Coronavirus exposes internal auditors to new risks

Internal auditors are facing a host of risks during the COVID-19 pandemic in business continuity, crisis management, cybersecurity and other areas, according to a new report.

The report, released Monday by the Institute of Internal Auditors, follows up on a similar report released last year, and discusses the top 11 risks facing organizations. For the report, the IIA surveyed members of corporate boards, executive management teams and chief audit executives.

The report found that 93 percent of CAEs rated business continuity/crisis management as highly or extremely relevant, compared to 87 percent of board members who ranked those risks as highly or extremely relevant. Far fewer members of the C-suite identified them that way, with only 63 percent describing business continuity/crisis management as highly or extremely relevant. Members of corporate boards and C-suites who responded to the survey rated their level of personal knowledge lowest when it comes to cybersecurity.

Other risks discussed in the report include sustainability, disruptive innovation, economic and political volatility, third-party risks, board information, data governance, talent management, and culture.

“This is the second year we’ve done this survey,” said IIA president and CEO Richard Chambers. “The most revealing headline was that boards thought their organization was in a lot better position to address risk than management. That’s a little bit unsettling.”

This year, the COVID-19 pandemic exposed risks to business continuity and crisis management in particular. “The most revealing insight was that COVID and the aftermath is front and center in how management, boards and auditors are seeing risks in their organizations,” said Chambers. “Business continuity and crisis management are very high on their list of the key risks. Two years don’t make a trend, but it doesn't surprise me that there is closer alignment between management and auditors on the risks their companies are facing. When everybody is focusing on a looming storm, you’re more apt to have agreement. From that standpoint, COVID and the crisis we’re facing with the pandemic has allowed for management and auditors to see risks in much the same way.”

Talent management and innovation are seen as big risks by management. “Management has insights into the risks they face, but I also recognize that management isn’t always forthcoming about the risks they face because it could be a reflection on how well they’re managing,” said Chambers. “You can’t always get a candid assessment.”

That’s why it’s especially important for internal auditors to keep corporate boards informed about such risks. “I’ve always been one who believes that internal auditors can be the eyes and ears for the board when they’re not around,” said Chambers.

Cybersecurity has become even more of a risk for many companies with so many of their employees now working from home, with access to corporate systems available around the clock and few eyes watching other workers in their remote offices. Cybercriminals can also take advantage of the remote access if it’s not secured.

“When the workforce is distributed, people are working from home, and people are not as careful with the data they are sharing,” said Chambers. Cybersecurity also ranked high in last year’s survey, but he sees a clear correlation between COVID-19 and why cybersecurity risks are seen as even higher this year.

The IIA issued the report at a time when many internal audit teams are making their audit plans for next year. “We think it will be very revealing to them and a good source of information as they look at their own risks in their companies,” said Chambers.

Institute of Internal Auditors headquarters in Florida