More Boards Count on Internal Audit to Identify Risksby
Corporate board members now rank reputational risk an even bigger overall concern than they have in the past three years, according to the sixth annual Concerns About Risks Confronting Boards survey from CPA firm EisnerAmper LLP.
But board members â the strategy-setters for organizations â often take little action to manage various types of risk, and 71 percent of public company directors say they rely on internal audit to identify risks, the survey reveals. The traditional use of internal audit, however, is evolving into âoperational auditâ to monitor overall risks rather than just âthe books.â
While risk management may fall to daily operations, âthere seems to be little happening at the board level to encourage addressing the risks in a more comprehensive fashion,â the survey states.
âReputational risk is a severe threat to all companies, yet responses from board members indicate that reputational risk is so broad in scope â highly impacted by other risks like financial, product, cyber, and more â that it is difficult to sufficiently address and prepare for the many types of reputational threats,â Steven Kreit, an audit partner at EisnerAmper who leads the survey project, said in a prepared statement.
Further, only 6 percent of board members think they have a handle on social media risk, yet social media and cybersecurity are directly tied to company reputations, and boards should consider both among the most important risks to monitor, said EisnerAmper CEO Charly Weinstein.
However, a majority (70 percent) of respondents on public company boards do recognize cybersecurity as a key specific risk.
âIt is becoming increasingly evident how connected reputation, cybersecurity, and social media are in relation to risk,â Weinstein said.
So, where does internal audit enter the picture?
Naturally, the majority of public company board members indicated they have an internal audit function, though 22 percent said they didn't. But almost half of private and not-for-profit organizations said they didn't have an internal audit function.
Many respondents associate âauditâ with the more traditional financial audit and not with company operations. Yet, it's operational internal audit that can cover far more company risks than financial audit, the survey states.
âWhile financial regulation may have dominated many companies' audit concerns for the past decade or two, stemming from headline news like Enron and Madoff, growing operational risk should evolve boardroom discussions to consider the scope of their organizational audits and the need to review operations,â the survey states. âThe new generation of crises may impact financials, but they will likely not originate in âthe books.'â
Terry Sheridan is an award-winning journalist who has covered real estate, mortgage finance, health care, insurance, personal finance, and accounting and taxation issues for newspapers, magazines, and websites. A Chicago native and former South Florida resident, she now lives in New England.