Technical and Insight
Internal audit and the cloud
Understanding ‘the cloud’ and how internal auditors can address the risks it poses.

Many of us, even if we are not familiar with the term ‘cloud computing’, already use the cloud in our daily lives: streaming films from Amazon or Netflix, storing data and photos on Dropbox or iCloud, messaging friends on Facebook or Twitter and using webmail such as Hotmail or Gmail. These are all examples of the cloud in everyday use.

In a business context, the cloud has become mainstream. Many organisations routinely back up data to the cloud and use cloud services to process email, payroll, HR or sales administration. With just a few clicks, an organisation can now connect to a new SAP or Oracle ERP system, something that previously would have been costly and time consuming.

What is ‘the cloud’? 
A dictionary definition from Google: 

cloud/kloud/ noun

  1. a visible mass of condensed water vapour floating in the atmosphere, typically high above the ground.
  2. a state or cause of gloom, suspicion, trouble, or worry.
  3. a network of remote servers hosted on the internet and used to store, manage, and process data in place of local servers or personal computers. 

It is the last definition that is relevant to cloud computing, but the second is also illuminating: it describes how many of us see the cloud in terms of security and third party governance risk.

The cloud is any service that provides on-demand, shared computing resources (eg networks, servers, storage, applications) over the internet. Cloud services can be shared by many customers (a ‘public cloud’) or dedicated to a single organisation (a ‘private cloud’).

Cloud services are also categorised by how much of the technology stack the vendor runs. In Infrastructure as a Service (‘IaaS’) the vendor provides the core computing, storage and network capacity, and the customer installs and manages its own operating systems, middleware and applications on top. In Platform as a Service (‘PaaS’) the vendor also manages the platform layer, such as databases, application runtimes and integration services, on which the customer builds its applications. In Software as a Service (‘SaaS’) the vendor runs the complete application and the customer simply uses it. The further up this stack a service sits, the more of the security controls are operated by the vendor rather than the customer, and the more the organisation depends on assurance over the vendor’s controls rather than its own.

Benefits of the cloud 
One of the key benefits of cloud computing is its ‘on demand’ nature. You pay for what you use and avoid much of the capital cost of setting up, and the operating cost of running, your own data centre and systems; when you no longer need a service, you stop paying for it. Businesses can therefore be more flexible and agile, scaling up quickly in busy periods and back down in quieter ones. The cloud can also help organisations focus on core business activities while outsourcing non-core activities (eg payroll) to a cloud provider.

One of the selling points of the largest cloud service providers is their sheer size and economies of scale. A vendor that runs IT systems for many businesses can spend far more on leading edge security and disaster recovery than any one customer could alone, and these benefits are passed on to customers who pay only a (relatively) small monthly fee.

What areas should internal audit focus on?
Internal audit (IA) is ideally placed to help its organisation ensure that adequate and effective controls are in place over cloud services, in the following areas.

Evaluating the cloud strategy 
An appropriate business case should be established and reviewed by key people across the business and IT. The justification for moving to the cloud should be formally documented and aligned with the firm’s strategy and risk appetite. A detailed review of the risks, benefits and costs by IA is essential: 

  • what are the risks from moving data to the cloud? eg privacy, access requests, data retention and limitations of liability 
  • are there software or technical complexities to consider such as licensing, escrow, patching and support?
  • who will be responsible for the interfaces between you and the cloud provider?
  • what would be the impact if the cloud services failed? Can you easily recover to your own systems or to an alternative?
  • has management estimated the performance, volume and storage requirements and is this aligned with what the cloud vendor can actually provide? 

A full impact analysis of moving data and systems to the cloud needs to be undertaken and reviewed by IA. Many organisations do not fully understand the current state of systems and data - failing to understand risks at the start can prove disastrous once the cloud contract is signed. Internal audit has a key role to play given IA’s expertise in risks, processes and controls. 

Evaluating cloud vendors
Corporate procurement policies need to be complied with and these should include an assessment of the reputation, history and financial sustainability of the cloud vendor. A short-list of cloud suppliers should be reviewed by IA to ensure that the selection has an appropriate balance between benefits, risks, controls and costs.

The continuity arrangements of the cloud service provider should be clearly understood and copies of its plans obtained. Most organisations will need to integrate the vendor’s plans with their own continuity and insurance arrangements, and may need direct access to their data from time to time. The contract should provide for the timely return of proprietary systems and data in a usable format. There are well documented cases of cloud vendors ceasing to trade and leaving customers no time to retrieve their systems and data.

One of the key considerations for IA is the adequacy of information security controls at the cloud vendor. Security risks should be assessed carefully in the following areas: 

  • where will your systems and data be located? Are there any local regulations such as privacy or taxation to be concerned about?
  • who will have physical and logical access to your systems and data? How will the access rights of employees, contractors and third parties be screened, authorised and periodically reviewed?
  • how will your data and systems be segregated from those of other customers (eg logically and physically)? Will your data be encrypted in transit and at rest, and who controls the encryption keys?
  • how vulnerable are systems and data to inappropriate or unauthorised change or misappropriation while at the cloud service provider? Are full security audit trails enabled? Are security controls tested and effective? 
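
The access questions above are ones an auditor will usually answer by obtaining a user and role export from the vendor and testing it against the organisation’s own access policy. The following Python script is an added worked example of that test; it is not code from the article or from any cloud provider. It assumes the vendor can supply an export with the columns shown, and the 90-day dormancy and 180-day re-certification thresholds, the role name ‘admin’ and the sample accounts are all hypothetical values constructed for illustration.

```python
"""Access-rights review over a cloud provider's user export.

Added example for this article (not the author's or any vendor's code).
Assumes the vendor supplies a CSV export with the columns below; the
column names, the role name 'admin', and the 90-day dormancy and 180-day
re-certification thresholds are hypothetical policy values.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export: the accounts and dates are invented.
SAMPLE_EXPORT = """\
username,account_type,role,last_login,mfa_enabled,last_access_review
a.finance,employee,user,2014-09-28,yes,2014-06-01
b.admin,employee,admin,2014-09-30,yes,2014-03-15
c.contractor,contractor,admin,2014-05-02,no,2014-01-10
d.vendor,third_party,user,,yes,2014-08-20
e.leaver,employee,user,2014-01-15,yes,2014-08-20
"""

AS_OF = date(2014, 10, 1)           # review date, fixed so the run is repeatable
DORMANT_AFTER = timedelta(days=90)  # assumed policy: no login for 90 days
RECERT_EVERY = timedelta(days=180)  # assumed policy: rights re-certified twice a year
PRIVILEGED_ROLES = {"admin"}        # assumed: roles treated as privileged


def parse_export(text):
    """Parse the CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def _to_date(value):
    """Empty cells (eg an account that has never logged in) become None."""
    return date.fromisoformat(value) if value else None


def review_access(rows, as_of=AS_OF):
    """Return (username, finding) pairs for every policy exception found.

    One account can raise several findings, so the auditor sees the whole
    picture for that user rather than only the first failed test.
    """
    findings = []
    for row in rows:
        user = row["username"]
        privileged = row["role"] in PRIVILEGED_ROLES
        last_login = _to_date(row["last_login"])
        last_review = _to_date(row["last_access_review"])

        # Accounts nobody uses are candidates for removal (leavers, stale vendors).
        if last_login is None:
            findings.append((user, "never logged in"))
        elif as_of - last_login > DORMANT_AFTER:
            findings.append((user, "dormant account"))

        # Privileged access without a second factor is the highest-risk gap.
        if privileged and row["mfa_enabled"].strip().lower() != "yes":
            findings.append((user, "privileged account without MFA"))

        # Contractors and third parties holding admin rights need explicit approval.
        if privileged and row["account_type"] != "employee":
            findings.append((user, "privileged access held by non-employee"))

        # Every account must have been re-certified within the policy period.
        if last_review is None or as_of - last_review > RECERT_EVERY:
            findings.append((user, "access rights not re-certified in period"))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(parse_export(SAMPLE_EXPORT)):
        print(f"{user:14} {finding}")
```

Run against the constructed export, the script raises no findings for a.finance, one re-certification finding for b.admin, four findings for the dormant, un-reviewed contractor admin without MFA, and one each for the never-used third party account and the dormant leaver. In practice the same test should be run on the organisation’s own side of the interface (who can administer the subscription) as well as on the vendor’s staff access, since both were asked about in the list above.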

Cloud service providers are prime targets for cyber criminals (remember the celebrity photo hacks earlier in 2014?), because access to one provider can mean access to many organisations’ data. The cyber-readiness of the provider is therefore a key area for IA to examine. There are several good frameworks that can be used, including the UK government’s Cyber Essentials scheme, which is designed to address the most common cyber threats.

Relevant certification reports should be obtained to assess the quality and security of each cloud vendor. These may include ISO certifications such as ISO 9001 (quality management) or ISO/IEC 27001 (information security management) and, where your organisation handles card data, the Payment Card Industry Data Security Standard (PCI DSS). Cloud security should be designed to be consistent with good practice such as ISO 27001 and with applicable law such as the Data Protection Act and, for public bodies, Freedom of Information obligations. Bear in mind that a certificate confirms that a management system was assessed against the standard at a point in time and within a stated scope; it does not by itself show that the specific controls protecting your data are effective, so the scope statement should be checked against the services you will actually use.

Ultimately, the cloud vendor should be able to describe clearly its internal and external security controls. This should be supported by requesting relevant security policies, recent vulnerability assessment or penetration test reports and third party attestation reports (such as ISAE 3402 or SSAE 16 service auditor reports, or Cloud Security Alliance STAR assurance). Where such reports are not available, you will need to obtain sufficient assurance by other means that the cloud controls meet your needs. This may include negotiating a ‘right to audit’ clause in the contract so that you can assess the vendor’s control environment directly. When reading service auditor reports, check the period covered, the scope of controls tested, any exceptions noted and the ‘complementary user entity controls’ that the vendor assumes you will operate yourself.

Monitoring and service level management 
A robust service level agreement should clearly define the responsibilities of all parties and provide for clear and effective governance of the cloud service. Single points of contact are needed to coordinate activities, and service level monitoring arrangements should be established to confirm compliance with the agreed levels. Periodic security and service management reports (eg new or emerging risks, system issues and time taken to fix faults) should be obtained, and procedures implemented so that invoices are reviewed and matched against measured service levels before they are paid.

As problems can never be ruled out, the cloud provider should have an adequate incident management and breach notification process, including provision of access to logs and audit trails when required. All security incidents at the provider (whether or not they result in a breach of your data) should be notified promptly so that risks can be assessed in time and management can react quickly if a security event is developing. The notification timescale and the information to be supplied should be written into the contract rather than left to the vendor’s discretion.

Cloud computing continues to be widely adopted. Its many benefits include leveraging a cloud vendor’s economies of scale and reducing capital expenditure. However, there are also many risks, including security and continuity, that need to be fully understood if organisations are to take full advantage of it. IA should consider the risks outlined in this article and ensure it is closely involved in the cloud strategy of its organisation.

Gavin Davey - IT Assurance Services, Insurance Industry Group, Moore Stephens LLP

Finance needs to be high performing!
Internal audit can help create a world class finance function. Dan Swanson explains how.

The finance function is a strategic one because it helps drive organisations to higher levels of performance by delivering information that enables key strategic decisions to be made. In addition to strategic planning, a well-run finance department supports sound financial management, organisational performance reporting, treasury-related activities, and financial reporting (and numerous other activities). 

It tells you how many dollars are coming in and going out and, just as importantly, where they are coming from and going to. Without that information, people are driving blindfolded, and the organisation will have a difficult time building and then sustaining long-term value.

Finance, however, is more than just keeping track of the dollars; it’s also about ensuring that sources of funds are adequate and sustainable to fund the organisation’s operational requirements and allow the organisation to expand to meet the needs of its customers. The importance of the finance role is truly exploding – eg enterprise risk management, financial forecasting and management of the balance sheet, tax, mergers and acquisitions, IT investment management, encouraging adoption of new technologies, and on and on. 

At the end of the day, internal audits of finance should not be focused strictly on financial reporting. The many significant activities within the finance function should be assessed regularly so that key opportunities for growth and organisational improvement can be identified and addressed in a timely manner. 

Characteristics of a world-class finance organisation 
Where do you start? Build an understanding and agreement on what is the role and purpose of the finance function. Then obtain agreement on what the characteristics of a world-class finance function within your organisation should look like. Based on research published by the Government Accountability Office (GAO) ‘the finance department’ is best defined in terms of the significant business outcomes it can produce – outcomes such as improved business analysis, innovative solutions to business problems, reduced operating costs, increased capability to perform ad hoc analysis, and improved overall business performance. 

Audit finance to improve organisational performance
An audit of the finance department should determine whether or not the function’s current services are appropriate, whether organisational performance is regularly being optimised, whether management and finance are working together, and whether finance is helping the enterprise recognise and respond to new business opportunities as they arise. 

There are many issues worth exploring in an audit of finance; I discuss four of the important areas below. The audit team will need to complete a comprehensive audit plan to determine the correct focus and priorities for an internal audit of the finance function.

(1) Strategy development
Does the finance function help management define, and agree upon, strategy? Does it help with implementation of that strategy, including management’s recognition of, and response to, new and emerging business opportunities?

(2) Budgeting
Do budgeting processes support the assignment of management accountability and monitoring of performance? The audit team should investigate whether the finance function helps top management with forward-looking analyses of the numbers and by forging strong ties between accounting information, budget formulation and capital investment, and strategic planning and implementation. 

(3) Financial systems and processes
Are there appropriate systems, policies, procedures, and guidelines relating to financial management? How successful is the finance department in meeting business needs? 

Has the finance team done everything necessary to get a grip on the organisation’s preparedness and the organisation’s financial needs? While everyone is trying to forecast the next disaster to ‘handle’, in my view, process improvement and constantly strengthening the company’s key capabilities is a highly effective long-term approach to improving resilience and overall performance. 

(4) Accounting
Do the financial practices of the organisation meet generally accepted and industry-accepted financial management standards? Compliance with accounting and auditing standards is important, and an internal audit of finance should usually include a review of the organisation’s accounting policies and practices. Where departures in accounting policy or practice do arise – and sometimes an exception to common practice does make sense for a specific company – has that departure been explained and approved by the proper executives? 

Organisations must proactively improve capabilities
An internal audit of finance should foremost identify key improvement opportunities. The audit should confirm that long-term finance needs (ie financial management and treasury management) are identified and being addressed. Equally important, the audit should make sure the finance department can track all the dollars floating around the company. Are cash management and recordkeeping strong? What can be improved?

Lastly, the audit should investigate who is driving organisational capability improvement efforts and assess whether those efforts are working well. Finance is not only about internal control over financial reporting, nor is it only about quarterly and annual reporting; while these activities are very important, they do not significantly affect long-term value creation.

A good finance function is about much more than that. A good audit of the finance function is about much more than that, too. In closing, the resources highlighted below provide numerous insights regarding world class financial management and every finance and audit professional should study them closely – is your finance function ‘world class’?

Good luck in making a difference!

Dan Swanson – president, Dan Swanson and Associates, Ltd


GAO Executive Guide: Creating Value Through World-class Financial Management 
A world-class finance organisation can best be defined in terms of the business outcomes it produces: outcomes such as improved business analysis, innovative solutions to business problems, reduced operating costs, increased capability to perform ad hoc analysis, and improved overall business performance. 

Financial Insight: Challenges and Opportunities 
This joint report from ACCA and IMA suggests ways the finance function can improve current approaches to business partnering. It proposes nine pragmatic actions to improve partnering practices anchored in three core component parts: creating the mandate, fixing the information and deploying the talent. 

Building your Financial Capabilities: a Guide for Growing Businesses 
Effective financial management is a crucial part of running a growing business. Whatever your business, raising finance, managing cash flow and keeping records are all essential, but in a growing business you want financial management that also does more – helping you to make informed decisions, assess new opportunities and evaluate the success of your business strategy. 

The Rising Tide of Finance Challenges 
Most finance functions today are incredibly busy, with waves of work rolling in at a greater pace and frequency. The business activities they support are running red-hot amid improving, yet still volatile, marketplace conditions. 

The results of the 2015 Finance Priorities Survey from the Financial Executives Research Foundation and Protiviti confirm that finance functions are beyond busy. The sheer number of priorities they are addressing is at an all-time high. What’s more, the number of finance skills and capabilities that respondents view to be higher priorities compared to last year’s results has risen dramatically. 

As we reveal and discuss in our report, our findings suggest that finance executives and professionals are clear on what they’re trying to achieve through effective cash management, business intelligence and analysis, knowledge of changing tax and finance laws, and a renewed focus on ‘people’ skills.

Hello from Nepal!
How ACCA is playing a leading role in the development of Nepal's fledgling internal audit function.

Biraj Pradhan is ACCA’s International Assembly representative for the Middle East & South Asia and is the head of internal audit for Kathmandu University in Nepal. Neville de Spretter, a member of ACCA UK’s Internal Audit Network Panel, caught up with Biraj over lunch when Biraj was in London for the annual ACCA International Assembly meeting and discussed a wide range of internal audit topics.

Kathmandu University is the largest university in Nepal with schools in art, education, engineering, law, management, medical science and science. Its school of management – Kathmandu University School of Management (KUSOM) – recently signed a memorandum of understanding with ACCA and has good tie-ups with many international universities. The chancellor of the University is the Rt Honourable Prime Minister of Nepal, and the pro-chancellor is the Honourable Minister for Education. 

The value of governance
Governance has a special importance when you are going through change. Nepal is a growing economy and Biraj believes that good governance must form the main root of that growth. If internal controls are in place and internal audit is regarded as a business partner by the rest of the organisation – rather than just traditional 'policing' auditors – then they can provide a value added service. Building a robust system with good processes that employ, develop and improve on the best practices of the West will help the university to grow significantly. The university has previously followed traditional methods but Biraj is now helping to establish those good governance principles that will help the university build up its reputation further. 

As head of internal audit, Biraj reports to the registrar, who is the head of finance and administration. The registrar and vice chancellor were appointed in 2013 and are forward looking individuals – they hired a qualified accountant to be the internal auditor for the first time in the university’s history. This new higher management is taking on the bigger challenge and hiring and retaining qualified accountants to ensure that they get the best advice and level of service. 

The external auditor of the university is also ACCA qualified and works closely with Biraj to share knowledge and complement each other’s work. The internal audit function is part of the university and therefore subject to its hierarchy and reporting lines, but the statutory auditor is independent, and the close working relationship Biraj has with him puts him in a strong position. The university is supported at the highest political level because of the importance of producing professionals to take the country forward; transparency is seen as critical in delivering those strategic objectives and consequently internal audit is in the spotlight.

International standards 
Neville was delighted to hear that Biraj and the university are adopting such a modern approach. Neville’s own work with the British Standards Institution (BSI) resulted in the publication of BS 13500 in 2013, the Code of Practice for Delivering Effective Governance of Organisations.

Biraj explained that the university is an autonomous body so while they are incorporating international standards to a degree, they are taking a pragmatic approach and following the standards where they are in line with the aims of the university. Both men agreed that pragmatism and flexibility are needed. 

BS 13500 is the over-arching code applicable around the world. Its purpose is to clarify the fundamental requirements for delivering effective governance of organisational performance, and asks, for example, whether an organisation has a clear and understandable set of strategic objectives in place. Does the organisation understand the risks that would prevent the delivery of those outcomes, and what activities are in place to mitigate risks to a tolerable, desired, affordable or acceptable level? 

Biraj is very interested in the BS 13500 standard. He praised the drafting and oversight committees, saying 'It takes a lot of hard work to build these standards – I really salute the hard work behind all the experts who are brainstorming and doing all that research'. 

The value of the ACCA qualification 
With any growing economy, education is the key to progress. There are approximately 150 ACCA members residing in Nepal. Many other Nepalese ACCA members reside in the UK, Australia and Canada because the ACCA Qualification is effectively a passport for your career. Those members in Nepal are incredibly proud of the ACCA Qualification and are forming a panel to provide professional support to new members. Having the ACCA Qualification makes you eminently employable in Nepal. 

Differences between the UK and Nepal 
At Kathmandu University, Biraj’s open and productive relationship with the registrar has resulted in the streamlining of the accounting function and decentralisation. Random checks are used to ensure that processes are followed and there has been significant improvement in just 12 months but there is still a lot to do. 

Conversely Neville highlighted that in the UK, many organisations are going the opposite route of centralising the financial accounting function and using big data through ERP systems so that managers have immediate real time access to financial and other performance data for decision-making. Non-financial managers are being trained to make better use of the data. 

Biraj noted that in developed economies such as the UK there is very good access to technology. He is familiar with the concept of big data, but in Nepal they are still in learning mode, so implementing the technology that would enable them to make use of big data will take time.

Integrated assurance 
Integrated assurance is another area of difference between the two countries. Biraj understands that integrated assurance is about integrating and aligning assurance processes to maximise risk and governance oversight and control efficiencies, and to optimise overall assurance for the organisation, incorporating not just financial but also non-financial information such as brand, strategy, objectives and transparency of data. But in terms of the university’s need to strengthen and confirm the basics of internal control and risk management, there are a lot of things to be done before they can contemplate integrated assurance.

Biraj is in the early stages of following integrated assurance and getting the balance right between focusing on strategy and risk, and the need to ensure basics are in place and working effectively and robustly. Aligned to that is the need to make sure that there is effective working dialogue with all stakeholders, which Biraj achieves through weekly meetings with his chief executive (the registrar). It is an open and honest dialogue that is collegial and collaborative and consequently constructive. It ensures that the independent and objective remit of internal audit is fully recognised, understood and supported. 

Neville de Spretter - a member of ACCA UK’s Internal Audit Network Panel

About ACCA's International Assembly 
ACCA’s International Assembly was formed in 1997. Its remit is to provide input into ACCA's strategy and development, through an advisory role to Council, and to convey to Council comments and suggestions from members around the world. It has a large number of representatives from across ACCA's increasingly diverse membership and meets in November each year.

Auditing within a joint venture (JV) entity
We conclude our look at potential issues which may arise with the audit of JVs.

An article published in the June 2014 IA Bulletin addressed aspects from a shareholder governance perspective; this article examines some of the issues which may arise when auditing within the JV entity itself.  

Both of these articles address particular issues which may arise as a result of the relevant entity not having a controlling interest in the share capital of the JV or day to day control over its operations.  

Many JV specific issues arise from the need to conduct audits on a 'multi-venture' basis (ie involving representatives from more than one shareholder or partner). Having limitations placed on access to required information and relevant staff can also cause difficulties for audit teams. 

Multi-venture JV audits 
Where a JV entity has more than one shareholder or partner, it is likely that the JV management will expect the participants to conduct any audits or reviews they wish to undertake together on what is often termed a 'multi-venture' approach. This clearly makes sense from an efficiency point of view and is often a requirement of underlying JV or shareholder agreements. It can, however, lead to difficulties, some of which are addressed here.

Scheduling and planning the audit

  • Clarifying which entity will lead the audit is crucial and needs to be agreed early. It is this organisation which will typically be responsible for assembling the team, planning the work and agreeing the terms of reference (TOR). Very often responsibility to lead will rotate amongst the partners. Some partners may not wish to participate and others may wish to try and lead every time. The lead auditor will need to identify the appropriate network and clarify who within the JV partner organisations will be able to resource the team members. Unless the audit objectives / subject matter are relatively straightforward, it is likely that the lead auditor will have little time for audit work themselves. Managing staff will inevitably be more difficult and additional time will be spent communicating, cajoling and ensuring the maintenance of professional standards and convergence of the audit effort.
  • Attention to timing and planning is key. Timing is often dictated by terms set out in the JV / shareholder agreement as well as by JV management who will want to avoid known periods of peak activity. Planning processes will inevitably be perceived as worse in third party organisations! Start the planning process really early, particularly if you (as lead auditor) see the need to identify specialist resources.
  • Clarify the terms of reference (TOR) and in particular the audit scope (clarifying precisely the areas of the business to be addressed and the documents and data required) and objectives early. It is highly recommended to obtain 'sign off' from JV management to avoid subsequent misunderstanding.
  • It is surprising the frequency with which audit team members arrive from JV partners to conduct work without being aware of the critical aspects of the JV / shareholder agreement (often very lengthy documents) or matters arising from previous audits. It is good practice to assume these have not been seen and distribute them to the team members before the commencement of the work. 

Composition of the audit team

  • The TOR will dictate that certain skills are required to undertake the audit effectively. Obtaining staff with the required competences and actually being able to assign them to do the work may not always be straightforward. The lead auditor is reliant on competence assessments from third party organisations and particular partners often want to cover certain aspects that they have issues with.

Execution of the JV audit

  • Conducting an audit with auditors sourced from different organisations will inevitably result in some lack of convergence, not least in the audit processes and methodology to be followed. Custom dictates that the lead auditor will primarily be responsible for providing guidance in this regard and negotiation may be necessary. Some smaller organisations may not have internal audit departments, perhaps relying on contracting in such services, and will be delighted to follow the methodology of the lead auditor organisation.
  • Construction of an agreed audit programme will also predominantly fall on the lead auditor. Professional, technical and ethical standards will vary. It is preferable therefore that overall responsibility is taken by one individual.
  • Transparency and openness of the process is paramount. Partners and shareholders will inevitably have differing priorities and there could well be single partner issues or disagreement over issues which need to be managed sensitively or impact on partners disproportionately. Particular sensitivities can arise when government or major contract holder representatives are present in the team.
  • Early identification, discussion and clarification of issues is key. Working in a team sourced from a variety of organisations / cultural backgrounds creates special problems and potential for misunderstanding and surprises. It is common practice to use 'information requests' as a tool to control requests for information from JV management. This is a useful tool as it clarifies what is being worked on and controls the flow of information between the audit team and the JV management. A daily round up session is a particularly useful tool with each auditor being invited to discuss progress and any potential emerging issues with the group. This way any sensitive aspects or any potential for distrust can be minimised. 

Finalising the issues and the required actions and assembling a report which all the stakeholders can agree on will typically be unusually challenging. The rating of findings, the opinion for the audit (if one is to be provided) and the actual language of the report will all require negotiation and agreement. It is not uncommon and probably preferable for audit reports to be issued without opinions. Individual participants can issue their own reports in their own style solely within their own organisations at a later stage.  Reports in different languages may also be required. 

Access to audit information and relevant staff will often be restricted and limited in scope by the JV / shareholder agreement or by negotiation with JV management. Confidentiality aspects and the need to retain audit evidence will need to be considered. Soft copy documents will often not be provided, or can only be sighted, and may be subject to binding confidentiality agreements (CAs). This could have implications for audit working papers and the way partner / manager reviews are conducted. The precise wording of CAs might require negotiation or clearance from relevant legal teams and should be considered before the commencement of work.

All too frequently JV audit teams arrive to conduct their work finding that required documentation is not available or is in dispute. Absolute clarity in the TOR with respect to documentation requirements is crucial and the lead auditor needs to follow up diligently in advance of the audit. Short term rescheduling is highly undesirable and often not practical. 

Obtaining access to IT systems will often require special permissions, or separate domains and access to be created. The audit team will need to consider and agree early how information is shared within the team, as intranet / shared filing systems are unlikely to be available. 

Common themes arising in JV audits
There will almost always be contentious issues arising as a result of conducting a JV audit on an entity of any significance. The following areas are often the most contentious and of particular relevance to JVs:

  • corporate overhead and head office costs are areas where the most common breaches of the underlying 'no gain no loss' principle arise. Generally JV and shareholder agreements will address the extent to which the entity responsible for managing the JV can legitimately charge costs. Very often this is not a simple formula and can represent a significant opportunity for disagreement
  • charges from subsidiaries or other affiliated companies. Many shareholder / JV agreements will specify the circumstances in which contracts with or payments to such entities may be made. Sometimes de minimis spend levels or reference to a more stringent authorisation process is specified. Suffice to say some JV managers will try and favour parent company affiliates and the team need to be alert to this
  • the allocation of common costs from other entities will require special scrutiny
  • contract management, both pre- and post-award processes, will always be a more sensitive subject if representatives of the approving or contract holding organisations are on the team
  • the financing of some JVs will be provided by periodic injections of cash or 'cash calls'. Care will need to be taken to ensure that the cash calls are funded appropriately and based on good quality forecasting, otherwise partner working capital will be unnecessarily tied up. 

Almost always the conduct of a multi-venture audit will involve compromise and higher than usual levels of frustration. But if planning lead times are realistic, communication is first class and the lead auditor is competent and patient, then there is no reason why acceptable audit outcomes cannot be achieved.

Steve Ilett - director of IFRMS ltd, a finance and risk management consultancy

Establishing accountability for your anti-fraud efforts
Take the lead and actively demonstrate methods of preventing fraud in your company.

Some companies have far lower levels of misappropriation of assets and fraudulent financial reporting than others. Why? Because they aggressively take steps to prevent and detect fraud, end of story. 

At these exemplary companies, management takes seriously its ethical responsibilities for designing and implementing systems, procedures, and controls to catch fraud and – along with the board of directors – for promoting a culture and corporate environment that demands honesty and ethical behaviour. 

How does your company stack up? Well, run through this checklist: 

  • does your organisation have a strong fraud oversight process at both the board and management levels?
  • does your organisation have robust and effective anti-fraud policies, procedures and controls?
  • does management regularly evaluate fraud risks and anti-fraud controls?
  • have the risks of management override and conflicts of interest been independently reviewed within the last 12 to 18 months?
  • would you say your workforce has a strong ethical culture?
  • does your company have a corporate policy that encourages whistleblowers to come forward? And do those would-be whistleblowers actually believe it? 

If you answered ‘yes’ to all of the above questions, great. You’re well on your way to a strong anti-fraud effort. Now answer three more questions that will help you get ahead of the crowd: 

  • what are the board’s and management’s roles regarding fraud?
  • what should the internal audit team’s role be regarding fraud?
  • how can the organisation best help the external auditor meet its responsibilities for evaluating fraud risks? 

To answer that last question properly, you need clear answers to the two questions immediately preceding it. 

Specifically: The board is responsible for defining and approving the organisation’s overall strategic direction and system of internal control, as well as for setting the tone at the top (overall corporate governance). Management operates the business within the guidelines set by the board, periodically reporting on performance and progress toward key strategies and objectives. Management also monitors operations. That includes regular assessments of the effectiveness of the overall system of internal control against the requirements set by the board, as well as the company’s own ethical values and beliefs. 

As mentioned earlier, the board is accountable for ensuring an effective system of internal control is established to fight fraud; management is responsible for how that system is designed and enforced to fight fraud. Once you have that clear – and actually done – the internal audit department can contribute to those anti-fraud efforts. 

Internal audit’s job: helping fraud prevention efforts 
Today there is the belief that auditors are looking for – as well as investigating and stopping – frauds. After all, aren’t auditors the last line of defence in identifying crooked management? 

Well, no. The truth is that nobody can catch all fraud, and the internal audit department should address the misperception that this is internal auditing’s purpose. Everyone in the company has a role in fraud prevention and detection, and the primary responsibility lies with all members of management (and by that, I mean managers at every level of the company). 

An effective internal audit function improves the company’s ethical culture and control environment, both overtly through its audit work and in a more general sense by promoting good practices. Internal audits of anti-fraud activities provide valuable feedback to management and the board on where they can improve overall performance, which contributes in the long term to more effective fraud risk management efforts. It can also be a deterrent when employees know that the internal audit department employs persons with fraud detection knowledge, skills, and tools. 

Internal audit should design and plan audits specifically to detect fraud, which directly strengthens the organisation’s internal control system. The internal audit plan should be driven by an audit risk assessment (that is, the risk that an audit might miss something); likewise, efforts against fraud should be driven by a fraud risk assessment, because the greater the organisation’s exposure to fraud, the more antifraud audit effort must be allocated. And you must conduct fraud risk assessments thoughtfully, since it helps nobody to have your workforce believing the internal audit team distrusts everybody. 

Audit work should include evaluating the organisation’s efforts in fraud prevention, fraud detection, and fraud investigation. If ‘detective’ procedures are not in place, frauds that are discovered will require more investigative effort and result in greater loss. Over the long term, fraud prevention and deterrence efforts have the most impact on reducing fraud, so this should be a top management priority and be regularly evaluated by internal audit. 

Always remember that auditing provides only a reasonable level of assurance; auditors cannot, and will not, provide an insurance policy against every possible fraud. But because of their objectivity and integrity, internal auditors are able to reinforce an organisation’s anti-fraud effort by investigating reports of possible fraudulent behaviour. In fact, more and more corporate internal audit departments include trained forensic accountants. 

There are numerous fraud audit techniques today, and more should be incorporated into audit departments. Some simple examples of forensic exercises include: correlating employee names, addresses and other contact details against the supplier database to help identify suspect transactions; examining expenses claims closely; following up religiously on seemingly insignificant discrepancies in control totals; using data mining and computer audit techniques in general to craft and answer cunning questions; and always being aware of the possibility of collusion, deception, and fraud.   
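The employee-to-supplier cross-match described above, as an added example that is not from the original article: it normalises names, addresses, phone numbers and email addresses before comparing an employee master extract against a supplier master extract, and reports which fields each pair shares. All records are constructed sample data, and the normalisation rules (for example folding a UK +44 prefix to a domestic leading 0) are assumptions for illustration.

```python
import re
from typing import Callable, Dict, List

# Constructed sample records (not real data): a payroll/HR employee extract
# and a purchasing supplier master extract, as an auditor might receive them.
EMPLOYEES = [
    {"id": "E001", "name": "Alice Chen",
     "address": "12 High Street, Leeds, LS1 4AB",
     "phone": "+44 113 496 0123", "email": "alice.chen@example.com"},
    {"id": "E002", "name": "Smith, John",
     "address": "7 Mill Lane, York, YO1 7HH",
     "phone": "01904 496 0456", "email": "j.smith@example.com"},
    {"id": "E003", "name": "Priya Patel",
     "address": "3 Park Road, Bath, BA1 2CD",
     "phone": "01225 496 0789", "email": "priya.patel@example.com"},
]

SUPPLIERS = [
    {"id": "S100", "name": "Acme Stationery Ltd",
     "address": "Unit 4, Trade Park, Hull, HU1 1AA",
     "phone": "01482 496 0001", "email": "sales@acme-stationery.example"},
    # Trading name gives nothing away, but address and phone are employee E002's
    {"id": "S101", "name": "JS Consulting",
     "address": "7 Mill Lane, York, YO1 7HH",
     "phone": "+44 (0)1904 4960456", "email": "billing@jsconsult.example"},
    # Same person as employee E001 once case and token order are normalised
    {"id": "S102", "name": "CHEN, ALICE",
     "address": "90 Other Road, Leeds, LS9 9ZZ",
     "phone": "0113 000 0000", "email": "achen@example.com"},
]


def norm_text(value: str) -> str:
    """Lower-case, replace punctuation with spaces and collapse whitespace."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", value.lower()).split())


def norm_name(value: str) -> str:
    """Order-insensitive name key, so 'Smith, John' and 'John Smith' agree."""
    return " ".join(sorted(norm_text(value).split()))


def norm_phone(value: str) -> str:
    """Digits only, with a UK +44 country code folded to the domestic leading 0
    (assumed convention for this example; adjust for other dialling plans)."""
    digits = re.sub(r"\D", "", value)
    if digits.startswith("44"):
        rest = digits[2:]
        digits = rest if rest.startswith("0") else "0" + rest
    return digits


def norm_email(value: str) -> str:
    return value.strip().lower()


# Field name -> normaliser. Every field is compared on its normalised key.
FIELD_NORMALISERS: Dict[str, Callable[[str], str]] = {
    "name": norm_name,
    "address": norm_text,
    "phone": norm_phone,
    "email": norm_email,
}


def find_supplier_employee_matches(employees: List[dict],
                                   suppliers: List[dict]) -> List[dict]:
    """Return one finding per (supplier, employee) pair sharing at least one
    normalised contact field, listing which fields matched. A match is a lead
    for follow-up, not evidence of wrongdoing: a shared address may be a
    declared and approved related-party arrangement."""
    index: Dict[str, Dict[str, List[str]]] = {f: {} for f in FIELD_NORMALISERS}
    for emp in employees:
        for field, norm in FIELD_NORMALISERS.items():
            key = norm(emp.get(field, ""))
            if key:  # skip blank fields so empty values never match each other
                index[field].setdefault(key, []).append(emp["id"])

    findings: List[dict] = []
    for sup in suppliers:
        hits: Dict[str, List[str]] = {}
        for field, norm in FIELD_NORMALISERS.items():
            for emp_id in index[field].get(norm(sup.get(field, "")), []):
                hits.setdefault(emp_id, []).append(field)
        for emp_id, fields in sorted(hits.items()):
            findings.append({"supplier_id": sup["id"], "employee_id": emp_id,
                             "matched_fields": fields})
    # Suppliers sharing several details are the strongest leads: review first
    findings.sort(key=lambda f: -len(f["matched_fields"]))
    return findings


if __name__ == "__main__":
    for finding in find_supplier_employee_matches(EMPLOYEES, SUPPLIERS):
        print(finding)
```

Run against real extracts, the output is a worklist for the ad hoc inquiries into source documents that the practices below describe; the normalisers are the part to tune to local data formats.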

There are many useful antifraud management practices, including:

  1. identifying potential indicators of fraud for your industry, company, or activities within your organisation
  2. communicating with experienced people to learn ideas about how frauds may be committed and best detected
  3. devising and routinely running tests to look for fraud indicators and data anomalies
  4. performing ad hoc inquiries as needed to dig into the source data underlying fraud indicators and data anomalies, and performing these, or including them, as part of control self-assessment sessions
  5. implementing continuous monitoring and continuous auditing.

Norman Marks, a semi-retired chief internal audit executive and old hand at internal auditing at many large companies, recommends that internal audit periodically assess:

  • the adequacy of the control environment, including: the adequacy of the code of conduct and processes to ensure it is understood, the adequacy of the whistleblower and investigation processes, and the staffing and organisation of those responsible for the prevention and detection of fraud. Internal audit should go beyond traditional techniques such as interviewing or issuing a questionnaire only to senior management; a direct and more useful technique is to ask the workforce via surveys, interviews, and focus groups
  • management’s risk assessment as it relates to fraud and theft, including: whether the process is systematic and most conceivable fraud schemes identified, fraud risks adequately assessed, and appropriate strategies implemented
  • management’s monitoring activities, including: whether actual losses are monitored and compared to risk tolerances, and actual losses monitored to identify areas of concern, potential failing of controls, and opportunities for improvement.

There will always be limits to an organisation’s antifraud capabilities. Your sample sizes can only be so large. Your budget is only so big. Fraudsters, meanwhile, are cunning people who work hard to conceal their activities and exploit weaknesses in controls. 

Organisations must be ever diligent 
An open discussion about the possibility of fraud (of serious fraud), and the necessary responses, is always beneficial. Ideally, your company should have that discussion before a serious fraud incident rather than afterwards. Setting clear expectations and defining everyone’s responsibilities regarding your antifraud efforts is half the battle. Being diligent in your efforts is the other half. 

To fight fraud, we need a firm policy, it must be enforced, and violators must be investigated and appropriate actions taken. Management must understand that it has the responsibility to design and implement antifraud activities, including the monitoring of the results. Internal auditors should also search for fraudulent activities and contribute to the organisation’s ‘no tolerance’ attitude toward fraud. 

Once your own house is in order (or perhaps as part of getting your house in order), also consider the potential fraud risks relating to your key business relationships. Whistleblowing by suppliers, partners, or customers is one of the most common ways of discovering fraudulent activities, and it cuts both ways. If a worker at one of your business partner companies wanted to report fraud at your company, would that person have the means (and the encouragement) to do so? What if one of your employees discovered fraud happening at one of your partners? How would you deal with it? 

Finally, many organisations have implemented and strengthened their Enterprise Risk Management (ERM) programmes over the past few years. Consider evaluating the organisation’s ERM efforts using a ‘fraud’ lens, ie do the organisation’s risk management efforts properly consider the risk of fraud and have appropriate risk management practices been implemented? It is endless. 

Two leading resources are cited below. Consider sharing these resources with the key stakeholders within your organisation as part of your ‘raising of the bar’ in fraud risk management. 

Good luck in making a difference! 

Dan Swanson – president, Dan Swanson and Associates, Ltd

The Role of the Board in Fraud Risk Management 
Civil charges against outside directors alleging negligence in the face of fraud serve as a sharp reminder for boards that ignorance of fraud risks and red flags is no excuse for inaction. 

Managing the Business Risk of Fraud: A Practical Guide 
This guide makes recommendations to key stakeholders on how to attempt to prevent fraud in an organisation. It provides guidance from well-respected authorities on establishing an effective fraud risk management programme including examples of programme components and resources used by different organisations. Areas covered are: 

  • fraud risk governance
  • fraud risk assessment
  • fraud prevention.

CSA and second lines of defence
Why CSA is an effective approach to evaluating business risks.

Approaches to self-assurance auditing – often referred to as control self-assessment (CSA) – can differ but the basic objectives and benefits of it remain the same across various methodologies.  

Put simply, CSA is a structured approach for an organisation to evaluate – and provide reasonable assurance on – whether its internal control environment is effective in supporting it to achieve its strategic objectives, given its assessment of internal and external risks.  

The key feature of CSA is that it is performed by individuals responsible for the organisation’s day-to-day operations (the first line of defence), rather than the second line, for example the risk and compliance functions, or the third line, internal audit. 

A programme of self-assessment will likely be conducted on an annual basis, but it can take place more frequently if, for example, the pace of change within the organisation – or outside of it – requires it. 

CSA supports the organisation’s governing body to discharge its corporate governance responsibilities.  In the case of companies subject to listing rules, these responsibilities are set out in the Financial Reporting Council’s UK Corporate Governance Code which states that boards should, at least annually, carry out a review of the effectiveness of the organisation’s internal control systems. This review can be delivered through a CSA programme, together with the work of the second and third lines of defence. 

Therefore, it is useful for the results of CSA to be reported using a consistent approach to that adopted by the second and third lines of defence, in particular in relation to risk categorisation, impact assessment and effectiveness measures for controls. This allows aggregation of data across assessments for reporting upwards and the governing body to take a broader view on risk and control. 

Good quality CSA can significantly improve the strength of an organisation’s internal control environment and its alignment to the organisation’s objectives, not just through the CSA process itself but through fostering, amongst first line management and their teams, understanding of, and accountability for, risks and controls, as well as actions to address identified control weaknesses. 

Valuable insight 
In an environment where there is an ever-increasing focus on the role of culture in the effectiveness of an organisation’s internal control systems, CSA can provide valuable insight. In its July 2013 publication Effective Internal Audit in the Financial Services Sector, the Chartered Institute of Internal Auditors stated that ‘internal audit should consider the attitude and assess the approach taken by all levels of management to risk management and internal control’ through, for example, management’s regular assessment of controls and actions it has taken to address known control deficiencies. 

Also, many soft controls lend themselves to being self-assessed and CSA can be used to gather information from teams about the ethics, integrity and attitude of management. From the perspective of internal audit’s work, where CSA is of good quality, it can reduce the time and effort it takes for the audit team to gather information on the area being audited and helps it to identify risks and controls where greater focus during the audit may be required.  It also provides information on local management’s awareness of the strength and weaknesses of the control environment for which it is responsible, which some internal audit functions take into consideration in their rating methodologies. 

The quality of CSA can vary; the more effective programmes receive support from senior management at the top of the organisation, not just in sentiment, but in the resources – people and time – allocated to the exercise and to considering the results. 

To add real value to an organisation’s risk management activities, those performing CSA need to be engaged and prepared to challenge themselves: are we identifying the right risks, including emerging risks, tail events and headline risks experienced at other organisations; could controls be improved; are the number of controls in place appropriate or could the control environment be leaner and still remain effective; and where there are weaknesses, how can we best deliver cost-effective and positive change? 

Second and third lines
In facilitating quality CSA, and in particular if workshops are used, the second lines of defence – and often the third line – play a key role. As such, they need to have the relevant expertise, credibility and people skills to collaboratively manage group dynamics and maintain the first line’s focus on the assessment of risks and controls in the context of the organisation’s strategic objectives. Recognising the subjective nature of CSA, second lines should also review and challenge the results from the programme. 

The expectations of second lines of defence to identify, evaluate, manage and report risks have increased significantly since the financial crisis and subsequent recession.  Organisations continue to make enhancements to the capabilities of their second lines with the aim of creating high quality oversight functions that are respected across the organisation. 

Key challenges 
There are a number of key challenges to creating effective second lines of defence. 

  • First, the attraction of high calibre individuals who understand the organisation’s objectives, how it makes money, the risks being taken on and the potential impact the current and emerging economic, regulatory and political environment may have on the entity. 
  • Second, the existence of a culture that supports these individuals’ standing and authority within the organisation; where they can challenge on an equal footing the first line’s risk decisions, assessments and accountability. 
  • Third, a senior management team and governing body who empower those in the second line to be bold, to focus and report on fewer, strategically important risks rather than performing extensive – often falsely comforting and lesser value – risk mapping. 

To be truly effective, second lines of defence need clear direction and appropriate tools.  Quality risk management activities cannot be delivered in a vacuum: the governing body will first define its risk appetite and risk strategy for the organisation in a way which is capable of being easily measured and understood.  

Governing bodies also benefit from spending time with second line senior management to help it to understand its expectations with regards to risk reporting to support the preparation of reporting which is more insightful, relevant and succinct. However, reporting is limited by the consistency and transparency of risk terminology and reporting systems in use across the organisation. Therefore, organisations will need to continue to invest in these to align them as far as possible so that the second lines of defence can report an aggregate enterprise view on risks. 

And best in class second lines of defence will be those which tell their governing bodies not just what these risks are – their likelihood, potential impact and early warning indicators – but how well prepared the organisation is to respond promptly and effectively to these risks if they occur. 

Anna Thursby ACA – director of audit – risk, TSB Bank plc

Cyber attacks: are you ready for them?
Understand the current cyber threat landscape and how to mount an effective defence.

The advent of the internet has closed the gap between organisations and individuals and those who want to attack and damage them. 

Dr Darren Brooks – executive manager, Cyber Security Consulting, BAE Systems Applied Intelligence – told delegates at a recent ACCA UK Internal Audit Network event in London that the significance of this was underlined by NATO’s recent announcement that it saw no distinction between a cyber attack and a physical attack. 

Attack instigators 
So far, the most significant actors in the cyber-domain appeared to be nation states, he said, with many examples of their activities. Cyber attacks against Ukraine, for example, were used some six to 12 months before the first shot was fired in its conflict with Russia.   

There is also an increasing crossover between criminal attacks on the corporate world and what was being seen from certain states, he added. Many sources cited China and Russia as aiming attacks at Western companies, with this behaviour now spreading to involve other groups from across the world. 

Turning to criminal, rather than nation state attacks, Dr Brooks said that the ‘bad guys’ had been trying to steal money from banks for as long as the banking system had existed. The internet had simply made it easier. Most of the criminal activities centred on harvesting bank account and credit card information, but corporate fraud was also increasing. 

‘The attacks we are seeing are generally on mid-sized companies where there is some confusion around the sign off of money, less robust procedures or procedures they can intercept,’ he explained. ‘Fraud is the most common motive for a cyber attack, but others include sabotage and market manipulation. 

‘In the case of corporate espionage, the targets are usually market information, IP and information around mergers and acquisition. People have always been after this sort of information but it’s now easier to steal it.’ 

The last group of people using cyber attacks were campaigners, who instead of camping out on corporate doorsteps to make their protests could now launch attacks from home that could disrupt organisations by taking down websites or putting messages up on them. 

Recent years have seen a proliferation of sophisticated cyber attack tools, such as steganography where a message, image, or file is concealed within another message, image, or file. This was effective because the intended secret message did not attract attention to itself as an object of scrutiny. Criminal organisations are also deploying pluggable tools, such as Shylock, that anyone can use. 

Alongside new techniques, there is a re-emergence of old technology, including a technique which invites people to click on a spurious link which bypasses all the controls and downloads software that allows the attacker to do whatever they want.  

Phishing and spear phishing are also rife. Phishing is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers, while spear phishing – also an email spoofing fraud attempt – targets a specific organisation and seeks unauthorised access to confidential data. As with the email messages used in regular phishing expeditions, spear phishing messages appear to come from a trusted source. 

‘We are seeing all these techniques being used and via lots of different channels,’ said Dr Brooks. ‘Using them in combination dramatically improves the success rate of the attacks.’ 

Mounting a defence
So what should organisations be doing to defend themselves? An awareness and understanding of the dangers is obviously paramount, and this includes recognising that an attack can come through an organisation’s supply chain. 

‘It is particularly hard to stomach if a small company working on your behalf is hit,’ Dr Brooks pointed out. ‘Nobody cares if it was the printer who lost the details of your pensioners – it will be your brand name that appears all over the BBC. Those attacking you will usually focus on the weakest door, so review the controls your suppliers are putting in place for you and check how they are managing your data. This is absolutely vital when you have sensitive data on their systems.’ 

Dr Brooks shared his cyber attack management rules with his audience. ‘Be clear whose responsibility this is,’ he said. ‘It is not the IT department’s or even the security department’s. It lies with the board, which must manage the risk of doing business online and being part of the connected world. But it may need help in understanding what risk looks like and what is a good investment in terms of protection.’ 

Understanding cyber risk is specific to each organisation and is based on its history, where it is based, the sector it operates in and who it does business with. The risks are many and varied and include censure and embarrassment, client loss, direct fraud, sabotage and espionage. 

‘Take active decisions about cyber security and plan for resilience,’ Dr Brooks urged. ‘Be clear, in the event of an attack, who should make the decisions, who should get involved in the clean up and who explains what’s happened to your client. 

‘Make sure that cyber security measures support the strategic priorities of the business because cyber security should never be a blocker to what the business is trying to achieve. Late decisions around security tend to offer a poor balance between costs and risk – get in early because shoe-horning them in later can be very expensive. Good risk management focuses your spend where it is needed most.’ 

Dr Brooks concluded by saying that auditors needed to ask themselves three key questions:  

  • how do we know we are being attacked?
  • have we got the right monitoring systems in place?
  • are controls blocking or delaying the organisation’s progress? 

By addressing these questions you’ll be able to play an active part in ensuring your company is protected from the threat of a cyber attack. 

Jill Wyatt is a business journalist 

You can watch a webcast of this ACCA UK Internal Audit Network event.

Welcome to your new look IA Bulletin
A brief explanation about the changes to IA Bulletin.

As you can see, IA Bulletin has received a makeover. We have retained the same mix of high quality content designed to keep members working in internal audit informed of the latest news and technical developments facing them, while refreshing the look and feel of the publication. 

This new format is fully mobile-responsive, allowing you to view it on your desktop PC, tablet or mobile phone. The font size has been increased, making the articles easier to read and the presentation of the cover page in particular much easier to scan. 

Other features we know readers appreciate continue, such as the ability to share an article you particularly like via social media (Twitter or LinkedIn) and the option to 'print all' if you prefer reading a paper version (look for the button at the bottom of the cover page). 

We hope you will continue to enjoy reading IA Bulletin and welcome any feedback you may have; please email the editor.

Connect via LinkedIn
ACCA has set up LinkedIn groups for each UK sector specific network, including the Internal Audit Network.

ACCA hopes that these groups will: 

  • stimulate discussion and debate by providing a forum to share ideas and discuss issues amongst members working in internal audit and associated fields
  • highlight current issues of interest to members working in internal audit
  • encourage discussion of policy and consultation documents. 

If you have not already done so, joining the group is easy!  

For members with an existing LinkedIn account: 

  • access the group here and click the ‘Join’ button on the top right hand corner of the page
  • an email will then be sent to your registered LinkedIn account email address asking for you to verify your membership details
  • follow these instructions and once your membership has been validated you will be admitted to the group.

If you do not currently have a LinkedIn profile, you can register for a free account here.

(Please note, this group is only open to ACCA members in the UK.)

Progress with ACCA
Do you have any staff or colleagues looking to do a professional qualification?

We are providing FREE online sessions for any prospective students looking for further information on how to progress their careers and support your business better. 

Please see below for a list of upcoming dates. All sessions will be held at 12:30. 

  • 21 January
  • 18 February. 

What will the session cover? 
This session will provide a very useful overview of the ACCA qualification, giving information on exemptions, entry routes and how to sign up, and will incorporate some first-hand information on why others have chosen ACCA as their next step. 
The session will last no longer than 30 minutes and will provide an opportunity for those attending to ask questions. 

To book a place on any of the above dates, please contact us via email stating the preferred session with names, email addresses, and employer details for those who wish to attend.

Benefit from the ACCA Approved Employer Programme
Did you know that specific employers could be eligible to join ACCA’s Approved Employer programme?

ACCA’s Approved Employer programme, which recognises employers’ high standards of staff training and development, has two levels of recognition - Gold and Platinum - that both confer a wealth of benefits. 

If your employer is committed to providing learning and development opportunities to its ACCA members then they may be eligible to join ACCA’s Approved Employer programme under the Professional Development Stream. If your employer is committed to providing learning and development opportunities to its ACCA trainees then they may be eligible to join ACCA’s Approved Employer programme under the trainee development stream as either a gold or platinum employer. 

What’s in it for them?

  • formal recognition and enhanced reputation as an employer
  • global benchmark to enhance your brand
  • fast-track specific ACCA business processes – your trainees and/or members can benefit depending on which approval stream you choose
  • discount from ACCA
  • discounts on ACCA’s online certificates
  • exclusive branding – to demonstrate your organisation's achievement. 

All of the employer benefits are detailed in this brochure which you can give to your employer. 

If your employer thinks that they may be eligible for either or both streams of approval, they should read the guidance and apply here.

Should social media be in your audit plan?
CPD article: is social media a big enough risk to warrant inclusion in your audit plan?

Reading this article and answering these related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. 

What is social media? One definition is ‘the use of web-based and mobile technology to enable interactive communication between, across and about people, organisations and communities’. (1) 

The explosion of social media 
In one year alone, from 2012 to 2013, the number of social network users around the world rose from 1.47bn to 1.73bn (about 25% of the world’s population), an 18% increase. By 2017, the global social network audience is expected to total 2.55bn. (2)

In addition, more than 72% of all internet users regularly access social networking sites; in the UK and US alone, people spend respectively 13 and 16 minutes every hour using social media. (3)

Perhaps more important is take-up of social media by businesses around the world. Among Fortune 500 firms, 77% now have active Twitter accounts, 70% have Facebook pages and 69% have YouTube accounts. (4) 

The proliferation of social media is extensive and impacts on both organisations and individuals. The online generation, with its constant need to share information through sites such as Facebook and Twitter, has led to a situation where users (both corporate and individual) are not always aware of the risks of posting certain types of data.

What about the risk? 
As with all technology there is a degree of inherent risk, and one of the key things that makes social media risk very different from other types is the speed at which information spreads or goes viral. In some cases it can transition to conventional news media within minutes of a controversial statement.

Social media is a completely open world which allows employees to speak to a very broad audience. This ability to hit a mass audience without sufficient controls in place could lead to potential disclosure of sensitive information, such as personal accounts, health information, intellectual property, customer data and personally identifiable information. This type of information leakage may result in loss of competitive advantage, brand damage and may even lead to legal or regulatory consequences. 

Risks associated with social media can be broadly split into the following areas: 

  • brand and/or reputational damage (a great example of this was a tweet by Tesco’s customer care team during the horsemeat scandal ‘It’s sleepy time so we’re off to hit the hay’)
  • regulatory, legal and compliance violations
  • data security
  • data leakage
  • viruses and malware.  

Source: 2013 Internal Audit Capabilities and Needs Survey Report white paper.

Statistics have also shown that where employees are unaware of the risks of using social media at work, there is considerable risk beyond just lost hours of productivity; for example: 

  • 64% of people on social media sites click on links even if they do not know where the link will take them
  • >50% of users let a friend or acquaintance use their login credentials to social network sites
  • 47% of social media users have been victims of malware
  • 26% of social media users share files within personal social networks
  • 21% of social media users accept contact offers from people they do not recognise
  • 20% of social media users have experienced identity theft. 

Source: Managing Privacy Risks in Social Media-Driven Society white paper.

From the above it is clear that employees require awareness and training in basic IT security hygiene, so that they do not inadvertently expose themselves or their companies to vulnerabilities.

Should it be on the audit plan?
In a word, YES – sort of!

Like everything in the world of audit, it all depends on the level of risk and how it is being managed. As the use of social media rapidly grows, it is becoming more pervasive and impacting on many parts of the business where there are dependencies on communication.  

It’s not really a case of whether it should be included within the audit plan but how much time and attention (based on the practices and the level of risk) should be dedicated to it. The majority of companies have realised that there is some value to social media. What is probably less clear to those companies is: 

  • how to quantify that value
  • how to measure it
  • how it can be effectively controlled and managed.

Although some companies are advancing quickly and have developed processes to understand, monitor and manage social media risks, the majority of businesses are still playing catch up. As such, they have relatively immature processes and it is reasonable to suggest that the risks associated with social media may not be well articulated or captured within risk registers. This lack of understanding is also reflected in internal audit’s (IA) involvement, where the inclusion of social media within the audit plan has been relatively slow. 

This is further supported by a survey performed by Protiviti in 2013, which highlighted that social media risks will eventually be part of most audit plans but which, at the time, found the following IA responses:

  • 20% stated that it is included in the current year audit plan
  • 35% stated that it would be included in next year’s audit plan
  • 45% stated that there were no plans to include it in the audit plan. 

The survey also found that social media was the highest ranked area in the ‘need to improve’ category and the lowest ranked in terms of ‘competency’ within IA departments. This is an interesting finding, as it suggests that IA departments may not have the resources or skills to understand the risks, or to engage with the business in order to effectively identify and test the controls being used to mitigate those risks.

Below are some brief pointers for IA on when to get involved, the types of questions to ask and what to audit.

Knowing when to act 
IA should be looking at social media as soon as it sees signs of significant social media usage, or where there has been significant social media activity within the business or within the industry.

Some trigger points that may indicate when to initiate a social media review include:

  • high profile issue within your sector
  • high profile internal incidents
  • new product or service launch
  • desire to know more about social media
  • thinking about or have just introduced an enterprise social network
  • benchmarking how well you are leveraging social media
  • going through a transformation.  

Source: Social media governance: Harnessing your social media opportunity.

Within the UK financial services industry, the Financial Conduct Authority (FCA), which regulates the industry, released a consultation paper in August 2014 titled Social media and customer communications. This paper specifically deals with financial promotions made through social media, advising on what is acceptable and what is not. The result of this consultation paper will be a definite push for those financial institutions that have yet to structurally challenge their social media risks.

Key questions to ask
Although by no means a comprehensive list, some basic questions that IA could ask to help understand the current level and required level of involvement may include:  

  • do the business and IA conduct on-going risk assessments related to social media?
  • is there a social media strategy supported by a policy?
  • who, if anyone, performs the role in monitoring and ensuring compliance with the policy?
  • are there controls available or deployed to monitor employees' and the company’s social media activities?
  • is there a sufficient level of awareness within IT, as well as throughout the business, of the risks relating to social media?  

What to audit 
Some of the key areas to review as part of a social media audit may include: 

  • strategy
  • governance and compliance
  • processes, including
    • internal and external policies and programme execution
    • metrics and monitoring
    • third party relationship management
  • people
    • training and awareness
    • recruiting and workforce management
  • technology
    • information systems operations
    • network management
    • third party management
    • information security and privacy.

Social media strategy and the supporting governance processes are a key part of managing risks within the business and ensuring alignment with the organisation’s objectives. Equally important is the culture that is adopted based on that governance and the tone from the top. The risk culture will also have some impact on external exposures; for example, employees identifying and reporting negative or inappropriate comments so that the business can take appropriate steps to respond.

From experience, there has been a noticeable increase in the number of social media policies implemented; some could even argue that their development was a knee-jerk reaction to ‘have something in place just in case’.

However, this reactive approach of creating a policy and getting it out there generally lacks the strategy and governance needed to support the social media policy. The risk here is that the policy on its own will not provide sufficient control and will not identify whether employees are complying with its requirements.

Ideally, as businesses look to include social media within their strategy, IA should be consulted by the business to assess the adequacy of the social media policy along with the supporting governance processes and procedures. Like all policies, this should include a compliance requirement that IA will test from time to time to assess how the business is complying with the policy.

Outside factors will also play a role in the assessment of the risk around social media: as discussed, the type of business and the industry will either increase or decrease that level of risk. The organisation’s culture will also be a difficult beast to grapple with; however, businesses must tackle and improve the mindset on dealing with social media.

As discussed, the involvement of IA with social media has previously been muted or limited at best. IA departments in some cases feel inadequately trained to deal with the risks of social media; however, we are already starting to see changes as businesses become more strategic in their use of social media.

The result of these business actions will undoubtedly require IA to review the use of social media and for its inclusion within the audit plan. What is less clear is how much time and involvement will be needed. 

Bill Nagra - Risk Audit Security Limited


  1. W. Noel Haskins-Hafer - ISACA auditing social media v3.


Webcast - cyber security for internal auditors
Watch the first ever webcast of an Internal Audit Network event.

ACCA UK’s Internal Audit Network Panel is developing alternative ways to support a broader range of ACCA members working in internal audit. 

The first offering under this approach was a joint event with ISACA (formerly known as the Information Systems Audit and Control Association) on 14 October 2014 on Cyber Security for Internal Auditors.

Dr Darren Brooks, who leads BAE Systems Applied Intelligence’s cyber prepare activities for commercial and international customers, spoke on what the cyber threat landscape looks like and the attack trends and techniques that criminals are using.

He also talked about how a business can defend itself, and the questions that internal auditors should be asking of their organisation’s security function and of its board.

View a webcast of this event now



Questioning techniques for internal auditors
Join us at this special event for internal auditors on 2 February 2015.

On the evening of Monday 2 February 2015, ACCA UK’s Internal Audit Network will hold an event in London on Questioning techniques for internal auditors – how to get your hands on the information you need.

As an internal auditor you deal in information. To get to that information which will allow you to help your internal client, you need to pose questions – and that’s where the trouble can start. 

In this world there are three common types of responses when posed a question:  

  • the defensive: the ‘why are they asking me that?’ response
  • the unexpurgated: the ‘let me tell you all I know and all you don’t need to know’ response
  • the answer: an answer to the question you asked.

None of them is perfect. The defensive response turns you into an interrogator, the enemy; the unexpurgated response means you are in danger of switching off before you get what you need to know; and the answer response answers only the question you asked, which means the information is limited to your question.

So what is the ‘right’ question to ask? It depends on your client. And that means you need to think through their mindset before posing your question and to be flexible in how you phrase it. You need a personal library of questions that will access the same information. The right question matched to the recipient is dynamite: it blasts open the information you need and creates a good working relationship. It can even turn around an interview that has started off badly. 

In one short session on 2 February 2015, Jane Allan of Jane Allan & Associates will give you the keys to set up your question library and the tricks to sidestep the three answer styles and get your hands on what you need to know: 

Title: Questioning techniques for Internal Auditors – how to get your hands on the information you need
Date: 2 February 2015
Time: 18.00-20.30
Location: ACCA, 29 Lincoln’s Inn Fields
Cost: Free 

Book your place now

Following the event, a webcast will be available on ACCA’s website for those unable to attend.


Save the date!
Plan ahead to attend ACCA UK's Internal Audit Conference 2015.

ACCA UK’s 2015 annual Internal Audit Conference will take place on Wednesday 13 May in London, taking as its theme 'auditing the four horsemen of the apocalypse'. If you would like to register your interest then please send an email to our Professional Courses team.

Global survey on reputation risk
What’s your company’s reputation worth? Deloitte publishes report with some answers.

What’s your company’s reputation worth? If the more than 300 business executives who participated in Deloitte’s global study on reputation risk are correct, a company’s reputation should be managed like a priceless asset and protected as if it’s a matter of life and death, because from a business and career perspective, that’s exactly what it is. 

The Reputation@Risk survey report examines what organisations around the world are doing to get in front of this critical issue.

Internal audit practitioner guides
A guide for audit resource management.

ACCA has produced a series of Internal Audit Practitioner Guides which can be found in its Internal Audit Virtual Learning Centre. These guides are easy to read and outline what internal auditing is like in practice and the pitfalls that often arise. The last eBulletin included a Guide for Assurance Planning. In this issue, we are including the Guide for Audit Resource Management.

To access the complete set of Guides, visit ACCA UK’s Virtual Learning Centre by logging in to your myACCA account and selecting the 'Virtual Learning Centre' link (in the 'Learning Opportunities' box). Then click on the 'Log in Now' button and accept the conditions of use and you will be taken to a menu page. Scroll down the menu page to select 'Internal Audit' and that will take you into the Virtual Learning Centre. The guides can be found in the ‘Guidance for Auditors’ part of the ‘Learning about Internal Audit’ section. This resource is only available to ACCA members and is free of charge.