The fundamental role of internal auditors is to evaluate and help boards and executives improve the effectiveness of governance, risk management and control processes.


This statement captures the intent expressed in the guidelines of various professional organizations and regulations, such as the International Internal Audit Standards Board, the Institute of Internal Auditors, the American Institute of Certified Public Accountants, the Information Systems Audit and Control Association, the International Accounting Standards Board, the Sarbanes-Oxley Act of 2002 and Solvency II.


These organizations and regulations place strong emphasis on the overarching frameworks that guide, influence and control how organizations perform, recognizing that weaknesses in these frameworks foment hidden risks.


Hidden risks are apt to be more prevalent within modern, complex operating environments. In such organizations, internal auditors must gain insights from the nexus of internal and external environments and information flows, often across borders. Accordingly, to be effective, internal auditors need to have a holistic view of the organization and its external operating environment, while maintaining a laser focus on specific functional components under examination.


This not only requires the requisite auditing skills, experience and domain knowledge, but also an understanding of the external operating environment, as well as an understanding of the information technology and data management capabilities of the organization and third-party participants. It’s also helpful to have knowledge of fraud investigation in line with the guidelines of the Association of Certified Fraud Examiners.


The perspective and context provided by this combined view enable internal auditors not only to examine traditional financial, operational and strategic risks and control mechanisms, and fact-based information, but also to take into consideration other emerging factors that are apt to contain hidden risks.


Internal auditors work with information technology experts to assess threats to an organization's data. (Photo: iStock)


Digitization

Many emerging risks within the commercial sector are related to the increased application of digitization in just about every aspect of business. For insurance organizations, this is especially significant in two related areas: the interaction with customers and third parties, and cyber threats and security.


Interaction with customers and third parties is increasingly taking place via enhanced web and social media capabilities, supported by underlying advanced analytics and algorithms that often replace human interaction. These interactions provide potential opportunity for the using parties to act improperly. Perhaps more important, these interactions are increasingly being used by cyber criminals via social engineering techniques as points of entry (that is, attack vectors) into an organization’s data resources.


To assess potential risks related to these risk vectors, internal auditors must collaborate with information technology experts that can provide insights into the usage patterns and security mechanisms of their own organization and the organizations of third parties.


A note about social engineering

Social engineering is an attack vector technique facilitated by web and social media usage that essentially involves tricking people into breaking normal security procedures. Three common techniques, used individually or in combination, include:

  • Seemingly legitimate emails that purport to share desirable information or prompt the recipient to click a link that installs malware.
  • A call or e-mail pretending to need selected information in order to confirm a person’s identity.
  • Various tricks to entice the download of content presumed to be helpful by the targeted user in order to install malware.

Weaknesses in risk governance and management can increase the exposure and potential for the success of such attacks. Penetration tests by security teams can help identify the types of user most likely to fall prey to such attacks, thus facilitating the efforts of internal auditors in pointing out the need for additional education and training of personnel.


Internal auditors test disaster recovery plans to make sure they will work. (Photo: iStock)


Disaster recovery and business resilience

The increase in natural and man-made risks, and the linkage within organizations to a variety of diverse third-party players, have brought the need for improved operational risk management to the forefront for regulators, boards and executives. Assessing cross-border risk and recovery capabilities within one’s own organization and across supply chains is a highly complex process requiring the specialized skills of accredited and experienced practitioners.


Nonetheless, internal auditors need to assess the effectiveness and risks and controls inherent within any related disaster recovery plans and implementation capabilities, including third-party resources that may be involved. It is not sufficient to assume that controls are in place because a disaster recovery document exists. Disaster recovery plans need to be tested in order to uncover hidden risks, to identify modifications needed and to validate that they work as intended.


Advanced analytics

The increased application of advanced analytics within organizations provides both benefits and risks. On the one hand, analytics provides insights needed to improve performance, predict future scenarios, and uncover risks. On the other hand, analytics may introduce risks related to the data, algorithms and models used.


Internal auditors can address data quality risk by assessing the strength of data governance and the processes for assuring usage of high quality data, as defined by ISO 9000:2015: complete, valid, accurate, consistent, available and timely.


To assess risks related to algorithms and models, internal auditors must “stress” the algorithms and models under various assumptions and scenarios that can uncover near and longer term integrity and reliability issues.


Internal auditors help build a "risk-aware culture" inside an organization. (Photo: iStock)


Organizational culture

Regulators understand the important role that a “risk-aware culture” has in the organization’s ability to manage risk. Internal auditors also understand this and recognize that any deficiencies in C-suite risk management directives, training and other support, and “tone at the top” messaging can affect the organization, weakening the organization’s overall risk management and control framework and processes.


Any such weakness creates an overarching organizational red flag issue for internal auditors, but especially as it relates to those persons having any influence over the altering of data or control processes. In addition, a weak risk-awareness culture can increase the potential for successful attacks via social engineering techniques, as discussed previously.


An organization’s culture can often be perceived simply by “walking, talking and observing,” providing insights that indicate the need for further exploration.


Use of advanced tools by internal auditors

The assessment of risks in traditional functions of the organization and those mentioned previously can be facilitated by use of advanced semantic search and analytics tools available within the organization or via third parties.


These tools enable internal auditors to pose and obtain answers to a wide variety of questions related to business processes, controls and individual performance. Answers to initial questions can be used in refining analytics to uncover anomalies in patterns of behavior that warrant further examination.


Audit committees for company boards are relying more on internal auditors. (Photo: iStock)


The expanding role of internal auditors

Continuing economic and regulatory pressures are requiring boards to assume more responsibilities for risk assessment in support of strategy development, regulatory compliance, and improvements in financial and operational performance. As a result, because of their depth of exposure to these requirements within the organization, audit committees are being called upon to play a larger role.


Accordingly, audit committees are requesting that internal auditors translate their knowledge of risk management and control processes, and their findings from internal audits into an expanded role, helping educate and train audit committee members, increase their focus on strategic risks and provide risk management consultative services.


The ability of internal auditors to uncover hidden risks provides strong assurance to the board that their risk-related decisions are sound. Accordingly, it seems likely that internal auditing will gain in stature as a business partner in helping the organization fulfill its strategic objectives.


Wendy Shapss is a senior managing director and co-leader of global insurance services for Washington, D.C.-based business advisory firm FTI Consulting. Elaine Lehnert is a managing director in FTI Consulting's global insurance services division.


© 2024 ALM Global, LLC, All Rights Reserved.