Internal audit as a defensive tool

Internal audits have always played a key role in mitigating cyber risks and protecting organizational assets. Moreover, recent advancements in auditing processes have expanded its capabilities beyond traditional methods. Now, internal audit teams can leverage innovative technologies to adapt quickly to evolving cyber threats.

Key recommendations for internal audit teams:

• Continuous monitoring: Use automated tools and analytics to monitor network activity, detect anomalies, and identify potential security breaches in real time.
• Enhance cyber security skills: Invest in ongoing training and professional development to keep up with emerging threats and best practices.
• Integrate data analytics: Use data analytics to improve risk assessment and detect suspicious activities by analysing large data sets for patterns and anomalies.
• Collaborate with IT and security teams: Work closely with IT and security departments to understand the organisation’s IT infrastructure and vulnerabilities, tailoring audit procedures to the risk profile.

Ethical artificial intelligence

A strong understanding of ethics and a robust corporate culture are crucial for protecting organizations against cyber threats. Additionally, internal audits can help management monitor and support organizational culture. Consequently, this ensures all employees understand expected behaviors regarding cybersecurity and ethics. This fosters good decision-making and strengthens governance and controls.

With the rise of AI in decision-making and automation, ensuring transparency, accountability, and bias-free systems is essential. Furthermore, internal auditors can aid in implementing ethical AI practices by auditing AI algorithms and ensuring regulatory compliance. Early involvement in AI initiatives allows auditors to advise on risks and suggest solutions.

Components cyber preparedness

Preparation is key in combating cyber threats. Establishing enterprise cyber preparedness involves governance, strategy, incident response, and employee training.

• Governance and strategy: Internal audit should support and advise on effective cyber security management, helping to establish clear policies, procedures, and accountability structures. Defining roles, responsibilities, and strategic objectives aligned with business goals is crucial.
• Risk assessment: Regular risk assessments help identify and prioritise cyber risks, allowing for efficient resource allocation and targeted mitigation strategies.
• Incident response: Organisations need a formal incident response plan with designated teams and regular training exercises. Proactive measures like threat intelligence monitoring and incident detection systems are essential for swift and effective responses.
• Employee training: Educating employees on cyber threats and best practices is vital, as human error remains a common cause of incidents. Regular training on phishing, password security, safe internet usage, and security awareness campaigns fosters a culture of vigilance.

Internal audit preventing incidents

It’s difficult to find examples of internal audits preventing cyber security incidents, as “near misses” aren’t publicised. However, successful cyber attacks often highlight how effective audit practices could mitigate or prevent breaches.

In the automotive industry, the 2023 Tesla data breach affected over 75,000 individuals due to an “inside job” by two former employees. This incident underscores the importance of comprehensive employee training, stringent access controls, regular audits, and whistleblower policies to detect unauthorised access and risky behaviour.

In the financial services sector, the March 2017 Equifax data breach, which affected nearly 150 million people, resulted from attackers exploiting IT system vulnerabilities. Additionally, while external attacks are complex to prevent, internal audit teams focusing on robust cyber security measures, data management practices, and internal controls can help detect breaches quickly and ensure swift damage mitigation and notification.

Mailchimp, a provider of email marketing services, has faced numerous data breaches due to social engineering attacks on its employees, resulting in compromised user accounts and customer data exposure. Internal audits should ensure employees receive adequate cyber security training and assess the implementation of two-factor authentication and practical identity management practices. Additionally, policies and systems must be in place to detect and mitigate vulnerabilities swiftly and promptly address breaches.

As technology evolves rapidly, so do the associated risks. Internal audit must adapt its practices and utilise technology advancements, such as AI, data analytics, and machine learning, to proactively identify potential vulnerabilities and predict emerging threats. Internal audit teams capable of foreseeing future risks can provide valuable guidance to management, positioning the organisation optimally to respond to inevitable cyber-attacks.

Author: Ricardo Gameroff, Partner, Kreston BA Argentina, Argentina

Reposted from: https://www.kreston.com/article/internal-audit-in-age-of-cyber-threats/

What is an IPO window?

The IPO window refers to the period when market conditions are favourable for companies to go public. Investor optimism, stable economic conditions, and a receptive stock market characterise it. During this window, companies can achieve higher valuations and receive a warm welcome from investors. Timing the market correctly is crucial, as the window can close due to economic downturns, regulatory changes, or shifts in investor sentiment.

Preparing for the IPO window

Key steps to financial readiness

1. Assemble the right team early

Before embarking on the public path, it’s imperative to gather a team capable of managing the new demands of public company operations, including SEC filings, financial projections, and audits. In an inflationary environment, starting early with the right advisors can save costs and build a strong foundation for your public journey.

2. Enhance financial reporting and compliance

Transitioning to public company standards requires a rigorous approach to financial reporting. Closing the books with precision and preparing for SEC filings demand a level of accuracy and timeliness unfamiliar to most private companies. Implementing software tools and conducting dry runs of reporting processes can smooth the transition.

3. Secure accurate and timely data

For a company preparing to go public, the integrity of its data is paramount. Efficient systems and reliable APIs are crucial for managing the volume of post-IPO data and ensuring accurate forecasting and reporting to the market.

4. Communicate effectively with the market

A successful IPO is not just about the numbers; it’s about telling your company’s story compellingly. Aligning key metrics with the narrative of your business’s current and future success is essential for engaging investors and underwriters.

5. Explore strategic growth opportunities

The period leading up to an IPO is an ideal time to explore growth strategies and cost-saving measures. Balancing the pursuit of growth with the necessity of profitability and positive cash flow is vital in today’s cautious investment climate.

The importance of long-term strategy

“Preparing for an IPO isn’t just about getting it right for day one,” notes Bradley Coleman, underscoring the importance of strategic planning for the days following the IPO. A successful transition to a public entity involves a continuous commitment to strategic growth, operational excellence, and financial integrity.

Conclusion

As the IPO window reopens, the readiness of your company plays a critical role in seizing the opportunities ahead. By focusing on financial fundamentals, strategic planning, and effective communication, businesses can navigate the complexities of going public with confidence. Gary Klintworth’s insights provide a valuable roadmap for companies aiming to thrive in the public market.

Author: Gary Klintworth

Reposted from: https://www.kreston.com/article/ipo-window/

For global networks, dispersed across countries and regions, and composed of independent firms, maintaining consistency and excellence presents unique challenges. A commitment to quality by global and firm leadership is essential to set the standard, demonstrate a tone at the top, and encourage (and require) appropriate behavior.

Critical elements of quality management

1. Culture, culture, culture

Leadership must emphasise the importance of quality at all levels of the network, develop a culture of quality, and communicate expectations for behavior. It must also encourage a culture of continuous improvement. This means creating an environment where staff feel comfortable identifying and reporting problems and where there is a process for addressing those problems.

It also requires those in authority within the firm to “walk the talk” (i.e., “tone from the top”) and not to ignore those who either believe themselves to be exempt from the standards that apply to others, or whose moral compass does not point to true north. Such inaction is very visible to staff and will undermine the effectiveness of a firm’s stated and/or documented policies and procedures, however good they may be.

2. Overcoming resistance to change

For most organisations, global or domestic, resistance to change can hinder the successful implementation of any initiative, including a quality management system. To overcome this, the organisation and its leadership must foster a change management culture by involving stakeholders at all levels and at all stages in the process, providing clear communication about the benefits of the new system(s), and demonstrating its positive impact on quality, firm success ad reputation, and client satisfaction.

3. Standardisation and harmonisation

One of the key factors in promoting effective quality management across a global network of independent firms is the establishment of standardisation and harmonisation protocols. Developing a set of standardised processes, methodologies, and best practices ensures uniformity in service delivery, documentation, and work performance. This can be achieved through the implementation of a global quality management system, which outlines the framework for quality objectives, procedures, and responsibilities. It should also encompass continuous improvement initiatives, regular performance reviews, and quality audits. While non-standardised methodologies and policies can still result in quality performance of services, standardisation permits effective resource sharing, scalability of operations, and consistent documentation frameworks.

In a diverse network of independent firms, there will always be aspects of quality management that need to be firm-specific for maximum effectiveness, but alignment of policies and procedures will often be beneficial and cost effective. The introduction of ISQM1 has helped accelerate this process for global firm networks.

4. Training and development

Investing in comprehensive training and development programs is vital to enhancing the capabilities and competencies of professionals within the network. Providing regular training sessions, workshops, and certifications not only strengthens technical skills but also cultivates a culture of continuous learning. Additionally, sharing knowledge and best practices among member firms through online platforms and collaborative forums fosters innovation and improvement across the network.

A focus on efficiency through these types of training and collaboration initiatives can also indirectly contribute towards audit quality. Streamlining processes and cutting out unnecessary work and/or documentation frees up staff to focus their time and effort on more important (i.e., riskier) matters.

5. Key Performance Indicators (KPI)

KPIs, sometimes known as Audit Quality Indicators (AQIs), play a vital role in measuring and monitoring quality across the network. It is important to define meaningful KPIs that align with the organisation’s overall objectives and values. These indicators should include both qualitative and quantitative metrics, such as client satisfaction ratings, adherence to industry standards, results of inspections or quality reviews, and employee training and development.

6. Client engagement and feedback

Quality management should extend beyond internal processes to include effective client engagement and feedback mechanisms. Regular communication channels should be established to capture client expectations, needs, and satisfaction levels. Implementing client feedback surveys, conducting post-engagement reviews, and actively seeking client input helps identify areas for improvement and enhances client relationships. This feedback loop is crucial for maintaining high-quality services and driving continuous improvement efforts.

7. Technology and automation

Leveraging technology and automation tools plays a vital role in streamlining processes, minimising errors, and maximising efficiency. Implementing next-generation accounting and auditing software systems (including artificial intelligence applications), data analytics tools, and workflow automation platforms can significantly improve the ability to analyze data, reduce work times, and enhance the quality of work performed. For example, dashboarding tools such as Caseware Sherlock can automatically measure and report on KPIs such as time to lock down the file, number of review points raised etc.

Regularly assessing and adopting emerging technologies ensures that the network remains at the forefront of industry advancements and accesses effective and efficient methodologies for performing engagements.

8. Monitoring and review

The network must have a system for monitoring and reviewing the quality of its work. This system should identify areas where improvement is needed and permit the network to take steps to address those areas.

Collaboration and peer review processes foster a culture of accountability and continuous improvement. These encourage cross-firm and cross-border collaboration, and allow firms to learn from one another, share best practices, and review each other’s work. Implementing robust peer review mechanisms helps identify areas for improvement, rectify errors, and ensure adherence to quality standards. The feedback received from these reviews should be used to refine processes, address gaps, and strengthen the overall quality management system.

Whilst the main objective of a global quality review program will always be to ensure that member firms can refer their clients to other member firms with confidence, the program should also aim to provide objective, constructive and friendly advice and recommendations to firms based on the reviewer’s own experience and best practices seen elsewhere within the network.

Constraints and overcoming the challenges

While pursuing quality management objectives, several constraints may arise. Identifying and overcoming these challenges is essential. Here are some common constraints and suggested approaches to overcome them:

1. Geographical and cultural diversity

The global nature of networks may introduce variations in language, cultural practices, and legal frameworks. Overcoming this constraint requires promoting cross-cultural understanding, establishing clear communication channels, and conducting regular cultural training sessions. Adaptation to local regulatory requirements while maintaining global quality standards is also crucial.

While a baseline framework is essential, it must be flexible enough to accommodate variations arising from local regulations, industry practices, and cultural norms. Encouraging local participation in the development of quality standards ensures that the quality management system is adaptable and relevant to different contexts.

Whilst challenging, diversity within the network can also have a positive benefit, providing firms with new perspectives and insights from those firms who take a different approach. Collaborating internationally can generate ideas and ways of thinking that can unlock innovative solutions to problems and challenges.

2. Resource allocation

Unequal distribution of resources and varying levels of expertise among member firms can hinder quality management efforts. Addressing this constraint involves developing resource-sharing mechanisms, fostering collaboration, and conducting knowledge transfers among firms, recognising that when accomplished, the network as a whole is stronger and all benefit. Centralised resource pools, mentorship programs, and secondment (i.e., outsourcing) opportunities can help balance expertise and optimise resource allocation.

3. Compliance and regulatory challenges

Different countries may have different compliance requirements and regulatory frameworks, making it challenging to maintain consistent quality practices. Overcoming this constraint necessitates establishing an understanding for such differences and incorporating them into the design of any quality management system. Standardising core compliance processes while allowing for necessary local adaptations ensures compliance while preserving quality standards.

With a global network also comes the requirements to monitor services provided to clients across the network to minimise the risks of breaches of the independence rules on financial interests, mutuality of interest, and scope of services. This has been a significant emphasis on the part of the largest global firms and their networks, especially as related to their public clients, but it also is important for mid-sise networks and even associations. These risks can be overcome by effective communications among network member firms, awareness of services being provided by member firms, and, as often practiced by the larger global networks, the designation of a lead client relationship partner for the client whose responsibilities include monitoring and improving services to be provided by the network before engagement. Firms have also made significant investments in technology to track global services being provided by member firms.

4. Technology maturity of firms

Unequal technological infrastructure and varying levels of technological maturity can impede effective quality management. Overcoming this constraint involves providing adequate technical support, training, and access to essential technologies, providing standardised tools and systems while allowing flexibility to accommodate local IT infrastructure and preferences. Encouraging knowledge-sharing among member firms regarding technology implementation and providing incentives for adopting new tools can drive technological advancement throughout the network.

Conclusion

Developing, implementing, and enforcing a quality management system for independent firms within a global network is a daunting, yet achievable, task. With the support of senior leadership and the board, and the support and will of the leadership of member firms, however, it is doable – and will maintain and enhance the network’s reputation, protect the public interest, ensure client satisfaction, attract and retain top talent, and build a competitive edge.

[1] Note the recent enforcement actions by the U.S. Public Company Accounting Oversight Board and Securities Exchange Commission, the UK’s Financial Reporting Council, and other regulatory bodies against public accounting firms relating to lapses in their engagement performance and firm-level quality management systems.

Authors: Jenny Reed, Director of Quality and Professional Standards at Kreston Global, and Herbert M. Chain, MBA, CPA (USA), Director, CBIZ Marks Paneth, and Shareholder, Mayer Hoffman McCann P.C.

Reposted from: https://www.kreston.com/article/quality-without-borders-quality-management-in-a-global-network-of-firms/