The events of the past two years have not made for a smooth journey for corporations' internal audit teams, which in 2022 face numerous steep challenges.
Any job usually has some sleepless nights built into it (and this is in no way advocating or promoting unhealthy sleep habits for this or any other position). So, it’s little surprise that there are expected to be a record number of audits this year — and your own internal audit may give you a few sleepless nights.
Given the confluence of events over the last 24 months — global pandemic, climate change, labor shortages, supply chain disruptions, cyber-threats, and political and social upheaval — the work level of internal auditors has greatly increased. Worse yet, while each event has its inherent risk to a business, collectively, their impact could be devastating.
Areas of concern
We’ve identified four areas of top concern among internal auditors and several possible ways they can mitigate these challenges. While these concerns are not listed in any particular order of importance, each issue, or some combination of them, can create significant risk to the organization.
ESG
In November 2021, the International Financial Standards Board announced the formation of the International Sustainability Standards Board (ISSB).
The board was created to offer auditors a standard way to provide guidance on procedures and reporting (even suggesting wording from the ISSB website) for environmental, social, and corporate governance (ESG) issues. The board was needed because “often no two companies were reporting in the same manner, and therefore it was difficult to assess a standard or framework,” said Steven Wilkerson of accounting and auditing firm BKD, adding that companies in the same industry would use different reporting boundaries, accounting methodologies, metrics, measurement units, and reporting formats.
With the formation of ISSB, however, companies will have to adhere to many reporting factors, not just environmental ones (such as carbon footprint) but also social and political justice and diversity, equity & inclusion (DEI), to name a few. Internal audit teams are now tasked with proactively helping the business determine if it is complying. For most, the challenge will be identifying who within the organization is responsible for adherence to its ESG plan, and working in partnership with this group or team is essential.
Third-party vendors
With the rapid changes in technology, most companies find it difficult to keep up completely, and often rely on third-party vendors to keep them up to date. “Outsourcing is a common feature of the 21st-century business environment, and there are many benefits such as reducing costs, focusing on primary goals, and obtaining service from experts in relevant fields,” wrote Abdul Subhani, CEO of Centex Technologies, in a recent article.
As much as companies need to use these vendors, however, they can also present an inherent risk. More than one-half of businesses faced one or more third-party risk incidents since the beginning of the pandemic, according to a Deloitte survey conducted in 2021.
In fact, “if there is a cybersecurity breach with a vendor, most likely the company’s data is compromised.” Although it may be safe to assume that most vendors are honest and will notify the company of any breach within their own ranks, the company can only hope this is always true for all of their vendors. To help with mitigation of third-party vendor risk, internal auditors could get more involved with the vendor selection process and provide insights into what additional questions should be asked of the vendor, even if this hasn’t been within the traditional scope of an auditor previously.
Mergers & acquisitions
More than 60% of US dealmakers expect M&A activity to return to pre-pandemic levels within the next 12 months, according to the 2022 M&A Trends Survey: The Future of M&A, another Deloitte survey.
There is no question that a lot of due diligence takes place after the Transaction Service Agreement is signed, and there are standard checklists designed to cover legal, commercial, financial, human resource, intellectual property, information technology, environmental, health and safety, tax and compliance, and regulatory matters. These checklists are a great way to determine what information should be gathered, but as tasks then emerge — such as tracking all of the IT systems of the acquired company — numerous examples of risk to the purchaser will appear.
However, involving the audit team early in the M&A process allows the team to provide value-added assistance by conducting a risk assessment, including assessing the corporate strategy process, especially as it relates to growth by acquisition. Often both the purchasing and target companies are enthused about getting the deal done, and auditors may later find that things were missed. Having the internal audit team at the table allows it to offer an independent and unbiased assessment of what has been or should be discovered.
Technology
Despite the risks associated with using advanced technology to aid in the audit process, there are many benefits as well, especially when it is used by a competent, trained professional. Indeed, you could say there is risk in not utilizing advanced technology — the risk of more human error, higher costs, and more wasted time.
By leveraging robotic process automation, artificial intelligence, and data analytics, internal audit teams can spend more time and have more information to conduct deeper evaluations of their processes, which allows them to provide better insights and information to executives and the board. Further, “more than 74% of corporate finance executives say their auditors use advanced technologies and 94% believe that it improves audit quality.”
Today, the internal audit team has much more to review and process than before to mitigate risk to the business. This makes the stakes higher, and so teams will have to rely on technology to support data accuracy and help them succeed.