The fundamental role of internal auditors is to evaluate and help boards and executives improve the effectiveness of governance, risk management and control processes.

This statement captures the intent expressed in the guidelines of various professional organizations and regulations, such as the International Internal Audit Standards Board, the Institute of Internal Auditors, the American Institute of Certified Public Accountants, the Information Systems Audit and Control Association, the International Accounting Standards Board, the Sarbanes-Oxley Act of 2002 and Solvency II.

These organizations and regulations place strong emphasis on the overarching frameworks that guide, influence and control how organizations perform, recognizing that weaknesses in these frameworks foment hidden risks.

Hidden risks are apt to be more prevalent within modern, complex operating environments. In such organizations, internal auditors must gain insights from the nexus of internal and external environments and information flows, often across borders. Accordingly, to be effective, internal auditors need to have a holistic view of the organization and its external operating environment, while maintaining a laser focus on specific functional components under examination.

This requires not only the requisite auditing skills, experience and domain knowledge, but also an understanding of the external operating environment and of the information technology and data management capabilities of the organization and its third-party participants. Knowledge of fraud investigation, in line with the guidelines of the Association of Certified Fraud Examiners, is also helpful.

The perspective and context provided by this combined view enables internal auditors to not only examine traditional financial, operational and strategic risks and control mechanisms, and fact-based information, but also to take into consideration other emerging factors that are apt to contain hidden risks.


Digitization

Many emerging risks within the commercial sector are related to the increased application of digitization in just about every aspect of business. For insurance organizations, this is especially significant in two related areas: The interaction with customers and third parties, and cyber threats and security.

Interaction with customers and third parties increasingly takes place through web and social media channels, supported by advanced analytics and algorithms that often replace human interaction. These channels give the parties using them opportunities to act improperly. Perhaps more important, cyber criminals increasingly use them, via social engineering techniques, as points of entry (that is, attack vectors) into an organization’s data resources.

To assess the risks related to these attack vectors, internal auditors must collaborate with information technology experts who can provide insights into the usage patterns and security mechanisms of their own organization and of the third parties it deals with.


A note about social engineering

Social engineering is an attack technique, made easier by web and social media usage, that tricks people into breaking normal security procedures. Three common techniques, used individually or in combination, are:

  • Phishing: seemingly legitimate emails that entice the recipient to open an attachment or click a link that installs malware or harvests credentials.
  • Pretexting: a call or e-mail that claims to need selected information in order to “confirm” a person’s identity.
  • Baiting: lures that entice the targeted user to download content presumed to be helpful, which in fact installs malware.

Weaknesses in risk governance and management increase exposure to such attacks and the likelihood that they succeed. Phishing simulations and penetration tests run by security teams can identify the groups of users most likely to fall prey, giving internal auditors evidence for recommending additional education and training of personnel. Results should be read by group and over several rounds; a single round with a handful of recipients says little about a department, and nothing reliable about an individual.
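As an added illustration of how simulation results can be turned into training priorities (example code written for this page, not the authors' or any vendor's tooling), the Python below aggregates per-user outcomes from one phishing simulation round by department and flags groups whose click rate is too high or whose report rate is too low. The records, user IDs, department names and thresholds are all constructed assumptions; the point worth noting is the minimum-sample rule, which keeps a department with two recipients from being judged on two data points.

```python
"""Added example (not from the article): summarising phishing-simulation
results so that training effort can be pointed at the groups most at risk.

The records below are constructed sample data; user IDs and department
names are hypothetical. Each record is one simulated phishing e-mail sent
to one employee.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    user: str
    department: str
    clicked: bool          # followed the link in the simulated e-mail
    submitted_creds: bool  # typed credentials into the landing page
    reported: bool         # reported the e-mail to the security team


# Constructed results for one simulation round.
SAMPLE_RESULTS = [
    SimResult("u01", "claims", True, True, False),
    SimResult("u02", "claims", True, False, False),
    SimResult("u03", "claims", True, False, False),
    SimResult("u04", "claims", False, False, True),
    SimResult("u05", "claims", False, False, False),
    SimResult("f01", "finance", True, False, False),
    SimResult("f02", "finance", False, False, True),
    SimResult("f03", "finance", False, False, True),
    SimResult("f04", "finance", False, False, True),
    SimResult("i01", "it", False, False, True),
    SimResult("i02", "it", False, False, True),
    SimResult("i03", "it", False, False, True),
    SimResult("i04", "it", False, False, True),
    SimResult("l01", "legal", True, True, False),
    SimResult("l02", "legal", True, False, False),
]


@dataclass
class DeptStats:
    sent: int = 0
    clicked: int = 0
    submitted: int = 0
    reported: int = 0

    @property
    def click_rate(self) -> float:
        return self.clicked / self.sent

    @property
    def submit_rate(self) -> float:
        return self.submitted / self.sent

    @property
    def report_rate(self) -> float:
        return self.reported / self.sent


def summarise(results):
    """Aggregate per-user outcomes into per-department counts."""
    stats = {}
    for r in results:
        s = stats.setdefault(r.department, DeptStats())
        s.sent += 1
        s.clicked += r.clicked          # bool adds as 0/1
        s.submitted += r.submitted_creds
        s.reported += r.reported
    return stats


def training_priorities(stats, click_threshold=0.25, report_threshold=0.5,
                        min_sample=4):
    """Departments that clicked too often or reported too rarely.

    Departments with fewer than min_sample recipients are left out: one or
    two results say nothing reliable about a group (or an individual).
    The returned list is sorted by click rate, worst first.
    """
    flagged = []
    for dept, s in stats.items():
        if s.sent < min_sample:
            continue
        reasons = []
        if s.click_rate > click_threshold:
            reasons.append(f"click rate {s.click_rate:.0%} > {click_threshold:.0%}")
        if s.report_rate < report_threshold:
            reasons.append(f"report rate {s.report_rate:.0%} < {report_threshold:.0%}")
        if reasons:
            flagged.append((dept, reasons))
    return sorted(flagged, key=lambda item: -stats[item[0]].click_rate)


if __name__ == "__main__":
    stats = summarise(SAMPLE_RESULTS)
    for dept, reasons in training_priorities(stats):
        print(dept, "; ".join(reasons))
```

With the constructed data, only the claims department is flagged (60% clicked, 20% reported); finance sits exactly on the click threshold and is not flagged, and legal, where both recipients clicked, is excluded by the minimum-sample rule rather than reported as a 100% click rate.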


Disaster recovery and business resilience

The increase in natural and man-made risks, and the linkage within organizations to a variety of diverse third-party players, has brought the need for improved operational risk management to the forefront of regulators, boards and executives. Assessing cross-border risk and recovery capabilities within one’s own organization and across supply chains is a highly complex process requiring the specialized skills of accredited and experienced practitioners.

Nonetheless, internal auditors need to assess the effectiveness of, and the risks and controls inherent in, any disaster recovery plans and the capability to execute them, including third-party resources that may be involved. It is not sufficient to assume that controls are in place because a disaster recovery document exists. Disaster recovery plans need to be exercised in order to uncover hidden risks, to identify needed modifications and to validate that they work as intended.



Advanced analytics

The increased application of advanced analytics within organizations provides both benefits and risks. On the one hand, analytics provides insights needed to improve performance, predict future scenarios, and uncover risks. On the other hand, analytics may introduce risks related to the data, algorithms and models used.

Internal auditors can address data quality risk by assessing the strength of data governance and of the processes that assure the data in use is complete, valid, accurate, consistent, available and timely.

To assess risks related to algorithms and models, internal auditors must “stress” the algorithms and models under various assumptions and scenarios that can uncover near and longer term integrity and reliability issues.


Organizational culture

Regulators understand the important role that a “risk-aware culture” has in the organization’s ability to manage risk. Internal auditors also understand this and recognize that any deficiencies in C-suite risk management directives, training and other support, and “tone at the top” messaging can affect the organization, weakening the organization’s overall risk management and control framework and processes.

Any such weakness creates an overarching organizational red flag issue for internal auditors, but especially as it relates to those persons having any influence over the altering of data or control processes. In addition, a weak risk-awareness culture can increase the potential for successful attacks via social engineering techniques, as discussed previously.

An organization’s culture can often be perceived simply by “walking, talking and observing,” providing insights that indicate the need for further exploration.


Use of advanced tools by internal auditors

The assessment of risks in traditional functions of the organization and those mentioned previously can be facilitated by use of advanced semantic search and analytics tools available within the organization or via third parties.

These tools enable internal auditors to pose and obtain answers to a wide variety of questions related to business processes, controls and individual performance. Answers to initial questions can be used in refining analytics to uncover anomalies in patterns of behavior that warrant further examination.
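As an added example of the kind of analytics this refers to, and of the point made earlier about persons with influence over the altering of data, the Python below (written for this page, not the authors' or any product's code) runs two simple checks over a record-change audit trail: a per-user volume check that compares each day's write count with that user's own baseline, and an off-hours check for writes outside business hours or at weekends. The log format, user names, record IDs, thresholds and business hours are constructed assumptions. Both checks only surface candidates for follow-up; neither proves anything improper.

```python
"""Added example (not from the article): two checks an auditor's analytics
could run over a record-change audit trail to surface behaviour that
warrants further examination.

AUDIT_LOG is constructed sample data in a hypothetical format:
    <ISO-8601 timestamp> <user> <action> <record id>
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

AUDIT_LOG = """\
2024-03-04T09:12:00 alice UPDATE claim-1001
2024-03-04T10:00:00 bob UPDATE claim-2001
2024-03-05T09:40:00 alice UPDATE claim-1002
2024-03-05T11:30:00 bob UPDATE claim-2002
2024-03-06T14:05:00 alice UPDATE claim-1003
2024-03-06T15:00:00 alice READ claim-1003
2024-03-07T09:55:00 alice UPDATE claim-1004
2024-03-07T22:15:00 bob UPDATE claim-2001
2024-03-08T16:20:00 alice UPDATE claim-1005
2024-03-11T09:01:00 alice UPDATE claim-1006
2024-03-11T09:03:00 alice UPDATE claim-1007
2024-03-11T09:05:00 alice UPDATE claim-1008
2024-03-11T09:07:00 alice UPDATE claim-1009
2024-03-11T09:09:00 alice DELETE claim-1010
2024-03-11T09:11:00 alice UPDATE claim-1011
2024-03-11T09:13:00 alice UPDATE claim-1012
2024-03-11T09:15:00 alice UPDATE claim-1013
"""

# Actions that alter data; reads are not counted by either check.
WRITE_ACTIONS = {"UPDATE", "DELETE"}


def parse(log):
    """Parse the hypothetical log format into (timestamp, user, action, record)."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = line.split()
        events.append((datetime.fromisoformat(ts), user, action, record))
    return events


def daily_write_counts(events):
    """user -> {date: number of writes that day}."""
    counts = defaultdict(Counter)
    for ts, user, action, _ in events:
        if action in WRITE_ACTIONS:
            counts[user][ts.date()] += 1
    return counts


def volume_anomalies(counts, z_threshold=2.0, min_days=5):
    """Days on which a user's write count is far above their own baseline.

    Users with fewer than min_days of activity are skipped: there is no
    baseline to compare against, which is a finding in itself, not an alert.
    Returns (user, ISO date, count) tuples.
    """
    flagged = []
    for user, per_day in counts.items():
        values = list(per_day.values())
        if len(values) < min_days:
            continue
        mu, sigma = mean(values), pstdev(values)
        if sigma == 0:          # perfectly regular activity, nothing to flag
            continue
        for day, n in sorted(per_day.items()):
            if (n - mu) / sigma > z_threshold:
                flagged.append((user, day.isoformat(), n))
    return flagged


def off_hours_writes(events, start_hour=8, end_hour=18):
    """Writes outside the assumed business hours or at weekends."""
    flagged = []
    for ts, user, action, record in events:
        if action not in WRITE_ACTIONS:
            continue
        if ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour):
            flagged.append((user, ts.isoformat(), record))
    return flagged


if __name__ == "__main__":
    events = parse(AUDIT_LOG)
    print("volume:", volume_anomalies(daily_write_counts(events)))
    print("off-hours:", off_hours_writes(events))
```

On the constructed log, alice's eight writes on 2024-03-11 stand out against her one-per-day baseline (z about 2.2), and bob's 22:15 update is the only off-hours write. Bob has only three active days, so no volume baseline is computed for him; an auditor would note the thin history rather than treat the silence as clean.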


The expanding role of internal auditors

Continuing economic and regulatory pressures are requiring boards to assume more responsibilities for risk assessment in support of strategy development, regulatory compliance, and improvements in financial and operational performance. As a result, because of their depth of exposure to these requirements within the organization, audit committees are being called upon to play a larger role.

Accordingly, audit committees are requesting that internal auditors translate their knowledge of risk management and control processes, and their findings from internal audits into an expanded role, helping educate and train audit committee members, increase their focus on strategic risks and provide risk management consultative services.

The ability of internal auditors to uncover hidden risks provides strong assurance to the board that their risk-related decisions are sound. Accordingly, it seems likely that internal auditing will gain in stature as a business partner in helping the organization fulfill its strategic objectives.

Wendy Shapss is a senior managing director and co-leader of global insurance services for Washington, D.C.-based business advisory firm FTI Consulting. Elaine Lehnert is a managing director in FTI Consulting's global insurance services division.


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.