News round-up: July/August 2021

Report highlights IA’s role in times of financial stress

Economic uncertainty will continue to test organisations’ financial sustainability for the foreseeable future, so it has never been more crucial for businesses to prepare for the next crisis. 

In line with this, the Chartered IIA has published a new financial stability report, 'Avoiding the blind spot: Supporting financial stability and resilience'. This report explores the role of internal audit in helping organisations to manage and mitigate financial, capital and liquidity risk, and to identify opportunities in the post-pandemic recovery.

The researchers aimed to find out how internal audit functions across a range of sectors managed and mitigated financial, capital and liquidity risk over the past 18 months.

Six sector-specific roundtable discussions with 39 chief audit executives from sectors including financial services, hospitality, aviation and travel, retail, public sector and the third sector explored how internal audit could reimagine its approaches to financial stability and sustainability, and help businesses to highlight the opportunities.

Internal audit can play a vital role in supporting organisations’ financial stability and resilience. The report offers a guide for navigating financial, capital and liquidity risk and aims to inspire new work in this critical risk area.

Click here to download the report.


Cyber security control failures top new risk list

Cyber security control failures was rated as the top emerging risk in the first quarter of 2021 by two-thirds of respondents in a global poll of 165 senior executives. Gartner’s Emerging Risks Monitor Report found that the executives questioned were most concerned about potential cyber security control failures caused by the hasty implementation of remote working practices during the pandemic and consequent business lockdowns.

The four risks that were cited as the next highest priorities were: the “new working model”, remote talent management, organisational cultural degradation, and strategic corrections. 


Internal audit teams slow to utilise next-gen technology

Most internal audit leaders and their teams are still in the early stages of – or have not even begun – implementing next-generation tools and strategies into their audits, according to consultancy Protiviti’s 2021 Next-Generation Internal Audit Survey. 

Only 14 per cent of respondents rated their internal audit function as a “digital leader”. Interviewees said that the areas of next-generation internal audit capabilities that they believe are at the lowest level of digital maturity are machine learning (ML) and artificial intelligence (AI), process mining, automation and advanced analytics. 


Lessons learnt from 40 years of crises

Organisations must recalibrate their approach to risk and crisis in a highly volatile world, according to a new study by risk consultancies Aon and Pentland Analytics that details the impact that crises have on reputation and shareholder value.

Called Respecting the Grey Swan, the study examines the impact of extreme but uncommon events such as the 9/11 attacks, the 2008 financial crisis and, most recently, the COVID-19 pandemic. Using data from 300 corporate crises that occurred over the past 40 years, it highlights how crises remain a major risk for organisations globally and the effect they have on shareholder value, while also identifying drivers of recovery.

Evidence from the research suggests that organisations should focus on three specific areas to build resilience. It advises them to: reimagine the risk landscape by undertaking a broader risk assessment; acknowledge the severity of impact and focus their investment on risk preparedness and crisis management; and translate understanding into action to foster a responsive and agile culture. 


Companies fear rising data leaks 

The pandemic has fuelled concerns about increased risks of corporate data leaks and deliberate insider breaches, according to research by Forrester Consulting. It found that 74 per cent of companies are more concerned about insider risk management now than they were before the pandemic.

It said that, while 66 per cent of respondents experienced data leaks caused by insiders at least monthly, there were significant barriers to implementing prevention policies. 


Firms must focus on risk resilience

Risk resilience gives organisations a competitive advantage, according to consultancy Marsh’s inaugural Risk Resilience Report. However, the researchers warned that risk management functions often prioritise short-term threats over those that are high severity, but lower frequency. This leaves their organisations vulnerable to immediate and long-term disrupted operations, assets and revenue streams.

The report identified a “risk-resilient organisation” as one that can anticipate risk, minimise losses and quickly resume business as usual following an event. 


Third-party failure caused risk incidents  for most organisations in Covid pandemic

More than half of organisations (51 per cent) faced one or more third-party risk incidents while responding to the COVID-19 pandemic, according to a survey by Deloitte into extended enterprise risk management (EERM). It found that 13 per cent of incidents were considered “high impact”, severely compromising financial performance and profitability and customer service. In some instances, this also led organisations to breach regulations.

The survey also found that a quarter of organisations (27 per cent) that had not adequately invested in third-party risk management before the pandemic faced a high-impact incident in this period, compared with just two per cent of those that had.

The move to remote working helped to make digital risk the top priority area for 71 per cent of organisations. Despite this, 42 per cent of respondents were concerned that their organisation did not invest enough in cyber security. 


Top tips to prepare for ransomware attacks

The rise in both frequency and severity of ransomware attacks has prompted information security standards setter ISACA to draw up its top tips to help organisations prepare for attacks and their consequences.

Top of the list is the need for organisations to understand their risk profile so THAT they can determine the areas that need better controls or more attention. It also advises managers to ensure that employees download the latest software security patches as soon as they are alerted. In addition, security policies should be regularly reviewed and updated, controls tested, and cyber security roles and responsibilities should be assessed regularly. 


Risk matrix breaks down blockchain complexity

Blockchain technology offers companies many benefits while saving costs, but it also creates risks that internal auditors need to understand and be aware of.

A new risk matrix, called Blockchain Risk: Considerations for Professionals, developed jointly by a working group comprised of ISACA, the American Institute of Certified Public Accountants (AICPA) and the Chartered Institute of Management Accountants (CIMA), aims to describe and contextualise several specific risks associated with the implementation and operation of blockchain.

The matrix is constructed around five main risk domains – governance, infrastructure, data, key management and smart contracts, and their relevant subdomains. 


EU proposes rules for trustworthy AI 

The European Commission has unveiled proposals aimed at increasing trust in the use of artificial intelligence (AI). These would apply to all companies that use such technology, not just the large tech-sector firms.

The proposed rules would apply to the developers and users of AI and would have an extraterritorial reach if the AI system is used in the EU, or affects people located in the single market.

The commission is proposing a risk-based approach in terms of oversight by national authorities, with four risk levels: unacceptable, high, limited and minimal. The penalties for non-compliance would be steep, with a maximum sanction of up to 30m or six per cent of the total worldwide annual turnover of the preceding financial year (whichever is higher) for infringements on prohibited practices or non-compliance with requirements on data. 

This article was published in July 2021.