Risk and Compliance



7 Lessons from the Pandemic
https://iaonline.theiia.org/2020/Pages/7-Lessons-from-the-Pandemic.aspx
<p>Consequences from the COVID-19 pandemic pose an unprecedented risk to the world economy. The severity of the pandemic's impact has left businesses facing difficulties in meeting their financial reporting timelines and audit practitioners confronting scope limitations or complex auditing and accounting issues.</p><p>As trusted partners of the business, internal auditors have proactively risen to the challenge to support their clients through a multipronged strategy that includes:</p><ul><li>Providing insights by reviewing the changing risk landscape and its short- and long-term impacts on business.</li><li>Participating in clients' emergency response team meetings to deliver value from a risk-based perspective in a nondisruptive way.</li><li>Prioritizing internal audit work plans and audit resources, and pausing or accelerating audits in progress.</li><li>Planning and providing advisory or consultancy services considering the changing risk landscape.</li><li>Assessing audit skills and diverting short-term surplus capacity to assist clients in their emergency response.</li></ul><p>Even before lockdown restrictions began to ease around the world, business managers began planning for the new normal. This has necessitated evaluating and learning from their handling of the crisis before addressing future preparedness strategies for possible pandemics. Audit practitioners are playing a key role in this process through assessing not only their clients' pandemic readiness, but also their own — providing greater value to their clients.</p><p>While internal audit leadership plans for the next normal, there are seven lessons it should consider when modeling its work.</p><h2>1. 
Impact Assessment</h2><p>Finding the best approach to handle future crises requires the willingness and ability to quickly learn from past successes and failures and put them into action. As the pandemic continues to play out, practitioners should quickly seek out and document feedback from business management, audit committees, and other key stakeholders through surveys and interviews. Results of such analysis provide valuable input for future risk analysis and work planning. Next, review the adequacy of pandemic response through testing the effectiveness of business continuity plans and some critical procedures the organization followed when the pandemic first began.</p><p>More than half of respondents in a 2019 ContinuityCentral survey say that the biggest challenge to their business continuity plans is lack of budget and resources. Put differently, when times are good, the need to plan for future crises fades away. Practitioners should pay attention to potential pandemic-specific risks related to third-party relationships, supply chain, cybersecurity, fraud vulnerabilities, the ability to execute remotely, and, most importantly, establishing and communicating a business continuity plan. While it is not always possible to anticipate the factors that may lead to a crisis, the review should seek to answer whether the entity is able to reprioritize business objectives and address risks.  <br></p><h2>2. Business Continuity</h2><p>COVID-19 has demonstrated the relevance and worth of having a robust enterprisewide risk management system. Key questions to ask are: 1) Is the entity's risk management approach sufficiently comprehensive and robust enough to handle a crisis? and 2) Does the entity have the capability to seize potential opportunities that present themselves through innovative business models? For example, when the coronavirus outbreak first occurred, consumers shifted to a stay-at-home economy, ordering groceries online for delivery. 
To get their share of the online grocery market, grocery chains that didn't offer home delivery invested in their own delivery services or partnered with third parties to compete. In China alone, research shows the online grocery market is expected to grow by 62.9% in 2020 vs. 29.2% in 2019, according to iiMedia Research. <br></p><p>COVID-19 also has highlighted a systemic weakness in that internal audit was not leveraged in a timely manner when the pandemic hit. A March Quick Poll by The IIA's Audit Executive Center provides a mixed picture of internal audit's role in the crisis. While most chief audit executives (CAEs) reported that they were involved in their organizations' response to the coronavirus at the time of the survey, 37% said they should have been brought in sooner to discuss the risks and potential responses. Only 43% felt they were involved in a timely manner. These numbers should prompt audit practitioners to assess whether their clients' business continuity plans had a spot for audit to partner with management. Pandemic experience should also give CAEs an opportunity to invest time in establishing their own business continuity plans, if they haven't already. Such plans should enable their audit teams to become conversant with remote audit techniques and the technologies used. More importantly, resources and mechanisms should exist for identifying and resolving the constraints in using such technologies.<br></p><h2>3. Supply-chain Resilience</h2><p>Nearly 75% of companies reported supply chain disruptions in some form due to COVID-19-related transportation restrictions, and the figure is expected to rise, according to a March survey conducted by the Institute for Supply Chain Management. People are already questioning the very foundations of the globalized economies that we live within today. 
Key questions to be considered in the post-pandemic period include:</p><ul><li>Is the supply chain model flexible enough to change if demand for certain products or services rapidly changes?</li><li>Do standard contracts provide sufficient flexibility to maintain key business relationships in the middle of a crisis?</li><li>If suppliers and business partners have their own contingency plans and have prepared for a pandemic, how well will they align with clients' contingency plans?</li></ul><p> <br>Above all, the plans should be resilient enough to enable clients to mobilize resources at speed and scale, move from globalization to regionalization, when required, and stop relying on a single overseas supplier.<br></p><h2>4. Liquidity and Cash Flow</h2><p>Social distancing restrictions will hit cash and working capital, including liquidity, during a pandemic. Practitioners need to review what scenario-based measures have been put in place to mitigate the risks of cash and margins becoming tight when there is a financial pressure point. How this will impact the liquidity and cash flow will be a key concern to review.</p><h2>5. Human Resources Policies</h2><p>Key questions to consider in this area include:</p><ul><li>Are human resources policies adequate and flexible to address employee concerns, particularly when dealing with the fallout of shifting business or suppliers to different jurisdictions during the pandemic, and its impact on the organizational structure?</li><li>Do staff members have the resilience to adapt to the evolving risk environment through adopting remote working modalities?</li></ul><p> <br>Practitioners also should assess if there were policies for staff safety and hygiene and if staff had the skills to work in an environment with limited or no person-to-person contact considering potential social distancing restrictions. 
This is more relevant in cases where practitioners provide assurance within a school/university system, as the impact of this risk will be felt in the years to come.</p><h2>6. Technology</h2><p>Distance is much less of a consideration in today's business world — especially since the crisis. Experience shows that the pace of automation increased during each of the three recessions over the past 30 years. Pandemic situations lead to a surge in virtual interactions and digital transactions. Practitioners should assess the adequacy and effectiveness of resilience, staff skills, the potential to leverage technologies, and the mitigating actions in place to address the risks of cyberattacks during the pandemic.<br></p><p>One positive aspect of the current pandemic has been the opportunity to explore the potential and possibilities of remote work using available technologies. If sustained in the post-pandemic world, this trend will lead to a more environmentally friendly operating concept where audits could continue to be done remotely in a data-driven world.<br></p><h2>7. Communication Strategy</h2><p>Transparent, consistent, and reliable information, particularly from leadership, will help staff, customers, and investors make informed decisions throughout the crisis. Practitioners should assess the adequacy of clients' communication strategies for their comprehensiveness. Public sector auditors should pay attention to the plans, policies, and procedures in place to provide timely, accurate, and reliable information to the public. 
Pandemic experience also provides an opportunity for CAEs to establish or review their own strategies to proactively communicate with management and audit committees about the pandemic's impact on the business, changes in risk profiles, and results of reprioritization of internal audit work plans.<br></p><h2>Toward the Next Normal</h2><p>No one knows how long the crisis will last, but its impact may continue to shape the world's economy for months, or even years, to come. In looking at the quality of the organization's response to the pandemic, internal audit has an opportunity to reposition itself as a greater value provider, leveraging experiences gained through the crisis to help pave the path to the next normal.</p>
Israel Sadu
Thriving Under Pressure
https://iaonline.theiia.org/2020/Pages/Thriving-Under-Pressure.aspx
<p>In response to the global financial crisis of 2008, the U.S. government enacted regulatory reforms requiring banks to perform an in-depth review of the risks in their businesses. Among the regulations, banks had to conduct stress testing and scenario analysis each year. These tests involved performing a “what-if” analysis of how their balance sheets, net income, capital cushion, and other key financial metrics would evolve if an economic stress occurred.</p><p> Since then, stress testing has helped banks greatly improve their skills at identifying, quantifying, and managing risks. That has enabled them to provision capital to absorb losses arising from systematic risk events.</p><p>But stress testing isn’t just for banks. The negative economic impact of the COVID-19 pandemic reveals the need for organizations to be prepared to respond to economic shocks. Organizations and audit functions in other industries can learn from the banks’ processes to implement stress testing in their business.</p><h2>The Banks’ Experience</h2><p> For banks’ capital-planning exercise, internal audit provides assurance that current, new, or changing processes are functioning as designed and controls are in place to mitigate risks. Auditors also identify improvements to enhance the accuracy of the results of stress tests. </p><p> Within stress-testing exercises, internal audit must review the entire end-to-end process — rather than individual components — to assess compliance with regulatory and board expectations. Companies must provide a summary of internal audit’s findings in their capital plan submissions to the Federal Reserve Bank. </p><p> The dynamic nature of capital, risk, and stress management poses unique challenges for internal auditors at banks. 
Auditors often must learn new systems, review complex loss and forecasting models, track remediation in real time, manage multiple engagements, and work on a timed schedule. Such requirements make planning imperative for these audits. </p><h2>Any Organization Can Stress Test</h2><p> Regardless of industry, internal audit can ensure that stress testing encompasses sound foundational risk management, effective loss and resource-estimation methodologies, a granular capital impact assessment, and robust internal controls and governance.</p><p><strong>Assess Risks Within Scenarios</strong> U.S. publicly listed companies report “risk factors” in their annual 10-K Securities and Exchange Commission filings. This information details the most significant risks to the company such as major industrial accidents, cyberattacks, or employee malfeasance. By quantifying those risks and modeling their impact into the organization’s financial outlook, risk managers can provide insights into its vulnerabilities to key risks. However, organizations often view these risks in silos, which can lead them to miss today’s more complex, interconnected risks. </p><p> Organizations can greatly enhance this exercise by focusing on the scenario that may evolve and by reviewing the impact of a cluster of interrelated risks within that scenario. Risk managers then can focus on scenarios that may impact the business most severely. </p><p><strong>Estimate the Impact of Tail Events</strong> A common risk management practice is modeling broader everyday market variables such as gross domestic product, inflation, or business-specific variables. Scenario analysis then focuses on whether core risk factors are likely to develop in the future. </p><p> Risk managers usually disregard low-likelihood “tail” events, preferring to focus on those events that are more plausible in their experience. They assume that in such extreme scenarios, teams can rally together to sustain business operations. 
However, COVID-19 is highlighting how seemingly low-probability events can add together to create a highly probable event with material impact. </p><p>Thinking about one-off events, such as a natural disaster or pandemic, can greatly enhance the versatility of a stress-testing exercise. The same is true of events that may have a more extreme outcome such as a large drop in revenues or staff reduction. In looking at such events, organizations can develop a deeper understanding of the impact these shocks could have on their business. That insight would enable them to allot resources to continue business operations under stress. </p><p><strong>Model the Risk Mitigation Impact</strong> While it’s a good start to have a more in-depth review of potential business risks and plan for risk mitigation strategies, corporate boards can benefit from modeling the impact of those strategies on continued operations. Risk mitigating responses, such as reducing dividends and selling business assets, can develop into their own risks over the long term. </p><p>For example, during the pandemic, selling business assets may seem to be a quick way to recapitalize a business. However, those sales may have their own idiosyncratic impact that may show up only after the stress has subsided. Modeling the impact of such measures in response to the original stress event can give senior management more confidence in the exercise’s robustness.<br></p><p> Internal audit can be part of a cross-department initiative that assesses the impact on different interests such as employees, competitors, suppliers, regulators, and customers. Discussing how risk scenarios may impact each team and running reactions through models are ways auditors can help the business devise an organizationwide strategy. 
</p><p><strong>Integrate Results With Strategic Planning</strong> The usefulness of stress testing will be limited if its results aren’t linked to strategic planning, capital allocation, and other business management decisions. A variety of senior management executives should participate to ensure testing has a meaningful impact. Performing an integrated risk measurement and planning exercise can quantify the amount of capital the organization would need to absorb stress and sustain operations. </p><h2>Stress Testing Audits</h2><p> Just like their counterparts at banks, internal auditors in other industries can help set up a stress-testing exercise. They also can provide assurance that the processes are being executed as intended. <br> Internal audit should consider several factors when setting up its audit plan: </p><ul><li><em>Well-defined objectives, oversight, and governance. </em>Stress-testing frameworks should be designed with clear and well-documented objectives, and a governance structure that must be reviewed and approved by the board. </li><li><em>Material risk capture.</em> Testing should identify and quantify material risk that is relevant to the business. The risk-identification process should be comprehensive and consider both tangible and intangible risks. </li><li><em>Resourcing.</em> Staff members who are involved in stress testing should be well-trained and possess advanced skills. They should have sufficient oversight to provide guidance of their work. </li><li><em>Challenge and review.</em> Models, results, and the framework should be subject to independent challenge and periodic review. </li><li><em>Technology and systems.</em> Modeling and forecasting of stress and risks require robust systems and IT infrastructure. Such exercises deal with large amounts of data that need to be stored and processed appropriately. 
</li></ul><h2>Making Testing Sustainable</h2><p> A well-planned audit can enable senior management to rely on internal audit’s ability to identify weaknesses in the stress-testing process, both from a stability and regulatory compliance perspective. Moreover, the audit can elevate material issues that may warrant management’s attention. By addressing the deficiencies internal audit uncovers, process owners and risk managers can make stress testing more sustainable.<br></p>
Ankit Garg
What COVID-19 Teaches Us About ESG's Importance
https://iaonline.theiia.org/2020/Pages/What-COVID-19-Teaches-Us-About-ESGs-Importance.aspx
<p>They say that even a kick in the rear is a step forward, and COVID-19 has delivered one mighty kick to corporate posteriors around the world. Now one question is whether boards will lurch forward — on, of all things, environmental, social, and governance (ESG) issues.</p><p> The ties between COVID-19 and ESG performance are more direct than one might assume. The virus has forced organizations to consider a host of specific questions, but the deeper, existential questions boards face are two: How can we preserve sustainable operations amid unpredictable circumstances? And, how can we hold all our stakeholders together and continue to create value?<br> <br>Well, ESG issues ask those same questions. So boards that have considered how to fit ESG into corporate governance may be better prepared for the crisis.</p><p>“It’s absolutely an accelerator, what’s happening right now,” says Daniela O’Leary-Gill, who sits on the board of the Museum of Science and Industry in Chicago, as well as the board of BMO U.S. Funds, a mutual fund run by BMO Financial. O'Leary-Gill views COVID-19 as a test of corporate resiliency. Strong ESG governance fosters resiliency by driving the company to focus on issues such as sustainable supply chains, trust in the organization, and reliable governance that transcend any specific CEO or board directors.</p><p>That resiliency can then prove invaluable during extreme risk events. O’Leary-Gill says organizations ignore the connection between ESG and resilience at their peril. “The current situation is a lesson in priorities,” she says. “Organizations are well-served to put ESG on the ongoing agenda versus an occasional discussion. 
That kind of preparedness provides greater resiliency to the company’s operations.”</p><div style="width:300px;float:right;padding-left:10px;padding-right:10px;margin-left:10px;background-color:#6eabba;color:#000000;"><h3>ESG AND SOCIAL JUSTICE</h3><p>COVID-19 isn’t the only urgent concern for boards these days. This spring also saw throngs of people take to the streets in the U.S. and around the world, protesting systemic racism and social injustice.</p><p>It’s another example of how attention to ESG issues can better position a company for swift, unexpected disruption. “It’s a double whammy of ESG issues corporations should pay attention to,” Bonime-Blanc says. </p><p>Since the protests erupted in late May, organizations have rushed to support the Black Lives Matter movement or — as happened with the CrossFit fitness company — to part ways with chief executives who inflame the situation with racist comments.</p><p>The Black Lives Matter protests do raise a challenging point. Social questions — the “S” in ESG — are the most fraught issues to address, with substantial reputational risk. At the same time, they have the least guidance about what boards should do. (Compared to environmental regulations, for example.) “The spotlight will be on the S,” O’Leary-Gill says. “Not to take away from the importance of E or the G … but I think the S is the part that is least prescribed, and the least standardized across companies.”</p><p>So how can companies systematically measure corporate culture, or equity in the workforce? “That’s where the focus needs to be,” O’Leary-Gill says.</p></div><h2>The Relevance of ESG</h2><p> It might seem strange to talk up ESG these days, given the economic calamity and operational crisis all around us. When you examine the component parts of ESG, the relevance of those issues to the COVID-19 crisis becomes clear. Consider:</p><ul><li> <strong>Environment. 
</strong>One pillar of good environmental stewardship is using as few natural resources as possible, and generating as little waste as possible. That implies an efficiency of operations that’s welcome in a cost-sensitive environment. It’s also a nice hook to woo environmentally conscious consumers.</li><li> <strong>Social. </strong>This can include everything from workplace safety, to paid sick leave, to workforce development. Regulators are already watching companies’ commitment to safe work environments in the time of COVID-19. Sick leave, worker training, and similar policies about human capital also can prove valuable to help companies keep employee sentiment on their side.</li><li><p> <strong>Governance.</strong> This principle encompasses the board’s oversight of corporate conduct, shareholder rights, executive succession, and similar issues. First, the risk of corporate misconduct rises during difficult times, so a board skilled at risk management will do a better job policing against that threat. Second, a rigorous board, committed to good governance, is likely to stay on the right side of investors and root out organizational shortcomings more quickly.</p></li></ul><p>More broadly, boards should pay attention to ESG because investors, employees, business partners, and other stakeholder groups still consider ESG important — <em>especially</em> now as COVID-19 and the ensuing recession drive people to question what role companies should play in society.</p><p> Investment dollars, for example, are still gushing into ESG funds. According to Morningstar, ESG investment funds worldwide saw inflows of $45.7 billion in the first quarter of this year, while the broader investment world saw net outflows of $384.5 billion. Exchange-traded funds had been briskly marching toward all-time highs in 2020 until early March, when they tumbled by 30% or more. 
Now the largest of those funds is already flirting with its all-time high again.</p><p>“The shareholders are going to be better off because of this,” says Andrea Bonime-Blanc, a former board director of the Ethics and Compliance Officers Association and a current director for the National Association of Corporate Directors, New Jersey Chapter. “Maybe you can’t measure it quarter to quarter, but over the long term, you definitely can measure the progress.” </p><p> She, like O’Leary-Gill, stresses resilience. “To me, the best argument isn’t that the regulators are coming,” she says. “The best argument is that you are building organizational resilience that allows you to survive and thrive in good times and bad.”</p><h2>Putting It Into Practice</h2><p> Boards that want to leverage ESG issues for long-term resiliency need to start with a direct question: Is the necessary experience in the boardroom? "To meet this crisis, boards should have more people who are not chief financial officers or CEOs,” Bonime-Blanc says, “but chief risk officers, chief ethics and compliance officers, and chief corporate responsibility officers.”</p><p> Likewise, O’Leary-Gill asks, what is the fluency on the board in ESG issues generally, as well as the specific ESG issues that might be most relevant to each board’s organization? That is, manufacturing companies might need more expertise in environmental sustainability. Software companies, in contrast, might want expertise in workforce diversity and pay equity.</p><p> From there, the work might start to sound familiar. Boards must decide which ESG issues are most important to their stakeholders, which key performance indicators (KPIs) match those issues, and what sustainability frameworks could help the organization steer those KPIs in the right direction.</p><p> This is where a strong audit function can assist. 
Frameworks need to be reviewed; metrics need to be developed and translated into policies, procedures, and internal controls — which will then need to be tested. </p><p> How well will all that effort pay off, with a vibrant organization that can weather difficult times? That’s hard to say. <br> <br>Then again, COVID-19 is only the crisis of the moment. Boards also need to consider climate change, social inequity, and other crises after that. Resiliency will be crucial to all.<br></p>
Matt Kelly
Update: The IIA Updates Three Lines Model
https://iaonline.theiia.org/2020/Pages/Update-The-IIA-Updates-Three-Lines-Model.aspx
<p>In today’s fast-paced, technology-driven world, risk-based decision-making is as much about seizing opportunities as it is about defensive moves. A long-overdue update to the popular Three Lines of Defense risk management model embraces this new reality. </p><p>“Risk management goes beyond mere defense,” says IIA President and CEO Richard Chambers. “Organizations need effective structures and processes to enable the achievement of objectives and support strong governance and risk management. The updated Three Lines Model addresses the complexities of our modern world.” </p><p> The IIA spearheaded a task force of audit practitioners, risk and compliance executives, stakeholders, and others to identify the relationships between the central and common components of organizations and consider the continued relevancy of the Three Lines concept. “The update reinforces that organizations must determine appropriate, pragmatic structures for themselves, taking into account their objectives and circumstances against a backdrop of an ever-evolving risk landscape,” says task force leader and IIA Global Chair Jenitha John.</p><p> The Three Lines Model is based on six principles: governance, governing body roles, management and first and second line roles, third line roles, third line independence, and creating and protecting value. It presents the accountability of the governing body for oversight, of management to achieve organizational objectives, and of an independent internal audit function for assurance and advice. 
The model notes that although the governing body, management, and internal audit all have distinct responsibilities, “the basis for successful coherence is regular and effective coordination, collaboration, and communication.”</p><p>“For implementation by organizations on both a reactive and proactive basis, these updates help modernize and strengthen application of the model to ensure its sustained usefulness and value,” Chambers says. <strong>— A. Millage</strong></p> <h2>DOJ Issues Compliance Guidance</h2><h3>Prosecutors to consider risk practices for assessing criminal liability.</h3><p>Revised U.S. Department of Justice (DOJ) guidance provides recommendations to help prosecutors assess whether a company’s compliance program was effective at the time of an offense, make informed charging decisions, and determine an appropriate penalty or resolution. Originally issued in 2017, Evaluation of Corporate Compliance Programs advises prosecutors to consider how the organization has defined its risk profile and whether risk assessment consists of ongoing examination. </p><p>Among key areas of review, the DOJ recommends prosecutors gauge the effectiveness of the organization’s risk management process and determine what methodology it uses to “identify, analyze, and address the particular risks it faces.” They should look at the specific information the company collected to detect the type of misconduct in question. </p><p> The guidance also advises evaluating the company’s risk resource allocation, to help understand whether the company spends too much time focusing on low-risk areas. Moreover, prosecutors should examine whether a process exists for updating and revising the risk assessment program. 
They also should consider whether the organization captures lessons learned from either its own compliance-related challenges or those experienced by industry and geographic peers. <strong>— D. Salierno</strong></p><h2>Boards Detail Crisis Concerns</h2><h3>Directors share top governance challenges during the pandemic.</h3><p>Most U.S. board members say creating a post-crisis strategy is the top governance challenge at their organization, according to the National Association of Corporate Directors’ latest COVID-19 Pulse Survey. Almost half of the nearly 300 directors surveyed also identify concerns about their ability to understand new risks arising from the pandemic and to ensure employees’ health and safety.</p><p> Looking ahead, directors say shifts in the nature of work would be a chief concern, as would the technological challenges of moving their businesses forward. More than half say changes in how work is accomplished is one of their top three concerns. And almost one-third cite “accelerating digital transformation” as an ongoing priority. </p><p> As the need for communication with management has increased during the pandemic, board members’ time commitment has risen. Directors say they expect to continue a more frequent meeting cadence after the crisis. “New, responsive best practices are potentially on the horizon with directors engaging more frequently with management and in new ways,” the report says.   </p><p> Participants also note issues their board must address as organizations continue to navigate the crisis. They cite, for example, the need to determine what information stakeholders require to maintain confidence in the business, as well as lessons learned from management’s response to the pandemic. </p><p> Directors also say it’s important to consider whether the organization’s workforce should be redesigned after the crisis, what business development opportunities may have arisen, and what risks those opportunities may present. 
Lastly, they note the importance of considering how boards can promote new leadership capabilities within the executive suite. <strong>— D. Salierno</strong></p><h2>Addressing Social Justice<br></h2><h3>Businesses should be advocates for diversity and inclusion, says Dennis Kennedy, founder and chair of the National Diversity Council.</h3><p> <strong>How can businesses support social justice issues such as Black Lives Matter, and how can internal auditors assist organizations in making changes to support social justice movements? </strong>Companies should advocate for diversity and inclusion for all people and not focus on the risk of being forthright in their stance against racial injustice. They should be inclusive in their messaging and equitable in their business practices, as change starts with leadership and affects how employees view their workplace experiences. Companies should focus on propelling themselves into an inclusive space where all can feel comfortable.</p><p> Internal audit can help companies thrive through these uncertain times by assisting them in making changes to support social justice movements through score cards, diversity and inclusion indexes, integration of equity conversations within their business functions, and using business resource groups to spread awareness. Diversity and inclusion promote growth, creativity, and innovation, and are a source of value for businesses. Recent social protests in the U.S. and around the world have stressed the urgency of creating diverse and inclusive organizations, not just as a matter of economics, but as a means to address systemic racism. </p><p> <strong>What should be expected of businesses in the area of diversity and inclusion?</strong> Businesses should focus on transparency and awareness as it relates to diversity and inclusion, rising to the occasion and taking the lead by investing in efforts to address racial injustice within the community at all levels. 
Business leaders play an essential role in acknowledging the impact of systemic racism in the larger society and how racism permeates systems, processes, and practices within the workplace. Their commitment to addressing this issue and their intention to advocate towards substantive change will be essential to achieving true racial justice.</p><div class="subhead-article"><p> <strong>40% of 500 surveyed companies</strong> delayed revenue-generating initiatives for a month or more to prioritize remote work setup.</p><p> <strong>44% of respondents </strong>say the postponed work included cybersecurity initiatives.</p><p>“This research indicates that with many employees remaining at home for the foreseeable future or even permanently, refining how we grant and manage digital access is more important than ever,” says Sectigo CEO Bill Holtz.</p><p>Source: Sectigo and Wakefield Research, 2020 Work-from-home IT Impact Study</p></div><h2>Backing the Blockchain</h2><h3>Executives seek to grow value of digital assets.</h3><p>Once considered a technology experiment, blockchain and digital asset investments are now a top-five priority for businesses, says Deloitte’s Global Blockchain Survey of nearly 1,500 senior executives. Nearly 40% report their organizations have implemented blockchain into production, up from 23% last year.</p><p>More than half of respondents view blockchain as a strategic priority, with 83% saying it is necessary to maintain a competitive advantage. As such, 82% plan to hire blockchain expertise in the next 12 months. “Like many disruptive technologies, blockchain has evolved from a merely promising and potentially groundbreaking approach to a now integral solution to organizational innovation,” says Linda Pawczuk, principal, Global and U.S. 
Consulting Leader for Blockchain and Digital Assets at Deloitte Consulting LLP.</p><p>One key component in blockchain’s value is digital assets, which nearly 90% of respondents say will be important in the next three years. These assets include cryptocurrencies, financial instruments, tokenized debt or equity, and digital representations of land or commodities. Among their benefits are the ability to trade them easily on secondary markets and their heightened transparency to traders. <strong>— T. McCollum</strong></p>
Staff
Update: Recovery Through Digitization
https://iaonline.theiia.org/2020/Pages/Update-Recovery-Through-Digitization.aspx
<p>A new report from McKinsey & Co. advises businesses to focus on digitization as a means of navigating the coronavirus pandemic. Flexibility and speed will be key as organizational leaders consider how to move ahead, the consulting firm says in The Digital-led Recovery From COVID-19: Five Questions for CEOs, which draws on observed best practices.</p><p>With COVID-19 putting outdated business models to the test, the shift to digital will likely accelerate. Organizations need to take bold action, the report advises, tempered with "a full appreciation of risk from the impact of cyberattacks to the loss of crucial talent." Incremental technological change and half measures are recipes for failure, the report's authors say.</p><p>Making the right technology investments will be crucial moving forward, requiring organizational leaders to work closely with their technology officers to update legacy systems and establish new digital capabilities, McKinsey notes. Technology is a key driver of value — and that includes the use of advanced analytics. </p><p>"Never before has the need for accurate and timely data been greater," the report says. At the same time, CEOs will need to work with their risk leaders to make sure the scramble to harness data follows strict privacy rules and cybersecurity best practice.</p><p>To ensure technology initiatives materialize, CEOs also may need to have a long talk with their chief financial officers. PwC's COVID-19 CFO Pulse Survey shows that more than two-thirds of surveyed finance chiefs say they plan to defer or cancel planned investments in response to the crisis — and of those, more than half say they are eyeing IT initiatives for the chopping block. Another 25% say they are deferring or canceling digital transformation investments. 
</p><p> <strong>— D. Salierno</strong></p><h2>Greater Risk Brings New Scrutiny</h2><h3>Stakeholders may find risk management processes lacking, report finds.</h3><table cellspacing="0" width="100%" class="ms-rteTable-default" style="background-color:#ffffff;"><tbody><tr><td class="ms-rteTable-default" style="width:306.667px;"><p> <strong>Cybercrime's Bottom Line</strong></p><p>A survey of U.S. IT security professionals shows the average total cost of a cyberattack across several categories.</p><p> <strong>$1.5 million</strong> Nation-state</p><p> <strong>$1.2 million</strong> Zero-day</p><p> <strong>$832,500</strong> Phishing</p><p> <strong>$691,500</strong> Spyware</p><p> <strong>$440,750</strong> Ransomware</p><p>Source: Ponemon Institute and Deep Instinct, The Economic Value of Prevention in the Cybersecurity Lifecycle</p></td></tr></tbody></table><p>Today's riskier business environment is pressuring organizations to disclose more about risk management, according to the 2020 State of Risk Oversight. Nearly 60% of the 563 U.S.-based chief financial officers surveyed say risks are growing extensively in volume and complexity, particularly in areas such as talent, innovation, the economy, and brand.</p><p>With greater risk has come heightened attention, notes the report from the American Institute of Certified Public Accountants and North Carolina State University's ERM Initiative. Two-thirds say boards are calling for more management oversight of risk, while 58% say outside parties such as investors are demanding extensive detail about how organizations manage risk.</p><p>Yet, only one-fourth of respondents say their organization's risk management is mature, a decline from previous surveys. Moreover, less than 20% say their risk management process provides strategic value. 
"If functioning effectively, a robust enterprise risk management process should be an important strategic tool for management," the report says. </p><p> <strong>—</strong><strong> </strong><strong>T. McCollum</strong></p><h2>Weighing the Cost of Fraud<br></h2><h3>Fraud defenses work but could face the budget-cutting ax.</h3><p>Organizations already pay a steep price for fraud, but they may be targeted even more if budget-cutting weakens defenses such as internal audit. Occupational fraud costs organizations about 5% of annual revenues, according to the Association of Certified Fraud Examiners' (ACFE's) 2020 Report to the Nations.</p><p>The report analyzed more than 2,500 fraud cases from 125 countries, with losses totaling more than $3.6 billion. Most of these frauds come from four areas: operations (15%), accounting (14%), executive management (12%), and sales (11%).</p><p>In a post previewing the latest report, ACFE President and CEO Bruce Dorris warns organizations not to cut internal audit and compliance amid the economic fallout from the coronavirus. "Cutbacks to departments or initiatives that are integral to a comprehensive anti-fraud program only serve to leave organizations more vulnerable to the growing likelihood of fraud," he says.</p><p>Weakened defenses combined with individuals facing financial pressures could create a "perfect storm" for fraud, Dorris cautions.</p><p>Effective controls, reporting, and training also help fraud fighting considerably, the report notes. One-third of frauds can be attributed to a lack of internal controls, so over the past decade, the use of controls such as hotlines, anti-fraud policies, and fraud training has increased by at least 9%. 
Organizations discover 43% of frauds through tips — half of them from employees — but employees are far more likely to report fraud when they receive fraud-awareness training.</p><p>One new trend the report finds is that individuals accused of fraud are less likely to face criminal charges, with organizations increasingly preferring to handle cases through internal discipline or civil litigation. Four out of five fraud perpetrators were disciplined internally, and 46% of victim organizations say they declined to refer cases to law enforcement because internal punishment was sufficient. </p><p> <strong>— T. McCollum</strong></p><h2>Sourcing in a Crisis</h2><h3>New vendor relationships can create new risks, says Erich Heneke, director of business integrity and continuity at the Mayo Clinic.</h3><table cellspacing="0" width="100%" class="ms-rteTable-default" style="background-color:#ffffff;"><tbody><tr><td class="ms-rteTable-default" style="width:306.667px;"><ul><li><strong>75% of U.S. adults say that companies</strong> have a responsibility to support coronavirus relief.</li><li><strong>71% say they will stop purchasing products</strong> from companies they perceive to be irresponsible during the crisis.</li></ul><p>"Americans are watching which companies are stepping up at this time," says Kate Cusick, chief marketing officer at public relations advisory firm Porter Novelli/Cone. "The decisions businesses make today will define them well after this pandemic has passed."</p><p>Source: Porter Novelli/Cone, COVID-19 Tracker: Insights for a Time of Crisis</p></td></tr></tbody></table><p> <strong>COVID-19 has businesses looking at the viability of their vendors. How can businesses shift quickly to new vendors? 
</strong>The pandemic has not only exposed traditional vendor risks with respect to supply chain disruption, but it has unlocked a new set of brokered vendors that enter new risk into the market. In health care, products have become unavailable due to supply and demand issues through traditional channels, and, thus, we are seeking products in alternative markets. When sourcing alternate channels, we have seen an influx of counterfeit products as well as brokers requiring a pre-payment and then vanishing with the hospital's money, which suggests that new tools will be necessary to quickly vet new vendor relationships.</p><p>Internal audit should let business areas do what they do best, while providing higher and wider level views into enterprise risks. Auditors also should be available as consultants to help mitigate risks as they emerge in vendor markets, whether that's by helping to design a third-party risk management program or aid in strategic sourcing needs. Auditors can offer an independent set of eyes on a process that is largely unfamiliar to a health-care supply chain.<br></p><h2>Brown Factors May Affect Credit<br></h2><h3>Harmful activities may become targets of disincentives.<br></h3><p>Organizations are familiar with "green" activities, but the environmentally harmful "brown" activities may have greater credit implications, according to Fitch Ratings' inaugural ESG Credit Quarterly report.</p><p>As defined by The European Commission's (EC's) final report on the European Union taxonomy for sustainable activities, green activities contribute substantially to environmental objectives. Since the report's publication in March, there have been calls for the commission to develop a taxonomy listing environmentally harmful (brown) activities.</p><p>The technical expert group assisting the EC with the sustainability taxonomy states that activities not defined as <em>green</em> should not automatically be considered <em>brown</em>. 
The Fitch report points out that consensus on a brown taxonomy will be difficult. However, it could impact credit by defining targets for disincentive policies such as higher prudential capital requirements.</p><p>A brown taxonomy "could inform how asset managers and banks screen for other fossil fuels or environmentally harmful activities in the future," Fitch notes. Additionally, it could lead to greater standardization in how investors and banks screen sectors deemed harmful. <strong>— S. Steffee</strong></p>
Staff
Assessing Risk in a Post-pandemic World
https://iaonline.theiia.org/2020/Pages/Assessing-Risk-in-a-Post-pandemic-World.aspx
<p>As the coronavirus (COVID-19) pandemic has changed the world, internal audit functions have needed to face that world differently. Before the outbreak, internal auditors worked in similar ways, following the same code of conduct, adhering to the same standards, and using many of the same tools. Now, auditors have another thing in common: the need to adapt to frequently changing risk conditions.</p><p>COVID-19 has fundamentally changed the risk profiles of many organizations. As internal audit ramps up to a "new normal," it must recalibrate its audit plan from a dramatically different risk perspective. </p><h2>An Audit Plan in Peril</h2><p>Let's examine the timeline of events. Many internal audit functions started their risk assessment and audit planning process in late 2019. By early 2020, departments in most of the world had formed at least a skeleton of their audit plan, and some had communicated their formal plans to the audit committee and senior management. Some audit functions began executing engagements in early 2020. </p><p>That all changed in March, when the coronavirus began to race swiftly around the world and businesses experienced the first effects of social-distancing measures. Operationally, many organizations altered their business practices. From a compliance perspective, some regulatory requirements were suspended or relaxed for entire industries during the outbreak. </p><p>As these response measures quickly escalated, many audit functions drastically altered their audit plans. Businesses experienced so much disruption that it was nearly impossible to execute some audit engagements, or there simply was no value in doing so. 
Most respondents to an April 2020 IIA Quick Poll say they discontinued or reduced scope for some audit engagements, and nearly half canceled some engagements in response to COVID-19. </p><p>Four in 10 respondents indicate they redirected audit staff to nonaudit work. For some audit functions, temporary staff furloughs or budget reductions ended audit work or reduced staff activity to administrative duties.<br></p><h2>Post-pandemic Planning</h2><p>The audit plan that existed before the pandemic is based on an old risk paradigm. In a post-pandemic world, chief audit executives (CAEs) must think differently about their organizations' risks and how to redeploy audit resources. Here are some questions CAEs should ask in rethinking their audit plans.<br></p><p><strong>What does the organization's new normal look like?</strong> Even businesses that were least impacted by COVID-19 will have systemic changes in their risk environment (see "Questions for CAEs" at the end of this article). There may be major fallout to institutions and systems that organizations rely on, and regulators, financial institutions, and supply chains may experience disruptions well past the point when stay-at-home orders are relaxed. Some may no longer exist.<br></p><p><strong>Is my risk assessment process agile enough?</strong> This question will be critical as CAEs begin prioritizing how to redeploy resources to address elevated risk in legacy risk areas as well as in new, uncharted territory. Risk assessments need to be agile because risk dynamics may change frequently in the near term. CAEs should evaluate and streamline legacy risk assessment processes.<br></p><p><strong>Does my team still possess the skills to execute the risk assessment and audit plan?</strong> In the post-pandemic world, risk profiles probably will change — in some organizations, dramatically. 
CAEs need to evaluate the talent in their teams and internal audit's ability to identify risks and execute engagements that focus on new types of risk. They need to address questions such as:</p><ul><li>How has internal audit's staffing changed? </li><li>Are staffing levels different, and have there been any changes in talent? </li><li><p>Are there new talent needs as a result of changes to the organization's risk profile?</p></li></ul><p><strong>Does my team still have an objective mindset?</strong> Unprecedented times call for unprecedented measures, and during the COVID-19 emergency, many internal auditors have been called to duty in ways they never imagined. If auditors were engaged in nonaudit activities within the business or performing activities that normally would be incompatible with professional standards, CAEs should evaluate staff objectivity.</p><h2>A New World of Risk</h2><p>The world is different now, with different risks. Internal audit functions must recalibrate how they view the inherent risks their organizations face as the recovery period begins. </p><p>Although pivoting from the old world to a new one is not a new phenomenon, the magnitude of COVID-19 impacts is more global and more severe than anything most auditors have experienced. Internal audit's ability to respond is vital not only to how its business recovers, but also how audit realigns with its stakeholders' needs.  <br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><strong>Questions for CAEs</strong><br><br><p>To assess their situation during the COVID-19 crisis, CAEs should ask:</p><ul><li>What does organizational staffing look like now? Have there been reductions or reorganizations?</li><li>Have key stakeholders changed? What new audit clients should I anticipate?</li><li>Have workforce reductions or reorganizations impacted how internal controls are executed? 
Are there new segregation of duties concerns or controls that no longer have control owners?</li><li>What processes have been temporarily or permanently changed?</li><li>What systems were temporarily modified or permanently changed? Were appropriate IT general controls followed for these changes, and, if not, what are the implications? </li><li>What controls were modified to accommodate unique business situations or risks?</li><li>Have there been any key personnel changes such as loss of unique subject-matter expertise or loss of key leaders in strategic areas?</li><li>Has the organization's strategic focus changed in the near or long term?</li><li>How have cost structures changed?</li><li>Have there been fundamental changes in the organization's debt and capital structures? Are there new or different debt covenants?</li><li>What new legal or compliance challenges is the organization facing (lawsuit exposures, changes to compliance infrastructure)?</li><li>Have new business opportunities emerged and have corresponding risks been identified?</li><li>Have the fundamentals of business-unit operations or strategies changed?</li><li>How have business continuity dynamics changed (key infrastructure changes, key customer changes)?</li><li>How have enterprise risk management dynamics changed (key risks, key risk indicators, response plans, and risk appetite)?</li><li>How have U.S. Sarbanes-Oxley Act of 2002 dynamics changed, including changes with external auditors, regulatory dynamics, and control owners?</li></ul></td></tr></tbody></table>
Rick Wright
Navigating the Crisis
https://iaonline.theiia.org/2020/Pages/Navigating-the-Crisis.aspx
<p>It may take years to calculate the full human cost of the coronavirus pandemic, but the pain is visible for all to see today. The U.S. has been hard hit. At the time of writing, there were more than 1.5 million confirmed U.S. cases of COVID-19 and more than 90,000 fatalities. Approximately 23 million people, representing nearly 15% of U.S. workers, had filed for unemployment benefits. Some parts of the country have ground to a standstill — a trend that has followed the progress of the virus around the globe.</p><p>Congress has thrown roughly $3 trillion at the problem with help for businesses and hard-hit citizens. Other countries have implemented similar fiscal initiatives. But despite these essential measures, economists are divided on how fast economies will recover — not least because the virus has a habit of bouncing back once lockdown measures are relaxed. Parts of Japan reopened in mid-March, but are into their second period of restrictions. In Europe, Italy paved the way for four million people to return to work in early May: Manufacturers opened first, and now bars and hairdressers are emerging from two months of lockdown. Spain is in the early stages of its four-phase reopening, which regional authorities are implementing at different speeds. Many sectors remain closed across Europe, and the impact of lockdown grows by the day.</p><p>"This is much stronger in magnitude than the global financial crisis," International Monetary Fund chief economist Gita Gopinath has said. She told <em>The Wall Street Journal</em> in a video interview in April that economies will not pick up until the third or fourth quarters of 2020, but that will depend on whether countries can successfully emerge from lockdowns and stay that way. </p><p>The decisions organizations make now will help determine their survival in the short term. 
And for those that do survive, those steps will also lay the initial groundwork for recovery. Internal auditors can help organizations navigate the immediate risks, while keeping an eye farther on the horizon. They also can strengthen relationships with stakeholders and reinforce internal audit's value along the way.</p><h2>Sharp Curve Ahead<br></h2><p>The pandemic has already brought with it operating conditions that are potentially dangerous for both businesses and people. For example, as soon as Qatar put in place mitigation measures to protect citizens and residents against the coronavirus, businesses went into value-protection mode, according to Moses Chavi, chief audit executive (CAE) at a privately owned company in the region.</p><p>In particular, he says that two key themes have emerged for internal auditors and management — ones that are likely to persist during the forthcoming global recession this year: working capital management and talent management. The successful handling of these areas will play a crucial role in the eventual upturn. </p><p>"Any company that has only a suboptimal focus on working capital could see their businesses restricted to sustain fixed costs, including employees' salaries and the rent on operational sites," Chavi says. "And with much needed liquidity during the next three to six months, you will still have to catch up despite the fact the world will be entering an inevitable recession." </p><p>Similar to economic stimulus plans seen around the globe, locally Qatar's government has played a huge role to cushion economic activities and stimulate productivity through numerous incentives. Those include providing affordable financing and operational cost waivers, such as rentals, payroll support, and deferred loan repayments.</p><p>Chavi says he wonders whether businesses optimize costs without affecting their critical components, such as human resources. 
Finding creative ways of keeping people — such as constructive sabbaticals or by allowing more flexible working arrangements, whatever fits the ethos of the company — could be more expensive in the short term. At the same time, it could pay longer term dividends. </p><p>Since the crisis struck, Chavi and his internal audit team have been working flat out on adaptable working shifts fueled by coffee and adrenaline. His first moves were to start collaborating with the audit committee and asking questions among corporate department heads and the financial and business leaders in critical areas of the company.</p><p>"We asked them what plans they had in all of the critical areas we had identified," he says. "Apart from doing a fresh risk assessment and pointing out things that they could not actually see, I'm trying to facilitate a stronger relationship between internal audit and the front-line entities."</p><h2>Relationship Building</h2><p>Chavi has become very active in committees — he was appointed to his company's crisis communication committee, partly to keep abreast of what was happening, but also to advise on how messages needed to be conveyed throughout the organization and beyond. "Internal audit has aggressively created relationships with other control teams across the entire business to make sure there is a common message going around about our monitoring initiatives," he says.</p><p>With social distancing policies in place, internal audit has changed its working routines. The team has used video to meet with managers and to carry out checks in such areas as sanitary controls, and employee and visitor screening, for instance. 
Chavi also has advocated for managers to make tough and timely decisions on, for example, which parts of their portfolios can be restructured, which need to be boosted, and where new lines need to be introduced to diversify and meet changing consumer behavior.</p><p>"Executives need to make sure they are aggressive in taking decisions," he says. "That also applies to business continuity plans, which may be irrelevant or outdated in the current situation and need radical overhauling." Chavi says he believes it is crucial to be "brutal with the truth" at audit committee meetings and at relevant executive management meetings.</p><p>But there have been some encouraging developments too. The organization's digital transformation has been enhanced by COVID-19, with some companies in the group moving rapidly into social media marketing, e-commerce, home deliveries, and adopting hand-held mobile and online payment. It is a move that he says has boosted customer experience. "Internal audit has had a keen interest in these processes, and we are making sure that we deal with the risks as they come along."</p><p>Chavi says that because his internal audit team has been able to hold management's hand through the crisis so far, and has refrained from judging in favor of providing practical solutions or constructive challenge, it will be well-positioned to continue helping in both an assurance and advisory capacity in crucial areas such as working capital management, talent retention, stakeholder relationships, cybersecurity, and data integrity. </p><p>"Internal audit needs to be visible and participate. You can't influence anybody without actually befriending them, without being close, without understanding and sharing their pain and troubles," Chavi says. 
"Applying your emotional intelligence is key to being able to influence the agenda and trajectory of risk management going forward so the business can survive and prosper in the future."</p><h2>Further Down the Road</h2><p>The medium-term effects of the pandemic are going to introduce new uncertainties that could make recovery difficult, according to Alexander Larsen, president of Baldwin Global Risk Services, a risk consultancy with offices in the U.K. and North America. Businesses will need to assess and deal with altered social habits, customer expectations, new ways of working, and, in some sectors, unanticipated policy and regulatory changes, if they are to navigate these times successfully.</p><p>"Immediately after COVID-19, people are going to be thinking about the crisis and what they need to do to prepare for another pandemic — or whether they are prepared in the event that they lose their job due to the recession that will follow," he says. "They may be wondering why their homes are full of things that were absolutely useless in times of crisis, and that could affect their spending habits over the next couple of years." </p><p>Fear could also play a part in consumer behavior, Larsen says. Recent surveys suggest that when countries open up for business again, for instance, a large proportion of people will be scared of visiting crowded places. Three out of four people say they would now not attend trade shows or conferences in the future, according to a recent IBM survey. Some businesses may need to transform their operations into social-distancing friendly models where possible, Larsen adds.</p><p>In addition, many employees have learned that they can work from home effectively; some may prefer to continue doing so. Businesses that have been reluctant to be flexible may be forced into changing their policies to retain talent. 
Moreover, companies should not expect the business landscape to remain static as governments across the globe could take different views on tightening or slackening regulation from supply chains to financial contingencies. Political risk is also likely to increase. </p><p>"When I worked in Iraq during the construction of the world's largest undeveloped oil fields, the government often and unexpectedly instructed our company to stop buying products from certain countries, despite the strategic and financial significance of the project," Larsen says. "These were political decisions, often with valid reasons, and in the aftermath of COVID-19 it will be a more political world where such government sanctions could become more frequent."</p><p>Larsen says good risk management will be critical for survival and that internal audit has a key role to play in making that happen. Organizations will need a thorough understanding of their corporate and departmental risks, with a key focus on critical objectives, he says. They'll also need to examine where survival-level risks, or market-changing opportunities, are identified and linked to key risk indicators — essentially an early warning system for when things start to go wrong or relevant opportunities arise. Scenario planning, risk workshops, and horizon scanning exercises that focus on strategic risks and organizational strategies over the next three to five years must be in place.</p><h2>Risk Tolerance </h2><p>"Most organizations that are in a position of worrying about survival should forget about trying to set a risk appetite," Larsen adds. "They are having to take those risks anyway. The question is rather what levels of risk we can tolerate before the viability of the organization is threatened."</p><p>Key risk indicators should be introduced and linked to these risk tolerance levels — rather than appetite, Larsen says. That way, the business is put on alert when things start getting rocky. 
</p><p> But internal audit's support of risk management efforts is key. CAEs should use their influence at the board level to ensure the risk function is not tied down by processes and bureaucracy — risk management has to be dynamic. Internal audit also should provide assurance on whether management is implementing risk management's program. "Essentially, internal audit should be the risk function's ally by including risk management as part of their audits," Larsen says. "That will enable it to ensure that threats and opportunities are being identified across the organization and to ensure that they are being properly measured and controlled according to the risk procedures set by the risk management function."</p><h2>Maximum Speed<br></h2><p>Louis Cooper, chief executive of the Non-Executive Directors' Association, a board training and education, advisory, and support body based in London, agrees with Larsen that some businesses need to reappraise their approach to risk management. He has seen organizations begin to add a velocity factor to their risk matrices that traditionally only measure the impact and likelihood of risk: a dimension that he says needs to be incorporated into scenario planning, as it provides a speed of change component to the assessment of individual risks.</p><p>In addition, others are moving away from the traditional enterprise risk management view and toward looking at risk in the extended enterprise. This approach takes further into account that many organizations increasingly rely on strategic partners, outsourced arrangements, and other third parties to take their products and services to market. 
Cooper agrees that internal audit should be undertaking more informed reviews of management activities and processes rather than doing test checks on individual business processes and transactions — following The IIA's long-held perspectives on risk-based auditing.</p><p>Cooper is concerned that an extended lockdown, or repeated ones, could mean that the accuracy of reporting and the information the board receives is compromised. Giving assurance in those areas could be equally affected. Without sending people out on location, internal auditors could be prevented from doing essential checks. In the U.K., the Financial Reporting Council's COVID-19 Bulletin March 2020 offers guidance to external auditors on such issues, which could be equally applicable to some internal audit assignments.</p><h2>A Test of Governance</h2><p>Cooper also says that boards have been questioning whether their governance frameworks have been able to cope with fast-changing circumstances and whether they will enable their companies to be agile enough in the coming months and years. Some organizations, for example, have done a poor job of targeting their corporate communications and key business relationships — a clear indication that stakeholder groups and contacts are inadequately mapped and understood. And some have fallen short in demonstrating whether executive leadership has had the right mandate to deal with unfolding problems. Other organizations have been unable to flex their business models — the way some fashion design enterprises were able to switch quickly from making clothes to making protective garments for health workers, for instance — and some have had difficulty with adapting to the culture shock of continuous remote working.</p><p>"I'm not sure that governance frameworks have been tested in this way before, including in fundamental areas such as business continuity planning," Cooper says. 
"People are very good at documenting things and putting them in the drawer without going through scenarios and checking that, if something were to happen, what the chain of command is and how it works in practice."</p><p>If internal audit has not been involved in those areas historically, boards will need them to take that role now, he says. They also will be looking for the function to assess how well the business has performed, identify gaps, and collate and disseminate the lessons learned to the board and management.</p><h2>Working Smart</h2><p>As well as participating on management committees dealing with business recovery, internal auditors need to work in a smarter, more focused way, says Esi Akinosho, EY Global Advisory Internal Audit leader. That includes following their businesses' lead in forcing rapid digital transformation.</p><p>"Internal audit has an opportunity to provide real-time risk advice as businesses establish new processes in the 'new normal,'" she says. "Teams can use predictive analytics to help identify emerging vulnerabilities and opportunities — this will give more timely value-add to management than traditional audit procedures."</p><p>She advises audit departments to focus on business-critical risks, especially cost recovery — such as working capital, cash management, vendor spending, and capital expenditure. Internal audit analytics can be applied to identify any cash recovery opportunities. That initiative also should extend to optimizing cost efficiency in the audit department itself. </p><p>"Internal audit should make its own contribution to the organization's cost diligence by optimizing the function's costs," she says. "Teams should take advantage of the technology momentum created by remote working to gain efficiencies across the internal audit life cycle. 
For example, digitize any procedures where possible and consider remote possibilities before spending on travel."</p><p>Where the internal audit function is less developed, or has issues with how its brand is perceived, it is time to act. "Organizations must start looking for opportunities to build the function's brand," she says. "For example, redeploy some resources to directly support business crisis management teams — this has the added benefit of building relationships and business knowledge simultaneously."</p><h2>Alternate Routes<br></h2><p>Similarly, CAEs could build a more flexible resource structure in which, for instance, specialists are brought into the function for limited periods to provide additional expertise — either from within the business or from third-party providers.</p><p>"Internal audit has a great opportunity to help organizations transition out of the downturn by using the current disruption to accelerate transformation," Akinosho says. "Internal audit, as a profession, needs digitalization, a flexible people model, new skills, and a more dynamic approach that is more efficient and geared to giving timely insights on strategic risks."</p><p>Many businesses are going to have a life and death struggle with the effects of the coronavirus outbreak. Some will not make it. Those that do have their work cut out in streamlining portfolios and business processes; strengthening governance, risk management, and internal audit functions; and fast-tracking moves to make their enterprises digital — as well as keeping abreast of events and trends in the economy and among customers. Internal auditors have a key role to play in helping ensure their organizations make it along the road to recovery. If there was ever a time to demonstrate the true value of internal audit, it is today. <br></p>
Arthur Piper
A Rational Mindset
https://iaonline.theiia.org/2020/Pages/A-Rational-Mindset.aspx
<p>Remember the scene from <em>Raiders of the Lost Ark</em> where Indiana Jones enters the Well of the Souls, which happens to be a snake-infested pit? After throwing a torch into the pit to reveal his plight, he exclaims, "Snakes … why did it have to be snakes?"</p><p>Granted, this scene is plotted to presume the snakes are venomous, so Indiana's fear is rational. But his initial reaction reveals his bias about snakes in general — the same way some people are irrationally averse to risk. </p><p>Internal auditors have a professional duty to remain objective as they perform their work. This unbiased mindset must extend to remaining rational when it comes to communicating with audit clients about risk.</p><h2>Why Did It Have to Be Risk?</h2><p>Snakes are vilified as animals that hide in dark places, stealthily seeking out prey and striking when they least expect it. An objective study of snakes reveals a much more accurate view of these complex creatures. Not all snakes are aggressive, nor are they all venomous or massive constrictors capable of inflicting great harm to people, as we often see in movies or hear about in the news. </p><p>In fact, snakes can be beneficial. Take the black rat snake, which is effective at controlling harmful rodent populations. One black rat snake can eat 100 mice per acre in a year. What farmer wouldn't readily adopt at least a couple of these hunters to offset the negative impact mice have on property and equipment, not to mention the potential spread of disease?<br></p><p>People sometimes perceive risk with the same irrational viewpoint. Too often, when discussing risk and risk management philosophy with business professionals in the course of internal audit work, the conversation gravitates toward an unbalanced, negative attitude about risk. 
</p><p>One time, my audit team was conducting an audit workshop with a group of business managers. The team was explaining how our audit activities were risk-based so that we focused on things that matter most to their functions' success. The supervisor for this group of managers interrupted our discussion to admonish the group that they needed to be focused on risk to eliminate it from the company. While it was an innocent exclamation the supervisor truly believed, it was an unfortunate and unplanned distraction from our discussion that the audit team had to clarify with the workshop participants. </p><p>The interruption turned out to be a blessing in disguise. It enabled the internal audit team to lead a healthy discussion about the opportunities that also accompany risk, while explaining that eliminating risk was not realistic nor necessarily a desirable goal.</p><h2>Shifting the Risk Mindset</h2><p>With all the focus organizations have devoted to enterprise risk management and updated risk management frameworks, they still get trapped in a vortex where risk is seen in a lopsidedly negative light. Internal audit should thoughtfully redirect this line of thinking when such an uninformed view of risk and risk management is expressed. </p><p>The snake analogy is a good proxy for reframing the risk discussion. The word <em>risk</em> often is misunderstood. Like snakes, risk can do serious harm, so people instinctively project harm to all risk. But is this rational? </p><p>In finance, <em>risk</em> frequently is paired with the word <em>reward</em> to describe offsetting outcomes related to a decision. While taking any given risk may result in a bad outcome, there also is the prospect of a good outcome. No risk, no reward, as the saying goes. This is a more rational view of risk. </p><p>Internal auditors can help organizations balance attitudes about risk by talking and acting rationally about risk. 
For instance, they shouldn't use risk exclusively as a "four-letter word" in discussions with other business professionals. Risk mitigation is only one potential risk response alternative. When approaching risk assessments or new audit engagements, internal auditors should talk about how informed risk-taking is essential to the organization's growth prospects. </p><p>Internal auditors should counsel clients that risk acceptance is sometimes the best risk response. This can be the case when other risk response alternatives are costly or when the risk is relatively mild. Accepting a risk while continuing to monitor it for changes that may justify a different response is a rational reaction. </p><p>In other instances, it is appropriate to exploit risk for its opportunity. In times of crisis or disruption, offsetting opportunities can present themselves in the face of emerging risks. In these instances, risk opportunities can serve as a hedge against simultaneous negative risk outcomes. When internal auditors set a good example, clients and other stakeholders are more likely to respond to risk with a more rational mindset.</p><h2>Thinking Differently About Risk</h2><p>Let's think about snakes and risk a little differently. A more neutral word to use for snake is reptile. Some reptiles can cause harm to people in certain circumstances such as swimming in a lake known to have large alligators or walking through terrain known for rattlesnakes. In other situations, such as rodent control, reptiles are benign or helpful. </p><p>Likewise, a less polarizing term for risk is uncertainty — specifically, about some outcome. Risk is neither bad nor good; it's just uncertainty. When auditors use the word <em>uncertainty</em> when discussing risk, they can have a more objective, and less polarized, discussion and avoid the biased, negative connotation. This allows auditors to unlock the real value of an intellectual discussion about risk — refocusing attention on decision-making. 
</p><p>Uncertainty hinders decision-making. The more uncertainty that exists about a pending decision, the more difficult it is to make a decision that will result in a favorable outcome. The better decision-makers can understand the uncertainty they are faced with in a decision, the more likely they should be able to optimize the outcome they are seeking from any given decision. </p><p>The coronavirus pandemic comes to mind. In the present, fear of the unknown is dominating the response conversation. This is a crisis that has not been experienced in most of the modern world, and government leaders are struggling to craft effective responses because of the uncertainty that exists. </p><p>In time, this threat will subside. The world is currently experiencing negative outcomes; however, positive outcomes could emerge, such as a more resilient health-care system to deal with similar threats in the future.</p><h2>Risk Doesn't Have to Be Scary</h2><p>When risk is obscure and lurking in the darkness, it seems more like a rattlesnake waiting to strike against an unsuspecting victim. But when risk is visible, understood, and appreciated for its potential benefit, organizations can exploit it for a beneficial outcome or control it to minimize a negative outcome. With this shift in mindset, risk becomes less of a scary monster and more of a device that uses rational decision-making to optimize risk outcomes. <br></p>
Rick Wright
Testing the Boundaries
https://iaonline.theiia.org/2020/Pages/Testing-the-Boundaries.aspx
<p>The outbreak of COVID-19 has forced regulators in the U.S. and around the world to focus on the immediate impacts that the pandemic is having on companies, markets, and consumers. And while some watchdogs have said they may relax some rules or reduce scrutiny to help businesses operate more smoothly, experts warn it does not mean companies should loosen their internal controls. Nor should they take advantage of the situation by engaging in questionable, or even illegal, practices in the hope that authorities have less appetite — or means — to investigate and enforce the rules. As companies face temptation and risk noncompliance, internal audit has a strong role to play in helping them adhere to the rules.<br></p><h2>Business as Usual</h2><p>"Companies are still liable for compliance failures," says Hermès Marangos, partner at U.K. law firm Signature Law. "The virus emergency does not postpone or modify the law — there are no exemptions unless so provided by the legislation itself. Despite this, there are already individuals and entities trying to profiteer, behave unethically and contrary to laws and regulations in many instances," he says.<br></p><p>One area of corporate activity that has seen a relaxation of some rules is competition law. To enable the supply of key medicines, health-care equipment, foodstuffs, and other urgent goods, anti-trust regulators have allowed competitors to work together — albeit in very specific and limited circumstances. In some regions, such as Europe, companies can even apply for "comfort letters" to gain increased assurance from the regulator as to what practices may be allowable under these exceptional circumstances, and for how long.  
But lawyers warn companies against thinking that such arrangements are the "new normal," or that a relaxation of the rules in one area means that closer cooperation in other areas of business has been tacitly allowed.<br></p><p>Some companies also risk misinterpreting signals from regulatory agencies that enforcement may be pared down. They may assume that watchdogs will focus their resources on tackling companies committing the worst abuses or causing harm to the biggest number of consumers, rather than target organizations generally that have failed to comply. For example, in Europe — which has probably the toughest and most punitive data protection laws in the world under the General Data Protection Regulation — several data protection authorities have said they will naturally be drawn to investigating the "worst offenders."<br></p><p>But lawyers point out that this does not mean companies have been given any special dispensation not to follow the rules as normal. It simply means that the regulators have prioritized their resources.   <br></p><p>"As regards data privacy and enforcement, it is business as usual," says Sarah Pearce, privacy and cybersecurity partner at international law firm Paul Hastings. "No dispensations are being made under current circumstances. Most data regulators have said data protection principles still apply and should be adhered to, so businesses should certainly not view COVID-19 as an excuse for noncompliance."<br></p><p>Companies risk noncompliance by misinterpreting any sign of rules easing — or they may even assume a relaxation simply due to the pandemic. "While there may be some delayed reaction in terms of enforcement by certain regulators due to limited resources during this time, that is not to say there won't be enforcement later down the line," Pearce says. <br></p><h2>Penalties Still Apply</h2><p>Experts also warn against assuming that penalties will be reduced because firms are under financial pressure. 
Michael Ruck, partner at U.K. law firm TLT, says that although regulators are redeploying their resources during the response to coronavirus, resulting in a reduction in the number or progress of investigations, the top-level amount of fines or penalties imposed will not be relaxed. <br></p><p>"In periods where it is difficult to trade or where profit is hard to come by, there are inevitably instances of a small number of corporates or individuals being increasingly willing to stretch the interpretation of regulatory requirements — sometimes beyond their breaking point," Ruck says. "A perceived relaxation of regulatory intervention may encourage such behavior, but those that are tempted should beware."<br></p><p>While regulators may have discretion to reduce penalties in circumstances where incidents of accidental or low-level noncompliance occur, experts still warn that it will always be the authority that calls the shots.<br></p><p>"Regulators understand that the crisis is putting pressure on firms meeting their day-to-day obligations and are likely to be reasonable with firms that are making a reasonable effort to comply with regulations in trying times," says Ian Thomas, regulatory solutions specialist at Quorsus, a financial services consulting firm. "That said, the keywords here are 'reasonable' and 'comply.' Cash crisis or not, the regulators are unlikely to hesitate to issue fines for serious breaches or offences — for example, those financial services firms that put client money at risk." <br></p><h2>An Essential Resource</h2><p>Due to fears that organizations might choose to sail close to the wind if they feel that regulators might allow it, several experts believe that internal audit has a strong role to play in ensuring their organizations follow the usual strict codes of compliance.  
<br></p><p>Camilla Winlo, director at international data protection and privacy consultancy DQM GRC, says that "it's good to see regulators taking a pragmatic view of enforcement." But she warns that organizations still need to be mindful of the need for regulatory compliance. <br></p><p>"Internal audit functions need to be particularly aware of the need to carry out risk assessments and policy and process gap analyses to identify where risks have been introduced and ensure that their organizations come back within their risk appetites as quickly as possible," she says.<br></p><p>Nicola Howell, senior compliance and privacy attorney at commercial data and analytics firm Dun & Bradstreet, agrees that there should be no "let up" in following the rules. "Internal audit teams should not be complacent about enforcement and should proceed with upholding the policies their organizations had in place before COVID-19 took hold," she says. "While justifiable allowances may be made, any significant departure from legal requirements or previous company policy could significantly backfire on a business."<br></p>
Neil Hodge
Responding to the Crisis
https://iaonline.theiia.org/2020/Pages/Responding-to-the-Crisis.aspx
<p>While many organizations were monitoring the spread of COVID-19 from China to the U.S., executive leadership at The IIA was already taking action. They were meeting regularly to discuss several upcoming events scheduled in March within a span of three weeks, including the General Audit Management (GAM) conference in Las Vegas, Global Assembly in London, and Leadership Academy in Orlando. </p><p>"We started monitoring COVID-19 early on because of our certifications business in China," said Bill Michalisin, The IIA's chief operating officer. "Our testing centers there started shutting down in early February, so we took note and began mobilizing to explore alternatives." With attendees from more than 50 countries planning to attend GAM, IIA leadership had to take a closer look at the safety of IIA staff and attendees. </p><p>Once cases of COVID-19 emerged in Washington State and California, events unfolded quickly and the decision was made to turn the in-person GAM conference into a virtual event, livestreamed from the conference hotel. But even as IIA staff arrived in Las Vegas, they were notified that the hotel was closing down due to the pandemic, and the three-day event would now be a one-day event. </p><p>"When times get tough, that's when your people rise to their best," Michalisin shared. "We focused on delivering the program and getting our staff and members back home safely." IIA staff did not return to the office, however, as IIA President and CEO Richard Chambers had shut down Headquarters and instructed employees to work from home.</p><p>As this was happening, Chief Risk Officer Greg Jaynes was conducting a risk assessment to ensure employees had the resources to work from home. "We had to develop guidance for people who had never used the VPN to log in to the office," he explained. 
"People were taking on roles that they never had before to get people up and running."</p><p>As decisions were being made, Lynn Moehl, The Institute's chief audit executive, was taking on a monitoring and advisory role and looking across the organization to make sure it was a cross-functional effort. In the highly charged situation, she told webinar attendees, she had to ask, "Are we making decisions based on the best set of information we have? How do we communicate about GAM, issue refunds, and switch people from in-person to virtual attendees?" </p><h2>Driving Change</h2><p>An event like COVID-19 can be a significant change driver for organizations. According to Michalisin, The IIA has taken a step back to look at what its members need and want and asked, "How can we help them survive and thrive?" The IIA immediately began developing daily news items in the <a href="/2020/Pages/COVID-19-Newswire.aspx"><span style="text-decoration:underline;">COVID-19 Newswire</span></a>, pulling together content related to the pandemic in the <a href="https://na.theiia.org/Pages/Updates.aspx"><span style="text-decoration:underline;">COVID-19 Resource Exchange</span></a>, and looking at how to evolve training and certifications so members can still access the resources they need virtually to help them navigate the crisis now and be better positioned to help their organizations do the same in the long term. The Audit Executive Center began hosting roundtable discussions so CAEs could connect on issues and The IIA could share what CAEs are doing in their organizations with the broader membership.  </p><p>"I think it's going to change the way we do business going forward," Jaynes said. "Whether it's flexibility, taking on different roles, reprioritizing goals for the year or deferring some, it's forced us to look at our operations differently." 
</p><p>This scenario has allowed The IIA to think differently about how it operates and apply a more entrepreneurial spirit while identifying opportunity to better serve our members and the profession, Michalisin told attendees.</p><h2>Staying Connected With Members<br></h2><p>Members are at the core of The IIA's business so The Institute continues to reach out to CAEs and members to help them navigate the crisis, Michalisin said. Internal auditors still have to maintain their primary roles within their organizations and now they're trying to figure out how to do that in the shadow of a global pandemic. They're looking for guidance on how to complete a virtual quality assessment, or continue their professional development, or revamp a risk assessment, and The IIA is trying to meet all those needs, he explained. </p><p>"We've continued to have great engagement with our members and we're learning as they're learning," Michalisin shared.</p><h2>Opportunity for the Profession</h2><p>COVID-19 has provided a huge opportunity for internal audit to step up, and stakeholders may be taking note of that for the first time. As Jaynes said, "Internal auditors have been exposed to all the nuts and bolts of a business. Who else can bring that perspective and information to the table very quickly?"</p><p>Moehl added that it has highlighted the need for internal auditors to be viewed as a critical resource. "It's an opportunity for your function to demonstrate the value it can bring the organization — being agile and getting things done in a different way." As the crisis began to develop, Moehl put aside her audit plan and asked where she could be of help.</p><h2>Front-line Advice</h2><p>This pandemic won't be the last, but it has taught organizations that they can never be fully prepared, said Michalisin. Testing business continuity plans, learning to be flexible, and not losing sight of emerging risks can at least give them a head start. 
</p><p>"Learn from what you're dealing with every single day and commit to the fact that whatever the new normal will be will move your organization forward," Michalisin advised. "If we go back to where we were before COVID-19, then we haven't applied that learning." Part of that is staying focused on your people and communication.</p><p>"As an internal auditor, continue building relationships and your brand within the company," Moehl said. "Relationships with all levels of staff are key to being plugged into risk." <br></p><p>And integrating risks into decision-making, planning, and forecasting, said Jaynes, is where we all can do a better job.<br></p><p>View the full webinar: <a href="https://www.workiva.com/resources/roundtable-iia-executives-business-continuity-speed-covid-19-risk">Roundtable With IIA Executives — Business Continuity at the Speed of COVID-19 Risk</a>.<br></p>
Shannon Steffee
