An Ounce of Prevention is Worth a Pound of Cure
Risk Management | 3 Min Read | 16 February 22 | by Suneel Sahi
Up, Up & Away
Last week I boarded a transatlantic flight from London to the U.S. and apart from the security checks that we have all become accustomed to, the guidance from the airport ground staff and the mumbled voice projected over the ear-crackling speakers were very conversant (once you could hear them). Let me explain! The airport would have had to update its processes and controls in line with the virus and additional COVID-19 tests that passengers need to adhere to before they can even step foot on a plane.
Just to be clear, I am not someone who wanders through airports leisurely looking for flawless instructions. I usually drift through with a coffee in one hand while wrestling a stubborn suitcase in the other, as the four wheels disobediently spin in all directions.
Airports have had to pivot their operations to survive the pandemic and adopt the ever-changing guidelines that have been imposed by governments. Without the implementation of a solid internal control framework, they may not have been allowed to operate efficiently in the pandemic and continue their business.
Internal controls are essential to the survival of an organization. I recently had the opportunity to listen, learn, and moderate a session on this very topic titled “Internal Controls for the New Norm.”
Some of the discussion points included:
- The effectiveness and risk assessment of current internal controls in a changing workforce dynamic
- Evaluating the impact of cyber issues on internal controls and systems
- Identifying elements of how technology has and will continue to impact the design and development of internal controls
Watch the Webinar: Internal Controls for the New Normal
Below are the highlights from my conversation.
Two years into the COVID-19 pandemic, much has changed. Although on the medical front various concepts have advanced, the chaos caused to organizations and their professionals resulting from lockdowns and mandates has impacted every aspect of compliance, operations, and financial reporting. It goes without saying that internal controls have also been impacted.
This all comes at a time when the requirements outlined by Sarbanes-Oxley have not changed and other regulatory requirements on internal controls have stayed static. However, we must ask if management has maintained a consistent focus on control processes. At the same time, controls over financial reporting have deteriorated in many cases because of the dynamics of a remote work environment including:
- Timelines for financial reporting have been stretched
- Simple processes such as approvals and reconciliations have had to adapt
- Availability to personnel and auditors has changed
Then there are things that have changed, including:
- Technology has advanced but many professionals have not advanced their knowledge with the times
- Cyber security has become an increasingly important issue
- Fraud risks have increased during this time
Ultimately, changes in the workforce, remote working, and in the business as a result of COVID-19 may increase control deficiencies, making risk assessment more important than ever.
In today’s environment, consider some of the following risk areas and how they may impact your organization.
- Revenue, supply chain, technology, and other infrastructure disruption
- Processes that are reliant on a select few resources and may require updates to the delegation of authority
- Processes that are highly manual
- Areas that are susceptible to fraud
- Areas where resources have been significantly impacted
- Information technology controls
You can’t control the wind, but you can adjust the sails
At MetricStream, we can navigate you in the right direction, as we focus on continuous risk monitoring.
Our solution updates the audit universe and libraries periodically in response to changes in the organization’s business, operations, programs, or systems. There is better collaboration across resources to create dynamic audit plans.
We focus on cyber security through:
- Cyber risk quantification
- Continuous control monitoring and automatic evidence gathering
- Risk treatment and response
With ConnectedGRC, we enable collaboration between different lines of business. We integrate GRC to achieve the common ultimate objective. With a federated data model and a common risk and control language, our cross-product insights make information sharing easy and effective.
This blog is part of the Instagram of Risk Blog Series, authored by Suneel Sahi, VP, Product Marketing at MetricStream, which captures discussions and insights trending in the risk community.
Read his most recent blog for a quick recap on “moving from risk to resilience and making your organization anti-fragile.” Check out Suneel’s other ‘Instagram of Risk’ blogs on the key takeaways from the Chartered Institute of Internal Auditors event in London, the European Compliance Week event, and the October 21 MetricStream GRC Summit held in London, Copenhagen, and Zurich.