News round-up: January 2021

Internal audit vital to fight post-pandemic risks

Over a third of internal audit professionals believe that the risk of fraud in their business has increased since they shifted to remote working last spring – while a further ten per cent say it has increased “significantly”, according to research by risk-management specialists Kroll. These concerns are compounded by the fact that a third of the audit professionals surveyed believe a shortage of financial resources is likely to hinder efforts to mitigate such risks. Lack of organisational education about the value of internal audit in fraud risk management was cited as the biggest barrier to controlling these risks by 29 per cent of respondents.

“Our research has made it very clear that internal audit plays a vital, but often undervalued, role in fraud risk management,” said Matthew Weitz, associate managing director at Kroll. He acknowledged that this has always been a problem, but added that the issue has been brought into sharper focus because the challenges for internal auditors and their firms have grown over the course of the pandemic.

“Empowering internal audit has always been important, but it is now vital to the continued fight against fraud,” Weitz said.



New guide to cyber and ERM

US IT standards-setter the National Institute of Standards and Technology (NIST) has released a new guide aimed at promoting greater understanding of the relationship between cyber security risk management and enterprise risk management. The guide also highlights the benefits that can be gained by integrating measures to manage and mitigate both types of risk.


Organisations prioritise supply chain resilience after COVID-19

Supply chains in more than 80 per cent of organisations have been negatively affected by the COVID-19 crisis and many will require further changes in the near future, according to research by consultancy the Capgemini Research Institute. It found that nearly two-thirds of organisations believe that increasing supply chain resilience is now a priority.

The report, “Fast forward: rethinking supply chain resilience for a post-Covid-19 world”, found that the pandemic has forced organisations to prioritise supply chain resilience – two-thirds of respondents said that their supply chain strategy will need to change significantly in order to adapt to the new normal. Only 14 per cent of organisations expected to return to business as it was before the crisis, while 68 per cent believed the pandemic had forced them to adapt their business models.

More than half (55 per cent) of organisations said it has taken them between three and six months to recover from supply chain disruptions in 2020, while another 13 per cent expect their recovery to take six to 12 months. 


FRC spells out what it wants in company reports in 2021

The UK’s corporate governance watchdog has laid out what it expects to see in company reports in 2021. Top of the list is COVID-19 and the impact of the pandemic on corporate operations and the bottom line.

The Financial Reporting Council (FRC) has stated that investors and other business stakeholders will expect reports to explain clearly how much cash the company has at its disposal, and what the longer term effects of the pandemic could be on its business model and strategy.

The regulator also wants to see what key actions management has taken – and is planning to take – to mitigate the business risks associated with COVID-19, as well as the board’s assessment of the company’s future viability and an explanation about how it has reached those conclusions.

In addition, the FRC wants companies to discuss in detail the probable effects of Brexit on their business.

When it comes to climate change, another major concern, the FRC is asking companies to provide more meaningful disclosure than it has often seen in the past. Significantly, it says that it wants to see strategic reports that “clearly describe their environmental policies, rather than simply naming or listing them”. It is also calling for reports that lay out more distinctly the way in which climate risks affect different parts of the business, and what boards are doing to mitigate these.

Other areas where the FRC says corporate reporting needs to improve include cashflow and liquidity, directors’ duties, the tenure of boardroom chairs and workforce engagement. 


Leadership falters under COVID-19

Just 25 per cent of employees, when asked whether their company’s leaders know what they are doing to help steer the business through the pandemic, feel there is an obvious plan.

According to research by consultancy Paul Furey, a third of respondents said that it was not always clear whether an action plan existed, and five per cent said they thought management “didn’t have a clue”.

One in ten said there was no longer a clear strategy to cope with the crisis, and respondents added that communication was poor and trust had been damaged. 


IT governance tops Gartner’s 2021 risk list

Heads of audit have listed IT governance as the top risk for 2021, according to IT consultancy Gartner. Analysts say that the pandemic is giving rise to new sets of risks while exacerbating long-standing vulnerabilities.

Gartner conducted interviews and surveys across its global network of client organisations to identify the top 12 risks, or “Audit Plan Hot Spots”, facing boards, audit committees and executives in the year ahead.

The Audit Plan Hot Spots Report revealed that concerns about IT governance have displaced those about data governance, which was the top entry in 2020 and is in second position for 2021.

Other risks that make the list for this year include cyber vulnerabilities, business continuity/disaster recovery, talent resilience, risk culture and decision-making, and supply chain risks. 


SMCR “failing” to hold executives to account

Low numbers of investigations and even fewer penalties imposed by the UK’s financial services regulator mean that it is failing to hold individuals to account and that the regime introduced four years ago to improve oversight and enforcement is not working, according to financial regulation consultancy Bovill.

The company’s research highlighted that the Financial Conduct Authority’s (FCA’s) senior managers and certification regime (SMCR) has led to just 34 investigations and one successful enforcement action since it was introduced in March 2016. Moreover, 11 of these investigations were closed without action.

The only successful enforcement action was against Barclays Bank chief executive Jes Staley, who was fined £642,430 in 2018 for trying to unmask a whistleblower.

In December 2019, the scope of the SMCR was extended to cover a further 48,000 solo-regulated firms, bringing a total of around 50,000 firms under the FCA’s scheme.

However, the FCA argues that penalties are not a true test of the regime’s success. “The real measure of SMCR is not the volume of enforcement cases, but whether the threat of enforcement raises standards. We think SMCR has raised governance standards in firms and the threat of personal liability has helped to drive this,” it said. 


Firms cut back on cyber risks

Fewer companies took steps in 2020 to mitigate cyber risks than did so in the previous year, even though the level of concern about these threats has increased during the COVID-19 pandemic.

According to the 2020 Risk Index by insurer Travelers, fewer than half of the survey respondents said their organisation had used hacker intrusion detection software, undergone a cyber risk assessment on their company or vendors, or written a business continuity plan that could help them respond to a cyber attack in the past year.

Travelers said the findings were especially concerning given that nearly a quarter of respondents said their company had fallen victim to a cyber event, the highest percentage since the survey began in 2014. 

This article was first published in January 2021.