Audit executives concerned about emerging risks
Most chief audit executives are confident in their organization’s ability to identify and assess emerging or unusual risks, according to a new report by the Institute of Internal Auditors, but management is nevertheless all too often caught off guard by new risks.
The IIA’s annual "Pulse of Internal Audit" report found some troubling examples of misalignment between the identification and management of risks in several important areas, including cybersecurity, data privacy and third-party relationships, as those areas are tested by changing geopolitical environments, shifting economic conditions and disruptive technology.
The report encourages chief audit executives to communicate clearly with C-suite executives and board members whenever risks are not being sufficiently addressed, and it offers resources to help them understand the changing risks.
IIA President and CEO Richard F. Chambers is urging chief audit executives to do better at communicating about risks with management and board members. “Internal audit, as a risk-centric function in an organization, has got to be adept at following the risks, and a very important source of insight on those risks is the perspectives of management and the board,” he told Accounting Today. “The survey results found some areas where board members and members of management may have differing perspectives on risks than internal audit does. The whole thrust of the piece is how important it is for internal audit to maintain alignment with these perspectives in the dynamic environment we’re looking at right now.”
The report is based on a survey of more than 500 internal audit executives and identifies four key risk areas:
Cybersecurity and data protection: Reputational damage related to cyber breaches is still a top concern, cited by 70 percent of chief audit executives in North America. Even though three-year trending data reflects steady increases in the allocation of audit effort to cybersecurity and information technology, that effort still lags behind the effort focused on operational, financial reporting and compliance risks, especially among publicly traded companies.
“The report talks about cybersecurity, data protection and the fact that often internal audit is not dedicating the level of resources to those risks that management and boards see present, and that becomes a gap that really should be addressed,” said Chambers. “It's not just a lack of desire. Sometimes it’s talent. Sometimes it's support within the company. If they're not looking at those areas, then there's vulnerability there. It will often lead to the question of ‘where were the internal auditors’ if something happens.”
Third-party risks: Chief audit executives have major concerns about how the organizations where they work deal with the risks associated with selecting and monitoring third-party vendors. Nearly half of the survey respondents perceive organizational oversight of third-party relationships as weak.
“There have been plenty of examples in recent years of companies who may have been doing an adequate job of managing their own risks, but then they were engaged with third parties through contract relationships and so forth, and those third parties ended up getting in trouble or having a data breach or you name it,” said Chambers. “Then of course that interconnected risk damages the first company. What we say is that internal auditors should not just limit their perspectives to the risk that their companies face. They should also be keeping an eye on risks that are created by third parties so that they're not caught by surprise. We saw examples a few years ago of a couple of big retail chains who had data breaches. It turns out after the investigations were done that the cybercriminals actually gained access to the retail companies’ data through their heating and air conditioning contractors because those contractors had access to their systems that are interconnected. You just never know where your vulnerabilities are if you're not keeping your eye open to it.”
Emerging and atypical risks: While 80 percent of chief audit executives indicated they’re confident in their organization’s ability to identify and assess emerging or atypical risks, the reported frequency of management being surprised by these risks belies that confidence.
“Internal auditors need to be able to identify emerging risks,” said Chambers. “Being able to see those risks approaching from far enough out can help the organization recognize that those risks are there, and help internal audit be better prepared to address those risks when they come to fruition, or if they do. There are some practical approaches that internal audit should be using to help management and the board focus on what are the emerging risks and make sure that those risks don't catch the organization by surprise.”
Board and management activity: According to 85 percent of the survey respondents, internal audit rarely or never provides assurance on management information sent to the board. Variations in reporting structures could be preventing internal audit findings and insights in key risk areas from getting through to the board.
“Boards have indicated that the quality of information they often get from management is not of really high caliber and yet internal audit is not really providing assurance to boards that the information they're being provided is accurate and reliable,” said Chambers. “We point out the opportunity to do more of that and better strengthen what internal audit's support is to management.”
The internal audit function also needs to work with the outside auditing firm to ensure the financial statements and controls are correct. “I think the external auditors have the ultimate responsibility,” said Chambers. “If they put out an audit report that provides assurance on the accuracy and reliability of the financial information, they've got to be accountable for that. On the other hand, when it comes to the work within the company to ensure that there are good solid controls, I think that's an internal audit responsibility. Each of them has their respective responsibilities.”
Problems can also develop with the chain of command inside the organization. “Internal audit having an administrative reporting relationship to the CFO is not an ideal reporting relationship administratively,” said Chambers.
The survey found that internal audit reports functionally to the audit committee or the overall board over 90 percent of the time. “That's really good because that indicates that the board has direct access to, and line of sight over, what internal audit does,” said Chambers.
On the other hand, the survey also found that 75 percent of publicly traded companies’ internal audit departments work for the CFO. “That’s a problem,” said Chambers. “It’s not necessarily prohibited, but there’s a perception issue of how can internal audit be objective. Even if it is objective, how can a third party assume they’re objective if they're focusing on risk and controls that are under the direct responsibility of the person they’re working for? That's not even the biggest issue. What we've seen in the past is when internal audit works for the CFO, the CFO often has them working more in their area of responsibility. We’ve seen that internal audit that works for a CFO is going to spend much more time on average looking at Sarbanes-Oxley controls, and in reality those may not be the biggest risks for the company. But if they’re the biggest risk for your boss, then you tend to go there. That’s another issue that I think this report exposed a little bit and we’ll probably be talking and commenting more about it in the coming weeks.”
The 2019 report, “North American Pulse of Internal Audit: Defining Alignment in a Dynamic Risk Landscape,” can be downloaded from the IIA Audit Executive Center’s (AEC) website. A presentation of the findings and analysis will be provided to AEC members just ahead of the IIA General Audit Management conference in Dallas-Fort Worth on March 11-13.