Tax evasion – minimising risks
Internal audit is ideally suited to minimise the risk of facilitating tax evasion.
Internal audit is ideally suited to support organisations in minimising the risk of facilitating tax evasion.
Any business entity will be automatically liable if it fails to prevent tax evasion by an employee or an associated person, even if it was not directly involved in the act or was unaware of it. A prosecution could lead to a criminal conviction and unlimited penalties.
Criminal liability may be avoided if a business already has reasonable prevention procedures in place, or if it can demonstrate that it would have been unreasonable or unrealistic to have had procedures in place. So what are reasonable prevention procedures? And how can internal audit support their organisations to minimise risk associated with facilitating tax evasion?
Internal audit is in a unique position to help as it will already have sufficient knowledge of its own organisation’s risks, controls and potential weaknesses. It can provide strong support to ensure that appropriate procedures to minimise exposure are in place.
The Criminal Finances Act 2017 (CFA)
The CFA was given Royal Assent on 22 April 2017. It is intended to address some perceived weaknesses in existing legal frameworks and strengthen the powers of law enforcement in four key areas: unexplained wealth orders, interim freezing orders, the Suspicious Activity Reports (SARs) regime and failure to prevent facilitation of tax evasion.
Although some of these changes only affect regulated firms, failure to prevent the facilitation of tax evasion by ‘associated persons’ applies to any business entity, whether regulated or not.
What are the key provisions of the Act?
The Act sets out two new offences:
- failure to prevent facilitation of a UK tax evasion offence
- failure to prevent facilitation of a foreign tax evasion offence.
These two new offences criminalise three types of behaviour:
- a UK-based body failing to prevent those who act on its behalf from criminally facilitating UK tax evasion
- a non-UK based body failing to prevent those who act on its behalf from criminally facilitating UK tax evasion
- a UK-based body failing to prevent those who act on its behalf from criminally facilitating tax evasion overseas where such evasion is a criminal offence under local law.
What is the difference between tax avoidance and tax evasion?
Tax planning entered into with an honest belief that it is a legal method of reducing tax liability is not tax evasion provided there has been no dishonest misrepresentation or non-disclosure to HMRC. Tax evasion is the unlawful non-payment of taxes that are legally due, such as a deliberate, intentional failure to declare income on investments held offshore or payments of falsified expenses to an offshore structure to dishonestly create deductible expenditure.
What is meant by the facilitation of tax evasion by ‘associated persons’?
Associated persons has a broad definition and is defined as an employee, agent or other person who performs services for or on behalf of the business entity. This could include suppliers, contractors, sub-contractors, intermediaries, agents, subsidiaries, distributors, joint ventures, business partners, related entities and advisers.
Facilitation can include examples such as when an employee is persuaded by a client to re-issue an invoice to a foreign/offshore company to avoid incurring VAT, or a tax adviser approved by a financial institution to assist with a customer’s tax matters knowingly assists the customer to evade tax. There are many potential scenarios depending on the nature of the business and the type of transactions it conducts. Large, international corporations with complex, disparate business structures and operations are likely to be at risk.
What are the common risk areas?
Some examples include the following:
- customers – background and probity of customers, such as non-residents
- countries – tax jurisdictions that turn a blind eye to tax evasion
- business sector – financial/tax advisers giving advice to clients, legal advisers and accounting firms operating offshore
- transactions – contrived to evade tax
- opportunity – dishonestly exploiting business structures and environments, such as projects involving many parties or multi-jurisdictions and intermediaries
- product – high value, small in size (eg mobile phones, computer chips) often used in facilitating VAT carousel frauds
What are ‘reasonable prevention procedures’ to prevent facilitation of tax evasion?
Businesses are not expected to be able to eliminate all conceivable risk of an associated person facilitating tax evasion, only to be able to demonstrate that the procedures they adopt are reasonable for their business environment. If put to the test, it would be for the courts to determine what was reasonable. HMRC guidance puts forward six guiding principles as to what constitutes ‘reasonable prevention procedures’:
- Top level commitment: The guidance expects senior management to drive the design and implementation of procedures. This should include clear and genuine board-level commitment to preventing the facilitation of tax evasion.
- Risk assessment: HMRC guidance describes a risk assessment as ultimately requiring the assessors to '"sit at the desk" of their employees, agents and those who provide services for them or on their behalf and ask whether they have a motive, the opportunity and the means to criminally facilitate tax evasion offences, and if so how this risk might be managed'.
- Proportionality of risk-based prevention procedures: HMRC has indicated that they are not expecting the procedures to be unnecessarily burdensome, but they should be realistically proportionate to the identified risks.
- Due diligence: Businesses will be expected to undertake due diligence into ‘associated persons’ in sufficient depth to identify potential risks and mitigate them accordingly. The guidance warns against adapting existing due diligence procedures for any new risks identified.
- Communication (including training): HMRC expects all staff to be made aware that they are expected to have a zero tolerance attitude to the facilitation of tax evasion. Clear communication and training are important to ensure that procedures are fully understood and properly implemented.
- Monitoring and review: Risks must be kept under constant review. As risks evolve within the business, procedures should be reviewed and updated. This could involve anything from discussions with staff to a formalised feedback procedure.
How should I start the assessment?
Establish, if necessary with the support of tax specialists, any schemes, transactions or business arrangements in the UK and overseas that have been facilitated by ‘associated persons’:
- identify the types of tax evasion scenarios that associated persons could instigate that may affect the business – to include motives, opportunities and means
- identify the network of ‘associated persons’, number and their role in the business
- assess all potential risk areas (eg country, business sector, supply chain, etc.)
- establish the existing level of internal controls and assurance around the probity of people, schemes, transactions, business arrangements and tax advice facilitated by ‘associated persons’.
What risk mitigation steps should I consider?
Proportionate procedures, if needed, depend on the scale of potential risk. These could include:
- board communication to employees
- clauses in contracts with employees and external contractors requiring them not to engage in facilitating tax evasion, and to report their concerns
- staff training to recognise and prevent fiscal crime
- staff bonuses that encourage reporting and discourage pursuing profit to the point of ignoring tax evasion
- provision of a confidential whistle-blowing channel
- designing new controls for areas at risk
- regular monitoring procedures, especially for high risk operations
- reviewing risks associated with finance, billing and invoicing
- regular reviews of existing preventative controls.
What should my priorities be to ensure compliance with this new legislation?
Protiviti has put together a four-point plan:
- Understand how the new legislation affects your business and its commercial relationships: Many of its provisions relate to increasing transparency and information sharing, preventing suspicious money trails from going any further, and tackling financial crime. Some businesses are likely to be more vulnerable, including those with complex and non-transparent company structures; tax planners and private clients with large asset holdings in low tax offshore jurisdictions; and entities such as religious organisations and charities, which may be used as a vehicle for money laundering.
- Review and update policies and procedures: Senior management need to ensure that policies and procedures are updated and communicated in a clear and practical way. Firms will be expected to demonstrate that they have ‘reasonable prevention procedures’ in place to combat the facilitation of tax evasion and should consider whether new or additional procedures are necessary, including those for associated persons, depending on risk levels and potential exposure.
- Prepare and train staff: Identify staff likely to be affected by the new legislation, such as customer-facing teams, compliance and internal audit. Provide training to ensure that they are aware of legislative changes and the impact on their role. Circulate regular communications to reinforce the company’s policy and staff responsibilities.
- Review existing commercial relationships: Consistent with taking reasonable prevention procedures, firms should adopt a risk-based approach to dealing with the assessment of their existing relationships. This might include a review of those that could expose your organisation to the risk of tax evasion. Regulated firms may already be covered as part of their periodic review of know your customer information for anti-money laundering purposes.
John Cassey – UK forensic director, Protiviti
Are you anchored to your sector?
Internal audit can open up considerable career opportunities – are you making the most of them?
Internal audit can open up considerable career opportunities – are you making the most of them?
Internal auditing is often promoted as an ideal training ground from which to launch your career within an organisation. A key selling point is that it exposes you to many business disciplines from finance through to purchasing, production and sales. This cross-organisational involvement gives internal auditors an insight into the business as a whole that few other careers can offer, outside of joining a well-structured graduate trainee scheme.
Normally, in tandem with pursuing a professional accounting or auditing qualification, after a few years an internal auditor will have a set of skills and business understanding that will equip her or him to move out of audit and into other another position, be it finance, operational management, risk or a project oriented role. Indeed there are numerous examples of internal auditors rising through the ranks to become CFO or CEO.
While this traditional view of how an audit trainee may progress still holds true in many instances, internal auditing has moved on considerably in the past ten years and it has now clearly established itself as a profession that can offer a challenging career in its own right. We have seen internal audit teams develop from a more generic group of reviewers to an increasingly diverse team of professionals with specialist skills in specific business and technical areas. This has been particularly noticeable in highly regulated businesses such as banking and financial services, where the complexity and detail needed to understand risk and its mitigating controls can require very specific skills.
Broadening across all sectors
This is a trend, however, that is broadening across all industries and so we may see requirements for specialists in areas such as outsourcing, project management or data analytics. To a certain extent such changes have opened the auditing profession up to non-audit specialists who can bring very specific talents gained within another discipline to contribute to the audit team.
This may be seen as increasing the competition for certain roles, but the more forward thinking organisations have for some time organised secondment schemes that will rotate auditors out into the business and specialists back into audit, so broadening the skill base of all involved, which will in due course enhance their future marketability in the job market.
While the increased requirement for specialist skills in some areas may limit the opportunities for those that don’t have them, perhaps a more common concern amongst job seekers is that they are limited by the industry specific experience that is often requested.
As a recruiter, my clients frequently ask for candidates who can demonstrate experience gained in their particular sector, or even sub sector. Some industries are demonstrably more demanding in this requirement than others, including banking, insurance, the oil industry and telecommunications. Some of this may be down to genuine necessity, where lengthy training may be required to understand the risks of that industry which a line manager hasn’t the time to give.
Often it may be due to regulatory pressures with teams closely scrutinised to ensure they have the competencies a regulator may expect. Most often it is because there may be a relatively large pool of auditors servicing a particular industry and, given the opportunity to ask for industry knowledge, an employer simply will do so because it is likely they will find it.
It is not surprising that an internal auditor seeking a new role in a different industry may become disheartened, feeling stuck in the sector that they are currently working in. But is industry experience really the key competency that chief audit executives are looking for? Many recent surveys, including our own, would suggest that, while industry knowledge is a factor that is considered, it is rarely at the top of the wish list.
The Institute of Internal Auditors has compiled a list of top competencies required by internal auditors. By a clear margin the most relevant competency is ‘communications skills’ and while most recently this has been followed by ‘knowledge of industry and regulatory skills’, close behind are ‘problem identification and solution skills’, ‘business and commercial acumen’ and ‘IT frameworks, tools and techniques’.
This said, a similar poll by the IIA in 2012 put ‘analytical and critical thinking’ in top place, ‘communication skills’ in second and ‘industry-specific knowledge’ down in seventh place. It is clear that modern internal audit roles require a whole suite of skills and many of these are highly transferable.
This is backed up by a recent survey in our Internal Audit 2018 Market Report. Employers were asked to state the greatest challenges they faced in recruitment. While 39% stated the biggest challenge was finding suitable technical skills, a significant 29% said that finding those with appropriate interpersonal skills was most difficult.
Moving between industries will be easier for candidates who can demonstrate a range of skills outside of industry knowledge, ideally those highly prized by chief audit executives. Karen Connell, audit director at Prudential, in an interview for the report noted that the key things she looks for in a CV are ’examples of senior client engagement, people leadership, committee presentations and innovation'.
Also, she was not tied to relying on industry experience so long as candidates could demonstrate a good appreciation of risk and that she could get a sense of their motivations and passion for what they do.
Be well prepared
This leads on to an important point for those looking to change sector. If candidates are going to outweigh any relevant industry skills with other transferable skills then they must be well prepared. They must understand what skills will be relevant to the role, either by having studied a job description or having reviewed a company website to glean any information available. Many interviews may be guided by the organisation’s values and applicants should be clear on what these values are in advance.
But it is not enough just to relay your appreciation of values, or to explain that you have strong communication skills, business acumen, people management or problem solving skills. Employers will want you to give them real examples of when you have utilised these skills and any issues you faced or overcame in the process. They want to see that that you appreciate that they are important skills to have and that you know how to use them in the workplace.
In the same way, if the ideal candidate has industry skills that you are missing, then you must be able to demonstrate how you would compensate for this: what experiences do you have that can offer an alternative approach; show how you have undertaken training in the past to cover gaps; or how you have assimilated quickly to new environments.
Despite the trend for auditors with industry specific skills, many employers will place greater value on those auditors who can interface with stakeholders on different levels. In these cases, skills such as the ability to influence, emotional intelligence, change management and relationship management will be highly sought after. For candidates who are well prepared and ready to demonstrate their transferable skills to prospective employers, moving to a different industry sector is certainly possible.
Tim Sandwell is a director of Barclay Simpson, international specialists in internal audit and corporate governance recruitment. Download their internal audit market report 2018 now.
Agile projects – a whole new world
The Secret Internal Auditor shares some thoughts on the internal audit of agile projects.
The Secret Internal Auditor shares some thoughts on the internal audit of agile projects.
If you are new to the internal audit of agile projects, as I was, my advice would be to approach with caution. The initial reaction would likely be ‘are they trying to blind me with science or completely baffle me?’
You will have to learn a whole new lexicon and are likely to think you have stepped into a parallel universe where ‘Pi’ has nothing to do with the circumference of a circle, or that you have joined some sort of bizarre fitness class when the ‘scrum master’ starts to talk about the latest ‘sprint’. If you take a look in the SAFe glossary you will find definitions for over 90 words and phrases, so that tells you that this is less of an extension of the language, more like a new language.
Reference materials tell you that the benefits of agile projects are transparency and alignment (business with IT), but transparency does not work if the language is not understood. Once you penetrate the language fog it will start to make sense, but it is no bad thing to keep in mind what the equivalent would be in the more familiar ‘Waterfall’ or ‘Prince’ approach - after all you are probably being asked to provide assurance that the project will deliver on time and in budget and you should not lose sight of that.
A good starting point is to consider how the project is being reported to the steering committee (although this may have a different name in the agile world) and upwards, and if that reporting is not in simple business language, using terms that are understood by all, then you need to ask whether the recipients of these reports, particularly those that are the decision makers in the company, speak ‘agile’.
For a more in-depth look at the agile methodology, take a look at this month’s CPD article, written by Chris Wright.
The Secret Internal Auditor works in internal audit in financial services somewhere in the UK
Agile audit of agile projects
CPD article: Christopher Wright offers advice and tips for auditors of agile projects.
CPD article: Christopher Wright offers advice and tips for auditors of agile projects.
Reading this article and these related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units.
As an auditor I need to know what agile really is, how it works in practice, the audit principles, so that I can plan and do my work. I will achieve this when:
- I understand agile principles and how they differ from other approaches
- I have the confidence to undertake an audit of agile projects
- I know where to go for further information
- I can pass the MCQ CPD test.
What is ‘agile’?
Agile is one of the most misused buzz words in modern organisations. It is often taken to mean low cost, cavalier, with little or no need for governance or controls. This is not true; the best definition is from the 2001 Agile Manifesto:
‘We are uncovering better ways of developing software by doing it and helping others do it. Through this work we have come to value:
- individuals and interactions over processes and tools
- working software over comprehensive documentation
- customer collaboration over contract negotiation
- responding to change over following a plan
- that is, while there is value in the items on the right, we value the items on the left more.’
Unlike some other approaches (eg Prince2) the emphasis is more on the actual outputs – deliverables and improving collaboration team work to achieve it. There is less emphasis on the inputs (tools used) or the process (relying on a plan). As auditors the last sentence is particularly important as it emphasises that there is still value in documentation etc. Interestingly, many organisations omit this sentence when copying the manifesto (BTW – this infringes the manifesto authors’ copyright).
The manifesto is supported by 12 principles. These can be summarised as:
- focus on early, frequent, continuous deliverables (based on business priorities) of useful product
- welcoming change as the project progresses
- business people and developers working together
- motivation of self-organising teams with feedback and improvement
- keeping it simple but still paying continuous attention to technical excellence.
Unlike a traditional waterfall type approach, the focus is on getting a product in use (a ‘minimum viable product’) and then refining it. A waterfall project completes all requirements, design, build, testing and release for a phase together. At any one time in agile, different products for the project may be at different steps of development. There is also an emphasis on change – the project may change in response to changing business needs or technical developments. Waterfall projects are less flexible – they are not agile.
If a waterfall project is abandoned after say six months, you will probably have only some expensive documentation to show for it. If an agile project is abandoned after six months there should be some useful deliverable that is being used by the business to derive benefit, and information will have been gathered to help with future projects. The real risk is that the waterfall project may not have been identified as a potential failure after just six months and may have consumed even more resources. Agile is about daring to ‘fail quickly’.
There are times when a waterfall approach may be better than agile – for example if there is unlikely to be significant change of requirements or technology, or if there are significant regulatory or compliance requirements for the project. Organisations should set policies as to how each approach is used. Sometimes a hybrid approach will be used (‘wagle’ – or cynically called ‘fragile’). Agile and Prince2 are not mutually exclusive. Prince2 Agile™ has been developed to combine the requirements for governance with the need for flexibility and responsiveness (see references below).
How do you ‘do’ agile?
Now we know what agile is – but how do we do it? Agile should be considered as an approach rather than a strict methodology. Agile can be applied not only for software development projects but is also used in civil engineering and in planning and even in conducting audit and assurance reviews. The most commonly used approach to applying agile for these is the ‘scrum approach’ – the principles are similar in some of the other approaches.
In scrum multiple, independent small teams organise themselves to work intensively (usually in sprints of about 30 days) to produce useable deliverables. We will consider the main steps in the approach and key players.
Key sprint steps
- Vision / idea
- As with all projects, there needs to be a vision – some perception of business benefit that can be achieved. This will include a high-level risk assessment and estimation of costs and benefits to be achieved - it may also consider whether the agile / scrum approach is best for this project.
- Requirements are stated in user stories (see example ‘as an auditor’ at the top of this article). Each user story states the user, what is to be achieved, why and the acceptance criteria. These are summarised in a prioritised product backlog.
- Sprint planning
- Requirements from the product backlog that are to be delivered in that sprint are known, selected and finessed.
- Sprint iteration
- Procedure for selecting requirement will be designed, built, tested and deployed.
- Daily sprint
- A short daily meeting to identify any blockages and seek their resolution.
- Often a show and tell – where the product is demonstrated to key stakeholders.
- The retrospective
- A private team meeting for lessons learnt during the sprint and how these can be applied top future sprints
- Start next sprint (Step 3 above).
Key sprint players
- Product Owner (PO)
- The main business representative – embedded within the team who owns the product backlog / deliverable, sets priorities and is responsible for ensuring actual return on investment or business benefit is achieved.
- Scrum Master
- Acts as a team coach to help the PO and team with applying the scrum approach, ensuring resolution of risk and issues.
- Scrum Team
- Provide the technical delivery capability and subject matter experts.
How do you audit ‘agile’?
Like all audits, an agile project audit will have the following main phases:
- preparation and planning
- fieldwork and evidence gathering
- QA review
- report publication.
However, the timing and conduct of each of these may differ for an agile project.
Preparation and planning
The auditor should become familiar with their organisation's agile approach / policy, methodology / standards etc (even if only in the form of training materials). This will inform the audit and provide an authority for any findings, including compliance with this process – if these artefacts are not covered – there’s your first audit finding.
Next perform a risk assessment of the project to identify the key audit objectives. The standard risks for any project still apply; however, the impact and likelihood for these will be different:
- cost – in theory agile fixes the costs and any new functionality should only be added when functionality with a lower benefit is removed. Early releases will give an indication of the accuracy of the effectiveness of delegation of budgets
- timing – by looking at planned dates and lengths of scrums etc the auditor will be able to see if releases are effective. Also, as each release is made a burn down rate will show how the product backlog is being cleared by the iterations to date
- quality of deliverable – by discussion with the product owner and review of functionality delivered the auditor will be able to confirm that useable products are being generated.
In addition to the above the auditor may wish to consider:
- agility risk – is there evidence of flexibility in approach to meet changing requirements?
- technical debt - have some parts of the functionality been delayed to a later stage (including security and control features) – which may result in hidden costs?
Finally agree the terms of reference, including the timing and reporting arrangements. A waterfall audit approach will likely be based upon the key stage gates of the project (eg end of design, pre-go live). For an agile project these will be at different times for different releases / iterations or sprints. By the time the last sprint has started detailed planning or design most of the product should be issued and available. Hence a different approach is required – one based on little and often auditing.
Fieldwork and evidence gathering
As the auditor can expect less documentation there is a need for greater observation and judgement. Evidence may take the form of whiteboards (a camera is useful), slide packs of show and tell sessions, emails of meeting findings.
It is important for the auditor to ensure that this includes all regulatory, control or security issues – if they are not included they are unlikely to be built – which could lead to unnecessary risk issues or delays later.
These can often delay an audit – we need to be agile in our own approach. For example, if we discuss the factual accuracy of the findings with scrum master and product owners, with sufficient caveats, they will probably start to implement these during this or the next iteration – thereby making our audit more effective even before the report is issued.
The report should be brief and ideally in a format to follow the audit approach (for example, user stories can help convey requirements).
Christopher Wright BSc(Hon), CISA, MBCS, MAPM
A certified ScrumMaster, Chris has over 35 years’ experience of providing audit and IT advisory and risk management services, and is a qualified accountant. Sector specialisations include aviation and travel, oil and gas and the public sector. For the past 12 years he has been an independent consultant specialising in GRC for major enterprises. During this time he has seen a significant change from traditional to agile project management and has developed a number of techniques and tools to provide effective audit, control and governance frameworks within these revised approaches.
He has run agile audit training for a variety of organisations, has spoken at a number of UK and international conferences on agile and has published books including Agile Governance and Audit.
- Scrum Alliance
- Agile Manifesto
- Agile Governance and Audit, Christopher Wright
ITGP, 2014 (ISBN 9781849285872)
- A Guide to Assurance of Agile Delivery, APM
2017 (ISBN 9781903494707)
- Agile Project Management for Government, Brian Wernham
- Prince2 Agile™
Axelos 2015 (ISBN 9780113314676)
- Prince2 Agile™ An Implementation Pocket Guide, Jamie Lynn Cooke
ITGP, 2016 (9781849288071)
Should we worry about disruptive technology?
Internal audit is all about managing risk. What impact can new technology have on that?
Internal audit is all about managing risk. What impact can new technology have on that?
Our technology driven world moves faster than ever, so you have to be aware of disruptive technology whatever sector you work in. But do you need to change how you have always audited?
With or without disruptive technology, you need to identify risks, decide whether to accept them and also mitigate them. Is the risk more dynamic with disruptive technology?
What is disruptive technology?
Disruptive technology is generally defined as innovation that creates an entirely new market and value proposition, disrupting the old established market and significantly altering the way businesses operate.
Netflix almost singlehandedly destroyed companies such as Blockbuster over only a few years by delivering content as opposed to physical product. Uber tackled the taxi industry without owning any cars or hiring any drivers by purely offering logistic and payment services.
Open banking has the potential to dramatically change the financial marketplace by allowing companies to offer financial services traditionally only offered by banks, and allowing customers to choose how their finances and data from multiple providers is managed.
Banking itself has moved away from the traditional bricks and mortar bank buildings towards digital offerings, and for some digital banks, no physical presence at all.
Cryptocurrencies, while still speculation in the main currently, have taken over certain payment functions, and are seen by many as an effective way to avoid regulation or existing financial services. P2P services of all kinds are springing up, including peer to peer lending, delivery services, sales, payments – and other decentralisation services are further set to disrupt industry.
Pace of change
These all bring revolution to an industry or business area. Disruption has come to industries throughout the ages, just think of the internal combustion engine, or flight, or the telegraph, but the technological age is dramatically accelerating all change.
Computers allowed much more accurate and rapid calculation, modelling and storage of data. The internet allowed an unprecedented level of connectivity with other businesses and customers. And now the advent of cloud services and ways to connect globally has dramatically increased the pace of change recently.
Companies that are comfortable with high levels of risk are often able to realise the potential of disruptive technologies and can speculatively build innovative processes in order to gain business advantage, while companies that are more risk averse and leave innovation to others may find the cost of being late to market outweighs the risk if the disruption is significant.
Changed business models lead to a range of problems for audit and risk teams. Process maps for traditional ‘bricks and mortar’ businesses are well understood, and risk areas can be identified through quantitative and qualitative methods with a reasonable degree of confidence.
New technologies bring new or changed concerns:
- methods that may have previously identified high risk processes may no longer work
- key control deficiencies may not be evident, and in fact gaps in controls may be difficult to identify
- reconciliation of ledgers against inventory may be impossible if any inventory sits with third parties.
Of critical importance to the examples listed above, and countless others, are connectivity and big data. If your key data processing is handled ‘in the cloud’ and you rely on it real-time, then connectivity is essential. Single points of failure, whether internet points of presence or third parties providing processing, analysis or storage as a service, should be assessed for criticality.
Volumes of stored data are considerably larger than ever before, and moving the value proposition towards analysis of metadata brings new points of interest, especially when looking at security or privacy controls.
While the core requirements for protecting data at rest are broadly understood, with the move towards analysing that data, using tools based within an organisation, at third parties, or in the cloud, the metadata, analysis results or aggregate store may now be the ‘crown jewels’ for an organisation. Protecting the crown jewels appropriately to ensure confidentiality, integrity and availability are maintained often requires a change in focus when disruptive technologies are implemented.
Where should your focus be?
Auditing technical controls?
Many technical controls remain the same, or at least similar to those used in organisations with traditional technology. Access controls, user permissions, security controls, single points of failure and so on can be assessed using the same methodologies and tools as previously used.
Ledgers will still exist, so should be audited accordingly, whether they sit in-house, with third party service organisations, or distributed amongst end points or in the cloud.
Managing technical risks?
An obvious question here is, ‘Do you understand the process changes with any new technologies?’ For example, if no one in your audit or risk teams is experienced in the mathematics underlying cryptocurrency or blockchain, how will you assess the implementation?
Instead, look at the controls mitigating the risk of an error in implementation, such as code review and validation, development frameworks, penetration testing and so on.
Managing innovation risks?
As mentioned, innovative organisations tend to tolerate higher risk in order to innovate. Often this risk tolerance is endemic to the organisation, or at least to innovation teams, so a company with a high acceptance of risk may require reviewing governance processes more closely across the entire audit and risk universe.
Understanding process flow?
If the company doesn’t have an end to end model for new business processes, understanding and assessing the risk from them is going to be considerably more onerous. Working with the business to map this out is essential, but will require experienced team members or consultancy – this is unlikely to be a simple, checklist-based exercise.
Policy often doesn’t keep up with the pace of change of disruptive technology – auditing against policy is one part of the picture, but as a professional, assessing the policy against industry and regulatory standards, as well as leading practice, may be more useful to your organisation, highlighting weaknesses that require remediation in policy.
Do you need to worry about it?
You do need to understand the changes to existing risk management techniques and methods, and invest where needed to boost capability.
Understanding the risk from disruptive technologies requires significant additional focus on technology elements, changes to business processes, risk appetite and policy, but current controls should continue to be assessed using existing methodologies.
Treat audits of disruptive technology as significant complexity and staff accordingly, drawing on highly technical teams, or investing in training and development of audit plans to cover these new and disruptive areas.
And as I mentioned before, the pace of change of technology continues to increase, so building in a continuous development and assessment process for your audit capability is useful.
Rory Alsop, FInstISP, CRISC, C|CISO, CISM, CIPM – director, Information Security Forum; research director - ISACA Scotland and deputy chair - Scottish Branch of the Institute of Information Security Professionals
Internal audit conference 2018
Early bird discount available on our unmissable IA conference.
The theme of ACCA UK’s annual Internal Audit Conference this year is Internal Audit in a Changing World. Benefit from our early bird offer and pay just £189 for a whole day of learning from our panel of expert speakers.
ACCA UK Internal Audit Conference 2018
Tuesday 15 May 2018 | 10:00 –16:45
Crowne Plaza NEC, Birmingham
Early booking discount: Save £20 and pay just £189
when you book before 15 April 2018
Book your place online now
Alternatively, download a paper booking form here
The internal audit landscape has changed hugely over the last 30 years, moving from the internal control questionnaire (ICQ) approach, through systems-based auditing and into risk-based approaches. It has seen a sea change from internal audit being defined as 'a service to management' to today’s widely accepted definition of an 'independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations…accomplish its objectives…and improve the effectiveness of risk management, control and governance processes'. (Source: International Professional Practices Framework (IPPF), The Institute of Internal Auditors.)
The transformation continues, at seemingly ever increasing pace with, among other things, new technology, demands from stakeholders for better and predictive assurance on business delivery, new business models, greater regulation, and, whether it’s seen as a threat or an opportunity, the advent of AI. Internal audit needs to continue with developing agility, integration, transparency and the prognostic approach that together demonstrate its value to stakeholders, and the Conference will explore these ideas. Key sessions will include:
- coping with modern technology (automation and agile)
- leadership – the role of a leader within an audit
- what does a CEO/chairman look for from internal audit?
- internal audit relationships – are they really effective in your organisation?
- the medium to long term future of internal audit and the macro-economic environment.
Webinars: big data and how to use it
Webinar series: Big data and how to use it.
Webinars: De-mystifying IT audit for business auditors
Webinar series: Big data and how to use it.
ACCA UK's Internal Audit Network is running a series of four webinars on Big data and how to use it in 2018. The series will run from March to May and will feature different speakers for each webinar. The webinars will cover what big data is, the legislation around it including GDPR, assurance from an audit perspective, and how internal audit can use data to provide assurance.
You can register for any or all of these webinars here.
Webinar series (7 CPD units): De-mystifying IT audit for business auditors - stop being afraid of the black box.
Webinar series: De-mystifying IT audit for business auditors - stop being afraid of the black box.
ACCA UK's Internal Audit Network held a series of seven webinars on de-mystifying IT audit for business auditors in 2017. The series started in May and concluded in November with a webinar about the General Data Protection Regulation (GDPR). It featured three main presenters - Vincent Mulligan FCCA (IT Audit Consultant at Eisteoir Consulting Ltd), Mike Hughes CISA, SGEIT, CRISC and Steve Connors CISM, FIPA, FFA (both partners at Haines Watts).
You can watch any of these on demand - get 7 CPD units if you watch them all - by registering here.
The webinars covered:
As accountants and auditors, we recognise the importance of Information technology (IT) on organisations and that the examination of the management controls over IT and the management of information is an essential part of a review of those organisations. In this introductory session, we will consider some of the ways we organise ourselves and the approaches we adopt to conduct these reviews.
IT general controls
ITGC or General Computer Controls (GCC) are controls which relate to the environment that supports our IT applications and which are therefore applicable to all applications. In this session, we will consider the nature of these ITGC, the challenges we face reviewing them and the approaches we can use to audit them.
Application audit review
Application controls are controls that we have implemented over our application systems to ensure they operate as intended and ensure the accuracy and completeness of the data, calculations and records. In this session, we will consider the types of these controls and the approaches we can use to audit them.
Infrastructure audit review
IT infrastructure consists of the hardware, software, network resources and IT management services that we leverage to deliver the IT environment that supports our organisations. As the complexity of our IT environment increases and our dependence on IT grows, providing assurance on the effectiveness of the controls over these assets and services is critical to management and other key stakeholders. In this session, we will consider how we can effectively review IT infrastructure and the organisations and processes we have put in place to manage it.
Integrating IT audit into the business audit
We use our Information Technology to support our business processes, therefore it is logical that we consider the key controls we have implemented to manage the financial, operational, organisation, IT and other key risks that impact on that business process or function. Integrated reviews which leverage the skills and experience of multi-discipline teams allow us to provide assurance across these key risks. In this session, we will consider how we can effectively organise and implement integrated audits.
How to audit cybersecurity
As our organisations take advantage of the opportunities of the internet and digital technologies and implement ever-greater connectivity with our customers, vendors and other stakeholders our exposure to a wide range of cyber threats grows. As the expectations grow of our key stakeholders, including our boards, management and regulators, for assurance over the effectiveness of the controls managing these risks, we will consider how we can deliver the cybersecurity audits.
General Data Privacy Regulations
The EU general data privacy regulations (GDPR) were adopted on 27 April 2016 and will become effective in 25 May 2018 after a two-year transition period. This will replace the current 1995 directive and will affect organisations that process EU citizens' data. As the deadline for compliance approaches we will consider how you can understand the impact of this regulation on your organisation and assess your organisation’s compliance readiness.
To register to watch any of the webinars in this completed series, click here.