Rajat Mohan, Swati Ghoshal
Traditionally, IA function has mostly focused on topics related to compliance and internal control systems wherein the Key role of the Internal Auditors has been of providing core assurance over business process risk & controls. Providing insights & adding value on the key risks of an organization has generally not been a key priority of IA. But with the advancement of the world towards the fourth industrial revolution era with new technologies, digitalization & artificial intelligence catalyzed by the recent unprecedented crisis challenges like the global pandemic, the global business landscape is changing dramatically. This in turn is compelling the organizations to adapt to & drive into an increasingly technology-driven, innovation-oriented, complex & highly uncertain business environment model.
The evolution of a new generation Internal Audit Function to adopt a new generation internal audit mindset is being emphasized, encouraged & advocated among the Internal Audit Communities since the last couple of years which has now become ‘need of the hour’ for the Internal Auditors so as to confidently embrace the wave of transformation & innovation underway in the organizations & the overall market.
An effective risk-based IA plan is one of the most important components for determining the Internal Auditor’s success as a value-adding and strategic business partner. The Institute of Internal Auditors (IIA) Standard ‘2010 – Planning’ document emphasizes the Chief Audit Executive’s role in establishing a risk-based plan to ascertain the priorities of the internal audit activity & aligning the same with the organization’s goals.
The New generation IA function should understand the organization’s key risks and proactively identify emerging risks in order to add value to the organization. This enables IA to help the organization in allocating its resources efficiently and effectively to mitigate risks and thereby playing an insightful key role in the overall strategy development process.
As per the IIA Strategic Framework, IIA vision 2030 envisages a vision for the profession wherein the ‘Internal Audit professionals are universally recognized as indispensable to effective governance, risk management & control.’
Based on the recent surveys on this line, this Article highlights at a broader level, the Top 4 categories of Key Risks that IA should consider in the development of their upcoming strategic audit plans & also how they can contribute throughout the process & enhance their role as a strategic and value-adding business partner within the organization.
Snapshot of Key Risk areas & IA Role therein
1) Technology advancements, innovations & disruptions:
COVID-19 is accelerating the digital transformation of almost every business sector. Businesses know they must rapidly innovate, take advantage of new digital tools, and leverage cloud services to emerge from the crisis sooner than their competitors with momentum for the major futuristic transformation of their business in the altered global economic landscape. This innovation has a lot of positive points to its credit but as this rapid, unplanned digitization spreads its roots deeper, it also increases the risk and impact of cyber-attacks.
The World Economic Forum’s COVID-19 Risks Outlook found 50% of enterprises were concerned about increased cyber-attacks due to a shift in work patterns alone. Hasty and unplanned decisions related to digital transformations are very likely to add to the existing cybersecurity issues. This huge scale unplanned digitization supported by flexible but relatively immature business models and operations is causing quite a bit of challenge for global security.
2) Business Continuity & Crisis Response (including COVID 19 Crisis):
The purpose of a business continuity plan is to ensure that the business is ready to survive a critical incident. It permits an instantaneous response to the crisis so as to shorten recovery time and mitigate the impact. This pandemic has conferred an unprecedented “critical incident” for the globe. With unknown reach and period, worldwide implications, and no base for accurate projections, we are very much into unchartered territories.
Many organizations used to develop a disaster recovery plan and business continuity procedure that was rarely put to the test in a real crisis situation. With the arrival of newer risks e.g. cyber-attacks, data transfer confidentiality issues struggle with maintaining supply levels, workforce management, physical losses, operational disruptions, change of marketing platforms, increased volatility and interdependency of the global economy, etc. the traditionally accepted Business Continuity & Crisis Management Models are getting continuously & constructively challenged rapidly.
Therefore, organizations need adequate planning resulting in immediate response, better decision-making, maximum recovery, effective communications, and sound contingency plans for various scenarios that may suddenly arise.
3) Complex & Uncertain Regulatory Change & Compliance:
Regulatory risk is the risk that a company or industry or any organization will face due to change in regulations or legislation. Companies must abide by regulations set by the concerned governing bodies. Therefore, any modification in rules & regulations can cause a considerable impact across industry.
Regulations may increase costs of operations, introduce legal and administrative roadblocks, and sometimes can even sometimes put business restrictions on organizations. For example, Tax policy reforms can affect the bottom line for businesses and individual investors alike. Any change in income tax law directly affects the financial status of the respective parties and poses a new regulatory risk. Changes in international trade policies might have a substantial impact on companies that regularly export and import goods. They may also affect investors that engage in foreign direct investments.
In an increasingly regulated world & with the continuously evolving governance, risk management, and compliance (GRC) landscape, organizations are facing greater scrutiny than ever and in the upcoming years, the focus on compliance is anticipated to continuously increase.
The threat posed to an organization’s financial, operational, or reputational credentials due to any violation of law, rules & regulations, organizational policies & procedures, codes of conduct, etc. is referred to as Compliance Risk. Companies across all industries are continuously diving through numerous regulatory requirements, stakeholder expectations, and business model changes. Improved Regulatory Compliance leads to create robust Corporate Governance
4) Third-Party Relationship Management Risks:
In order to support fast-growing multidimensional business expansion models & rapid boosting of productivity and efficiency, organizations are increasingly relying on third parties to carry out their various business functions. For instance, Shared Service Centers (SSC) has grown exponentially in the past decades. The major benefit of these delegations is that the organizations are able to concentrate better on their key activities and optimize costs without compromising the effectiveness and efficiency of their internal processes. However, third-party relationships have a high probability of exposing organizations to new risks and potential compliance failures that may result in lawsuits, fines, or reputational damage. Such compliance failures may arise due to:
- Due to the increasingly customized, voluminous, and variety of services being outsourced, the complexity of outsourcing or third-party agreements may be challenging to manage.
- Granting the third parties accesses to organization networks further enhances the chances for data security breaches.
- Third parties may operate in areas of uncertainty & criticality broadening the nature of risks that the organization is exposed to.
As risks grow and become increasingly complex, internal audit’s role is anticipated to expand in areas like risk governance, sustainability, cultural & environmental impact considerations and other non-financial measures. Stakeholder recognition of the importance of internal audit has also been on a rising trend. As a result, the expectations of internal audit with respect to risk assurance and the provision of insights continue to increase in lock-step. The challenge for the internal audit department, today, is to seize this unprecedented opportunity to establish & enhance its value proposition and position itself as a critical element in the overall governance ecosystem.
Rajat Mohan is Senior Partner and Swati Ghoshal is Partner at AMRG & Associates. Views expressed are the authors’ personal.