Posts Tagged “big four”

In this final article of the series, Audit International focus on the third element of ESG- Governance risk. This differs from the first two elements – Environmental and Social – in that several governance risks have long been recognized and included in our audit plans. However, many more have recently gained prominence. Therefore, it is important that internal audit understands these risks and is well positioned to provide assurance.

Governance risks :

Some governance risks are broad in nature. Others, are very narrow. Some have little in terms of universal benchmarks, while others have well-established frameworks or regulations. Here are some of the main risks that should be considered:

– Shareholder rights and engagement – are there any limitations on certain classes of shareholders, and does the business engage effectively on important issues?
– Board structure and diversity – are there independent directors, and does the board have sufficient diversity of experience, style, and background? Increasingly, neurodiversity is a consideration, and in some countries a workers’ representative is a requirement.
– Executive compensation – is this structured to be in line with corporate objectives, and is it consistent with peers in comparison to the wages of other staff?
– Anti-bribery and corruption – many countries have a comprehensive legal framework.
– Tax transparency and policy – what is the organization’s approach to tax, and particularly the jurisdictions it operates and pays taxes in?
– Ethics and culture – a broad topic, ethics encompass all the above and more. Culture has become a hot topic over the past 15 years with the link between a strong organization-wide culture and performance becoming increasingly apparent.
– Data protection – often also included as a social risk, good information governance is relevant here as well.
– Typical impacts for the organization will be reputational, legal and regulatory, people, financial, and ultimately strategic.

Getting started – Determining the key risks :
Compared with environmental and social risk, it is much more difficult to take a holistic approach to governance risk, given the breadth of topics. However, it is likely that many activities and risks are already in your audit universe. A governance code may have been adopted by your organization, although these may only cover some of the issues described above. Understanding the relevant governance code(s) –mandatory or optional – is a good starting point. This will depend on jurisdiction(s), market listings, regulators, and industry practices. Governance codes can be principle-based or more prescriptive, and will typically define some or all of the following, often on a “comply or explain” basis:

– Clarity of purpose
– Leadership
– Integrity
– Board composition and division of responsibilities
– Board effectiveness
– Decision making
– Risk management, internal controls, and audit
– Accountability, transparency, and reporting remuneration

In understanding governance risks, you should also take into account what specific legal or regulatory requirements there are around any of these issues. This may include reporting requirements around diversity or executive pay or matters which must regularly be reported and considered by the board. Also, consider what other stakeholder expectations are relevant. This is likely to focus on investors, as they have been increasingly vocal and prepared to vote against boards that do not adequately address specific issues.

With this background information, along with your consideration of the issues highlighted earlier in this article, you can ensure your risk assessment incorporates relevant governance risks.

How internal audit can make an impact :
As always, we should leverage work done by the first and second lines in considering where we can make the biggest impact. We should consider our risk assessment alongside any new information we have about regulatory changes, emerging issues in our sector, or jurisdictions, and investor interest.

Some Examples :
– Governance framework
– Governance codes were mentioned earlier in this article. Whether your organization has adopted a code in full or developed its own framework, it will need to produce a regular (typically, annual) report of compliance with the code. Assessing the processes supporting this reporting is often a good way to execute broad audit coverage of governance risks. Such reports are expected by regulators, provide assurance to the board, and are sometimes published (at least in part in the annual report). – Therefore, it is important that they give an accurate picture.

Reports may take many forms and will often include qualitative assertions and specific data or examples. It is important that any data reported is accurate, but equally as important that narrative assertions or examples are supported by evidence. Internal audit can provide assurance over the processes to collate this evidence, ensuring it is complete and accurate and that the right oversight controls are in place. We can also review the report and verify that the conclusions reached fairly reflect the evidence available. Generally, we take a combined approach to provide comprehensive and broad assurance.

Board composition :
Board composition has been under the spotlight, and while practices have improved there is often still a lack of transparency in recruitment, objective evaluation, and diversity. This is a sensitive audit which needs to be conducted by experienced auditors. When done well, it provides real insight and impact.

It is important not to make this about the individuals currently serving on a board, but about the effectiveness of processes around recruitment, structure, skills-determination, and performance evaluation. Consider some or all of the following:

Is there an evaluation of the skills required on the board and an up-to-date skills matrix? Is this specific enough to ensure the board members possess the right range of skills and experience but sufficiently flexible to attract a diverse pool of candidates?
Do recruitment processes include defining an ideal candidate profile, pre-determined selection criteria, and stakeholder involvement in the exercise? Are candidates sourced in a way that ensures a wide pool of candidates, recognizing that there may be a need for confidentiality?
How are conflicts of interest identified and managed?
What are the rotation policies/term limits for non-executive board members?
How is board performance evaluated? Is there a self-assessment process and a periodic independent assessment?
Is there a training plan for the board and individual board members? Is there an individual appraisal process?
Does the committee structure support effective delegation but ensure the board maintains its responsibility for strategy and oversight?
How effective is the relationship between executives and non-executives? Does the structure facilitate both support and challenge?
Is there an effective process for succession planning?
Do boards allow time for open discussions and strategic thinking, as well as formal meetings?
Some of this can be done by document review — including board papers and minutes, skill matrix, recruitment process documents, etc. But much of this will also require interviews with board members and those who support the board, such as the corporate/company secretarial or corporate governance team.

This article concludes the series on what internal audit should know about ESG risks. If you missed the first two articles, be sure to go back and read our previous blogs, to get you up to speed on our suggestions on how internal audit can approach environmental and social risks.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

A recent study revealed that 82% of finance and business leaders must comply with sustainability requirements or ESG regulations. Even without mandatory regulatory standards in place, Audit International would bet their bottom dollar that more companies would voluntarily take on sustainability initiatives and thus, produce ESG reports.

Why? Because more stakeholders are looking.

The number of parties with vested interests in ESG performance has dramatically increased. The tendency is to think of investors as the sole consumer, judge, and jury of ESG reports, but that’s changing, especially as other stakeholders find themselves subject to ESG expectations.

So, who’s really looking at your ESG reports? And why do they care?

Investors
Let’s start with the obvious: investors! Today’s investors want to ensure their money supports organizations that align with their values. Increasingly, those values are moving further and further away from brown stocks. Investors are leaning away from companies that might risk damaging the environment, operate with inequities, or are vulnerable to corruption.

While sustainable investing is value-based for many investors, it’s also the safer, more lucrative investment in many cases.

A study by Nordea Equity Research reported that, over three years, companies with high ESG ratings outperformed the lowest-rated companies by as much as 40%.

A Bank of America Merrill Lynch study found that firms with a healthier ESG record yielded higher three-year returns. They were also more likely to become high-quality stocks, less likely to experience significant price drops, and less likely to go bankrupt.

All this to say, an ESG score isn’t just a number. It indicates to investors that your company is a proactive, forward-thinking entity that will satisfy the investor’s need for ROI and their conscience.

Internal stakeholders
Many stakeholders within a business can benefit from ESG performance data.

For example:

Sales and marketing can use ESG data to showcase a company’s sustainability performance in their efforts to entice new customers.
IR and PR teams can tout ESG successes to improve the company’s reputation.
HR reps can use social data to attract talent.
Finance teams and chief executives can use ESG insights to improve profitability, contain costs, identify new business opportunities, and recognize areas of investment and divestment when ESG data is connected to financial performance.
Organizations can put ESG performance data to work in many ways. Regarding business value, ESG reports can give every department leverage in furthering the growth and goodwill towards an organization.

ESG scoring bodies
A good ESG score is a golden ticket to a favorable ESG reputation. To receive one, you’ll have to complete surveys or create reports designed by third-party providers, who then calculate ESG scores based on the metrics and ESG performance you reported. Like a credit score or a bond rating, an ESG score demonstrates your company’s ability to meet its ESG commitments, performance, and risk exposure.

Notable ESG scoring organizations are Bloomberg ESG Data Services, Sustainalytics, ESG Risk Ratings, JUST Capital, MSCI, Refinitiv, Dow Jones Sustainability Index Family, and RepRisk.

Banks and financial institutions
Banks, capital markets, and wealth managers are moving towards ESG agendas. This is not just an ethical move but one of demand, risk, and reward.

In terms of demand, millennials lean significantly towards sustainable investments. A survey by EY found that millennials are twice as likely to invest in a fund or stock if social responsibility is a component of the value creation narrative. (Might I remind you millennials are the demographic soon to be society’s primary wealth holders.)

In terms of risk, the liability to banks is two-fold. First, banks are subject to the same sustainability scrutiny as other businesses — customers want to bank with sustainably responsible banks. And second, banks face similar challenges to investors: lending to companies that aren’t sustainable could also pose threats to their business. Will a coal mine be able to repay its debts when sustainable alternatives take over? While banks might not be in this scenario just yet, in the future, it’s possible that businesses could see requests for funding denied if they don’t prove to be sustainable enough.

In terms of reward, again, we see companies with strong ESG performing better than those with weak ESG. An analysis completed by global investment manager BlackRock found that up to 88% of sustainable funds outperformed their non-sustainable counterparts between January 1, 2020, and April 30, 2020. Why would a wealth manager allocate funds to an unsustainable stock when a more sustainable and equally (if not more) profitable alternative exists? Why choose to lose/win when you could choose to win/win?

Regulators
Incoming! A stampede of regulations is making its way into the ESG reporting arena. Two regulations of note are:

The EU’s Corporate Sustainability Due Diligence (CSDD)

In February 2022, the European Commission published a draft of the CSDD. If passed, the CSDD would require companies to disclose the impacts of their operations on human rights and the environment.

The US’s new climate-related disclosures

In March 2022, the SEC proposed expansive new climate-related disclosures related to greenhouse gas emissions, climate risks, transition plans, and governance.

Sullivan and Cromwell LLP has a great round-up of the latest (up to May 2022) ESG regulatory advancements here. The bottom line: ESG is being written into everything from litigation to financial institutions, disclosure and governance, and law. While your particular flavor of ESG regulation will be subject to your jurisdiction and industry, you can bet on increased regulatory scrutiny coming your way soon.

Consumers
B2C companies find themselves with a consumer who cares about their product, how it’s made, and who’s making it. Recent PWC research found that:

Consumers aged 17 – 38 years are almost twice as likely to consider ESG issues when making purchasing decisions than others.
Over half of consumers surveyed said that a company’s purpose and values played a role in their purchasing decisions.
49% of consumers and 66% of millennials use the internet to learn more about a company’s ESG practices before buying a product or service.
From this, we can conclude a few things. The future of the sales will be dependent on ESG performance. And consumers aren’t satisfied with marketing promises — they want the ESG evidence, and your reports will be front in center of their investigations.

Everyone’s looking at ESG
Don’t make stakeholders struggle to seek out your ESG performance. By using a corporate performance management approach to ESG reporting, you can tell your sustainability story, disclose according to multiple new and evolving frameworks, and connect financial outcomes, operational activities, and ESG performance to ensure sustainability is always tied to doing good for the earth, people, and your bottom line.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Having considered how internal audit can address environmental risks in the first article in this Audit International series, this article turns to the second element of ESG, social risk. This can be a sensitive area, and many risks are hard to quantify. But over the last decade, expectations of organizations have evolved significantly, and internal audit has a key role in providing assurance over the risks that this presents.

Social risks :
Social risk can be viewed from several perspectives. While we traditionally look at business activities, here it can also be helpful to look through the lens of different stakeholders to ensure all risks are captured and completely understood. For example, consider impacts on the organization itself, staff, customers, suppliers, investors, other third parties, and the wider communities in which you operate. Below are some of the key risks – not an exhaustive list — but those that outline the main risk areas you will want to capture:

– Health and safety – consider both workplace and customer safety.
– Labor standards – your own and those throughout your supply chain. This goes beyond compliance with legislation and international protocols to include issues such as well-being, benefits, and employee engagement.
– Equality, diversity, and inclusion (EDI) – very important to staff, customers, and the community, this is a significant topic in and of itself
– Sales practices – important to your customer base and the wider community, poor practices can quickly damage a reputation.
– Data privacy – sometimes considered a social risk, given its impact on staff, customers, and other partners.
– Community engagement – how effective is your organization in working with local (and broader) stakeholders to maximize the positive and minimize the negative impacts on the community. This started with CSR (Corporate Social Responsibility) but often goes much deeper.
– Other broad, but important, issues such as human rights and the rights of indigenous peoples.
– Typical impacts for the organization will be the same as for many other ESG risks – reputational, legal and regulatory, financial, operational, and ultimately strategic. Other than potentially using different stakeholder perspectives when considering risks, this fits well into your risk assessment process.

Getting started – Determining the key risks :
Your risk assessment should always be the starting point. In order to do this, you will first need to go through several steps to get sufficient background context:

Understand your organization’s approach to social risk. Given the variety of risks and the number of stakeholders, it is likely that it will sit across the organization with many different risk owners. For example, staff-related risks and issues will be owned by Human Resources, whereas supply chain risks will be owned by the relevant business unit or a procurement function. Are there anywhere these risks are also considered and assessed together or across the organization, such as part of a risk function?
Consider who the key stakeholders are. Some will be common to all organizations – staff and customers for instance. Others will be specific to your business – such as a community close to a quarry.
As always, consider key sector and industry risks, drawing on industry guidance, frameworks, and other resources, and on standards such as GRI (Global Reporting Initiative).
Pay attention to your supply chain, particularly if sourcing (directly or indirectly) from jurisdictions where labor or safety standards may not reflect those in your home country.
Understand legal and regulatory requirements in all jurisdictions in which you operate.
With this background information, you can start to include social risks into your risk assessment, leveraging work done by the first and second lines, and begin to provide assurance over these key risks.

How internal audit can make an impact :
Clearly, we should be focusing on the biggest risks for the organization. However, we often need to consider the impact on stakeholder groups in aggregate, rather than just for each risk. Staff is a good example. We should certainly consider risks around compliance with labor laws but understanding the impacts on staff also requires the inclusion of wellbeing, health and safety, benefits, employee engagement, and EDI to assess the potential risk around staff as a group. Internal audit can add value by looking at risk in this way and provide more holistic assurance over risks relating to specific stakeholders.

Internal audit can also take a broader look at the organization’s approach to social risk. As I suggested earlier, it is often a distributed responsibility, but the risks do not exist in isolation. Some questions you can ask:

What is the organization’s attitude towards social risks? Are social factors (collectively or specific issues) considered in strategic planning or discussed at the Board level?
Have key stakeholders been identified? Do these make sense given what you know?
Is social impact considered in decision-making, particularly investment decisions and project evaluation? For government and social-purpose organizations, this will often be a core part of the decision-making process. But even in commercial organizations, evaluation of social risks and impacts will often be built in.
Are there targets and performance metrics in place? For key risks there often are metrics, but they may not be evaluated as a whole – which could be acceptable if they have sufficient prominence. As for other ESG risks, the availability and quality of the data may be a challenge as standards, systems, and processes are evolving. This provides an opportunity for internal audit to make an impact by evaluating systems and processes and by validating the data.
Some examples
Labor standards
The subject of labor standards is broad, but if we consider it in two parts, it may help. First there are fundamental rights at a global level which most countries are adhering to as members of the International Labour Organization. These cover issues such as forced labor, child labor, maternity, working hours, discrimination, health and safety, and unionization rights. Second, there are expectations beyond this, which often vary by country and include benefits, well-being, and employee engagement. There are many ways for internal audit to make an impact here. I will address two very different audit examples:

An organization’s own employment activities have always been part of an audit universe. There is an opportunity to take this further, providing insight and assurance into, for example, employee wellbeing and engagement. Most large organizations conduct surveys covering one or both, but how effectively do they select, track, and use metrics? Also, how effective are follow-up plans? These are sensitive areas, but this is largely about how data is collected and used, and how effectively plans are defined and implemented. All are very well aligned to core internal audit skill sets.
The broader issue of labor standards risk incorporates many parts of a business. As well as an organization’s own employees, we need to consider those in the supply chain, service companies, and any other partners. The focus of an audit is likely to be on procurement and contract management processes. Do contracts stipulate appropriate measures (which vary on the size and nature of the organization)? What independent verification is available that standards are complied with? What monitoring is in place within the organization to highlight emerging issues? All questions internal audit is well-positioned to consider and provide assurance over.

Sales practices :
Sales practices have been under the microscope at various points over the last century. Often it relates to providing dishonest or misleading information, or selling products or services are known not to be in the best interest of the buyer. The banking crisis of 2008 highlighted unethical practices which led to a significant shift to providing services based on the customer. Earlier examples are tobacco and baby formula, the health impacts of which were not accurately portrayed. In both cases, poor practices continued in parts of the developing world long after they were prohibited in the West.

Risks are primarily reputational, but often there are legal and regulatory considerations that can be substantial. Let’s look at two ways in which internal audit can make an impact in this area:

The first is not about the sales process itself, but about whether organizations are considering the customer in the products and services they sell. All jurisdictions have regulations about product quality or the types of services that can be sold to different groups of consumers. Examples range from food standards to complex financial products. In addition, there are overarching responsibilities to ensure customer health and safety (whether on-site or through the products or services they are using) that should be considered. This could be as obvious as ensuring products don’t cause a choking hazard or more complex such as the danger posed when providing social media platforms to young people. Internal auditors should understand the relevant regulations, and any voluntary codes, to provide assurance that there are appropriate controls over these risks, often as part of an existing audit. But you can also go further by considering the more complex aspects of risk and raising concerns if these have not been appropriately considered as customer needs and welfare are an integral part of product/service design and production.
Internal audit can provide assurance over the sales process itself. In any setting and for any customer group, there should be defined processes for marketing, customer communications, and best practices and guidelines a salesperson should consider when making the sale. For complex products such as insurance, this may be very structured, whereas a very light touch would be expected for simple products. Controls may include guidelines, review, and approval for marketing materials, standard templates for communications, and certifications and training for sales. When auditing, we need to be mindful of having realistic expectations for the type of products and services being sold but also be prepared to challenge when processes are insufficient or not well-evidenced. Additional considerations include data privacy, avoidance of discrimination, and the need to look at practices in all relevant jurisdictions.
To summarize, we have shown the variety of social risks within ESG and how internal audit can use their skill set to make an impact by providing assurance over some of these key risks. There are good sources of information freely available to understand different issues in more detail to help assess how social risks may impact your organization and your audit response.

The third and final article in this series will focus on the “G” (Governance) in ESG which covers a broad range of corporate activities. It is important to understand these risks as they provide the foundation for effective ESG program management.

Have you ever had one of those days where you were determined to write that audit report? So you block off the time on your calendar, go into your office, shut the door, remove any and all distractions and breathe. Because now is the time to take all of those thoughts and perfect phrases running wild in your head and put them on paper. You sit down at your desk ready to make it happen. And you come up with nothing.

You decide to invite a colleague in to assist. Because after all, two heads are better than one. The two of you discuss the issues thoroughly, but nothing seems to sound right.

Writing objective observations takes time, skill, and tact. And if you’re like any other auditor, the audit issues sound wonderful in your head. But by the time you formulate the right words, reach for your pencil and place it on paper, that wonderful wording has become a distant memory. It’s worse if you’re in a group setting because you now become frustrated as the group begins asking you to repeat what you said. Unable to remember words uttered only seconds prior, it is only then that you realize how old you truly are.

If you’ve ever faced this situation, do not fear. There are several tools and techniques you can use to speed up and improve your report writing. But first, we must address the five big problems with writing reports:

1. We think faster than we write
2. Our million dollar thoughts come at the wrong time
3. We believe in writer’s block
4. We look for perfection in the first paragraph
5. We don’t understand and/or appreciate the writing process

5 Problems with audit report writing
We think faster than we write
We’ve all been there. Browsing through our cabinets trying to make a mental grocery list. Then you reach the point where there are too many items to remember. You decide to write a list. You reach for your paper and before the pen touches the pad, you’ve already forgotten the five items you wanted to write.

Our brains are fascinating. I can remember where I was in the summer of 1989, but I cannot remember what I ate for breakfast this morning. It is that forgetfulness that can derail your report writing.

Our million dollar thoughts come at the wrong time
Worse yet is when you have this wonderful idea, but then realize that it is 5:00 o’clock and you are stuck in traffic. There is no way you can capture that great thought without causing a pile up. So you try other techniques. You turn off the radio and repeat whatever it is over and over. You hope to continue this until you get home, or at least until you get to a stopping point. Of course something interrupts your thought and you forget what you were trying to remember.

We believe in writer’s block
Some people believe that writer’s block is a thing. I’m here to tell you, it is not. At least in the context of business writing or internal audit reports. Wikipedia define writer’s block as follows:

“Writer’s block is a condition, primarily associated with writing, in which an author loses the ability to produce new work or experiences a creative slowdown. This loss of ability to write and produce new work is not a result of commitment problems or lack of writing skills. The condition ranges from difficulty in coming up with original ideas to being unable to produce a work for years. Writer’s block is not solely measured by time passing without writing. It is measured by time passing without productivity in the task at hand.”

As you can see, writer’s block is a primary concern for creative writers. Our audit reports are, or should be, factually based non fiction. We are taking a series of facts, placing some logic and order to those facts, and providing management with a conclusion. What we are not doing, is creating new characters or developing plots and story lines. We know the beginning, middle and end of the story. Therefore, we know what to say. The problem is how do we say it so that it has the best impact given within the culture of the organization.

We look for perfection in the first paragraph
Because audit report writing is simpler than creative writing, we believe that we should be able to sit down and create the perfect prose in minutes. After all, we know the beginning, middle and end of the story. When we finally put pen to paper, our initial draft is usually not good. We then become frustrated. But I believe that frustration is because we don’t understand the writing process.

We don’t understand and/or appreciate the writing process
All the magic happens in the editing. Any writer will tell you this. Ernest Hemingway famously once said that “The first draft of anything is ****” (insert a very bad word here). As someone who has had articles published, I can tell you this is true. I can recall the first time I sent something to an editor. I thought it was an okay piece. But what came back was a magnificent manuscript. I fined tuned it a little and the result was something we were all pleased with. The writing process does not require perfection at the start. Your initial goal is to get something on the page. After that, trust the process and let the magic happen in editing.

3 tools you can use
Google voice typing
Because our brains seem to signal our mouths to speak faster than our hands can write, voice typing is the perfect shortcut to getting those wonderful words out of your head and on paper. For those unfamiliar with voice typing, you talk, it types. It’s as simple as that. Well, sort of.

The best free voice typing tool I’ve found is through Google. Log in to your account. Then, access Google Docs and open a document. Go to Tools, then Voice Typing (or you can press Ctlr+Shift+S).

You will see a microphone that may say Click to Speak. Click it, talk to it, and watch the magic happen. You will need to learn certain commands like period, comma and new paragraph. But other than that, if you speak clearly, it will recognize most speaking voices and words.

Your Cell Phone voice recorder
If barking out commands to your computer isn’t your thing, you’re in luck. There’s another option. If you’re like me, your cell phone is probably within arms reach. Grab your phone and go to your favorite app store. Search for a voice recorder. You should see several. Download one that piques your interest.

You can now record yourself talking about the audit issues. Now you will never miss that wonderfully worded paragraph that would sound great in an audit report. Once recorded, you can listen to the recording and pull out the impactful paragraphs.

Transcription
If you truly believe the recording represents your best work ever, you can have it transcribed. Yes, you heard me, transcribed. It’s not as bad or as expensive as you think. Before I get into that, I must say that I am not being paid by nor am I endorsing these specific products. there are several transcription services that I have used. Some use live transcribers while others use automated engines.

Summary

Writing audit reports can be a daunting task. But it has to be done. Nowadays we have a lot of tools that can help streamline the process. Many of the biggest issues start with us. Writer’s block is only as real as we allow it to be. Sit down and put something on paper. Use some electronic tools to get your words on paper. Almost any words will do. Afterall, the magic happens in the editing.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Audit International have been thinking recently about what internal audit should know about ESG risks, and where best to start but with the E, which is for Environmental.

In this, the first in a series of three articles, we will drill down on Environmental risk and explore how internal audit can have an impact by focusing on key risks.

Environmental risks :
There’s no single taxonomy of environmental risks. Consider what categories your organization uses and what is used elsewhere in the sector. The following should all be covered, at a minimum, but may be described in different ways using different terminology:

Climate change :
This should include the effect of greenhouse gas (GHG) emissions – we usually talk about carbon dioxide but there are seven gases covered by the GHG protocol
Pollution from emissions and discharge (i.e., water, soil, air)
Biodiversity loss and deforestation
Waste management
Resource use – impacts of raw materials, production, transportation, and distribution (consider water, energy, and other natural resources)
Hazardous materials
There is clearly an interplay between these risks, but as they represent the major environmental impacts, this offers a good starting point.

This should fit neatly into your existing risk assessment process. Typical impacts for the organization will be reputational, legal and regulatory, financial, operational, and ultimately strategic. All things we are very familiar with.

Getting started – Determining the key risks
Every organization is different. You will need to start with a risk assessment to determine the key risks, potentially using the list above. To do this, you will need to understand the main environmental issues in your business, considering a number of factors:

What sector(s) you are in, and what are the main impacts of that sector. Search out industry guidance from standard setters such as GRI (Global Reporting Initiative), international business groups, such as the World Economic Forum, and thought leaders, such as McKinsey. It is important to consider all the main parts of your business, from the environmental impact of the raw materials you source, through transportation, production, and sales. Although focus on your immediate impacts may be easier, the impacts outside your organization’s immediate control are often more significant. For example, a significant environmental impact of electronics is the extraction of rare earth metals essential for their production.
Where your business is based, the places in which you operate, where you source materials from, and where you sell to. This is important for a number of reasons. It drives the nature and extent of legal and regulatory risk that the organization faces. It also influences the attitudes of stakeholders, such as customers and consumers, as these may vary significantly. But bear in mind, that these factors can change quickly and this needs to be built into any risk assessment.
Requirements of your customers. This may be contractual for government or corporate procurement, or the preferences and attitudes of consumers. This is also partly based on location (as mentioned above), but in global markets, it is never that simple.

All of this (and more) should have been considered by the business (first or second line) and internal audit should leverage their work, effectively challenging and validating. If this has not been done, internal audit needs to be taking a step back and conducting a more basic evaluation of the maturity of the organization’s risk assessment process.

Some types of environmental impact will be universal and significant no matter what your business activity. These include climate change and waste, which Audit International will dig a little deeper into later in the article. Others may apply to a much greater extent in certain industries, such as those in extractive industries (oil and mining for example) and heavy manufacturing (where there may be high levels of resource use – both raw materials as inputs and energy and water in the production process).

How internal audit can make an impact :
As with any aspect of audit planning, the greatest value internal audit can bring will depend on the major risks identified. But we can’t just consider the inherent risks, we need to understand what other sources of assurance are in place and, most importantly, what activities are contributing to both the risk and the assurance. Think about the following:

What do we know about environmental management processes that are in place? What is the scope of these systems and processes?
What reporting is in place? Are external reports assured? Which stakeholders use and rely on these reports?
Are environmental factors (risks and costs) incorporated into project evaluation and capital decisions?
A common factor across many environmental risks is availability and the quality of the data. Process and controls for environmental data are generally less mature and systems are not always equipped or configured to meet the complexities and nuances of this data. This is often a great opportunity for internal audit to add value, both by providing assurance over processes and systems, and by validating the data itself. Both leverage core internal audit skills.

We can also go further, confirming that reports meet whichever standards are being applied, that management reports or projects evaluations fairly, and that these completely reflect risks as well as opportunities. However, this may require more specialized knowledge.

Some examples :

Climate change
All organizations need a response to climate change, and so while the specific needs will differ, this is an issue increasingly relevant for everyone. How can internal audit add value? Let’s look at two potential opportunities:

Has the business considered the potential physical and transitional impacts of climate change? Best practice suggests this should be done using scenario analysis that includes a range of realistic scenarios. Physical vulnerabilities may result from gradual, long-term changes in climate (chronic risks), or short-term (acute) risks, such as storms and fires during heatwaves. These potentially impact the cost-of-capital, the availability and cost of insurance rates, and cause operational disruption. Transitional impacts include changes in legislation, markets, technology, and stakeholder expectations. Internal audit can review the process used to establish scenarios and determine the impacts and, more importantly, assess actions to improve resilience, mitigate risk, and maximize opportunities.

Many corporations are now publishing disclosures under TCFD (Task Force on Climate Related Disclosures). These are becoming mandatory in some countries and are an increasing expectation from investors. External assurance, if any, is usually very limited in scope. Internal audit can provide assurance over the processes to collate data and support assertions made in the disclosures. It can also audit the data and assess the evidence supporting those assertions. Other organizations may provide (voluntarily or by regulation) data on, for example, energy use or emissions. Again, internal audit can provide similar assurance over these processes or this data, as any external assurance will generally be limited.

Waste :
Waste is an issue for all organizations, although the specific impacts will be very different across businesses. As well as the environmental impact, businesses have a cost-incentive to reduce waste, as it is increasingly expensive to treat and dispose of. Internal audit can add value in a number of ways.

Here are some examples:

– Assess whether policies support the organization’s waste strategy. Are they specific to the business and relevant for the types and locations of waste produced? Do they take into account legislation and regulation in each jurisdiction? Are they effectively implemented, understood, and followed?
– Companies often report waste information, either in annual reports or to different public authorities. How is this validated? For example, how do we know that waste is recycled or reused? Are there controls to independently verify how the waste has been treated? In many countries, responsibility for safe disposal rests with the waste producer, not the waste contractor.

To summarize, we have described the importance of environmental risk to all organizations and have shown how internal audit can respond to some of those risks. Internal audit can use existing tools and skills to get started, and leverage widely available sources of knowledge to find out more.

Keep an eye out for our next blog, discussing the S in ESG, which of course stands for ‘Social’.
We will explore how internal audit can address important social risks.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Audit International have been following this news closely for the past few months and we are all interested to see what will unfold for the Big4 giant over the next few months and perhaps years. Just this week, the EY bosses have approved the radical split in largest shake-up of Big Four accountants in decades, with the Big4 Auditor planning to create ‘two distinct, multidisciplinary organizations’ amid regulatory pressure.

Bosses at EY have agreed to push ahead with a split of its audit and consulting arms in the biggest shake-up of a Big Four accounting giant in decades.

The firm said on Thursday that it will ballot its partners on a plan to separate the 312,000-strong business into “two distinct, multidisciplinary organizations” following a strategic review.

EY’s partners will vote on the proposal in the coming months, with the process set to conclude in early 2023, the firm said.

The voting rules will vary by country, but in the UK, the firm will require 75pc of its partners to back the plan if it is to be ratified.

Hywel Ball, EY’s UK chairman, said: “The needs of our clients, people and stakeholders are changing and I’m proud that we are reviewing the shape of our business in the UK and globally so that EY is well positioned to build on its success into the future.

“We believe the creation of two strong, independent businesses would help us to better meet the needs of our clients; create compelling careers for our people; and serve the public interest by providing greater choice in the market and a global response to regulatory concerns.”

The plan could see EY publicly list its advisory division or sell a partial stake in the 312,000-strong firm in a move that would result in bumper payouts for partners, similar to Goldman Sachs’ flotation in 1999 and Accenture’s in 2001.

However, Mr. Ball said no decisions have been made about how the split might occur.

EY is proposing the split amid severe pressure from regulators worldwide over concerns around conflicts of interest at the Big Four firms.

EY, Deloitte, KPMG and PwC have been heavily rebuked by regulators in the UK and US over a perceived lack of independence in their auditing divisions because of the fees they also earn from advisory work.

In the UK, the Big Four have already been forced to start ringfencing their audit and consulting arms in a bid to reduce conflicts of interest following major corporate collapses such as Carillion and BHS.

The Financial Reporting Council has given the firms a deadline of 2024 to operationally split their audit arms from the rest of their advisory businesses.

A decision on the split at EY has been held up for months due to disagreements over how billions of dollars of liabilities should be split and regulatory issues in certain countries, including China.

Earlier this week, it was revealed that senior staff at EY were seeking to defect to rival firms in a sign of growing internal strife over its proposed break-up.

KPMG and PwC are among firms that have seen a significant increase in the number of applications from senior managers, directors and even new partners at EY in recent months.

In July, EY held a briefing on the proposed split for its UK partners at the five-star Royal Lancaster hotel near Hyde Park in west London.

Mr. Ball said views expressed in that meeting showed that partners were “proud” that EY was the first Big Four firm to try and split, adding: “We’ll redefine the profession in the coming years.”

Deloitte, KPMG and PwC have said they have no plans to engineer a similar split of their advisory and audit arms.

Separately, Deloitte posted record revenues on the back of a boom in tech consulting last year.

The firm reported revenues of $59.3bn (£51.5bn), a jump of nearly 20pc on the previous year.

Whatever happens with the split, Audit International will be following this story very closely and bringing you the latest updates on it.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Since the introduction of new auditing rules throughout Europe, many auditing firms are now reviewing how they tender for contracts. Under the new rules large listed companies are required to tender their audit contracts once every ten years. The new audit reforms were introduced to generate more competition between audit firms. Already following these new measures there have been a lot of audit contracts changing hands.

Also introduced was the decision to cap the fees companies can pay their auditors and prohibit the provision of certain services that auditors also provide. It is these issues that are causing the problem on auditors tendering strategies. The new audit reforms have imposed a 70% cap on fees generated by firms for non-audit work, while certainnon-audit services, such as tax advice have been banned altogether. The fee cap will be calculated based on the average of fees paid in the last three consecutive financial years for the statutory audit.

Continue reading »

KPMG have managed to retain their audit contract with Greggs, the pie and sandwich chain. The Big 4 firm has been Greggs’ auditors since the retailer listed on the London Stock Exchange in 1984. Greggs have not put their audit contract out to tender since 1984.

It was announced in the company’s annual report in 2013 that the tender process would begin in March of this year. KPMG managed to retain it audit contract with Greggs. Last year it was reported that KPMg was paid more than £160,000 for their work.

A number of audit tenders have arisen in the past 12 months, many driven by revised UK governance rules and impending EU-backed legislation to create more competition in the market and increase quality.

Continue reading »

Many companies are changing their long term auditors as a result of the new audit rules that have been put in place. The new audit rules state that companies must change their auditors every 10 years. The aim of these new rules is to prevent longstanding and cosy relationships between corporate clients and their auditors as well as having more competition within the audit market.

There have already been a lot of changes in the audit market recently with more and more changes happening.

Some of the most recent changes include Barclays bank where PWC have been the banks auditors for 117 years. The bank is considering when to start the tender process. Last year the Big 4 firm was paid a total of £44m for their services to the bank.

Continue reading »

The European Parliament has passed new audit rules to address investor concerns over the excessive volume of non-audit services, long tenure of audit relationships and the quality of audit communication and this is likely to impact New Zealand subsidiaries and branch operations of these EU companies.

The new rules see:

– capping non-audit services at 70% of the audit fee

– restricting some of the tax and advisory services that a company may obtain from its auditor

– requiring audit rotation at least every 10 years but in certain circumstances this can be extend

– requiring more informative audit reports, and reports by the auditor to the audit committee.

It is thought that while these new laws will help European investors, it will also impact other countries around the world including New Zealand.

Continue reading »