Top Three Things Internal Audit Departments Should Consider in 2022

February 15, 2022


By Sahajanand (Seju) Dave

Over the last two years, the COVID-19 pandemic has impacted all aspects of the business world. While 2022 may be the first year we consider to be post-pandemic (fingers crossed), let’s take a look at some of the key items that internal audit (IA) departments should be considering as they develop and refine their audit plans for the year.

Remote Work and the Impact to Cybersecurity

Due to the pandemic, remote work has become the norm and has created different cybersecurity risks and headaches for companies. According to a global industry study by Tenable, “67% of business-impacting cyberattacks targeted remote employees.” [1] As companies move to a more hybrid work environment, there are more opportunities for issues related to cybersecurity to arise.

IA should assess the risks over the firm’s cybersecurity program, related policies, procedures, and how the firm is communicating and training team members to increase awareness of cyber risks. If no program or capabilities exist in-house, firms should consider engaging a third party to assist in setting up a foundation for a cyber risk program.

Great Resignation/War for Talent

While we’ve had multiple vaccines for COVID-19 for over a year, they were not able to get the world back to ‘business as usual’ as quickly as we had hoped.

The pandemic has also caused a stir in the labor market with the Great Resignation, with over 4 million employees leaving their jobs in December 2021 [2] and a historically low unemployment rate of 3.9%. [3] With this being an employee’s market, employees feel empowered to change jobs or renegotiate the benefits and compensation of their existing job. These changes in personnel in key positions at companies are shifting responsibilities to newer employees, creating potential threats to existing control environments.

However, a bright spot is that more countries are beginning to remove COVID-19 restrictions as part of their efforts to get back to some semblance of normalcy.

IA needs to determine the impact of these changes to the workforce on operations and their processes and controls environment. Additionally, IA can assess whether management is doing enough to attract and, more importantly, retain their workforce.

Environmental, Social, and Governance (ESG) Programs

ESG has become a more prevalent topic amongst businesses in the last few years, in part due to increased investor focus on ESG-related disclosures. Additionally, in March of 2021, the SEC announced an Enforcement Task Force focused on climate and ESG issues that will have an initial goal “to identify any material gaps or misstatements in issuers’ disclosure of climate risks under existing rules. The task force will also analyze disclosure and compliance issues relating to investment advisers’ and funds’ ESG strategies.” [4]

In terms of developing an ESG program, companies should develop ESG guidelines noting their values and their ESG initiatives. An example of this may be a supplier code of conduct that must be adhered to by any suppliers from whom the firm sources its products, demonstrating the respective supplier is following sustainable and environmentally friendly processes. Additionally, a firm should have a monitoring system in place to oversee compliance with these guidelines.

IA can assess the risks and maturity of the firm’s ESG program. Specifically, IA can perform audits to identify processes and controls that should be included in the ESG program as well as assess any system risks for applications used for the ESG program (as ESG procedures may include collection of sensitive data from the firm). These internal audits can provide recommendations to the firm to strategically enhance their existing ESG program.

As we look ahead to 2022, IA teams should consider these risk areas for their audit plans, as they will continue to grow in importance this year. Additionally, they should ask whether the IA team has sufficient expertise to perform effective audits over these areas or if training is required and third parties need to be engaged to assist.


[1] https://www.tenable.com/press-releases/seventy-four-percent-of-organizations-attribute-damaging-cyberattacks-to
[2] https://www.bls.gov/news.release/jolts.t04.htm
[3] https://www.bls.gov/news.release/archives/empsit_01072022.htm
[4] https://www.sec.gov/news/press-release/2021-42

