
2021 Internal Audit Hotspots and Focus Areas
Author: Oupa Mokgoantle [IAT (AAI), CISA, CRISC & CGEIT (ISACA)]
The global COVID-19 pandemic (GCP) has without a doubt defined 2020 and significantly altered the risk landscape. While a “known risk”, the GCP was a surprise event of global magnitude, with many unexpected consequences. This event has, however, provided internal auditors with an unusual opportunity to adapt quickly to these rapid changes and help their organisations make sense of the significantly changing risk landscape. 1
As we enter more waves of COVID-19, internal auditors should take a strategic and proactive approach to steering their organisations through this continuously evolving risk and control landscape by providing key assurance and value-adding advice to senior management and the boards. 2
As reported in The Bulletin, Protiviti’s Review of Corporate Governance, Vol 7, Issue 9, with 2020 a not-to-be-forgotten memory, board members should be ready for any surprises that may lie ahead in 2021. The global COVID-19 pandemic has laid bare many non-resilient systems. Resilience is no longer hypothetical; it is essential. The path forward has never been clearer for board members. Accordingly, they must plan and balance organisational efficiency with resilience and agility in 2021 and beyond. 3
The author has conducted a research study across the web, covering each of the Professional Services Firms (e.g., KPMG & Deloitte) and Thought Leadership sites [e.g., International Institute of Auditors (IIA) & Protiviti], and attended webinars and roundtables conducted by Industry Experts (e.g., Gartner and Wolters Kluwer), to find out what they all consider to be the top risks and focus areas for internal auditors in 2021.
1 KPMG – COVID-19: Enhancing Internal Audit Effectiveness (A practical guide for agile internal audit)
2 Deloitte – Internal Audit Considerations in Response to COVID-19 (Navigating change: an unprecedented challenge)
3 The Bulletin – Protiviti’s Review of Corporate Governance, Vol 7, Issue 9
In this article, the author shares with you the outcome of this study. The risks described below should be regarded as universally relevant, regardless of an organisation’s size, industry, complexity, or type. However, the list below does not cover all the significant risks in every organisation and industry. 4
They are:
· Employee well-being (work-life convergence) and Talent Management: Additional waves of global COVID-19 handicap recovery and return-to-work plans and create dynamic labour conditions, while digitalisation (incl., tech-savvy Millennials and Gen Z-ers) redefines the future of work, including the integration of employee well-being (incl., employee burnout) into the design of work. This risk evaluates the challenges that organisations face in keeping their employees safe and informed, and in identifying, acquiring, upskilling, and retaining the right talent to achieve their objectives.
· Cybersecurity and Data Privacy: The COVID-19 pandemic, remote working and the POPIA hard compliance deadline of 1 July 2021 have heightened cybersecurity and business interruption risks and regulatory compliance fears. The growing sophistication and variety of cyberattacks continue to disrupt organisations’ brands and reputations, often resulting in disastrous financial impacts. This risk examines whether organisations are sufficiently prepared to manage cyber threats that may cause business disruption and reputational harm.
· Bribery, Corruption, Fraud (and other Financial Crimes): Fraud, bribery and corruption tend to thrive in chaos. The COVID-19 pandemic has made the business world a breeding ground for a range of risks, with vulnerabilities seeping across several industries. A large factor is increased pressure on organisations and their employees as they struggle to meet the challenges of a declining economy. Budget cuts also impact the organisation’s ability to implement a comprehensive anti-fraud program effectively. This risk examines the pandemic’s ill effects on organisations.
· Business and Operational (incl., IT) Resilience: Organisations face significant existential challenges, from cyber breaches and pandemics to reputational scandals and succession planning. This risk examines organisations’ ability and capability to prepare, react, respond, and recover.
· Third-party Management: For an organisation to be successful, it must maintain healthy and fruitful relationships with its external business partnerships and vendors. This risk examines organisations’ ability and capability to select and monitor third-party relationships, including supply chain capabilities and vendor solvency.
4 IIA OnRisk – A Guide to Understanding, Aligning, and Optimizing Risk (2021)
· Risk Culture and Decision Making: As regulators, investors, and the public demand stronger board oversight, boards place greater reliance on the information they are provided for decision-making purposes. This risk examines whether the boards feel confident that they are receiving complete, timely, transparent, accurate, and relevant information.
· Climate Change and Environmental Sustainability (the next crisis?): The growth of environmental, social, and governance (ESG) awareness increasingly influences organisational decision-making. This risk examines organisations’ ability and capability to establish strategies to address long-term sustainability issues and challenges.
· IT Strategy and Governance: With the increasing prevalence of technology and, most importantly, the digitalisation of business operations, the requirement for a strong link between information technology and business strategy is vital. This risk examines controls implemented over IT strategic alignment, resource utilisation (incl., IT value delivery), IT risk and performance measurement.
· Digitalisation and Intelligent Automation: COVID-19 will likely spark a period of innovation and market disruption, fuelled by accelerated adoption of technology, and possibly leading to regulatory changes. This risk examines whether organisations are prepared to adapt to and/or capitalize on disruption.
· Economic and Political Volatility: National elections, multinational trade agreements, new or extended protectionary tariffs, and uncertainty around the timing of routine macroeconomic cycles all create volatility in the markets in which organisations operate. This risk examines the challenges and uncertainties organisations face in a dynamic and potentially volatile economic and political environment.
· Financial (incl., budget cut & cost-saving), Capital and Liquidity Risk: This risk examines the organisation’s ability to remain solvent as the world enters a recession. Amid depressed demand, financial, capital and liquidity risks have jumped up the board’s agenda.
· Data Management and Governance: Organisations’ reliance on data is expanding exponentially, complicated by advances in technology and changes in regulations. This risk examines organisations’ overall strategic management of data: its collection, use, storage, security, and disposition.
· Supply chain risk and disruption: The global COVID-19 pandemic has added to existing pressures to rethink supply chains, which in recent decades have become increasingly global and complex. This risk examines an increase in the severity of business disruptions due to reduced stock levels and increased reliance on fewer suppliers and IT vendors.
As the risk landscape continues to evolve in 2021, internal auditors can no longer rely on traditional, monolithic audit approaches. Today’s dynamic environment demands new thinking, new skills, and new capabilities. To address these changes successfully, the keys to this new era include not only proactive communication among internal and external stakeholders, but also continued collaboration, along with tools that support a more iterative (agile and dynamic) approach so that audit engagements can adjust as needed to deliver as expected. 5
Outlined below are some of the recommendations aimed at addressing the impacts of the global COVID-19 pandemic in your 2020/2021 Internal Audit Plans. They should be considered, in part or in whole, while keeping in mind the specific circumstances of your organisation and the industry type.
· Improve assurance by increasing the focus on the altered risk and control landscape: By evolving to become more data-enabled, the internal audit function will be able to provide internal and external stakeholders with relevant, timely and impactful results on the effectiveness of risk management and controls.
· Make internal audit more efficient: Internal auditors should drive towards data- and technology-enabled audit processes, to deliver increased efficiency and quality risk assurance.
· Provide deeper and more valuable insights from internal audit’s activities and processes: The internal audit function should assist the business in making better decisions, not only by managing and controlling the current risks but also by illuminating the risks and unforeseen consequences inherent in its long-term digital transformation and growth strategies.
· Identify and prioritise which backlogged audits still need to be completed: In the wake of the pandemic’s onset, many internal audit functions were requested to put prescheduled audit activities on the back burner due to rapidly changing priorities and redeployed resources.
· Assess resource capacity and competencies: The right skills, capabilities and capacity are essential in ensuring that you can provide assurance on risks that are changing at an increasing velocity. Resources have been put to the test during the global COVID-19 crisis. There are instances where internal audit staff were moved to the first line to provide support with global COVID-19 response and customer service activities, thereby contributing to delays in prescheduled audit work. Staff retrenchments have also impacted internal audit functions.
5 Protiviti: Returning Internal Audit to ‘Business as Usual’ in a New World
Finally, while Employee Appreciation Day is in March of every year, showing your gratitude to employees all year round is important, especially during these stressful and uncertain days amid the global coronavirus pandemic. Employers should encourage their employees to catch up on family time and to recharge and reflect, promote a flexible work environment when possible, and make sure to establish frequent touchpoints with co-workers, both as a team and individually.
About the Author
Oupa Mokgoantle [IAT (AAI), CISA, CRISC & CGEIT (ISACA)]
Oupa Mokgoantle is the Head of Risk Assurance and Advisory Services (RAAS) and Chief Information Officer (CIO) at The Shard. Oupa is also an active volunteer in support of the information technology, governance, internal auditing, and accounting professions.
References:
Institute of Internal Auditors (IIA), (2020). OnRisk - A Guide to Understanding, Aligning and Optimizing Risk (2021). Lake Mary, Fla, United States of America.
Deloitte (UK), (2020). Internal Audit Considerations in Response to COVID-19 (Navigating change: an unprecedented challenge). London, England & Wales, United Kingdom.
Craze, R. (KPMG) (2020, June 18). COVID-19: Enhancing internal audit effectiveness (A practical guide for agile internal audit). Brisbane, Australia.
Protiviti. (2020). Setting the 2021 Audit Committee Agen. Toronto, Canada.
Protiviti. (2021, January 01). protiviti.com. Retrieved from www.protiviti.com: https://www.protiviti.com/ZA-en/insights/whitepaper-returning-internal-audit-businessusual-new-world