The document outlines emerging risks and focus areas for internal audit across several topics:
1) Cybersecurity risks include basics not being covered, lack of policies, confusing compliance with security, human errors, and constantly evolving threats. Internal audit should assess frameworks, response plans, and third-party providers.
2) Third-party risks include operational, compliance, reputation, strategic, and credit risks. Internal audit should evaluate methodologies for identifying risks, provide oversight of management programs, and conduct risk-based reviews.
3) Other risks covered include product security, tax reform, mergers and acquisitions, anti-bribery, data governance, and intellectual property protection. Internal audit can help assess controls and compliance across
4. Cybersecurity Risks
Failure to cover cybersecurity basics.
Lack of Cybersecurity Policy
Confusing compliance with Cybersecurity
The Human factor – the weakest link
Bring your own device (BYOD) & the Cloud
Lack of Security training
Constantly evolving risks
5. Focus Area for Internal Audit
Top-down risk assessment using industry as a guide.
Review existing processes and controls.
Review the organization’s cybersecurity framework with regulatory expectations.
Assess implementations of revised technology security models.
Evaluate the organization’s security incident response and communications plans.
Assess third-party security providers.
8. Focus Area for Internal Audit
Evaluating the methodology the organization uses to identify third parties, including segmentation and classification, and the risks associated with them.
Providing insight and feedback on the organization’s third-party management program, including vetting, due diligence and monitoring.
Executing risk-based third-party reviews that include procedures tailored to address the specific risks a third party presents.
Investigating anomalies identified as a result of the organization’s third-party vetting process.
11. Focus Area for Internal Audit
Evaluate encryption processes for at-rest and in-motion content, leveraging industry standards as a guide.
Analyze role-based product access policies to help ensure compliance with regulations.
Top-down risk assessment of vulnerable OS, database, and application-level ports.
Evaluate the regulatory compliance of each product.
Assess existing product continual monitoring and effective logging processes.
13. BEPS & Global Tax Reform Risks
Global tax expense and effective tax rate volatility due to rapid and significant change in international tax norms.
Reputational damage to the organization due to new regulatory requirements for enhanced tax transparency and country-by-country reporting.
Tax compliance risk related to the proliferation of anti-BEPS regulatory requirements across multiple countries.
14. Focus Area for Internal Audit
Assist the company and its tax function in preparing a BEPS readiness assessment and developing an action plan.
Advise on the enhancement or development of a corporate tax code of conduct and supporting tax controls.
Assess the company’s readiness for compliance with the array of transparency measures.
Evaluate the effectiveness of automated compliance programs for tax transparency reporting and enhanced transfer pricing documentation.
16. M&A Risks
Failing to move the discovery process along expeditiously.
Poor due diligence.
Absence of security over information.
Paying substantially more than the fair value.
Failure to create focus during the integration process and to involve front-line operating personnel.
Lack of transparency during the integration process.
17. Focus Area for Internal Audit
Perform “post mortem” reviews on prior deals or divestitures to assess the effectiveness of procedures and playbooks.
Assess adherence to accounting and internal control due diligence checklists that address key deal areas (e.g., quality of earnings and assets, cash flows, unrecorded liabilities).
Understand the communication processes between finance, internal audit, and deal teams to assess the control implications of executing business process change during active integrations or divestitures.
Conduct a project risk assessment review of the business integration or divestiture process, focusing on potential risks, integration success metrics, and information systems.
20. Focus Area for Internal Audit
Support management in designing a global anti-bribery compliance strategy.
Update internal audit programs to ensure they contain suitable anti-bribery and corruption procedures.
Facilitate management’s bribery and corruption risk assessment activities.
Collaborate with the business and other compliance teams on awareness and education campaigns, especially on a global scale.
Enhance existing anti-bribery and corruption programs, including third-party risk management, due diligence, and advanced data analytics.
Assist the company to help ensure it meets the requirements and guidance provided by the Department of Justice.
23. Focus Area for Internal Audit
Guide third-party risk assessment and compliance specifically related to IP agreements with third parties.
Conduct a process, gap and risk assessment of the internal IP process as it relates to the IP lifecycle.
Aid with the drafting of consistent compliance standards and, once approved, communicate these to relevant individuals through a training and awareness program.
Assist with the implementation of controls to help improve the integrity and security of critical business data.
Perform an audit of IT access and security around the company’s IP to determine whether any potential areas of risk are present.
25. Focus Area for Internal Audit
Risks of data leaks.
IP strategy not aligned with the product strategy.
IP management processes not aligned with compliance requirements.
Higher costs due to errors and litigation.
Buy-or-create IP cost difference risk.
Obsolescence risks.
26. Focus Area for Internal Audit
Perform an audit of IT access and security around the technology company’s IP.
Assist with the implementation of controls to help improve the integrity and security of critical business data.
Aid with the drafting of consistent compliance standards.
Conduct a process, gap and risk assessment of the internal IP process as it relates to the IP lifecycle.
Guide third-party risk assessment and compliance specifically related to IP agreements with third parties.