The Internal Audit function occupies an enviable position in Nigerian Banks, from the provision of assurance on the systems of internal controls, governance and management risk, maintaining mutually beneficial relationships with various stakeholder groups.
While it has become increasingly perilous to predict any patterns to the economic outlook in 2020; the microeconomic assumptions seemed to have changed negatively.
The entire world has continued to battle with the current plague – COVID-19; a virus that has subjected everyone to ‘a new world order and norm’.
The unstable patterns of microeconomic assumptions had impacted negatively on the economy, social activities and general survival across the globe with particular reference to the Nigeria nation.
These microeconomic assumptions include amongst others the following: Unemployment, Inflation, Monetary policy, Manufacturing output, Official exchange rate, Bank autonomous credit expansion, Oil prices, 2.0 2.1 Internal Audit Role (assurance, Advisory Consulting) Development finance credit expansion, National geopolitics.
The Internal Audit role continues to change in approach and scope as activities and events begin to change the business dynamics across the globe with immense risks and uncertainties a The Internal Audit role has become elevated in view of the changes to economic and business tides with multiple risks and opportunities becoming heightened.
The Institute of Internal Audit (IIA) defined ‘internal auditing’ as ”an independent, objective assurance and consulting activities designed to add value and improve organisations’ operations”
This definition did not envisage critical events that could occur and take the Internal Auditors’ roles beyond the provision of assurance and advisory roles.
In the face of the unpredicted outlook of the dynamics of doing businesses across the world; the roles of the Internal Auditors seemed elevated in scope; thus, my re-coined perspectives below:
What Is The Assurance And Advisory Roles Of The Internal Auditor At Such A Time?
An Internal Auditor (IA) is a trained professional and an individual saddled with the responsibilities of providing independent and objective evaluations of company financial and operational business activities.
They are employed to ensure that companies follow proper procedures and execute functions that would minimise income leakage, that policies are duly followed, assets and human resource are safeguarded; defined processes are closely monitored as established by Management in orde r to reduce the impac t of s ys tem vulnerabilities.
Internal audit operates within a demanding regulatory and legislative regime that can limit innovation for today’s risk techniques and approaches.
The Internal Auditors of today (2020 and beyond) need to be able to resolve to learning and adapting expertise and unique skillsets in developing other detective solutions that will better meet stakeholders’ needs in view of their elevated roles.
WHAT IS YOUR ID? IT IS ‘MyID’ 1 CONNECT using ‘MyID 2 3 Emergent Risks (COVID-19, Cybersecurity) IT and business innovation provide endless possibilities for internal auditors to better serve their clients and improve audit quality. Even though technology can automate audit procedures, people are crucial to interpret data, provide ethical judgement and strategic advice – Thus, only an internal auditor that nurtures the belief that ‘learning is a journey’ would continue to be relevant in view of the emergent risks (COVID-19, CYBERSECURITY).
What Are The Emerging Risks And How Do The Risks Elevated The Roles Of Internal Auditors?
The COVID-19 pandemics has continued to shape transaction patterns in Nigeria and all over the world. Business decisions have been taken differently by those charged with governance of entities as a result of the impact of ‘social distance rules’ established by different countries; the ‘work from home orders’ etc; the current dispensation thus makes it impossible to conclude transactions using physical contacts from beginning to the end.
Transactions are majorly driven by electronic or online channels, thus creating more vulnerabilities for individual and entities who get attacked by electronic fraudsters and hackers.
The emergent risks have therefore increased in leaps and bounds as highlighted below:
Shift in attack targets – attacks have shifted to cloud-based systems and internet of things – (IoTs);
Shift in attack magnitude – Number of attacks have increased due to increase in online channels
Shift in identification and authorisation – increase in attempts to steal credentials
Shift in monitoring – Increase in the use of artificial intelligence for monitoring people and organisations. µ
Shift in regulatory oversight – Regulators will tighten regulatory requirements and ensure safeguards arounds Data Privacy (DP).
The emergent business protocol designated as ‘the new normal’ has become households’ lyrics across the globe as the COVID-19 pandemic has created an abrupt need for companies’ entire workforce to be relocated out of their corporate facilities and into virtual environment to aid remote working arrangement.
The roles of the Internal Auditors became tweaked to mirror current business dynamics and realities; thus, ‘auditing remote workstations techniques’ (ARWT) also became prominent amongst Chief Audit Executives (CAEs) within banks in Nigeria and across the world.
The elevated roles of the Internal Auditors manifested as their security focus has shifted from companies’ perimeters to devices outside their networks in order to provide assurances on enterprise resources as well as safeguard customers transactions on online platforms when faced by any of the underlisted vulnerabilities µ Phishing µ Insecure wireless-fidelity (WIFI) µ Data leakage and privacy µ Attacks on remote infrastructure Unauthorised insecure devices Misconfigured cloud infrastructure.
There are opportunities and challenges to the current world order which organisations have described as the biggest event that have slowed economic indices and halt so many businesses; however, it also came with some opportunities.
Let’s dwell on challenges, opportunities and actions to take by Internal Auditors in combating these challenges:
Cost of no service/business shutdown Organizations most times shut down their systems to contain the effect of attack during this period and as a result, earnings were lost.
Direct monetary loss – This is the loss that occur as a result of cyber-attack or cost of increasing the defensive mechanism (fire walls) as a result of persistent cyber threats (successful and unsuccessful attempts).
Cost of investigation – This is the cost of paying experts like (Internal Auditors) to investigate a cyber incident. ª
N o n – m o n e t a r y i m p a c t – S u c h a s reputation/brand value loss and probable loss of customer loyalty.
Increased operational overhead costs – These costs include amongst others: (1) regulatory costs (2) legal costs, (3) repairs and rebuilding costs (4) marketing and public relations costs.
Combating Challenges By The Internal Auditors
Perform security assessment on remote working infrastructure.
Implement and monitor minimum security baseline for remote devices. Examples: multiple factor authenticator; robust encryption and antivirus.
Review and communicate remote BYOD agreement. BYOD stands for ”bring your own device” staff members working remotely could decide to use their own computer machines; a corporate agreement should be prepared by the Legal Department in concurrence with the Information Technology Group.
Staff members working remotely with their personal devices 4.0 Opportunities (digitilisation Etc) would be required to execute such agreement; excerpt of the agreement should automatically become part of the remote working policy (RWP).
Review and ensure that business continuity plans and business resilience strategies are periodically updated.
Check to ensure that platforms are in place for staff to institute and communicate measures for staff to report cyber security incidents.
Review SLAs with cloud providers as it relates to business continuity and backups.
Develop strategy for cloud and perform security assessment on cloud infrastructure.
Institute staff awareness jingles timeframe to aid security awareness for all staff and assess evidences of internal combinations against set time-frame – ensure that contents of internal communications are reviewed and that it conveys current security trends and threats.
Review configuration of third-party services – (e.g. Microsoft teams, zooms, drobox etc) to aid data privacy. ª Review data leakage and loss prevention solution periodically.
Opportunities Arising From Digitalization of Business Processes
The current wave of COVID-19 pandemics has also brought a hype in businesses digitization processes. This has created opportunities for entities to see the new normal from the other side of the coin.
These opportunities include amongst others the following:
1) Reduction in the costs of erecting bricks and mortals Online transactions are consummated anywhere without customers visiting offices or branches of companies. Companies do not need to spend scarce resources on erecting structures for the sake of either housing their staff members or customers. Millions of naira are being saved with the advent of this era, with businesses being closed successfully at remote locations like never before.
2) Comfort and convenience of conducting businesses online real timeransactions are consummated at the comfort of ones’ room remotely without attributable costs of getting such businesses done without hazzles as well as total elimination of high turnaround times as these businesses are done online real time. All transactions are therefore designated as ‘spot in nature’.
3) Greater reduction in the conveyance of cash instruments Digitization has brought lots of conveniences to business landscapes across the globe; currencies are no longer being conveyed in abundance as physical contacts with persons have been greatly reduced by the ‘social distance rules’ initiated by the governments of different jurisdictions.
4) Electronic payments solutions as aids to foreign exchange rates computations. Payments for goods and services could be done remotely without recourse to ascertaining or computing the exchange rates, rates are automatically computed and charged to customers’ accounts as a result of digitization. Electronic master cards etc have indeed paved way for this; businesses are concluded remotely with the aid of this means of payment.
5) Remote trainings possibilities and elimination of cost overheads Trainings across all parts of the world are now being done seamlessly without physical presence. This is made possible by digitization. Companies overheads on trainings have been grossly reduced; as foreign trainings would involve huge costs such as airfares, staff benefits-in-kinds like per diem and other factors such as feeding and hotel accommodations. Prior to the advert of COVID-19 pandemics, companies do not believe that value added trainings could be implemented successfully via virtual platforms such as zooms, Microsoft teams etc.
6) Remote working capabilities across the Globe The use of virtual private network (VPN) was not this echoed, current events had shown that workplace is no longer designated to one location; majority of the organisations have their staff members working remotely from homes, and this has proven to be very effective with most entities clamouring that this might just be the way forward whether the pandemics goes or stays.
The use of VPN, intelligent CCTV cameras, wireless networks for guests’ access have paved ways for remote working capabilities.
7) Broaden the e-commerce horizons effectively Digitalization has quite broadened the horizons for electronic commerce, meetings such as annual general meetings, extra ordinary general meetings of customers, board committee meetings with such meetings appearing as if they were physically held. Passengers are onboarded into flights electronically while internet of things have continued to pave way for broader sophistication of the e-commerce horizons; the use of artificial intelligence to aid business decisions and carry out some domestic tasks have continued to be improved upon.
8) Increase use of internet of things (Iots) The current dispensation has created a greater learning curve for persons who perhaps have taken for granted the importance of technology. Board of entities have committed funds towards creating awareness and building tech-skills amongst her staff members. Lots of companies/individuals have deployed electronically operated devices to resolving daily challenges at work places and homes respectively with less human intervention.
The Internal Auditors would have to do lots of reading and researches on how best to mitigate threats; Data privacy protection is pivotal to the Internal Auditors of today than before – relaxation of data protection practices while using online collaboration tools and techniques (Example video calls, online meetings, online drives) to share personal data could lead to exposure, any online meeting without a password is a target for hackers.
Risks associated with remote audit executions should be the basis for all internal audit engagements in the current dispensation. To this end, attacks on remote infrastructure had led companies to create new infrastructure for remote working, deployment of VPN-servers, moving internal applications to the demilitarized zone (DMZ) by expanding their internet facing perimeters.
It is therefore a wake-up call to the Internal Auditors, CAEs, Board Audit Committees of entities to note that the roles of Internal Auditors have been elevated with the emergent of these risks and opportunities embedded in COVID-19 pandemics.