• Luka Zupan, Partner |

This four-part blog discusses the major questions that an Internal Audit function (IA) should address as the global COVID-19 situation continues to challenge the corporate world. It is separated into four distinctive parts: (1) the future positioning of IA function in an altered environment (i.e. operating model), (2) with what sort of people an IA should perform its assignments (i.e. talent management), (3) what sort of risks could be relevant in the coming two to four years and (4) how Internal Audit’s own processes need to be adjusted (i.e. execution).

While we addressed the question of impact and people in the first two blogs we examine the relevance as to the questions of key risks in this entry.

Perception of key and emerging risks

Before addressing potential risks that could matter to an organization in the coming 6 to 12 months, we should first emphasize that in the end, it is always the professional judgment of board committees, executive management and the assurance functions (i.e. 2nd and 3rd line of defense) that define what should be considered key and what not.

This article observes common trends regarding the perception of key risks. However, each organization has its own specific priorities, organizational culture, governance maturity, etc.

Secondly, the term “emerging risks” should be understood as circumstances:
 

  • that are developing (or already existing),
  • which could have a significant impact on the business and the organization,
  • that could result in material losses (i.e. damages, fatalities, shortfalls, etc.),
  • that are difficult to identify, assess or track
  • that, due to the high level of uncertainty, are ambiguous and vague regarding the underlying information and therefore lack transparency.

Thus, while emerging risks are difficult to identify, they are even more demanding to assess, which makes it all the more challenging for an Internal Audit (IA) function to effectively address them as part of their assurance mandate.

While we have come up with some examples of emerging risks which we observe in practice, this outline should be treated as food for thought and not considered as a complete or exhaustive list. Naturally, the individual circumstances of an organization may provide a completely different picture regarding the risk situation.

Also, our outline focuses on emerging risks that could arise from the lockdown/extended home-office regime with a relatively short-term focus. For long-term risks, i.e. those that will affect organizations over the coming 12-24 months and for a general assessment of relevant topics / risks for the year 2021, a good reference is the current KPMG publication, "Internal Audit: Key Risk Areas 2021" that addresses topics such as business resilience, talent management, third party management, CSR, digitalization or data management.
The list below shows the potential risks and the possible tasks that may arise for IA. We structured the list according to the following categories:
 

  • Finance & Reporting
  • Governance
  • Performance and Process Excellence
  • Information Technology

Finance & Reporting

This section addresses key questions and risks, which the current circumstances had on the financials of organization and the related reporting procedures. It should be noted that below outline is in no way comprehensive and especially does not address risks around regulatory requirements, GAAP standards of other financial statement auditing criteria that may need to be considered. For those aspects, we strongly recommend aligning auditing activities between the internal and external audit function in order to avoid the duplication of work.

Potential Risk
 Potential Assurance and Consulting tasks (non-exhaustive)
  • Budgeting: budgets and plans for upcoming quarters may include many uncertainties, ambiguities, budgetary gaps (e.g. built-in cushions) or targets that may be too stretched.

  • The computation process may be inadequate (e.g. erroneous selection of key drivers or models, wrong assumptions), incomplete (not coordinated with other plans, e.g. liquidity, production, etc.) or unaligned with the performance goals (e.g. underestimated revenues, overestimated expenses)

  • Rolling forecasts could be compiled erroneously, incompletely or do not include the right assumptions
  • Provide independent assurance of the computation process for budgets and forecasts, i.e. review whether
    • Control design to validate numbers is effective and properly executed,
    • Targets are aligned with those of the organization’s management and oversight committees (e.g. excessive expectations vs. low-balling, etc.)
    • Applied models have been validated for accuracy of used formulas and calculations
    • Budgets reflect the organization’s potentially adjusted short to mid-term strategic objectives
  • Review budgeting methodology and assess whether the used methods are adequate for the organization’s current situation (e.g. incremental budgeting vs. zero-based-budgeting vs. ABC-budgeting, etc.)
  • Provide assurance of interim forecasts and assess whether assumptions and going-forward indicators realistically reflect organization’s business situation
  • Assess whether overall budget is fully aligned and validated with sub-budgets, i.e. liquidity and financial planning, production and related procurement planning, staffing, etc.
  • Internal Control System: design and effectiveness of ICS/COSO-framework may no longer be fully aligned to the current modus operandi due to imposed lockdown/extended home-office regime/Covid-19 precautionary measures;

  • Processes and procedures may have been adjusted while control design remains in legacy mode, resulting in governance and control standards annulled or new emerging risks not effectively covered.
  • Advise on identifying, assessing or validating the impact of emerging risks arising from the amended modus operandi, such as:
    • furlough process and compliance with governmental support rules,
    • short-term workflows, user access and SoD adjustments,
    • impact of home-office regime on governance frameworks,
    • diffusion and access to personal or confidential data and compliance with local GDPR guidelines,
    • procedures around budgeting and forecast accuracy
    • global/group-wide enforcement of COVID-19 measures
  • Verify control environment awareness within organization using soft control assessment methods
  • Conduct extended control testing (aligned with external audit) to assess control effectiveness as well as potential workarounds and related compensating controls (i.e. control activities around approvals, authorizations, verifications, reviews)
  • Support design and implementation of continuous auditing and monitoring activities using know-how and experience from past audits (use risk/impact/materiality measures to assess which processes should be considered most)
  • Expense compliance: there may be a lack of automated tools for expense registration, review and approval as well as continuing home-office regime resulting in control design failures regarding expense assurance.

  • Existence, completeness, documentation, SoD and approval of expense claims may be ineffective
  • Support Accounting / HR / Controlling in their development of automated procedures to register, document, review and approve expense claims (incl. alignment with expense policies and regimes) and reducing physical paper trail (i.e. replacing these with online tools).
  • Conduct extended, longitudinal designed expense reviews, taking especially into consideration reduced needs for travelling, extended home-office regime as well as more sophisticated review and approval cycles

Governance

Governance addresses key questions concerning the oversight and adherence to internal and external rules, guidelines, and regulations.

Potential Risk
 Potential Assurance and Consulting tasks (non-exhaustive)
  • Furlough: Ad-hoc design of short-time work procedures and government aid (e.g. definition of rules, imposing and communication of regime, recording, calculation, submissions, etc.).

  • Procedures and controls used to calculate, validate and apply for short-term work compensation may be ineffectively designed or incomplete, and documentation inaccurate, incomplete, not reviewed and approved or not submitted on time
  • Advise on process and control design to ensure existence, accuracy, completeness, timeliness of timesheet reporting and compliance with rules and regulations regarding the recording, calculation and settlement of short-term work hours
  • Assess time registration and reporting process for productive (working) hours and short-term work hours (i.e. validation of hours, completeness and accuracy, approval)
  • Validate design of monitoring controls around adherence to governmental regulations (i.e. SECO)
  • Assess completeness, quality, content and quick availability of short-term work documentation for selected sample of employees including monthly / annual wage statements
  • Verify if potential fraudulent schemes occurred where staff was asked to report furlough while at the same time completing work-related tasks
  • Operating disruption: measures taken around lockdown and extended home-office regime may have resulted in undocumented / unapproved workarounds outside accepted governance standards

  • Existing monitoring activities may have been rendered ineffective, increasing potential fraud-risk
  • Analyze impact of home-office regime on existing internal corporate governance framework (i.e. delegation of authority guidelines, request/review/approval procedures for OPEX/CAPEX, joint signatory authorities, KYC vetting, financial closing and reporting, compliance with tax regime, etc.)
  • Validate design, approval process and level of implementation of defined actions as part of the home-office regime (e.g. providing improved IT infrastructure to allow working from home; design and approval of potential workarounds to ensure continuance of operations; adjusting automated control/checks and balances/procedures to allow working from home; alignment with internal rules and guidelines)
  • Assess design and effectiveness of compensating controls to make sure workarounds do not jeopardize basic corporate governance standards (e.g. monitoring activities, extended reviews, upholding minimum standards)

Performance & Process Excellence

Performance and process excellence addresses key questions and risks of the impact that current circumstances could have on the overall performance of the organization, effectiveness and efficiency of processes as well as the possible adoption of non-standard workflows.

Potential Risk
 Potential Assurance and Consulting tasks (non-exhaustive)
  • Productivity/delivery disruption: The lockdown/home-office regime may result in inefficiencies due to ad-hoc adjustments to procedures as well as roles and responsibilities (e.g. temporary abolishment of oversight and governance, negative impact on productivity due to more manual adjustments)

  • Potential for unauthorized workarounds could increase (e.g. use of end-user-applications instead of ERP workflow, verbal instead of documented approval).
  • Advise on process mapping and identification of key interfaces where designed and implemented processes and procedures are unable to function due to current circumstances (i.e. lockdown, home-office regime and changes in roles and responsibilities, etc.)
  • Use process mining tools to identify potential increase of alternative steps or procedures performed by users (i.e. new or alternative patterns, increase of complexity and/or manual interventions)
  • Assess whether the alternative patterns impact overall outcome regarding efficiency (i.e. throughput time, “operational waste”) and governance (i.e. effective monitoring and controlling)
  • Validate impact by comparing blueprint vs. actual to identify potential gaps / inefficiencies / shortcomings; assess whether proper monitoring of efficiency is in place and respective actions have been taken in case of negative KPI trend
  • Assess whether alternative patterns potentially violate corporate governance rules and guidelines (e.g. data privacy, KYC standards, etc.)
  • Validate whether current performance improvement and process excellence initiatives within the organization continue to be executed, audit level of completion (i.e. objectives vs. actual implementation and impact level), assess long-term sustainability of achieved goals (i.e. continuing improvement of situation, avoiding yo-yo effect)
  • Robotics / BOTS: implemented robotics / bots may not operate as intended or adjustments are not fully validated due to adjusted or newly defined workflows, procedures and roles and responsibilities

  • Automation scripts may provide inaccurate, incomplete or erroneous output/results
  • Advise on compiling a comprehensive repository of designed and implemented robotics/bots and how they could be impacted by the changed information flow, adjusted processes and procedures, etc.
  • Validate robotics/BOT scripts for functionality, completeness (of covered transactions), exception reporting and implemented adjustments due to current circumstances/adjusted processes
  • Perform end-to-end walkthroughs of BOT script development and implementation and review adherence to generally accepted IT standards for quality, code validation and testing and assess whether extended home-office regime has not resulted in potential failures in control design due to lack of 4-eye-principle, effective SoD, etc.
  • Residual costs: due to lock-down and home-office regime, additional costs for infrastructure as well as operations may incur

  • Following the phase-out of the lock-down measures, the residual costs may remain within the existing overhead budget and may not be taken out / reversed.
     
  • Validate the level of implementation of defined actions that are part of the home-office regime (i.e. providing IT infrastructure for working from home, adjusting automated control/checks-and-balances, alignment with internal rules and guidelines)
  • Assess design and effectiveness of compensating controls (i.e. monitoring activities, extended review, upholding minimum standards)
  • Maverick buy: due to urgency and adjusted operating model, the risk of maverick buys from unauthorized or unvetted counterparties may increase

  • Maverik buys could result in unfavorable terms and conditions for the overall organization, unapproved purchases or ambiguity over outstanding liabilities / obligations
  • Analyze impact of home-office regime (i.e. delegation of authority guidelines, requisition/review/approval procedures for OPEX/CAPEX, joint signatory authority, KYC vetting, financial closing and reporting compliance with tax regime etc.)
  • Conduct end-to-end process walkthroughs and assess control design and effectiveness during extended home-office regime (ERP-based workflows, review and approval processes, compliance with internal and external regulations)
  • Evaluate strategic supply chain management during lock-down phase, assess potential impact of supply shortages (i.e. supplier management, delayed shipping, short-term price increases) and assess lessons-learned process of procurement
  • Assess with data analytics the following:
    • purchase volume for each cost center, including variance analysis of budget vs. actual vs. prior year
    • cross-reference counterparties to approved procurement supplier list
    • low-value purchases using alternative procurement methods (i.e. credit cards, expense claim procedures)
    • potential approval violations according to DoA (delegation of authority guideline)
    • purchases with extended volume of amount variances, including related review and approval process
    • ratio of purchase transactions through automated workflows vs. manual interventions, including comparison to pre-covid situation

Information Technology (IT)

IT addresses key questions and risks concerning the impact of the extended lock-down and home-office regime on IT infrastructure, security and management.

Potential Risk
 Potential Assurance and Consulting tasks (non-exhaustive)
  • Assurance map: transparency of the risk assurance for IT security may be incomplete, inaccurate or non-existing thus exposing the company to an increased risk of potential security breaches, attacks or general IT inefficiencies (e.g. downtime, slow-response, unproductive IT tools) due to ad-hoc adjustment to the IT operating model as part of the lockdown.

  • BCM measures: To ensure continuance of operations, short-term business decisions, shortcuts and temporary suspension of IT standards during extended home-office regime could result in:
    • extended security hazards, e.g. firewall misconfiguration to allow faster access from home, short-term access-rights expansion to compensate for home-office regime, unfavorable balance between SaaS availability vs. response-time vs. security standards, etc.
    • increase of governance and compliance risks, i.e. insufficient software license monitoring or ambiguity over actual availability, misconception of SLA agreements regarding rights and duties, revoked SCADA standards due to extended home-office regime
    • productivity trade-offs against security governance standards, e.g. cloud responsiveness vs. security standards, annulment of data classification within cloud environment due to extended access, extended use of endpoint devices
    • surge of cyber threats and reduced detection capabilities
Initial remarks: overall, we see IA functions increasingly focus on the topic of IT security including assurance as well as advisory-related reviews and services. However, there seems to be little to no transparency over the variety and diversity of the topic, resulting in the fact that certain key aspects/risks are insufficiently covered in assurance-related audits. As such, IA functions should compile an assurance map that specifically deals with the wide area of potential topics considering the outline of possible IT security areas below:
 
  • General cyber risk: support the computation of an overview of the information security governance and information security management system (ISMS); work out a (risk-based) testing plan for future years (incl. coordination with other assurance functions).
  • Network security: evaluate the effectiveness of the design and implementation of security measures, incl. zoning, defense, firewall and security gateway configuration, remote access, network access control
  • IT cloud: evaluate control effectiveness of Software-as-a-Service (SaaS) usage, considering compliance (contractual agreement), information risk management and data protection incl. GDPR compliance.
  • Cyber incident response: assess cyber incident response capabilities covering dedicated preparation with procedures, plans, exercises and continues improvement measures.
  • Information risk management: evaluate improvements regarding effective information security risk management
  • Secure software development / SDLC: assess risks regarding software development (i.e. robotics /BOTS); evaluate design and implementation of controls along software lifecycle especially regarding ad-hoc adjustment due to lockdown situation.
  • Security with third-party management: assess risks related to vendors and suppliers, considering requirement management and selection, agreements, contracts and SLAs, effective enforcement, monitoring and reporting on security
  • SCADA / ICS / OT security: assess Industrial Control System (ICS) security considering the specific ICS challenges of production assets
  • Wi-fi: assess security of wireless networks (architecture, design, configuration review, penetration testing)
  • Mobile / endpoints: assess effectiveness of the security concept and standards for mobile / endpoint devices (notebooks, tablets, phone) used to process organizational data
  • Human factor / training / resilience: evaluate effectiveness of security trainings and awareness measures (resilience) by assessing staff behavior (handling of malicious e-mails, USB sticks, etc.)
  • Cyber detection, vulnerability management, threat intelligence: assess design and effectiveness of vulnerability, threat and attack detection capabilities and conduct enhanced penetration tests
  • Data classification/protection/compliance: assess effectiveness of data management within the Group, focusing on implementation of data classification (procedures, technical implementation) as well as appropriate handling to comply with information security and data protection requirements (GDPR)
  • Application security testing: identify high-risk applications across the organization and conduct penetration testing

Our services and further information

Tags: