Posts Tagged “audit rotation”
Amidst issues like supply chain complexity, economic uncertainty, and increased digitalization, Audit International are finding many organizations are adding vendors or changing their existing relationships with those they currently conduct business with.
Working remotely has prompted many companies to add cloud vendors. Supply chain backlogs might have prompted your business to switch to local vendors. Or maybe you’ve added marketing agencies or other types of consultants that have flexible capacity, rather than increasing headcount.
These decisions can help businesses adapt to changing conditions and build resilience, but working with vendors may also introduce new risks. While you might feel like you have a handle on issues like in-house data security processes, you need to be sure that vendors also align with your needs in these areas.
Internal audit teams can play an important oversight role when it comes to vendor risk management. While they might not be making specific vendor management decisions, they can still be involved in making sure proper due diligence is followed when selecting vendors. And once vendor relationships are in place, internal audit teams can monitor these arrangements to ensure organizations aren’t opening themselves up to new risks.
What are the top vendor risk management issues?
Working with third parties like software vendors, managed service providers, cleaning companies, etc. can help businesses fill gaps in current capabilities, increase efficiency, and more. Yet, internal audit teams also need to make sure that their organizations are accounting for any and all potential risks:
Cybersecurity: Internal audit teams should review vendors’ cybersecurity practices to assess whether these meet your organization’s expectations, for example, data security controls and remediation capabilities.
Compliance: Third-party vendors can also create compliance risks, such as improperly storing customer data or engaging in illegal business practices. Even if these vendor issues do not lead to legal action against your organization, internal auditors should aim to get ahead of these issues to avoid reputational damage.
ESG: Environmental, social, and governance (ESG) scrutiny is increasingly extending into supply chains and can also create reputational risk. Internal auditors will want to assess how vendors align with their own ESG goals. This may in turn lead to implementing additional controls, for example, around data sharing practices so that your organization will be able to verify issues like vendor emissions.
Quality: Don’t automatically assume that vendors will provide the quality you’re expecting, even if they come recommended or are widely known. Internal auditors need to ensure that their organizations still conduct proper due diligence to see whether working with that vendor will provide the quality of work you’re expecting. Managing risk can also include looking at vendor performance controls to see if existing third-party vendors maintain appropriate quality standards.
These are just some of the many critical risks that can come from working with third parties. Keep in mind that vendors may also have their own networks of third parties, which could ultimately affect your organization.
While it might not be possible to know every connection point that your vendors have with other third parties, you would likely want to assess what their own third-party risk management practices look like.
How can internal auditors improve third-party risk management?
Internal auditors shouldn’t be the only ones responsible for vendor risk assessments, but they should be mindful of the aforementioned vendor risk management issues and collaborate with other departments to stay on top of these risks.
For example, internal auditors can collaborate with IT leaders to create a vendor security due diligence checklist. From there, internal audit controls can make sure that this checklist is used across all vendor reviews.
Internal audit leaders can also integrate analytics into audit processes, such as collecting performance metrics on third-party vendors, to assess whether they meet your organization’s quality expectations on an ongoing basis.
Too often, however, adding analytics to audit reports is a manual, labor-intensive process that can create its own risks, like data errors. TeamMate Audit Benchmark found 79% of internal audit teams manually leverage data from other applications.
Audit tools like TeamMate+ can help internal auditors get the third-party data they need through automated API exchanges with other platforms, which makes continuous monitoring of risk more feasible. They can then create automated reports to share insights with other departments to stay on top of third-party risk.
By aligning with these steps and staying on top of evolving vendor management risks, internal audit teams can help their organizations stay safe while getting the most out of their third-party partnerships.
“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
Transit systems. Healthcare facilities. Financial services firms. What do they all have in common? Organizations within these sectors — and essentially all industries, for that matter — have been hit by ransomware, a type of malware where cybercriminals demand a ransom payment to unlock access to your private and confidential systems and files.
While many cybersecurity risks exist, ransomware is often one of the more pressing challenges. Not only can it bring operations to a screeching halt, but it can also cause issues like data leaks and reputational damage. A global survey by cybersecurity software company Sophos finds that 66% of surveyed organizations suffered ransomware attacks in 2021. “It took on average one month to recover from the damage and disruption,” Sophos adds.
Given the severity of ransomware risk, internal auditors should aim to help their organizations reduce these threats, along with overall cybersecurity risks. How? As Audit International will examine in this article, internal audit departments can take steps such as conducting IT/cybersecurity audits and using technology like internal audit management software to improve internal controls and collaboration.
Review IT practices and controls :
Even though internal auditors generally aren’t responsible for choosing cybersecurity software and establishing employee training to recognize ransomware risks, they can still provide assurance over IT practices and controls, such as with an IT audit.
When IT teams conduct phishing tests to see whether employees are tricked by email scams that can cause ransomware issues, internal auditors are then able to review those results and ensure that the organization is meeting a sufficient standard to prevent social engineering. If the results demonstrate gaps in employee preparedness on ransomware risk or other cybersecurity risks, then internal auditors would likely want to communicate that risk to other stakeholders, like boards and senior management.
Internal audit leaders might also review remote work policies to ensure that IT teams are appropriately managing these with ransomware risk in mind, rather than just focusing on the functionality of work-from-home environments. While internal auditors often rely on guidance from IT leaders, they can still audit areas like access logs to ensure that only approved devices, with the appropriate threat intelligence and data protection technologies, are connecting to their networks.
Align key stakeholders :
Improving ransomware protection also means internal auditors need to align key stakeholders, rather than just collaborating with IT. That means pulling together information from multiple departments to make sure everyone’s on the same page.
Internal auditors should check with finance teams to see how they’re accounting for the potential costs of a ransomware attack, and then ensure that other key stakeholders, like boards and senior management, understand and agree with this approach. Otherwise, issues like not having a sufficient budget to recover from a ransomware attack may arise.
“Regardless of their size or revenue, organizations should assume they will be targeted with ransomware, and they should examine their prevention, detection, mitigation, response, and recovery measures,” notes Zachary Ginsburg, research director for the Gartner Audit and Risk practice, in a Gartner press release.
Leverage internal audit management software :
Internal auditors can mitigate ransomware risk by leveraging internal audit management software. Many technologies are designed to assist with cybersecurity risk management, but from an audit perspective, internal audit management software is important for gaining assurance.
Overall, internal audit teams have an opportunity to make a significant impact when it comes to ransomware risk management. Planning ahead and focusing on internal alignment can go a long way toward reducing ransomware attacks and other cybersecurity risks.
“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
This week Audit International are taking a look at the 4 ways how Internal Audit can get a seat at the table.
When it comes to risk management and compliance, most organizations operate on a 3 Lines of Defense (3LOD) model, in which operational management, compliance, and internal audit work together in tandem to assess and mitigate risk and manage controls and compliance.
This model may be successful in theory, but as the risk management and compliance functions have grown more complex, it doesn’t always work as well as you might hope. Given the rising sophistication of cybersecurity threats and incidents of fraud, and the increasing compliance requirements posed upon organizations of all sizes, it can be difficult to keep an organization-wide pulse on threats and breaches in compliance as they arise.
The problem is, the three branches don’t always collaborate effectively, which may leave internal audit out of the loop and unable to provide much value to the organization. They may not have access to the data they need to generate effective recommendations. The internal audit team’s focus may be simply on checking boxes and ensuring compliance, rather than providing strategic insights that will help your organization understand and take steps to mitigate new threats.
If you want your internal audit team to move the needle at your organization, you need to get the ear of executives who can advocate for your work. By partnering with leadership, you’ll be able to spearhead new initiatives and gain critical access to data that will help your organization save money and reduce risk, proving your team’s value.
Here are four strategies for doing that effectively:
Identify the key people who can support you, and make a plan to build relationships with them
Your audit team will naturally be in touch with the managers who can provide key information needed to conduct your audits—but by focusing only on these contacts, you’re missing out on building relationships with the leaders who will be able to help you gain a more visible role in the organization. Build a plan for conducting periodic outreach to higher-level executives within your organization, such as your chief risk officer or your CTO. You can solicit feedback from them on any open questions they may want your team to review in your audits, or provide high-level executive briefs showcasing work that you’ve done and issues they may want to explore in further detail. Make sure that they know you and your team are available to support them and open for feedback.
Proactively address organization-wide trends
Rather than focusing solely on issues identified in individual audits, start looking at your audit results in aggregate to identify trends. Is a single department or office location having trouble resolving a specific compliance issue, or is it an across-the-board trend that should be shared with your executive team? Review your data frequently to understand risks that should be mitigated, and come up with step-by-step action plans for how they should be addressed, including who’s responsible and what the benchmarks for success are.
Pay close attention to third-party risks
Many audit teams take an insular view of risk management, failing to uncover the external risks brought on by vendors and technology partners. Make sure that you have policies in place to carefully vet and automate compliance on your third-party vendors, pulling in external data that will alert you to any financial or legal issues they may face. Regularly track all of your solutions and technology partners for red flags, and ensure that you have a strategy for mitigating them. You can showcase your findings in sessions with executives and other partners throughout the business, and collaborate to come up with a plan for any of your scenarios. Keep in mind that risks from big providers such as Amazon or Facebook may impact a lot of your customers or partners as well, so ensure that you map out all of the variables that may impact your company’s business model across the board.
Use best-in-class GRC technology to automate compliance and analyze data
In order to provide the most useful insights to your leadership team, it’s important to integrate your entire risk management function across an easy-to-use GRC platform. Your GRC platform should come with pre-built content that will help you automate your controls framework, regardless of your industry. It should make it easy to monitor compliance status and risk levels across the organization at any given time, with triggers prompting action when control levels are not being met. You should be able to easily drill down into your data and generate executive dashboards, so that you can share insights to justify recommendations and help your leadership team make better informed business decisions.
By building a cohesive strategy for integrating with the 3LOD, backed by in-depth data analytics, real-time data feeds, and workflow automation, your audit team will be able to generate insights that can help to identify new risks, and develop new strategies for mitigating risks across the entire organization. This will help you to become a highly visible, influential, and trusted partner to the business.
“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
Audit International have been thinking recently about what internal audit should know about ESG risks, and where best to start but with the E, which is for Environmental.
In this, the first in a series of three articles, we will drill down on Environmental risk and explore how internal audit can have an impact by focusing on key risks.
Environmental risks :
There’s no single taxonomy of environmental risks. Consider what categories your organization uses and what is used elsewhere in the sector. The following should all be covered, at a minimum, but may be described in different ways using different terminology:
Climate change :
This should include the effect of greenhouse gas (GHG) emissions – we usually talk about carbon dioxide but there are seven gases covered by the GHG protocol
Pollution from emissions and discharge (i.e., water, soil, air)
Biodiversity loss and deforestation
Waste management
Resource use – impacts of raw materials, production, transportation, and distribution (consider water, energy, and other natural resources)
Hazardous materials
There is clearly an interplay between these risks, but as they represent the major environmental impacts, this offers a good starting point.
This should fit neatly into your existing risk assessment process. Typical impacts for the organization will be reputational, legal and regulatory, financial, operational, and ultimately strategic. All things we are very familiar with.
Getting started – Determining the key risks
Every organization is different. You will need to start with a risk assessment to determine the key risks, potentially using the list above. To do this, you will need to understand the main environmental issues in your business, considering a number of factors:
What sector(s) you are in, and what are the main impacts of that sector. Search out industry guidance from standard setters such as GRI (Global Reporting Initiative), international business groups, such as the World Economic Forum, and thought leaders, such as McKinsey. It is important to consider all the main parts of your business, from the environmental impact of the raw materials you source, through transportation, production, and sales. Although focus on your immediate impacts may be easier, the impacts outside your organization’s immediate control are often more significant. For example, a significant environmental impact of electronics is the extraction of rare earth metals essential for their production.
Where your business is based, the places in which you operate, where you source materials from, and where you sell to. This is important for a number of reasons. It drives the nature and extent of legal and regulatory risk that the organization faces. It also influences the attitudes of stakeholders, such as customers and consumers, as these may vary significantly. But bear in mind, that these factors can change quickly and this needs to be built into any risk assessment.
Requirements of your customers. This may be contractual for government or corporate procurement, or the preferences and attitudes of consumers. This is also partly based on location (as mentioned above), but in global markets, it is never that simple.
All of this (and more) should have been considered by the business (first or second line) and internal audit should leverage their work, effectively challenging and validating. If this has not been done, internal audit needs to be taking a step back and conducting a more basic evaluation of the maturity of the organization’s risk assessment process.
Some types of environmental impact will be universal and significant no matter what your business activity. These include climate change and waste, which Audit International will dig a little deeper into later in the article. Others may apply to a much greater extent in certain industries, such as those in extractive industries (oil and mining for example) and heavy manufacturing (where there may be high levels of resource use – both raw materials as inputs and energy and water in the production process).
How internal audit can make an impact :
As with any aspect of audit planning, the greatest value internal audit can bring will depend on the major risks identified. But we can’t just consider the inherent risks, we need to understand what other sources of assurance are in place and, most importantly, what activities are contributing to both the risk and the assurance. Think about the following:
What do we know about environmental management processes that are in place? What is the scope of these systems and processes?
What reporting is in place? Are external reports assured? Which stakeholders use and rely on these reports?
Are environmental factors (risks and costs) incorporated into project evaluation and capital decisions?
A common factor across many environmental risks is availability and the quality of the data. Process and controls for environmental data are generally less mature and systems are not always equipped or configured to meet the complexities and nuances of this data. This is often a great opportunity for internal audit to add value, both by providing assurance over processes and systems, and by validating the data itself. Both leverage core internal audit skills.
We can also go further, confirming that reports meet whichever standards are being applied, that management reports or projects evaluations fairly, and that these completely reflect risks as well as opportunities. However, this may require more specialized knowledge.
Some examples :
Climate change
All organizations need a response to climate change, and so while the specific needs will differ, this is an issue increasingly relevant for everyone. How can internal audit add value? Let’s look at two potential opportunities:
Has the business considered the potential physical and transitional impacts of climate change? Best practice suggests this should be done using scenario analysis that includes a range of realistic scenarios. Physical vulnerabilities may result from gradual, long-term changes in climate (chronic risks), or short-term (acute) risks, such as storms and fires during heatwaves. These potentially impact the cost-of-capital, the availability and cost of insurance rates, and cause operational disruption. Transitional impacts include changes in legislation, markets, technology, and stakeholder expectations. Internal audit can review the process used to establish scenarios and determine the impacts and, more importantly, assess actions to improve resilience, mitigate risk, and maximize opportunities.
Many corporations are now publishing disclosures under TCFD (Task Force on Climate Related Disclosures). These are becoming mandatory in some countries and are an increasing expectation from investors. External assurance, if any, is usually very limited in scope. Internal audit can provide assurance over the processes to collate data and support assertions made in the disclosures. It can also audit the data and assess the evidence supporting those assertions. Other organizations may provide (voluntarily or by regulation) data on, for example, energy use or emissions. Again, internal audit can provide similar assurance over these processes or this data, as any external assurance will generally be limited.
Waste :
Waste is an issue for all organizations, although the specific impacts will be very different across businesses. As well as the environmental impact, businesses have a cost-incentive to reduce waste, as it is increasingly expensive to treat and dispose of. Internal audit can add value in a number of ways.
Here are some examples:
– Assess whether policies support the organization’s waste strategy. Are they specific to the business and relevant for the types and locations of waste produced? Do they take into account legislation and regulation in each jurisdiction? Are they effectively implemented, understood, and followed?
– Companies often report waste information, either in annual reports or to different public authorities. How is this validated? For example, how do we know that waste is recycled or reused? Are there controls to independently verify how the waste has been treated? In many countries, responsibility for safe disposal rests with the waste producer, not the waste contractor.
To summarize, we have described the importance of environmental risk to all organizations and have shown how internal audit can respond to some of those risks. Internal audit can use existing tools and skills to get started, and leverage widely available sources of knowledge to find out more.
Keep an eye out for our next blog, discussing the S in ESG, which of course stands for ‘Social’.
We will explore how internal audit can address important social risks.
“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
Internal audit functions need to be adaptable, technologically savvy, and future-focused.
This week Audit International are taking a look at how we can ensure the future of Internal Audit.
As COVID-19 spread across the world, it changed the entire landscape of life on both personal and professional levels. The changes it brought about have lingered and become the new normal, not only for the past three years but for the future.
While most organizations have implemented new short-term priorities to combat its effects, the internal audit function also needs to become future-oriented. As it supports operational effectiveness in an increasingly dynamic risk landscape, internal audit must consider the pandemic’s long-term impacts — with new risks arising from remote work and other pandemic changes, and old risks such as cybersecurity becoming an essential priority rather than simply a buzzword on the risk register.
While internal auditing’s focus on assurance of business process risks and controls remains an integral part of its role, the profession needs to be equally agile and adaptable as risks multiply and evolve — just like the Covid-19 virus.
The following actions are but a part of the changes and evolution that internal audit functions and leaders need to undertake, but they are a good start.
1. Identify changing work environments and tailor the internal audit approach to deliver value within them. Starting with the basics, notions such as segregation of duties and asset safeguards need to be revaluated for their suitability to the new work environments. The nature of work processes, especially under a remote work environment, or even an office-based environment that is increasingly reliant on digital collaboration tools, is fundamentally changing. Physical oversight and simple written signature approvals as controls will no longer be effective (and let’s be realistic, they are severely outdated and time consuming). Audits and auditors will need to employ a much higher level of rigor and detail in their reviews. Information technology applications need to be a basic skill for the traditional auditor, not a unique skillset of the sole IT auditor on the team, and information security risks need to be considered in absolutely every audit and process, not just IT audits.
2. Leverage emerging audit technologies. With auditors being involved in virtually every function of the business, and with every function in the business being interconnected through digital collaboration tools, the audit function, which is also a part of the organization (a fact that is often forgotten), also needs to be part of the organization’s digital ecosystem. Audit cannot preach digitization and evolution of the organization while remaining stagnant in paper trails by their own rights. Leveraging the increased access to data all over the company, and utilizing the many advanced data analytics functions embedded with them should be a basic tenant of the audit function. This is a blessing in disguise, as while initially implementing it might be a change and a challenge, it will allow audit functions to increase sample sizes, or even test whole populations, allowing the audit function to provide management with an unprecedented level of assurance (but let’s remember to stay within the realm of reasonable assurance as audits are not infallible).
3. Adopt an agile audit approach. It truly is a nice notion to be able to audit everything all the time. Time constraints are one of the biggest challenges to the audit function in providing coverage across the organization and balancing costs and benefits. With speed of doing business increasing at an exponential base, the speed of the audit function needs to evolve to keep pace. However, it is important to remember that this speed needs to be balanced with the rigor expected of the audit function. Luckily, the increasing use of technology also enables audit to be almost ever-present. Continuous audit programs and integrated red flags within information technology systems allow audit work to be more present rather than historically focused, largely enhancing the value auditors can contribute to their organization. Agile methodologies are not about employing traditional audit methods and producing “half baked” audit results; they are about leveraging emerging technologies such as automation and artificial intelligence within data systems to enhance operations and maximize shareholder wealth.
While this is by no means a comprehensive list, an audit function that is adaptable, technologically savvy, and present- and future-focused is definitely on the right track, steering ahead to the future. These tenants are the some of the essential foundations of the future of internal audit.
“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
Audit contracts are changing hands rapidly since the FRC and Competition Commission published their separate recommendations to enforce more frequent tendering of FTSE 350 audits. But recently KPMG managed to hang onto the Standard Chartered audit contract after it went out to tender in August of last year. Read more in our previous blog BIG 4 firm KPMG retains Standard Chartered audit
KPMG have been the banks auditor for 40 years and the big 4 firm earned around £9m last year from the audit.
Continue reading »
The European Parliament’s legal affairs committee have approved a draft agreement for EU audit reform in the hope that it will open up the EU audit services market beyond the dominant Big Four firms.
The EUs legal affairs committee voted in favour of the measures agreed in December. Read more in our previous blog Preliminarily agreement reached on the EU audit reform . These measures will force large-listed companies to change the firms that audit their accounts on a regular basis.
Continue reading »
The UK Competition Commission has put on hold its audit reform consultation process. The delay could last up to six months.
The delay is because of recent developments at a European level. The Commission had been aiming to be at the informal consultation stage but this stage won’t begin for the next four to six months.
Talks over the EU 10 year audit rotation have been on-going for some time and only recently were put on hold because of disagreements over the package of legislative measures. Read more in our previous blog Talks over the EU 10 year audit rotation have been put on hold
Continue reading »
The EU member states have preliminarily agreed the EU audit reform but this will mean auditors will be banned from offering certain non-audit services to their clients.
EU member states preliminarily agreed the EU audit reform on Tuesday. Read more about this in our previous blog Preliminarily agreement reached on the EU audit reform
Continue reading »
Finally a framework of EU audit reform was preliminarily agreed yesterday. A last minute deal was reached between politicians saving the reform from more setbacks.
The framework of EU audit reform was preliminarily agreed yesterday during the final discussion between the Lithuanian EU Council presidency and the European Parliament, which will see companies forced to change their auditors every ten years, with the possibility of audit tenures extended if certain criteria are met. It is still subject to a final agreement by member states later in the week. The European Parliament is optimistic that the majority of member states will approve the audit reform.
Continue reading »
