Corporations need to make sure they understand the risk in their supply chain if they want to avoid being caught in the crosshairs,” says Samar Pratt, managing director of Exiger, a global governance, risk, and compliance business in London. But she warns that the boundaries between different types of risks can be porous. “If people want to evade sanctions, they will lie — which is where sanction risk crosses over into potential fraud,” she says. </p><p>Internal auditors should expect their organizations to do solid due diligence checks, she says. 
“While there is only so much a firm can do, as long as it can demonstrate it is taking a risk-based approach to its due diligence, it will help the organization demonstrate to internal audit it is taking appropriate steps. As part of this process, organizations are increasingly using artificial intelligence-powered, automated due diligence technology to detect red flags while onboarding new suppliers, or to monitor third parties on an ongoing basis.” Other methods include looking at the countries where raw materials are coming from, for instance, and, potentially, where the risk warrants it, sending people to those countries to ask questions on the ground. </p><p>“The due diligence needs to be proportionate to the risk and reflect the risk appetite of the organization,” she adds. While internal auditors are not specialists in investigating fraud in the supply chain, IIA standards require them to look for fraud indicators. If found, internal audit is likely to refer those issues to the organization’s fraud or financial crime team and possibly the legal team. Pratt says internal audit’s follow-up role is frequently overlooked. That involves coming back in post-investigation to examine what went wrong in the supply chain and add significant value to the business by focusing on the lessons learned and whether controls need to be strengthened. </p><h2>Making an Impact</h2><p>While the direct impact of mishandling a contract or breaking a government sanction can be significant, the reputational damage can be equally long-lasting and harmful. And as geopolitical risk increases and digitalization gathers speed, supply chain resilience is likely to become even more important. It is a difficult area for internal auditors to master. Doing so requires wide-ranging knowledge of different types of contracts, the business, and its supply chain structure — as well as keeping up to date with fast-changing threats. But the rewards can be great. 
Internal auditors who can play a central role in helping their organizations build robust supply chains will enable them to compete globally and successfully integrate new products and services into their offerings.</p><p>Arthur Piper</p>
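The cost validation Kelly describes under “Complex Contracts” (keyword searches for disallowed categories, duplicate charges, advance billing, and direct-cost items the overhead rate already covers) is, in practice, a set of rules run over every supplier invoice line, and the same rules are what a continuous-monitoring or RPA job under “Building Resilience” would apply to each new transaction. The following is an added example, not code from the article or from anyone quoted in it; the supplier, invoice lines, milestone dates and contract terms are constructed, and the rule names and the `ContractTerms` fields are the example’s own.

```python
"""Contract cost validation over supplier invoice lines (added example).

Rules, each as a separate check: disallowed cost categories found by keyword,
direct costs already recovered through the overhead rate, duplicate charges,
and milestone charges billed before the buyer accepted the milestone.
All data below is constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class InvoiceLine:
    invoice_id: str
    supplier: str
    billed_on: date
    description: str
    amount: float
    cost_type: str                   # "direct" or "overhead", per the contract
    milestone: Optional[str] = None  # milestone the charge is claimed against


@dataclass(frozen=True)
class ContractTerms:
    """Hypothetical terms; a real contract defines its own allowable costs."""
    disallowed_keywords: tuple[str, ...]           # never recoverable from the buyer
    in_overhead_rate: tuple[str, ...]              # already paid via the overhead rate
    milestone_accepted: dict[str, Optional[date]]  # None = not yet accepted


@dataclass(frozen=True)
class Finding:
    rule: str
    invoice_id: str
    detail: str


def _normalize(text: str) -> str:
    # Collapse case and whitespace so trivially reworded duplicates still match.
    return " ".join(text.lower().split())


def check_disallowed(lines, terms):
    """Flag lines whose description mentions a category the contract excludes."""
    out = []
    for ln in lines:
        hit = next((kw for kw in terms.disallowed_keywords if kw in _normalize(ln.description)), None)
        if hit:
            out.append(Finding("DISALLOWED", ln.invoice_id, f"'{hit}' in '{ln.description}'"))
    return out


def check_overhead_double_recovery(lines, terms):
    """Flag direct-cost lines for categories the overhead rate already covers."""
    out = []
    for ln in lines:
        if ln.cost_type != "direct":
            continue
        hit = next((c for c in terms.in_overhead_rate if c in _normalize(ln.description)), None)
        if hit:
            out.append(Finding("IN_OVERHEAD", ln.invoice_id, f"'{hit}' billed as a direct cost"))
    return out


def check_duplicates(lines):
    """Flag a repeated (supplier, amount, description) after its first occurrence."""
    seen, out = {}, []
    for ln in lines:
        key = (ln.supplier, round(ln.amount, 2), _normalize(ln.description))
        if key in seen:
            out.append(Finding("DUPLICATE", ln.invoice_id, f"repeats {seen[key]}"))
        else:
            seen[key] = ln.invoice_id
    return out


def check_advance_billing(lines, terms):
    """Flag milestone charges billed before the buyer accepted the milestone."""
    out = []
    for ln in lines:
        if ln.milestone is None:
            continue
        accepted = terms.milestone_accepted.get(ln.milestone)
        if accepted is None or ln.billed_on < accepted:
            out.append(Finding("ADVANCE", ln.invoice_id,
                               f"{ln.milestone} billed {ln.billed_on}, accepted {accepted}"))
    return out


def validate(lines, terms):
    """Run every rule. Findings are leads to verify against the contract, not conclusions."""
    return (check_disallowed(lines, terms) + check_overhead_double_recovery(lines, terms)
            + check_duplicates(lines) + check_advance_billing(lines, terms))


def amount_at_risk(lines, findings):
    """Total billed on invoices carrying at least one finding (upper bound on recovery)."""
    flagged = {f.invoice_id for f in findings}
    return round(sum(ln.amount for ln in lines if ln.invoice_id in flagged), 2)


# Constructed sample contract and invoice lines.
SAMPLE_TERMS = ContractTerms(
    disallowed_keywords=("entertainment", "gift", "party", "rework"),
    in_overhead_rate=("it support", "software licence"),
    milestone_accepted={"M1": date(2019, 3, 1), "M2": None},
)
SAMPLE_LINES = [
    InvoiceLine("INV-1001", "Acme Build", date(2019, 3, 5), "Site works M1", 120000.0, "direct", "M1"),
    InvoiceLine("INV-1002", "Acme Build", date(2019, 3, 5), "Client entertainment, launch dinner", 4200.0, "direct"),
    InvoiceLine("INV-1003", "Acme Build", date(2019, 3, 7), "IT support for site office", 9800.0, "direct"),
    InvoiceLine("INV-1004", "Acme Build", date(2019, 3, 9), "Site  works  M1", 120000.0, "direct", "M1"),
    InvoiceLine("INV-1005", "Acme Build", date(2019, 2, 20), "Commissioning M2", 55000.0, "direct", "M2"),
    InvoiceLine("INV-1006", "Acme Build", date(2019, 3, 12), "Rework of defective welds", 7300.0, "direct"),
    InvoiceLine("INV-1007", "Acme Build", date(2019, 3, 12), "Crane hire week 10", 15000.0, "direct"),
]

if __name__ == "__main__":
    found = validate(SAMPLE_LINES, SAMPLE_TERMS)
    for f in found:
        print(f"{f.rule:<12}{f.invoice_id}  {f.detail}")
    print("amount at risk:", amount_at_risk(SAMPLE_LINES, found))
```

Keyword rules over-match (“party” will hit “third party”), so every finding is a lead to be checked against the contract wording, which is the article’s own point that only the contract’s terms make the correct treatment clear. Run against a live feed of posted invoices rather than a batch, the same checks become the red-flag alerts the RPA discussion describes.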
Auditing Culture: Audit Project Surveys (https://iaonline.theiia.org/2019/Pages/Auditing-Culture-Audit-Project-Surveys.aspx)<p>Internal auditors looking to gauge organizational culture can choose from a variety of assessment techniques. Some are innovative, robust, and resource-intensive, while others are fairly simple. Typically, using a combination of techniques provides a more well-rounded picture of the culture.</p><p>Some of the most commonly used assessment techniques include: </p><ul><li>Entitywide employee surveys.</li><li>Open-ended interviews.</li><li>Structured interviews, in which a sample of employees is asked the same set of questions.</li><li>Combining objective data with auditors' perceptions.</li><li>Focus groups.</li><li>Self-assessment workshops.</li><li>In-depth root cause analysis.</li></ul><p>One of the simplest tools for auditing culture is an audit project survey — a survey conducted during the course of an audit engagement. There are several advantages to using a survey tool, as well as limitations and challenges that should be considered. Armed with this knowledge, and familiarity with suggested development and implementation practices, auditors may be better positioned to harness audit project surveys as a means of gaining valuable insight on organizational culture.</p><h2>Advantages</h2><p>Employee surveys have several advantages over other techniques for evaluating culture, including:</p><ul><li> <strong>Anonymity. </strong>If employees know survey results will remain anonymous, they may be more candid than they would in an interview.</li></ul><ul><li> <strong>Potentially Greater Validity. </strong>If employees feel safe and believe action will be taken to address their concerns, surveys usually constitute an accurate measure of employee perceptions.</li></ul><ul><li> <strong>Quantitative Results</strong>.
Most employee surveys I have seen ask respondents to indicate the extent to which they agree or disagree with statements (see, for example, the "University of Minnesota Employee Survey" below). The percentage of employees who disagree or strongly disagree with a statement is an objective fact, and significant disagreement represents strong evidence that something needs to be examined.</li></ul><ul><li><p> <strong>Efficiency.</strong> Audit project surveys provide an efficient way of gathering input from a large sample of employees. Effective project surveys often yield a response rate of 60-70%, and online survey tools make aggregating and analyzing the responses relatively easy. Unless the audited area is unusually small, interviewing and analyzing responses from a comparable percentage of employees would be prohibitively time-consuming.<br></p></li></ul><h2>Challenges and Drawbacks</h2><p>While the advantages of employee surveys are considerable, internal auditors should be aware of several potential drawbacks. Recommendations for addressing these limitations are also provided. </p><ul><li> <strong>Possible Lack of Candor. </strong>Employees may not be candid, in which case positive results will produce false assurance.<strong> </strong>Although surveys can be anonymous, employees might not believe they are. And if employees fear retribution from their manager, responses are likely to be positive regardless of how they really feel. </li></ul><ul><li> <strong>Potential Blind Spots. </strong>Employees may have blind spots about cultural issues, which can affect their assessments. An often used definition of culture is "how we do things around here." When someone joins an organization, he or she wants to fit in and may accept the way things are done without question. Similar to a lack of candor, this will produce false assurance.<br><em>Recommendation. 
</em>To address both lack of candor and cultural blind spots, auditors should avoid relying solely on survey results. Some people will be more candid in an interview than on a survey. For example, I think of an objection I received when discussing entitywide surveys at a conference in the Pacific Rim. An attendee who worked for a U.S. multinational company that used this type of survey said, "Surveys don't work here. People in this country will never be honest on a survey. They'll tell us exactly what's going on but they would never write it down." I now tell this story when I teach in that country, and the attendees always agree.<br>No single tool or technique is sufficient. Auditors need to be aware of limitations that exist in a given location and complement surveys with their own observations, available data that reflects the culture, interviews, and whatever other tools might be useful in that context. <br></li><li> <strong>Employee Misperceptions. </strong>Although surveys can be an accurate measure of employee perceptions, employees can be wrong. I think, for example, of a lead auditor who worked for me when I was an audit manager. She would occasionally come into my office, ask to close the door, and say, "What are you managers thinking? Do you have any idea what the staff is saying about this decision you made two weeks ago?" I'd say, "But Pam, they don't understand why we made that decision," and realize that we needed to tell them. Pam did a great service by alerting us to the staff's misperceptions, which we could then correct.<br><em>Recommendation.</em> Auditors should not present negative survey results as an issue unless they find corroborating evidence. However, if they can't find such evidence, or what they find contradicts the survey results, they should report it to local management as a possible misunderstanding it might want to correct.<br> </li><li> <strong>Ambiguity. 
</strong>Developing survey statements that are clear and unambiguous can be difficult. Take, for example, the statement, "Management is ethical, fair, and open to employee suggestions." This statement asks about three different qualities. A manager might have one or two of these qualities, but not the third. Also, does "management" refer to the employee's immediate supervisor, the head of the organization, or something in-between? <br><em>Recommendation. </em>Auditors can use a couple of methods to prevent survey statement ambiguity. First, they can draw from good models. Examples of effective surveys can be found in internal audit literature, obtained from colleagues, and accessed on the internet. With established models, any initial ambiguity is likely to have already been identified and corrected. Moreover, auditors will be able to approach prewritten survey statements more objectively, and identify any residual ambiguity more easily, compared to statements written by themselves.<br> Auditors can also field-test the survey once it's been developed. Before finalizing the survey instrument, they can give it to several people and ask what they thought each statement was asking. This exercise should identify most or all remaining ambiguity.</li></ul><ul><li> <strong>Scope Limitations. </strong>Surveys are limited to the predefined issues they include. And obviously, culture encompasses much more than a brief survey can assess. <br><em>Recommendation. </em>Internal auditors can address this concern by asking survey participants for explanatory comments. The University of Minnesota Employee Survey below has only 12 statements, but it asks respondents, "Would you like to tell us anything else about the operations of your (college, department, center, or other term as appropriate)?" Respondents can elaborate on any of the 12 statements or include something else they want the auditors to consider. 
</li></ul><h2>Development, Implementation, and Analysis</h2><p>Audit project surveys should be adjusted to best fit the environment in which they will be applied. Several considerations should be kept in mind when tailoring a survey for use with a particular client or organization, and during survey implementation and analysis. </p><ul style="list-style-type:disc;"><li>Design the survey carefully. Provide clear instructions for completing the survey, and phrase statements carefully using simple, easy-to-understand language.</li><li>Ask for level of agreement/disagreement with statements — such as those shown in the University of Minnesota Employee Survey's Likert scale below — and for explanatory comments.</li><li>Ask managers if they want to add issues they're concerned about. Good managers often wonder what their employees really think about certain decisions they've made or aspects of the environment. This is their chance to get honest feedback that employees might not want to give them in person.</li><li>If the content might be highly sensitive, consider asking the legal department to review the survey instrument. The lawyers are less likely to object if they are consulted up front than if they see the survey once it's underway. And they might have legitimate concerns.</li><li>To demonstrate management's support, ask the head of the audited area, as well as the chief audit executive, to sign the survey invitation email.</li><li>Consider using online survey tools to survey 100% of the population and to facilitate results analysis. </li><li>Stratify responses by level — for example, senior management, middle management, staff — and compare the differing perceptions.</li><li>Remember that surveys measure employee perceptions; they must be substantiated to be reported as audit issues. If they can't be substantiated, they still provide valuable information for the manager. </li><li><p>Involve the "experts" in interpreting the results. 
Some audit departments review the stratified results with a focus group of experienced employees who know better than the auditors why employees responded as they did. The confidentiality of individuals' comments, of course, must be preserved.</p></li></ul><p>Regardless of the technique or combination of techniques used, auditors and their stakeholders must keep in mind the objective of culture auditing: to continually enrich stakeholders' understanding of the culture through a blend of qualitative and quantitative evidence; the objective is not to reach final conclusions. Without this shared understanding, internal auditors risk giving false assurance when assessment results are positive and assigning unfair blame when results are negative. </p><h2>An Important Tool</h2><p>Audit project surveys can provide key insight on organizational culture. Like other tools used for this purpose, they will not be effective in every situation. But when applied with discretion and in conjunction with other techniques, they can be a valuable asset in the culture auditor's toolbox.</p><p>[Figure: University of Minnesota Employee Survey, the 12-statement Likert-scale questionnaire referred to above]</p><p>Read the other articles in Jim Roth's series on culture:</p><ul><li><a href="/2019/Pages/Auditing-Culture-History-and-Principles.aspx">Auditing Culture: History and Principles</a></li><li><a href="/2019/Pages/Auditing-Culture-Bumps-in-the-Road.aspx">Auditing Culture: Bumps in the Road</a></li><li><a href="/2019/Pages/Auditing-Culture-Where-to-Begin.aspx">Auditing Culture: Where to Begin</a></li><li><a href="/2019/Pages/Auditing-Culture-Observation-and-Data.aspx">Auditing Culture: Observation and Data</a></li></ul><p>James Roth</p>
Social Media Governance (https://iaonline.theiia.org/2019/Pages/Social-Media-Governance.aspx)<p>Social media’s strategic role within organizations has grown exponentially as it has become a ubiquitous juggernaut of nonstop information of varying degrees of accuracy and relevance. But its risks to the organization have accelerated, as well. To keep up, organizations need a strong governance structure that specifically emphasizes social media.</p><p>Similarly, social media’s high impact and high risks mean internal audit should look closely at all related activities. Perhaps the most important of these activities for internal audit is ensuring the organization’s social media governance is effective. </p><h2>It Starts at the Top</h2><p>Any aspect of governance starts with the board. As part of its assurance efforts, internal audit should ensure the board understands the broad scope of risks related to social media, as well as the board’s role in establishing an appropriate governance structure. </p><p>Foundationally, the organization already should have an effective governance structure in place. But the fast pace of change related to social media means the board should take a more active role in ensuring the organization’s governance structure addresses unique social media issues effectively. This not only helps the organization achieve its social media objectives, but also further ensures the organization will not be broadsided by change, irrelevance, and damaging reputation issues.</p><p>The board must understand the changing landscape of social media, as well as the current and evolving risks. Further, directors must understand the organization’s social media strategies — both the strategies specific to social media and those using social media to better achieve objectives. This includes understanding how the strategies were developed and how they support the organization’s overall mission.
Finally, the board should understand how the organization will address emerging issues, potential crises, and the overall changes in the social media environment. </p><p>Ultimately, board members must be able to lead conversations that get to the heart of the organization’s approach (see “Questions the Board Should Ask” at the bottom of this page). To ensure the board is prepared to successfully oversee social media activities, internal audit should focus on three areas: knowledge, training, and communication. </p><p><strong>Knowledge</strong> The constant press coverage related to social media “fails” has resulted in boards becoming more aware of social media’s risks and pitfalls. But it also has led many boards to focus on the latest YouTube debacle or Twitter mistake, rather than understanding the broader risks. Therefore, internal audit should ensure board members fully understand the risks and opportunities related to social media, as well as the organization’s activities. <br></p><p><strong>Training</strong> Internal audit should ensure the board has been trained appropriately on new and emerging social media technologies, how they are used, the risks to the organization and its industry, and how competitors are using social media. Such training will help the board understand how the organization developed its strategic approach and what it needs to be successful. <br></p><p><strong>Communication</strong> Internal audit should ensure communication channels allow the board unfettered and timely access to the information it needs about social media. 
In addition to information from executives, this communication should come from committees responsible for social media, departments involved in developing and communicating through social media, and front-line personnel who are dealing with day-to-day issues that can quickly grow into organizational disasters.</p><p>Internal audit can provide assurance that board members are prepared by examining activities at the highest levels of the organization. The best way is for auditors to speak directly with board members to gain assurance that directors are providing the best oversight possible. Additionally, auditors should review correspondence and minutes of board meetings, as well as the information received by the board, to ensure that it has been kept in the loop. They also should review training materials to ensure materials cover all appropriate areas and that all board members have participated.</p><p>[Figure: Social media governance at a glance]</p><h2>Executive Oversight</h2><p>At the next layer of governance, the executive level is responsible for developing and implementing the organization’s social media strategies and objectives, as well as ensuring they align with the organization’s other strategies and objectives. Like the board, executives should obtain assurance that social media projects are advancing as expected, the projects are aligned with other strategies, the objectives are being met, significant risks and issues are communicated, and all other necessary information is brought to executives’ attention in a timely manner.</p><p>Best practice is to assign a social media champion at the executive level to oversee social media activities organizationwide and be responsible for their success. The executive should fully understand and believe in the value of social media to the organization, while also understanding the associated risks.
This individual also should have the status to freely communicate potential issues and concerns to fellow executives. Otherwise, social media activities may fail because of lack of interest.</p><p>It also is best practice to establish a social media oversight committee to handle responsibilities at a more granular level. The committee should encompass all departments with a role in social media and include individuals with the authority to initiate changes. The committee will be responsible for ensuring the alignment and success of all social media strategies, objectives, and plans; monitoring project progress; and communicating potential issues. The executive champion should be an active member of this committee, providing guidance and ensuring necessary communication between the committee and executives.</p><p>Much of internal audit’s review of executive oversight is similar to that outlined for the board — just more detailed. This includes obtaining assurance that executives receive ongoing training that allows them to understand how social media can best be used, and that executives are adequately updated on social media. In addition, internal audit should determine whether executives are actively ensuring their individual departments are using social media appropriately, and that those activities are aligned with other departments and functions.</p><p>Interviews with executives are the best way for auditors to obtain this information. And, while social media-focused interviews can be an important part of the review, an effective alternative is to discuss the topic in meetings about departmental risks, concerns, and upcoming initiatives. Special attention should be paid to the executive champion, who can be a significant source of information about the status and growth of social media. 
If the relationship is cultivated appropriately, the champion can be a source for potential areas of review.</p><h2>The First Line of Defense</h2><p>A challenge in any governance structure is ensuring coordination among the teams that manage the various aspects of risk. Effective social media governance requires each of the three lines of defense — operational management, risk management and compliance functions, and internal audit — to understand the specific risks and responses that apply to their functions. </p><p>The first of these lines, operational management, owns and manages the risk. These are the operational managers responsible for maintaining effective internal controls and executing ongoing risk and control procedures. Each operational function must understand the impact of social media on its responsibilities, as well as the function’s role in the organization’s social media presence. Although their roles and responsibilities can vary from one organization to the next, the following are functions that could be involved with social media. </p><p><strong>Marketing</strong> This function is responsible for marketing through social media channels, including brand management. Responsibilities include ensuring social media delivers a consistent message to the right customers, brand integrity and standards are maintained in all social media channels — including the activities of agencies and third-party vendors — and the message being delivered matches organizational objectives. <br></p><p><strong>Sales</strong> The sales function’s responsibilities include ensuring sales efforts on social media match marketing’s message, delivery of products and services sold through social media is accurate and timely, and follow-up is taken on leads generated through social media. The department also must keep online sales information updated and accurate, and use social media data to analyze trends related to leads, sales, and returns. 
Ultimately, the function should ensure social media improves sales efficiencies and costs.<br></p><p><strong>Customer Service</strong> This function ensures complaints received through social media are handled efficiently, customer satisfaction in the online sales process is maintained at the desired levels, and customers are referred to the appropriate goods and services. Customer service also makes sure all online communications maintain the appropriate tone and social media is used to accurately measure customer satisfaction.<br></p><p><strong>Public Relations</strong> Also known as corporate communications or community relations, public relations manages how the public perceives the organization. Its responsibilities include ensuring social media messages related to public relations match the overall messaging strategy and monitoring exists to identify, avert, and mitigate crisis situations. Public relations also should have an effective crisis management plan that includes responding to social media issues and using social media as part of the crisis management process.<br></p><p><strong>IT</strong> This function develops and maintains hardware and software used for social media. IT’s responsibilities include ensuring customers have a seamless experience while using social media and maintaining sufficient backups to reduce or eliminate downtimes. This function implements technology to achieve the organization’s social media objectives and ensures access to the organization’s social media sites is controlled.</p><p><strong>Human Resources</strong> This function uses social media to recruit new employees and potentially uses social media to deliver training. Human resources should ensure that training on the use of social media includes all employees and all facets of social media use. 
It should ensure a social media policy is developed that complies with existing regulations and the organization’s other policies, and monitor employee satisfaction through external comment boards and websites.<br></p><h2>The Second Line</h2><p>The second line of defense comprises those functions that ensure first-line-of-defense controls are designed appropriately, in place, and operating as intended. Spanning the organization, these functions provide assurance related to their field of expertise. Second-line functions need to keep abreast of changes in social media with a particular emphasis on issues impacting the areas they oversee. As with the first line of defense, the specific structure and responsibilities of second-line functions differ among organizations. In reviewing governance, internal audit should ensure that the organization is addressing all of the potential social media oversight roles these functions perform.</p><p><strong>Risk Management</strong> This function ensures social media risks are understood throughout the organization and included in risk assessment processes. Responsibilities include ensuring all risk assessments consider social media, departments keep abreast of emerging issues and risks related to social media, and those issues and risks are communicated in a timely manner. The risk function also must ensure all departments’ risk assessment and management procedures address social media risks appropriately.<br></p><p><strong>Compliance</strong> The compliance function is responsible for ensuring existing regulations are reviewed for reinterpretations that may impact social media and that new and changing regulations are monitored. It must advise all departments of regulations that will impact their use of social media and ensure that potential noncompliance issues are reported and acted upon.<br></p><p><strong>Security</strong> The security function must ensure appropriate access to and control over social media activities. 
It ensures general IT security controls such as password, antivirus, anti-malware, and firewall controls have been established and are being used effectively. It also makes sure that access to the organization’s social media accounts is restricted appropriately, all accounts are monitored for suspicious activity, and accounts that are no longer in use have been decommissioned. Additionally, the security function should ensure all employees understand the risks related to inappropriate use of social media.<br></p><p><strong>Quality</strong> This function is responsible for ensuring the organization’s use of social media complies with standards related to brand and image. Its responsibilities include ensuring branding and imaging within social media accounts match established standards, and making sure overall quality and professionalism of social media interactions match the desired level. The quality function also should ensure information reported through social media channels is accurate, and the organization takes effective corrective action on identified issues.<br></p><h2>The Third Line</h2><p>Internal audit provides the board and senior management with independent and objective assurance of the other two lines’ efficiency and effectiveness. To that end, auditors should ensure that all entities in the three lines understand social media risks as well as their responsibilities for those risks. Internal audit can use two approaches to provide this assurance.</p><p>The first is to conduct an overall review of social media, focusing on the functions where the greatest risk may reside. This review may entail separate audits of social media for each function — which will provide detail on how the function is performing — or a review of social media risks, adding focus on potential gaps among departments. </p><p>The second approach is to include social media as a risk area in all audits planned for the year. 
The results should be included in the individual reports, but auditors also should consider providing an overview of organizationwide responses to social media risks.</p><h2>Audit’s Social Impact</h2><p>Social media has become an integral part of any organization’s success and an area that internal audit functions ignore at their own peril. In providing assurance regarding social media, governance can be one of the most impactful areas in which internal audit can provide value. Moreover, reviewing governance establishes a foundation upon which internal audit can begin to build its understanding of, and assurance work related to, social media. <br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p><strong>​Questions the Board Should Ask</strong></p><p>A well-informed board is equipped to ask the important questions about the organization’s use of social media. To ensure the organization understands its social media strategies and direction, here are some questions board members should be prepared to ask and the organization should be able to answer.</p><p><strong>How are we using social media to engage with our customers, open new markets, and recruit top talent?</strong> </p><p>These three areas are only a small part of how the organization is using social media. But they provide a good foundation to ensure the organization understands the impact of social media, and they may help the organization explore how best to use it.</p><p><strong>How are our competitors using social media?</strong></p><p>Social media is a competitive advantage. Without understanding how the competition is involved, the organization cannot know if it is ahead of or behind the curve. Understanding the competition’s use of social media also provides lessons learned without actually taking the risks. 
In addition, following competitors on social media provides insights into their strategies and plans beyond social media.</p><p><strong>How are our employees and other stakeholders using social media? What do we allow?</strong></p><p>This question generally will lead to a discussion about existing social media policies. But the primary purpose is to provide assurance that the organization is aware of the risks related to employee and stakeholder use of social media, is monitoring those activities, and is prepared to respond quickly to potential issues.</p><p><strong>What regulations regarding social media does our organization need to be aware of?</strong></p><p>Board members need assurance that the organization understands the impact of regulators on the organization’s use of social media, monitors compliance with those regulations and regulatory changes, and takes appropriate actions.</p><p><strong>How are we monitoring social media activity for potential negative issues? Does this include plaintiff, activist, regulator, and vendor social media activity?</strong></p><p>Monitoring is an important part of the organization’s social media risk management process. Almost every social media fail could have been better controlled had the organization monitored and responded to social media conversations appropriately. Monitoring can provide early warning about public relations, brand, regulatory, or legal issues before they get out of hand. </p><p><strong>How are we interacting with the organization’s followers, friends, etc.?</strong></p><p>The board needs to understand how success is measured related to the investment in social media. The important aspect of this question relates to how any measures of success will be used to positively impact organizational objectives. 
Board members should be asking for a direct link between social media metrics and broader organizational success.</p><p><strong>What do board members need to do to ensure they keep out of trouble?</strong></p><p>First, the board must be assured that it has the information necessary to understand and respond to relevant social media risks. Second, board members must understand how their use of social media — whether as a representative of the organization or as a private citizen — can impact the organization. While these are questions that should be asked by board members, they also are excellent questions for internal audit to use during its reviews, particularly at a governance level. The questions dig deeply into the knowledge and awareness of all social media participants.<br></p><p><em>Adapted from “Critical Social Media Questions for the Board Room” by Richard S. Levick, Fast Company, 11/27/12.</em><br></p></td></tr></tbody></table><p><em>Jacka and Scott are the authors of Auditing Social Media, Second Edition, published in August by The IIA’s Internal Audit Foundation.</em><br></p>Mike Jacka