In an increasingly volatile and disrupted world, Chief Audit Executives and Internal Audit teams must remain agile in the context of a rapidly changing risk landscape. Drawing from KPMG’s Australian publication Keeping us up at night – the big issues facing business leaders in 2022, this report outlines our recommended key areas of focus for FY23 internal audit planning, tailored for Australia.

Key areas of focus

The strength of recovery in the global economy, spending patterns switching towards goods and away from services, and COVID-19-related disruptions in logistics networks have generated significant inflationary pressures. Economic recovery is very visible in the labour market, with the unemployment rate currently just 4.2 percent. Limited spare capacity is putting upward pressure on wages, as firms compete to secure the talent they need. With the economy closing in on a full recovery from the pandemic, the RBA is likely to begin raising interest rates in the second half of the year.

When it comes to the ongoing situation in Ukraine, it is important to consider the various commercial, logistical, legal and broader geopolitical impacts (including the complex and fast-moving sanctions regime). From cutting off the supply of key inputs, to financial market spikes caused by the freezing of global assets, to threatening the distribution of key energy stocks, sanctions of all kinds are creating new day-to-day risks in the commercial agenda of global organisations.

Internal Audit response

Consider how the first and second lines are identifying and assessing where these risks and pressures are likely to impact the organisation. Internal Audit should also review third party suppliers exposed to economic shifts and, more broadly, consider organisational capital planning and capital management, net interest margins, credit/default risk and debt recovery, claims management and business cases for future investment.

Internal Audit can also help identify and assess immediate gaps or control weaknesses in compliance with the current international sanctions regime (for example, counterparty and beneficial-owner screening, and the refresh of screening lists as sanctions change), and can check that a robust framework with appropriate risk mitigation measures is in place and applied on an ongoing basis so that the organisation remains compliant.

Whilst specific ESG reporting is not yet mandatory in Australia, there is a rapid movement towards it. For example, in November 2021 APRA published Prudential Practice Guide CPG 229 Climate Change Financial Risks as a framework to assist regulated entities in managing climate risks. ASIC is also encouraging companies to ensure they have appropriate governance structures to respond to ESG, and to provide reliable and useful information on their ESG risks and opportunities. ASIC encourages the use of the framework from the Financial Stability Board’s Task Force on Climate-related Financial Disclosures (TCFD).

Coupled with this, expectations are increasing from investors, regulators, shareholders, customers and employees for organisations to operate with an ESG lens on all that they do. Internal Audit should play a key role in supporting all organisations to effectively manage ESG risk.

Internal Audit response

For organisations at an early stage of their ESG journey, internal audit should provide advisory support in understanding ESG risk, supporting the design and development of robust governance frameworks and control environments.

For organisations further progressed on their ESG journey, internal audit should provide assurance over relevant governance frameworks, organisational strategies, commitments, policies and plans, including the integrity of ESG reporting. Compliance with ESG risk management and relevant legislative requirements should also be considered.

The availability and retention of talent remains a key risk after the COVID-19 pandemic, together with the legacy of the associated border closures. Employee wellbeing remains severely impacted, increasing the risk of loss of talent, fatigue and associated productivity impacts, together with the erosion of purpose and culture.

Internal Audit response

Assess the organisation’s workforce and future skill demand planning, talent sourcing and talent retention strategies. These should include succession planning, capability management, remuneration benchmarking, wellbeing programs, and training and development.

Remote working and the speed at which new technologies are adopted, coupled with nation-state and criminal actors increasingly using cyber disruption as a critical tool in their arsenal, mean organisations must remain hyper-vigilant to their cyber security risk. This accentuates the need for greater scrutiny of IT security and of workforce awareness of both malicious and non-malicious (accidental) threats.

Further, the Security Legislation Amendment (Critical Infrastructure) Act 2021, coupled with the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022, expanded the definition of critical infrastructure assets and so increased the range of organisations that now fall within it. Additional cyber security obligations may need to be considered, including a critical infrastructure risk management program, mandatory cyber incident reporting requirements, and information reporting to the register of critical infrastructure assets.

Internal Audit response

Assess the adequacy and operating effectiveness of controls that mitigate cyber security risk, and consider structuring the work around the NIST Cybersecurity Framework functions: Identify, Protect, Detect, Respond and Recover. Example reviews could include cyber security governance, identity and access management, awareness and training, security assessment of cyber controls (including detection and response management), a cyber security health check, a post COVID-19 new ways of working review, data security practices, and incident response and recovery strategies.

In a data-driven world powered by digitisation and remote working, regulators continue to increase their vigilance, and privacy and data protection risks continue to pose significant challenges to organisations. The imminent reforms to the Australian Privacy Act 1988, coupled with the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill), broaden privacy requirements and create a binding Online Privacy Code for social media and other online platforms.

Internal Audit response

Assess privacy and data protection controls covering how and what data is collected, used, stored, secured, retained and disposed of, in line with regulatory requirements and industry-leading practice. Consider how organisational data that third party providers have access to is managed and protected. Perform a gap analysis against the proposed legislative reforms, or a maturity assessment against the current Australian Privacy Principles.

Many Australian organisations are now more vulnerable to fraud and corruption than they were before the pandemic, and there is no indication the risk is subsiding. The increased vulnerability stems from extended periods of remote working, cost-cutting or diversion of resources during the pandemic, and an apparent increase in employees’ willingness to rationalise committing fraud. 2021 also saw the release of the new Australian Standard AS 8001:2021 Fraud and Corruption Control, which can assist management and Boards to benchmark their fraud and corruption control programs.

Internal Audit response

Assess the organisation’s fraud and corruption control framework and fraud and corruption risk assessment procedures, together with its fraud and corruption detection and response capability. As we emerge from the pandemic, consider fraud detection measures, including targeted data analytics over accounts payable, payroll and vendor master data to identify indicators of fraud and misconduct.
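The report recommends targeted data analytics as a fraud detection measure but does not show what such analytics look like. The following is an added example, not KPMG’s own tooling or anything from the report: it runs four common fraud-indicator tests (duplicate payments, approval-threshold splitting, out-of-hours posting, and vendor bank accounts that match an employee’s payroll account) over a small, constructed accounts payable ledger. The vendor and user identifiers, bank details, amounts, the $5,000 approval threshold and the business-hours window are all assumptions chosen for illustration.

```python
"""Fraud-indicator analytics over an accounts payable extract.

Added illustrative example; the ledger, HR data and thresholds below are
constructed, not real. In practice the same functions would run over the
full AP extract and the HR/payroll master file.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple


class Payment(NamedTuple):
    payment_id: str
    vendor_id: str
    amount: float
    invoice_no: str
    posted_at: str     # ISO-8601 local timestamp, e.g. 2022-03-07T10:15
    entered_by: str    # AP user who entered the payment
    vendor_bank: str   # BSB and account number from the vendor master


# Constructed sample ledger (hypothetical vendors, users and amounts).
PAYMENTS = [
    Payment("P1", "V100", 4950.00, "INV-201", "2022-03-07T10:15", "u.smith", "062-000 1234567"),
    Payment("P2", "V100", 4950.00, "INV-201", "2022-03-09T11:02", "u.smith", "062-000 1234567"),
    Payment("P3", "V200", 4990.00, "INV-77",  "2022-03-10T09:00", "j.doe",   "033-111 2222222"),
    Payment("P4", "V200", 4980.00, "INV-78",  "2022-03-10T09:05", "j.doe",   "033-111 2222222"),
    Payment("P5", "V200", 4995.00, "INV-79",  "2022-03-10T09:07", "j.doe",   "033-111 2222222"),
    Payment("P6", "V300", 1200.00, "INV-5",   "2022-03-12T22:40", "u.smith", "062-000 1234567"),
    Payment("P7", "V400",  750.00, "INV-9",   "2022-03-14T14:00", "a.lee",   "012-345 9999999"),
]

# Constructed HR/payroll extract: employee -> bank account (hypothetical).
EMPLOYEE_BANKS = {"u.smith": "062-000 1234567", "j.doe": "044-000 5555555"}

APPROVAL_THRESHOLD = 5000.00   # assumed single-approver limit
BUSINESS_HOURS = range(7, 19)  # assumed 07:00-18:59 local time


def _ts(p: Payment) -> datetime:
    return datetime.strptime(p.posted_at, "%Y-%m-%dT%H:%M")


def duplicate_payments(payments: List[Payment]) -> List[List[str]]:
    """Same vendor, invoice number and amount paid more than once."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p.vendor_id, p.invoice_no, round(p.amount, 2))].append(p.payment_id)
    return sorted(sorted(ids) for ids in groups.values() if len(ids) > 1)


def threshold_splitting(payments: List[Payment], threshold: float = APPROVAL_THRESHOLD,
                        band: float = 0.10, min_count: int = 2) -> List[List[str]]:
    """Several same-day payments to one vendor by one user, each just under the
    approval limit, whose total exceeds it: a classic split-invoice pattern."""
    groups = defaultdict(list)
    for p in payments:
        if threshold * (1 - band) <= p.amount < threshold:
            groups[(p.vendor_id, p.entered_by, _ts(p).date())].append(p)
    flagged = []
    for ps in groups.values():
        if len(ps) >= min_count and sum(p.amount for p in ps) > threshold:
            flagged.append(sorted(p.payment_id for p in ps))
    return sorted(flagged)


def out_of_hours(payments: List[Payment]) -> List[str]:
    """Payments posted on a weekend or outside the assumed business hours."""
    return sorted(p.payment_id for p in payments
                  if _ts(p).weekday() >= 5 or _ts(p).hour not in BUSINESS_HOURS)


def vendor_bank_matches_employee(payments: List[Payment],
                                 employee_banks: Dict[str, str]) -> List[str]:
    """Vendor bank account identical to an employee's payroll account."""
    def norm(acct: str) -> str:
        return "".join(ch for ch in acct if ch.isdigit())
    emp = {norm(a) for a in employee_banks.values()}
    return sorted(p.payment_id for p in payments if norm(p.vendor_bank) in emp)


def run_indicators(payments: List[Payment] = PAYMENTS,
                   employee_banks: Dict[str, str] = EMPLOYEE_BANKS) -> Dict[str, list]:
    """Run every indicator and return the flagged payment ids per test."""
    return {
        "duplicate_payments": duplicate_payments(payments),
        "threshold_splitting": threshold_splitting(payments),
        "out_of_hours": out_of_hours(payments),
        "vendor_bank_matches_employee": vendor_bank_matches_employee(payments, employee_banks),
    }


if __name__ == "__main__":
    for name, hits in run_indicators().items():
        print(f"{name}: {hits}")
```

Each test produces leads, not conclusions: a duplicate invoice may be a keying error and a weekend posting may be a month-end close. The audit value is in combining them (here P1, P2 and P6 trip both the duplicate/out-of-hours tests and the vendor-bank match for the same user), then following the hits back to the approval trail and the vendor master change log.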

The pandemic continues to impose significant strain on global and domestic supply chains, from production delays and labour shortages, to continued shutdowns of major ports and associated shipping disruptions, increased commodity pricing, failure of third-party suppliers through to Modern Slavery and ESG considerations.

Internal Audit response

Assess scenario and contingency plans, including the service continuity provisions written into supplier contracts. Assess end-to-end procurement, with a specific focus on sourcing and third party risk and on how that risk is concentrated or spread across suppliers. Review supply chain logistics and continuity processes, including how third party cyber security risk is managed in suppliers’ operating environments.

Digital disruption, transformation and adoption of new technology have accelerated through the pandemic, including AI, Predictive Analytics, Cognitive Computing and Robotic Process Automation. These bring new risks such as those relating to data and cloud storage, usage and privacy.

Internal Audit response

Assess the digitisation strategy and program together with the associated risk management controls. Provide assurance over specific digitisation projects, including AI design integrity, algorithm testing, exception management and remediation, change management controls, and third party provider and software vendor management. Provide advice on governance and control frameworks to ensure long-term AI and bot risks are monitored and mitigated after implementation.

In response to recent Royal Commissions and government inquiries, community expectations have rapidly increased regarding the way organisations protect children and vulnerable people. Safeguarding governance and control structures can be preventive, participatory and detective, promoting an environment that keeps people free from abuse, exploitation and harm.

Internal Audit response

Focusing on where the risks to consumers lie, Internal Audit should assess preparedness and compliance against:

  • Standards and/or legislation
  • Commission recommendations
  • Safeguarding policy
  • Child safety or vulnerable people governance practices
  • Safeguarding culture
  • Incident management
  • Complaints management.

A review of a safeguards framework should consider preventive, participatory and detective safeguards.

Post COVID-19, a mergers and acquisitions boom accelerated through late 2021, with global mergers and acquisitions hitting new record highs. In Australia, this is also reflected in the speed of consolidation in the wealth management and superannuation industry. Mergers and acquisitions pose unique ‘delivery’ (transaction and integration execution) and ‘delivered’ (benefits realisation) risks during this period of rapid change.

Internal Audit response

Develop an integrated merger risk assurance strategy and plan. This allows informed decisions about, and awareness of, the types of assurance the merger will obtain during its lifecycle, from real-time assurance through to ‘go’ / ‘no-go’ live assurance. Focus areas could include control due diligence of the target entity and associated remediation plans, governance and integration reviews, IT roadmap planning, supply chain consolidation and business case achievement.