Posts Tagged “audit reform”

Audit International know the common expression, “you only get one chance to make a good first impression.” For internal audit, this chance often comes during the kickoff meeting. This introductory meeting will often set the tone for the entire audit. Its primary objective is to align the auditors and auditee on the audit’s scope, objectives, timeline, and expectations. The meeting provides an opportunity to establish clear lines of communication, clarify roles and responsibilities, and build rapport between the audit team and the auditee.
Here, Audit International will provide a step-by-step guide on how to conduct an effective internal audit kickoff meeting, highlighting its importance, objectives, key participants, and necessary preparations.
Preparing for the Internal Audit Kickoff Meeting
There are several steps internal auditors can take to prepare for the kickoff meeting. They include:
- Define the Audit Objectives: Clearly articulate the purpose and goals of the audit. Identify the specific areas or processes to be examined and the desired outcomes.
- Determine the Scope: Define the boundaries and limitations of the audit. Specify the time frame, departments, locations, or functions to be included.
- Assemble the Audit Team: Select auditors with the relevant expertise and knowledge. Assign roles such as lead auditor, documentation reviewer, and subject matter experts as necessary.
- Conduct Pre-Meeting Research: Familiarize yourself with the auditee’s processes, policies, and applicable regulations. Review previous audit reports, findings, and corrective actions.
- Prepare an Agenda: Outline the topics to be discussed during the meeting. Allocate sufficient time for each agenda item and prioritize critical issues.
- Send Invitations: Distribute meeting invitations to the key participants, including auditors, auditee representatives, management, and any other relevant stakeholders. Provide the agenda and any reading materials.
The Internal Audit Kickoff Meeting Process
If you have prepared well for the kickoff meeting, it should go smoothly. Keep in mind that auditees may have some anxiety about the upcoming audit. They will often have preconceived notions that the audit may be an exercise in the internal auditors trying to play “gotcha!” It’s important to alleviate these fears and clearly communicate the purpose of the audit.
They may also have concerns about the schedule of the internal audit work and see the audit as a distraction from their day-to-day duties. Indeed, we all have busy schedules and they may view the audit as providing extra work on top of their already full days. For this reason, it’s also important to be transparent about the scheduling of the audit work and to work to make the audit as painless as possible for the process or unit that is being audited.
The following are some steps to take during the kickoff meeting to help allay these fears, set expectations, and communicate clearly to the auditees:
- Introduction and Opening Remarks:
  a. Welcome all attendees and introduce yourself and the audit team members.
  b. State the purpose of the meeting and the audit’s importance to the organization.
  c. Outline the meeting’s agenda and expected outcomes.
- Review of Audit Objectives and Scope:
  a. Present the audit objectives, scope, and expected deliverables.
  b. Provide an overview of the audit methodology and explain any unique approaches or tools to be used.
  c. Discuss the audit timeline, key milestones, and any dependencies.
- Roles and Responsibilities:
  a. Clarify the roles and responsibilities of the audit team members.
  b. Define the roles and expectations for auditee representatives, including the provision of requested documentation or information.
- Communication and Information Sharing:
  a. Establish channels and protocols for communication throughout the audit process.
  b. Discuss the frequency and format of progress updates, status meetings, and any interim reporting requirements.
  c. Specify the confidentiality of information shared during the audit and any data protection measures.
- Document Review and Access:
  a. Discuss the documents, records, or systems that auditors may require access to during the audit.
  b. Explain the need for auditee cooperation in providing necessary documentation promptly.
  c. Address any concerns regarding sensitive or confidential information.
- Q&A and Discussion:
  a. Provide an opportunity for auditees to ask questions or seek clarification.
  b. Encourage open dialogue and address any concerns or challenges raised.
  c. Seek input from auditees regarding specific areas of focus or potential risks.
- Closing Remarks:
  a. Summarize the key points discussed during the meeting.
  b. Reiterate the importance of cooperation and commitment from all parties involved.
  c. Establish the next steps and confirm any follow-up actions or meetings.
Post-Kickoff Meeting Actions
Congratulations, you’ve conducted a great internal audit kickoff meeting. The internal audit team and the auditees are now on the same page and everyone knows what to expect during the audit. The initial work involving the kickoff meeting isn’t done, however. To set the upcoming audit on the right path there is still some work to do. Post-kickoff meeting activities include:
- Documentation and Reporting: Document the meeting minutes, including the key discussions, decisions, and action items. Distribute the minutes to all attendees for review and confirmation.
- Follow-up Actions: Assign responsibilities for any action items identified during the meeting. Set deadlines and establish accountability to ensure timely completion.
- Ongoing Communication: Maintain regular communication with auditee representatives to address any queries or provide clarifications as needed. Share progress updates and adhere to the agreed-upon reporting schedule.
Conducting a well-executed internal audit kickoff meeting is a crucial step towards a successful audit process. It establishes a foundation for effective communication, collaboration, and understanding between auditors and auditees. By clearly defining the audit objectives, scope, roles, and responsibilities, the kickoff meeting ensures a focused and efficient audit process. Preparing adequately, following a structured meeting agenda, and documenting the discussions and action items contribute to a productive engagement. By leveraging the guidance provided in this article, organizations can maximize the value derived from internal audits and drive continuous improvement within their operations.
If you have executed the kickoff meeting well, the auditees will be all smiles when you arrive to conduct the actual audit.
Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc. across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com

A few weeks ago, Audit International met with a self-described “introverted” business leader. This business leader confided to us that introverted individuals have a harder time climbing the corporate ladder. The individual went further in claiming that recent research shows that it is worse for women, as introverted women are seen as less assertive and lacking in leadership traits.
Conversely, the business leader pointed out that recent research also shows that introverted individuals actually make better leaders, but because they are not as assertive as their extroverted counterparts, they are not equally represented in leadership positions. That took a minute for us to reflect on. It was one of the most thought-provoking discussions we’ve had in recent weeks.
Curious about the proposition and wanting to see what statistics we could get on the topic ourselves, we set out to create several online polls. Initially, we just asked a simple question:
Do you consider yourself an introvert or an extrovert? Here are three things we learned from asking that and some follow-up questions:
People Do Not Like Binary Options on Personality Traits
In two separate polls across different platforms, we received similar feedback:
“No room for those who don’t fall into these binary groups?” was one of the first responses.
“Some people vary based on their environment,” and “I believe there should be space in between the two,” were two responses that quickly followed.
“Do you have a definition of introverts and extroverts?” was the last question.
Even when we tried to foolishly define the terms we were met with a big, “it depends.”
Lastly, we received the one-word response that took my approach in a different direction: “ambivert.”
The Power of the Ambivert
A full 70 to 80 percent of internal audit professionals considered themselves introverts when only given two choices on the introvert vs. extrovert spectrum. However, in follow-up polls, when the ambivert option was introduced, the results were different. Vastly different. Nearly half of the introverts from the initial polls now classified themselves as ambiverts. Ambiverts were now, in two separate polls, the largest group.
So, what does that mean?
Maybe we’re being foolish again, but here is our theory: Introverted ambiverts are those who usually keep to themselves and don’t brag about their accomplishments, but when the stars align and the spotlight is on them, they shine.
When Audit International first started in the internal audit profession, we worked with two introverted gentlemen. They generally kept to themselves in the day-to-day audit process. But, when they led projects, they had absolute killer instincts.
In that group, they audited the Latin America region, so depending on the country visited they would switch from English to Spanish or Portuguese and back to English with pure finesse. Audit clients would be at ease with their approach and communication style. Anyone who had only known them for that period would swear they were extroverted individuals. But they were not. They were ambiverts.
And that is the power of the ambivert: Killer instincts when it matters.
Extroverts Are Disproportionately Represented in Leadership Positions
Back to the business leader’s proposition that introverted individuals get the short end of the stick when it comes to leadership positions. Was that the case? Based on my poll results, yes.
Extroverts represented approximately one-fourth of the sample population of internal audit professionals. However, they represent one-third of those professionals in leadership positions. Introverts, excluding those with ambivert traits, represented over a third of the sample population of internal audit professionals, but only 10 percent of those in leadership positions. These statistics can be even more accentuated when it comes to female leaders.
A burning question then came to mind. Do extroverts make better leaders? Would that be the reason they are overrepresented in those positions?
Audit International set out to attempt to answer that by asking the community about their experience with their previous leaders. Were their best leaders introverts or extroverts? For this last poll, we purposefully left the ambivert option out.
The results? Extroverts were slightly at an advantage, 53 percent versus 47 percent. In other words, the “best” leader being an introvert or extrovert had close to the same likelihood as the flip of a coin.
How come we don’t have more introverted leaders if they are just as good as extrovert ones?
We don’t have any statistics there but, in my opinion, it’s likely because extroverts are seen as better communicators, and being a good communicator is a sought-out trait in effective leaders.
Should Introverts Lose all Hope?
No. Introverts in some circumstances may have an advantage over extroverts. Another reason is that in [internal audit], passion for the role is important to the impact that you can have on the organization. An introvert has to put a bit more effort into the work than an extrovert does, and I’ve seen several times where this translated to the level of commitment and effectiveness to the role.”
It might even be concluded that an introvert displays more active listening skills and empathy, which is also essential in leadership roles.

There is currently a misalignment in the world of Internal Audit. As Richard Chambers and AuditBoard’s 2023 Focus on the Future Report reveals, there are key areas where significant gaps exist between risk levels and planned efforts. The ability to attract and retain top talent, macroeconomic factors and geopolitical uncertainty, and business model disruptions due to the evolving risk landscape were all listed as top concerns for major organizations, yet only 13-20% of businesses have meaningful plans to devote substantial resources to these issues. Internal audit teams need to be ready to identify and address this kind of disconnect to ensure that their organizations are positioned for success in 2023. In this article, Audit International will identify three top internal audit trends, the challenges they present, and how internal audit teams can leverage software solutions to deploy team resources strategically against the most pressing concerns — setting themselves, and their business, up for success.
Trend 1: Velocity of Risk and Technology Change
Teams must continually provide assurance while adapting to evolving risks, digital disruption, and regulatory changes. Today we’re seeing significant contributions from the digital revolution, climate change, and stakeholder expectations, as the speed of decisions, the amount of connectivity, and the availability of data have all increased. Companies are learning that they have to balance pressures regarding what’s coming from governments, investors, and society as a whole. Stakeholders expect companies to act legally and with a conscience, and regulators are focusing on things like climate change, data privacy, and security.
Challenges in this area hit in numerous ways. First, there is an expanded purview required from emerging technologies and related risks. Second, there are repeated shifts to audit scope that put new burdens on teams. Third, there is an increased depth and breadth of data that brings along associated issues — including data reliability, related required team efforts, and resource constraints.
Technology can help audit teams develop solutions for these issues. Audit planning software accelerates risk and change responses from teams. With this preparation, teams can create risk-based audit plans with risk metadata to allow for efficient execution and continuous assurance.
Trend 2: Growing Internal Audit Talent Gap
Staff shortages, changing attitudes towards work, and a pre-existing skills gap are increasing talent risk and influencing how internal audit teams approach their work. Many teams are reporting that they are losing talent and struggling to replace them. Meanwhile, for the remaining team members, expectations are growing. They want to do more, and we need to keep them engaged. We have to support the folks that we have and give them opportunities to work in cybersecurity, sustainability, and other areas of interest.
The challenges created by the talent gap are as expected. Due to greater cost-cutting and efficiency demands often put in place by organizational leadership, teams are being asked to do more with less as headcount may be frozen or cut. There are the aforementioned difficulties retaining people and improving their skills, plus there are increasing specialization and training needs for team members.
A technology solution in this area is software with resource planning capabilities. This can help teams manage, optimize and retain talent by deploying resources more strategically, and it allows teams to improve individual and overall skills, efficiency, and experiences.
Trend 3: Align With the Business Objectives
The highly competitive corporate landscape and economic disruptions are driving the internal audit profession to refocus efforts on improved strategic alignment. Richard Chambers speaks often about auditors needing to become agents of change. When contemplating initiatives like cybersecurity, diversity, equity, inclusion, and third-party risk management, executive teams and audit committees all want better strategic alignment from internal audit teams. Internal audit must understand and embrace stakeholder needs and challenges so that we can better support their strategic initiatives.
The challenge for internal audit teams in this area is aligning audit with business priorities, which isn’t always as simple as that might seem. Plus, there is an increased requirement to validate internal audit resources. We have to start thinking in new ways, provide more value propositions, and be able to deliver more in less time.

In 2023, organizations may face new and expanded cybersecurity and compliance mandates, which could vary from location to location and from one industry to the next. As a result, your organization may be looking to obtain a certification or will need to pass an audit for a specific set of standards or requirements.
While recognition for demonstrating compliance or receiving certification is a great reason to celebrate, the process leading up to that is often time-consuming and sometimes dreaded, especially if you must undergo an audit first.
But audits don’t have to be as frustrating as they once were. With the right resources and tools, you can pass your next audit with ease. Here are five tips from Audit International to help:
Know your current program state.
Don’t wait until the audit is underway to find out where you might have gaps or weaknesses. Go ahead and assess your current compliance state so you know what you need to address before your real assessment gets underway. Consider using a cybersecurity compliance platform that automates these assessments for you and look for a platform that gives you real-time compliance scoring, so you’re never caught off-guard if something isn’t functioning as you intended or you’ve overlooked an important control or other security measures.
Document and evidence.
You can do everything correctly and score 100 on your current assessment, but if you don’t have a document repository that puts everything you need right at your fingertips in one place, or if you can’t supply all the necessary proof and evidence an auditor may want, you likely won’t get credit for what you’re doing right. Put away those binders of dusty old printouts you haven’t looked at since your last audit. Instead, use a cybersecurity management platform to track and retain all of your evidence and documentation all in one place for easy, shareable access with your auditors.
Put teamwork to work for you.
Instead of chasing down who’s responsible for which compliance requirement and trying to understand what they’re doing and how well they’re doing it, use a compliance management platform to help you automate task assignments, track progress, send alerts when those tasks are complete, and assign new tasks as they pop up. A platform like Apptega can even externally alert your auditor when your team has completed an evidence request or other necessary task.
Communicate across your organization.
One of the challenges in building a compliance culture is often that program managers speak industry lingo and not the same language that people in different roles within the organization can understand and relate to their day-to-day responsibilities. Instead of scrolling through hundreds, maybe even thousands of rows of data to find what you need for your next compliance conversation, consider using a compliance management platform that has a pre-built library of reports you can quickly draw on for your next engagement, whether that’s your C-suite, an auditor, or your tech team.
Don’t go at it alone.
While you can meet all the requirements on an audit prep checklist, the reality is when you work on a program, it’s easy to overlook issues an outside eye might catch. Before your next audit, go beyond a self-assessment and consider working with an outside compliance consultant to take a closer look at your existing program and help you seek out and address issues before your auditor finds them.

Here, Audit International outline the main risks and actions companies are putting on their 2023 internal audit plans. The past year concentrated attention and shone a spotlight on the increasing fragility of organizations. With a complex set of risks manifesting simultaneously, audit committees are prioritizing some of the most serious implications resulting from the ongoing war in Europe and a triple squeeze of supply chain, workforce and inflation pressures.
According to data from Gartner’s 2023 Audit Plan Hot Spots report, which identifies the key risks and recommended actions for Audit to benchmark their efforts against in the coming year, 81 percent of Chief Audit Executives polled have cyberthreats on their agenda to cover in audit activities over the next 12-18 months, with an additional 13 percent tentatively planning to do so. Even in a year with a high number of varied and seemingly imminent risks facing organizations, cyberthreats remained an agenda-topping item for Audit Committees and senior executives as the drivers of the risk shifted from a generalized focus on inadequate security controls to a specific need to prepare for highly sophisticated state-sponsored cyberthreats and new cyber breach disclosure requirements. Even as some risks remain perennial threats, shifting drivers can change the nature of the risk and the need for updated mitigation and coverage plans.
Cyberthreats, however, are not the only vulnerability an organization faces in an increasingly fragile world. In developing this year’s report, the need for Audit to support their organizations through rethinking their approach to resilience in the face of growing fragility became evident as a key theme underlying several top organizational risks. These risks are generally under-covered in audit plans for 2023, in some cases less tangible and immediate than the category of risks that have been urgently prioritized as a result of the headline events of this year.
Resilience-related risks are manifesting with real world and high-velocity consequences all the same, and Audit needs to understand the risk indicators, urgency drivers and the right questions to ask the business to ensure that rethinking resiliency is on the agenda in 2023.
Below I review three such risks and strategies for Audit on how to approach them.
Climate Degradation
Nearly six in ten CAEs have no specific plans to provide assurance over climate degradation next year. This in and of itself is a key risk indicator for most organizations, as a failure to refresh business continuity plans related to climate risks puts an organization at higher risk for a key infrastructure failure and related loss of productivity among other risks.
While CAEs generally express limited confidence in their climate coverage plans, rethinking resilience means going beyond sustainability reports and identifying vulnerable assets. Audit departments need to incorporate in their plans the inevitability of increasingly severe weather events and mitigation strategies for the loss of key infrastructure, both their own and that of key third parties, such as suppliers.
Culture
Even more challenging for Audit is culture, traditionally a key source of resilience for many organizations that now is fraying under the weight of new working models (hybrid/remote), social and political polarization and a general lack of connection felt by employees who are reporting witnessed misconduct at rates 30 percent lower than pre-pandemic.
Despite such challenges, only 16 percent of CAEs are revisiting culture in light of shifting sociopolitical expectations of their workforce, investors and the media for next year, and just 10 percent report they are highly confident in providing assurance in this area. Internal Audit needs to push the business on reassessing how employee expectations and engagement are monitored in a hybrid and remote world, while policies related to political and social issues need to be formulated now and not in real time during a crisis.
Organizational Resilience
Ultimately, rethinking resilience means covering organizational resilience as a dedicated risk that is part of the audit coverage plan. Organizational resilience, broadly defined, is an organization’s ability to withstand shocks. This is likely to become ever more important in the face of new and ongoing geopolitical tensions, which can abruptly trigger a set of interconnected but differentiated risks to manifest simultaneously. While refreshing scenario planning and mitigating against change fatigue are necessary steps in this process, building true organizational resilience requires a view into the interconnected risks facing an organization and developing resilience-related initiatives across the enterprise.
With less than half of CAEs definitely planning to cover organizational resilience next year and just 32 percent highly confident in providing assurance specifically on matters of resilience, it’s clear there is more work to do in establishing this as a top audit priority. Chief Audit Executives can regain momentum by launching activities that encourage collaborative discussions between business units on interrelated risks and reviewing plans to address change fatigue within their organizations at a time when events over the past two years have likely dramatically diminished capacity in this area.
While these resilience-related risks feel less tangible and urgent than mitigating against “clear and imminent” dangers like supply chain vulnerabilities and state-sponsored cyberthreats, they are important and increasingly acute risks in their own right. Viewing them through the lens of rethinking what it means to be a truly resilient organization can be a useful framework for starting the right conversations within the Audit Committee and formulating effective coverage in next year’s audit plans.

Amidst issues like supply chain complexity, economic uncertainty, and increased digitalization, Audit International are finding many organizations are adding vendors or changing their existing relationships with those they currently conduct business with.
Working remotely has prompted many companies to add cloud vendors. Supply chain backlogs might have prompted your business to switch to local vendors. Or maybe you’ve added marketing agencies or other types of consultants that have flexible capacity, rather than increasing headcount.
These decisions can help businesses adapt to changing conditions and build resilience, but working with vendors may also introduce new risks. While you might feel like you have a handle on issues like in-house data security processes, you need to be sure that vendors also align with your needs in these areas.
Internal audit teams can play an important oversight role when it comes to vendor risk management. While they might not be making specific vendor management decisions, they can still be involved in making sure proper due diligence is followed when selecting vendors. And once vendor relationships are in place, internal audit teams can monitor these arrangements to ensure organizations aren’t opening themselves up to new risks.
What are the top vendor risk management issues?
Working with third parties like software vendors, managed service providers, cleaning companies, etc. can help businesses fill gaps in current capabilities, increase efficiency, and more. Yet, internal audit teams also need to make sure that their organizations are accounting for any and all potential risks:
Cybersecurity: Internal audit teams should review vendors’ cybersecurity practices to assess whether these meet your organization’s expectations, for example, data security controls and remediation capabilities.
Compliance: Third-party vendors can also create compliance risks, such as improperly storing customer data or engaging in illegal business practices. Even if these vendor issues do not lead to legal action against your organization, internal auditors should aim to get ahead of these issues to avoid reputational damage.
ESG: Environmental, social, and governance (ESG) scrutiny is increasingly extending into supply chains and can also create reputational risk. Internal auditors will want to assess how vendors align with their own ESG goals. This may in turn lead to implementing additional controls, for example, around data sharing practices so that your organization will be able to verify issues like vendor emissions.
Quality: Don’t automatically assume that vendors will provide the quality you’re expecting, even if they come recommended or are widely known. Internal auditors need to ensure that their organizations still conduct proper due diligence to see whether working with that vendor will provide the quality of work you’re expecting. Managing risk can also include looking at vendor performance controls to see if existing third-party vendors maintain appropriate quality standards.
These are just some of the many critical risks that can come from working with third parties. Keep in mind that vendors may also have their own networks of third parties, which could ultimately affect your organization.
While it might not be possible to know every connection point that your vendors have with other third parties, you would likely want to assess what their own third-party risk management practices look like.
How can internal auditors improve third-party risk management?
Internal auditors shouldn’t be the only ones responsible for vendor risk assessments, but they should be mindful of the aforementioned vendor risk management issues and collaborate with other departments to stay on top of these risks.
For example, internal auditors can collaborate with IT leaders to create a vendor security due diligence checklist. From there, internal audit controls can make sure that this checklist is used across all vendor reviews.
Internal audit leaders can also integrate analytics into audit processes, such as collecting performance metrics on third-party vendors, to assess whether they meet your organization’s quality expectations on an ongoing basis.
Too often, however, adding analytics to audit reports is a manual, labor-intensive process that can create its own risks, like data errors. TeamMate Audit Benchmark found 79% of internal audit teams manually leverage data from other applications.
Audit tools like TeamMate+ can help internal auditors get the third-party data they need through automated API exchanges with other platforms, which makes continuous monitoring of risk more feasible. They can then create automated reports to share insights with other departments to stay on top of third-party risk.
By aligning with these steps and staying on top of evolving vendor management risks, internal audit teams can help their organizations stay safe while getting the most out of their third-party partnerships.
“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

In this final article of the series, Audit International focus on the third element of ESG – Governance risk. This differs from the first two elements – Environmental and Social – in that several governance risks have long been recognized and included in our audit plans. However, many more have recently gained prominence. Therefore, it is important that internal audit understands these risks and is well positioned to provide assurance.
Governance risks :
Some governance risks are broad in nature. Others are very narrow. Some have little in terms of universal benchmarks, while others have well-established frameworks or regulations. Here are some of the main risks that should be considered:
– Shareholder rights and engagement – are there any limitations on certain classes of shareholders, and does the business engage effectively on important issues?
– Board structure and diversity – are there independent directors, and does the board have sufficient diversity of experience, style, and background? Increasingly, neurodiversity is a consideration, and in some countries a workers’ representative is a requirement.
– Executive compensation – is this structured to be in line with corporate objectives, and is it consistent with peers in comparison to the wages of other staff?
– Anti-bribery and corruption – many countries have a comprehensive legal framework.
– Tax transparency and policy – what is the organization’s approach to tax, and particularly the jurisdictions it operates and pays taxes in?
– Ethics and culture – a broad topic, ethics encompass all the above and more. Culture has become a hot topic over the past 15 years with the link between a strong organization-wide culture and performance becoming increasingly apparent.
– Data protection – often also included as a social risk, good information governance is relevant here as well.
Typical impacts for the organization will be reputational, legal and regulatory, people, financial, and ultimately strategic.
Getting started – Determining the key risks :
Compared with environmental and social risk, it is much more difficult to take a holistic approach to governance risk, given the breadth of topics. However, it is likely that many activities and risks are already in your audit universe. A governance code may have been adopted by your organization, although these may only cover some of the issues described above. Understanding the relevant governance code(s) – mandatory or optional – is a good starting point. This will depend on jurisdiction(s), market listings, regulators, and industry practices. Governance codes can be principle-based or more prescriptive, and will typically define some or all of the following, often on a “comply or explain” basis:
– Clarity of purpose
– Leadership
– Integrity
– Board composition and division of responsibilities
– Board effectiveness
– Decision making
– Risk management, internal controls, and audit
– Accountability, transparency, and reporting remuneration
In understanding governance risks, you should also take into account what specific legal or regulatory requirements there are around any of these issues. This may include reporting requirements around diversity or executive pay or matters which must regularly be reported and considered by the board. Also, consider what other stakeholder expectations are relevant. This is likely to focus on investors, as they have been increasingly vocal and prepared to vote against boards that do not adequately address specific issues.
With this background information, along with your consideration of the issues highlighted earlier in this article, you can ensure your risk assessment incorporates relevant governance risks.
How internal audit can make an impact :
As always, we should leverage work done by the first and second lines in considering where we can make the biggest impact. We should consider our risk assessment alongside any new information we have about regulatory changes, emerging issues in our sector, or jurisdictions, and investor interest.
Some Examples :
Governance framework :
Governance codes were mentioned earlier in this article. Whether your organization has adopted a code in full or developed its own framework, it will need to produce a regular (typically, annual) report of compliance with the code. Assessing the processes supporting this reporting is often a good way to execute broad audit coverage of governance risks. Such reports are expected by regulators, provide assurance to the board, and are sometimes published (at least in part in the annual report). Therefore, it is important that they give an accurate picture.
Reports may take many forms and will often include qualitative assertions and specific data or examples. It is important that any data reported is accurate, but equally as important that narrative assertions or examples are supported by evidence. Internal audit can provide assurance over the processes to collate this evidence, ensuring it is complete and accurate and that the right oversight controls are in place. We can also review the report and verify that the conclusions reached fairly reflect the evidence available. Generally, we take a combined approach to provide comprehensive and broad assurance.
Board composition :
Board composition has been under the spotlight, and while practices have improved there is often still a lack of transparency in recruitment, objective evaluation, and diversity. This is a sensitive audit which needs to be conducted by experienced auditors. When done well, it provides real insight and impact.
It is important not to make this about the individuals currently serving on a board, but about the effectiveness of processes around recruitment, structure, skills-determination, and performance evaluation. Consider some or all of the following:
Is there an evaluation of the skills required on the board and an up-to-date skills matrix? Is this specific enough to ensure the board members possess the right range of skills and experience but sufficiently flexible to attract a diverse pool of candidates?
Do recruitment processes include defining an ideal candidate profile, pre-determined selection criteria, and stakeholder involvement in the exercise? Are candidates sourced in a way that ensures a wide pool of candidates, recognizing that there may be a need for confidentiality?
How are conflicts of interest identified and managed?
What are the rotation policies/term limits for non-executive board members?
How is board performance evaluated? Is there a self-assessment process and a periodic independent assessment?
Is there a training plan for the board and individual board members? Is there an individual appraisal process?
Does the committee structure support effective delegation but ensure the board maintains its responsibility for strategy and oversight?
How effective is the relationship between executives and non-executives? Does the structure facilitate both support and challenge?
Is there an effective process for succession planning?
Do boards allow time for open discussions and strategic thinking, as well as formal meetings?
Some of this can be done by document review — including board papers and minutes, skill matrix, recruitment process documents, etc. But much of this will also require interviews with board members and those who support the board, such as the corporate/company secretarial or corporate governance team.
This article concludes the series on what internal audit should know about ESG risks. If you missed the first two articles, be sure to go back and read our previous blogs, to get you up to speed on our suggestions on how internal audit can approach environmental and social risks.

Here at Audit International this week, we are all talking about the Chartered Institute of Internal Auditors dropping their ‘Risk in Focus 2023’ report. The report compiles the results of 9 in-depth interviews, 4 round table events with 39 participants, and responses from 834 Chief Audit Executives (CAEs) from across 15 European countries. In a nutshell, the report has some solid contributors, meaning the top 10 areas that are concerning other CAEs might be worth thinking about too – especially as you prepare your 2023 annual plan.
The Risk in Focus 2023 report has had a great refresh and shows the movement of each of the risks over the years. This year’s report shows 15 categories worth consideration:
– Mergers and acquisitions
– Health, safety and security
– Communications, reputation and stakeholder relationships
– Fraud, bribery and the criminal exploitation of disruption
– Organisational culture
– Organisational governance and corporate reporting
– Financial, liquidity and insolvency risks
– Supply chain, outsourcing and ‘nth’ party risk
– Business continuity, crisis management and disasters response
– Climate change and environmental sustainability
– Digital disruption, new technology and AI
– Changes in laws and regulations
– Macroeconomic and geopolitical uncertainty
– Human capital, diversity and talent management
– Cybersecurity and data security
The report finds that the greatest movers, in terms of the focus and attention given to them by CAEs, are the following four categories, which have seen the largest increase in attention since 2020:
– Macroeconomic and geopolitical uncertainty
– Human capital, diversity and talent management
– Supply chain, outsourcing and ‘nth’ party risk
– Climate change and environmental sustainability
This year’s report also highlights the impact the war in Ukraine has had on many of the businesses and risks highlighted in the report.
For each of the risks, the report provides suggestions on how Internal Audit can help the organisation.

A recent study revealed that 82% of finance and business leaders must comply with sustainability requirements or ESG regulations. Even without mandatory regulatory standards in place, Audit International would bet their bottom dollar that more companies would voluntarily take on sustainability initiatives and thus, produce ESG reports.
Why? Because more stakeholders are looking.
The number of parties with vested interests in ESG performance has dramatically increased. The tendency is to think of investors as the sole consumer, judge, and jury of ESG reports, but that’s changing, especially as other stakeholders find themselves subject to ESG expectations.
So, who’s really looking at your ESG reports? And why do they care?
Investors
Let’s start with the obvious: investors! Today’s investors want to ensure their money supports organizations that align with their values. Increasingly, those values are moving further and further away from brown stocks. Investors are leaning away from companies that might risk damaging the environment, operate with inequities, or are vulnerable to corruption.
While sustainable investing is value-based for many investors, it’s also the safer, more lucrative investment in many cases.
A study by Nordea Equity Research reported that, over three years, companies with high ESG ratings outperformed the lowest-rated companies by as much as 40%.
A Bank of America Merrill Lynch study found that firms with a healthier ESG record yielded higher three-year returns. They were also more likely to become high-quality stocks, less likely to experience significant price drops, and less likely to go bankrupt.
All this to say, an ESG score isn’t just a number. It indicates to investors that your company is a proactive, forward-thinking entity that will satisfy the investor’s need for ROI and their conscience.
Internal stakeholders
Many stakeholders within a business can benefit from ESG performance data.
For example:
Sales and marketing can use ESG data to showcase a company’s sustainability performance in their efforts to entice new customers.
IR and PR teams can tout ESG successes to improve the company’s reputation.
HR reps can use social data to attract talent.
Finance teams and chief executives can use ESG insights to improve profitability, contain costs, identify new business opportunities, and recognize areas of investment and divestment when ESG data is connected to financial performance.
Organizations can put ESG performance data to work in many ways. Regarding business value, ESG reports can give every department leverage in furthering the growth and goodwill towards an organization.
ESG scoring bodies
A good ESG score is a golden ticket to a favorable ESG reputation. To receive one, you’ll have to complete surveys or create reports designed by third-party providers, who then calculate ESG scores based on the metrics and ESG performance you reported. Like a credit score or a bond rating, an ESG score demonstrates your company’s ability to meet its ESG commitments, performance, and risk exposure.
Notable ESG scoring organizations are Bloomberg ESG Data Services, Sustainalytics, ESG Risk Ratings, JUST Capital, MSCI, Refinitiv, Dow Jones Sustainability Index Family, and RepRisk.
Banks and financial institutions
Banks, capital markets, and wealth managers are moving towards ESG agendas. This is not just an ethical move but one of demand, risk, and reward.
In terms of demand, millennials lean significantly towards sustainable investments. A survey by EY found that millennials are twice as likely to invest in a fund or stock if social responsibility is a component of the value creation narrative. (Might I remind you millennials are the demographic soon to be society’s primary wealth holders.)
In terms of risk, the liability to banks is two-fold. First, banks are subject to the same sustainability scrutiny as other businesses — customers want to bank with sustainably responsible banks. And second, banks face similar challenges to investors: lending to companies that aren’t sustainable could also pose threats to their business. Will a coal mine be able to repay its debts when sustainable alternatives take over? While banks might not be in this scenario just yet, in the future, it’s possible that businesses could see requests for funding denied if they don’t prove to be sustainable enough.
In terms of reward, again, we see companies with strong ESG performing better than those with weak ESG. An analysis completed by global investment manager BlackRock found that up to 88% of sustainable funds outperformed their non-sustainable counterparts between January 1, 2020, and April 30, 2020. Why would a wealth manager allocate funds to an unsustainable stock when a more sustainable and equally (if not more) profitable alternative exists? Why choose to lose/win when you could choose to win/win?
Regulators
Incoming! A stampede of regulations is making its way into the ESG reporting arena. Two regulations of note are:
The EU’s Corporate Sustainability Due Diligence (CSDD)
In February 2022, the European Commission published a draft of the CSDD. If passed, the CSDD would require companies to disclose the impacts of their operations on human rights and the environment.
The US’s new climate-related disclosures
In March 2022, the SEC proposed expansive new climate-related disclosures related to greenhouse gas emissions, climate risks, transition plans, and governance.
Sullivan and Cromwell LLP has a great round-up of the latest (up to May 2022) ESG regulatory advancements here. The bottom line: ESG is being written into everything from litigation to financial institutions, disclosure and governance, and law. While your particular flavor of ESG regulation will be subject to your jurisdiction and industry, you can bet on increased regulatory scrutiny coming your way soon.
Consumers
B2C companies find themselves with a consumer who cares about their product, how it’s made, and who’s making it. Recent PWC research found that:
Consumers aged 17 – 38 years are almost twice as likely to consider ESG issues when making purchasing decisions than others.
Over half of consumers surveyed said that a company’s purpose and values played a role in their purchasing decisions.
49% of consumers and 66% of millennials use the internet to learn more about a company’s ESG practices before buying a product or service.
From this, we can conclude a few things. The future of sales will depend on ESG performance. And consumers aren’t satisfied with marketing promises — they want the ESG evidence, and your reports will be front and center of their investigations.
Everyone’s looking at ESG
Don’t make stakeholders struggle to seek out your ESG performance. By using a corporate performance management approach to ESG reporting, you can tell your sustainability story, disclose according to multiple new and evolving frameworks, and connect financial outcomes, operational activities, and ESG performance to ensure sustainability is always tied to doing good for the earth, people, and your bottom line.

Audit International have been thinking recently about what internal audit should know about ESG risks, and where better to start than with the E, which is for Environmental.
In this, the first in a series of three articles, we will drill down on Environmental risk and explore how internal audit can have an impact by focusing on key risks.
Environmental risks :
There’s no single taxonomy of environmental risks. Consider what categories your organization uses and what is used elsewhere in the sector. The following should all be covered, at a minimum, but may be described in different ways using different terminology:
Climate change – this should include the effect of greenhouse gas (GHG) emissions (we usually talk about carbon dioxide, but there are seven gases covered by the GHG protocol)
Pollution from emissions and discharge (i.e., water, soil, air)
Biodiversity loss and deforestation
Waste management
Resource use – impacts of raw materials, production, transportation, and distribution (consider water, energy, and other natural resources)
Hazardous materials
There is clearly an interplay between these risks, but as they represent the major environmental impacts, this offers a good starting point.
This should fit neatly into your existing risk assessment process. Typical impacts for the organization will be reputational, legal and regulatory, financial, operational, and ultimately strategic. All things we are very familiar with.
Getting started – Determining the key risks
Every organization is different. You will need to start with a risk assessment to determine the key risks, potentially using the list above. To do this, you will need to understand the main environmental issues in your business, considering a number of factors:
What sector(s) you are in, and what are the main impacts of that sector. Search out industry guidance from standard setters such as GRI (Global Reporting Initiative), international business groups, such as the World Economic Forum, and thought leaders, such as McKinsey. It is important to consider all the main parts of your business, from the environmental impact of the raw materials you source, through transportation, production, and sales. Although focus on your immediate impacts may be easier, the impacts outside your organization’s immediate control are often more significant. For example, a significant environmental impact of electronics is the extraction of rare earth metals essential for their production.
Where your business is based, the places in which you operate, where you source materials from, and where you sell to. This is important for a number of reasons. It drives the nature and extent of legal and regulatory risk that the organization faces. It also influences the attitudes of stakeholders, such as customers and consumers, as these may vary significantly. But bear in mind that these factors can change quickly, and this needs to be built into any risk assessment.
Requirements of your customers. This may be contractual for government or corporate procurement, or the preferences and attitudes of consumers. This is also partly based on location (as mentioned above), but in global markets, it is never that simple.
All of this (and more) should have been considered by the business (first or second line), and internal audit should leverage their work, effectively challenging and validating it. If this has not been done, internal audit needs to take a step back and conduct a more basic evaluation of the maturity of the organization’s risk assessment process.
Some types of environmental impact will be universal and significant no matter what your business activity. These include climate change and waste, which Audit International will dig a little deeper into later in the article. Others may apply to a much greater extent in certain industries, such as those in extractive industries (oil and mining for example) and heavy manufacturing (where there may be high levels of resource use – both raw materials as inputs and energy and water in the production process).
How internal audit can make an impact :
As with any aspect of audit planning, the greatest value internal audit can bring will depend on the major risks identified. But we can’t just consider the inherent risks, we need to understand what other sources of assurance are in place and, most importantly, what activities are contributing to both the risk and the assurance. Think about the following:
What do we know about environmental management processes that are in place? What is the scope of these systems and processes?
What reporting is in place? Are external reports assured? Which stakeholders use and rely on these reports?
Are environmental factors (risks and costs) incorporated into project evaluation and capital decisions?
A common factor across many environmental risks is the availability and quality of the data. Processes and controls for environmental data are generally less mature, and systems are not always equipped or configured to meet the complexities and nuances of this data. This is often a great opportunity for internal audit to add value, both by providing assurance over processes and systems, and by validating the data itself. Both leverage core internal audit skills.
We can also go further, confirming that reports meet whichever standards are being applied, and that management reports or project evaluations fairly and completely reflect risks as well as opportunities. However, this may require more specialized knowledge.
Some examples :
Climate change
All organizations need a response to climate change, and so while the specific needs will differ, this is an issue increasingly relevant for everyone. How can internal audit add value? Let’s look at two potential opportunities:
Has the business considered the potential physical and transitional impacts of climate change? Best practice suggests this should be done using scenario analysis that includes a range of realistic scenarios. Physical vulnerabilities may result from gradual, long-term changes in climate (chronic risks), or short-term (acute) risks, such as storms and fires during heatwaves. These potentially impact the cost-of-capital, the availability and cost of insurance rates, and cause operational disruption. Transitional impacts include changes in legislation, markets, technology, and stakeholder expectations. Internal audit can review the process used to establish scenarios and determine the impacts and, more importantly, assess actions to improve resilience, mitigate risk, and maximize opportunities.
Many corporations are now publishing disclosures under TCFD (Task Force on Climate Related Disclosures). These are becoming mandatory in some countries and are an increasing expectation from investors. External assurance, if any, is usually very limited in scope. Internal audit can provide assurance over the processes to collate data and support assertions made in the disclosures. It can also audit the data and assess the evidence supporting those assertions. Other organizations may provide (voluntarily or by regulation) data on, for example, energy use or emissions. Again, internal audit can provide similar assurance over these processes or this data, as any external assurance will generally be limited.
Waste :
Waste is an issue for all organizations, although the specific impacts will be very different across businesses. As well as the environmental impact, businesses have a cost-incentive to reduce waste, as it is increasingly expensive to treat and dispose of. Internal audit can add value in a number of ways.
Here are some examples:
– Assess whether policies support the organization’s waste strategy. Are they specific to the business and relevant for the types and locations of waste produced? Do they take into account legislation and regulation in each jurisdiction? Are they effectively implemented, understood, and followed?
– Companies often report waste information, either in annual reports or to different public authorities. How is this validated? For example, how do we know that waste is recycled or reused? Are there controls to independently verify how the waste has been treated? In many countries, responsibility for safe disposal rests with the waste producer, not the waste contractor.
To summarize, we have described the importance of environmental risk to all organizations and have shown how internal audit can respond to some of those risks. Internal audit can use existing tools and skills to get started, and leverage widely available sources of knowledge to find out more.
Keep an eye out for our next blog, discussing the S in ESG, which of course stands for ‘Social’.
We will explore how internal audit can address important social risks.