Audit & Risk

News round-up

We round up the latest business and regulatory news to affect the internal audit profession.

Disruptions to supply chain grow

The number of organisations that have experienced more than ten supply chain disruptions has tripled in the past year – up to 22 per cent this year compared with just 7 per cent in 2015.

According to the Business Continuity Institute’s (BCI’s) latest Supply Chain Resilience Report, supply chain disruptions that have increased in impact include loss of productivity (68 per cent in 2016, up from 58 per cent in 2015), increased cost of working (53 per cent, up from 39 per cent), and damage to the brand or reputation (38 per cent, up from 27 per cent).

The research found that 43 per cent of organisations do not insure these losses, and only a quarter of respondents (27 per cent) report top management commitment to supply chain resilience (down from 33 per cent in 2015). 

Furthermore, only three-quarters of respondents (73 per cent) report having business continuity arrangements in place to deal with disruptions to supply chain.
Download the report at bit.ly/bcireport

Boards must set cybersecurity agenda

If businesses fail to take cybersecurity seriously in their business planning, regulators may do it for them, the ICAEW has warned. Richard Anning, head of the ICAEW’s IT Faculty, said boards must grasp the nettle and deal with it as a priority. “Despite years of warnings, many still regard cybersecurity as an optional extra,” he said. “This is why we are increasingly seeing more data breaches that harm consumers and businesses alike. Cybersecurity is integral to digital business.”

The ICAEW’s latest report “Audit Insights: Cyber Security” – based on input from external auditors from the top six audit firms – said that high-profile data breaches and the slow pace of cybersecurity progress means that unless boards take control of the agenda, governments may decide to legislate.

The report says that cybersecurity needs to be a boardroom issue, especially as the EU has unveiled new rules that specifically place on them a responsibility to manage the risk. The General Data Protection Regulation (GDPR) updates and replaces the existing regulatory framework around the protection and use of personal data, while the Network Information Security (NIS) directive specifies obligations regarding cybersecurity in certain industry sectors, largely associated with critical national infrastructure and major information processing activities.

The ICAEW’s guidance suggests that boards should see cyber risks as real and dynamic, take behavioural change seriously and recognise cybersecurity as a precondition for operating. 

FRC expects to see Brexit narrative in annual reports

The UK’s corporate governance regulator has said that companies need to address risks surrounding Brexit and its impact on the business within their annual reports.
The Financial Reporting Council (FRC) has issued a letter that highlights “key issues and improvements that can be made to annual reports in the 2016 reporting season to help foster investment in the UK”.

The regulator says that “in an era where cyber risk, climate change and Brexit pose economic, social and environmental uncertainty, the FRC encourages companies to consider a broad range of factors when determining principal risks and uncertainties facing the business and performing their analysis for the viability statement.”

Paul George, the FRC’s executive director for corporate governance and reporting, said: “Annual reports are the main source of information for investors who need to understand how the company is performing to allow them to judge the long-term prospects for their investment.”

He added: “In the light of Brexit, it is imperative to promote strong investment in UK markets, and to do so there must be constructive engagement between investors and companies.”

Organisations fail to update their plans for data breaches

While most organisations have a data breach preparedness plan in place, research indicates that executives are not updating or practising the plan regularly and lack confidence in its effectiveness, according to a study conducted by the Ponemon Institute and sponsored by Experian Data Breach Resolution.

The fourth annual study – called “Is Your Company Ready for a Big Data Breach?” – shows that the number of organisations that have a plan increased from 61 per cent in 2013 to 86 per cent in 2016. 

However, 38 per cent of organisations surveyed have no set time period for reviewing and updating their plans, and 29 per cent have not reviewed or updated one since it was put in place. Furthermore, only 27 per cent of organisations surveyed were confident of their ability to minimise the financial and reputational consequences of a breach, and 31 per cent lacked confidence about dealing with international incidents.

The report also found that only 39 per cent of organisations surveyed practise their plan at least twice a year.

Staff who “flout” security pose biggest IT risk

Nearly two-thirds of IT decision-makers believe employees regularly circumvent company security policies, leaving their organisations open to cybersecurity risks, according to disaster recovery specialist Databarracks’ latest Data Health Check report.

The survey found that 61 per cent of IT executives believe that employees in their organisations carry out lax security practices, such as taking company data offsite, fabricating or omitting information on sign-in sheets, or keeping written records of passwords at least once a month, with over a quarter (28 per cent) saying employees do this daily. 

Such findings are particularly worrying when one considers that only two-thirds (59 per cent) of organisations have invested in safeguards in the past 12 months to protect against cyberthreats such as malware, viruses and phishing attacks.

Customers ready to ditch breach-hit brands 

Four out of five people in the UK would either cut back or decide never to use an organisation’s products or services following a data breach, according to research by cybersecurity specialist Thales e-security.

Only 16 per cent of respondents said that they would continue to use their products or services as usual, while 20 per cent said they would stop using their products or services completely.

“It’s important for companies to recognise just how much of their customer base might be lost in the wake of breach incidents,” said Sol Cates, the company’s vice-president of technology strategy. 

The survey also questioned respondents on what they would be most concerned about following a breach of their personal information. The results showed that theft of money from bank accounts and identity theft were the primary concerns.

ISO boosts firms’ bribery defences 

UK standard-setter BSI has launched a standard for detecting and preventing bribery in organisations. BS ISO 37001, Anti-bribery management systems: requirements with guidance for use, helps organisations to put the right controls in place to comply with the 2010 UK Bribery Act.
