Organisations must have one eye on the present and the other on new threats and opportunities, however Internal Audit can help get them on the front foot.
Organisations are continually facing new pressures, with sector disruption, cyber attacks, conduct risk and fraud among the most potentially damaging. The last decade is littered with examples of companies that failed to prepare for these and other emerging risks – such as photography giant Kodak which folded thanks to its inability to adapt to digitisation, and communications company WorldCom which disintegrated to bankruptcy due to fraud. Internal Audit can serve as a line of defence, helping companies to understand emerging risks and to ensure control mechanisms are in place to help mitigate them.
Emerging risks can arise from many sources – economic or demographic shifts, changes in the competitor landscape, technology advances or customer preferences, for example, internal audit can create a conversation around assuring the organisation is aware of, and responding to, those emerging risks.
It can be surprising how little time leadership have available to spend focusing on emerging risks and controls.
There is often an awareness of emerging issues – but simultaneously a tendency on the part of senior management to assume everything is OK, that risks such as fraud or cyber-attacks won’t happen to us, and that the controls are effective and will prevent these future risks from materialising.
Internal Audit is most beneficial if it broadly considers future risks from a macroeconomic viewpoint. Internal audit can consider where the organisation sits in its competitive environment, its markets, customers, or supplier alliances. It can delve into the organisation’s strategy in view of the macroeconomic changes and trends, and link these trends back to management frameworks. KPMG uses an approach called Dynamic Risk Assessment (DRA) for this purpose.
Traditional risk analysis is done on a two-dimensional basis – looking at likelihood and impact of each risk individually, but with DRA, we can recognise that when things go wrong it is not normally your top rated risks followed by the second and the third items sequentially – but something could happen to impact risk 14 that impacts risks 12, five and one all at the same time.
DRA aims to prove interconnectivity among risks. This visibility can help management put in place ways to mitigate the risks collectively, rather than just dealing with one risk on its own. Smout says the importance of this approach is evidenced by the shorter lifespan of companies today compared to previous eras, when corporates often operated for 50 to 70 years.
Now, a lot of the company’s lifecycles are less than 10 years. The average age of a US listed company is about 8 years. Look at Google and Amazon – they are now among the biggest businesses by market capitalisation and they didn’t exist 10 years ago.
In addition to risks from far and wide, it is vital to recognise that a lot of risk, particularly fraud or cybercrime, is often perpetrated by existing employees or other ‘insiders’. Therefore, when analysing risk, Internal audit must consider an organisation’s culture, its people and their potential for misconduct.
With rapidly developing technology, many forms of misconduct are easier and quicker to engage in. However, technology can and should play an increasing role in prevention and detection.
Internal fraud can often come from well-liked, long term and well-connected employees that are deeply ingrained in processes, and therefore can identify and seize opportunity.
They understand the unique controls and can therefore find ways to operate around them.
People often commit fraud when they become disgruntled, perhaps due to emerging changes that could impact their career progression, or a lack of financial reward. If they intend to commit fraud, they will find a loophole and will often self-justify their actions.
Areas more vulnerable to fraud, especially those where collusion can exist, such as contracting and procurement environments, need to be closely monitored.
In addition to helping organisations be alert to internal risk, a key part of the detection process is to ensure there are safe options for whistle-blowers who wish to report on issues that they witness. If they saw misconduct happening, would they recognise it and do they know what the reporting channels are?
Exploring aspects of psychology could also help internal audit to mitigate internal risk, Gill says. The KPMG Australia Forensic unit is engaging in research into the psychology of a fraudster to see what insights it can yield.
We can consider, why do certain people behave so badly in organisations and commit fraud or engage in other forms of misconduct? What makes them tick? Wouldn’t it be useful to know the propensity for someone to commit fraud before you employ them? It doesn’t mean you wouldn’t employ them, but if you were aware of the risk you could manage it better.
When it comes to preparing for emerging risk, financial services companies are generally in a good position, while less-regulated sectors are somewhat behind.
In some sectors, organisations are just starting to look at this. Some corporates aren’t looking at all.
If organisations aren’t considering emerging risks for at least 3 to 5 years ahead, their chances of long-term success are minimised. When you look up, it is too late, you have hit the wall.