Unique Challenges with Endless Opportunities
The pandemic led organizations to a new paradigm, throwing unique challenges for organizations to overcome. At the same time, the pandemic has ushered in multiple opportunities. Organizations that have been open and willing to accept and adapt to the changes and accept the new opportunities have been successful.
Challenges to Audit Committees and Internal Audit functions
- Lack of skillsets to conduct audits in an automated environment;
- Rigidity to accept change;
- Dynamic updates to risk assessments.
Opportunities for Internal Audit functions
- Enhanced role as a problem solver instead of the problem finder;
- Increased opportunities to play a consulting role to deliver value to management
Implications of the Risk profile on the Audit Committee
The panelists believed that the pandemic was a black swan event. It brought about new risks and opportunities to organizations. Audit Committees that had a focused and open mind treaded well through the pandemic. However, many Audit Committees across organizations have not reacted as well as they could have.
This is the optimum moment for internal audit functions to do a post-event analysis. During this pandemic, Board Audit Committees have become increasingly flexible. In many organizations, CAEs were given full control to assess the risks within the organization an come up with alternatives processes to conduct audit. The pandemic saw the myth of rigidity being broken.
Financial resilience – Financial resilience was key during this phase and organizations that were lean and mean suffered most. It was suggested that this is the right opportunity for organizations to perform extreme scenario-based stress tests.
The discussion also highlighted that the pandemic has been a wake-up call for audit committees, internal audit functions and organizations as a whole. As opined, Covid-19 is the ‘best thing that happened’ to auditors as it gives them an opportunity introspect and embrace change. Audit Committees and CAEs have learned three important points as a result of the pandemic, namely;
Alignment – There is a constant need for alignment between the CAE and the Audit Committees. Well aligned Audit Committee / CAE relationships have been able to tread the pandemic with success and been able to reap opportunities.
Effective communication – Effective communication between the CAE and Audit Committee has gained importance. Further coordination and communication between the Internal Audit function and management is of prime importance.
Challenges – Auditors were faced with multiple challenges during the pandemic. 99% of original risk assessments were no longer valid. Risk assessments were required to become more dynamic in nature. The pandemic gave internal auditors an enhanced opportunity to play the consulting role and deliver value to the organization. Further, COVID-19 helped organizations become more digital. Organizations where there was effective communication between the internal auditors, risk, compliance, and external auditors, gave the internal auditors a chance to shine. The days of long reports have passed and there is increased interest and need for auditors to provide inputs predictive in nature using analytics. If auditors do not adapt to this change, there is a risk of them losing relevance.
23% of the participants believed that the Audit Committee/ Board/ Management committee discuss emerging and disruptive risks and make changes in the Risk profile every quarter. In contrast, panelists thought that the IA plan should be dynamic and relevant. The panelist indicated the importance of having a dynamic risk assessment process. A point-in-time risk assessment is no more of value to organizations.
Cybersecurity and its importance
The discussion on the importance of cybersecurity as a key risk for organizations highlighted that cybersecurity remains a huge threat, as any cyberattack not only has financial impact but also reputational loss to the organizations. Cyber incidents have increased substantially in the previous nine months. Organizations need to realize that a one-time mitigation action will not be effective to mitigate this risk. This requires organizations to be active, robust and dynamic. Further, organizations are encouraged to use experts to assess such risks, which are emerging.
38% of the participants believed that organizations are well funded to mitigate cyber threats, provide awareness through various programs, and ensure the importance is understood across the organization, whereas an equal number believed that funding is a constraint, but the threat of cyber risks is fully understood.
How are Audit Committees and Boards engaging other key constituents of the organizations such as CIO, CISO?
The panelists opined that this is an evolving area. Audit Committees are no longer focused on the audit sphere. There is increased collaboration between audit and risk committees. There are regular joint meetings between these committees which gives an opportunity to assess how effective ERM is in providing effective inputs to the stakeholders. In a well-defined and dynamic ERM system, the CAE and Audit Committee will be the first beneficiary.
The COVID-19 situation is a typical crisis management situation for organizations. Further, scenario analyses and stress testing have become increasingly important for the C-Suite, not only the CAE and Audit Committee. These are evolving trends as a result of the crisis.
How imperative is it for CAEs to undertake transformation and innovative activities around internal audit?
All the panelists concurred that it is imperative for CAEs to embrace technology and change in order to stay relevant. A lot of CAEs have minimal knowledge of a key risk such as cybersecurity risks. This applies to Audit Committees as well. One reason for this situation, is that technology is not their background. Accordingly, they are dependent on experts. Organizations need to spend on enhancing the culture of security in the organization. A key part of this is training people ‘what not to do’. Auditors are required to be multi-talented and tech-savvy. Finance processes are becoming increasingly automated. Auditors who are not open to transformation run the risk of becoming irrelevant. They need to constantly learn and not continue to do the same job, which will threaten their existence.
Brian highlighted that, as part of a recent survey conducted by Protivit, 80% of CAEs are behind the digital maturity curve. This is both a challenge and an opportunity.
54% of the participants believed that Internal Audit Department needs improvement to effectively achieve appropriate risk coverage, agile responses to new and emerging risks, and efficient delivery of value-added insights regarding risk culture, risk management capabilities, and internal control environment.
Environment, Social and Governance (ESG) is not a hype but a reality
ESG is a reality, no more a hype. This has become a condition for assessing investments. Consumers are abandoning products that are not ESG-sensitive. There is increased focus by organizations to assess their carbon footprint and building strategies to improve. Environment impacts are considered as a key factor while assessing projects. It will become part of the fabric of strategy development, a fundamental area in future strategy development.
One of the recommendations was that ESG should be considered in the implementation of a product not just for sustainability but also for looking at it from the point that it makes good business sense.
39% of the participants believed that organizations would be considering Environment, Social and Governance (ESG) in their strategy in the next 1 to 2 years as the MENA region follows the ESG trend.