Fraud Audit

Audit International recommend five ‘Under the Radar’ Areas to Audit that May Not Be on the Audit Plan.

As internal auditors, we all have a “spidey sense” of what we should be auditing.

Sure, we should, of course, conduct comprehensive risk assessments that drive our audit plan, and many of the usual suspects will end up on that plan: cybersecurity, regulatory compliance, financial reporting, third-party relationships, and you know the rest.

But there are things, we would strongly profess, that should be audited, even if we aren’t formally auditing them and they never make it to the actual audit plan. Just by being aware—casting that web, if you will—you should constantly informally “audit” a few critical areas.

What might be some of those things we should (lower case) audit, even if we aren’t (upper case) Auditing them? Here’s Audit Internationals take on five:

1
Culture: Are Disconnects, Even if Subtle, Surfacing?

So much has been written and said about doing culture audits and internal audit’s potential role in doing such a review. Perhaps, however, your organization doesn’t support internal audit doing a full-blown culture audit. Does that mean you throw your hands up and do nothing with the topic? Heck, no!

Look, we are among the very few in the organization who have the benefit of both grasping the desired culture and viewing the entire company because of our day-to-day work. So, why not leverage that and tune into what is going on around us and notice the organizational behaviors, actions, and attitudes that are consistent with, as well as (importantly) counter to, the desired culture.

So, what’s an internal auditor to do?

Some caveats, though. First, be sure you completely understand the desired culture, both what is formally stated through things like the organization’s listed core values as well as what is implied in the “how things are done around here” subtleties. The formal and the informal culture are equally important. Then, as you go about your work in various departments and interact with people at all levels of the organization, be cognizant of behaviors, language, demeanor, protocols, and other elements that seem inconsistent with what you expected.

Now, if you witness such imbalances, and you’ll know because it will make you a bit uncomfortable, talk with close colleagues or discuss it amongst your team. If something seems amiss, continue to keep your eyes and ears open and provide your internal audit function leadership with examples of what you are witnessing. If there are culture issues in a particular area of your organization, it is likely manifesting itself in a number of other issues as well. Your internal audit function leadership will guide you on what to do and may provide guidance on the next course of action. Chief audit executives will need to consider when and how to elevate such delicate issues. Yes, it’s a sensitive topic, but something that might be critical to address. Your spidey sense will guide the way.

2
Employee Engagement: Are People Checking Out?

While it has been a topic in the corporate world for more than 20 years, at least since the Gallup Organization and their Q12 employee survey instrument brought it into the lexicon, “employee engagement” has re-emerged these days. By now, we’ve all heard the new buzz phrase “quiet quitting.” While it’s a catchy label that has been slapped on what is, in essence, just disengagement, it’s not to be taken lightly. Employees who have become disengaged in your company’s mission, vision, and values don’t have passion to do their best. This should be deeply problematic to executive leaders and, in turn, to you. It is a significant and costly drain on everything your organization does.

So, what’s an internal auditor to do?

Just like with the culture topic, we, as internal auditors, interact with more of the organization across all levels (along with HR) than most anyone else in the entire organization. Therefore, we have our finger on the pulse when it comes to engagement and its evil twin, disengagement. Do we have a general sense though the course of our internal audit work that people care or if they are they just going through the motions? Sure, we do.

We don’t need to be scientific about it, and we don’t have to call anyone or any function, department, or location out, per se, but if we see that there is a trend developing toward greater levels of disengagement, let it be known. Make it a part of what we absorb about the organization on a daily, weekly, and monthly basis. Elevate the concerns, whether to HR, department levels, or even the senior management. In other words, don’t ignore it.

3
The Physical Facilities: Are Things in Disrepair?

As much as we may not all be going into a physical office as much anymore, many employees will still spend at least some time in the office or at company facilities. And, the physical state of the office location, branch, facility, or building space is important. Not only can facility disrepair be unhealthy or unsafe, but it can also just negatively affect employee psyche or customer impressions. Pay attention to what things look like and what is the state of the physical environment around you. It may signal deeper problems or an overall neglectful view of the business.

We all have stories about what we’ve witnessed. I remember walking past a locked closet and smelling a damp odor. I could have just ignored it, thought it was just me, or figured that someone else was probably aware of it. Instead, I decided to mention it to the facilities manager of the location. And, lo and behold, behind the rightfully locked door a roof leak had infiltrated the space and it was a wiring closet. It could have been a big problem if it were ignored for any length of time.

So, what’s an internal auditor to do?

Keep your eyes and ears open as you go about your work. Does something seem amiss regarding the physical location? Mention it to someone who could do something about it. What’s the worst that could happen? They tell you “thanks, we are aware of it.” At best, you help address an issue before it gets out of hand. Sometimes we all become blind to our physical surroundings because we’ve just been there for so long. But a fresh set of eyes and ears might just help the organization out and make employees and customers even more appreciative of the physical space they show up to and that the organization spends so much money on. Internal audit can have a unique perspective of noticing what gets unnoticed.

4
The Parking Lot Check: Is Fraud Hiding in Plain Sight?

Closely related to the physical state of the facilities is the state of the employees. Ever see a change in someone’s habits that don’t sync-up with what has gone on in the past, and you wondering “what’s up with that?” Perhaps someone is showing up to the office in a new luxury car, expensive clothes, or talking about some lavish vacation they went on?

Most often, there is a great explanation, and it is none of our business. But, also, any of us who have been around the block a few times will also know that, occasionally, these changed behaviors are clues that something is amiss and that someone may be on the take. You could call this “doing a parking lot audit.” So many frauds and embezzlements have left a trail of these clues as the perpetrator wanted to channel their ill-gotten gains into the fruits of luxury and apparent success. It’s not an outright indicator or fraud, of course, but it might be a red flag to dig deeper, especially if things weren’t adding up already.

So, what’s an internal auditor to do?

Just keep your eyes and ears open, being observant to uncharacteristic behaviors, purchases, and chatter could provide clues to someone who is taking advantage of their position and situation to pilfer from your company. No, don’t go around accusing people of things where you have no proof, of course. But eyes open and be vigilant. And, if you see something, say something to a trusted colleague within your internal audit department. If necessary, elevate it within your department and, if warranted and approved, do some follow-up in a clandestine manner. You may just catch something in its preliminary stages and head it off at the pass, so to speak. Most people steal from the company in small increments, and it escalates from there if they feel they are getting away with it undetected. But, in hindsight, there were usually always clues … perhaps no further away than in the parking lot.

5
Hotline Activity: Is Volume Up, or Has Volume Decreased?

Most internal audit functions have some role in monitoring their organization’s whistleblower hotline for employees, and sometimes also third parties, to file complaints. This may seem like a no-brainer, but you’d be surprised how often small complaints (that point to bigger problems) go unnoticed. Your internal audit function may have complete ownership of managing what comes though, you may partner with someone else in the organization, such as compliance, human resources, or legal, or you just get things passed to you for review or investigation as needed from one of these organizational partners. Regardless, you need to have some role in monitoring the volume of activity. What types of activity are coming through? Are there recurring issues? What are the trends? It doesn’t take an audit, but it does take awareness. Changes in volume can be very telling, and that could be changes in either direction (increased or decreased volume).

Increases in activity might spell some brewing issues of a more macro sense and, alternatively, decreases in volume may spell a level of distrust in the confidentiality of the hotline or a perceived lack of seriousness with which reported items might be getting addressed.

So, what’s an internal auditor to do?

It doesn’t have to be you, so long as someone in your internal audit function is attuned to the trends, both in terms of volume and types of activity. And, if there are notable changes in the trends, up or down, it might be time for a deeper understanding of what might be going on. This could be a signal of troubles brewing that are inconsistent with the desired culture.
—-
To be clear, internal auditors don’t need a formal audit plan initiative to keep abreast of important developments in the organization. It’s not easy, I know, as the formal audit plan has us busy enough, but a little observation may go a long way. Head up, eyes and ears open, use all your senses and leverage your well-honed intellectual curiosity and professional skepticism. Do some ad-hoc auditing of things you might not be able to (upper case) Audit and don’t necessarily make it to the formal audit plan. The organization will be better for it, and you will enhance your engagement and contributions innumerably.

As popularized in the Spiderman comics of yesteryear and said in more recent movies, “with great power comes great responsibility.” Wield it judiciously!

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

There is a common joke among physicists that fusion energy is 30 years away … and always will be. You could say something similar about artificial intelligence (AI) and robots taking all our jobs. The risks of AI and robotics have been expressed vividly in science fiction by the likes of Isaac Asimov as far back as 1942 and in news articles and industry reports pretty much every year since. “The machines are coming to take your jobs!” they proclaim. And yet, all of us here at Audit International still head to the office or log in from home each weekday morning.

The reality is less striking but potentially just as worrying. Most people expect that one day some sort of machine will be built that will instantly know how to do a certain job—including internal auditing—and then those jobs will be gone forever. More likely, is that AI and smart systems start to permeate into everyday tasks that we perform at work and become critical parts of the business processes our units and companies conduct. (Indeed, many professions and industries have already been greatly disrupted by AI and robotics.)

Technology companies have been so successful over the last 30 years because of the common mantra of “move fast and break things.” And that was maybe just about acceptable when it meant you could connect online to your friend from high school and find out what they had for breakfast or search through the World Wide Web for exactly the right cat meme with a well-crafted string of words.

When the consequences now might mean entrenching biases in Human Resources processes, or mass automated biometric surveillance, not to mention simply not even understanding what a system is doing (so called ‘black boxes’), the levels of oversight and risk management need to be much higher.

The Regulatory Environment :
There is some existing regulation which covers aspects of this brave new world. For example, in the European Union, article 22 of the General Data Protection Regulation (GDPR) on automated individual decision-making, provides protection against an algorithm being solely responsible for something like deciding whether a customer is eligible for a loan or mortgage. However, the next big thing coming to a company near EU is the AI Act.

The proposal aims to make the rules governing the use of AI consistent across the EU. The current wording is written in the style of the GDPR with prescriptive requirements, extraterritorial reach, a risk-based approach, and heavy penalties for infringements. With the objective of bringing about a “Brussels effect,” where regulation in the EU influences the rest of the world.

Other western jurisdictions are taking a lighter touch than the EU, with the United Kingdom working on a “pro-innovation approach to regulating AI,” and the United States’ recent “Blueprint for an AI Bill of Rights” moving towards a non-binding framework. Both have principles which closely match the proposed legal obligations within the AI Act, hinting at the impact the regulation is already having.

Much of the draft regulation is still being discussed, with a final wording soon to be agreed. There are disagreements across industries and countries on whether some of the text goes far enough or goes too far. For example, whether the definition of “AI” should be narrowed, as the current wording could encompass simple rules-based decision-making tools (or even potentially Excel macros) or even expanded to greater capture so-called “general purpose AI.” These are large models which can be used for various different tasks and therefore, applying the prescriptive requirements and risk-based approach of the AI Act can become complex and laborious.

The uncertainty over the final wording has given companies an excuse to not make first moves to prepare for the changes. Anyone who remembers the mad rush to become compliant with the GDPR will remember the pain of leaving these things to the last minute. The potential fines, which may be as high as 6 percent of annual revenue depending on the final wording, could be crippling and have a cascade effect on a company’s going-concern.

What Can Internal Auditors Do?
As internal audit professionals we can start the conversation with the business and other risk and compliance departments to shine the light on the risks and upcoming regulations which they may be unaware of. It is our objective to provide assurance but also add value to the company and this can be done through our unique ability to understand risks, the business, and provide horizon scanning activities.

Performing internal audit advisory or assurance work, depending on the AI risk maturity level at the organization, can highlight the good practice risk management steps that can be taken early to help when the regulation is finalized. These steps could include:

1) Identify AI in Use: To be able to appropriately manage AI risks throughout their lifecycle stakeholders need to be able to identify systems and processes which make use of them. Agreeing on a definition of AI and developing a process to identify where it is in use is the first step. This would include whether it is being developed in-house, is already in use through existing tools or services, or acquired through the procurement process.

2) Inventory: Developing an inventory which includes information such as the intended purpose, data sources used, design specifications, and assumptions on how and what monitoring will be performed is a good starting point and can be added to, based on your company’s unique characteristics and any specific legal requirements that are implemented in the future.
3) Risk Assessments: Since a key aspect of the AI Act is it being “risk-based,” it is important to have a risk assessment process to ensure you take the necessary steps as required in the regulation, based on the type of AI used. For example, what level of robustness, explainability, and user documentation is necessary based on the risk tier provided. It is also important to consider the business and technology risks of using the AI. For example, machine learning using neural networks requires large training datasets, which can raise issues of data protection and security, but may also perpetuate biases that are contained in the datasets. Suitable experts and stakeholders should be involved in the development and assessment of the risk assessment process.

4) Communications: One area that is often forgotten is communication. It is all well and good having a policy or a framework written down but if it isn’t known and understood by the relevant stakeholders it’s worth less than the paper it’s printed on. Involving key stakeholders during the development of your AI risk management processes can help develop a diverse platform of champions throughout the business who can act as enablers as the requirements are communicated and regulation finalized.

5) On-going monitoring: Risk management is not a one-off exercise and this is no exception. Use cases, technology, and the threat landscape change over time and it is important to include a process for on-going monitoring of AI and the associated risks.

The machines may not be coming to take our jobs just yet, but the risks are already here and so are the opportunities to get ahead. There may be a long and winding road in front, as we all prepare for a world where AI is commonplace and new regulations and standards try to shape its use, but each journey starts with a step and it’s never too early to get going.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Here at Audit International, we have seen a significant shift in the way in which environmental, social, and governance (ESG) data has been perceived in recent years. It has gone from being an ‘add-on’ to being a vital opportunity for corporations to boost their competitiveness. As consumers become more discerning about environmental, social, ethical, and responsible business practices, organizations are increasingly starting to realize that reporting ESG data can have significant brand and reputational benefits.

However, this is just the beginning. The value of ESG data extends beyond reporting—when handled properly, it can unlock value for an organization in a variety of ways.

What is ESG and ESG Reporting?
It’s important to note that there is a distinction between ESG and sustainability. The terms are often used interchangeably, but there are important differences. Essentially, sustainability deals with how an organization’s operations impact the environment and society, whereas ESG has more to do with how an organization’s environmental, social, and governance initiatives affect its financial performance.

According to the Center for Audit Quality (CAQ), “ESG reporting encompasses both qualitative discussions of topics as well as quantitative metrics used to measure a company’s performance against ESG risks, opportunities, and related strategies.”

How companies can use ESG data to their advantage
When organizations treat ESG reporting as more than a box-ticking exercise to meet regulatory obligations, they stand to reap a number of benefits, as follows:

● Profitability and sustainability: Including ESG data in an extended planning and analysis (xP&A) strategy allows an enterprise to see how that data affects financial and operational data, which is key to making ESG initiatives sustainable and profitable.

● Risk management: Neglecting ESG issues can result in financial or reputational damage. Thus, all organizations should ensure that they incorporate ESG data into their risk management strategies. By voluntarily disclosing this information, they will demonstrate that they are taking sufficient steps to protect themselves and their stakeholders from ESG-related risks.

● Competitive advantage: Focusing on ESG can help an organization gain a better understanding of what matters to its stakeholders while also identifying opportunities. Furthermore, reporting ESG data will help stakeholders compare the organization with its competitors. This works in the organization’s favour if it is outperforming peers on the ESG front.

● Uncovering critical operational drivers for decision-making: ESG data can help an organization see where sustainable changes could improve efficiency and make its business more ethical and equitable. This can greatly enhance the decision-making process.

What are the main challenges to effective ESG Reporting?
ESG reporting is continuously evolving as governments announce new standards that companies need to comply with, as well as a new mandatory International Sustainability Standards Board (ISSB) standard that is expected to be announced by the end of the year (2022). It also touches every financial process. For these reasons, companies can find the whole ESG journey intimidating.

The following are some of the main obstacles that need to be overcome:

● Several ESG optional frameworks: The Global Reporting Initiative (GRI), Task Force on Climate-Related Financial Disclosures (TCFD), and the Sustainability Accounting Standards Board (SASB) are some of the more notable ESG frameworks, but there are plenty of others, many of which are specific to certain regions or industries. It can be challenging for companies, especially those operating in multiple countries, to know which ESG standards and frameworks to adhere to. This will all change when the mandatory ISSB standards are announced at the end of 2022.

● Complexity of data management: Whether meeting regulatory requirements or carrying out voluntary disclosures, companies need to be able to collect, translate, and process ESG data. This is a task that is complicated by the fact that the data is often siloed across different IT systems and is often stored in different formats. In addition, sustainability can be hard to quantify.

● Lack of ESG insight to inform decisions: Many organizations have difficulty seeing the connection between ESG data and financial results, especially when captured in spreadsheets, which means they are unable to use the data to improve their bottom line and sustainability initiatives.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Amidst issues like supply chain complexity, economic uncertainty, and increased digitalization, Audit International are finding many organizations are adding vendors or changing their existing relationships with those they currently conduct business with.

Working remotely has prompted many companies to add cloud vendors. Supply chain backlogs might have prompted your business to switch to local vendors. Or maybe you’ve added marketing agencies or other types of consultants that have flexible capacity, rather than increasing headcount.

These decisions can help businesses adapt to changing conditions and build resilience, but working with vendors may also introduce new risks. While you might feel like you have a handle on issues like in-house data security processes, you need to be sure that vendors also align with your needs in these areas.

Internal audit teams can play an important oversight role when it comes to vendor risk management. While they might not be making specific vendor management decisions, they can still be involved in making sure proper due diligence is followed when selecting vendors. And once vendor relationships are in place, internal audit teams can monitor these arrangements to ensure organizations aren’t opening themselves up to new risks.

What are the top vendor risk management issues?
Working with third parties like software vendors, managed service providers, cleaning companies, etc. can help businesses fill gaps in current capabilities, increase efficiency, and more. Yet, internal audit teams also need to make sure that their organizations are accounting for any and all potential risks:

Cybersecurity: Internal audit teams should review vendors’ cybersecurity practices to assess whether these meet your organization’s expectations, for example, data security controls and remediation capabilities.

Compliance: Third-party vendors can also create compliance risks, such as improperly storing customer data or engaging in illegal business practices. Even if these vendor issues do not lead to legal action against your organization, internal auditors should aim to get ahead of these issues to avoid reputational damage.

ESG: Environmental, social, and governance (ESG) scrutiny is increasingly extending into supply chains and can also create reputational risk. Internal auditors will want to assess how vendors align with their own ESG goals. This may in turn lead to implementing additional controls, for example, around data sharing practices so that your organization will be able to verify issues like vendor emissions.

Quality: Don’t automatically assume that vendors will provide the quality you’re expecting, even if they come recommended or are widely known. Internal auditors need to ensure that their organizations still conduct proper due diligence to see whether working with that vendor will provide the quality of work you’re expecting. Managing risk can also include looking at vendor performance controls to see if existing third-party vendors maintain appropriate quality standards.
These are just some of the many critical risks that can come from working with third parties. Keep in mind that vendors may also have their own networks of third parties, which could ultimately affect your organization.

While it might not be possible to know every connection point that your vendors have with other third parties, you would likely want to assess what their own third-party risk management practices look like.

How can internal auditors improve third-party risk management?
Internal auditors shouldn’t be the only ones responsible for vendor risk assessments, but they should be mindful of the aforementioned vendor risk management issues and collaborate with other departments to stay on top of these risks.

For example, internal auditors can collaborate with IT leaders to create a vendor security due diligence checklist. From there, internal audit controls can make sure that this checklist is used across all vendor reviews.

Internal audit leaders can also integrate analytics into audit processes, such as collecting performance metrics on third-party vendors, to assess whether they meet your organization’s quality expectations on an ongoing basis.

Too often, however, adding analytics to audit reports is a manual, labor-intensive process that can create its own risks, like data errors. TeamMate Audit Benchmark found 79% of internal audit teams manually leverage data from other applications.

Audit tools like TeamMate+ can help internal auditors get the third-party data they need through automated API exchanges with other platforms, which makes continuous monitoring of risk more feasible. They can then create automated reports to share insights with other departments to stay on top of third-party risk.

By aligning with these steps and staying on top of evolving vendor management risks, internal audit teams can help their organizations stay safe while getting the most out of their third-party partnerships.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

In this final article of the series, Audit International focus on the third element of ESG- Governance risk. This differs from the first two elements – Environmental and Social – in that several governance risks have long been recognized and included in our audit plans. However, many more have recently gained prominence. Therefore, it is important that internal audit understands these risks and is well positioned to provide assurance.

Governance risks :

Some governance risks are broad in nature. Others, are very narrow. Some have little in terms of universal benchmarks, while others have well-established frameworks or regulations. Here are some of the main risks that should be considered:

– Shareholder rights and engagement – are there any limitations on certain classes of shareholders, and does the business engage effectively on important issues?
– Board structure and diversity – are there independent directors, and does the board have sufficient diversity of experience, style, and background? Increasingly, neurodiversity is a consideration, and in some countries a workers’ representative is a requirement.
– Executive compensation – is this structured to be in line with corporate objectives, and is it consistent with peers in comparison to the wages of other staff?
– Anti-bribery and corruption – many countries have a comprehensive legal framework.
– Tax transparency and policy – what is the organization’s approach to tax, and particularly the jurisdictions it operates and pays taxes in?
– Ethics and culture – a broad topic, ethics encompass all the above and more. Culture has become a hot topic over the past 15 years with the link between a strong organization-wide culture and performance becoming increasingly apparent.
– Data protection – often also included as a social risk, good information governance is relevant here as well.
– Typical impacts for the organization will be reputational, legal and regulatory, people, financial, and ultimately strategic.

Getting started – Determining the key risks :
Compared with environmental and social risk, it is much more difficult to take a holistic approach to governance risk, given the breadth of topics. However, it is likely that many activities and risks are already in your audit universe. A governance code may have been adopted by your organization, although these may only cover some of the issues described above. Understanding the relevant governance code(s) –mandatory or optional – is a good starting point. This will depend on jurisdiction(s), market listings, regulators, and industry practices. Governance codes can be principle-based or more prescriptive, and will typically define some or all of the following, often on a “comply or explain” basis:

– Clarity of purpose
– Leadership
– Integrity
– Board composition and division of responsibilities
– Board effectiveness
– Decision making
– Risk management, internal controls, and audit
– Accountability, transparency, and reporting remuneration

In understanding governance risks, you should also take into account what specific legal or regulatory requirements there are around any of these issues. This may include reporting requirements around diversity or executive pay or matters which must regularly be reported and considered by the board. Also, consider what other stakeholder expectations are relevant. This is likely to focus on investors, as they have been increasingly vocal and prepared to vote against boards that do not adequately address specific issues.

With this background information, along with your consideration of the issues highlighted earlier in this article, you can ensure your risk assessment incorporates relevant governance risks.

How internal audit can make an impact :
As always, we should leverage work done by the first and second lines in considering where we can make the biggest impact. We should consider our risk assessment alongside any new information we have about regulatory changes, emerging issues in our sector, or jurisdictions, and investor interest.

Some Examples :
– Governance framework
– Governance codes were mentioned earlier in this article. Whether your organization has adopted a code in full or developed its own framework, it will need to produce a regular (typically, annual) report of compliance with the code. Assessing the processes supporting this reporting is often a good way to execute broad audit coverage of governance risks. Such reports are expected by regulators, provide assurance to the board, and are sometimes published (at least in part in the annual report). – Therefore, it is important that they give an accurate picture.

Reports may take many forms and will often include qualitative assertions and specific data or examples. It is important that any data reported is accurate, but equally as important that narrative assertions or examples are supported by evidence. Internal audit can provide assurance over the processes to collate this evidence, ensuring it is complete and accurate and that the right oversight controls are in place. We can also review the report and verify that the conclusions reached fairly reflect the evidence available. Generally, we take a combined approach to provide comprehensive and broad assurance.

Board composition :
Board composition has been under the spotlight, and while practices have improved there is often still a lack of transparency in recruitment, objective evaluation, and diversity. This is a sensitive audit which needs to be conducted by experienced auditors. When done well, it provides real insight and impact.

It is important not to make this about the individuals currently serving on a board, but about the effectiveness of processes around recruitment, structure, skills-determination, and performance evaluation. Consider some or all of the following:

Is there an evaluation of the skills required on the board and an up-to-date skills matrix? Is this specific enough to ensure the board members possess the right range of skills and experience but sufficiently flexible to attract a diverse pool of candidates?
Do recruitment processes include defining an ideal candidate profile, pre-determined selection criteria, and stakeholder involvement in the exercise? Are candidates sourced in a way that ensures a wide pool of candidates, recognizing that there may be a need for confidentiality?
How are conflicts of interest identified and managed?
What are the rotation policies/term limits for non-executive board members?
How is board performance evaluated? Is there a self-assessment process and a periodic independent assessment?
Is there a training plan for the board and individual board members? Is there an individual appraisal process?
Does the committee structure support effective delegation but ensure the board maintains its responsibility for strategy and oversight?
How effective is the relationship between executives and non-executives? Does the structure facilitate both support and challenge?
Is there an effective process for succession planning?
Do boards allow time for open discussions and strategic thinking, as well as formal meetings?
Some of this can be done by document review — including board papers and minutes, skill matrix, recruitment process documents, etc. But much of this will also require interviews with board members and those who support the board, such as the corporate/company secretarial or corporate governance team.

This article concludes the series on what internal audit should know about ESG risks. If you missed the first two articles, be sure to go back and read our previous blogs, to get you up to speed on our suggestions on how internal audit can approach environmental and social risks.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

A recent study revealed that 82% of finance and business leaders must comply with sustainability requirements or ESG regulations. Even without mandatory regulatory standards in place, Audit International would bet their bottom dollar that more companies would voluntarily take on sustainability initiatives and thus, produce ESG reports.

Why? Because more stakeholders are looking.

The number of parties with vested interests in ESG performance has dramatically increased. The tendency is to think of investors as the sole consumer, judge, and jury of ESG reports, but that’s changing, especially as other stakeholders find themselves subject to ESG expectations.

So, who’s really looking at your ESG reports? And why do they care?

Investors
Let’s start with the obvious: investors! Today’s investors want to ensure their money supports organizations that align with their values. Increasingly, those values are moving further and further away from brown stocks. Investors are leaning away from companies that might risk damaging the environment, operate with inequities, or are vulnerable to corruption.

While sustainable investing is value-based for many investors, it’s also the safer, more lucrative investment in many cases.

A study by Nordea Equity Research reported that, over three years, companies with high ESG ratings outperformed the lowest-rated companies by as much as 40%.

A Bank of America Merrill Lynch study found that firms with a healthier ESG record yielded higher three-year returns. They were also more likely to become high-quality stocks, less likely to experience significant price drops, and less likely to go bankrupt.

All this to say, an ESG score isn’t just a number. It indicates to investors that your company is a proactive, forward-thinking entity that will satisfy the investor’s need for ROI and their conscience.

Internal stakeholders
Many stakeholders within a business can benefit from ESG performance data.

For example:

Sales and marketing can use ESG data to showcase a company’s sustainability performance in their efforts to entice new customers.
IR and PR teams can tout ESG successes to improve the company’s reputation.
HR reps can use social data to attract talent.
Finance teams and chief executives can use ESG insights to improve profitability, contain costs, identify new business opportunities, and recognize areas of investment and divestment when ESG data is connected to financial performance.
Organizations can put ESG performance data to work in many ways. Regarding business value, ESG reports can give every department leverage in furthering the growth and goodwill towards an organization.

ESG scoring bodies
A good ESG score is a golden ticket to a favorable ESG reputation. To receive one, you’ll have to complete surveys or create reports designed by third-party providers, who then calculate ESG scores based on the metrics and ESG performance you reported. Like a credit score or a bond rating, an ESG score demonstrates your company’s ability to meet its ESG commitments, performance, and risk exposure.

Notable ESG scoring organizations are Bloomberg ESG Data Services, Sustainalytics, ESG Risk Ratings, JUST Capital, MSCI, Refinitiv, Dow Jones Sustainability Index Family, and RepRisk.

Banks and financial institutions
Banks, capital markets, and wealth managers are moving towards ESG agendas. This is not just an ethical move but one of demand, risk, and reward.

In terms of demand, millennials lean significantly towards sustainable investments. A survey by EY found that millennials are twice as likely to invest in a fund or stock if social responsibility is a component of the value creation narrative. (Might I remind you millennials are the demographic soon to be society’s primary wealth holders.)

In terms of risk, the liability to banks is two-fold. First, banks are subject to the same sustainability scrutiny as other businesses — customers want to bank with sustainably responsible banks. And second, banks face similar challenges to investors: lending to companies that aren’t sustainable could also pose threats to their business. Will a coal mine be able to repay its debts when sustainable alternatives take over? While banks might not be in this scenario just yet, in the future, it’s possible that businesses could see requests for funding denied if they don’t prove to be sustainable enough.

In terms of reward, again, we see companies with strong ESG performing better than those with weak ESG. An analysis completed by global investment manager BlackRock found that up to 88% of sustainable funds outperformed their non-sustainable counterparts between January 1, 2020, and April 30, 2020. Why would a wealth manager allocate funds to an unsustainable stock when a more sustainable and equally (if not more) profitable alternative exists? Why choose to lose/win when you could choose to win/win?

Regulators
Incoming! A stampede of regulations is making its way into the ESG reporting arena. Two regulations of note are:

The EU’s Corporate Sustainability Due Diligence (CSDD)

In February 2022, the European Commission published a draft of the CSDD. If passed, the CSDD would require companies to disclose the impacts of their operations on human rights and the environment.

The US’s new climate-related disclosures

In March 2022, the SEC proposed expansive new climate-related disclosures related to greenhouse gas emissions, climate risks, transition plans, and governance.

Sullivan and Cromwell LLP has a great round-up of the latest (up to May 2022) ESG regulatory advancements here. The bottom line: ESG is being written into everything from litigation to financial institutions, disclosure and governance, and law. While your particular flavor of ESG regulation will be subject to your jurisdiction and industry, you can bet on increased regulatory scrutiny coming your way soon.

Consumers
B2C companies find themselves with a consumer who cares about their product, how it’s made, and who’s making it. Recent PWC research found that:

Consumers aged 17 – 38 years are almost twice as likely to consider ESG issues when making purchasing decisions than others.
Over half of consumers surveyed said that a company’s purpose and values played a role in their purchasing decisions.
49% of consumers and 66% of millennials use the internet to learn more about a company’s ESG practices before buying a product or service.
From this, we can conclude a few things. The future of the sales will be dependent on ESG performance. And consumers aren’t satisfied with marketing promises — they want the ESG evidence, and your reports will be front in center of their investigations.

Everyone’s looking at ESG
Don’t make stakeholders struggle to seek out your ESG performance. By using a corporate performance management approach to ESG reporting, you can tell your sustainability story, disclose according to multiple new and evolving frameworks, and connect financial outcomes, operational activities, and ESG performance to ensure sustainability is always tied to doing good for the earth, people, and your bottom line.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Transit systems. Healthcare facilities. Financial services firms. What do they all have in common? Organizations within these sectors — and essentially all industries, for that matter — have been hit by ransomware, a type of malware where cybercriminals demand a ransom payment to unlock access to your private and confidential systems and files.

While many cybersecurity risks exist, ransomware is often one of the more pressing challenges. Not only can it bring operations to a screeching halt, but it can also cause issues like data leaks and reputational damage. A global survey by cybersecurity software company Sophos finds that 66% of surveyed organizations suffered ransomware attacks in 2021. “It took on average one month to recover from the damage and disruption,” Sophos adds.

Given the severity of ransomware risk, internal auditors should aim to help their organizations reduce these threats, along with overall cybersecurity risks. How? As Audit International will examine in this article, internal audit departments can take steps such as conducting IT/cybersecurity audits and using technology like internal audit management software to improve internal controls and collaboration.

Review IT practices and controls :
Even though internal auditors generally aren’t responsible for choosing cybersecurity software and establishing employee training to recognize ransomware risks, they can still provide assurance over IT practices and controls, such as with an IT audit.

When IT teams conduct phishing tests to see whether employees are tricked by email scams that can cause ransomware issues, internal auditors are then able to review those results and ensure that the organization is meeting a sufficient standard to prevent social engineering. If the results demonstrate gaps in employee preparedness on ransomware risk or other cybersecurity risks, then internal auditors would likely want to communicate that risk to other stakeholders, like boards and senior management.

Internal audit leaders might also review remote work policies to ensure that IT teams are appropriately managing these with ransomware risk in mind, rather than just focusing on the functionality of work-from-home environments. While internal auditors often rely on guidance from IT leaders, they can still audit areas like access logs to ensure that only approved devices, with the appropriate threat intelligence and data protection technologies, are connecting to their networks.

Align key stakeholders :
Improving ransomware protection also means internal auditors need to align key stakeholders, rather than just collaborating with IT. That means pulling together information from multiple departments to make sure everyone’s on the same page.

Internal auditors should check with finance teams to see how they’re accounting for the potential costs of a ransomware attack, and then ensure that other key stakeholders, like boards and senior management, understand and agree with this approach. Otherwise, issues like not having a sufficient budget to recover from a ransomware attack may arise.

“Regardless of their size or revenue, organizations should assume they will be targeted with ransomware, and they should examine their prevention, detection, mitigation, response, and recovery measures,” notes Zachary Ginsburg, research director for the Gartner Audit and Risk practice, in a Gartner press release.

Leverage internal audit management software :
Internal auditors can mitigate ransomware risk by leveraging internal audit management software. Many technologies are designed to assist with cybersecurity risk management, but from an audit perspective, internal audit management software is important for gaining assurance.

Overall, internal audit teams have an opportunity to make a significant impact when it comes to ransomware risk management. Planning ahead and focusing on internal alignment can go a long way toward reducing ransomware attacks and other cybersecurity risks.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Have you ever had one of those days where you were determined to write that audit report? So you block off the time on your calendar, go into your office, shut the door, remove any and all distractions and breathe. Because now is the time to take all of those thoughts and perfect phrases running wild in your head and put them on paper. You sit down at your desk ready to make it happen. And you come up with nothing.

You decide to invite a colleague in to assist. Because after all, two heads are better than one. The two of you discuss the issues thoroughly, but nothing seems to sound right.

Writing objective observations takes time, skill, and tact. And if you’re like any other auditor, the audit issues sound wonderful in your head. But by the time you formulate the right words, reach for your pencil and place it on paper, that wonderful wording has become a distant memory. It’s worse if you’re in a group setting because you now become frustrated as the group begins asking you to repeat what you said. Unable to remember words uttered only seconds prior, it is only then that you realize how old you truly are.

If you’ve ever faced this situation, do not fear. There are several tools and techniques you can use to speed up and improve your report writing. But first, we must address the five big problems with writing reports:

1. We think faster than we write
2. Our million dollar thoughts come at the wrong time
3. We believe in writer’s block
4. We look for perfection in the first paragraph
5. We don’t understand and/or appreciate the writing process

5 Problems with audit report writing
We think faster than we write
We’ve all been there. Browsing through our cabinets trying to make a mental grocery list. Then you reach the point where there are too many items to remember. You decide to write a list. You reach for your paper and before the pen touches the pad, you’ve already forgotten the five items you wanted to write.

Our brains are fascinating. I can remember where I was in the summer of 1989, but I cannot remember what I ate for breakfast this morning. It is that forgetfulness that can derail your report writing.

Our million dollar thoughts come at the wrong time
Worse yet is when you have this wonderful idea, but then realize that it is 5:00 o’clock and you are stuck in traffic. There is no way you can capture that great thought without causing a pile up. So you try other techniques. You turn off the radio and repeat whatever it is over and over. You hope to continue this until you get home, or at least until you get to a stopping point. Of course something interrupts your thought and you forget what you were trying to remember.

We believe in writer’s block
Some people believe that writer’s block is a thing. I’m here to tell you, it is not. At least in the context of business writing or internal audit reports. Wikipedia define writer’s block as follows:

“Writer’s block is a condition, primarily associated with writing, in which an author loses the ability to produce new work or experiences a creative slowdown. This loss of ability to write and produce new work is not a result of commitment problems or lack of writing skills. The condition ranges from difficulty in coming up with original ideas to being unable to produce a work for years. Writer’s block is not solely measured by time passing without writing. It is measured by time passing without productivity in the task at hand.”

As you can see, writer’s block is a primary concern for creative writers. Our audit reports are, or should be, factually based non fiction. We are taking a series of facts, placing some logic and order to those facts, and providing management with a conclusion. What we are not doing, is creating new characters or developing plots and story lines. We know the beginning, middle and end of the story. Therefore, we know what to say. The problem is how do we say it so that it has the best impact given within the culture of the organization.

We look for perfection in the first paragraph
Because audit report writing is simpler than creative writing, we believe that we should be able to sit down and create the perfect prose in minutes. After all, we know the beginning, middle and end of the story. When we finally put pen to paper, our initial draft is usually not good. We then become frustrated. But I believe that frustration is because we don’t understand the writing process.

We don’t understand and/or appreciate the writing process
All the magic happens in the editing. Any writer will tell you this. Ernest Hemingway famously once said that “The first draft of anything is ****” (insert a very bad word here). As someone who has had articles published, I can tell you this is true. I can recall the first time I sent something to an editor. I thought it was an okay piece. But what came back was a magnificent manuscript. I fined tuned it a little and the result was something we were all pleased with. The writing process does not require perfection at the start. Your initial goal is to get something on the page. After that, trust the process and let the magic happen in editing.

3 tools you can use
Google voice typing
Because our brains seem to signal our mouths to speak faster than our hands can write, voice typing is the perfect shortcut to getting those wonderful words out of your head and on paper. For those unfamiliar with voice typing, you talk, it types. It’s as simple as that. Well, sort of.

The best free voice typing tool I’ve found is through Google. Log in to your account. Then, access Google Docs and open a document. Go to Tools, then Voice Typing (or you can press Ctlr+Shift+S).

You will see a microphone that may say Click to Speak. Click it, talk to it, and watch the magic happen. You will need to learn certain commands like period, comma and new paragraph. But other than that, if you speak clearly, it will recognize most speaking voices and words.

Your Cell Phone voice recorder
If barking out commands to your computer isn’t your thing, you’re in luck. There’s another option. If you’re like me, your cell phone is probably within arms reach. Grab your phone and go to your favorite app store. Search for a voice recorder. You should see several. Download one that piques your interest.

You can now record yourself talking about the audit issues. Now you will never miss that wonderfully worded paragraph that would sound great in an audit report. Once recorded, you can listen to the recording and pull out the impactful paragraphs.

Transcription
If you truly believe the recording represents your best work ever, you can have it transcribed. Yes, you heard me, transcribed. It’s not as bad or as expensive as you think. Before I get into that, I must say that I am not being paid by nor am I endorsing these specific products. there are several transcription services that I have used. Some use live transcribers while others use automated engines.

Summary

Writing audit reports can be a daunting task. But it has to be done. Nowadays we have a lot of tools that can help streamline the process. Many of the biggest issues start with us. Writer’s block is only as real as we allow it to be. Sit down and put something on paper. Use some electronic tools to get your words on paper. Almost any words will do. Afterall, the magic happens in the editing.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

This week Audit International are taking a look at the 4 ways how Internal Audit can get a seat at the table.

When it comes to risk management and compliance, most organizations operate on a 3 Lines of Defense (3LOD) model, in which operational management, compliance, and internal audit work together in tandem to assess and mitigate risk and manage controls and compliance.

This model may be successful in theory, but as the risk management and compliance functions have grown more complex, it doesn’t always work as well as you might hope. Given the rising sophistication of cybersecurity threats and incidents of fraud, and the increasing compliance requirements posed upon organizations of all sizes, it can be difficult to keep an organization-wide pulse on threats and breaches in compliance as they arise.

The problem is, the three branches don’t always collaborate effectively, which may leave internal audit out of the loop and unable to provide much value to the organization. They may not have access to the data they need to generate effective recommendations. The internal audit team’s focus may be simply on checking boxes and ensuring compliance, rather than providing strategic insights that will help your organization understand and take steps to mitigate new threats.

If you want your internal audit team to move the needle at your organization, you need to get the ear of executives who can advocate for your work. By partnering with leadership, you’ll be able to spearhead new initiatives and gain critical access to data that will help your organization save money and reduce risk, proving your team’s value.

Here are four strategies for doing that effectively:

Identify the key people who can support you, and make a plan to build relationships with them
Your audit team will naturally be in touch with the managers who can provide key information needed to conduct your audits—but by focusing only on these contacts, you’re missing out on building relationships with the leaders who will be able to help you gain a more visible role in the organization. Build a plan for conducting periodic outreach to higher-level executives within your organization, such as your chief risk officer or your CTO. You can solicit feedback from them on any open questions they may want your team to review in your audits, or provide high-level executive briefs showcasing work that you’ve done and issues they may want to explore in further detail. Make sure that they know you and your team are available to support them and open for feedback.

Proactively address organization-wide trends
Rather than focusing solely on issues identified in individual audits, start looking at your audit results in aggregate to identify trends. Is a single department or office location having trouble resolving a specific compliance issue, or is it an across-the-board trend that should be shared with your executive team? Review your data frequently to understand risks that should be mitigated, and come up with step-by-step action plans for how they should be addressed, including who’s responsible and what the benchmarks for success are.

Pay close attention to third-party risks
Many audit teams take an insular view of risk management, failing to uncover the external risks brought on by vendors and technology partners. Make sure that you have policies in place to carefully vet and automate compliance on your third-party vendors, pulling in external data that will alert you to any financial or legal issues they may face. Regularly track all of your solutions and technology partners for red flags, and ensure that you have a strategy for mitigating them. You can showcase your findings in sessions with executives and other partners throughout the business, and collaborate to come up with a plan for any of your scenarios. Keep in mind that risks from big providers such as Amazon or Facebook may impact a lot of your customers or partners as well, so ensure that you map out all of the variables that may impact your company’s business model across the board.

Use best-in-class GRC technology to automate compliance and analyze data
In order to provide the most useful insights to your leadership team, it’s important to integrate your entire risk management function across an easy-to-use GRC platform. Your GRC platform should come with pre-built content that will help you automate your controls framework, regardless of your industry. It should make it easy to monitor compliance status and risk levels across the organization at any given time, with triggers prompting action when control levels are not being met. You should be able to easily drill down into your data and generate executive dashboards, so that you can share insights to justify recommendations and help your leadership team make better informed business decisions.

By building a cohesive strategy for integrating with the 3LOD, backed by in-depth data analytics, real-time data feeds, and workflow automation, your audit team will be able to generate insights that can help to identify new risks, and develop new strategies for mitigating risks across the entire organization. This will help you to become a highly visible, influential, and trusted partner to the business.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Audit International were in awe to hear this revolutionary news from the billionaire founder of the outdoor fashion brand Patagonia. He has announced just yesterday he is giving away his company to a charitable trust.

Yvon Chouinard said any profit not reinvested in running the business would go to fighting climate change.

The label has amassed a cult following due to sustainability moves like guaranteeing its clothes for life and offering reasonably priced repairs.

The brand’s website now states: “Earth is now our only shareholder.”

Mr Chouinard has always said he “never wanted to be a businessman”.

A rock climbing fanatic, he started out as making metal climbing spikes for himself and his friends to wedge into rocks, before moving into clothing and eventually creating a hugely successful sportswear brand with a cult following.
Founded in 1973, Patagonia’s sales were worth around $1.5bn this year, while Mr Chouinard’s net worth is thought to be $1.2bn.

He claimed that profits to be donated to climate causes will amount to around $100m (£87m) a year, depending on the health of the company.

“Despite its immensity, the Earth’s resources are not infinite, and it’s clear we’ve exceeded its limits,” the entrepreneur said of his decision to give up ownership.
The Californian firm was already donating 1% of its annual sales to grassroots activists and committed to sustainable practices. But in an open letter to customers, the apparently reluctant businessman said he wanted to do more.

Mr Chouinard said he had initially considered selling Patagonia and donating the money to charity, or taking the company public. But he said both options would have meant giving up control of the business and putting its values at risk.

Instead, the Chouinard family has transferred all ownership to two new entities. The Patagonia Purpose Trust, led by the family, remains the company’s controlling shareholder but will only own 2% of its total stock, Mr Chouinard said.

It will guide the philanthropy of the Holdfast Collective, a US charity “dedicated to fighting the environmental crisis” which now owns all of the non-voting stock – some 98% of the company.

“Each year the money we make after reinvesting in the business will be distributed as a dividend to help fight the crisis,” Mr Chouinard said.
Patagonia combines high-end outdoor fashion with its own brand of environmental and social activism. It’s a heady combination that certainly appeals to a loyal, if predominantly well-heeled following.

Part of the attraction comes from the fact that its environmentally conscious stance isn’t new. It was preaching eco-awareness years before sustainable fashion became fashionable.

But it’s still pretty hard to save the planet, if your business depends on selling stuff, however many recycled or renewable products you use.

By ringfencing future profits for environmental causes, Patagonia’s founder Yvon Chouinard has done his best to square that circle.

But he is also clearly trying to ensure that Patagonia brand is future-proofed and can never fall into the hands of the kind of companies he has accused of greenwashing in the past.

It’s nice to bring a good news story to you readers, and it will be interesting to see if any other climate conscious companies will follow suit. The bar has well and truly been set.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”