Welcome to a world of change, innovation, and uncertainty
A global pandemic. Political polarization and unrest. Extreme weather. Global demands for greater transparency, accountability, and sustainability.
On a long enough timeline, the probability of any crisis is infinite. But four generationally significant events in a calendar year certainly is not.
No one could have predicted the events of 2020 and 2021 — and nobody knows for sure what curveballs the fates will throw in the years ahead. The following insights seek to explore some possibilities based on the explosion of risk wrought by the pandemic, advancements in technology, changing attitudes, and pervasive uncertainty about what happens next.
A common refrain of many leaders over the past year has been to never waste a good crisis. There’s much to learn from extreme events: warnings to heed, mistakes to avoid, and opportunities to do things better.
Whether it’s the following trends that come to fruition, or something else, one thing is certain: no risk can be judged in isolation, and the future will only grow more complex, dynamic, and unpredictable. However, through the lens of opportunity, Internal Audit may be able to add value in helping its organization manage through the associated risks.
Contents
- Pandemic impacts
- Workforce disruption
- The future of work
- Risks and opportunities with digital technologies
- Cyber security and privacy
- Environment, social, and governance
- Global uncertainty
- Conclusion
Pandemic impacts
Vaccines have made a significant difference, but they’re not a panacea
Vaccines were supposed to liberate the world and bring the virus to heel. So far, they’ve yet to restore complete confidence or stability.
That the first vaccines cleared clinical trials and were more than 90 percent effective against the original COVID-19 virus was an incredible feat of science and human will. This is a long-forgotten achievement given the social, political, and logistical issues that have followed.
For one, there is a sizeable disparity in vaccine access which follows long-entrenched lines of global wealth and privilege. Even as some nations have fully inoculated 60, 70, and 80 percent of their eligible populations, others are struggling to reach 10 percent with a first dose. With less than a third of the world’s population fully protected, the opportunity for increasingly virulent and vaccine-resistant variants remains a serious concern.
The other major challenge is the growing divide between those for and against vaccines. Pressure is mounting for educational institutions, retailers, venues, employers, and governments to set clear rules (or not, depending on one’s position) around vaccines and who can patronize certain locations. With either stance, employees and customers may be lost, and it is important to consider the impact of this loss on the business.
Questions to ask – what's the opportunity?
Has Internal Audit assessed the short-term and long-term potential risk related to a disruption in workforce, the impact of remote working, or the impact of ordering people to return to work? Also, based on your organization’s position on vaccines, has your Internal Audit function considered the risk related to your organization taking a public stance on vaccines? Is your organization sufficiently creating risk scenarios as part of your Enterprise Risk Management (ERM) program?
Change related to COVID-19 driving fraud opportunity and rationalization
The Association of Certified Fraud Examiners has continuously instructed that every incident of fraud shares three common themes: opportunity, pressure, and rationalization. While the definitions of fraud and its underlying causes have evolved over time, the fraud triangle has held true.
There’s no question the COVID-19 pandemic has dramatically increased all three corners of the fraud triangle in various cases for many people and organizations. Opportunity can come in the form of a remote workforce, a reduced workforce, or owners and managers focused less on operational concerns and more on business continuity. Loss of income due to layoffs or furloughs can increase the pressure to commit financial fraud — and perhaps even rationalize those actions as well.
It’s fair to assume most employees and vendors will not act on the opportunity to commit fraud, even when the pressure to do so is present and they can rationalize their actions. But history has shown many will. Even this small minority can cause serious financial, legal, and reputational damage — especially if the incident in question is ongoing or goes undetected for months or longer.
As the pandemic, economy, and work environments continue to evolve, it is critical that internal audit, boards, and organizational leaders stay vigilant about the risk of fraud. While other trends may dominate the conversation, annual fraud risk assessments and continuous high-risk transaction monitoring remain two of the most important priorities.
Questions to ask – what's the opportunity?
Has Internal Audit assessed if your organization has new fraud opportunity exposure due to COVID restrictions and/or employees working remotely? Has anything changed in the last year that may cause excessive pressure to exist that might influence people to violate your code of conduct or commit fraud? Does Internal Audit or your organization have any means of continuously monitoring fraud risk indicators, or using data analytics to detect possible wrongdoing early?
Has the impact of COVID-19 created permanent change in corporate culture?
Culture plays a prominent role in everything from productivity and profitability to employee engagement and overall brand equity. It’s also extremely fluid. People, leaders, strategy, technology, and societal trends are all driving forces behind how it evolves and changes over time. This has become increasingly apparent in recent years, as many organizations have taken significant steps to build a culture that reflects their values, contributes to their mission, and ultimately benefits the bottom line.
The pandemic has significantly challenged the culture of many organizations. From a logistical standpoint, it’s been much more difficult to create a sense of community and shared identity when everyone is connecting virtually rather than in person. Communicating via video and instant messaging simply cannot re-create the spontaneity and serendipity of bumping into one another in the lunchroom.
Even worse is the divide that has grown in those organizations where some of the workforce can perform their role remotely and others must attend the workplace in person. Beyond the obvious feelings of resentment that can percolate, there’s also a risk the culture is evolving down two distinct paths, with both groups forming their own concepts about the organization and their place in it.
Yet another hurdle is coming as many organizations are looking to return to the office. Some team members will feel excited about the idea. Others will be hesitant — either because they don’t feel safe, or they genuinely prefer working from home. Ordering people back to the office could risk harming goodwill and engagement of employees who prefer to stay remote. A poorly executed hybrid approach risks further fragmenting the culture. In either respect, it’s unlikely the workplace that existed before the pandemic will be restored going forward.
Boards and leaders need to feel confident that whatever culture exists, it will enable and not prohibit strategic success. Internal audit teams can help boards, executives, and human resources to assess cultural risks and opportunities to ensure whatever shape the culture takes will fit the organization’s — and its people’s — needs in a distinctly different world.
Questions to ask – what's the opportunity?
Has Internal Audit assessed organizational culture in the past? Did this effort identify any areas of concern where your culture might be working against your ability to achieve your strategy? Has Internal Audit assessed the risk of culture change in your organization since COVID began?
Workforce disruption
The war for talent – consider your future needs
Organizations are constantly trying to recruit technically savvy resources and new graduates if possible. Unfortunately, many new graduates do not have all of the skills required and those who do are often already employed. Internal audit has historically focused on recruiting team members with leadership potential, strong communications skills, and some form of subject matter expertise (e.g., accounting, business administration, cyber security, etc.). These skills alone will not be sufficient to understand the risks and opportunities organizations will face in a post-COVID environment — and the challenge is certainly not unique to internal audit alone.
Throughout the pandemic, businesses invested heavily in digital transformations to survive and thrive in a completely novel environment. There is no backtracking on these changes. More likely, the pace of technological change will only continue to accelerate as the potential future benefits become clearer and capabilities more accessible. Demand for skilled workers who are both capable of leveraging current technologies and have the vision to understand what’s ahead is far outpacing the talent currently available to fill these roles.
This may not be a short-lived challenge, either. Even post-secondary institutions, which have long been bastions of innovation and progress, are struggling to keep pace with growing automation, digitization, artificial intelligence, and machine learning capabilities. Assuming things were to change right now, it would be several years before new graduates emerge with the most sought-after skills and technical knowledge. As for providing internal audit resources the training and experience needed, auditors will continue to utilize many different sources of professional development, and external co-source partnerships.
The onus will be on organizations to upskill their workforce as new capabilities and opportunities become available. Some larger organizations are already experimenting with their own mini universities to provide the ongoing training, skills, and structure employees need to succeed in their role and re-invent themselves professionally.
Beyond the sheer cost, however, there are also obvious questions around how to balance work and academics and preserve productivity. Also, organizations need to consider the risk of investing in someone’s education only for them to leave for a competitor or to pursue a completely different career path if the need for lifelong learning becomes too overwhelming.
Questions to ask – what's the opportunity?
Has Internal Audit evaluated the average time it is taking you to fill critical roles in your organization? Is it becoming more and more challenging to find anyone for some critical roles and, if yes, what risk does this pose to your organization? What skills and capabilities will your internal audit team need to adequately evaluate and advise on risk in the years ahead? Are those currently in high demand? Do the skills and capabilities even exist? How will you recruit, develop, and retain that talent before your competitors do?
The big resignation among millennials and retiring baby boomers
As organizations across Canada welcome workers back to the office in autumn 2021, many labour experts anticipate we may also be on the cusp of the largest mass resignation of all time. Pandemic-related fears, months of remote work, and significant changes to job descriptions over the past 18 months have been overwhelming and given employees a lot to think about. Many of those in their 20s and 30s are seeing this latest paradigm shift as an opportunity to reset, start fresh, and move on to a different employer, a different industry, or different profession altogether.
The timing and potential magnitude of these exits couldn’t be worse. Canadian businesses are already experiencing an unprecedented volume of turnover as baby boomers increasingly age out of the workforce — and that too may be about to accelerate. The youngest baby boomers are roughly 55 years old – the age where Older professionals who successfully navigated the pandemic are now questioning whether the nine-to-five lifestyle is worth sacrificing time with loved ones and pursuing long neglected life goals. For many, the answer could be no.
With millennials and baby boomers the most likely to depart, organizations face a troublesome prospect: The younger end of that spectrum possesses the very skills and insights needed to navigate technological change. The elder workforce will include key executives, board members, and decades worth of institutional memory. If it comes to fruition, this brain drain could deplete precious human capital; increase costs to recruit, onboard, and retain new talent; and destabilize hard-won cultures.
Questions to ask – what's the opportunity?
Has your organization factored retirements, resignations, and turnover into its human capital and resource risk assessments? How have employee engagement and satisfaction surveys throughout the pandemic influenced these analyses? What steps is the organization taking to scenario plan and prepare?
The future of work
Creating an environment where humans and robots can co-exist
History has consistently confirmed two truths about technology: (1) Capabilities will continue to improve at an exponential pace. (2) The barriers to access these sophisticated capabilities will exponentially decrease as they become more scalable. The possibility of enterprise-level robotics, artificial intelligence, and machine learning tools may not be such a far-flung idea.
Imagine people working side by side with a robot rather than using a computer to do their work. What are the implications?
Proponents of this perhaps not-so-distant future see all sorts of benefits of an automated workforce. For one, machines won’t call in sick or succumb to distractions like their human counterparts. They’d be faster, more accurate, and could work around the clock. Humans could offload menial or repetitive tasks to the machine, too, making more time for the work they enjoy — and perhaps even providing better work-life balance and overall engagement in their job as a result.
The flip side, of course, is the long-held fear that the machines will eventually put everyone out of a job. From the introduction of the Unimate robot on the General Motors assembly line in 1961, concerns have abounded that robots were putting humans out of work. Now artificially intelligent online bots are replacing customer service call centres, self-driving cars loom large over the taxi industry, and artificially intelligent writers are even nipping at journalists’ heels.
While experts are divided on whether people will truly be wholly replaced by machines, these remain heady ethical and reputational concerns organizations will seriously need to consider. How would people adapt to having a machine as a colleague, or even more shockingly, a manager?
There’s also the question of how well machines will take instruction from executives, senior leaders, or even co-workers. Will its programming compel it to do what is algorithmically best for the organization or what its decidedly more fallible — but perhaps more intuitive — boss tells it to do? If it’s designed to follow instructions even when it knows these are wrong, can it really deliver the promised benefits of accuracy and infallibility after all?
Questions to ask – what's the opportunity?
Has Internal Audit assessed the use of robots in your organization? Will these robots create risks, based on not being able to adapt to change or human error (e.g., being provided incorrect data or instructions)? Are there any areas in your organization where processes are highly repetitive, predictable, and ongoing that robotic process automation could do more effectively to reduce risk of human error and generate efficiencies?
Risks and opportunities with maturing digital technologies
Digital transformation has been underway for decades, from the introduction of the first desktop computers, Internet, and email, to today’s increasingly sophisticated analytics, cloud, and machine learning tools. Many organizations have accepted continuous technology change as a matter of course. But not everyone has been so quick to replace obsolescent controls, policies, and update training programs to match contemporary skill requirements and risk exposures.
New technologies don’t merely make work easier or more efficient — they’re redefining the very nature of certain jobs. Roles that didn’t exist five or 10 years ago are now integral to many organizations’ current and future success. There have been many newly created job descriptions, but many new responsibilities have simply been tacked onto legacy job descriptions without deference to the unique challenges, complexities, or risk exposures that go hand in hand.
In a world of constant technological change, it’s helpful for Internal Audit to step back and completely re-evaluate the organizational design and related roles, policies, procedures, and systems of controls as if you were designing the company from scratch to optimize strategic success.
Questions to ask – what's the opportunity?
Has Internal Audit assessed the risk of internal resources not having sufficient capability or training to utilize new and changing digital technology to achieve planned benefits to the organization? Has the level of change management been assessed in your organization, in relation to digital transformation? Has Internal Audit assessed all policies, procedures, control documentation, and training that may no longer be accurate or usable due to digital transformation and changes made (i.e. new ERP implementation)?
Cyber security and privacy
The post-pandemic transition could be a haven for hackers, outside and inside your organization
Hackers love extreme situations and change. People tend to become distracted, make fear-based decisions, and grow increasingly prone to errors. Organizational leaders will often divert resources from core functions (e.g., security and monitoring) toward the crisis at hand. This can quickly create fissures in an otherwise well controlled cyber security posture.
The early phases of the COVID-19 pandemic underscored both how quickly these cracks can form and how easily cyber criminals can scale up their attacks. Virus- and lockdown-related phishing attacks were staggeringly effective. Hastily adopted remote collaboration tools became a key gateway for attacks. There are indications internal threats also increased, as disgruntled employees used the cover of working from home as an opportunity to access and leak internal files.
As the pandemic shifts into a new phase, it’s important to recognize we’ve merely crossed the threshold from one period of intensive change to another. The disruptive and dynamic nature of the situation remains high — and, in many respects, this next shift may prove to be even more chaotic and challenging than the last.
Organizations welcoming employees back to the office need to assume past disciplines around locking devices, protecting passwords, printing documents, and discussing sensitive matters may not be top of mind. There will also be resourcing challenges for those embracing a hybrid/permanent remote model moving forward. Along with a more complex security environment to manage, plans must also weigh the human factors involved with disengaged team members or those who otherwise feel slighted by their work arrangement. This may lead to insider cyber security and privacy risk being one of your greatest risk exposures.
Questions to ask – what's the opportunity?
Have Internal Audit and your organization re-assessed cyber risks as part of return-to-office planning? What additional resources and capabilities will security teams require to manage the increased workload of a hybrid workforce? Has your organization updated its policies and training modules to effectively prepare team members to better understand changing cyber risks?
Digital identity and the growing data privacy risk
There has been increasing discussion in recent months about the risks and benefits of vaccine passports. Many public and private sector organizations believe these are necessary both to reduce the overall risk to the community and sustainably re-open the economy. While there are merits to the conversation, it raises important legal and logistical questions around personal rights, data privacy, and security. These are only magnified by the likelihood such passports will be hosted on a digital platform.
As the Government of Canada continues to collaborate with the provinces on a vaccine passport for international travel, organizations are wise to take a measured approach if they plan to incorporate these in their return to office plans. Given the growing sensitivity around information collection and privacy in recent years, requiring employees to disclose personal information — especially health and biometric data — is likely to invite dissent and potentially legal challenges. Even aside from the unvaccinated contingent, many groups are concerned such a platform is prone to abuse and will be a vector for cyber attacks. Others worry it will unfairly discriminate against those who cannot be vaccinated or marginalize those who otherwise choose not to participate in the passport system.
Organizations considering creating their own vaccine passport systems will likely face even more challenges. Namely, how to create a robust platform that includes all the relevant data to verify employees and contractors are vaccinated but does not capture any more information than necessary. Tools like facial recognition, retinal, or fingerprint scanners can certainly help to build trust in the system’s validity; but these same measures could become a legal and reputational minefield in the event of a breach. Any viable system would be financially costly to produce and monitor — and a poor rollout or onboarding process could irreparably fracture already strained organizational cultures.
Questions to ask – what's the opportunity?
Has Internal Audit assessed employee privacy, security, and data-related risks, especially with the emergence of vaccine passports and internal records that may track who has been vaccinated? Privacy data breaches, whether intentional or unintentional, are incredibly costly, both financially and regarding the impact on your organization's reputation.
Managing the growing reliance on third-party relationships, and the related risks
As recently as 10 years ago, most if not all enterprise software and hardware were hosted in-house on local networks. A business purchased a license for its operating systems, customer relationship management database, human resource management application, etc. The vendor may have offered downloadable updates and software patches — but that was about it.
There were two major downsides to this arrangement: (1) The organization would be forced to purchase the latest version of the software to get the best features and functionality. (2) The organization was fully responsible for keeping the software up to date and securing the platform against any cyber risks.
The rise of cloud capabilities and software as a service (SaaS) offerings has revolutionized the technology landscape. Organizations of all sizes can now get a perpetually updated version of their enterprise software, spread the cost of that software over an annual subscription, and access it from anywhere in the world. Economies of scale also mean many cloud service providers provide much more robust cyber security controls than most organizations could afford on their own. But that peace of mind comes at a cost.
With the on-premises software model, organizations were vulnerable to an attack on their network. Poor cyber security controls or a skilled hacker could easily bring down the entire house of cards. With a growing number of SaaS and cloud services, organizations are now vulnerable to any number of their vendors getting breached. Any one of those attacks could trigger the same breach reporting requirements, result in the same loss of sensitive private or proprietary information, and cause the same legal and reputational consequences as if the organization itself were breached. It’s also possible the attacker could use a vendor breach to gain backdoor access to any of its clients.
The pandemic precipitated a flood of digital transformations as organizations sought to adapt to new business models and a remote working reality. Given the urgency of these changes, it’s likely many of these new vendor relationships did not include a thorough third-party risk assessment or specify in contracts who is accountable for risks such as a breach. This must be a priority for internal audit teams and chief information officers heading into 2022.
Questions to ask – what's the opportunity?
Is Internal Audit effectively assessing the risk of reliance on third parties? Internal Audit needs to continuously evolve the way it audits third-party relationships. There are different approaches for vendors offering a one-time service versus those your organization places a material reliance on long-term to meet targets and strategy. Both can be audited using data analytics, and both offer the opportunity to mitigate risk by effectively designing contracts upfront. However, the greater the reliance on the vendor or the materiality of their work, the more in-depth the risk assessment should be.
Environment, social, and governance
The risk of doing nothing, trying to do too much, or exaggerating
For many leaders, it may seem as if the global focus on environment, social, and governance (ESG) emerged overnight. Suddenly everyone’s racing to catch up on their strategies, initiatives, and reporting. Those feeling pressure from regulators, investors, consumers, and employees to prioritize ESG risk falling into two equally troublesome traps:
The first is attempting to immediately achieve excellence in ESG — and thereby failing to achieve meaningful progress by setting targets that may not be achievable. Each organization will have specific ESG metrics which are well established with reliable data, will be easier to report on, and represent quick wins. These are the best areas to focus on initially, as they will deliver the greatest initial return on investment and provide a strong foundation to progressively mature ESG initiatives.
ESG is not about being perfect, it’s about recognizing where an organization may be falling short in its transparency or its duty to various stakeholder groups. Factors will evolve as the organization grows; adopts new models, methods, and strategic plans; and expands into new markets. Internal audit can play a central role in guiding leaders and boards by advising on relevant ESG risks and opportunities and how these are changing over time.
The other trap is so-called greenwashing — exaggerations or potential fraud — related to ESG reporting. Whether due to ignorance, hopeful thinking, or a genuine desire to manipulate the facts, there’s growing concern some organizations are overstating the extent or impacts of their ESG efforts. This isn’t just a brand or reputational issue either. Regulators are increasingly monitoring ESG reporting with the same scrutiny as any assurance document or financial audit. The potential consequences of an investor relying on information that turns out to be greenwashing could be similar to the Enron scandal that made internal controls over financial reporting a critical requirement today. Internal auditors therefore must take a proactive role to ensure that doesn’t happen in their organization.
Questions to ask – what's the opportunity?
Has Internal Audit assessed the risk related to ESG activities and reporting within your organization? Does your organization understand the opportunity and risk related to ESG? There is a great opportunity for Internal Audit to play a proactive role in educating your organization (i.e. advisory engagements). Does your organization know how it compares in terms of ESG maturity, in relation to competitors?
Global uncertainty
A different world in 2022 and beyond
The new normal has overstayed its welcome as the pandemic’s most overused buzz-phrase. It first emerged as a declaration of optimism: “Things are bad now,” so the thinking went. “But surely this will give us a chance to do away with the worst of the world we knew before; and preserve the best of our institutions and ideals in the decade ahead.”
This seemed all too feasible through the initial thrust of COVID. However, the longer the crisis persisted, the faster that optimism faded away. It’s becoming increasingly apparent the post-COVID world likely won’t feel anything close to normal for quite some time, and we’ll likely never go back to the world we knew before.
Concentrating capital and power
Small and medium-sized businesses have by far felt the worst impacts of the past 18 months, with many recording significant losses and permanent closures through the various lockdowns. The longer it takes to achieve a sustained economic re-opening, the more future economic wealth will concentrate in the hands of large national and multinational corporations. This in turn will make it even harder for owner-managed businesses to compete.
In the short term, this may seem rather favourable for bigger firms. For the time being, this remains an open question. One thing that’s certain is it will have definitive effects on the risk/opportunity landscape. Will there be more consolidation? A decisive shift away from bricks and mortar? Accelerated automation and less need for unskilled labour?
Changing communities and economies
Tourism-based economies have been severely impacted under travel bans. It’s hard to say if and/or when people will feel comfortable flying, cruising, and visiting distant locations once again. The longer the current situation remains, the harder it is going to be for some places to retain the people and businesses required to sustain a community — or at least the community that was.
For the first time since the mid-twentieth century, manufacturing and logistics capabilities are also returning to Canada and the U.S. This re-shoring is largely a response to supply chain disruptions early in the pandemic along with concerns that it will be increasingly difficult to get products across borders. As some communities seek to combat their decline, others face questions around how to scale up to meet this likely demand. International businesses will need to determine whether to prioritize their business in other countries, at home, or whether it’s possible to retain a truly global presence.
Finally, it’s also important to consider the living habits of a remote workforce. Will people stay put if they no longer need to live downtown or within easy access to transit infrastructure to do their work? How will this possible flight to the suburbs or even more rural locations impact local economies for better or worse? Might this be a passing trend or a permanent fixture — and how would that impact how organizations grow and structure their presence in emerging communities?
Questions to ask – what's the opportunity?
Has Internal Audit assessed the strategic scenario planning being done by your organization to understand the variables and options your leaders are evaluating in order to navigate the changing communities and economies going forward? Is your organization able to anticipate and respond to its changing environment on a real-time basis? The current uncertainty and potential need for (material) change is unprecedented, bringing both great opportunity and risk. It is critical that Internal Audit ensure your organization is actively evaluating and monitoring its ever-changing external environment and responding appropriately.
Conclusion
In conclusion, the risk trends facing organizations that internal audit must assess have become so integrated and uncertain that it is more important than ever to embed continuous risk assessment. No one knows exactly what 2022 and beyond will look like, but we certainly will see constant innovation, dependence on technology, a growing focus on ESG, more reliance on partnerships (co-sourcing), and never-ending educational needs. Uncertainty is the new norm, and therefore risk management has become more critical for success than at any other time in history. This is a great opportunity for Internal Audit functions to step up and not only be a trusted advisor helping leadership and the Audit Committee, but also to bring proactive risk assessment and foresight that will bring material value to your organization.