RILA recently hosted its 2020 Annual Internal Audit Committee Meeting. Due to the COVID-19 pandemic, the meeting was held virtually for the first time. To accommodate the overall content and the member participants’ schedules, the virtual meeting was split into two parts: Part 1 (September 29, 2020) and Part 2 (October 6, 2020). Industry and retail experts spoke on seven (7) key retail internal audit topics over the two-day meeting.
Day 1 – September 29, 2020
U.S. Securities and Exchange Commission and the PCAOB Updates and Enforcement Trends - Darren DeStefano, Partner, Cooley, discussed SEC rules regarding control as well as recent PCAOB observations on remote work, increased auditor communications, and enterprise risk management and culture. He also highlighted COVID-19 legal risks and securities disclosure trends.
- SEC Guidance Topic 9 - COVID-19 (March 25, 2020) and SEC Guidance Topic 9A - COVID-19 Disclosure Considerations Regarding Operations, Liquidity and Capital Resources (June 23, 2020) are “essential reading” for SEC reporting during 2020.
- The SEC and multiple external parties are keenly focused on the behaviors and responses of public companies to the COVID-19 pandemic. Disclosures and actions will be evaluated with the benefit of 20/20 hindsight.
- BEST PRACTICE TIPS -
  - Management should proactively identify and monitor COVID-19 risks, including government orders and legislation, with acute focus on new and evolving “mission critical risks.”
  - Companies should consider best practices designed to protect the health and safety of employees, customers, and vendors.
  - Risk “red flags” should be raised to the Board or Audit Committee, and meeting discussion topics should be well documented.
- COVID-19 has significantly accelerated adoption of remote risk analytics.
- BEST PRACTICE TIP - Factors and observations to consider when using a “virtual audit”:
  - Updating the risk assessment,
  - Considering any history of control deficiencies related to inventory counts or other controls over inventory quantities when factoring totals,
  - Technological abilities and reliability, and
  - Effectiveness of virtual observations of facilities.
- BEST PRACTICE TIP - Eight (8) key cloud audit risk considerations:
  - Organization Strategy and Architecture,
  - Information Security,
  - Data Governance,
  - Governance, Risk and Compliance Management,
  - Availability and Continuity,
  - Tech Operations,
  - Vendor Management, and
  - Business Operations.
- BEST PRACTICE TIP - Key pillars of a comprehensive cultural audit should include:
  - Leadership Action,
  - People Practices,
  - External Environment, and
  - Organizational Design.
Day 2 – October 6, 2020
Privacy and Cyber/Data Protection Through an Internal Audit Lens – A panel of EY experts, Angela Saverice-Rohan, Americas Privacy Leader; Mindy Dragisich, Partner; and Adam Wright, Managing Director, Advisory Services, detailed how the current COVID pandemic has accelerated cybersecurity and privacy risks, including data collection, data processing, sale of data, third-party service providers, data requests, data accuracy, emerging risks, data security, and data privacy notices.
- BEST PRACTICE TIP - Retail internal auditors can leverage external cybersecurity and privacy frameworks (e.g., NIST Cybersecurity Framework, NIST Privacy Framework, 2013 COSO Framework & SOX Compliance) as starting points to develop or evaluate a company cybersecurity and privacy risk framework.
- BEST PRACTICE TIP - There are four (4) agile values to keep in mind when conducting scrum audits:
  - Individuals and interactions over processes and procedures,
  - Business impact over comprehensive documentation,
  - Customer collaboration over negotiating findings, and
  - Responding to change over following a plan.
- BEST PRACTICE TIP – Leading retailers are using their internal audit teams and data analytics to develop comprehensive, fact-based narratives detailing their companies’ ESG goals, metrics, performance, and business impact.
For more information on RILA’s Internal Audit Committee, please contact Kathleen McGuigan, EVP & Deputy GC at firstname.lastname@example.org or Tom Casey, VP Legal Affairs at email@example.com.