Management of privacy & cyber security risks
The current and emerging set of regulations relating to data protection has pushed the internal audit function into the world of cybersecurity. Consequently, it was not surprising to find that 58% of our respondents rate management of privacy and cyber security risks as the most important area of focus for their internal audit plans for 2023.
While cyber fraud has existed since the internet boom, the intensity of its current and emerging forms has led to the wide adoption and strengthening of cyber laws - from only 12 countries with relevant legislation in 2000 to 156 countries that have currently opted for cyber protection laws and codes. Several organizations are finding it extremely challenging to disentangle a growing number of legislative, regulatory and internal requirements in order to demonstrate compliance.
The Information Technology Act of 2000, as amended by the Information Technology Act, 2008 and read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, currently regulates electronic commerce, criminalizes digital and internet crime and establishes a strict data protection and privacy regime for Indian and foreign companies operating in India. While the right to privacy was deemed a basic right under the umbrella of life and liberty in Article 21 of our Constitution by India’s Supreme Court in a landmark decision issued in 2017, it is expected that a new data protection regulation, modelled on the lines of the General Data Protection Regulation will be adopted in India, during calendar year 2023.
In light of the foregoing and with the expectation of enhancement of privacy regulations in 2023, your internal audit function needs to stay informed of these changes and develop a better understanding of potential privacy risks, so it can be more actively involved in identifying appropriate controls to mitigate those risks. It must also be understood that while internal auditors are not expected to be cyber security and data protection experts, they must be aware of the applicable data protection and privacy regulations and take into consideration the adequacy of internal controls and procedures for identifying cybersecurity risks and incidents as part of the design and effectiveness of a company’s disclosure controls, data security policies, plans and procedures.
Consequently, you may consider having your internal audit charter incorporate your organization's risk exposure to cyber-attacks and also determine the extent to which your current security framework has been able to ring-fence your exposure to data leakage.
Management of fraud risks
Predicting the volatility of events that have taken place over the last 3 years was next to impossible - a global pandemic, political polarization, extreme weather conditions, market volatility; and finally, looming fears of yet another pandemic-like situation and another recession.
Unequivocally, no one can accurately state which curveballs lie ahead. However, if there is one element of certainty, it relates to demands from stakeholders for greater transparency, accountability and sustainability from businesses in the period ahead. This brings a sharp focus on the development of an effective internal audit charter for the upcoming financial year - one that can proactively and comprehensively integrate the management of critical fraud risks in delivery.
The Institute of Internal Auditors ('IIA') has, in its International Standards for the professional practice of internal auditing, addressed the internal auditor’s role in detecting, preventing and monitoring fraud risks and addressing those risks in audits and investigations.
By way of reference, these include the following:
- IIA's Standard 1200 on Proficiency and Due Professional Care (1210.A2): This standard requires internal auditors to have sufficient knowledge to evaluate the risk of fraud and the manner in which the fraud prevention program is managed by an organization.
- IIA's Standard 2120 on Risk Management (2120.A2): This standard sets out the expectation from the internal audit team in evaluating the potential for occurrence of fraud and the effectiveness of the organization's fraud risk management framework.
- IIA's Standard 2210 on Engagement Objectives (2210.A2): This standard calls for the internal auditor to consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.
With nearly one-third of the respondents to our poll highlighting the importance of managing fraud risks as part of internal audits, it becomes pertinent to bring to the fore the role and expectations from internal auditors in this context. The IIA has also specified that the internal audit function should not be viewed as an expert, whose primary responsibility is detecting and investigating fraud. We appreciate the practicality of setting this expectation and believe that the internal auditor must be vigilant in terms of sighting signs and possibilities of fraud or fraud risks, which can be taken up for separate investigations by experts if deemed necessary.
With the management and the boards being held responsible for fraud detection, prevention, and reporting, they need to establish clear expectations from the internal audit function and consider supplementing their skills with those of a forensic specialist, as may be required.
Management of environmental, social and governance (‘ESG’) risks
Despite being a fast emerging area for board-level attention, only 11% of the respondents rated management of ESG risks as the top priority in the internal audit agenda for their organizations. While internal audits may not have directly played a part in ESG efforts or reporting, they can serve as a strong line of defence in evaluating an organization's readiness to comply with the existing and emerging ESG reporting guidelines across the globe.
Regulators in many jurisdictions have also increased their focus on ESG risks with initiatives related to climate change, executive pay, diversity and inclusion, working conditions, human trafficking, and product content, among others. These jurisdictions have mandated greater disclosure of sustainability practices and risks, and several major stock exchanges are instituting similar requirements.
ESG considerations can be factored into internal audit approaches in several ways. Standalone reviews can help to highlight policies, controls, and responsibilities with respect to ESG strategies and tactics at specific points of time. More focused ESG reviews can provide a deeper dive into specific ESG areas, such as where stakeholders have heightened concerns or where risk appetite may be low. Internal audits can also adopt an integrated approach, incorporating assessment of ESG risk areas into broader audit plans to provide a pulse check on the business. This approach can help highlight the extent to which ESG-related activities are being identified, considered, and documented throughout the business. Given their broad purview across the enterprise, internal auditors are well placed to assess an organization’s ESG risk from multiple perspectives and help connect the dots.
With best wishes,
Markets team
MGC Global Risk Advisory
About MGC Global Risk Advisory
Recognized as one of the '10 most promising risk advisory services firms' in 2017, as the 'Company of the Year' in 2018 and 2019 (both in the category of risk advisory services), one of the 'Top Exceptional Companies to Work For' in 2020, amongst the 'Top 25 Customer Centric Companies' in 2020 and 'The Consultant of the Year' in 2021 (in the category of risk advisory services); MGC Global is an independent member firm of the US$ 4.6 billion, Atlanta-headquartered Allinial Global.
MGC Global provides services in the areas of enterprise wide risk management, control assessments (SOC, IFCR & SOX), internal audits, process re-engineering, governance frameworks, IT risk advisory, GDPR, cyber security, CxO transformation and forensic services. Our Firm has the capabilities to service its clients through its offices in Bengaluru, Mumbai, NCR; and has service arrangements in all major cities in India.
About Allinial Global
Allinial Global (formerly PKF North America) is currently the world's second-largest member-based association (with collective revenues of approximately USD 4.6 billion) that has dedicated itself to the success of independent accounting and consulting firms since its founding in 1969. It currently has member firms in 99 countries, who have over 26,000 professional staff and over 4,000 partners operating from 688 offices across the globe.
Allinial Global provides its member firms with a broad array of resources and support that benefit both its member firms and their clients in the key impact areas of learning and development, human resources, international outreach, technical support, knowledge-sharing platforms through its specialized communities of practice, marketing resources, information technology and best practices in practice management.