Audit Salary

There is a common joke among physicists that fusion energy is 30 years away … and always will be. You could say something similar about artificial intelligence (AI) and robots taking all our jobs. The risks of AI and robotics have been expressed vividly in science fiction by the likes of Isaac Asimov as far back as 1942 and in news articles and industry reports pretty much every year since. “The machines are coming to take your jobs!” they proclaim. And yet, all of us here at Audit International still head to the office or log in from home each weekday morning.

The reality is less striking but potentially just as worrying. Most people expect that one day some sort of machine will be built that will instantly know how to do a certain job—including internal auditing—and then those jobs will be gone forever. More likely, is that AI and smart systems start to permeate into everyday tasks that we perform at work and become critical parts of the business processes our units and companies conduct. (Indeed, many professions and industries have already been greatly disrupted by AI and robotics.)

Technology companies have been so successful over the last 30 years because of the common mantra of “move fast and break things.” And that was maybe just about acceptable when it meant you could connect online to your friend from high school and find out what they had for breakfast or search through the World Wide Web for exactly the right cat meme with a well-crafted string of words.

When the consequences now might mean entrenching biases in Human Resources processes, or mass automated biometric surveillance, not to mention simply not even understanding what a system is doing (so called ‘black boxes’), the levels of oversight and risk management need to be much higher.

The Regulatory Environment :
There is some existing regulation which covers aspects of this brave new world. For example, in the European Union, article 22 of the General Data Protection Regulation (GDPR) on automated individual decision-making, provides protection against an algorithm being solely responsible for something like deciding whether a customer is eligible for a loan or mortgage. However, the next big thing coming to a company near EU is the AI Act.

The proposal aims to make the rules governing the use of AI consistent across the EU. The current wording is written in the style of the GDPR with prescriptive requirements, extraterritorial reach, a risk-based approach, and heavy penalties for infringements. With the objective of bringing about a “Brussels effect,” where regulation in the EU influences the rest of the world.

Other western jurisdictions are taking a lighter touch than the EU, with the United Kingdom working on a “pro-innovation approach to regulating AI,” and the United States’ recent “Blueprint for an AI Bill of Rights” moving towards a non-binding framework. Both have principles which closely match the proposed legal obligations within the AI Act, hinting at the impact the regulation is already having.

Much of the draft regulation is still being discussed, with a final wording soon to be agreed. There are disagreements across industries and countries on whether some of the text goes far enough or goes too far. For example, whether the definition of “AI” should be narrowed, as the current wording could encompass simple rules-based decision-making tools (or even potentially Excel macros) or even expanded to greater capture so-called “general purpose AI.” These are large models which can be used for various different tasks and therefore, applying the prescriptive requirements and risk-based approach of the AI Act can become complex and laborious.

The uncertainty over the final wording has given companies an excuse to not make first moves to prepare for the changes. Anyone who remembers the mad rush to become compliant with the GDPR will remember the pain of leaving these things to the last minute. The potential fines, which may be as high as 6 percent of annual revenue depending on the final wording, could be crippling and have a cascade effect on a company’s going-concern.

What Can Internal Auditors Do?
As internal audit professionals we can start the conversation with the business and other risk and compliance departments to shine the light on the risks and upcoming regulations which they may be unaware of. It is our objective to provide assurance but also add value to the company and this can be done through our unique ability to understand risks, the business, and provide horizon scanning activities.

Performing internal audit advisory or assurance work, depending on the AI risk maturity level at the organization, can highlight the good practice risk management steps that can be taken early to help when the regulation is finalized. These steps could include:

1) Identify AI in Use: To be able to appropriately manage AI risks throughout their lifecycle stakeholders need to be able to identify systems and processes which make use of them. Agreeing on a definition of AI and developing a process to identify where it is in use is the first step. This would include whether it is being developed in-house, is already in use through existing tools or services, or acquired through the procurement process.

2) Inventory: Developing an inventory which includes information such as the intended purpose, data sources used, design specifications, and assumptions on how and what monitoring will be performed is a good starting point and can be added to, based on your company’s unique characteristics and any specific legal requirements that are implemented in the future.
3) Risk Assessments: Since a key aspect of the AI Act is it being “risk-based,” it is important to have a risk assessment process to ensure you take the necessary steps as required in the regulation, based on the type of AI used. For example, what level of robustness, explainability, and user documentation is necessary based on the risk tier provided. It is also important to consider the business and technology risks of using the AI. For example, machine learning using neural networks requires large training datasets, which can raise issues of data protection and security, but may also perpetuate biases that are contained in the datasets. Suitable experts and stakeholders should be involved in the development and assessment of the risk assessment process.

4) Communications: One area that is often forgotten is communication. It is all well and good having a policy or a framework written down but if it isn’t known and understood by the relevant stakeholders it’s worth less than the paper it’s printed on. Involving key stakeholders during the development of your AI risk management processes can help develop a diverse platform of champions throughout the business who can act as enablers as the requirements are communicated and regulation finalized.

5) On-going monitoring: Risk management is not a one-off exercise and this is no exception. Use cases, technology, and the threat landscape change over time and it is important to include a process for on-going monitoring of AI and the associated risks.

The machines may not be coming to take our jobs just yet, but the risks are already here and so are the opportunities to get ahead. There may be a long and winding road in front, as we all prepare for a world where AI is commonplace and new regulations and standards try to shape its use, but each journey starts with a step and it’s never too early to get going.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Here at Audit International, we have seen a significant shift in the way in which environmental, social, and governance (ESG) data has been perceived in recent years. It has gone from being an ‘add-on’ to being a vital opportunity for corporations to boost their competitiveness. As consumers become more discerning about environmental, social, ethical, and responsible business practices, organizations are increasingly starting to realize that reporting ESG data can have significant brand and reputational benefits.

However, this is just the beginning. The value of ESG data extends beyond reporting—when handled properly, it can unlock value for an organization in a variety of ways.

What is ESG and ESG Reporting?
It’s important to note that there is a distinction between ESG and sustainability. The terms are often used interchangeably, but there are important differences. Essentially, sustainability deals with how an organization’s operations impact the environment and society, whereas ESG has more to do with how an organization’s environmental, social, and governance initiatives affect its financial performance.

According to the Center for Audit Quality (CAQ), “ESG reporting encompasses both qualitative discussions of topics as well as quantitative metrics used to measure a company’s performance against ESG risks, opportunities, and related strategies.”

How companies can use ESG data to their advantage
When organizations treat ESG reporting as more than a box-ticking exercise to meet regulatory obligations, they stand to reap a number of benefits, as follows:

● Profitability and sustainability: Including ESG data in an extended planning and analysis (xP&A) strategy allows an enterprise to see how that data affects financial and operational data, which is key to making ESG initiatives sustainable and profitable.

● Risk management: Neglecting ESG issues can result in financial or reputational damage. Thus, all organizations should ensure that they incorporate ESG data into their risk management strategies. By voluntarily disclosing this information, they will demonstrate that they are taking sufficient steps to protect themselves and their stakeholders from ESG-related risks.

● Competitive advantage: Focusing on ESG can help an organization gain a better understanding of what matters to its stakeholders while also identifying opportunities. Furthermore, reporting ESG data will help stakeholders compare the organization with its competitors. This works in the organization’s favour if it is outperforming peers on the ESG front.

● Uncovering critical operational drivers for decision-making: ESG data can help an organization see where sustainable changes could improve efficiency and make its business more ethical and equitable. This can greatly enhance the decision-making process.

What are the main challenges to effective ESG Reporting?
ESG reporting is continuously evolving as governments announce new standards that companies need to comply with, as well as a new mandatory International Sustainability Standards Board (ISSB) standard that is expected to be announced by the end of the year (2022). It also touches every financial process. For these reasons, companies can find the whole ESG journey intimidating.

The following are some of the main obstacles that need to be overcome:

● Several ESG optional frameworks: The Global Reporting Initiative (GRI), Task Force on Climate-Related Financial Disclosures (TCFD), and the Sustainability Accounting Standards Board (SASB) are some of the more notable ESG frameworks, but there are plenty of others, many of which are specific to certain regions or industries. It can be challenging for companies, especially those operating in multiple countries, to know which ESG standards and frameworks to adhere to. This will all change when the mandatory ISSB standards are announced at the end of 2022.

● Complexity of data management: Whether meeting regulatory requirements or carrying out voluntary disclosures, companies need to be able to collect, translate, and process ESG data. This is a task that is complicated by the fact that the data is often siloed across different IT systems and is often stored in different formats. In addition, sustainability can be hard to quantify.

● Lack of ESG insight to inform decisions: Many organizations have difficulty seeing the connection between ESG data and financial results, especially when captured in spreadsheets, which means they are unable to use the data to improve their bottom line and sustainability initiatives.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

As the threat of climate change mounts, Audit International know that businesses must take steps to counter its damaging effects. This is in order to meet ambitious government Net Zero targets, which aim to halve emissions in a little over a decade.

The promising news is that the majority of organisations now understand that sustainability must be made a priority when it comes to devising their overall strategy.

However, companies are often left in the dark as to how best to report on their ESG credentials in a way that’s impactful and means something to shareholders and other stakeholders. It’s clear that what’s needed is a uniform set of standards for measurement and reporting, just as there is for financial performance. This is particularly prevalent in the Accounting sector, where calls are increasingly being made to introduce universal and transparent ESG standards.

However, the world of sustainability reporting is a confusing and often disparate mass of names and frameworks. They include the Climate Disclosure Standards Board (CDSB), the Global Reporting Initiative (GRI), the International Integrated Reporting Council (IIRC), the Sustainability Accounting Standards Board (SASB) and the Task Force on Climate-related Financial Disclosures (TCFD).

The good news is that a forerunner has emerged that promises to offer a single source of truth when it comes to ESG reporting. It is called the International Sustainability Standards Board (ISSB). The ISSB will do for sustainability reporting what the International Accounting Standards Board (IASB) does for financial reporting. That is, develop standards for companies to report their performance to investors. Both will be under the International Financial Reporting Standards (IFRS) Foundation umbrella.

Where did the new framework originate and what exactly is it?

Created at 2021’s COP26, ISSB will provide a global baseline for high-quality sustainability reporting that supports the work being done in the US by the Securities and Exchange Commission (SEC) and the European Union (EU)’s Corporate Sustainability Reporting Directive (CSRD).

The ISSB is focused on ‘single materiality’ or the ESG information that drives valuation and matters most to investors. This is also the focus of the SEC and so the mandates are consistent. In contrast, the CSRD has a broader ‘double materiality’ mandate, which means it will cover information of interest to stakeholders, even if it is not of interest to investors. Linking the two is the concept of ‘dynamic materiality’, meaning that more light can be shed on ESG issues – such as climate change – moving forwards.

The ideal outcome is that ISSB becomes a global standard which integrates the work of all previous standards and frameworks focused on investor needs. Ideally, the SEC and EU can use its standards. The EU can then top these standards up with those covering double materiality. As dynamic materiality makes these relevant to investors, the ISSB can then take over responsibility for the standard setting process.

How can ISSB success be achieved?

The corporate community has a key role to play in ensuring the success of the ISSB. Investors are increasingly demanding information on a company of interest’s sustainability performance. At the same time, companies are increasingly being accused of greenwashing their sustainability reporting by making it appear more environmentally sound than it is.

Having standards, with proper audits, addresses both issues. That said, it’s important to note that standards aren’t targets for issues like carbon emissions or diversity and inclusion. Rather, they provide credible information on the reporting done by a company on its progress in achieving whatever targets it decides to set, if any.

While ensuring that ISSB is a success, companies can also take steps to secure their own long-term viability. The first way is to participate in the standard setting process. As with financial standard setting, exposure drafts for proposed standards will be published in the public domain. Companies need to join investors in providing their input, including constructive critiques. If a company has an opportunity to participate in any advisory councils and working groups or share its views in comment letters, it should make the effort to do so.

The second approach is to proactively adopt these standards. There will be an inevitable lag between when the standards are published and the country in which the company is headquartered making them mandatory. However, those who wait will likely lose out.

As some companies quickly adopt ISSB’s standards, investor pressure will mount for others to follow suit so they can compare companies’ performance and do their own analysis. Failure to report won’t give a company the benefit of the doubt. Rather, investors will likely assume the worst, all to the possible detriment of the company’s stock price.

Ultimately, the ISSB will make life better for any company which cares about having a sustainable, long-term corporate strategy. Therefore, companies should give their full support to make these standards the best and most accurate they can be.

​“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Amidst issues like supply chain complexity, economic uncertainty, and increased digitalization, Audit International are finding many organizations are adding vendors or changing their existing relationships with those they currently conduct business with.

Working remotely has prompted many companies to add cloud vendors. Supply chain backlogs might have prompted your business to switch to local vendors. Or maybe you’ve added marketing agencies or other types of consultants that have flexible capacity, rather than increasing headcount.

These decisions can help businesses adapt to changing conditions and build resilience, but working with vendors may also introduce new risks. While you might feel like you have a handle on issues like in-house data security processes, you need to be sure that vendors also align with your needs in these areas.

Internal audit teams can play an important oversight role when it comes to vendor risk management. While they might not be making specific vendor management decisions, they can still be involved in making sure proper due diligence is followed when selecting vendors. And once vendor relationships are in place, internal audit teams can monitor these arrangements to ensure organizations aren’t opening themselves up to new risks.

What are the top vendor risk management issues?
Working with third parties like software vendors, managed service providers, cleaning companies, etc. can help businesses fill gaps in current capabilities, increase efficiency, and more. Yet, internal audit teams also need to make sure that their organizations are accounting for any and all potential risks:

Cybersecurity: Internal audit teams should review vendors’ cybersecurity practices to assess whether these meet your organization’s expectations, for example, data security controls and remediation capabilities.

Compliance: Third-party vendors can also create compliance risks, such as improperly storing customer data or engaging in illegal business practices. Even if these vendor issues do not lead to legal action against your organization, internal auditors should aim to get ahead of these issues to avoid reputational damage.

ESG: Environmental, social, and governance (ESG) scrutiny is increasingly extending into supply chains and can also create reputational risk. Internal auditors will want to assess how vendors align with their own ESG goals. This may in turn lead to implementing additional controls, for example, around data sharing practices so that your organization will be able to verify issues like vendor emissions.

Quality: Don’t automatically assume that vendors will provide the quality you’re expecting, even if they come recommended or are widely known. Internal auditors need to ensure that their organizations still conduct proper due diligence to see whether working with that vendor will provide the quality of work you’re expecting. Managing risk can also include looking at vendor performance controls to see if existing third-party vendors maintain appropriate quality standards.
These are just some of the many critical risks that can come from working with third parties. Keep in mind that vendors may also have their own networks of third parties, which could ultimately affect your organization.

While it might not be possible to know every connection point that your vendors have with other third parties, you would likely want to assess what their own third-party risk management practices look like.

How can internal auditors improve third-party risk management?
Internal auditors shouldn’t be the only ones responsible for vendor risk assessments, but they should be mindful of the aforementioned vendor risk management issues and collaborate with other departments to stay on top of these risks.

For example, internal auditors can collaborate with IT leaders to create a vendor security due diligence checklist. From there, internal audit controls can make sure that this checklist is used across all vendor reviews.

Internal audit leaders can also integrate analytics into audit processes, such as collecting performance metrics on third-party vendors, to assess whether they meet your organization’s quality expectations on an ongoing basis.

Too often, however, adding analytics to audit reports is a manual, labor-intensive process that can create its own risks, like data errors. TeamMate Audit Benchmark found 79% of internal audit teams manually leverage data from other applications.

Audit tools like TeamMate+ can help internal auditors get the third-party data they need through automated API exchanges with other platforms, which makes continuous monitoring of risk more feasible. They can then create automated reports to share insights with other departments to stay on top of third-party risk.

By aligning with these steps and staying on top of evolving vendor management risks, internal audit teams can help their organizations stay safe while getting the most out of their third-party partnerships.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

In this final article of the series, Audit International focus on the third element of ESG- Governance risk. This differs from the first two elements – Environmental and Social – in that several governance risks have long been recognized and included in our audit plans. However, many more have recently gained prominence. Therefore, it is important that internal audit understands these risks and is well positioned to provide assurance.

Governance risks :

Some governance risks are broad in nature. Others, are very narrow. Some have little in terms of universal benchmarks, while others have well-established frameworks or regulations. Here are some of the main risks that should be considered:

– Shareholder rights and engagement – are there any limitations on certain classes of shareholders, and does the business engage effectively on important issues?
– Board structure and diversity – are there independent directors, and does the board have sufficient diversity of experience, style, and background? Increasingly, neurodiversity is a consideration, and in some countries a workers’ representative is a requirement.
– Executive compensation – is this structured to be in line with corporate objectives, and is it consistent with peers in comparison to the wages of other staff?
– Anti-bribery and corruption – many countries have a comprehensive legal framework.
– Tax transparency and policy – what is the organization’s approach to tax, and particularly the jurisdictions it operates and pays taxes in?
– Ethics and culture – a broad topic, ethics encompass all the above and more. Culture has become a hot topic over the past 15 years with the link between a strong organization-wide culture and performance becoming increasingly apparent.
– Data protection – often also included as a social risk, good information governance is relevant here as well.
– Typical impacts for the organization will be reputational, legal and regulatory, people, financial, and ultimately strategic.

Getting started – Determining the key risks :
Compared with environmental and social risk, it is much more difficult to take a holistic approach to governance risk, given the breadth of topics. However, it is likely that many activities and risks are already in your audit universe. A governance code may have been adopted by your organization, although these may only cover some of the issues described above. Understanding the relevant governance code(s) –mandatory or optional – is a good starting point. This will depend on jurisdiction(s), market listings, regulators, and industry practices. Governance codes can be principle-based or more prescriptive, and will typically define some or all of the following, often on a “comply or explain” basis:

– Clarity of purpose
– Leadership
– Integrity
– Board composition and division of responsibilities
– Board effectiveness
– Decision making
– Risk management, internal controls, and audit
– Accountability, transparency, and reporting remuneration

In understanding governance risks, you should also take into account what specific legal or regulatory requirements there are around any of these issues. This may include reporting requirements around diversity or executive pay or matters which must regularly be reported and considered by the board. Also, consider what other stakeholder expectations are relevant. This is likely to focus on investors, as they have been increasingly vocal and prepared to vote against boards that do not adequately address specific issues.

With this background information, along with your consideration of the issues highlighted earlier in this article, you can ensure your risk assessment incorporates relevant governance risks.

How internal audit can make an impact :
As always, we should leverage work done by the first and second lines in considering where we can make the biggest impact. We should consider our risk assessment alongside any new information we have about regulatory changes, emerging issues in our sector, or jurisdictions, and investor interest.

Some Examples :
– Governance framework
– Governance codes were mentioned earlier in this article. Whether your organization has adopted a code in full or developed its own framework, it will need to produce a regular (typically, annual) report of compliance with the code. Assessing the processes supporting this reporting is often a good way to execute broad audit coverage of governance risks. Such reports are expected by regulators, provide assurance to the board, and are sometimes published (at least in part in the annual report). – Therefore, it is important that they give an accurate picture.

Reports may take many forms and will often include qualitative assertions and specific data or examples. It is important that any data reported is accurate, but equally as important that narrative assertions or examples are supported by evidence. Internal audit can provide assurance over the processes to collate this evidence, ensuring it is complete and accurate and that the right oversight controls are in place. We can also review the report and verify that the conclusions reached fairly reflect the evidence available. Generally, we take a combined approach to provide comprehensive and broad assurance.

Board composition :
Board composition has been under the spotlight, and while practices have improved there is often still a lack of transparency in recruitment, objective evaluation, and diversity. This is a sensitive audit which needs to be conducted by experienced auditors. When done well, it provides real insight and impact.

It is important not to make this about the individuals currently serving on a board, but about the effectiveness of processes around recruitment, structure, skills-determination, and performance evaluation. Consider some or all of the following:

Is there an evaluation of the skills required on the board and an up-to-date skills matrix? Is this specific enough to ensure the board members possess the right range of skills and experience but sufficiently flexible to attract a diverse pool of candidates?
Do recruitment processes include defining an ideal candidate profile, pre-determined selection criteria, and stakeholder involvement in the exercise? Are candidates sourced in a way that ensures a wide pool of candidates, recognizing that there may be a need for confidentiality?
How are conflicts of interest identified and managed?
What are the rotation policies/term limits for non-executive board members?
How is board performance evaluated? Is there a self-assessment process and a periodic independent assessment?
Is there a training plan for the board and individual board members? Is there an individual appraisal process?
Does the committee structure support effective delegation but ensure the board maintains its responsibility for strategy and oversight?
How effective is the relationship between executives and non-executives? Does the structure facilitate both support and challenge?
Is there an effective process for succession planning?
Do boards allow time for open discussions and strategic thinking, as well as formal meetings?
Some of this can be done by document review — including board papers and minutes, skill matrix, recruitment process documents, etc. But much of this will also require interviews with board members and those who support the board, such as the corporate/company secretarial or corporate governance team.

This article concludes the series on what internal audit should know about ESG risks. If you missed the first two articles, be sure to go back and read our previous blogs, to get you up to speed on our suggestions on how internal audit can approach environmental and social risks.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

A recent study revealed that 82% of finance and business leaders must comply with sustainability requirements or ESG regulations. Even without mandatory regulatory standards in place, Audit International would bet their bottom dollar that more companies would voluntarily take on sustainability initiatives and thus, produce ESG reports.

Why? Because more stakeholders are looking.

The number of parties with vested interests in ESG performance has dramatically increased. The tendency is to think of investors as the sole consumer, judge, and jury of ESG reports, but that’s changing, especially as other stakeholders find themselves subject to ESG expectations.

So, who’s really looking at your ESG reports? And why do they care?

Investors
Let’s start with the obvious: investors! Today’s investors want to ensure their money supports organizations that align with their values. Increasingly, those values are moving further and further away from brown stocks. Investors are leaning away from companies that might risk damaging the environment, operate with inequities, or are vulnerable to corruption.

While sustainable investing is value-based for many investors, it’s also the safer, more lucrative investment in many cases.

A study by Nordea Equity Research reported that, over three years, companies with high ESG ratings outperformed the lowest-rated companies by as much as 40%.

A Bank of America Merrill Lynch study found that firms with a healthier ESG record yielded higher three-year returns. They were also more likely to become high-quality stocks, less likely to experience significant price drops, and less likely to go bankrupt.

All this to say, an ESG score isn’t just a number. It indicates to investors that your company is a proactive, forward-thinking entity that will satisfy the investor’s need for ROI and their conscience.

Internal stakeholders
Many stakeholders within a business can benefit from ESG performance data.

For example:

Sales and marketing can use ESG data to showcase a company’s sustainability performance in their efforts to entice new customers.
IR and PR teams can tout ESG successes to improve the company’s reputation.
HR reps can use social data to attract talent.
Finance teams and chief executives can use ESG insights to improve profitability, contain costs, identify new business opportunities, and recognize areas of investment and divestment when ESG data is connected to financial performance.
Organizations can put ESG performance data to work in many ways. Regarding business value, ESG reports can give every department leverage in furthering the growth and goodwill towards an organization.

ESG scoring bodies
A good ESG score is a golden ticket to a favorable ESG reputation. To receive one, you’ll have to complete surveys or create reports designed by third-party providers, who then calculate ESG scores based on the metrics and ESG performance you reported. Like a credit score or a bond rating, an ESG score demonstrates your company’s ability to meet its ESG commitments, performance, and risk exposure.

Notable ESG scoring organizations are Bloomberg ESG Data Services, Sustainalytics, ESG Risk Ratings, JUST Capital, MSCI, Refinitiv, Dow Jones Sustainability Index Family, and RepRisk.

Banks and financial institutions
Banks, capital markets, and wealth managers are moving towards ESG agendas. This is not just an ethical move but one of demand, risk, and reward.

In terms of demand, millennials lean significantly towards sustainable investments. A survey by EY found that millennials are twice as likely to invest in a fund or stock if social responsibility is a component of the value creation narrative. (Might I remind you millennials are the demographic soon to be society’s primary wealth holders.)

In terms of risk, the liability to banks is two-fold. First, banks are subject to the same sustainability scrutiny as other businesses — customers want to bank with sustainably responsible banks. And second, banks face similar challenges to investors: lending to companies that aren’t sustainable could also pose threats to their business. Will a coal mine be able to repay its debts when sustainable alternatives take over? While banks might not be in this scenario just yet, in the future, it’s possible that businesses could see requests for funding denied if they don’t prove to be sustainable enough.

In terms of reward, again, we see companies with strong ESG performing better than those with weak ESG. An analysis completed by global investment manager BlackRock found that up to 88% of sustainable funds outperformed their non-sustainable counterparts between January 1, 2020, and April 30, 2020. Why would a wealth manager allocate funds to an unsustainable stock when a more sustainable and equally (if not more) profitable alternative exists? Why choose to lose/win when you could choose to win/win?

Regulators
Incoming! A stampede of regulations is making its way into the ESG reporting arena. Two regulations of note are:

The EU’s Corporate Sustainability Due Diligence (CSDD)

In February 2022, the European Commission published a draft of the CSDD. If passed, the CSDD would require companies to disclose the impacts of their operations on human rights and the environment.

The US’s new climate-related disclosures

In March 2022, the SEC proposed expansive new climate-related disclosures related to greenhouse gas emissions, climate risks, transition plans, and governance.

Sullivan and Cromwell LLP has a great round-up of the latest (up to May 2022) ESG regulatory advancements here. The bottom line: ESG is being written into everything from litigation to financial institutions, disclosure and governance, and law. While your particular flavor of ESG regulation will be subject to your jurisdiction and industry, you can bet on increased regulatory scrutiny coming your way soon.

Consumers
B2C companies find themselves with a consumer who cares about their product, how it’s made, and who’s making it. Recent PWC research found that:

Consumers aged 17 – 38 years are almost twice as likely to consider ESG issues when making purchasing decisions than others.
Over half of consumers surveyed said that a company’s purpose and values played a role in their purchasing decisions.
49% of consumers and 66% of millennials use the internet to learn more about a company’s ESG practices before buying a product or service.
From this, we can conclude a few things. The future of the sales will be dependent on ESG performance. And consumers aren’t satisfied with marketing promises — they want the ESG evidence, and your reports will be front in center of their investigations.

Everyone’s looking at ESG
Don’t make stakeholders struggle to seek out your ESG performance. By using a corporate performance management approach to ESG reporting, you can tell your sustainability story, disclose according to multiple new and evolving frameworks, and connect financial outcomes, operational activities, and ESG performance to ensure sustainability is always tied to doing good for the earth, people, and your bottom line.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Transit systems. Healthcare facilities. Financial services firms. What do they all have in common? Organizations within these sectors — and essentially all industries, for that matter — have been hit by ransomware, a type of malware where cybercriminals demand a ransom payment to unlock access to your private and confidential systems and files.

While many cybersecurity risks exist, ransomware is often one of the more pressing challenges. Not only can it bring operations to a screeching halt, but it can also cause issues like data leaks and reputational damage. A global survey by cybersecurity software company Sophos finds that 66% of surveyed organizations suffered ransomware attacks in 2021. “It took on average one month to recover from the damage and disruption,” Sophos adds.

Given the severity of ransomware risk, internal auditors should aim to help their organizations reduce these threats, along with overall cybersecurity risks. How? As Audit International will examine in this article, internal audit departments can take steps such as conducting IT/cybersecurity audits and using technology like internal audit management software to improve internal controls and collaboration.

Review IT practices and controls :
Even though internal auditors generally aren’t responsible for choosing cybersecurity software and establishing employee training to recognize ransomware risks, they can still provide assurance over IT practices and controls, such as with an IT audit.

When IT teams conduct phishing tests to see whether employees are tricked by email scams that can cause ransomware issues, internal auditors are then able to review those results and ensure that the organization is meeting a sufficient standard to prevent social engineering. If the results demonstrate gaps in employee preparedness on ransomware risk or other cybersecurity risks, then internal auditors would likely want to communicate that risk to other stakeholders, like boards and senior management.

Internal audit leaders might also review remote work policies to ensure that IT teams are appropriately managing these with ransomware risk in mind, rather than just focusing on the functionality of work-from-home environments. While internal auditors often rely on guidance from IT leaders, they can still audit areas like access logs to ensure that only approved devices, with the appropriate threat intelligence and data protection technologies, are connecting to their networks.

Align key stakeholders :
Improving ransomware protection also means internal auditors need to align key stakeholders, rather than just collaborating with IT. That means pulling together information from multiple departments to make sure everyone’s on the same page.

Internal auditors should check with finance teams to see how they’re accounting for the potential costs of a ransomware attack, and then ensure that other key stakeholders, like boards and senior management, understand and agree with this approach. Otherwise, issues like not having a sufficient budget to recover from a ransomware attack may arise.

“Regardless of their size or revenue, organizations should assume they will be targeted with ransomware, and they should examine their prevention, detection, mitigation, response, and recovery measures,” notes Zachary Ginsburg, research director for the Gartner Audit and Risk practice, in a Gartner press release.

Leverage internal audit management software :
Internal auditors can mitigate ransomware risk by leveraging internal audit management software. Many technologies are designed to assist with cybersecurity risk management, but from an audit perspective, internal audit management software is important for gaining assurance.

Overall, internal audit teams have an opportunity to make a significant impact when it comes to ransomware risk management. Planning ahead and focusing on internal alignment can go a long way toward reducing ransomware attacks and other cybersecurity risks.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Having considered how internal audit can address environmental risks in the first article in this Audit International series, this article turns to the second element of ESG, social risk. This can be a sensitive area, and many risks are hard to quantify. But over the last decade, expectations of organizations have evolved significantly, and internal audit has a key role in providing assurance over the risks that this presents.

Social risks :
Social risk can be viewed from several perspectives. While we traditionally look at business activities, here it can also be helpful to look through the lens of different stakeholders to ensure all risks are captured and completely understood. For example, consider impacts on the organization itself, staff, customers, suppliers, investors, other third parties, and the wider communities in which you operate. Below are some of the key risks – not an exhaustive list — but those that outline the main risk areas you will want to capture:

– Health and safety – consider both workplace and customer safety.
– Labor standards – your own and those throughout your supply chain. This goes beyond compliance with legislation and international protocols to include issues such as well-being, benefits, and employee engagement.
– Equality, diversity, and inclusion (EDI) – very important to staff, customers, and the community, this is a significant topic in and of itself
– Sales practices – important to your customer base and the wider community, poor practices can quickly damage a reputation.
– Data privacy – sometimes considered a social risk, given its impact on staff, customers, and other partners.
– Community engagement – how effective is your organization in working with local (and broader) stakeholders to maximize the positive and minimize the negative impacts on the community. This started with CSR (Corporate Social Responsibility) but often goes much deeper.
– Other broad, but important, issues such as human rights and the rights of indigenous peoples.
– Typical impacts for the organization will be the same as for many other ESG risks – reputational, legal and regulatory, financial, operational, and ultimately strategic. Other than potentially using different stakeholder perspectives when considering risks, this fits well into your risk assessment process.

Getting started – Determining the key risks :
Your risk assessment should always be the starting point. In order to do this, you will first need to go through several steps to get sufficient background context:

Understand your organization’s approach to social risk. Given the variety of risks and the number of stakeholders, it is likely that it will sit across the organization with many different risk owners. For example, staff-related risks and issues will be owned by Human Resources, whereas supply chain risks will be owned by the relevant business unit or a procurement function. Are there anywhere these risks are also considered and assessed together or across the organization, such as part of a risk function?
Consider who the key stakeholders are. Some will be common to all organizations – staff and customers for instance. Others will be specific to your business – such as a community close to a quarry.
As always, consider key sector and industry risks, drawing on industry guidance, frameworks, and other resources, and on standards such as GRI (Global Reporting Initiative).
Pay attention to your supply chain, particularly if sourcing (directly or indirectly) from jurisdictions where labor or safety standards may not reflect those in your home country.
Understand legal and regulatory requirements in all jurisdictions in which you operate.
With this background information, you can start to include social risks into your risk assessment, leveraging work done by the first and second lines, and begin to provide assurance over these key risks.

How internal audit can make an impact :
Clearly, we should be focusing on the biggest risks for the organization. However, we often need to consider the impact on stakeholder groups in aggregate, rather than just for each risk. Staff is a good example. We should certainly consider risks around compliance with labor laws but understanding the impacts on staff also requires the inclusion of wellbeing, health and safety, benefits, employee engagement, and EDI to assess the potential risk around staff as a group. Internal audit can add value by looking at risk in this way and provide more holistic assurance over risks relating to specific stakeholders.

Internal audit can also take a broader look at the organization’s approach to social risk. As I suggested earlier, it is often a distributed responsibility, but the risks do not exist in isolation. Some questions you can ask:

What is the organization’s attitude towards social risks? Are social factors (collectively or specific issues) considered in strategic planning or discussed at the Board level?
Have key stakeholders been identified? Do these make sense given what you know?
Is social impact considered in decision-making, particularly investment decisions and project evaluation? For government and social-purpose organizations, this will often be a core part of the decision-making process. But even in commercial organizations, evaluation of social risks and impacts will often be built in.
Are there targets and performance metrics in place? For key risks there often are metrics, but they may not be evaluated as a whole – which could be acceptable if they have sufficient prominence. As for other ESG risks, the availability and quality of the data may be a challenge as standards, systems, and processes are evolving. This provides an opportunity for internal audit to make an impact by evaluating systems and processes and by validating the data.
Some examples
Labor standards
The subject of labor standards is broad, but if we consider it in two parts, it may help. First there are fundamental rights at a global level which most countries are adhering to as members of the International Labour Organization. These cover issues such as forced labor, child labor, maternity, working hours, discrimination, health and safety, and unionization rights. Second, there are expectations beyond this, which often vary by country and include benefits, well-being, and employee engagement. There are many ways for internal audit to make an impact here. I will address two very different audit examples:

An organization’s own employment activities have always been part of an audit universe. There is an opportunity to take this further, providing insight and assurance into, for example, employee wellbeing and engagement. Most large organizations conduct surveys covering one or both, but how effectively do they select, track, and use metrics? Also, how effective are follow-up plans? These are sensitive areas, but this is largely about how data is collected and used, and how effectively plans are defined and implemented. All are very well aligned to core internal audit skill sets.
The broader issue of labor standards risk incorporates many parts of a business. As well as an organization’s own employees, we need to consider those in the supply chain, service companies, and any other partners. The focus of an audit is likely to be on procurement and contract management processes. Do contracts stipulate appropriate measures (which vary on the size and nature of the organization)? What independent verification is available that standards are complied with? What monitoring is in place within the organization to highlight emerging issues? All questions internal audit is well-positioned to consider and provide assurance over.

Sales practices :
Sales practices have been under the microscope at various points over the last century. Often it relates to providing dishonest or misleading information, or selling products or services are known not to be in the best interest of the buyer. The banking crisis of 2008 highlighted unethical practices which led to a significant shift to providing services based on the customer. Earlier examples are tobacco and baby formula, the health impacts of which were not accurately portrayed. In both cases, poor practices continued in parts of the developing world long after they were prohibited in the West.

Risks are primarily reputational, but often there are legal and regulatory considerations that can be substantial. Let’s look at two ways in which internal audit can make an impact in this area:

The first is not about the sales process itself, but about whether organizations are considering the customer in the products and services they sell. All jurisdictions have regulations about product quality or the types of services that can be sold to different groups of consumers. Examples range from food standards to complex financial products. In addition, there are overarching responsibilities to ensure customer health and safety (whether on-site or through the products or services they are using) that should be considered. This could be as obvious as ensuring products don’t cause a choking hazard or more complex such as the danger posed when providing social media platforms to young people. Internal auditors should understand the relevant regulations, and any voluntary codes, to provide assurance that there are appropriate controls over these risks, often as part of an existing audit. But you can also go further by considering the more complex aspects of risk and raising concerns if these have not been appropriately considered as customer needs and welfare are an integral part of product/service design and production.
Internal audit can provide assurance over the sales process itself. In any setting and for any customer group, there should be defined processes for marketing, customer communications, and best practices and guidelines a salesperson should consider when making the sale. For complex products such as insurance, this may be very structured, whereas a very light touch would be expected for simple products. Controls may include guidelines, review, and approval for marketing materials, standard templates for communications, and certifications and training for sales. When auditing, we need to be mindful of having realistic expectations for the type of products and services being sold but also be prepared to challenge when processes are insufficient or not well-evidenced. Additional considerations include data privacy, avoidance of discrimination, and the need to look at practices in all relevant jurisdictions.
To summarize, we have shown the variety of social risks within ESG and how internal audit can use their skill set to make an impact by providing assurance over some of these key risks. There are good sources of information freely available to understand different issues in more detail to help assess how social risks may impact your organization and your audit response.

The third and final article in this series will focus on the “G” (Governance) in ESG which covers a broad range of corporate activities. It is important to understand these risks as they provide the foundation for effective ESG program management.

Have you ever had one of those days where you were determined to write that audit report? So you block off the time on your calendar, go into your office, shut the door, remove any and all distractions and breathe. Because now is the time to take all of those thoughts and perfect phrases running wild in your head and put them on paper. You sit down at your desk ready to make it happen. And you come up with nothing.

You decide to invite a colleague in to assist. Because after all, two heads are better than one. The two of you discuss the issues thoroughly, but nothing seems to sound right.

Writing objective observations takes time, skill, and tact. And if you’re like any other auditor, the audit issues sound wonderful in your head. But by the time you formulate the right words, reach for your pencil and place it on paper, that wonderful wording has become a distant memory. It’s worse if you’re in a group setting because you now become frustrated as the group begins asking you to repeat what you said. Unable to remember words uttered only seconds prior, it is only then that you realize how old you truly are.

If you’ve ever faced this situation, do not fear. There are several tools and techniques you can use to speed up and improve your report writing. But first, we must address the five big problems with writing reports:

1. We think faster than we write
2. Our million dollar thoughts come at the wrong time
3. We believe in writer’s block
4. We look for perfection in the first paragraph
5. We don’t understand and/or appreciate the writing process

5 Problems with audit report writing
We think faster than we write
We’ve all been there. Browsing through our cabinets trying to make a mental grocery list. Then you reach the point where there are too many items to remember. You decide to write a list. You reach for your paper and before the pen touches the pad, you’ve already forgotten the five items you wanted to write.

Our brains are fascinating. I can remember where I was in the summer of 1989, but I cannot remember what I ate for breakfast this morning. It is that forgetfulness that can derail your report writing.

Our million dollar thoughts come at the wrong time
Worse yet is when you have this wonderful idea, but then realize that it is 5:00 o’clock and you are stuck in traffic. There is no way you can capture that great thought without causing a pile up. So you try other techniques. You turn off the radio and repeat whatever it is over and over. You hope to continue this until you get home, or at least until you get to a stopping point. Of course something interrupts your thought and you forget what you were trying to remember.

We believe in writer’s block
Some people believe that writer’s block is a thing. I’m here to tell you, it is not. At least in the context of business writing or internal audit reports. Wikipedia define writer’s block as follows:

“Writer’s block is a condition, primarily associated with writing, in which an author loses the ability to produce new work or experiences a creative slowdown. This loss of ability to write and produce new work is not a result of commitment problems or lack of writing skills. The condition ranges from difficulty in coming up with original ideas to being unable to produce a work for years. Writer’s block is not solely measured by time passing without writing. It is measured by time passing without productivity in the task at hand.”

As you can see, writer’s block is a primary concern for creative writers. Our audit reports are, or should be, factually based non fiction. We are taking a series of facts, placing some logic and order to those facts, and providing management with a conclusion. What we are not doing, is creating new characters or developing plots and story lines. We know the beginning, middle and end of the story. Therefore, we know what to say. The problem is how do we say it so that it has the best impact given within the culture of the organization.

We look for perfection in the first paragraph
Because audit report writing is simpler than creative writing, we believe that we should be able to sit down and create the perfect prose in minutes. After all, we know the beginning, middle and end of the story. When we finally put pen to paper, our initial draft is usually not good. We then become frustrated. But I believe that frustration is because we don’t understand the writing process.

We don’t understand and/or appreciate the writing process
All the magic happens in the editing. Any writer will tell you this. Ernest Hemingway famously once said that “The first draft of anything is ****” (insert a very bad word here). As someone who has had articles published, I can tell you this is true. I can recall the first time I sent something to an editor. I thought it was an okay piece. But what came back was a magnificent manuscript. I fined tuned it a little and the result was something we were all pleased with. The writing process does not require perfection at the start. Your initial goal is to get something on the page. After that, trust the process and let the magic happen in editing.

3 tools you can use
Google voice typing
Because our brains seem to signal our mouths to speak faster than our hands can write, voice typing is the perfect shortcut to getting those wonderful words out of your head and on paper. For those unfamiliar with voice typing, you talk, it types. It’s as simple as that. Well, sort of.

The best free voice typing tool I’ve found is through Google. Log in to your account. Then, access Google Docs and open a document. Go to Tools, then Voice Typing (or you can press Ctlr+Shift+S).

You will see a microphone that may say Click to Speak. Click it, talk to it, and watch the magic happen. You will need to learn certain commands like period, comma and new paragraph. But other than that, if you speak clearly, it will recognize most speaking voices and words.

Your Cell Phone voice recorder
If barking out commands to your computer isn’t your thing, you’re in luck. There’s another option. If you’re like me, your cell phone is probably within arms reach. Grab your phone and go to your favorite app store. Search for a voice recorder. You should see several. Download one that piques your interest.

You can now record yourself talking about the audit issues. Now you will never miss that wonderfully worded paragraph that would sound great in an audit report. Once recorded, you can listen to the recording and pull out the impactful paragraphs.

Transcription
If you truly believe the recording represents your best work ever, you can have it transcribed. Yes, you heard me, transcribed. It’s not as bad or as expensive as you think. Before I get into that, I must say that I am not being paid by nor am I endorsing these specific products. there are several transcription services that I have used. Some use live transcribers while others use automated engines.

Summary

Writing audit reports can be a daunting task. But it has to be done. Nowadays we have a lot of tools that can help streamline the process. Many of the biggest issues start with us. Writer’s block is only as real as we allow it to be. Sit down and put something on paper. Use some electronic tools to get your words on paper. Almost any words will do. Afterall, the magic happens in the editing.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

This week Audit International are taking a look at the 4 ways how Internal Audit can get a seat at the table.

When it comes to risk management and compliance, most organizations operate on a 3 Lines of Defense (3LOD) model, in which operational management, compliance, and internal audit work together in tandem to assess and mitigate risk and manage controls and compliance.

This model may be successful in theory, but as the risk management and compliance functions have grown more complex, it doesn’t always work as well as you might hope. Given the rising sophistication of cybersecurity threats and incidents of fraud, and the increasing compliance requirements posed upon organizations of all sizes, it can be difficult to keep an organization-wide pulse on threats and breaches in compliance as they arise.

The problem is, the three branches don’t always collaborate effectively, which may leave internal audit out of the loop and unable to provide much value to the organization. They may not have access to the data they need to generate effective recommendations. The internal audit team’s focus may be simply on checking boxes and ensuring compliance, rather than providing strategic insights that will help your organization understand and take steps to mitigate new threats.

If you want your internal audit team to move the needle at your organization, you need to get the ear of executives who can advocate for your work. By partnering with leadership, you’ll be able to spearhead new initiatives and gain critical access to data that will help your organization save money and reduce risk, proving your team’s value.

Here are four strategies for doing that effectively:

Identify the key people who can support you, and make a plan to build relationships with them
Your audit team will naturally be in touch with the managers who can provide key information needed to conduct your audits—but by focusing only on these contacts, you’re missing out on building relationships with the leaders who will be able to help you gain a more visible role in the organization. Build a plan for conducting periodic outreach to higher-level executives within your organization, such as your chief risk officer or your CTO. You can solicit feedback from them on any open questions they may want your team to review in your audits, or provide high-level executive briefs showcasing work that you’ve done and issues they may want to explore in further detail. Make sure that they know you and your team are available to support them and open for feedback.

Proactively address organization-wide trends
Rather than focusing solely on issues identified in individual audits, start looking at your audit results in aggregate to identify trends. Is a single department or office location having trouble resolving a specific compliance issue, or is it an across-the-board trend that should be shared with your executive team? Review your data frequently to understand risks that should be mitigated, and come up with step-by-step action plans for how they should be addressed, including who’s responsible and what the benchmarks for success are.

Pay close attention to third-party risks
Many audit teams take an insular view of risk management, failing to uncover the external risks brought on by vendors and technology partners. Make sure that you have policies in place to carefully vet and automate compliance on your third-party vendors, pulling in external data that will alert you to any financial or legal issues they may face. Regularly track all of your solutions and technology partners for red flags, and ensure that you have a strategy for mitigating them. You can showcase your findings in sessions with executives and other partners throughout the business, and collaborate to come up with a plan for any of your scenarios. Keep in mind that risks from big providers such as Amazon or Facebook may impact a lot of your customers or partners as well, so ensure that you map out all of the variables that may impact your company’s business model across the board.

Use best-in-class GRC technology to automate compliance and analyze data
In order to provide the most useful insights to your leadership team, it’s important to integrate your entire risk management function across an easy-to-use GRC platform. Your GRC platform should come with pre-built content that will help you automate your controls framework, regardless of your industry. It should make it easy to monitor compliance status and risk levels across the organization at any given time, with triggers prompting action when control levels are not being met. You should be able to easily drill down into your data and generate executive dashboards, so that you can share insights to justify recommendations and help your leadership team make better informed business decisions.

By building a cohesive strategy for integrating with the 3LOD, backed by in-depth data analytics, real-time data feeds, and workflow automation, your audit team will be able to generate insights that can help to identify new risks, and develop new strategies for mitigating risks across the entire organization. This will help you to become a highly visible, influential, and trusted partner to the business.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”