In my past blogs, I have talked about the rapid pace of change and disruption. When discussing the top risks other auditors are addressing, it is an entirely natural reaction to feel uncomfortable addressing some of those topics. No one can be an expert on every topic. To help you navigate the second half of 2021, I want to point you in the direction of a few resources that could equip you to tackle the risks in the report I created with AuditBoard on Internal Audit’s Top 7 Risks for the Remainder of 2021. These resources from a variety of sources provide detail about the risk topics that should be on your radar and will undoubtedly stimulate your thought process as you continuously update your internal audit plan for the remainder of 2021 and begin to hammer out your initial plan for 2022.
1. Cybersecurity
We have been dealing with cybersecurity issues for many years, but the COVID-19 pandemic exposed cyber vulnerabilities most organizations did not anticipate. As pointed out in The Risky Six, a whitepaper I co-authored with colleagues from The IIA and EY, “The pandemic didn’t create new vulnerabilities; it simply brought existing ones to light,” like those associated with a global workforce attempting to work from home.
The Risky Six provides a timely six-step tool to guide conversations with board members and senior management through the complexities of cybersecurity control. The paper then goes into greater detail about each of the risks that led to the six questions. Since a cybersecurity control environment relies on a series of complementary controls, your evaluation should thoroughly address all six of the questions presented.
2. Data Privacy/Protection
Data is one of the most valuable assets an organization owns, so protecting this asset is critical. Even beyond the obvious need to protect the data for competitive advantage, international regulations require companies to protect their customers’ data from exposure. Amazon was recently fined $886 million for alleged noncompliance with GDPR, a data privacy regulation. An article from ISACA titled IS Audit Basics: Auditing Data Privacy provides a practical framework for performing a data privacy audit.
Similar to The Risky Six, IS Audit Basics lists a series of questions for auditors to consider when evaluating data privacy risks. Each question relates to the privacy principles ISACA included in the commercially available Privacy Principles and Program Management Guide. The responses to the questions help the audit team develop a risk-based audit plan for reviewing data privacy.
3. Third-party Risk Management
Third-party risk management is not a familiar area for most internal auditors. Luckily, The IIA has created a practice guide for its members on Auditing Third-Party Risk Management. The resource is comprehensive and covers the entire third-party lifecycle from sourcing to contract termination.
A beneficial element within the practice guide is the set of “Audit Considerations” sprinkled throughout the document. For example, one of these tips advises auditors to “be wary of contracts that auto-renew” since “the timing of auto-renew and termination notice periods may conflict or not match.” These best practices can make the difference between a cursory process review and a value-added audit.
4. Economic Conditions
Economic conditions are currently rated as a top risk, but this concept is too high level for performing an audit. The economy encompasses market fluctuations, inflation, recession, talent shortages, increased competition, and a list of other factors. Of these factors, cost management is one of the more definable risks, and one of the more common areas auditors are asked to review — particularly when there is pressure on the bottom line.
A good resource for more information on cost management is a blog from Internal Audit 360 titled How Internal Audit Can Strengthen Cost Management. One of the most interesting tips in the blog is to audit the quality and availability of the data analysis managers use to make decisions about budgeting and spending. The article also suggests reviewing the procurement process, which ties back into the third-party risk described above.
5. Regulatory Changes
Generally speaking, we have no shortage of information about how audit can assess compliance risks. Regulatory compliance impacts nearly every organization, which is why audit plans inevitably must include assurance over compliance risks.
The paper Compliance Risk Assessments, from Deloitte, is a useful resource for assessing compliance risks and a great starting point for internal auditors in industries facing regulatory scrutiny. The writers provide guidance on developing a cross-functional approach to compliance risk assessment that includes internal audit, ERM, and compliance. One section of the paper includes nine leading practices to apply if you are interested in creating a world-class compliance risk assessment.
6. Talent Management
Talent management is a common denominator for organizations in every industry and sector. Nearly all organizations engage in hiring, developing, and terminating employees. Since the pandemic started, it is harder to find qualified talent and even more challenging to manage a distributed workforce. Risks associated with talent management also impact internal audit departments directly as we struggle to staff our teams with high-quality auditors.
KPMG published an excellent, comprehensive view of risks titled 20 Key Risks to Consider by Internal Audit Before 2020. While this resource is valuable for internal auditors as they tackle a variety of risks, I found the discussion on auditing talent management risks (#11 of 20) to be particularly useful for those internal auditors approaching the topic for the first time. The paper includes seven different assessments internal audit can perform in assessing the effectiveness of talent risk management. As I mentioned, internal auditors also face this risk directly. To get ahead of this threat, AuditBoard’s article on Winning the Talent War explains five changes we can make to our audit departments to minimize the impact of talent risk.
7. Business Continuity/Crisis Response
Early in the pandemic, business continuity rocketed to the top of the risk rankings. Organizations scrambled to create long-term, work-from-home models that addressed business needs, regulatory requirements, and cybersecurity concerns.
The IIA created for its members a Business Continuity Management practice guide to assess our organizations’ business continuity plans. A key highlight of the practice guide is a section on internal audit’s role before, during, and after a crisis. Considering the constant barrage of crises we currently face, this resource should be considered required reading for all internal auditors.
It is essential to note the connections between each of these risks. We can even play out a scenario that incorporates all seven risks. While operating during the pandemic, your business continuity plan mandated that employees work remotely. Due to the COVID-induced recession, your organization had to implement cost-cutting measures. Unfortunately, not all of the employees are receiving consistent training on your policies and procedures. The combination of tense economic conditions and inconsistent expectations increases pressure to choose a low-cost vendor. Onboarding a third party with a flawed control environment could lead to data exposure through a cyber breach. Exposing customer or employee data makes you liable under a regulation such as GDPR. The resulting fines, bad press, and loss of customers deepen the economic pressure even more, and the cycle continues.
The seven risks I addressed in this article may not apply to every organization. Given the rapid pace of change, these may not be the risks we face next year. I want you to take away that there are a multitude of resources to help you navigate unfamiliar risk topics. As you plan for the near future, the resources described above will better prepare you to tackle the most urgent risks facing your organization.
For a deeper dive into the top seven risks with actions internal auditors can take to help organizations confront these risks strategically and effectively, download the full report, Internal Audit’s Top 7 Risks for the Remainder of 2021.
Richard Chambers, CIA, CRMA, CFE, CGAP, is the CEO of Richard F. Chambers & Associates, a global advisory firm for internal audit professionals, and also serves as Senior Internal Audit Advisor at AuditBoard. Previously, he served for over a decade as the president and CEO of The Institute of Internal Auditors (IIA). Connect with Richard on LinkedIn.