EY: In a digital world, do you know where your risks are?
Table of contents
• Introduction
• Anti-corruption
• Blockchain
• Cloud computing
• Commodities
• Cybersecurity
• Global trade
• Indirect tax: value added tax (VAT) and goods and services tax (GST)
• Intellectual property
• IT governance
• Leasing
• Mobile computing
• Revenue recognition
• Risk culture
• Social media
• Supply chain
• Treasury
Anti-corruption

In many places around the world, corrupt payments that personally benefit those in power are a cultural norm. However, as business has become more global and developing countries more prosperous, a movement has grown against the culture of corruption. The US, European nations and many other countries view corruption as perhaps the principal obstacle to free and fair trade, ultimately impeding economic growth, faith in government and the quality of life of societies around the world.

The US Government has made significant investments to combat bribery and aggressively enforce the Foreign Corrupt Practices Act (FCPA). We have seen companies pay tens and hundreds of millions of dollars in fines, as well as individuals found guilty and serving prison time. FCPA enforcement continues at increasing levels and global companies need to assess their risk and take action. This is not just because the bribery of foreign government officials is morally indefensible, illegal and a very serious violation of US law. It is because the FCPA is more than an anti-bribery statute: its accounting provisions also require accurate books and records and adequate internal controls.

Companies need to be proactive. The risks of doing nothing are just too great. Anti-corruption compliance begins with setting the proper tone at the top. Employees need to know in no uncertain terms where management stands when it comes to issues of integrity and following the law.

FCPA violations often result in significant fines and penalties paid to the Government. Criminal fines to companies can be up to $25m per violation or twice the gross gain associated with the violation. Civil fines and other remedies, including injunctions, cease-and-desist orders, accounting disgorgement and a ban against doing business with the US Government, are also possibilities.

Anti-corruption audits act as a powerful motivator to promote compliance with anti-corruption program requirements, as well as to detect and deter potential improper activity. They also assist in evaluating the effectiveness of the anti-corruption program, raise awareness, provide powerful feedback on how the program is working and often uncover new risks not previously identified or fully appreciated.

For many companies, anti-corruption audits are the primary method for anti-corruption monitoring. They should have two main focuses:
• Audit for compliance with the various requirements and controls within the anti-corruption compliance program
• Test high-risk transactions for substantive compliance with the FCPA requirements

Hallmarks of an effective compliance program
The SEC and DOJ have provided guidance to companies defining the 10 elements of an effective program:
1. Commitment from senior management and a clearly articulated policy against corruption
2. Code of conduct and compliance policies and procedures
3. Oversight, autonomy and resources
4. Risk assessment
5. Training and continuing advice
6. Incentives and disciplinary actions
7. Confidential reporting and internal investigation
8. Third-party due diligence
9. Pre-acquisition due diligence and post-acquisition integration
10. Continuous improvement through periodic testing and review
Source: "A Resource Guide to the FCPA — US Foreign Corrupt Practices Act — By the Criminal Division of the US Department of Justice and the Enforcement Division of the US Securities and Exchange Commission," accessed at https://www.justice.gov/sites/default/files/criminal-fraud/legacy/2015/01/16/guide.pdf

Audits that have an impact / Key questions to consider

Risk assessment
Objective: conduct an analysis to help the company assess the risk of FCPA violations in international business activities
Key questions to consider:
• Does the organization assess the risk of FCPA violations in international business activities?
• Are interactions with foreign government officials evaluated in the context of customers (government contracts and buyers), regulators (statutory regulations such as licenses) and providers (receiving services from state-affiliated entities)?
• Are significant risks to the anti-corruption program, policies and procedures identified?

Anti-corruption audits
Objective: assess the effectiveness of the anti-corruption program and compliance with program requirements
Key questions to consider:
• Does the organization have an effective anti-corruption program that considers employee training and certifications, third-party due diligence procedures, escalation protocols surrounding high-risk transactions, and financial controls over cash and other types of payments?
• Does the organization have a mechanism to conduct substantive testing of higher-risk activities to identify corruption red flags and detect potential violations?

Forensic data analytics
Objective: evaluate the effectiveness of advanced data analytics and monitoring
Key questions to consider:
• Does the organization use advanced data analytics techniques such as data visualization, text mining and transaction risk scoring in its anti-corruption audit program?
• Does the organization have monitoring capabilities in areas such as payments to agents, gift giving, travel, meals and entertainment expenses, petty cash and charitable donations?
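The forensic data analytics audit above asks whether transaction risk scoring and monitoring of agent payments, gifts, travel and entertainment, petty cash and donations are in place. The following is an added worked example, not code from the EY page: a small red-flag scorer run over constructed payment records. The weights, the keyword pattern, the approval threshold and the two-letter "high-risk jurisdiction" codes are illustrative assumptions an audit team would replace with the output of its own risk assessment; the records are constructed, not real data.

```python
"""Red-flag scoring of payments for anti-corruption monitoring (illustrative).

Every weight, keyword and jurisdiction code below is an assumption for the
example, not a value taken from any real risk model, dataset or sanctions list.
"""
import re
from dataclasses import dataclass

# Assumed placeholder codes for jurisdictions the organization rated high-risk.
HIGH_RISK_JURISDICTIONS = {"XA", "XB"}

# Assumed keyword pattern for vague payment descriptions (a minimal "text mining" step).
VAGUE_TERMS = re.compile(
    r"\b(consult\w*|facilitat\w*|commission|expedit\w*|misc\w*|services rendered)\b", re.I
)

APPROVAL_THRESHOLD = 10_000  # assumed local approval limit for the test population


@dataclass
class Transaction:
    tx_id: str
    amount: float
    currency: str
    country: str
    payee_type: str        # "employee", "vendor", "agent", "government", "charity"
    category: str          # "travel", "gift", "entertainment", "petty_cash", "donation", "fee"
    description: str
    approved: bool
    gov_official_involved: bool = False
    supporting_docs: bool = True


def red_flags(tx):
    """Return (reason, weight) pairs for every red flag the transaction trips."""
    flags = []
    if tx.payee_type == "agent":
        flags.append(("payment to third-party agent or intermediary", 3))
    if tx.country in HIGH_RISK_JURISDICTIONS:
        flags.append(("high-risk jurisdiction", 2))
    if tx.gov_official_involved and tx.category in {"gift", "entertainment", "travel"}:
        flags.append(("gift, travel or entertainment involving a government official", 3))
    if tx.gov_official_involved and tx.category == "donation":
        flags.append(("charitable donation linked to a government official", 3))
    if tx.amount >= 1000 and tx.amount % 1000 == 0:
        flags.append(("round-sum amount", 1))
    if 0.9 * APPROVAL_THRESHOLD <= tx.amount < APPROVAL_THRESHOLD:
        flags.append(("amount just below approval threshold", 2))
    if VAGUE_TERMS.search(tx.description) or len(tx.description.split()) <= 2:
        flags.append(("vague or generic description", 1))
    if not tx.approved:
        flags.append(("no recorded approval", 2))
    if not tx.supporting_docs:
        flags.append(("missing supporting documentation", 2))
    return flags


def risk_score(tx):
    """Additive score: the sum of the weights of all tripped red flags."""
    return sum(weight for _, weight in red_flags(tx))


def rank_for_review(transactions, min_score=5):
    """Return (score, transaction) pairs at or above min_score, highest score first."""
    scored = [(risk_score(tx), tx) for tx in transactions]
    return sorted(
        [(s, tx) for s, tx in scored if s >= min_score],
        key=lambda pair: (-pair[0], pair[1].tx_id),
    )


# Constructed sample population (not real payments).
SAMPLE = [
    Transaction("T1", 9500.0, "USD", "XA", "agent", "fee",
                "Consulting services rendered", approved=True, supporting_docs=False),
    Transaction("T2", 312.40, "USD", "US", "employee", "travel",
                "Taxi and hotel, client visit Chicago", approved=True),
    Transaction("T3", 2000.0, "USD", "XB", "vendor", "gift",
                "Gifts for ministry delegation", approved=False, gov_official_involved=True),
    Transaction("T4", 150.0, "USD", "DE", "employee", "petty_cash",
                "Office supplies", approved=True),
]

if __name__ == "__main__":
    for score, tx in rank_for_review(SAMPLE):
        reasons = "; ".join(reason for reason, _ in red_flags(tx))
        print(f"{tx.tx_id} score={score} {tx.amount} {tx.currency} -> {reasons}")
```

The score only ranks the population for substantive testing; it does not decide anything on its own. An auditor would calibrate the weights against known outcomes, add controls such as duplicate-payee and split-payment detection, and expect most flagged items to clear on review.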
Blockchain

Audits that have an impact / Key questions to consider

Blockchain implementation governance
Objective: evaluate the organization's strategy for governing the implementation of blockchain usage
Key questions to consider:
• Are the organization's structure, roles, responsibilities and controls pertaining to segregation of duties monitored?
• Are project management processes and controls developed?
• Is the steering committee or leadership involved in key project decisions?
• Are the proposed project delivery and project risk profile aligned?
Cloud computing

Cloud computing is more than a buzz phrase: it enables organizations to shed their complex internal IT structure, allowing them to focus on strategy rather than operations and respond quickly to changing marketplace conditions. Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Cloud computing is evolving rapidly, giving companies a variety of choices; however, like most technology changes, the cloud presents its share of risks and challenges that are often overlooked or not fully understood.

Some of the common cloud computing-related risks that management should address include:
• Infrastructure and architectural risks: these arise if providers do not achieve the performance requirements that the organization and the provider defined and agreed to at the outset of the contract.
• Standards and interoperability risks: it is vital that the organization's systems and those of the provider can communicate with one another.

Audits that have an impact / Key questions to consider

Cloud strategy and governance
Objective: evaluate whether the organization's cloud strategy is aligned to overall business objectives
Key questions to consider:
• Are cloud policies integrated with legal, procurement and IT policies?
• Are supporting policies, including legal, governance and compliance, in place?
• Are cloud services and applications aligned to overall company objectives?

Cloud security and privacy
Objective: assess the information security practices and procedures of the cloud provider
Key questions to consider:
• Are procedures for periodic security assessments of the cloud provider(s) in place to evaluate the internal security measures taken to protect company information and data?
• Does the organization apply secure authentication protocols for users working in the cloud?
• Are the cloud provider's Service Organization Control (SOC) 1, 2 or 3 reports provided to the organization? (A SOC report covers only the systems, controls and period in its scope, so review the scope, any noted exceptions and the complementary user entity controls the organization itself is expected to operate.)
• Does the organization utilize security service level agreements (SLAs) or conduct on-site vendor audits?
• Have security safeguards been established in the contracts with the provider covering their implementation, including the Payment Card Industry Data Security Standard (PCI DSS), data privacy and regulatory compliance?
Commodities

Companies with commodity production, merchandising and marketing, trading or hedging operations routinely operate in financial and physical commodities markets to manage commodity risk and to drive financial performance. This is commonly achieved by using a variety of strategies that are fit-to-purpose for the individual company.

However, persistent risks associated with commodity market activities are embedded throughout the commodity transaction life cycle and may result in significant economic, financial, regulatory or reputational consequences if they are not properly controlled. Internal audit functions are also increasingly focused on addressing a number of related high-profile risks:

• Market price risk: given the historic level of commodity price fluctuation, inadequate market risk management controls may lead to unacceptable market price risk.
• Fraud and rogue-trader risk: the risk of fraud and rogue-trader activities is ever-present; inadequate controls across the commodity transaction life cycle may enable fraud and rogue-trader activities.
• Credit and liquidity risk: the challenging economic environment in commodities markets has impacted the credit and liquidity standing of companies and their counterparties; inadequate controls may lead to unacceptable credit and liquidity risk.
• Model risk: complex spreadsheet models are widely used as operational tools within the system landscapes of commodities market participants; inadequate controls may lead to the use of incorrect data when transacting in markets and monitoring the related risks.
• Business transformation risk: business transformations driven by the dynamic economic environment can create process and control gaps and introduce risk in otherwise well-controlled organizations.
• Commodity trading and risk management (CTRM) system implementation risk: the implementation of a CTRM system may introduce significant risks through the inadequate implementation of system-based or system-enabled controls.
• Cybersecurity risk: critical and proprietary financial and operational data is maintained in CTRM systems; inadequate cybersecurity controls may lead to financial and operational risks.

Audits that have an impact / Key questions to consider

Business transformation risk
Objective: assess current state and future state processes and controls
Key questions to consider:
• How have policies and controls been adapted to manage the risks of new business activities? Are more robust policies and controls required to keep up with more complex activities?
• How have organizational changes impacted the segregation of duties across key front, middle and back-office processes?

Commodity trading and risk management (CTRM) system implementation risk
Objective: assess the risks in the future state of business processes and the use of a CTRM package's native functionality to support the design of future state controls
Key questions to consider:
• Has the CTRM's full suite of native control functionality been assessed for applicability to the future state processes and controls?
• Have future state processes been reviewed, both system- and non-system-based, for risk and control implications?

Cybersecurity risk
Objective: assess the process and technology controls that protect data in the CTRM and related technology ecosystem
Key questions to consider:
• Have the CTRM, key spreadsheets and other sensitive transaction data been secured from both internal and external threats?
• Have the risks of a cybersecurity incident been considered for both the ability to transact competitively in markets and the ability to operationally manage transactions across the transaction life cycle?

Full-scope front-to-back-office review
Objective: assess the design or operational effectiveness of the processes and controls across the transaction life cycle
Key questions to consider:
• Do the front, middle and back-office controls reflect industry practices?
• Are policies being complied with, and are the related controls designed and functioning as management expects?
Capital programs and construction projects

Each year, organizations allocate significant dollars to build, update, expand or maintain facilities to support business imperatives and operational needs. These capital investments are critical components of an organization's strategic goals and objectives. More often than not, organizations lack the internal capacity and capability to adequately monitor and mitigate the risks impacting their capital program efficiency.

Many factors, both internal and external, can impact the success of a capital program or construction project:
• Macroeconomic risks: fluctuations in raw material prices or the availability of labor, material and equipment can have substantial impacts on schedule and budget performance.
• Capital program governance: limited transparency into capital program performance and integrity issues with data, metrics and reporting can impact the ability to proactively identify and mitigate variances.
• Dynamic program requirements: competing stakeholder demands, aggressive project completion schedules, changes in the regulatory environment or market changes can impact the ability to effectively manage scope and quality.
• Fraud, waste and abuse: insufficient or ineffective oversight and controls can lead to misappropriation of program or project costs and resources, resulting in cost overruns and schedule slippage.
• Stand-alone systems, processes and controls: limited integration with organizational systems and a lack of real-time data sharing impact the ability to effectively monitor and control key transactions and accurately report program or project progress.

Management of risks and oversight of capital investments and transactions are critical to achieving capital program objectives. Capital program assessments can help organizations achieve:
• Optimized governance and controls
• Enhanced transparency and reporting
• Proactive risk management
• Improved process and control efficiency
• Robust compliance monitoring
• Real-time auditing of project transactions
• Detection and prevention of fraud, waste and abuse
• Alignment of capital program and organizational objectives

Audits that have an impact / Key questions to consider

Governance and controls
Objective: assess the policies, processes, controls, systems and reporting utilized in the management of the capital program
Key questions to consider:
• Are the organization's structure, roles and responsibilities, and controls pertaining to segregation of duties monitored?
• Are project management processes and controls developed?
• Is the steering committee or leadership involved in key project decisions?

Procurement and contracting process
Objective: assess the adequacy and integrity of the procurement and contracting process
Key questions to consider:
• Is the organization in compliance with applicable policies and procedures?
• Is there a process for identifying potential bidders, solicitation and selection?
• Is the contracting strategy in line with the owner's risk profile?
• Are controls evaluated during the initial project phase and updated at every phase of the project life cycle?

Contract compliance
Objective: assess the costs incurred, as well as the processes, methodologies and reporting for a construction project, in relation to the applicable contractual requirements
Key questions to consider:
• Are construction costs incurred and invoiced in compliance with the contractual provisions?
• Are change orders documented and approved?
• Are the contractor's obligations with regard to oversight, management and control monitored?

Project cost and schedule
Objective: perform a detailed evaluation to determine whether the costs incurred are properly supported and allowable under the terms and conditions of the contract
Key questions to consider:
• Are costs incurred properly supported and allowable under the terms and conditions of the contract?
• Are the project schedule, integrity testing (including logic and duration) and assessment of critical path changes over time monitored?
• Are project delays supportable and justifiable?

Construction processes
Objective: evaluate the execution of key processes for compliance with operating guidelines and alignment with leading industry practices
Key questions to consider:
• Are key processes in compliance with operating guidelines and aligned with leading industry practices?
• Are construction payments reviewed and approved?
• Are change, quality, budget, schedule and risk management considered and monitored?
• Were construction project reporting and closeout complete and accurate?
Cybersecurity

Cybersecurity threats continue to evolve and grow with seemingly no rules or restrictions as to who can unpredictably be attacked. Users no longer need to gain physical access to a facility to cause harm to an organization. They can now gain access through malware or phishing attacks, connections with third parties, new technologies, and other new and evolving paths.

Organizations must focus on IT security and information security to avoid falling victim to cyber threats by developing a cyber audit program that addresses the following:
• The need to mature existing cybersecurity risk management processes
• New and quickly changing technologies
• Complex accounting and regulatory requirements
• Rapidly changing cyber environments requiring changes in policies and procedures
• Increased need for specialized skills and competencies to identify and mitigate risks
• Proactive assessment of new and emerging risks

The digital world offers many benefits and opportunities; however, the risks may have been underestimated.

Audits that have an impact / Key questions to consider

Governance and risk assessment
Objective: evaluate the processes and controls over the structure and oversight of the entity's cybersecurity risk management program, including the processes for identifying risks facing the entity
Key questions to consider:
• Does the organization's risk management framework address cyber risks?
• Does the organization have the specialized skills necessary to identify and constantly evaluate cyber risks?

Security awareness
Objective: evaluate the processes and controls over the training of users to heighten their awareness and sensitivity to attempts to gain unauthorized physical or logical access to the entity's information and systems
Key questions to consider:
• Do training programs exist for employees to better identify unauthorized physical or logical access to the organization's information and systems?
• Are these training programs constantly updated for new risks and required to be taken by all employees?

Identity and access management
Objective: evaluate the processes and controls over the identification of authorized users and the addition, modification and deletion of user access to the entity's network
Key questions to consider:
• Are the following processes and controls in place?
  • Identification of authorized users
  • Addition, modification and deletion of user access to the entity's systems and applications

Threat management
Objective: determine if processes and controls are in place to provide early identification of potential or evolving threats against the organization
Key questions to consider:
• Are the appropriate processes and controls in place to provide early identification of potential or evolving threats?

Vulnerability management
Objective: determine if processes and controls are in place to address the entity's vulnerabilities
Key questions to consider:
• Do the following processes and controls exist?
  • Identification of vulnerabilities in the technology assets connected to the entity's network
  • Implementation of solutions to address the vulnerabilities

Vendor risk management
Objective: evaluate the processes and controls over third-party service and supply chain vendors
Key questions to consider:
• Can the organization provide a listing of all its vendors?
• Is the purpose of the relationship with each vendor understood?
• Are processes and controls in place to properly procure vendors?
• Is a risk assessment performed for each vendor to understand potential vulnerabilities the relationship may cause?

Incident response
Objective: evaluate the processes and controls over the response procedures management employs when unusual activity is detected
Key questions to consider:
• When unusual activity is detected, does the organization have processes developed to identify the incident in a timely manner and properly address the issues?
• Do processes exist to address the weakness that led to the incident?
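The identity and access management audit above asks whether addition, modification and deletion of user access are controlled. The added example below (not code from the EY page) shows the reconciliation an auditor typically runs to test that control: the HR roster is compared with an account export from one system to find leavers whose accounts are still active, accounts with no HR owner, entitlements outside the role matrix and dormant accounts. The employees, the accounts and the role-to-entitlement matrix are constructed assumptions for illustration, not data from any real organization.

```python
"""User access reconciliation: HR roster versus system account export (illustrative).

All employees, accounts and the role-to-entitlement matrix are constructed for
the example; a real review would read them from HR and the target system.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    status: str                 # "active" or "terminated"
    role: str                   # HR job role
    term_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    username: str
    emp_id: Optional[str]       # None for local or service accounts with no HR owner
    system: str
    entitlement: str            # e.g. "user", "admin", "payments-approver"
    last_login: Optional[date]  # None if the account has never logged in


# Assumed role-to-entitlement matrix: which entitlements each HR role may hold.
ALLOWED = {
    "db-admin": {"user", "admin"},
    "analyst": {"user"},
    "treasury-ops": {"user", "payments-approver"},
}


def reconcile(employees, accounts, as_of, dormant_days=90):
    """Return the exceptions an access review should raise, keyed by finding type.

    leaver_still_active: owner terminated in HR but account still present (deletion control)
    orphan:              no HR owner, or owner id unknown to HR (identification control)
    excess_entitlement:  entitlement not permitted for the owner's current role (modification control)
    dormant:             no login within dormant_days (candidate for removal)
    """
    by_id = {e.emp_id: e for e in employees}
    findings = {"leaver_still_active": [], "orphan": [], "excess_entitlement": [], "dormant": []}
    for acct in accounts:
        owner = by_id.get(acct.emp_id) if acct.emp_id else None
        if owner is None:
            findings["orphan"].append(acct.username)
            continue
        if owner.status == "terminated":
            findings["leaver_still_active"].append(acct.username)
            continue
        if acct.entitlement not in ALLOWED.get(owner.role, set()):
            findings["excess_entitlement"].append(acct.username)
        if acct.last_login is None or (as_of - acct.last_login).days > dormant_days:
            findings["dormant"].append(acct.username)
    return findings


# Constructed sample data (not a real roster or export).
AS_OF = date(2024, 3, 31)
EMPLOYEES = [
    Employee("E100", "A. Lee", "active", "db-admin"),
    Employee("E101", "B. Ortiz", "terminated", "analyst", date(2024, 1, 15)),
    Employee("E102", "C. Novak", "active", "analyst"),
    Employee("E103", "D. Singh", "active", "treasury-ops"),
]
ACCOUNTS = [
    Account("alee", "E100", "erp", "admin", date(2024, 3, 29)),               # clean
    Account("bortiz", "E101", "erp", "user", date(2024, 1, 14)),              # leaver not deprovisioned
    Account("cnovak", "E102", "erp", "admin", date(2024, 3, 30)),             # analyst holding admin
    Account("svc_batch", None, "erp", "admin", None),                         # service account, no owner
    Account("dsingh", "E103", "erp", "payments-approver", date(2023, 11, 2)), # unused for >90 days
    Account("zkim", "E999", "erp", "user", date(2024, 3, 1)),                 # owner id unknown to HR
]

if __name__ == "__main__":
    for finding, users in reconcile(EMPLOYEES, ACCOUNTS, AS_OF).items():
        print(f"{finding}: {', '.join(users) or '-'}")
```

The comparison is deliberately one-directional (every account must justify itself against HR); a complete review also checks the other direction, that every active employee who needs access has it, and repeats the exercise per system, since the entitlement vocabulary differs between applications.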
Derivatives

Derivatives usage touches multiple functional areas within a company. Robust processes and controls across business and Treasury functions are needed to manage the risk of material misstatement.

[Figure: functional areas touched by derivatives usage: Policy and strategy; Regulatory compliance; Legal; Process controls; Technology; Execution; Valuation; Counterparty management; Tax; Accounting and reporting]
Environment, health and safety, and sustainability

Environment, health and safety, and sustainability (EHS&S) matters are quickly making their way to the center of how companies strategically think about and address risk. According to The Global Risks Report 2017 of the World Economic Forum, environmental-related risks alone have been featured among the top global risks for the past seven years of the report.2 The 2017 findings carried this trend forward, with environmental-related risks (e.g., water crises and the failure of climate change mitigation and adaptation) placing in the top five globally in terms of likelihood and impact. What's more, while recent extreme weather events have shone an even brighter light on environmental risks, the broader universe of EHS&S risks continues to expand into social, reputational, health and safety, and other matters. This poses challenges to companies with global footprints with operations that rely on natural resources or create significant environmental and social impacts. Factor in rising demand from stakeholders (e.g., customers, shareholders and others) for transparency regarding how companies are addressing EHS&S risks, and the mandate for thoughtful action becomes even more pressing.

Internal audit (IA) plays a key role in helping the company identify and respond to EHS&S risks. In teaming with the EHS, sustainability, legal, compliance and finance functions, IA can play a central role in helping the organization to uncover the EHS&S risks it faces, understand their impacts on the business and operations, and determine steps to address these risks as part of an IA plan or broader enterprise risk management (ERM) program. In doing so, IA can help the company reduce the risk of damage to the brand, market share, revenue and operations, and of penalties from noncompliance.

[Figure: EHS&S key risks, grouped as Strategic, Compliance, Operational and Reputational and rated High or Medium: Scarcity of natural resources and raw materials; Noncompliance with regulations, e.g., Environmental Protection Agency (EPA), Food and Drug Administration (FDA), Occupational Safety and Health Administration (OSHA); Dilution of market share, revenue or share price due to a weak sustainability message or program vs. competitors; Violations of laws or corporate policies tied to labor, human rights or sustainable procurement; Exposure to unforeseen risks following acquisitions; Legal/liability risk, cost of compliance; Monitoring and reporting required by EHS permits and regulations; Trade and marketplace risk; Lack of compliance with and monitoring of international directives and regulations; Ineffective "check-the-box" supplier audits; Demand for transparency from shareholders, customers, employees; Rising energy and transportation costs; Business and supply chain disruptions due to extreme weather, permit delays; Emerging reporting standards and local laws; Management/disposal of hazardous waste; Social license to operate; Inaccurate sustainability reporting and the inability to "keep brand promises"; Operational risks tied to the environment and safety]

Audits that have an impact / Key questions to consider

Program planning and execution
Objective: assess EHS&S programs and processes
Key questions to consider:
• Do EHS&S programs and processes address the following?
  • Governance of EHS regulatory compliance
  • Identification, compliance and monitoring of regulatory requirements
  • Internal EHS&S processes and procedures

Regulatory compliance
Objective: assess regulatory compliance issues or concerns
Key questions to consider:
• Are specific regulatory compliance issues or concerns assessed to support the following?
  • Deep dive into compliance with selected sustainability-related regulatory requirements globally, e.g., Environmental Protection Agency (EPA), Occupational Safety and Health Administration (OSHA), Department of Transportation (DOT), the Food and Drug Administration (FDA), and other bodies and regulations

Information technology
Objective: assess IT enablement leveraged to support operations and compliance activities
Key questions to consider:
• Are data collection processes consistent across business units and geographies?
• Are permitting and compliance reported in a timely, accurate and efficient manner?
• Are internal reporting and dashboards complete and accurate?

Sustainability reporting
Objective: assess the controls over the public reporting of non-financial information
Key questions to consider:
• Do the controls over the public reporting of non-financial information address the following?
  • Governance, policies and procedures
  • Data
  • Materiality of key performance indicators
  • Reporting procedures per recognized reporting standards
  • Content, including the report's affirmations and assertions

2 World Economic Forum, The Global Risks Report 2017, 12th edition, 2017, http://www3.weforum.org/docs/GRR17_Report_web.pdf.
Audits that have an impact / Key questions to consider

GDPR program design review
Key questions to consider:
• What are the key inputs to be considered (e.g., existing capabilities, control
Audits that have an impact Key questions to consider
Governance • How is your global trade function organized? Centralized or decentralized? Globally,
Objective: assess the organization’s regionally or locally?
existing structure, procedures and • Do you have roles specifically assigned to manage import and export processes?
policies to assess adequacy and
effectiveness • Is management aware of customs and export risks?
• Do you have documented policies and procedures on customs and export processes?
• Do you have metrics to assess effectiveness of the global trade operations?
Global trade • What are the defined objectives and strategy of the function?
Global trade consists of complex laws related to the Companies that pay high customs duties or excise taxes
movement of goods, software and technology across borders or utilize free-trade agreements or other duty reduction
Import processes • In which countries do you act as importer of record or declarant for customs purposes?
including customs, export controls, economic sanctions, free- techniques to reduce customs duties and taxes also have
trade agreements, preferential duty savings programs and higher risks. Global trade risks often become more visible Objective: assess effectiveness of • What are your import volumes by country? And what are your global customs duty costs
customs processes and compliance by country?
anti-dumping. Some of these laws are harmonized at a global as the business changes, through acquisition or divestiture,
with customs regulations
level, allowing for common processes and controls; others are reorganization, or entry into new markets. • Do you realize duty reduction, elimination or deferral by utilizing special trade
unique to local jurisdictions. The regulatory environment for global traders is very agreements or through the use of special trade programs (inward or outward processing,
Companies that are involved in moving goods across borders dynamic, requiring skill sets that cross multiple functions as bonded warehouses, drawback)? What is the amount of duty avoided or deferred?
have inherent global trade risks, but certain factors trigger well as across multiple countries. It can be difficult for internal • Do you conduct and track results of post-entry audits?
even greater risk. Global trade risks often arise through inadequate global processes and controls around import and export functions. The nature of a company’s products and technology may increase the risk, including heavily regulated military, aerospace, chemical or technology products.
teams to accurately assess their company’s global trade footprint. However, with effective planning, use of subject-matter resources and use of data analytics it is possible for IA teams to more accurately assess their company’s level of compliance.
Key questions to consider (continued):
• Have you been audited or do you have an ongoing dispute with customs authorities in any jurisdiction?
• Do you import products from related entities? If yes, do you have intercompany agreements (e.g., a royalty or procurement service agreement) or payment arrangements with these entities?
• Do you make any additions to (i.e., assists, commissions, royalties) or deductions (i.e., freight charges, installation charges) from your import value?
Global trade internal audit process (diagram: current state vs. leading practices, with the stages and their elements)
Current-state processes and organization
• Understanding of client GTM operations and organization
Qualitative analysis
• Global trade organization setup
• Internal processes and controls
• Business structure, product, and customer information
Quantitative analysis (import and export data)
• Obtain import and export data from government
• Analyze trade flows
• Test qualitative analysis areas against quantitative results
Data analytics
• Leverage global EY team
• Consistent global key metrics
Benchmarking
• Baseline organization’s ability to manage the risk
• Identify areas for improvement
• Identify savings opportunities
Assess risk
Audits that have an impact / Key questions to consider
Export processes
Objective: assess effectiveness of export processes and compliance with export control and sanctions regulations
Key questions to consider:
• In which countries do you act as the exporter of product or provision of services outside the country?
• Do you have transactions with embargoed or sanctioned countries?
• Do you sell through distributors or direct to customer, or both?
• Do you have a process for screening internal and external partners against various denied party lists?
• Do you have an export classification and licensing process?
• Does the company have any export-controlled technical data or technology?
• Do you export products that are dual-use items controlled for national security?
Indirect tax: value-added tax and goods and services tax
While greatly accelerating the pace of all their tax legislation, the world’s governments have relied most heavily on indirect taxes for extra revenue. As a result, there is increased risk that taxpayers will be caught unprepared. Some 165 countries operated a value added tax (VAT) at the time of the completion of the International VAT and goods and services tax (GST) Guidelines in 2016, more than twice as many as 25 years before.[3] The failure to comply with a country’s indirect tax legislation may result in fines or penalties being imposed by the government. The following tax topics are receiving attention across the enterprise and should be considered during the risk assessment and potentially in the audit plan:
1. Failure to integrate indirect tax in large global initiatives — large initiatives such as moves to a shared service environment, implementation of enterprise resource planning (ERP), supply chain or operating model transformation are all examples of initiatives that are critical for indirect tax to be considered up front. Where indirect tax is not considered, tax compliance issues, process inefficiencies or a lack of available data for tax purposes all emerge as concerns for the organization.
2. Lack of availability of data — tax is one of the largest consumers of data within any organization. A lack of accurate and accessible transactional data for tax purposes is a top root cause of tax compliance issues, not to mention a driver of inefficiencies and excess cost for the organization.
3. VAT and other indirect taxes — transactional taxes continue to create risk due to the fact that, as they are being levied on a transaction-by-transaction basis, they can give rise to non-US indirect tax obligations when there is nexus in a VAT jurisdiction, even where there is no physical presence in the jurisdiction (e.g., US-based software companies with overseas customers or US-based clients selling, purchasing or moving goods outside the US). Moreover, heavy reliance is placed on the accuracy of information in the business to comply. While the tax department can provide direction and guidance related to indirect taxes, the transactions being executed by the business drive compliance, and organizations often do not have the right processes and controls in place to connect the dots between transactions occurring in the business and their indirect tax impact for which the tax department should take responsibility. Indirect tax compliance does not just entail the timely submission of VAT returns and remittance of VAT. It requires a thorough understanding of transactions, business processes and their indirect tax implications and how all that culminates in a VAT or GST return and other reporting obligations. Identifying the right structure in the business to manage VAT and other indirect taxes is a complex issue companies continue to assess.
[3] OECD (2017), International VAT/GST Guidelines, OECD Publishing, Paris.
Audits that have an impact / Key questions to consider
Tax data
Objective: evaluate the nature, availability and completeness of data and related resources
Key questions to consider:
• What data and related resources are the most critical to efficient and effective tax compliance within the organization?
• Where does lack of data availability, completeness or accuracy create inefficiencies (from a cost or time standpoint) for the organization?
• What is the impact of those inefficiencies, and why do they exist?
• How can the gaps be addressed, and what would be the benefits of addressing them?
VAT and GST (indirect taxes)
Objective: assess the processes in place for effectiveness and efficiency
Key questions to consider:
• Is the data needed for indirect tax purposes captured accurately and completely?
• Are controls in place to determine if VAT is calculated accurately?
• Who is responsible for VAT processes, and do they have the necessary skills to perform compliance activities?
• Are there opportunities for cost savings related to VAT?
Tax compliance
Objective: evaluate the processes and controls related to compliance for design adequacy and operating effectiveness
Key questions to consider:
• How efficient is the process to complete data for the tax provision?
• Is there global visibility into the process?
• Are controls related to compliance designed and operating effectively?
• Are there opportunities to increase the efficiency of controls?
Insurance risk management key risks (each risk was rated High or Medium in the original chart)
Risk identification and valuation
• Not identifying all the essential risks of the business
• Understanding business operations’ contingent risk exposures
• Over- or undervaluing a risk or the magnitude of the risk frequency
Risk retention or transfer strategy
• Over- or undervaluing the retention/limits, leading to inefficient use of insurance dollars
• Choosing the appropriate risk transfer products or vehicles
Claims management
• Lack of data or data integrity may lead to incorrect or delayed claims decisions
• The decisions (or indecisions) of claims administrators may have a negative financial impact
• Key controls around data to confirm accuracy and adherence to established claims management processes
Risk management department staffing
• Roles and responsibilities not clearly defined, documented or sufficient to facilitate accountability
• Inefficient use of resources and capital to service risk management function
Compliance
• The risk of loss resulting from inadequate or failed internal processes, people, systems or external events
• Failure to comply with regulatory compliance
• A third party’s inability to perform as per contract
Insurance risk management
Insurance is constantly changing, causing companies to face uncertainty when answering the following questions:
• Where are the company’s insurance dollars going?
• Is the company’s insurance program complete?
• Are all risks assumed covered by insurance?
• Are vendors related to insurance risk management providing the right service at the right costs?
• Are there adequate controls in place to confirm that the function is being managed appropriately?
The chief financial officer (CFO) or his or her department typically covers insurance risk management duties, but often there is no dedicated staff. The insurance risk management department exercises good faith when using information provided to them by the insurance community and tends not to perform sufficient due diligence on the material. The insurance risk management function often operates independently within a company and is not formally reviewed or understood.
Companies need to confirm that their assets, liabilities and people are protected and hedged appropriately through insurance. They can do this by:
1. Identifying and validating risk
2. Evaluating risk retention and transfer strategy
3. Assessing claims and management losses
4. Reviewing vendor management
5. Assessing risk management department staffing
6. Reviewing compliance
Audits that have an impact / Key questions to consider
Insurance program assessment
Objective: identify gaps in an insurance program structure and department and provide recommendations based on benchmarking of an organization’s insurance program
Key questions to consider:
• Are limits, retentions and premiums benchmarked with those of peer companies?
• Has an insurance coverage adequacy and gap analysis been completed?
• Is the insurance risk department operating in accordance with formalized process and controls?
Vendor management
Objective: review vendor management process, conduct gap analysis and recommend areas for improvement
Key questions to consider:
• Are insurance provisions within contracts and agreements accurate?
• Do vendor contracts adhere to contract provisions?
• Are there opportunities for cost reduction and process efficiency?
Claims management
Objective: review claims management processes, conduct gap analysis and recommend areas to reduce leakage
Key questions to consider:
• Is there a claims cost review completed to identify claims cost savings?
• Are losses being managed effectively?
• How does the organization determine the reasonableness and appropriateness of outstanding liabilities?
Captive insurance company
Objective: there are two options as it pertains to captive insurance studies:
1. Conduct a captive feasibility analysis where there is no captive insurance vehicle in place
2. Conduct a captive utilization analysis where a captive insurance vehicle is in place
Key questions to consider:
• Are premium transfer pricing and capital structure and loss reserve adequate?
• Are there gaps in captive and investment management services?
• Are captive taxation and taxation benefit, if applicable, in line with current state and IRS guidelines?
Key risks
Employee IP knowledge and awareness
• Lack of employee IP knowledge and awareness leading to the ineffective execution of policies and procedures and the inability to identify, capture and properly protect company IP
Reputational harm
• Damage to brand or company reputation from the mismanagement and/or lack of protection and exposure of company or third-party IP
Software-open source
• Use of software and code obtained from open source communities with unfavourable terms and conditions can result in the loss of IP and company developed code
Intellectual property
• Inappropriate or unapproved use of third-party IP such as trade secrets and patented technologies (infringement)
• Loss of intellectual property rights (IPR) through inappropriate management and protection
Governance and strategy
• IP strategy not aligned to business requirements
• Lack of a structured and well-thought-out strategy as an organization develops and leverages IP
Audits that have an impact / Key questions to consider
Governance and risk assessment
Objective: evaluate the processes and controls over the structure and oversight of the entity’s IP management and strategy program
Key questions to consider:
• Do the organization’s policies and procedures properly address IP risks?
• Does the organization have the specialized skills necessary to identify and constantly evaluate IP risks?
Security monitoring
Objective: evaluate the processes and controls over the monitoring of network and application activity
Key questions to consider:
• Are processes and controls in place sufficient to detect anomalies and other unusual behavior to indicate an unauthorized user has gained or is gaining system access to IP?
Incident response
Objective: evaluate the processes and controls over the response procedures that management employs when unusual activity is detected
Key questions to consider:
• If an incident is identified, would an employee know the appropriate person to whom the incident should be reported?
• Would an employee know the appropriate method to report the incident to mitigate additional risk?
Complex systems represent complex risk profiles, and IT professionals are expected to develop and implement systems and applications under tremendous time pressure. Oftentimes, the risk profiles associated with such complex systems may not be fully understood, or may be underestimated or under-reported. Additionally, the overall IT risk and its impact on the company’s operations and potentially the corporate brand may not be fully understood at the C-suite level. Companies should consider adjusting their mindset and approach toward IT risk to address a new normal as the IT risk profile and threat landscape rapidly changes and risks increase. More than ever, there is a need for the board, audit committee, executive management, general counsel and chief risk officer to work alongside IT leaders, including the information security and privacy officers, to fully understand and address the organization’s risk exposure, approach and effectiveness, longevity and relevance of the IT risk assessment framework, in light of rapidly evolving technologies.
IT internal auditors should stay abreast of technology developments and associated risks and should be proactively involved in implementation projects early on. Only then will internal audit organizations be positioned to bring the required subject-matter knowledge and business insights to provide an objective assessment of how well current IT governance structures and processes are providing direction and monitoring.
Focused reviews and audits of IT systems and risks at the implementation level are effective and impactful ways of helping management mitigate risk.
Audits that have an impact / Key questions to consider
IT risk assessment
Objective: evaluate IT’s risk assessment, remediation plans and progress against those plans to address issues noted
Key questions to consider:
• Is there a comprehensive risk assessment performed to identify all IT risks?
• Is the IT risk assessment process effective?
• How can the process be enhanced?
• Do remediation plans include enough detail, and is progress monitored by management?
• Is there a road map to initiate improvements?
Technology enablement
Objective: assess the need for or use of a governance, risk and compliance software package for effectiveness and reliability
Key questions to consider:
• Is a governance, risk and compliance (GRC) software package used within the organization? If so, how effectively is it being used (e.g., maturity level, use of functionality and risk reporting)?
Key risks associated with lease administration and lease accounting (diagram):
• Inventory of leases not complete and accurate
• Poor end-of-lease management
• Inadequate tracking of leased assets
• Inaccurate accounting treatment
• Incorrect tax treatment
• Ineffective financial statement disclosures
Lease accounting
In 2016, the Financial Accounting Standards Board (FASB) issued an Accounting Standards Update (ASU) intended to improve financial reporting about leasing transactions. The ASU will take effect for public companies for fiscal years, and interim periods within those fiscal years, beginning after 15 December, 2018. For all other organizations, the ASU becomes effective for fiscal years after 15 December, 2019, and for interim periods within fiscal years beginning after 15 December, 2020.
The new lease accounting standard will require entities to do more than simply reflect lease assets and liabilities for what today are lessees’ operating leases. For both lessees and lessors, the new standard will require changes to the policies, processes, controls and IT systems that support lease accounting, marketing and lease procurement, lease administration and tax. Companies may also want to consider the implications for financial statements and metrics as they negotiate contracts that are, or may contain, leases. These activities will require involvement from a variety of departments throughout the organization. The new standard also requires certain judgments and estimates that will necessitate additional or expanded management review controls.
Considerations for evaluating the organizational effect of the lease guidance
Following are some of the significant changes:
Accounting and finance: Accounting policy updates will be required along with timely dissemination of these updates throughout the organization. Management will need to make more estimates and judgments than under current guidance. To evaluate the effects of these changes, management must identify areas for which key judgments and estimates will be required.
Business processes: Management will need to reassess the entity’s current processes and controls for tracking new, existing and modified contracts that are or contain a lease. In addition, key judgments, processes and controls are necessary to identify when certain reassessments are required (e.g., a lessee’s reassessment of lease payments, lease term, change in the amount that the lessee is probable of paying under a residual value guarantee).
Tax: A lessee’s recognition of “right-of-use” assets and lease liabilities on its balance sheet may affect its deferred tax calculations. Companies may need to revise their processes and data collection tools to capture new deferred tax assets and liabilities, including their assessment of the recoverability of deferred tax assets.
IT: Applications may need to be modified. As a result of implementing the new standard (including its disclosure requirements), entities may need new data points that are not currently captured in any IT system. For example, an entity may need to enhance its systems and processes to allocate contract consideration if lease and non-lease components are identified.
Legal: Enhanced communication between the legal and accounting departments may be required. At a minimum, the legal department will need to understand the accounting implications of key lease terms in the standard (e.g., the definition of a lease, the identification of lease and non-lease components and variable lease payments).
Human resources: If the standard’s effect on the entity’s arrangements is significant, the entity may need to allocate additional resources to the implementation effort. The entity will also need to assess whether existing personnel are sufficiently trained and supervised to implement the standard.
Source: FASB Accounting Standards Update No. 2016-02, February 2016
Audits that have an impact / Key questions to consider
Lease contract data administration
Objective: assess current state for the lease contract data administration, IT systems, policies and business controls
Key questions to consider:
• How does management collect information about leases, and what IT systems or processes are in place?
• What is the anticipated effect of the new standard on the company’s businesses, processes and financial reporting?
• What are the company’s plans for communicating with stakeholders for changes in the entity’s accounting and reporting policies, IT systems and business processes to meet the new requirements?
• If the entity operates in a decentralized environment and has leases that are subject to different processes at different locations, how does management plan to analyze them and determine whether any new processes, internal controls or systems are necessary?
Controls assessment
Objective: identify and assess risks of material misstatement in a contract that is or contains a lease
Key questions to consider:
• What are the controls implemented by management for areas of misstatements such as:
  • completeness of the population of contracts that is a lease or contains a lease
  • separation of lease and non-lease components and allocation of contract consideration
  • determination of the lease term, including the commencement date of the lease
  • lease classification, modifications and appropriate disclosures
• What is the source of the information (e.g., contract) used to account for the lease?
• How do you make sure that the source information is (1) correctly entered into the IT application and (2) completely and correctly downloaded (e.g., from an IT application) or manually input into an end-user computing tool (e.g., Excel)?
• How do you make sure that any changes to, or manipulation of, the data in Excel are complete, accurate and appropriate?
What are the benefits of mobile computing?
• Improving productivity: improving employee productivity by extending the reach of existing apps, e.g., mobile time sheets
• Enabling employees: enabling employees via new or more efficient business processes, e.g., mobile field support, mobile CRM
• Enabling new business: targeting new markets or offering clients new products or services, e.g., mobile commerce apps
When to focus: all across the corporate life cycle (diagram)
• Incorporation
• IPOs/other capital markets activity
• Mergers/acquisitions
• Divestitures, carve-outs/spin-offs
• Risk: internal audit; enterprise risk management; remediation
• Performance improvement: shared services center implementations; finance transformation; new enterprise resource planning systems
A number of triggers can turn a lingering worry about the state of your policies and governance processes into a critical
that frequently occurs with large, geographically dispersed and decentralized organizations.
Audits that have an impact / Key questions to consider
Deployment readiness
Objective: assess the organization’s ability to effectively deploy policy and procedure changes to personnel
Key questions to consider:
• Do existing platforms deploy policies and procedures to the organization to identify improvement opportunities?
• Do policy training deployment methods and frequency align with similarly situated companies?
• Are findings summarized from the review, highlighting gaps and opportunities for improvement?
Audits that have an impact / Key questions to consider
Project management methodology
Objective: assess the program management methodology
Key questions to consider:
• Has the program methodology and governance framework been established, including planning and execution approach, the right team composition, monitoring and communication protocols?
• Have controls been included in the methodology to deliver the project on time and on budget?
• Is there a process to measure whether intended benefits were achieved?
Revenue recognition
Companies have been hearing about the new revenue recognition standard for years, and as the effective date approaches, they are evaluating the state of their implementation efforts. Many companies were relieved when the effective date was deferred to 2018 for calendar-year public entities, but now they are ensuring they have the ability to get things under control in a limited amount of time.
Many organizations are finding that implementing the new revenue recognition standard issued by the Financial Accounting Standards Board (FASB) requires more effort than they anticipated. With just a few months until the standard’s effective date, public companies likely need to accelerate their work to complete their implementation.
A great deal is on the line, since the new standard could affect investor perceptions of company performance. Now is the time to focus sharply on continuing to prepare for the new revenue recognition standard. The truth is that the difference between complying on time and falling behind is going to be razor thin for some organizations.
But the good news is that amidst all this change, there may be opportunities. In the case of revenue recognition, a thoughtful implementation may produce new efficiencies, enhanced systems, processes and controls, and more robust order to cash automation. The benefits could improve a company’s business and not just transform its accounting.
The core principle of the new standard is to recognize revenue to depict the transfer of promised goods or services to customers in an amount that reflects the consideration to which the entity expects to be entitled in exchange for those goods or services. Companies will need to exercise judgment when considering the terms of the contract(s) and all of the facts and circumstances, including implied contract terms. They will also have to apply the requirements of the standard consistently to contracts with similar characteristics and in similar circumstances.
The five steps of the new standard (diagram):
1. Step one: identify the contract(s) with a customer
2. Step two: identify the performance obligations in the contract
3. Step three: determine the transaction price
4. Step four: allocate the price to the obligations
5. Step five: recognize revenue when each obligation is satisfied
Audits that have an impact / Key questions to consider
Revenue recognition readiness assessment
Objective: assess current state for the new standard implementation efforts and evaluate readiness relative to people (organizational), processes, systems and control considerations using agreed criteria
Key questions to consider:
• What is the anticipated effect on the company’s businesses, processes and financial reporting?
• What is the process to monitor and consider organization readiness relative to people, process and technology?
• Have company personnel been trained?
• What are the company’s plans for communicating with stakeholders?
Revenue accounting process review
Objective: identify areas of improvement in the current revenue accounting process for complying with the requirements of the new standard
Key questions to consider:
• What are some important challenges and opportunities with the current state revenue accounting processes that could represent areas for potential improvement in implementing the new standard (e.g., manual workarounds, spreadsheet tracking separate from transaction processing systems)?
• What is the cycle time for the current state process from the time of deal closure through the setup of the appropriate revenue accounting approaches required for the financial reporting process (sometimes referred to as the “revenue allocation” process)?
• Are common processes executed for operations (e.g., sales, fulfillment and invoicing) and revenue recognition? Are these operations centralized in a shared service center, center of excellence (COE) or distributed?
• Are data objects (e.g., products, materials and customers) managed via a master data management solution or manual processes?
Controls assessment
Objective: identify and assess risks of material misstatement related to adoption
Key questions to consider:
• What are the controls implemented by management for the period of adoption related to:
  • Revenue stream identification and scoping?
  • Contract analysis?
  • Accounting policies (for all revenue streams even if no transition effect)?
• How are significant changes communicated and reported for Sarbanes-Oxley (SOX) Section 302 disclosures for material modifications or omissions?
How can an organization improve its risk culture?
Risk culture is the behavior in an organization that influences the management of risk. Risk culture connects the broader culture of an organization with its risk-taking and risk control activities. Regulators globally have highlighted that culture has risen higher on their agenda as part of addressing what they perceive to be major conduct and control failures that could have a systemic impact if not addressed properly. This creates practical challenges in implementation, and mandated time scales may require short-term, tactical solutions.
Enhancing the behaviors of an organization requires careful consideration of other aspects of the risk governance model. To achieve a sound risk culture, organizations need to express guiding risk culture principles and articulate the desired behaviors individuals are expected to emulate. Risk culture is not something that can be designed and executed; it must be proactive, and everyone — board, management and individuals — must understand that they have a responsibility for their own risk behavior and that they should proactively report the unacceptable behavior of others.
A shift from a tone-at-the-top corporate culture to tone in the middle and at the bottom is needed to present a clear view of desired risk behaviors. Organizations should focus on having forward-looking metrics in place to measure both financial and nonfinancial risks. Risk appetite should be consistent with the firm’s business strategy and embedded into decision-making.
Organizations should also consider a shift from a strong focus on financial incentives only, to include nonfinancial incentives. Talent management, including recruiting, onboarding and exiting, should be designed so that employees share the firm’s values and desired risk culture.
The alignment of an organization’s board, leadership team and business units, globally, around a common understanding of risk culture is crucial to changing, monitoring and managing behavior. Risk management, the board, senior management and IA all have a role to play in developing and maintaining the desired risk culture.
Audits that have an impact / Key questions to consider
Risk culture framework
Objective: assess if the organization has the policies, processes and incentives in place to support its mission, vision and strategic objectives
Key questions to consider:
• Are the organization’s mission, vision and values clearly aligned and communicated throughout the organization?
• Do corporate values consider desired behaviors (good and bad), are they communicated across the organization, and are they well understood at the top, middle and bottom of the organization?
Risk culture assessment
Objective: assess the organization’s overall risk culture, including leadership actions and incentives; identify and evaluate gaps between desired and actual behaviors, determine root cause and provide recommendations
Key questions to consider:
• Is the message consistent, well understood and accepted throughout the organization? Is it reinforced periodically?
• Is the board periodically apprised of the results of management’s assessment of the risk culture framework?
• Are metrics and incentives designed to drive the expected behavior?
• Does management periodically assess the organization’s acceptance of and alignment to the mission, vision and values?
• Is assessing culture driven by compliance with regulatory expectations or a genuine desire to understand “how we do what we do”?
• Is broad risk training carried out across the organization?
• Is risk appetite appropriately factored into the organization’s risk culture?
• How are compensation and risk-taking behaviors linked?
• Does the culture support risk transparency and enable concerns to be voiced?
• How are whistle-blowers treated?
• What regulatory requirements are currently imposed? What is likely to influence regulators or boards in setting desired risk culture?
While robotics helps companies automate manual labor within warehouse operations, software robotics, or robotic process automation (RPA), promises to transform the cost, efficiency and quality of executing many of the back-office and customer-facing processes that businesses rely on people to perform. However, this automation does not come without its own set of risks. IA should be involved from the beginning and must be able to identify and advise management on how to mitigate risks quickly as technology continues to rapidly change.

More than one of the issues outlined below is often present or linked, and it takes sufficient forethought or outside help to mitigate them. Unfortunately, if more than one of these issues occurs — which is common — there’s a significant multiplier effect that can lead to loss of belief in RPA or cause the project to stop. Whether an organization is embarking on its RPA journey or is already well on its way, it is likely that RPA will become an integral part of key business processes. It is vital for an organization to establish an RPA strategy that includes comprehensive governance, risk and control practices, and IA can bring business, risk and internal control insights to that strategy.

Organizations may bring in IA after implementation to assess how well the process and controls are operating, but what they fail to understand is the value IA can provide before, during and after RPA implementation. IA can help management navigate each stage of RPA implementation by providing an independent evaluation and strategic advice. The financial and reputational implications of waiting to act and getting it wrong are steep. IA can help chart a course for success.

The below risks and controls should be considered by an organization’s internal audit department when developing an RPA risk analysis and audit program:
1. A lack of robotics governance can lead to ineffective and inefficient process automation and an inability to support and meet business requirements.
2. Robotics access management is ineffectively managed, leading to the compromise of systems, applications and their associated data.
3. Process automation requirements are not accurately identified and documented, leading to robotics developments that do not meet business needs or support the business/IT strategy, resulting in a negative impact on business processes and financials.
4. Robotics implementations are not appropriately designed and tested, leading to requirements not being met or a negative impact on production systems, resulting in a negative impact on the business and financial losses.
5. Automation problems are not identified in a timely manner and managed, leading to a delay in their resolution and resulting in a negative impact to business processes.
6. Risks are not effectively mitigated for robotics vendor relationships and outsourced services, leading to financial and reputation exposure.

Audits that have an impact

Processes
Key questions to consider:
• Are relevant components of change management, including organizational, process and technical aspects, included in the governance framework?
• Do processes exist to manage the implementation, testing and support requirements for robotics across the organization?
• Are robotics change and development needs properly documented and mapped to business needs?
• Are automation problems and errors continually evaluated and corrected?

Investments
Objective: assess whether the organization has defined key performance indicators with the ability to deploy suitable monitoring related to robotics process governance
Key questions to consider:
• Are robotics investment decisions properly evaluated, approved and prioritized?
• Has the company defined approved robotics vendors?
• Do the organization’s measurements include regulatory and legal objectives, return-on-investment (ROI) and robotics performance?

User access
Objective: evaluate the organization’s strategy to determine if it defines 1) how access is provisioned and managed, 2) how the organization protects its robotics assets, and 3) the method the organization uses to determine its security risks related to the use of robotics
Key questions to consider:
• Does the organization have a comprehensive strategy to protect its robotic assets?
• Are controls in place to prevent unauthorized users from accessing the robots?
• Has the organization developed an access provisioning or deprovisioning strategy that allows robots to interact with IT production systems in a controlled manner?
Social media

Social media creates a powerful marketing tool for organizations to build greater awareness of their brands, create customer loyalty and increase efficiencies and connectivity between corporate employees and their respective customer base. The speed, spontaneity and deep penetration of social media into routine and daily business operations have transformed the relationship between companies and their customers, employees, suppliers and regulators.

Companies have taken advantage of social media to:
• Strengthen their brand
• Build customer loyalty
• Grow market share
• Increase efficiencies in their supply chains

Lack of a robust and comprehensive social media strategy gives rise to potentially significant and unforeseen business risk. Companies should consider various organizational and cultural aspects of their social media usage along with technology platforms and infrastructure as they seek to mitigate their risks.

Without a social media strategy in place the following risks may arise:
• Inadvertent leakage of confidential information by company employees
• Intentional transmission and distribution of confidential information by an external party
• Brand and reputational damage
• Greater risk of hacking or fake executive accounts across social media platforms
• Greater risk of viruses, malware and phishing
• Employee improper use or misuse of social media platforms
• Employee payments to external parties via social media platforms

A robust social media strategy should:
• Align social media use to organizational strategies and corporate values
• Develop, execute and communicate social media compliance directives to employees
• Rapidly identify, mitigate and monitor current and emerging risks due to the constantly changing IT and social media environment
• Protect company and customer data and reputation
• Quickly respond to social media incidents
• Monitor information disclosed by employees through social media

Internal audits of social media are effective and impactful ways of helping management mitigate risk.

Audits that have an impact

Risk assessment
Objective: evaluate the risk assessment methodology and framework pertaining to social media; review the social media activities that create the highest levels of risk exposure
Key questions to consider:
• Has the organization developed a comprehensive social media strategy?
• Has the organization established a methodology and framework pertaining to social media?
• Are the organization’s risk management and regulatory compliance expectations effectively communicated by management and well-understood by employees?

Governance
Objective: evaluate social media policies and procedures, including a review against leading practices; identify gaps or weaknesses in the policies and procedures
Key questions to consider:
• Has the organization established social media policies and procedures that address:
  • Strategy alignment to operations and values
  • Governance structure and controls
  • Employee and vendor compliance
  • The appropriate level of security
  • Key performance indicators
  • Licensing

Operations
Objective: assess robustness of business integration and identify gaps in alignment between business operations and social media
Key questions to consider:
• Has the organization effectively integrated business and social media?
• Are employee activities evaluated and monitored against social media policies and procedures?
• Are appropriate tools and infrastructure in place to monitor employee activity on social media?
• Is the policy effectively communicated to employees?
• Does the organization provide training and assess employee awareness of social media policies and procedures?
Audits that have an impact

Supplier risk management
Objective: evaluate the organization’s policies and application of policies to manage supplier relations and reduce supplier risk
Key questions to consider:
• Does the organization have established policies, processes and internal controls in place to evaluate the risk of global suppliers?
• How are suppliers selected and onboarded?
• Is there consistency in the application of the supplier risk management processes across the organization?
• Is there a standard supplier scorecard for direct materials suppliers?
• Do processes and controls exist to evaluate suppliers for direct and indirect purchases?

Transportation and logistics
Objective: evaluate the organization’s strategies and policies to mitigate transportation risk and identify cost savings opportunities
Key questions to consider:
• Are there monitoring and management processes in place for transportation and logistics expenses?
• Are there opportunities to reduce transportation and logistics costs?
• Do service level agreements (SLA) exist with vendors and are they monitored on a regular basis?
• Does the organization properly understand and monitor regulations?

Sales and operations planning
Key questions to consider:
• Are formal policies and procedures to integrate sales, supply chain and
Supply chain (continued)

Audits that have an impact

New product launch
Objective: assess the new product development (NPD) process and procedures for effectiveness
Key questions to consider:
• Are failure modes and effects analyses (FMEA) performed during the NPD process? Is there a feedback loop in place so that FMEAs are updated?
• Is the current spend on research and development, and NPD activities understood?
• At what stage of the NPD process do sourcing and procurement, manufacturing, and quality become involved?
• Have there been recent product recalls, and how were those managed?
• To what extent have enterprise software solutions been deployed to support NPD?

Quality
Objective: evaluate the effectiveness and efficiency of the organization’s approach to quality
Key questions to consider:
• How well-understood and documented are product and process specifications?
• Have there been recent product recalls and how were those managed?
• What are some of the root-cause identification techniques in place?
• Are quality KPIs standard across the enterprise?
• Do enterprise systems gather non-conformance data?
• What is the portion of overall quality costs incurred in each of the following?
  • Process failure
  • Appraisal and inspection
  • Prevention

Asset reliability and total productive maintenance
Objective: evaluate strategy and practices regarding asset reliability and maintenance
Key questions to consider:
• Is an enterprise level asset reliability strategy documented?
• Is the workforce involved in autonomous maintenance?
• What predictive maintenance techniques are used?
• Is a computerized maintenance management system (CMMS) in place to support maintenance? Is the enterprise software used to its fullest extent?
• Is the consumption rate of spares for equipment used to plan preventive maintenance work?
• Do standard equipment commissioning and decommissioning processes exist?

Inventory management
Objective: assess inventory management practices
Key questions to consider:
• What are levels of slow moving, obsolete, damaged or lost inventory?
• How is inventory planned?
• How frequently are physical counts performed?
• How do the inventory turns compare with those of peers in the sector?
• How are inventory transactions recorded in the enterprise resource planning (ERP) software?

Spare parts and service management
Objective: assess the approach to spare parts and service management
Key questions to consider:
• Are spare parts and service management managed by a third party or the original equipment manufacturer (OEM)?
• Is service customer segmentation performed?
• Are spare parts planned and procured via their own process or together with regular production parts?
• What key performance indicators (KPIs) are used to measure service management, and how are those used to improve service and spare parts performance?

Production and manufacturing
Objective: evaluate the efficiency and effectiveness of the policies, procedures and practices
Key questions to consider:
• Are procedures and processes clearly mapped and up to date?
• Are work instructions clear and in electronic format? How are they updated?
• Do the facilities use visual management boards or monitors?
• Are the conditions safe for operators?
• Do material shortages delay production’s actual start times?
• Do defective or nonconforming raw materials impact production?
Treasury

Policy and governance:
• Insufficient oversight of treasury activities (e.g., no treasury committee, insufficient reporting)
• Exposure to fraudulent transactions due to a lack of fraud controls
• Outdated or incomplete treasury policies
• Treasury roles and responsibilities not clearly defined, raising risk of segregation of duties violation

Cash liquidity management:
• Treasury does not have complete visibility and control of all cash in the global organization
• Insufficient monitoring of liquidity risks

Funding and capital market:
• Insufficient monitoring of potential financial covenant breaches and lack of disclosure (commitments and contingencies)
• Unauthorized trading due to control weaknesses or inadequate platform

Financial risk management:
• Unhedged exposures (related to FX, interest rate or commodity positions) leading to earnings “surprises”
• Insufficient monitoring of credit risk, e.g., relating to derivatives or collateral

Accounting and valuation:
• Incorrect valuation methods (models) or input parameters
• Incorrect or incomplete treasury reporting, leading to incorrect decision-making
• Insufficient or no hedging documentation
• Hedge effectiveness not tested properly

Treasury technology:
• Outdated legacy treasury systems leading to financial reporting risks (including MS Excel)
• Inadequate treasury application controls

Audits that have an impact

Regulation and compliance review
Objective: assess the processes and controls in place to comply with governmental regulations and internal policies
Key questions to consider:
• Are the processes and controls adequately designed to comply with government regulations and internal policies (e.g., European Market Infrastructure Regulation (EMIR), Report of Foreign Bank and Financial Accounts (FBAR), cash management, external borrowing, policies and procedures)?

Control framework and SOX compliance audit
Key questions to consider:
• Are processes and controls in place to properly manage bank account

Treasury fraud and investigation
Objective: review the effectiveness of key operational processes and controls to determine the likelihood of fraud and to assess remediation strategies and level of relevant trainings
Key questions to consider:
• Are key operational processes and controls in place and operating effectively to determine the likelihood of fraud in the organization in the following areas?
  • Cash management
  • Bank account management
  • Treasury technology and governance framework
• Have remediation strategies been developed and are they being followed?
• Has the organization provided the necessary fraud training and is it effective?

Treasury management assessment and maturity model
Objective: assess treasury management activities against industry standards and comparable organizations
Key questions to consider:
• Are treasury management activities consistent with industry standards or comparable organizations?
• How effective are the treasury activities in the following areas?
  • Bank account management
  • Financial risk management
  • Cash management
  • Intercompany transactions
  • Interest rate risk management
  • Technology
eXtensible business reporting language

Preparing eXtensible Business Reporting Language (XBRL) exhibits to comply with the Securities and Exchange Commission (SEC) mandate can be challenging. Many companies rely on external production vendors to handle the XBRL process, without first appreciating the complexity and breadth of the SEC rules. It is critical for management to understand those requirements to make informed decisions during the creation and review of XBRL-tagged financials.

The SEC staff continues to identify serious recurring errors in XBRL exhibits, is starting to contact companies about issues and has issued “Dear CFO” letters on the requirement to include calculation relationships in XBRL exhibits. As a result, dozens of companies have amended their SEC filings to resubmit XBRL exhibits and correct mistakes.

Common XBRL issues of noncompliance include:
• Improperly selecting broadly defined tags or extending tags (rather than using standard tags)
• Not tagging all required levels and amounts, e.g., parenthetical amounts and amounts in the notes and schedules
• Using incorrect signs, i.e., positive and negative
• Having problems with reporting dates, decimals, units and missing calculations
• Improperly excluding XBRL exhibits with non-initial public offering registration statements
• Not establishing robust controls

To produce high-quality, compliant documents, companies need to understand all of the technical requirements, exercise diligence in the selection of appropriate tags and verify that all details in the existing filings are accurately captured in the XBRL submissions.

Companies should consider the following concerns related to XBRL:
• The SEC continues to make modifications and observations, typically updating the XBRL requirements quarterly.
• The volume of SEC guidance (e.g., EDGAR Filer Manual, FAQs, SEC staff observations) is significant; moreover, the guidance is often complexly worded.
• Many registrants do not fully understand the complexities involved in detail tagging.
• The SEC has reiterated that controls over the preparation of XBRL exhibits should be a component of the issuer’s disclosure controls and procedures.

Internal audit can bring the required subject-matter knowledge and business insights to provide an objective assessment of the current state and offer guidance on developing an efficient and effective internal process over XBRL reporting.

Why should registrants care about their XBRL exhibit?

Complexities and observations:
• Separate SEC XBRL requirements included in the SEC EDGAR Filer Manual
• SEC issued written comments and data quality reminders
• Filed errors identified by XBRL-US’s consistency suite
• Information excluded by hundreds of companies, according to XBRL-US
• Amended Forms 10-K and 10-Q due to issues and errors in the original XBRL exhibits
• Standard operating procedures, principles and criteria issued by the American Institute of Certified Public Accountants (AICPA) to address complexities
• XBRL data used in SEC’s Accounting Duality Model to flag companies that require closer inspection

Risks:
• Financial reporting goodwill and reputation risk
• The same liability as the traditional formatted filing (e.g., Forms 10-Q, 10-K) and potential civil liability
• Resubmission, prospective changes or other SEC actions
• Within the scope of “disclosure controls and procedures” in complying with Exchange Act Rules 13a-15 and 15d-15 and Item 307
• Lack of acceptance by the SEC (i.e., won’t upload through EDGAR) if it fails validation tests
• “Dear CFO” letters from the SEC and calls to companies about errors that resulted in dozens of amended filings
• Aspects of XBRL exhibits leveraged by the SEC in comments included in the Division of Corporation Finance (DCF) comment letter process

Audits that have an impact

Regulation and compliance
Objective: review XBRL exhibits for compliance with the SEC’s rules
Key questions to consider:
• Documentation: has documentation been evaluated or created around the tag selection for the financial statements, including the face of the statements, notes and schedules, to verify that it narrowly and accurately reflects what is being disclosed and clearly describes to the user and the SEC what the tags represent?
• Document completeness: have amounts and concepts in the financial statements, notes to the statements and Regulation S-X schedules been evaluated for completeness? Have items that may not be included at all required levels been identified? Do items that are not tagged (if any) include a documented reasoning for not tagging?
• Tag selection: has there been assessment of selection of tags and identification of potential alternative elements and dimensions that have definitions similar to the elements and dimensions chosen and the financial concepts for properties not conforming to XBRL guidance?
• Structural and consistency compliance of the instance document: has the XBRL exhibit been assessed around structural or consistency errors, focusing on the EDGAR manual requirements that the SEC has identified as more frequent violations in initial XBRL submissions, including compliance around the correct signage (negative vs. positive values), decimal attributes, unit types, certain contexts and calculation relationships?

Governance, policy and internal control processes
Objective: assess the quality and efficiency of the governance, policies and related controls over the company’s creation of its SEC XBRL exhibits (including compliance with the SEC XBRL rules)
Key questions to consider:
• Is there a formalized XBRL implementation and review process?
• Has there been a comparison of the current state of key implementation, review process and procedure areas with leading practices?
• Are there sufficient XBRL implementation processes, governance, policies and internal controls processes and applicable documentation to sufficiently comply with the SEC XBRL rules and disclosure controls and procedures requirements?
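As an added example, not part of EY's material and not an SEC or XBRL-US tool, the following Python checker reads a constructed XBRL instance fragment and tests two of the frequent-violation classes named above, signage and calculation relationships, with the decimals attribute setting the rounding tolerance. The instance data, the calculation arcs (a dict standing in for a calculation linkbase) and the positive-balance concept list are constructed for illustration.

```python
# Added example (not EY's or the SEC's tooling): XBRL signage and calculation checks.
import xml.etree.ElementTree as ET
from decimal import Decimal

US_GAAP = "{http://fasb.org/us-gaap/2017-01-31}"   # constructed taxonomy namespace

# Constructed instance fragment. Assets tie, but TreasuryStockValue was entered
# negative although the taxonomy expects a positive value (a signage error).
INSTANCE = """<xbrli:xbrl xmlns:xbrli="http://www.xbrl.org/2003/instance"
  xmlns:us-gaap="http://fasb.org/us-gaap/2017-01-31">
  <us-gaap:AssetsCurrent contextRef="FY" unitRef="USD" decimals="-3">1500000</us-gaap:AssetsCurrent>
  <us-gaap:AssetsNoncurrent contextRef="FY" unitRef="USD" decimals="-3">2500000</us-gaap:AssetsNoncurrent>
  <us-gaap:Assets contextRef="FY" unitRef="USD" decimals="-3">4000000</us-gaap:Assets>
  <us-gaap:CommonStockValue contextRef="FY" unitRef="USD" decimals="-3">100000</us-gaap:CommonStockValue>
  <us-gaap:RetainedEarningsAccumulatedDeficit contextRef="FY" unitRef="USD" decimals="-3">200000</us-gaap:RetainedEarningsAccumulatedDeficit>
  <us-gaap:TreasuryStockValue contextRef="FY" unitRef="USD" decimals="-3">-50000</us-gaap:TreasuryStockValue>
  <us-gaap:StockholdersEquity contextRef="FY" unitRef="USD" decimals="-3">250000</us-gaap:StockholdersEquity>
</xbrli:xbrl>"""

# Constructed stand-in for a calculation linkbase: parent -> [(child, weight)].
# In a real filing these summation-item arcs live in a separate linkbase file.
CALC_ARCS = {
    "Assets": [("AssetsCurrent", 1), ("AssetsNoncurrent", 1)],
    "StockholdersEquity": [("CommonStockValue", 1),
                           ("RetainedEarningsAccumulatedDeficit", 1),
                           ("TreasuryStockValue", -1)],   # sign is carried by the weight
}
POSITIVE_ONLY = {"TreasuryStockValue"}   # constructed list of positive-balance concepts


def parse_facts(xml_text):
    """Return {(concept, contextRef): (value, unitRef, decimals)} for us-gaap facts."""
    facts = {}
    for el in ET.fromstring(xml_text):
        if not el.tag.startswith(US_GAAP):
            continue
        dec = el.get("decimals", "INF")
        facts[(el.tag[len(US_GAAP):], el.get("contextRef"))] = (
            Decimal(el.text.strip()), el.get("unitRef"), None if dec == "INF" else int(dec))
    return facts


def check_signage(facts):
    """Flag concepts the taxonomy defines as positive that were tagged with a negative value."""
    return [f"{c}[{ctx}] is negative but the taxonomy expects a positive value"
            for (c, ctx), (v, _, _) in facts.items() if c in POSITIVE_ONLY and v < 0]


def check_calculations(facts, arcs=CALC_ARCS):
    """Compare each parent fact with the weighted sum of its bound children, per context."""
    errors = []
    for (parent, ctx), (pval, punit, pdec) in facts.items():
        if parent not in arcs:
            continue
        total, least_precise, bound = Decimal(0), pdec, 0
        for child, weight in arcs[parent]:
            if (child, ctx) not in facts:
                continue          # an arc with no child fact in this context is not checked
            cval, cunit, cdec = facts[(child, ctx)]
            bound += 1
            if cunit != punit:
                errors.append(f"{parent}[{ctx}]: unit {cunit} of {child} differs from {punit}")
            total += weight * cval
            if cdec is not None and (least_precise is None or cdec < least_precise):
                least_precise = cdec
        # Simplified XBRL rounding rule: tolerate half a unit at the least precise decimals.
        tol = Decimal(0) if least_precise is None else Decimal(10) ** (-least_precise) / 2
        if bound and abs(total - pval) > tol:
            errors.append(f"{parent}[{ctx}] = {pval} but its children sum to {total}")
    return errors


def run_checks(xml_text):
    """Run both checks; run_checks(INSTANCE) reports one signage and one calculation finding."""
    facts = parse_facts(xml_text)
    return {"signage": check_signage(facts), "calculation": check_calculations(facts)}
```

Correcting the sign of TreasuryStockValue in the constructed instance clears both findings, which is the point: a signage error on a weight -1 child shows up as a calculation inconsistency on its parent.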
EY | Assurance | Tax | Transactions | Advisory

About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.

To find out more about how our Risk Advisory services could help your organization, speak to your local EY professional or a member of our global team, or go to ey.com/advisory.

Global and Americas Advisory Risk Leader
Amy Brachio +1 612 371 8537 [email protected]

Americas Advisory Internal Audit Leader
Lisa Hartkopf +1 312 879 2226 [email protected]

Americas Advisory Region Risk Leaders
Central
Kevin Janes +1 312 879 5400 [email protected]
West