For the last 11 years, I have paused at the end of each year to recognize events that impacted the internal audit profession. At AuditBoard’s invitation, I will continue that tradition starting with the headlines from 2021 that defined the year for internal audit.
As the second year of the COVID-19 pandemic draws to a close it is a sobering thought to realize that 263 million have contracted the virus, and the world has lost over 5 million people to this once-in-a-century airborne pandemic. Every time we think we have seen a light at the end of the tunnel, we instead see a new variant develop from a different region of the world. While the evolving virus kept us on our toes, COVID-19 was not the only event that impacted our profession in the past year, but it was the catalyst for several derivative risks that yet again caught us off guard.
As we look back over the past year, these are the headlines I think influenced internal auditors’ focus in 2021.
The continual rise and fall of new variants have schooled us on risk volatility. The omicron variant was first detected in South Africa, and within one week, it was detected in more than 20 countries. Borders were closed, quarantines announced, and financial markets disrupted. Take heed as a profession, and recognize that this is the new normal. It does not take a great deal of skill to predict that another highly transmissible, more deadly variation of the virus is likely to affect the world in 2022.
The scope of issues we have experienced from COVID-19 was only the start as this primary risk has given birth to risks in other areas. COVID is unique in that regard — every time we collectively have gotten arms part way around it, it evades our ability to contain it and creates secondary and tertiary risks.
At the pandemic’s start, we saw global shortages of specific products. Cleaning products, hand sanitizers, and toilet paper disappeared from shelves in stores worldwide. It took a long time for panic buying to calm and supply levels to normalize, but supply chains were hit harder in 2021 when lockdowns were lifted and demand skyrocketed. Suppliers could not keep up with requests, especially those in developing nations struggling through labor shortages with sick employees unable to work. Now we have entered uncharted territory with supply chain disruptions reaching an unprecedented level in highly developed nations that cannot unload supply ships fast enough.
Internal auditors should partner with risk management to understand and assess the supply chain management process and how it impacts your organization. Understanding the risks in your supply chain will give management the chance to make critical business decisions to plan for shifts in product availability, react to logistical changes, and avoid bottlenecks that could stretch your supply chain to the breaking point.
During the COVID-19 pandemic, we saw multiple challenges to a record decline in employment: jobs lost during the lockdown, work/school from home, and the great resignation. Each of these events impacted organizations and the overall economy.
In the US, the unemployment rate shot up from 3.5% (Feb 2020) to 14.8% (April 2020). Interestingly, in 2021 the unemployment numbers have improved, but many people who lost their jobs have decided not to return to work. For some, the challenges of having children home all day trying to attend school online have made it impossible to return to working outside of the home or leading to burnout when attempting to work and parent at the same time. This scenario hit lower-wage earners, women, and minorities the hardest. Some people could not return to work, and some decided to retire early. For others, working from home or losing their job allowed them to reconsider the type of work they were engaged in before the pandemic. They enjoyed the change of pace and flexibility that came from working from home.
Whatever the underlying factors driving their decision, many workers have joined in the exodus from their jobs in what is now dubbed “the great resignation.”
As internal auditors, the great resignation impacts us in two ways. First, internal auditors (as employees) have had to change how we work. Many of us worked in offices or traveled to different sites for fieldwork. Our work changed, some departments were dissolved, and we had to balance work and home life just like everyone else. On the other hand, we address the great resignation as a risk to our organizations. We have had to monitor changes as senior managers, process owners, control owners, and others left their positions, adding stress and creating risks in the control environment.
Inflation is a word we generally associate with emerging markets, not developed nations, but several factors have contributed to global inflation in the past year.
- Ongoing supply chain issues have led to decreased supply during a period of increased demand
- Stimulus money is being pumped into the economy
- Labor shortages are contributing to decreased output
- Wage increases to retain or attract talent
With these factors in mind, we see prices increase as companies adjust costs to offset their internal expense increases.
Auditing in a time of inflation is not a topic most internal auditors are comfortable discussing. The last significant inflationary periods in the US were in the 1970s and 80s. We can draw a parallel with auditing during a recession, but the risks and controls may be somewhat different. During inflation, organizations can quickly lose control of expenses, overcorrect in pricing for goods or services, damage their reputation when addressing cost increases, or make incorrect decisions with employee layoffs. As someone who served as an internal auditor during periods of high inflation, I can’t emphasize enough the value a strong internal audit function can be.
Ransomware attacks are happening so often that an entire industry has formed around how to respond when it occurs. Recent years have seen a rise in attacks on high-profile targets like hospitals and government agencies, but in 2021 the list of targets included infrastructure. In particular, the Colonial Pipeline that brings gasoline to the southeastern US was attacked in May. The announcement of the attack led to panic buying, fuel shortages, and price spikes along the east coast.
Colonial Pipeline paid a $5 million ransom to the hackers. When testifying before Congress, the head of the company explained that hackers could exploit the company’s network through a single password. The password was tied to a legacy VPN account with a single-factor authentication.
Internal audit has been on high alert related to cyber security for several years now, but incidents like Colonial Pipeline are constant reminders not to let your guard down. Cybersecurity guidance is being published and refreshed from multiple sources, with regulators and external auditors holding management accountable for resilience in their networks. We have every reason to expect cybersecurity to remain a hot topic within the internal audit community, with more resources dedicated to addressing this risk to come.
Corporate fraud and scandals brought down major companies and an external auditing firm in the US-led creation of the Sarbanes-Oxley (SOX) Act nearly 20 years ago. Now the UK is contemplating steps to implement regulations similar to SOX. The Department for Business, Energy & Industrial Strategy (BEIS) has issued a white paper titled Restoring trust in audit and corporate governance to socialize the intent to establish the regulation and solicit feedback from those impacted. The publication emphasizes how risk and control failures in publicly traded companies have undermined faith in corporate oversight and how critical our economic systems are to restoring trust in capital markets.
Scandals at companies such as Wirecard (Germany), Carillion (UK), and Steinhoff (South Africa) continue to raise alarms for internal auditors. Our role is critical in ensuring trust in both the companies we work for and in capital markets as a whole. Much of the corrosion of trust has been directed at external audits as they are implicated in scandals or when they missed red flags. We should remain diligent and heed these cases so we are not painted with the same brush.
Top Headlines — and Risks — Are All Connected
The pandemic led to the great resignation that exacerbated supply chain chaos, and the supply chain issues contributed to inflation. Fraudulent actions by hackers launching ransomware and corporations committing financial misstatement pushed regulators to scrutinize organizations and enforce requirements to act in ways that build public trust in their operations.
The headlines addressed in this article should stay top of mind as we launch into 2022. As Winston Churchill said: “those that fail to learn from history are doomed to repeat it.” We must not not fall into that trap. Leverage the headlines discussed in your 2022 risk assessment and bring these up in conversation with senior management. Next year is undoubtedly going to continue the chaotic emergence of new risks. Next month I will share Internal Audit Resolutions for 2022 to leverage the lessons from 2021 and help you prepare for what’s to come.