'Companies remain fundamentally bad at risk management'
by Edmund Tadros
The COVID-19 pandemic has highlighted gaps in the way many organisations deal with risks in their business, especially around cyber security and the internal audit function, according to a risk management expert.
Macquarie University professor Elizabeth Sheedy has also questioned the growing trend of companies outsourcing their internal audit function to consultants instead of using their own staff to carry out this critical policing role.
Professor Sheedy, who is currently writing a book about risk governance, said the COVID-19 downturn showed "companies remain fundamentally bad at risk management".
"Management at all levels are too overconfident. [For example,] COVID is throwing up more cyber risk. Criminals are taking advantage of this by using scams that take advantage of people while they are working at home," she said.
“A crisis of the magnitude of COVID-19 exposes many of the internal issues that have been swept over, and worrying information about a firm’s culture that has not been taken seriously or simply ignored," she said.
"When risk, compliance or internal audit budgets are under pressure, there is a lack of investment in systems, high-quality people resources and their professional development."
On internal auditing, Professor Sheedy says it "can just smell bad" if a consultant is also doing other work for a client while acting as its internal auditor.
Internal auditors are the experts who ensure the non-financial systems within a company operate as expected.
“To me, the amount of outsourcing of internal audit that goes on is surprising," she said.
"There’s obvious advantages in having an internal function so someone who is employed in the company is doing the work and has a stake in its long-term success.
“The problem with an outsourced party is that they don’t bring the same commitment to the company, they are going to cut corners, they are going to try to keep their costs down and they don’t really know the culture."
The independence of Ernst & Young was questioned earlier this month by a Senate committee after partners admitted the firm assessed Alinta Energy's compliance with conditions imposed by the Foreign Investment Review Board while also performing internal audit at the energy company.
Conflict of interest
EY has also carried out internal audit work at ANZ, while advising the bank on multiple projects. The firm has defended its multiple roles at Alinta and ANZ as complying with accounting ethical standards.
Professor Sheedy would not comment directly on EY's internal audit work at either company but said that these types of arrangements made her uncomfortable.
“The conflict of interest is another huge issue here. That’s another reason against outsourcing because of the potential conflicts if the external firm is doing other work as well. It can just smell bad. I’m not comfortable with it," she said.
The CEO of the peak body for internal auditors, the Institute of Internal Auditors in Australia, defended the practice of companies using consultants as internal auditors.
Peter Jones said consultants could act as internal auditors if the role was done with the appropriate safeguards, including ensuring that the consultants did not internally audit work they had performed.
"For example, if an internal audit team is asked to perform a risk assessment, it cannot later provide an opinion on the effectiveness of that work as it would impair their unbiased judgment," Mr Jones said.
Professor Sheedy sits on the Financial Services Committee of the institute, a professional body that also counts partners and employees of the big four consulting firms as members. She has done extensive research into the interaction between risk governance, pay and culture.