internal audit objectives
A new focus for Audit International and our clients is ESG. But there is one thing all of us are perhaps not considering as much : ESG’s impact on the workplace.
Environmental, Social, and Governance (ESG) factors are changing how companies conduct business in many ways, including:
– New ESG or climate-related disclosure regulations to comply with, especially in Europe.
– The need to effectively identify and manage ESG risks (including compliance, financial, and reputational risks), and integrate them within the existing enterprise risk management framework.
– Bringing a host of environmental and social metrics at par with financial information, especially with regards to data quality. There is a growing need for investor-grade ESG data.
– Ensuring that ESG factors give you a competitive edge in attracting investors, customers, and talent.
But there’s another change brought by ESG that’s not getting enough attention: The effects on workplace interactions.
– Firms that ‘get ESG right’ understand that ESG isn’t the responsibility of only one person. You can’t simply appoint a Vice-President or Director of ESG, or just place ESG under the Chief Financial Officer or Chief Sustainability Officer.
– Also, different departments can no longer work in their own little world with occasional collaborative efforts across functions. The important changes brought by ESG will also bring fundamental changes to the workplace.
The ESG team :
ESG is a team sport. People from different departments will have to work together as part of a single team.
You may be in Finance, Legal, Risk, HR, EHS, Sustainability, Operations, IT, or Procurement, but now, in addition to your regular teams and colleagues, you will also be part of the ESG team.
And your company’s ESG team will play a critical role because strong ESG performance drives corporate performance.
This represents a significant shift because suddenly key employees will have to align with a new set of stakeholders. They will have to work together with colleagues they might not have worked with before, or even knew. Here’s a sample of the types of interactions to expect:
EHS will have to provide key metrics to Finance for combined financial and ESG (or non-financial) reports.
EHS will also have to show to Finance and auditors (internal or external) how they provide limited or reasonable assurance on the data.
Procurement will seek guidance from EHS and the Sustainability team on how to capture greenhouse gas emissions data to calculate Scope 3 emissions.
HR will be asked to provide more tangible metrics on DEIB to Finance for inclusion in the combined financial/ESG report.
Did you bring together key stakeholders across departments as part of your ESG strategy?
Have you recruited members of your ESG team yet? If this is a topic you are actively hiring for, then please get in touch with us here at Audit International to assist you with any hiring needs you may have.
Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
Our journey discussing the benefits of auditing organizational culture is coming to an end. Audit International began this series by introducing initial cultural auditing concepts in the first article. Then, in the second article, we continued by more closely examining the first half of the top ten tips that were outlined. In this, the final article of the series, we wrap up with the second half of that list and conclude our analysis.
Auditing culture-
Auditing culture requires involving a wide range of stakeholders and will require you to consider alignment of the desired culture to the actual activities of many people. As we have seen, the leadership in the organizations and the people within the business are clearly very important. To get a true sense of culture you will also need to consider organizational partners and outside service suppliers.
If culture is the way things are done more informally, then this impacts everything in your entire organization’s wider sphere. In this context, procurement may be an important stakeholder to engage with in any cultural audit to better understand their selection methodologies, allowing you to form a view, for example, on how they consider cultural fit in the selection of any third-party suppliers. It also goes beyond the selection of suppliers to how we treat them once they are in place. Does the organization treat them fairly, or is the focus on cost at the expense of other, more important matters?
Ensure that you consider both design and operating effectiveness –
Auditing work should be examining both design and operating effectiveness. Cultural reviews are no different but have the tendency to focus on design at the cost of operating effectiveness. As with all audit work, you would typically begin with a risk and control assessment which can be developed in line with the cultural levers you have identified. Typically, an auditor would then request documents, allowing some desktop analysis ahead of the interviews. Interviews with management can focus on whether they understand the desired culture and can clearly articulate this, while also identifying which levers they see as being particularly important for ensuring the culture is real and lived on the front line. Interviews should also probe the extent to which management role model the desired culture every day and ensure their teams’ activities are in line with the culture.
However, understanding operating effectiveness requires a wider approach and talking to a wider range of employees. Focus groups or surveys can be effective to gather data from employees and may provide more diverse views. If focus groups are operated, they will require additional skill, with the lead needing to manage the group so that a fair range of positive and negative views are heard.
Despite the limitations of cultural measures these too should be requested for each of the levers to understand the extent to which the organization has cultural measures and whether the results are acted upon. Measures that you may wish to consider typically involve people management activity, such as employee turnover, exit interview data, grievances raised by employees, whistleblowing information, and absence data. Other areas should also be explored, such as customer complaints data. However, collecting these may present a challenge. If culture is important in the organization, then it will be available and likely reviewed. If not, there is the potential your first audit finding on the need for management to have appropriate measures in place to track whether the desired culture is being delivered in practice.
In Audit International’s experience, there is no, single best way of conducting cultural audits. Rather, you need to form a view of what is right for your organization. One aspect you will need to consider is whether you conduct specific cultural reviews in your audit plan, have it as a component in all audits that you conduct, or draw out cultural consideration into an off-plan piece of work. I’ve seen all aspects of all three of the options successfully implemented.
Don’t go for a grand plan –
It is important that you consider how you introduce cultural auditing into your program of work. It’s a sensitive topic, and management will often be wary of audit getting too involved. Your internal audit colleagues may also be nervous about whether an area like culture can, in fact, be meaningfully audited. The best advice being — don’t go for a grand plan, but rather start small, test, and learn as you go. This includes building support from the Board and executive leadership by demonstrating, as you go, the insights gained from the cultural examination you have completed and the possibilities to go further with increased resources and business buy-in to this challenging area.
This lends itself to the suggestion to start with a pilot, or a proof of concept, where you identify an area of the business to work with and look to introduce the concept of auditing culture at this point. This should be an area where you know you have a senior auditee who is an advocate of internal audit and willing to work with you to make the pilot a success. Audit International have found that success breeds more success and considerable momentum can be delivered in this manner. Early on, it is also good to share examples of your work and the value it is bringing. I call this the “test, share, and impress approach.”
Collaborate with your business colleagues –
It is also very important to work with the business. The tip here being: Collaborate with your business colleagues – independence is a mindset. Audit International have spent time with many auditors who have been reluctant to collaborate in any deep manner with the business, citing the audit charter and the need for full independence from first-and-second-line activity. We agree, our independence as internal auditors is very important. We need to be objective in all we do to avoid threatening this. However, Audit International don’t believe independence means that we cannot work closely with the business where it makes sense to do so.
One such area, for example, is the identification of the cultural levers discussed earlier – an organization-wide conversation on this is helpful in building appropriate understanding and support for the examination you wish to conduct. Also important is the identification and quick access to relevant data for your cultural work, both at an organization-wide level, but also in divisional units of your business. There is likely to be shared interest in this area, particularly with your HR function. Given this shared interest, it makes sense for all those interested in cultural understanding to come together to share ideas and data for the benefit of the business. For example, this may mean developing a shared data area that all can access. Identify across your business who is interested in this space and join with them to share, learn, and progress.
Upskill all auditors at all levels –
Finally, ensure that the program of work you want to introduce is a sustainable approach to auditing culture. Find a way to get your people behind this approach. At heart, we are a people business and any push to audit this challenging area on a sustainable and systematic basis will depend on the skills and knowledge of your teams.
This leads to the final tip to upskill all auditors at all levels. As we identified earlier, your impact is likely to be much higher if your teams integrate consideration of cultural levers and impacts throughout your audit work and not just in any standalone audit you may do. Understanding the nuances of culture is not simply reserved for HR and psychologists but is a core competency for all auditors. This should be reflected in the recruitment and development approach for your team.
This is likely to mean that if you are going to make cultural assessment a core part of your internal audit work you will need to provide training to the audit team. This will need to cover the organizational cultural levers that you have identified, the data that can help you understand these levers, and the interviewing techniques that will need to be employed to get to actual, as well as espoused, culture. Be honest with yourself and acknowledge where you don’t have the skills that are needed. You will likely need to draw on other sources of expertise, including business and external consultancy support. These can allow you to supplement both the capacity and capability of your team.
And, of course, think carefully about how you organize to deliver this challenging area of work. Our current view is that a multidisciplinary (sometimes called Hybrid) approach is most successful. This is all about how you set up your operating model to deliver your cultural audit work. Some larger functions have established dedicated, well-resourced teams to examine culture in their organization and have staffed this with a blend of expertise, including behavioral psychologists. This group of specialists work alongside and coach front-line auditors who are then encouraged to consider cultural levers in all their audit work as we discussed earlier. Clearly, this is more relevant for larger organizations, but even in smaller functions, you may choose to appoint a cultural lead (or champion) with the responsibility to support and drive the integration of cultural aspects into all your audit work.
Conclusion –
There is no silver bullet for the successful development and implementation of a cultural audit program. Hopefully, the tips that Audit International provided throughout this series of articles will be a useful catalyst for your work in this space as you consider the conditions needed for you to achieve momentum around the idea of auditing culture in your organization.
Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
Audit International now bring you the second part in this three part series – Having introduced the initial concepts of what is involved with auditing organizational culture in the first article of this three-part series, we now can begin the process of drilling down and more closely examining the first five of the top ten tips to conduct a culture audit.
Identify your cultural levers:
The first step to successfully conducting a cultural audit is to identify the daily management activities that occur throughout the organization – your cultural levers. These levers look to align the culture we desire with the day-to-day activities of everyone in the organization. If we understand what leaders focus on to deliver this alignment, then we have a starting point for identifying what to test to provide our opinion on the effectiveness of culture.
Cultural levers often vary from organization to organization, so you need to work with management to identify what is influencing behavior within your specific organization. However, there are areas that I would expect to see. Published value statements are significant and an indication of what should be happening. Leadership is also significant, not just at the top but cascading throughout the organization at all levels. In this context, the organization’s approach to people management is vital with the impact this has on encouraging the behaviors that are needed for success. However, culture goes much deeper and is present in the management of other resources, including areas such as customer engagement, complaints handling, supplier management, corporate responsibility, risk management structures and profile, and internal and external communication.
This may appear daunting, but a well-organized approach to assessing each lever can quickly identify areas that are not truly aligned with the espoused values; a clear indicator that desired culture is not operating as expected.
The next four tips examine these cultural levers more closely to illustrate what they mean and to help inform you about the questions you might want to consider testing in order to arrive at an opinion on the organization’s culture.
Reputation:
Employees watch what leaders and key individuals in organizations do and how they operate. They see the dissonance between what the organization is saying, both in its external and internal communication, and their lived experience of working there. Assessing whether there is alignment is a key aspect of any audit of culture. This is even more important given the increased focus over recent times on aspects of corporate and social responsibility and the push for Environmental, Social, and Governance (ESG) activity from investors. Acquisitions of ‘greenwashing’ in your communications can be hugely damaging. This means that it is important to pay attention to external reputation and its alignment with internal messaging and should be considered across all social media.
Leadership:
The third tip is all about the examination of leadership’s role in owning and managing the culture in the organization. In internal audit, we need to examine whether this is occurring both at design and operational effectiveness levels. We are there to check that the activities of leaders are aligned with the espoused values and are supporting the delivery of the business strategy. In our audit work we should be looking for a consistency of message and actual managerial behavior. Leaders play a pivotal role in managing the business such that there is consistency across activities and that they work toward delivering the required culture for success. To do this practically, we need to build audit programs that look for evidence of areas such as misalignment in leadership actions and customer-centric examples that manifest in the practical activities of front-line colleagues. Leadership should be able to clearly demonstrate actions that they have conducted that help move the organization closer to accurately living the culture and evidence-measurement activity that supports this.
In this context, during an audit, I would expect leaders to be able to articulate how they ensure the culture is embedded through their team’s day-to-day activities, including examples of how they role model the culture in their own activities and interactions. Interviews will form a significant part of assessing these. However, data analytics can also be used to examine areas such as communications from leaders over a period of time looking for references to culture.
Simply put, what you are looking to establish here is whether the fine words on a page have a living connection with reality and link through to a real impact on the delivery of the organization’s strategy.
People management:
This leads us to the next cultural lever – people management. The key here, as with all aspects of cultural audit, is alignment. Across the entire employee lifecycle the behaviors we need to exhibit for the business to be a success need to be front and center. This starts with the employment brand, which should signal to potential recruits what the organization’s values are and includes the testing of new recruits against this. Objectives need to be set not only about what is needed to be delivered in terms of financial results, for example, but also how these results will be achieved.
Performance management needs to be expertly conducted to explore the colleague’s contribution to delivering organizational success in the way we want it delivered. This should be a continual process and include ongoing dialogue, not just an annual form-filling event. Promotion decisions should clearly consider this aspect and signal to all colleagues how behaving in the right way counts for personal success.
In developing your audit program, you need to consider all aspects of the employee lifecycle: attraction, reward, management, development, and exiting colleagues. In reviewing all these aspects, you need to be cognizant as to where the controls are operated. In most organizations, while the Human Resources function is likely to have a key role in the design of many of the practices mentioned, the management of the risk and operation of the controls largely sits within the business units of the organization. That is the place you need to be testing reality, not just within the HR function.
Identify key processes and assess alignment:
Next, we move on to two heavily connected cultural levers: process and change. When reviewing your organization, a key step is to identify the processes that are critical to the management of the organization’s culture. From this, you can review whether their operation is consistent with the outlined culture. In this case, we mean the culture promoted not only to your employees but outside your organization through your brand and external image to customers and other important stakeholders.
Employees, in their scanning of the organizational environment, will spot processes that do not sit well with declared ideal behaviors and values, where potentially the organization is looking to put short-term gain before longer-term goals. If these exist, it sends a huge signal to customers and colleagues that leadership does not really mean what they say. Included in these key processes are likely to be many of the internal processes around people and supplier management, but, most significantly, processes around how you deal with customers and how you respond to their feedback and complaints.
Alongside this, consideration needs to be given to how the organization’s change programs identify how changes they are looking to enact to systems and processes promote the desired culture. Change programs are a key touch point where the organization can ensure that the culture is being reflected in operating practices. However, they can also be a point of risk. Delivering efficiencies, while at the same time undermining the desired culture, can create problems that are hugely difficult to unpack.
Next up, in the third and final installment of this article series, Audit International finish identifying and discussing the remaining top ten tips to audit culture and conclude the journey that set out to help you deliver cultural insights within your organization. We hope you’ll stick with us.
Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
At Audit International, we understand auditing organizational culture is a challenging area for internal audit. Culture is dynamic, and regularly changing. Successful auditing of culture requires a holistic approach across the internal audit function covering the development of internal auditor skills, adjustment to audit methodology, and buy-in from the business regarding the value insightful culture auditing can bring.
In this first article of a three-part series, Audit International examine and discuss the various factors for successfully auditing and influencing culture in your organization.
What is organizational culture, and why does it matter?
Before looking at how you audit culture, it’s necessary to first have a good understanding of what you mean by culture and why it’s important to organizational success.
The classic definition is around the phrase coined by Charles Handy, “the way things are done around here”. While helpful for us to gain insights into auditing culture, we need to unpack this further. Culture is about the interaction between values and behaviors and how these are seen in the organization’s activities and interactions with the range of stakeholders it has (e.g., employees, customers, suppliers, and society).
Top ten tips:
Given the fact that you are reading this article, hopefully you are already convinced that internal audit has a role to play within the organization when it comes to assessing culture. You may already be on this journey delivering cultural insights through your work to your Board, or you may simply be interested in learning more about how to begin this journey. Whichever stage you find yourself, the following top 10 tips will provide you with some initial and practical thoughts that provide a view on culture and the direction needed to influence both management and the Board.
1 – Identify your cultural levers
2- Reputation, Identify whether the organizations actions and messaging, internal and external, are aligned
3- Leadership, Do they own and manage the culture?
4- People Management, Is desired culture integrated into people-management activities?
5- Identify key processes and access alignment.
6- Auditing culture, is this holistic approach being considered by a wide range of stakeholders?
7- Be sure that you consider both design and operating effectiveness.
8- Don’t go for a grand plan.
9- Collaborate with your business colleagues, independence is a mindset.
10- Upskill all auditors at all levels.
In the coming second and third articles of this three-part series on auditing culture, Audit International will take a closer look and provide a more in-depth examination of each of these suggested ten tips. These follow-up articles will offer examples and provide opportunities to more successfully audit and influence the culture at your organization.
Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
There is currently a misalignment in the world of Internal Audit. As Richard Chambers and AuditBoard’s 2023 Focus on the Future Report reveals, there are key areas where significant gaps exist between risk levels and planned efforts. The ability to attract and retain top talent, macroeconomic factors and geopolitical uncertainty, and business model disruptions due to the evolving risk landscape were all listed as top concerns for major organizations, yet only 13-20% of businesses have meaningful plans to devote substantial resources to these issues. Internal audit teams need to be ready to identify and address this kind of disconnect to ensure that their organizations are positioned for success in 2023. In this article, Audit International will identify three top internal audit trends, the challenges they present, and how internal audit teams can leverage software solutions to deploy team resources strategically against the most pressing concerns — setting themselves, and their business, up for success.
Trend 1: Velocity of Risk and Technology Change
Teams must continually provide assurance while adapting to evolving risks, digital disruption, and regulatory changes. Today we’re seeing significant contributions from the digital revolution, climate change, and stakeholder expectations, as the speed of decisions, the amount of connectivity, and the availability of data have all increased. Companies are learning that they have to balance pressures regarding what’s coming from governments, investors, and society as a whole. Stakeholders expect companies to act legally and with a conscience, and regulators are focusing on things like climate change, data privacy, and security.
Challenges in this area hit in numerous ways. First, there is an expanded purview required from emerging technologies and related risks. Second, there are repeated shifts to audit scope that put new burdens on teams. Third, there is an increased depth and breadth of data that brings along associated issues — including data reliability, related required team efforts, and resource constraints.
Technology can help audit teams develop solutions for these issues. Audit planning software accelerates risk and change responses from teams. With this preparation, teams can create risk-based audit plans with risk metadata to allow for efficient execution and continuous assurance.
Trend 2: Growing Internal Audit Talent Gap
Staff shortages, changing attitudes towards work, and a pre-existing skills gap are increasing talent risk and influencing how internal audit teams approach their work. Many teams are reporting that they are losing talent and struggling to replace them. Meanwhile, for the remaining team members, expectations are growing. They want to do more, and we need to keep them engaged. We have to support the folks that we have and give them opportunities to work in cybersecurity, sustainability, and other areas of interest.
The challenges created by the talent gap are as expected. Due to greater cost-cutting and efficiency demands often put in place by organizational leadership, teams are being asked to do more with less as headcount may be frozen or cut. There are the aforementioned difficulties retaining people and improving their skills, plus there are increasing specialization and training needs for team members.
A technology solution in this area is software with resource planning capabilities. This can help teams manage, optimize and retain talent by deploying resources more strategically, and it allows teams to improve individual and overall skills, efficiency, and experiences.
Trend 3: Align With the Business Objectives
The highly competitive corporate landscape and economic disruptions are driving the internal audit profession to refocus efforts on improved strategic alignment. Richard Chambers speaks often about auditors needing to become agents of change. When contemplating initiatives like cybersecurity, diversity, equity, inclusion, and third-party risk management, executive teams and audit committees all want better strategic alignment from internal audit teams. Internal audit must understand and embrace stakeholder needs and challenges so that we can better support their strategic initiatives.
The challenge for internal audit teams in this area is aligning audit with business priorities, which isn’t always as simple as that might seem. Plus, there is an increased requirement to validate internal audit resources. We have to start thinking in new ways, provide more value propositions, and be able to deliver more in less time.
Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
In 2023, organizations may face new and expanded cybersecurity and compliance mandates, which could vary from location to location and from one industry to the next. As a result, your organization may be looking to obtain a certification or will need to pass an audit for a specific set of standards or requirements.
While recognition for demonstration compliance or receiving certification is a great reason to celebrate, the process leading up to that is often time-consuming and sometimes dreaded, especially if you must undergo an audit first.
But audits don’t have to be as frustrating as they once were. With the right resources and tools, you can pass your next audit with ease. Here are five tips from Audit International to help:
Know your current program state.
Don’t wait until the audit is underway to find out where you might have gaps or weaknesses. Go ahead and assess your current compliance state so you know what you need to address before your real assessment gets underway. Consider using a cybersecurity compliance platform that automates these assessments for you and look for a platform that gives you real-time compliance scoring, so you’re never caught off-guard if something isn’t functioning as you intended or you’ve overlooked an important control or other security measures.
Document and evidence.
You can do everything correctly and score 100 on your current assessment, but if you don’t have a document repository that puts everything you need right at your fingertips in one place, or if you can’t supply all the necessary proof and evidence an auditor may want, you likely won’t get credit for what you’re doing right. Put away those binders of dusty old printouts you haven’t looked at since your last audit. Instead, use a cybersecurity management platform to track and retain all of your evidence and documentation all in one place for easy, shareable access with your auditors.
Put teamwork to work for you.
Instead of chasing down who’s responsible for which compliance requirement and trying to understand what they’re doing and how well they’re doing it, use a compliance management platform to help you automate task assignments, track progress, send alerts when those tasks are complete, and assign new tasks as they pop up. A platform like Apptega can even externally alert your auditor when your team has completed an evidence request or other necessary task.
Communicate across your organization.
One of the challenges in building a compliance culture is often that program managers speak industry lingo and not the same language that people in different roles within the organization can understand and relate to their day-to-day responsibilities. Instead of scrolling through hundreds, maybe even thousands of rows of data to find what you need for your next compliance conversation, consider using a compliance management platform that has a pre-built library of reports you can quickly draw on for your next engagement, whether that’s your C-suite, an auditor, or your tech team.
Don’t go at it alone.
While you can meet all the requirements on an audit prep checklist, the reality is when you work on a program, it’s easy to overlook issues an outside eye might catch. Before your next audit, go beyond a self-assessment and consider working with an outside compliance consultant to take a closer look at your existing program and help you seek out and address issues before your auditor finds them.
Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
Audit International are stating the main Risks and Actions companies are putting on their 2023 internal audit plans. The past year concentrated attention and shone a spotlight on the increasing fragility of organizations. With a complex set of risks manifesting simultaneously, audit committees are prioritizing some of the most serious implications resulting from the ongoing war in Europe and a triple squeeze of supply chain, workforce and inflation pressures.
According to data from Gartner’s 2023 Audit Plan Hot Spots report, which identifies the key risks and recommended actions for Audit to benchmark their efforts against in the coming year, 81 percent of Chief Audit Executives polled have cyberthreats on their agenda to cover in audit activities over the next 12-18 months, with an additional 13 percent tentatively planning to do so. Even in a year with a high number of varied and seemingly imminent risks facing organizations, cyberthreats remained an agenda topping item for Audit Committees and senior executives as the drivers of the risk shifted from a generalized focus on inadequate security controls to specific need to prepare for highly sophisticated state-sponsored cyberthreats and new cyber breach disclosure requirements. Even as some risks remain perennial threats, shifting drivers can change the nature of the risk and need for updated mitigation and coverage plans.
Cyberthreats, however, are not the only vulnerability an organization faces in an increasingly fragile world. In developing this year’s report, the need for Audit to support their organizations through rethinking their approach to resilience in the face of growing fragility became evident as a key theme underlying several top organizational risks. These risks are generally under-covered in audit plans for 2023, in some cases less tangible and immediate than the category of risks that have been urgently prioritized as a result of the headline events of this year.
Resilience-related risks are manifesting with real world and high-velocity consequences all the same, and Audit needs to understand the risk indicators, urgency drivers and the right questions to ask the business to ensure that rethinking resiliency is on the agenda in 2023.
Below I review three such risks and strategies for Audit on how to approach them.
Climate Degradation
Nearly six in ten CAEs have no specific plans to provide assurance over climate degradation next year. This in and of itself is a key risk indicator for most organizations, as a failure to refresh business continuity plans related to climate risks puts an organization at higher risk for a key infrastructure failure and related loss of productivity among other risks.
While CAEs generally express limited confidence in their climate coverage plans, rethinking resilience means going beyond sustainability reports and identifying vulnerable assets. Audit departments need to incorporate in their plans the inevitability of increasingly severe weather events and mitigation strategies for the loss of key infrastructure, both their own and that of key third parties, such as suppliers.
Culture
Even more challenging for Audit is culture, traditionally a key source of resilience for many organizations that now is fraying under the weight of new working models (hybrid/remote), social and political polarization and a general lack of connection felt by employees who are reporting witnessed misconduct at rates 30 percent lower than pre-pandemic.
Despite such challenges, only 16 percent of CAEs are revisiting culture in light of shifting sociopolitical expectations of their workforce, investors and the media for next year, and just 10 percent report they are highly confident in providing assurance in this area. Internal Audit needs to push the business on reassessing how employee expectations and engagement are monitored in a hybrid and remote world, while policies related to political and social issues need to be formulated now and not in real time during a crisis.
Organizational Resilience
Ultimately, rethinking resilience means covering organizational resilience as a dedicated risk that is part of the audit coverage plan. Organizational resilience, broadly defined, is an organization’s ability to withstand shocks. This is likely to become ever more important in the face of new and ongoing geopolitical tensions, which can abruptly trigger a set of interconnected but differentiated risks to manifest simultaneously. While refreshing scenario planning and mitigating against change fatigue are necessary steps in this process, building true organizational resilience requires a view into the interconnected risks facing an organization and developing resilience-related initiatives across the enterprise.
With less than half of CAEs definitely planning to cover organizational resilience next year and just 32 percent highly confident in providing assurance specifically on matters of resilience, it’s clear there is more work to do in establishing this as a top audit priority. Chief Audit Executives can regain momentum by launching activities that encourage collaborative discussions between business units on interrelated risks and reviewing plans to address change fatigue within their organizations at a time when events over the past two years have likely dramatically diminished capacity in this area.
While these resilience-related risks feel less tangible and urgent than mitigating against “clear and imminent” dangers like supply chain vulnerabilities and state-sponsored cyberthreats, they are important and increasingly acute risks in their own right. Viewing them through the lens of rethinking what it means to be a truly resilient organization can be a useful framework for starting the right conversations within the Audit Committee and formulating effective coverage in next year’s audit plans.
Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
With businesses facing the strongest economic headwinds in years, the Chartered Institute of Internal Auditors is urging internal auditors to embrace data analytics to navigate more risky, uncertain, and volatile times ahead.
To support their call to action the Chartered IIA, a professional organization for internal auditors in the U.K. and Ireland, in partnership with AuditBoard has published a new report “Embracing data analytics: Ensuring internal audit’s relevance in a data-led world.” The report is aimed at encouraging internal auditors to fully embrace data analytics in the age of systemic risk.
The aftermath of the pandemic, the war in Ukraine and now a recession has all magnified and exacerbated a multitude of business-critical risks. These major risk events are having compounding downstream effects on supply chains, inflation, growth, costs, Forex rates, cybersecurity, and workplace mental health. Creating an adverse business risk environment of a kind not seen for decades. Making it challenging for boards to keep pace with the myriad of risks they now face.
“Data is key for organizations to navigate more risky times ahead and it is key for the future of internal audit. Understanding what the data shows about risk resilience in today’s complex environment will help ensure organizations’ success. We urge businesses and internal audit to embrace data analytics,” says John Wood, Chief Executive of the Chartered Institute of Internal Auditors.
However, in these challenging times harnessing and embracing the power of data analytics can enable internal audit to deliver faster and more incisive insights on fast moving risks, that boards can then act upon swiftly. Helping organizations to quickly identify, manage, and mitigate emerging risks during rapidly evolving situations.
Needs Improvement
The report is based on a survey of 298 internal audit executives from the private, public, and third sectors across the UK and Ireland. The survey revealed:
60% of internal audit functions are already using some for of data analytics, an additional 7% having advanced to AI. However, this still leaves a third yet to adopt data analytics.
The top three risk areas for using data analytics are financial (62%), fraud (17%), and legal and compliance (6%).
The top three benefits of using data analytics include greater level of assurance (48%), 100% audit coverage (21%) and enhanced efficiency (14%).
The top three barriers to fully embracing data analytics include lack of skills (49%), lack of resources (24%) and lack of time to implement (12%).
Only 17% expressed concern that internal auditors could be replaced by robots in the future. Instead, data analytics and AI can free up internal auditors’ time to focus on strategic and systemic risks that could be coming down the track.
The report makes several recommendations for boards and internal audit, including:
– Boards and internal audit should ensure that senior management has defined the organization’s top five risks, and that the data support this view and is correct and reliable.
– Boards and internal audit should ensure that the organization has its own data strategy in place.
– Boards should work with internal audit to identify what data is available to improve risk assurance, and how data analytics could be applied to this data to improve assurance coverage across the organization.
– Boards and internal audit should work together to champion a data analytics culture and promote a data-first mindset.
“Given the warp speed at which risks can emerge and wreak havoc, embracing data-analytics is non-negotiable for boards and internal audit if they are to stay on top of the multitude of risks that organizations are now wrestling,” says Richard Chambers, Senior Internal Audit Advisor of AuditBoard, and former President of the Global IIA. “Data analytics enables faster and higher quality assurance for boards to then act on. In stormy economic times a data-led approach has never been more urgent.”
Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
Audit International believe effective communication of information on risks associated with hazards and control measures, is an essential and integral component within the risk assessment process. The fundamental goal to communicate the outcome of your risk assessment thereafter to the rest of the organization, contributes to the health and safety of your (peer) employees.
A risk assessment is usually executed by you as a safety professional, being part of the safety department of an organization. For you, the outcome of the risk assessment is often quite clear and simple to follow. However, struggles do arise to communicate about risk outside the safety department. How do you communicate to different organizational levels effectively? How do you make sure everyone in your organization is not only aware of, and but also understands the risks they are dealing with? Audit International have these tips.
In this short blog, we will focus on the Communication and Consultation step. You must communicate about your risks and its treatment, but how do you handle this? If you communicate too much no one will know what to listen to nor remember it. If you communicate too little, no one will understand the context or details of the information. Use the tips below to overcome such struggles.
Tips for effective risk communication:
1. Have a common ground
Before talking about risks, people need to understand the basic concepts of safety. Do not assume that everyone is on the same page regarding risks. Define concepts clearly to avoid confusion. Make sure that there is a common definition of risk established, so employees manage risk based on the common concept and view of what constitutes as risks. Inform your organization about the nature of the risk management and why you are doing it.
2. Make sure everyone can understand
As you communicate to different levels and departments in de organization, it is convenient to tailor your message to the one who receives the message. One of the goals for risk communication is to provide meaningful, relevant, and accurate information in clear and understandable terms. Be aware that these criteria can be different for people on the operational work floor than for higher management. Adjust your information to your target audience, so everyone in the organization knows their role in managing the risks they face. This will help you filter the information effectively.
3. Consider the form of communication
How often do you want to communicate to your colleagues? Depending on which colleagues, this could be every day, every week, monthly, or yearly. If the frequency is yearly, writing a report will not be too much trouble. If the frequency is weekly, writing a report will likely be too time-consuming to create and read. It won’t be long before your employees are demotivated which will likely lead to less clear communication – or worse, confusing communication! Think about other ways of communication, such as videos, posters, or interactive means. A one-sided communication strategy is likely to be less effective.
4. Build a sense of inclusiveness and ownership
You know that managing risk is not a one-person job. This process involves different departments and colleagues. It is impossible to manage risk effectively if there is no communication and consolation with each colleague that is involved – with each stakeholder. To optimize the communication and consultation you need to make sure that each stakeholder understands, knows and agrees what is expected from them in relation to the management of risk.
By communicating on risk management, you will involve your colleagues and create inclusiveness and ownership. Ownership is important, because let’s face it: risks that are not owned are often not managed. Clarity on personal responsibilities is very important to prevent incidents from happening. There is no need to have accidents that could have been prevented through effective communication between stakeholders.
Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
Audit International recommend five ‘Under the Radar’ Areas to Audit that May Not Be on the Audit Plan.
As internal auditors, we all have a “spidey sense” of what we should be auditing.
Sure, we should, of course, conduct comprehensive risk assessments that drive our audit plan, and many of the usual suspects will end up on that plan: cybersecurity, regulatory compliance, financial reporting, third-party relationships, and you know the rest.
But there are things, we would strongly profess, that should be audited, even if we aren’t formally auditing them and they never make it to the actual audit plan. Just by being aware—casting that web, if you will—you should constantly informally “audit” a few critical areas.
What might be some of those things we should (lower case) audit, even if we aren’t (upper case) Auditing them? Here’s Audit Internationals take on five:
1
Culture: Are Disconnects, Even if Subtle, Surfacing?
So much has been written and said about doing culture audits and internal audit’s potential role in doing such a review. Perhaps, however, your organization doesn’t support internal audit doing a full-blown culture audit. Does that mean you throw your hands up and do nothing with the topic? Heck, no!
Look, we are among the very few in the organization who have the benefit of both grasping the desired culture and viewing the entire company because of our day-to-day work. So, why not leverage that and tune into what is going on around us and notice the organizational behaviors, actions, and attitudes that are consistent with, as well as (importantly) counter to, the desired culture.
So, what’s an internal auditor to do?
Some caveats, though. First, be sure you completely understand the desired culture, both what is formally stated through things like the organization’s listed core values as well as what is implied in the “how things are done around here” subtleties. The formal and the informal culture are equally important. Then, as you go about your work in various departments and interact with people at all levels of the organization, be cognizant of behaviors, language, demeanor, protocols, and other elements that seem inconsistent with what you expected.
Now, if you witness such imbalances, and you’ll know because it will make you a bit uncomfortable, talk with close colleagues or discuss it amongst your team. If something seems amiss, continue to keep your eyes and ears open and provide your internal audit function leadership with examples of what you are witnessing. If there are culture issues in a particular area of your organization, it is likely manifesting itself in a number of other issues as well. Your internal audit function leadership will guide you on what to do and may provide guidance on the next course of action. Chief audit executives will need to consider when and how to elevate such delicate issues. Yes, it’s a sensitive topic, but something that might be critical to address. Your spidey sense will guide the way.
2
Employee Engagement: Are People Checking Out?
While it has been a topic in the corporate world for more than 20 years, at least since the Gallup Organization and their Q12 employee survey instrument brought it into the lexicon, “employee engagement” has re-emerged these days. By now, we’ve all heard the new buzz phrase “quiet quitting.” While it’s a catchy label that has been slapped on what is, in essence, just disengagement, it’s not to be taken lightly. Employees who have become disengaged in your company’s mission, vision, and values don’t have passion to do their best. This should be deeply problematic to executive leaders and, in turn, to you. It is a significant and costly drain on everything your organization does.
So, what’s an internal auditor to do?
Just like with the culture topic, we, as internal auditors, interact with more of the organization across all levels (along with HR) than most anyone else in the entire organization. Therefore, we have our finger on the pulse when it comes to engagement and its evil twin, disengagement. Do we have a general sense though the course of our internal audit work that people care or if they are they just going through the motions? Sure, we do.
We don’t need to be scientific about it, and we don’t have to call anyone or any function, department, or location out, per se, but if we see that there is a trend developing toward greater levels of disengagement, let it be known. Make it a part of what we absorb about the organization on a daily, weekly, and monthly basis. Elevate the concerns, whether to HR, department levels, or even the senior management. In other words, don’t ignore it.
3
The Physical Facilities: Are Things in Disrepair?
As much as we may not all be going into a physical office as much anymore, many employees will still spend at least some time in the office or at company facilities. And, the physical state of the office location, branch, facility, or building space is important. Not only can facility disrepair be unhealthy or unsafe, but it can also just negatively affect employee psyche or customer impressions. Pay attention to what things look like and what is the state of the physical environment around you. It may signal deeper problems or an overall neglectful view of the business.
We all have stories about what we’ve witnessed. I remember walking past a locked closet and smelling a damp odor. I could have just ignored it, thought it was just me, or figured that someone else was probably aware of it. Instead, I decided to mention it to the facilities manager of the location. And, lo and behold, behind the rightfully locked door a roof leak had infiltrated the space and it was a wiring closet. It could have been a big problem if it were ignored for any length of time.
So, what’s an internal auditor to do?
Keep your eyes and ears open as you go about your work. Does something seem amiss regarding the physical location? Mention it to someone who could do something about it. What’s the worst that could happen? They tell you “thanks, we are aware of it.” At best, you help address an issue before it gets out of hand. Sometimes we all become blind to our physical surroundings because we’ve just been there for so long. But a fresh set of eyes and ears might just help the organization out and make employees and customers even more appreciative of the physical space they show up to and that the organization spends so much money on. Internal audit can have a unique perspective of noticing what gets unnoticed.
4
The Parking Lot Check: Is Fraud Hiding in Plain Sight?
Closely related to the physical state of the facilities is the state of the employees. Ever see a change in someone’s habits that don’t sync-up with what has gone on in the past, and you wondering “what’s up with that?” Perhaps someone is showing up to the office in a new luxury car, expensive clothes, or talking about some lavish vacation they went on?
Most often, there is a great explanation, and it is none of our business. But, also, any of us who have been around the block a few times will also know that, occasionally, these changed behaviors are clues that something is amiss and that someone may be on the take. You could call this “doing a parking lot audit.” So many frauds and embezzlements have left a trail of these clues as the perpetrator wanted to channel their ill-gotten gains into the fruits of luxury and apparent success. It’s not an outright indicator or fraud, of course, but it might be a red flag to dig deeper, especially if things weren’t adding up already.
So, what’s an internal auditor to do?
Just keep your eyes and ears open, being observant to uncharacteristic behaviors, purchases, and chatter could provide clues to someone who is taking advantage of their position and situation to pilfer from your company. No, don’t go around accusing people of things where you have no proof, of course. But eyes open and be vigilant. And, if you see something, say something to a trusted colleague within your internal audit department. If necessary, elevate it within your department and, if warranted and approved, do some follow-up in a clandestine manner. You may just catch something in its preliminary stages and head it off at the pass, so to speak. Most people steal from the company in small increments, and it escalates from there if they feel they are getting away with it undetected. But, in hindsight, there were usually always clues … perhaps no further away than in the parking lot.
5
Hotline Activity: Is Volume Up, or Has Volume Decreased?
Most internal audit functions have some role in monitoring their organization’s whistleblower hotline for employees, and sometimes also third parties, to file complaints. This may seem like a no-brainer, but you’d be surprised how often small complaints (that point to bigger problems) go unnoticed. Your internal audit function may have complete ownership of managing what comes though, you may partner with someone else in the organization, such as compliance, human resources, or legal, or you just get things passed to you for review or investigation as needed from one of these organizational partners. Regardless, you need to have some role in monitoring the volume of activity. What types of activity are coming through? Are there recurring issues? What are the trends? It doesn’t take an audit, but it does take awareness. Changes in volume can be very telling, and that could be changes in either direction (increased or decreased volume).
Increases in activity might spell some brewing issues of a more macro sense and, alternatively, decreases in volume may spell a level of distrust in the confidentiality of the hotline or a perceived lack of seriousness with which reported items might be getting addressed.
So, what’s an internal auditor to do?
It doesn’t have to be you, so long as someone in your internal audit function is attuned to the trends, both in terms of volume and types of activity. And, if there are notable changes in the trends, up or down, it might be time for a deeper understanding of what might be going on. This could be a signal of troubles brewing that are inconsistent with the desired culture.
—-
To be clear, internal auditors don’t need a formal audit plan initiative to keep abreast of important developments in the organization. It’s not easy, I know, as the formal audit plan has us busy enough, but a little observation may go a long way. Head up, eyes and ears open, use all your senses and leverage your well-honed intellectual curiosity and professional skepticism. Do some ad-hoc auditing of things you might not be able to (upper case) Audit and don’t necessarily make it to the formal audit plan. The organization will be better for it, and you will enhance your engagement and contributions innumerably.
As popularized in the Spiderman comics of yesteryear and said in more recent movies, “with great power comes great responsibility.” Wield it judiciously!
“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
