Sarbanes-Oxley

When SOX was first enacted in 2002, its goal was to increase the overall transparency of financial reporting while, at the same time, developing a more reliable system of checks and balances. It was understood that compliance was both a legal obligation and good business practice.

Affecting both public and private U.S. companies, as well as those non-U.S. companies with a U.S. presence, SOX is focused on corporate governance and financial disclosure. It requires that all financial reports include Internal Controls Reporting and demonstrate that a company’s financial data is complete and accurate, with an adequate number of controls established to safeguard it. It also encourages the disclosure of corporate fraud by protecting whistleblower employees of publicly traded companies or their subsidiaries who report illegal activities.

The continued evolution of ESG, on the other hand, includes a variety of factors that are often used to evaluate a company’s commitment to sustainable operations. The environmental factors in ESG offer insight into an organization’s environmental impact, including its carbon footprint, climate change initiatives, waste management policies, natural resource conservation, pollution, or efforts to decrease deforestation.

The social component of ESG examines an organization’s treatment of stakeholders (workforce, customers, providers and suppliers, government, regulators, or the local or global community) on issues such as diversity, equity, and inclusion practices, wages and salaries, and sales practices.

Lastly, the ‘G’ in ESG focuses on the governance factors and how to assess whether a company’s internal processes are able to ensure the organization, and its employees, act with professionalism and integrity.

While SOX is primarily focused on financial information — working with finance professionals and accountants — ESG is more concerned with non-financial data and metrics. It shouldn’t come as any surprise when organizations faced with these evolving and new ESG reporting requirements ask themselves.

The role of internal audit: starting small and looking at the bigger picture
In the years that followed the introduction of SOX, the effect that it had on the internal audit profession was clearly a double-edged sword. On the one hand, internal auditors were quickly recognized as the experts needed to step into this space and provide the guidance that so many organizations needed. This resulted in growth across both the internal audit profession, as well as the various functions internal auditors were able to provide assurances for. It’s fair to say that internal audit membership more than doubled during the first few years of SOX implementation.

However, due to the urgency and level of uncertainty that SOX presented, leaning heavily on internal auditors also resulted in their spending greater amounts of time focused exclusively on SOX priorities, and significantly less time focused on those risk-based audits that organizations depend on. From an internal audit perspective it was a massive undertaking, and one that led to organizations developing SOX-specific internal audit teams.

Over the course of the last 20 years, and as a direct result of SOX, internal audit’s role around internal controls for financial reporting has become well established. Many of those same auditing skills and practices can (and should) be applied to ESG. However, an all-too-common question that’s on everyone’s mind is — “Who is responsible for ESG?”

ESG should be viewed as a top-down initiative, particularly from an organizational perspective regarding mandates, targets, and how goals are being established, monitored, and reported on. Each area or department of an organization should be aware of and responsible for their ESG initiatives. However, internal audit has an opportunity to become trusted advisors and take on more of an influential role when it comes to those first steps.
How can internal audit provide the greatest value?
Organizations should reflect on the experiences they had in the early days of SOX and focus on identifying and understanding what the key controls of ESG will be. Where SOX was focused exclusively on financial reporting, ESG falls into that category of “everything else”. It comes down to the accuracy and reliability of the information. But how does an organization go about achieving that? The same way financial reporting was achieved with SOX.

Organizations have become comfortable with their financial reporting. They have been measured according to their financial results for a very long time. ESG in audit is different. It’s broader. It covers more ground and organizations will need to take some time to comprehend how to effectively turn the foundations of ESG into meaningful reports. Although it may be more complicated, the underlying processes that have been used for Sarbanes-Oxley for the last 20 years can be leaned on as a starting point when addressing ESG and identifying a methodology for assurance.

ESG presents a tremendous opportunity for internal audit to make an impact within their organizations. Because it is still evolving, and new guidelines and mandates are being released every day, a good strategy for internal audit would be to start small and identify those ESG factors that can be quickly included into your existing audit plan. Whether that’s reducing overall energy consumption throughout your office or working more closely with Human Resources to ensure new-hire practices are following appropriate guidelines, acknowledging the industry your organization resides in, understanding its risk landscape, and identifying a best-practices framework will give you the direction you need to successfully navigate ESG.

If there is one takeaway from the lessons learned when SOX was first implemented, it’s that those in the internal audit profession should avoid taking the “wait and see” approach with ESG. ESG is here and is gaining exposure and traction every day. The social ramifications of ESG alone should be enough for organizations to sit up and take notice. Understanding how to audit ESG — knowing your organization’s metrics and targeted reporting requirements, what to audit against and include in the final audit report — will better position you for success as a trusted advisor within your organization. Fill those essential Subject Matter Expert gaps early on with Audit International, identify and engage with key stakeholders, and avoid the reactionary trappings and costly mistakes of waiting too long and scrambling for solutions.

Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc. across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com

Audit International recommend five ‘Under the Radar’ Areas to Audit that May Not Be on the Audit Plan.

As internal auditors, we all have a “spidey sense” of what we should be auditing.

Sure, we should, of course, conduct comprehensive risk assessments that drive our audit plan, and many of the usual suspects will end up on that plan: cybersecurity, regulatory compliance, financial reporting, third-party relationships, and you know the rest.

But there are things, we would strongly profess, that should be audited, even if we aren’t formally auditing them and they never make it to the actual audit plan. Just by being aware—casting that web, if you will—you should constantly informally “audit” a few critical areas.

What might be some of those things we should (lower case) audit, even if we aren’t (upper case) Auditing them? Here’s Audit International’s take on five:

1. Culture: Are Disconnects, Even if Subtle, Surfacing?

So much has been written and said about doing culture audits and internal audit’s potential role in doing such a review. Perhaps, however, your organization doesn’t support internal audit doing a full-blown culture audit. Does that mean you throw your hands up and do nothing with the topic? Heck, no!

Look, we are among the very few in the organization who have the benefit of both grasping the desired culture and viewing the entire company because of our day-to-day work. So, why not leverage that, tune into what is going on around us, and notice the organizational behaviors, actions, and attitudes that are consistent with, as well as (importantly) counter to, the desired culture?

So, what’s an internal auditor to do?

Some caveats, though. First, be sure you completely understand the desired culture, both what is formally stated through things like the organization’s listed core values as well as what is implied in the “how things are done around here” subtleties. The formal and the informal culture are equally important. Then, as you go about your work in various departments and interact with people at all levels of the organization, be cognizant of behaviors, language, demeanor, protocols, and other elements that seem inconsistent with what you expected.

Now, if you witness such imbalances, and you’ll know because it will make you a bit uncomfortable, talk with close colleagues or discuss it amongst your team. If something seems amiss, continue to keep your eyes and ears open and provide your internal audit function leadership with examples of what you are witnessing. If there are culture issues in a particular area of your organization, they are likely manifesting themselves in a number of other issues as well. Your internal audit function leadership will guide you on what to do and may provide guidance on the next course of action. Chief audit executives will need to consider when and how to elevate such delicate issues. Yes, it’s a sensitive topic, but something that might be critical to address. Your spidey sense will guide the way.

2. Employee Engagement: Are People Checking Out?

While it has been a topic in the corporate world for more than 20 years, at least since the Gallup Organization and their Q12 employee survey instrument brought it into the lexicon, “employee engagement” has re-emerged these days. By now, we’ve all heard the new buzz phrase “quiet quitting.” While it’s a catchy label that has been slapped on what is, in essence, just disengagement, it’s not to be taken lightly. Employees who have become disengaged in your company’s mission, vision, and values don’t have passion to do their best. This should be deeply problematic to executive leaders and, in turn, to you. It is a significant and costly drain on everything your organization does.

So, what’s an internal auditor to do?

Just like with the culture topic, we, as internal auditors, interact with more of the organization across all levels (along with HR) than most anyone else in the entire organization. Therefore, we have our finger on the pulse when it comes to engagement and its evil twin, disengagement. Do we have a general sense through the course of our internal audit work of whether people care or are just going through the motions? Sure, we do.

We don’t need to be scientific about it, and we don’t have to call anyone or any function, department, or location out, per se, but if we see that there is a trend developing toward greater levels of disengagement, let it be known. Make it a part of what we absorb about the organization on a daily, weekly, and monthly basis. Elevate the concerns, whether to HR, department levels, or even the senior management. In other words, don’t ignore it.

3. The Physical Facilities: Are Things in Disrepair?

As much as we may not all be going into a physical office as much anymore, many employees will still spend at least some time in the office or at company facilities. And, the physical state of the office location, branch, facility, or building space is important. Not only can facility disrepair be unhealthy or unsafe, but it can also just negatively affect employee psyche or customer impressions. Pay attention to what things look like and what is the state of the physical environment around you. It may signal deeper problems or an overall neglectful view of the business.

We all have stories about what we’ve witnessed. I remember walking past a locked closet and smelling a damp odor. I could have just ignored it, thought it was just me, or figured that someone else was probably aware of it. Instead, I decided to mention it to the facilities manager of the location. And, lo and behold, behind the rightfully locked door a roof leak had infiltrated the space and it was a wiring closet. It could have been a big problem if it were ignored for any length of time.

So, what’s an internal auditor to do?

Keep your eyes and ears open as you go about your work. Does something seem amiss regarding the physical location? Mention it to someone who could do something about it. What’s the worst that could happen? They tell you “thanks, we are aware of it.” At best, you help address an issue before it gets out of hand. Sometimes we all become blind to our physical surroundings because we’ve just been there for so long. But a fresh set of eyes and ears might just help the organization out and make employees and customers even more appreciative of the physical space they show up to and that the organization spends so much money on. Internal audit can have a unique perspective of noticing what goes unnoticed.

4. The Parking Lot Check: Is Fraud Hiding in Plain Sight?

Closely related to the physical state of the facilities is the state of the employees. Ever see a change in someone’s habits that doesn’t sync up with what has gone on in the past, and find yourself wondering “what’s up with that?” Perhaps someone is showing up to the office in a new luxury car or expensive clothes, or talking about some lavish vacation they went on?

Most often, there is a great explanation, and it is none of our business. But any of us who have been around the block a few times will also know that, occasionally, these changed behaviors are clues that something is amiss and that someone may be on the take. You could call this “doing a parking lot audit.” So many frauds and embezzlements have left a trail of these clues as the perpetrator wanted to channel their ill-gotten gains into the fruits of luxury and apparent success. It’s not an outright indicator of fraud, of course, but it might be a red flag to dig deeper, especially if things weren’t adding up already.

So, what’s an internal auditor to do?

Just keep your eyes and ears open. Being observant of uncharacteristic behaviors, purchases, and chatter could provide clues to someone who is taking advantage of their position and situation to pilfer from your company. No, don’t go around accusing people of things where you have no proof, of course. But keep your eyes open and be vigilant. And, if you see something, say something to a trusted colleague within your internal audit department. If necessary, elevate it within your department and, if warranted and approved, do some follow-up in a clandestine manner. You may just catch something in its preliminary stages and head it off at the pass, so to speak. Most people steal from the company in small increments, and it escalates from there if they feel they are getting away with it undetected. But, in hindsight, there were usually always clues … perhaps no further away than in the parking lot.

5. Hotline Activity: Is Volume Up, or Has Volume Decreased?

Most internal audit functions have some role in monitoring their organization’s whistleblower hotline for employees, and sometimes also third parties, to file complaints. This may seem like a no-brainer, but you’d be surprised how often small complaints (that point to bigger problems) go unnoticed. Your internal audit function may have complete ownership of managing what comes through, you may partner with someone else in the organization, such as compliance, human resources, or legal, or you just get things passed to you for review or investigation as needed from one of these organizational partners. Regardless, you need to have some role in monitoring the volume of activity. What types of activity are coming through? Are there recurring issues? What are the trends? It doesn’t take an audit, but it does take awareness. Changes in volume can be very telling, and that could be changes in either direction (increased or decreased volume).

Increases in activity might spell some brewing issues of a more macro sense and, alternatively, decreases in volume may spell a level of distrust in the confidentiality of the hotline or a perceived lack of seriousness with which reported items might be getting addressed.

So, what’s an internal auditor to do?

It doesn’t have to be you, so long as someone in your internal audit function is attuned to the trends, both in terms of volume and types of activity. And, if there are notable changes in the trends, up or down, it might be time for a deeper understanding of what might be going on. This could be a signal of troubles brewing that are inconsistent with the desired culture.
—-
To be clear, internal auditors don’t need a formal audit plan initiative to keep abreast of important developments in the organization. It’s not easy, I know, as the formal audit plan has us busy enough, but a little observation may go a long way. Head up, eyes and ears open, use all your senses and leverage your well-honed intellectual curiosity and professional skepticism. Do some ad-hoc auditing of things you might not be able to (upper case) Audit and don’t necessarily make it to the formal audit plan. The organization will be better for it, and you will enhance your engagement and contributions innumerably.

As popularized in the Spiderman comics of yesteryear and said in more recent movies, “with great power comes great responsibility.” Wield it judiciously!

There is a common joke among physicists that fusion energy is 30 years away … and always will be. You could say something similar about artificial intelligence (AI) and robots taking all our jobs. The risks of AI and robotics have been expressed vividly in science fiction by the likes of Isaac Asimov as far back as 1942 and in news articles and industry reports pretty much every year since. “The machines are coming to take your jobs!” they proclaim. And yet, all of us here at Audit International still head to the office or log in from home each weekday morning.

The reality is less striking but potentially just as worrying. Most people expect that one day some sort of machine will be built that will instantly know how to do a certain job—including internal auditing—and then those jobs will be gone forever. More likely is that AI and smart systems will start to permeate everyday tasks that we perform at work and become critical parts of the business processes our units and companies conduct. (Indeed, many professions and industries have already been greatly disrupted by AI and robotics.)

Technology companies have been so successful over the last 30 years because of the common mantra of “move fast and break things.” And that was maybe just about acceptable when it meant you could connect online to your friend from high school and find out what they had for breakfast or search through the World Wide Web for exactly the right cat meme with a well-crafted string of words.

When the consequences now might mean entrenching biases in Human Resources processes, or mass automated biometric surveillance, not to mention simply not even understanding what a system is doing (so called ‘black boxes’), the levels of oversight and risk management need to be much higher.

The Regulatory Environment:
There is some existing regulation which covers aspects of this brave new world. For example, in the European Union, article 22 of the General Data Protection Regulation (GDPR) on automated individual decision-making, provides protection against an algorithm being solely responsible for something like deciding whether a customer is eligible for a loan or mortgage. However, the next big thing coming to a company near EU is the AI Act.

The proposal aims to make the rules governing the use of AI consistent across the EU. The current wording is written in the style of the GDPR with prescriptive requirements, extraterritorial reach, a risk-based approach, and heavy penalties for infringements, with the objective of bringing about a “Brussels effect,” where regulation in the EU influences the rest of the world.

Other western jurisdictions are taking a lighter touch than the EU, with the United Kingdom working on a “pro-innovation approach to regulating AI,” and the United States’ recent “Blueprint for an AI Bill of Rights” moving towards a non-binding framework. Both have principles which closely match the proposed legal obligations within the AI Act, hinting at the impact the regulation is already having.

Much of the draft regulation is still being discussed, with a final wording soon to be agreed. There are disagreements across industries and countries on whether some of the text goes far enough or goes too far. For example, there is debate over whether the definition of “AI” should be narrowed, as the current wording could encompass simple rules-based decision-making tools (or even potentially Excel macros), or even expanded to better capture so-called “general purpose AI.” These are large models which can be used for various different tasks, and therefore applying the prescriptive requirements and risk-based approach of the AI Act to them can become complex and laborious.

The uncertainty over the final wording has given companies an excuse to not make first moves to prepare for the changes. Anyone who remembers the mad rush to become compliant with the GDPR will remember the pain of leaving these things to the last minute. The potential fines, which may be as high as 6 percent of annual revenue depending on the final wording, could be crippling and have a cascade effect on a company’s going-concern.

What Can Internal Auditors Do?
As internal audit professionals we can start the conversation with the business and other risk and compliance departments to shine the light on the risks and upcoming regulations which they may be unaware of. It is our objective to provide assurance but also add value to the company and this can be done through our unique ability to understand risks, the business, and provide horizon scanning activities.

Performing internal audit advisory or assurance work, depending on the AI risk maturity level at the organization, can highlight the good practice risk management steps that can be taken early to help when the regulation is finalized. These steps could include:

1) Identify AI in Use: To be able to appropriately manage AI risks throughout their lifecycle, stakeholders need to be able to identify systems and processes which make use of AI. Agreeing on a definition of AI and developing a process to identify where it is in use is the first step. This would include whether it is being developed in-house, is already in use through existing tools or services, or acquired through the procurement process.

2) Inventory: Developing an inventory which includes information such as the intended purpose, data sources used, design specifications, and assumptions on how and what monitoring will be performed is a good starting point and can be added to, based on your company’s unique characteristics and any specific legal requirements that are implemented in the future.

3) Risk Assessments: Since a key aspect of the AI Act is it being “risk-based,” it is important to have a risk assessment process to ensure you take the necessary steps as required in the regulation, based on the type of AI used. For example, what level of robustness, explainability, and user documentation is necessary based on the risk tier provided. It is also important to consider the business and technology risks of using the AI. For example, machine learning using neural networks requires large training datasets, which can raise issues of data protection and security, but may also perpetuate biases that are contained in the datasets. Suitable experts and stakeholders should be involved in the development and assessment of the risk assessment process.

4) Communications: One area that is often forgotten is communication. It is all well and good having a policy or a framework written down but if it isn’t known and understood by the relevant stakeholders it’s worth less than the paper it’s printed on. Involving key stakeholders during the development of your AI risk management processes can help develop a diverse platform of champions throughout the business who can act as enablers as the requirements are communicated and regulation finalized.

5) On-going monitoring: Risk management is not a one-off exercise and this is no exception. Use cases, technology, and the threat landscape change over time and it is important to include a process for on-going monitoring of AI and the associated risks.

The machines may not be coming to take our jobs just yet, but the risks are already here and so are the opportunities to get ahead. There may be a long and winding road in front, as we all prepare for a world where AI is commonplace and new regulations and standards try to shape its use, but each journey starts with a step and it’s never too early to get going.

A recent study revealed that 82% of finance and business leaders must comply with sustainability requirements or ESG regulations. Even without mandatory regulatory standards in place, Audit International would bet their bottom dollar that more companies would voluntarily take on sustainability initiatives and thus, produce ESG reports.

Why? Because more stakeholders are looking.

The number of parties with vested interests in ESG performance has dramatically increased. The tendency is to think of investors as the sole consumer, judge, and jury of ESG reports, but that’s changing, especially as other stakeholders find themselves subject to ESG expectations.

So, who’s really looking at your ESG reports? And why do they care?

Investors
Let’s start with the obvious: investors! Today’s investors want to ensure their money supports organizations that align with their values. Increasingly, those values are moving further and further away from brown stocks. Investors are leaning away from companies that might risk damaging the environment, operate with inequities, or are vulnerable to corruption.

While sustainable investing is value-based for many investors, it’s also the safer, more lucrative investment in many cases.

A study by Nordea Equity Research reported that, over three years, companies with high ESG ratings outperformed the lowest-rated companies by as much as 40%.

A Bank of America Merrill Lynch study found that firms with a healthier ESG record yielded higher three-year returns. They were also more likely to become high-quality stocks, less likely to experience significant price drops, and less likely to go bankrupt.

All this to say, an ESG score isn’t just a number. It indicates to investors that your company is a proactive, forward-thinking entity that will satisfy the investor’s need for ROI and their conscience.

Internal stakeholders
Many stakeholders within a business can benefit from ESG performance data.

For example:

– Sales and marketing can use ESG data to showcase a company’s sustainability performance in their efforts to entice new customers.
– IR and PR teams can tout ESG successes to improve the company’s reputation.
– HR reps can use social data to attract talent.
– Finance teams and chief executives can use ESG insights to improve profitability, contain costs, identify new business opportunities, and recognize areas of investment and divestment when ESG data is connected to financial performance.

Organizations can put ESG performance data to work in many ways. Regarding business value, ESG reports can give every department leverage in furthering the growth and goodwill towards an organization.

ESG scoring bodies
A good ESG score is a golden ticket to a favorable ESG reputation. To receive one, you’ll have to complete surveys or create reports designed by third-party providers, who then calculate ESG scores based on the metrics and ESG performance you reported. Like a credit score or a bond rating, an ESG score demonstrates your company’s ability to meet its ESG commitments, performance, and risk exposure.

Notable ESG scoring organizations are Bloomberg ESG Data Services, Sustainalytics, ESG Risk Ratings, JUST Capital, MSCI, Refinitiv, Dow Jones Sustainability Index Family, and RepRisk.

Banks and financial institutions
Banks, capital markets, and wealth managers are moving towards ESG agendas. This is not just an ethical move but one of demand, risk, and reward.

In terms of demand, millennials lean significantly towards sustainable investments. A survey by EY found that millennials are twice as likely to invest in a fund or stock if social responsibility is a component of the value creation narrative. (Might I remind you millennials are the demographic soon to be society’s primary wealth holders.)

In terms of risk, the liability to banks is two-fold. First, banks are subject to the same sustainability scrutiny as other businesses — customers want to bank with sustainably responsible banks. And second, banks face similar challenges to investors: lending to companies that aren’t sustainable could also pose threats to their business. Will a coal mine be able to repay its debts when sustainable alternatives take over? While banks might not be in this scenario just yet, in the future, it’s possible that businesses could see requests for funding denied if they don’t prove to be sustainable enough.

In terms of reward, again, we see companies with strong ESG performing better than those with weak ESG. An analysis completed by global investment manager BlackRock found that up to 88% of sustainable funds outperformed their non-sustainable counterparts between January 1, 2020, and April 30, 2020. Why would a wealth manager allocate funds to an unsustainable stock when a more sustainable and equally (if not more) profitable alternative exists? Why choose to lose/win when you could choose to win/win?

Regulators
Incoming! A stampede of regulations is making its way into the ESG reporting arena. Two regulations of note are:

The EU’s Corporate Sustainability Due Diligence (CSDD)

In February 2022, the European Commission published a draft of the CSDD. If passed, the CSDD would require companies to disclose the impacts of their operations on human rights and the environment.

The US’s new climate-related disclosures

In March 2022, the SEC proposed expansive new climate-related disclosures related to greenhouse gas emissions, climate risks, transition plans, and governance.

Sullivan and Cromwell LLP has a great round-up of the latest (up to May 2022) ESG regulatory advancements here. The bottom line: ESG is being written into everything from litigation to financial institutions, disclosure and governance, and law. While your particular flavor of ESG regulation will be subject to your jurisdiction and industry, you can bet on increased regulatory scrutiny coming your way soon.

Consumers
B2C companies find themselves with a consumer who cares about their product, how it’s made, and who’s making it. Recent PwC research found that:

-Consumers aged 17 – 38 years are almost twice as likely as others to consider ESG issues when making purchasing decisions.
-Over half of consumers surveyed said that a company’s purpose and values played a role in their purchasing decisions.
-49% of consumers and 66% of millennials use the internet to learn more about a company’s ESG practices before buying a product or service.

From this, we can conclude a few things. The future of sales will be dependent on ESG performance. And consumers aren’t satisfied with marketing promises — they want the ESG evidence, and your reports will be front and center of their investigations.

Everyone’s looking at ESG
Don’t make stakeholders struggle to seek out your ESG performance. By using a corporate performance management approach to ESG reporting, you can tell your sustainability story, disclose according to multiple new and evolving frameworks, and connect financial outcomes, operational activities, and ESG performance to ensure sustainability is always tied to doing good for the earth, people, and your bottom line.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Audit International have put together a brief guide to strategic audit planning and resourcing.

Managing your audit requires strategic planning whilst ensuring that all internal resources are appropriate and effectively deployed.

Strategic audit planning
An audit needs assessment (ANA) exercise should be undertaken to inform the development of the organisation’s internal audit strategy (IAS). This ANA should be regularly updated and the IAS amended as necessary to reflect the changing assurance needs of the organisation.

The ANA should be updated at least annually but, increasingly, organisations are seeking to achieve more organic strategies that evolve more frequently to reflect the increased speed of change which many are experiencing – particularly fuelled by technology and competition. This requires continuous monitoring of the internal and external environment, and frequent and meaningful dialogue with both senior management and the audit committee.

The ANA represents a critical ingredient in the provision of an adequate, relevant and timely internal audit. It should be used to direct internal audit resources to those aspects of the organisation that represent the greatest risk to the achievement of its objectives, and where internal audit can aid management of those risks.

The ANA process should include:
-Review of the organisation’s risk register / board assurance framework
-Review of performance management data
-Review of previous audit opinions and progress on actions
-Review of other second and third line sources of assurance
-External major incidents/risks and other factors such as industry issues
-Planned organisational changes or major projects
-Reports from regulators
-Discussion with senior management, audit committee and external audit

All of the above should be considered in the context of organisational risk appetite, current risk exposure and acceptance of risks.

In organisations which have moved their risk management arrangements on to reflect the board assurance framework, this is a useful tool in the ANA process. This approach starts with strategic objectives, the risks to achieving those objectives, and then typically the ‘three lines of defence’ within the organisation which aim to manage risk to within appetite.

The first line of defence is the internal control environment recognising the policies, procedures and processes put in place by management. The second line of defence is management’s own monitoring and risk assurance processes including those escalated up through the governance framework. The third line of defence is independent assurance, providing a position statement for internal audit within organisations.

When considering the focus of the organisation’s IAS, the board assurance framework can help internal audit identify where it can provide assistance in its ‘consulting’ role surrounding business critical risk exposure beyond risk appetite. It can also help identify where ‘independent’ assurance will add most value by focusing upon those controls which the organisation believes are managing business critical risks within risk appetite.

The IAS should prioritise reviews over a particular timeline. The timing of reviews will be driven by a number of factors such as:
-Priority for each area of coverage, in terms of the level of risk exposure and risk appetite
-Management or audit committee concerns regarding a particular area
-Degree of stability in respect of systems, staff and other organisational change
-Time since last audit and audit outcomes
-When specific risks are considered likely to materialise and impact

The audit resources necessary to deliver individual assignments will be driven by a number of factors such as:
-System complexity
-Factors such as number of locations, transactions and frequency
-The assurance which can be brought forward from previous audits
-The envisaged scope and objectives of the proposed audit

The IAS and the annual plan (year 1) within it will normally be subject to audit committee review and approval, with changes in subsequent years approved as appropriate in accordance with agreed protocol.

Resource management
Few managers have a blank cheque when it comes to budgets. Internal audit is no different.

Internal audit will typically adopt a medium timeline for strategic planning purposes allowing the chief audit executive (CAE) to balance assurance needs and resources within a defined budget envelope to provide reasonable assurance to audit committee and senior management. Short term or specific skills gaps can be bridged through recruitment, training or co-sourcing.

Where the budget of the department is insufficient to meet the assurance needs of the audit committee and senior management, the CAE will need to raise such concerns and explain the impact of such limitations upon the assurance they are able to provide. The audit committee can direct a review of resources and approve as required to meet its needs.

In determining and managing the resource need:
-Identify the number of individuals, skills mix and specialist skills necessary to deliver the approved IAS
-Analyse your current resources against this need to identify resource shortfalls and skills gaps based upon realistic target utilisation / efficiency levels
-Allocate audits based upon skills and experience to in-house team members
-Identify how resource shortfalls will be met – recruitment, out-source or co-source
-Ensure that planned audits are delivered in accordance with the approved budgets to identify and take timely action in respect of any deviation to keep delivery of the audit plan on-track

When managing co-sourced or out-sourced relationships to support the audit plan:
-Tender for specialist work suitably balancing cost and quality considerations
-Ensure robust and clear contracts are in place with: requirements, pricing, confidentiality, data security, ownership of intellectual copyright and working papers, dispute resolution, and exit terms
-Establish clear operating procedures and approval processes within a service level agreement to ensure that each assignment is delivered in accordance with expectation

IT solutions may enable more efficient and effective internal auditing. However, this will be dependent upon a number of factors such as the size of the audit plan, size of the respective team, geographical spread and degree of standardisation or repetition within the audit plan.

Increasingly, internal audit is utilising a risk based approach to audit strategy, rather than simply providing coverage of the audit universe on a set cycle. Some of the value within traditional IT solutions can be limited and not justify their cost. Therefore as with any system acquisition you should undertake a detailed needs analysis and review the product offering to determine if it will meet those needs and provide value for money.

Likewise, with increased functionality within common office IT products, there is the ability to utilise existing software to automate elements of the audit documentation and facilitate analysis of large volumes of data, if it can be extracted in a common format from the organisation’s core management information systems.

Knowledge management
The internal audit function must develop the skills, experience and knowledge within its team members. Importantly it must also ensure that as team members change, their knowledge is retained as far as possible or transferred to other team members. Effective audit management systems, notice periods, team working and knowledge sharing practices will assist in minimising associated key person risks.

The following techniques may assist in acquiring and developing in-house skills:

-Structured appraisal and performance management
-Informed training programmes at both a team and individual level
-In-house training programmes to deliver common training needs
-Procure external training for specific specialist training needs
-Mentoring programmes
-Joint delivery of reviews with co-sourced providers to facilitate knowledge transfer
-Effective knowledge management systems


One of the biggest issues every successful company faces in today’s business world is the prevention of fraudulent activities committed by employees. Over a decade ago the Sarbanes-Oxley Act (SOX) was introduced, which requires that all publicly held companies establish internal controls and procedures for financial reporting to reduce the possibility of corporate fraud. However, with the increase in new technologies, is this enough to protect companies in 2017?

In a recent study conducted by one of the Big4, global companies on average lost over 5% of revenue to fraudulent actions, the majority of this done by current employees. The reason for this was a lack of internal controls and no risk management in place. Furthermore, the cost to strengthen such internal controls is a considerable investment, whether it be in hiring new staff such as internal auditors or specialist fraud and forensic audit professionals. However, the cost of such professionals is far less than the loss of earnings suffered by companies due to fraudulent activities conducted by employees.

Companies must also face the costly burden of implementing new software such as Governance Risk and Compliance packages. Combine this with the cost of hiring new talent in the IT Audit arena to process, analyse, test and review these controls.

Using new technologies such as the cloud has allowed companies to analyse risk management procedures which look for unusual patterns such as access frequencies, duplicate payments, and splitting invoices. These cloud tools automate controls that uncover these types of preventable risks, but they can also help companies develop a road-map for identifying strategic risks. It is vital that organisations continue to develop their internal controls and invest in technology and, most importantly, in specialized fraud and forensic audit professionals to mitigate the increasing number of preventable risks, which ultimately leads to higher profit margins.

Audit International, the leading specialists in Internal and External Audit Recruitment across Europe, the US and Asia, have learnt that in 2014 PwC’s total fee income was £2.539bn, some £224m ahead of Deloitte (£2.315bn), according to the Financial Reporting Council’s 2014 Key Facts and Trends in the Accountancy Profession.

PwC also earned the highest fee income from audit (£571m) and from non-audit work for audit clients (£332m). This compares with Deloitte’s audit fee income of £486m.

Third-placed KPMG had total fee income of £1.874bn, of which audit contributed £438m. The research therefore shows that the two firms mentioned above were well ahead of their Big Four rivals.

Meanwhile, EY earned £1.868bn, including £341m from audit services. By comparison, even if the next three largest firms from the mid-tier (Grant Thornton, BDO and Baker Tilly) were to merge, the combined total of their fee income would still be £727m less than EY’s.

However, during 2014 the mid-tier saw a major boost to their overall fee income which on average grew by 15.1% compared to the Big Four’s 4.3%. Their audit fee income rose by 9.5% (Big Four 0.1). Their non-audit work for non-audit clients also grew on average by 18.7% compared to the Big Four’s 6.3%.

The Financial Reporting Council’s statistics show that all the firms’ audit fee income is shrinking as a percentage of overall fee income. This is more gradual among the Big Four where the percentage has gone down from 24% in 2010 to 21% in 2014. In the same period the mid-tier firms have seen their audit percentage drop from 34% to 28%.

 

For jobs with some of the leading international consulting firms across the world as well as tier one multinationals, please contact Audit International on 0041 4350 830 95 or else email your current cv to info@www.audit-international.com

Audit International, the leading specialists in Internal and External Audit Recruitment across Europe, the US and Asia, have learnt that The Institute of Internal Auditors and the Association of Chartered Certified Accountants have signed a memorandum of understanding aimed at advancing internal auditing and accounting practices globally.

The main part of the collaboration is a one-time challenge exam open to ACCA members toward receiving the IIA’s Certified Internal Auditor, or CIA, certification.

The CIA certificate, launched in 1973, identifies the individual as a committed and competent professional and provides recognition and status among peers and principal stakeholders.

Recently, IIA president and CEO Richard F. Chambers said: “We are eager to make the challenge exam available to qualified ACCA members because earning the CIA represents an important level of achievement for internal audit practitioners.” He also added: “The rigorous requirements for ACCA membership reflect the high standards of professional attainment that we expect of all of our CIA certificate holders.”

The ACCA certification identifies members as qualified accountants and shows their commitment to high ethical standards, professional values, and lifelong learning. To obtain the ACCA qualification, it is mandatory to pass the ACCA qualification exams and a professional ethics module, complete a three-year practical experience requirement and more.

We have also learnt that ACCA-member recipients of the CIA will have to meet continuing professional education requirements beginning in January 2017 to retain the certification.

Finally, it has emerged that the organizations will help build awareness of their respective initiatives and programs, including the ACCA’s recognition of the IIA’s International Standards for the Professional Practice of Internal Auditing.

 


Audit International, the leading specialists in Internal and External Audit Recruitment across Europe, the US and Asia, have learnt that KPMG has retained the audit crown in terms of overall stock market client numbers, with 404 accounts, according to the latest research from Adviser Rankings.

According to the Corporate Advisers Rankings Guide, in the latest quarterly rankings BDO retained the lead on London’s junior market by client numbers, ahead of KPMG by just one client, while BDO managed to ease on to the podium through the collective worth of its clients.

Both Smith & Williamson and Crowe Clark Whitehill made solid additions to their rosters, in eighth and tenth place, respectively.

Regarding the largest audit companies, PwC remained the largest auditor of FTSE 100 businesses with 39 clients, nearly double that of Deloitte, which moved into third position.

Finally, in the industrials sector, Welbeck Associates entered the rankings in joint 11th position with three clients, while in oil & gas Nexia Smith & Williamson retained 8th position with five clients, after a gain of one.

 


Audit International, the leading specialists in Internal and External Audit Recruitment across Europe, the US and Asia, have learnt that Deloitte, the global leader in providing audit, consulting, financial advisory, risk management, tax, and related services to select clients, has promoted 75 new partners and added 35 new equity partners in the largest ever annual intake to the firm’s UK partnership.

Nearly a third of the newly promoted partners are female (ten of whom were equity partners). At present, 17% of all Deloitte’s partners are women, up from 15% in 2014. The firm has made a commitment that 25% of its partners will be female by 2020. A quarter of its executives and board members are female.

David Sproul, chief executive and senior partner at Deloitte UK, announced the launch of a new ‘return-to-work’ scheme which aims to attract more senior female leaders back into the workforce. Mr Sproul declared: “It is positive that this year, a higher proportion of our new partners are women.” He also said: “We are committed to continuing to do more to create more opportunities in Deloitte for women at a senior level.”

The ‘return-to-work’ scheme will run from September to December. It will offer a 12-week paid internship to women who have been out of the workforce for between three and six years. In the first year, it will be open to Deloitte alumni and the ambition is for 80% of participants to take up longer-term roles with the firm at the end of their internship.

At the beginning of the year, Deloitte’s US arm appointed Cathy Englebert as its first female chief executive. The American Institute of Certified Public Accountants hailed the appointment as a “momentous occasion for the profession”.

 
