The end of the calendar year is customarily a time to reflect on one’s personal and professional accomplishments. It also offers me the opportunity to look back on the year’s events that had direct implications for the internal audit profession.
As I reviewed key events in 2017, I was reminded of a fundamental truth that all internal auditors should take to heart: Effective risk management, internal controls, and corporate governance are pursuits fraught with continuous obstacles. From culture-driven scandals, to continued brazen cyberattacks, to geopolitical and socio-economic unrest, this year provided vivid examples of how fleeting successful risk management, control, and governance can be.
The bad news is that cybercrime continued to thrive in 2017. The worse news is that the biggest hacks were easily preventable but still happened.
Even in an era when mega-size data breaches have become routine, Equifax’s disclosure in September that the personal information of 143 million of its customers was compromised was breathtaking. In a single, massive hack, the names, Social Security numbers and other personal data of more than 40 percent of the U.S. population were exposed.
The attack exploited a known weakness in software on Equifax’s network for which a patch was available to protect against hacks. But the patch reportedly had not been applied. Similarly, a simple phishing scheme earlier in the year was behind the successful WannaCry ransomware attack that crippled computers in 150 countries.
IMPLICATIONS: These examples show internal audit must remain ever vigilant to identify weaknesses in cybersecurity controls and must seek out and sustain positive and supportive relationships with cyber risk managers, including CSOs, CISOs, and CROs.
While the world-shaking fallout predicted as a result of 2016’s Brexit vote and U.S. presidential election hasn’t materialized, there is a quiet revolution occurring in regulatory and enforcement strategies that impact risks in the United States.
The list includes delays in implementing some anticipated rules (e.g., the U.S. Labor Department’s fiduciary rule on financial advisors is delayed 18 months, until July 2019); policy reversals (e.g., net neutrality); and leadership and board changes that may alter enforcement philosophies at the U.S. Securities and Exchange Commission, Public Company Accounting Oversight Board, Environmental Protection Agency, and Consumer Financial Protection Bureau.
IMPLICATIONS: No matter one’s political bent, it is important to recognize that such changes, both high profile and subtle, impact risks and may require rethinking and reprioritizing internal audit priorities.
A new revenue recognition standard published by the Financial Accounting Standards Board in 2014 was hailed as a significant step toward improving financial reporting. The deadline for publicly traded companies to meet the new standard came and went last week (Dec. 15).
The standard’s intent is to allow users of financial reports to “understand the nature, amount, timing, and uncertainty of revenue and cash flows arising from contracts with customers.” While the objective is laudable, the challenge in successfully meeting the new standard is in determining just how much detail to provide.
One of the standard’s provisions is to provide “a level of detail necessary to satisfy the disclosure objective and how much emphasis to place on each of the various requirements.” It also warns against obscuring useful information by including “a large amount of insignificant detail or the aggregation of items that have substantially different characteristics.”
IMPLICATIONS: Organizations that have not already invested resources toward adhering to the standard could struggle, which could present a significant challenge for internal audit to provide assurance on compliance.
For the second consecutive year, private data on tax havens were leaked to the media. In 2017, the so-called Paradise Papers exposed tax strategies for major firms such as Nike, Apple, and Avianca. The 13.4 million confidential electronic documents relating to offshore investments were leaked to two German reporters, who then shared them with the International Consortium of Investigative Journalists.
Around the world, other unexpected threats underscored how quickly risks can emerge and explode.
IMPLICATIONS: Ideally, internal audit should be positioned to provide assurance in all areas, but limits on resources and expertise make that a challenge in most organizations. Still, we must be prepared to proactively intervene in times of crisis and be attuned to what unexpected risks may emerge when organizations stray outside of customary roles or take extraordinary steps to achieve goals.
Not all headlines from 2017 were negative. Indeed, internal audit practitioners received updated standards and tools that better position them to meet growing stakeholder demands.
New IIA International Standards for the Professional Practice of Internal Auditing went into effect on Jan. 1, adding important components to the International Professional Practices Framework (IPPF), including a new list of Core Principles. The Core Principles help internal audit demonstrate how it aligns with the organization’s objectives, particularly the principle for internal audit to be insightful, proactive, and future-focused.
Focusing on the future also was what drove the update to COSO’s Enterprise Risk Management—Integrated Framework, published in September. The updated framework responds to the evolution of enterprise risk management, providing guidance to meet the demands of an increasingly dynamic business environment that includes shifts in economic markets, evolving technologies, and changing demographics.
IMPLICATIONS: History shows internal audit has been adept at pivoting to changing risk landscapes and growing stakeholder demands. It now has two new instruments to help it accomplish its increasingly complex task. It warrants mentioning here the significance of conforming to the Standards. The beauty and value of the IPPF is its ability to bring uniformity and consistency to how the profession is practiced around the world. However, its capacity to do this relies on practitioners embracing and strictly conforming to the Standards.
Brutal is the only word to describe 2017 for the darling of the upstart business world. It began in February with allegations of unaddressed sexual harassment and discrimination complaints at the San Francisco-based company. The bad news continued with the subsequent firing of 20 employees in a related investigation. In May, Uber agreed to pay $20 million in back wages to settle a U.S. Federal Trade Commission lawsuit. By June, Uber’s wunderkind founder, Travis Kalanick, resigned as CEO. In September, Uber was banned from operating in London. Then, in October, Bloomberg news reported that the company faces no fewer than five criminal investigations by the U.S. Justice Department.
IMPLICATIONS: The Bloomberg report’s description of Uber’s culture as having “a tendency to ignore rules” summarizes the root cause of the company’s governance issues. Such a free-wheeling culture in any organization drives risk tolerance to a high level, making good governance and risk mitigation much more complex and daunting.
This year in review reflects the variety of risks and the speed at which they emerged and impacted organizations large and small. It should serve as a reminder that organizations must be ready to embrace the tools and resources at their disposal, prepare for the unexpected, and boldly address the risks they can identify and manage. It was also another year in which we learned the valuable lesson of trying to anticipate the unexpected.
As always, I look forward to your comments.