A comprehensive risk-based Internal Audit plan determines the success of an IA function as a value-adding, strategic business partner. This summary of key risks aims to stimulate discussion during the annual planning process and identify potential emerging topics relevant to your IA function.
Within an increasingly global and transforming economy, organizations are exposed to a broad spectrum of risks. As the business environment evolves, so must organizations and the assurance functions within them.
Conventionally, Internal Audit (IA) has focused on topics related to internal control systems (ICS) and compliance. Today, however, a modern IA function must have a broader awareness of the key risks and opportunities relevant to the organization, and use this knowledge to direct the focus of its internal assurance and advisory activities.
To better focus on the risks that matter, we have introduced the concept of a Risk Radar that clusters potential key risks by visibility (emerging vs. established) as well as by audit cycle (recurring vs. exceptional / one-time).
It aims to give IA functions guidance on how to address specific key risks along the following four dimensions:
- Recurring: Dominant risks that should be considered on a recurring basis
- Exceptional: Risks with no previous audit history within the organization; IA should aim to provide initial assurance to key stakeholders on how these risks are addressed (e.g. by enhancing the control system or introducing new guidelines or processes)
- Emerging: Risks and opportunities that may not yet have the clear attention of the organization but may soon become of material importance
- Established: Risks that are clearly recognized as key to the organization and should dominate the IA audit plan and assurance agenda
Some examples of key risks to be considered include:
Digitalization, Industry 4.0 & the Internet of Things: Increasing investments in digitalization are driving a new form of business transformation, referred to as Industry 4.0. Benefits (e.g. efficiency) must be balanced against risks (e.g. data security) in the business plan. IA can provide assurance to the Board on whether the digitalization business plan is on track and meets the targeted objectives of the transformation.
Cloud Computing (CC): Cloud computing services are being widely adopted because of their flexible delivery models, scalability and customization. Alongside the potential benefits, organizations must also consider the increased risks relating to data security and regulation, as well as their exposure to the risks faced by the cloud vendors themselves. IA can provide assurance by auditing, for example, the CC concept, the implementation and roll-out project, or the compliance of service level agreements (SLAs) with IT security standards.
Cybersecurity: A KPMG Switzerland survey of 60 companies found that 42% of respondents had suffered successful cyberattacks that resulted in financial losses. 82% of cyber response plans do not cover incidents such as attacks against suppliers or business partners, and 44% of respondents have no instruments to enforce their control framework on their suppliers. IA can provide assurance in areas such as penetration testing, concept review and roll-out, and the long-term sustainability of the cybersecurity program.
EU General Data Protection Regulation (EU-GDPR): The EU-GDPR is the biggest change to privacy and data protection requirements in recent history. It introduces a range of new data protection requirements with which organizations need to comply. IA can provide assurance by assessing the level of compliance, the completion of the roll-out and the long-term sustainability of the internal EU-GDPR program.
Treasury Management: Owing to the development of increasingly sophisticated payment systems, the introduction of new technology in payment processing (e.g. blockchain and instant payments) and new financial market regulations such as the Swiss Financial Market Infrastructure Act (FMIA), the role of Group Treasury is evolving towards that of a strategic business partner. To provide assurance over the expanding role of Group Treasury, IA can conduct independent reviews of financial risk management processes, payment systems, cash management and banking relationships.
Net working capital management (NWC): The effective management of NWC is a key measure of financial maturity. While NWC efficiency has long been a key success measure, the growing focus on it may also be linked to rising financing costs caused by the poor solvency ratios of many organizations and to growing pressure to meet market analysts' expectations. IA can provide assurance by conducting an initial assessment of the relevant indicators and variables that affect NWC, how it is managed and processed, and what checks and balances are in place.
Digitalization, cloud computing, cybersecurity, EU-GDPR, net working capital management, business continuity and crisis response are but a few of the trending and emerging topics that can represent significant risks, and under-utilized opportunities, within an organization.
To read more, please refer to our publication 20 key risks to consider by Internal Audit before 2020.