INTERNAL AUDIT AND CURRENT BUSINESS RISKS
02 May 2022
Senior Manager : Internal Audit (FIIASA, CIA,CIDA) at Kreston Pretoria
The world as we know has changed significantly over the last two (2) years, in turn, altering the way we live, the way we do business, and the way we react to emerging business risks (i.e. “the exposure a company or organisation has to factor(s) that will lower its profits or lead it to fail. Anything that threatens a company’s ability to achieve its financial goals is considered a business risk.”). We have had to learn to adapt, and we had to do it quickly, with little or no preparation time.
Two (2) years ago, it was inconceivable to most organisations that the world soon be at a complete standstill. Few could have anticipated that a global pandemic would emerge as the primary threat that affects the ability of organisations to meet their financial goals.
Not only did the Covid-19 pandemic force businesses to reassess their financial goals: it required organisations to implement remote working policies and new technologies to ensure minimal interruption to business operations and service delivery.
The State of Internal Audit Trends Report 2022 as published by CaseWare (which is an annual survey conducted by CaseWare) elaborated on the top challenges experienced by a total of 3926 businesses with Internal Audit Responsibilities from around the world:
Figure 1: Extract from the State of Internal Audit Trends Report 2022
It is evident that digitisation and innovation are a top concern for the businesses surveyed. But how does this affect Internal Audit?
In the years leading up to the emergence of COVID-19, there had been an uptick in the need for audit automation, including continuous auditing and monitoring, and a further need to move away from traditional audits to “exception auditing”, where data analytics is leveraged to channel scrutiny towards areas where exceptions are identified or most probable.
This trend continued through the start of the pandemic, where implementation of digital transformation strategies at short notice changed the priorities of organisations in a manner that underscored the value of adaptable and innovative internal audit functions. Vanilla, operational internal audits gave way to reviews that assisted the business in successfully implementing and managing the digitisation of their organisation, including the review of productivity of staff that were required to work remotely in lockdown. This not only assisted organisations in the short run, but also supported the need for changes to the “normal” way of working, to make businesses more adaptable and efficient.
With the digitisation of organisations and implementation of remote working policies, businesses were also more exposed to cyber breaches and attacks. Most organisations will have this type of business risk on their risk register, however, the likelihood of this risk occurring is normally low as the controls in place to mitigate the risk was centrally managed by the organisation. With COVID-19, people were required to work remotely, which increased the risks for cyber breaches and attacks.
The 2021 Cyber Security Threat Trends Report published by Cisco “reflects a continuation of the trend we [Cisco] have been seeing toward more complex, multi-staged attacks that involve multiple threat types. Typically, in the attack chain, we’re seeing things like a trojan begat an information loader, which begat a ransomware demand. “
The diagram below highlights the findings of a trend analysis performed by Cisco which shows that majority of the organisations included in this analysis experienced cyber related issues like phishing, unsolicited cryptomining and malicious browser ads.
Cryptomining is defined by PC Mag as “The competitive process that verifies and adds new transactions to the blockchain for a cryptocurrency that uses the proof-of-work (PoW) method. The miner that wins the competition is rewarded with some amount of the currency and/or transaction fees.” (Please follow this link to read more about blockchain — https://idea.caseware.com/blockchain-crucial-internal-auditors/ )
The article, “How Covid-19 is Dramatically Changing Cybersecurity”, by Prashant Deo, Geetali Raj and Santha Subramoni from the TATA Consultancy Services, explains the reason for the increase in cybersecurity risks during the pandemic: “The information technology on which they have long depended – their data centers, cloud systems, departmental servers, and the digital devices their now-remote employees used to stay connected to each other and to the company’s data – becomes even more vital. Overnight, the demands placed on the digital infrastructure have skyrocketed. Such technology also becomes a much bigger and more lucrative target for cybercriminals. Cybersecurity efforts need to be upgraded to prevent a second crisis from emerging: on the digital devices and networks that have become infinitely more vital to companies…”
To ensure that businesses address this risk, consideration must be given to how digital devices and networks are safeguarded against cyber threats. The necessary time and money should be spent on improving the IT Controls. During the past 12 months, we noted that there has been an increase in requests for certain specialised internal audit reviews, that will give the required assurance to management that they are protected against possible cyber threats, most commonly:
- IT General and Application Controls;
- Network Vulnerability Assessments;
- Network Penetration; and
- Network Security.
Much of South Africa has settled into a “new normal” that assumes that Covid-19 has now become a long-term matter, thus allowing a shift of focus to other key business risks that affect the growth of companies and the economy. Some of these business risks include, to name a few:
- Environmental risks, such as the flooding recently experienced in Kwa-Zulu Natal;
- Corruption at all levels, in both public and private sector;
- Stability of electricity supply; and
- Geopolitical risk arising from the conflict between Russia and Ukraine, and the resultant effect on fuel and food prices.
Internal Audit can be of immeasurable valuable to any organisation, big or small and should be considered an essential dimension of an organisations’ management capability, even if it is not mandatory for businesses to have an Internal Audit Function. This is supported by the article: “The Characteristics of Highly Successful Internal Auditors” by Joseph McCafferty on Internal Audit 360°  which states: “To perform well in their jobs, they must have a set of skills and characteristics that are typically uncommon in one person.” He mentioned that these six (6) skills are critical for internal auditors:
- Great Communication Skills
- Unyielding Curiosity
- Technological Savvy
- Ability to Work Independently and in a Team
- Drive to Be Life-Long Learners
- Integrity and Courage
Internal Audit is critical to the successful identification and assessment of business risks, as well to assist management to recommend mitigating controls for these risks, that will ensure that organisations are prepared for the unknown, and to provide assurance in uncertain times for unexpected events.