Internal Audit Committee Virtual Meeting 2020

Day 1 – September 29, 2020

U.S. Securities and Exchange Commission and the PCAOB Updates and Enforcement Trends - Darren DeStefano, Partner, Cooley discussed SEC Rules regarding control as well as recent PCAOB observations on remote work; increased auditor communications; and enterprise risk management and culture. He also highlighted COVID-19 legal risks and securities disclosure and trends.

• SEC Guidance Topic 9 - COVID-19 (March 25, 2020) and SEC Guidance Topic 9A - COVID-19 Disclosure Considerations Regarding Operations, Liquidity and Capital Resources (June 23, 2020) are “essential reading” for SEC reporting during 2020. 

• The SEC and multiple external parties are keenly focused on the behaviors and responses of public companies to the COVID-19 pandemic. Disclosures and actions will be evaluated with the benefit of 20/20 hindsight.

• BEST PRACTICE TIPS -

  • Management should proactively identify and monitor COVID-19 risks, including government orders and legislation, with acute focus on new and evolving “mission critical risks.”
  • Companies should consider best practices designed to protect the health and safety of employees, customers, and vendors.
  • Risk “red flags” should be raised to the Board or Audit Committee and meeting discussion topics well-documented.

• COVID-19 has significantly accelerated adoption of remote risk analytics.

• BEST PRACTICE TIP - Factors and observations to consider when using a “virtual  audit”:

  • Updating risk assessment,
  • Consider any history of control deficiencies related to inventory counts or other controls over inventory quantities when factoring totals,
  • Technological abilities and reliability, and
  • Effectiveness of virtual observations of facilities.

Auditing the Cloud: Framework and Challenges- Ivor O’Neill, Director, KPMG detailed how retailers are increasingly relying upon a variety of cloud services to support critical retail operations. Retail internal audit teams are challenged to help companies identify, monitor, and manage cloud-related risks.

• BEST PRACTICE TIP - Eight (8) key cloud audits risk considerations:

  1. Organization Strategy and Architecture,
  2. Information Security,
  3. Data Governance,
  4. Governance, Risk and Compliance Management,
  5. Availability and Continuity,
  6. Tech Operations,
  7. Vendor Management, and
  8. Business Operations.

Cultural Audit Frameworks - Sarah Martin, Chief Audit Executive, Abercrombie & Fitch Martin discussed the process for developing a cultural audit framework and how it can be used to identify and prioritize audits of key components.

• BEST PRACTICE TIP - Key pillars of a comprehensive cultural audit should include:

  • Leadership Action,
  • Communication,
  • People Practices,
  • External Environment, and
  • Organizational Design.

Day 2 – October 6, 2020

Privacy and Cyber /Data Protection Through an Internal Audit Lens Privacy and Cyber/Data Protections – A panel of EY experts, Angela Saverice-Rohan, Americas Privacy Leader, Mindy Dragisich, Partner, Adam Wright, Managing Director, Advisory Services, detailed how the current COVID pandemic has accelerated cybersecurity and privacy risks, including data collection, data processing, sale of data, third-party service providers, data requests, data accuracy, emerging risks, data security, and data privacy notices.

• BEST PRACTICE TIP - Retail internal auditors can leverage external cybersecurity and privacy frameworks (e.g., NIST Cybersecurity Framework, NIST Privacy Framework,  2013 COSO Framework & SOX Compliance) as starting points to develop or evaluate a company cybersecurity and privacy risk framework. 

Reimaging the Audit Function, Getting by with Less: Effective Use of Scrum Agile – A Deloitte team comprised of Kate Ferrara, Advisory Principal, Burke Willis, Advisory Senior Manager, Collin Loomis, Advisory Senior Manager, Lauren Shaw, Advisory Senior Manager, discussed how retail internal audit teams can effectively use iterative scrum agile auditing.

• BEST PRACTICE TIP - There are four (4) agile values to keep in mind when conducting scrum audits:

  1. Individuals and interactions over processes and procedures,
  2. Business impact over comprehension documentation,
  3. Customer collaboration over negotiating findings, and
  4. Responding to change over following a plan.

Retail Internal Audit's Role in Environmental, Social & Governance (ESG) Reporting – Bob Hesselgesser, Partner, Carolyn Holcomb, Partner, and Richard Gilchrist, Sustainability Director, PWC highlighted how in response to increased demands for transparency, activist investors and investment advising firms, as well as recent high-profile company scandals and compliance issues, companies are redefining their corporate values, business goals and priorities to include ESG.

• BEST PRACTICE TIP – Leading retailers are using their internal audit teams and data analytics to develop comprehensive, fact-based narratives detailing their companies’ ESG goals, metrics, performance, and business impact.

Each meeting day, members engaged in robust peer-to-peer benchmarking sessions sharing experiences, challenges, hurdles and successes on selected topics: Internal Audit Department Operations, Audit Plans and Risk Assessments, and COVID-19 and Remote Work-Related Issues. Using virtual platform technology, members were able to rekindle long standing relationships as well as start building new ones.

For more information on RILA’s Internal Audit Committee, please contact Kathleen McGuigan, EVP & Deputy GC at kathleen.mcguigan@rila.org or Tom Casey, VP Legal Affairs at tom.casey@rila.org.

Tags

• Finance
• Legal Affairs & Compliance