Last year, as COVID-19 disrupted lives and businesses around the world, internal auditors quickly shifted the focus of their audit plans to the critical risks posed by the virus, identifying and reviewing management’s assessment of those risks as well as related remediation plans and controls. Audit committee members we surveyed in June–July 2020 said that, by and large, that shift was successful, and internal audit plans proved flexible.
Internal auditors face a similarly difficult challenge in 2021: to identify the emerging risks that are critical to the company’s reputation, strategy, and operations while ensuring that their audit plans are risk-based, flexible, and dynamic amid continuing disruption and uncertainty. How is the company’s risk profile changing in light of COVID-19 developments, the recession, trade and geopolitical tensions, and other megatrends?
Making those assessments will require:
To help frame and focus its work, internal audit should ask:
Based on our survey work and discussions with audit committee members and internal auditors, we identified emerging risks that internal auditors should have on their radars as they adapt their internal audit plans in the months ahead.
Cybersecurity and data governance risks. It’s no surprise that cybersecurity remains a top risk given the shifts to remote work, digital transformation, online customer engagement, and the growing sophistication of cyberattackers, including nation-states. The SolarWinds cyberattack increased concerns about the risks posed by third-party vendors. Among the questions internal audit should ask: Does the company’s data governance framework make clear how and what data is being collected, stored, managed, and used—and who makes decisions regarding these issues?
Culture, ethics, and compliance risks. COVID-19 has increased the reputational costs of an ethics or compliance failure, particularly given the changed control environment, increased fraud risk, and pressure on management to meet financial targets.
Evolving COVID-19 risks. Leaders are grappling with reopening their businesses safely, managing remote workforces, accelerating digital transformation, building more resilient supply chains, and strengthening connections with customers. Navigating the uncertainty will require a sharp focus on people, liquidity, operational risks, and contingencies while keeping sight of the broader strategy.
Longer-term risks posed by accelerating megatrends and the new normal. From climate risk to cyber threats, scenario planning will be critical as companies adjust to their new normal. It’s critical that internal audit has a seat at the table.
ESG risks. COVID-19 is accelerating shifts in stakeholder views of corporate performance and how companies oversee and disclose ESG risks. Internal audit should understand the company’s ESG strategy to provide assurance and advise on controls.
Climate change risk. “Climate change is one of the greatest challenges facing the planet today, and we believe businesses are an essential part of the solution,” said Doug McMillon, president and CEO of Walmart Inc. and chairman of Business Roundtable, in a statement last September.[1] In his 2020 letter to CEOs, BlackRock Chairman and CEO Larry Fink called climate change a “defining factor in companies’ long-term prospects” and predicted that “we are on the edge of a fundamental reshaping of finance” as investors seek “to understand both the physical risks associated with climate change as well as the ways that climate policy will impact prices, costs, and demand across the entire economy.”[2] The Biden administration has made climate a key priority on its policy agenda, and the SEC has made corporate disclosure requirements concerning climate change a top priority,[3] creating an enforcement task force focused on climate and ESG issues.[4] In this environment, internal audit will want to prioritize climate risk and assess whether management’s ERM processes include an appropriate focus on the risks that climate change poses to the company’s strategy, operations, and reputation.
Human capital management risks. COVID-19 and social unrest have amplified the importance of human capital management to a company’s performance and reputation, driving demand for better disclosure of how the board oversees human capital and talent development programs and their link to strategy.
Risks posed by the federal agenda. What risks will the Biden administration’s policy initiatives pose in 2021 and beyond? Internal audit should focus its attention in coordination with the company’s enterprise-wide response to near-term policy initiatives, such as the economic stimulus package, tax reform, infrastructure, the SEC’s regulatory agenda (particularly potential new disclosure rules regarding ESG issues), trade policy, and climate-related regulation. The risks posed by reregulation, new regulation, and stepped-up regulatory enforcement must also be considered.
Crisis readiness. Companies’ crisis response plans must focus on resilience—maintaining operations in the face of a disaster. How robust are management’s plans? Is the company prepared for the worst-case scenarios—e.g., extended periods of supply chain disruption, substantial sustained reduction in sales and revenue, and the loss of key personnel?
In assessing these and other risks, the details and the data are critical. But given the unprecedented complexity and uncertainties ahead, it has never been more important for internal audit—as the audit committee’s eyes and ears—to help paint a holistic picture of the company’s vulnerabilities and opportunities to help it keep sight of the big picture.
[1] Business Roundtable: Market-Based Solutions Best Approach to Combat Climate Change, Business Roundtable press release, September 16, 2020.
[2] Larry Fink’s 2020 letter to CEOs, BlackRock, Inc., 2020.
[3] Statement on the Review of Climate-Related Disclosure, Acting SEC Chair Allison Herren Lee, February 24, 2021.
[4] SEC Announces Enforcement Task Force Focused on Climate and ESG Issues, March 4, 2021.