We live in a time of change. Digitization, machine learning, the Internet of Things – all of these are causing absolutely all companies to reconsider risks, take measures to adapt internal control systems and improve approaches to internal audit.
According to the annual Global Risk Management Survey in the Banking Sector, in 2019, for the third year in a row, companies ranked information security risks as the top priority for their operations, surpassing even the financial risks inherent in the banking sector.
Four years have passed since the first study by experts in the field of internal audit, internal control, risk management and compliance in government-owned companies, and it has been marked by perhaps the most significant changes in these areas in the last decade and possibly since the beginning the 2000s:
- Regulation is getting stricter. The state is paying more and more attention to tools that make it possible, through risk management, effective internal control, internal audit and compliance, to improve management efficiency in state-owned enterprises, improve their financial and economic activities and gain reasonable confidence in the achievement create your goals.
- The methodological basis is constantly being improved.
In this study, we present a comparative analysis of the current degree of organization of internal audit, internal control, risk management and compliance in state-owned companies, considering the metrics from 2015 (when the first study on this topic was published) as up-to-date development trends in these areas, as well as the requirements of regulators and standards, some of which have been published or updated since the publication of the first study.
The study included companies in which the state holds more than 50% of the share capital, as well as controlled companies. The companies surveyed represent various sectors of the economy, notably oil and gas, transportation, electricity, telecommunications, banking and other industries.
The results of the study showed that the degree of participation of the board of directors of state-owned companies in internal audit activities is at a fairly high level.
Boards of Directors Involvement in Internal Audit Activities of the companies that responded to the survey note that the Board of Directors approves a candidate for the position of chief internal auditor, approves and also reviews the annual internal audit activity plan the activity report of the internal audit at regular intervals.
Organizations are increasingly relying on internal audit to gain the greatest possible insight into a variety of emerging risks.
The automation of internal audit processes still leaves a lot to be desired, but a significant proportion of those surveyed stated that their companies want to introduce modern methods of automation and digitization in the foreseeable future.
New areas are regularly added that are included in the perimeter of internal auditing that many companies would not even have thought of 5-10 years ago. Today, more than half of companies conduct business continuity audits, strategic initiative audits, and sustainability audits.
One of the vectors for the development of internal audit is its transformation into a continuous process, which makes it possible to monitor indicators and track changes in the company’s processes in order to respond to them in a timely manner. The introduction of data analysis and reporting visualization tools significantly reduces the time spent conducting audit procedures, as well as preparing and submitting reports on the results of audits to stakeholders, and the use of robotic tools (RPA) in test procedures can enable the overall Test population in 24/7 mode. Tracked trends incl. In this study they say that over time the number of audits will increase and their duration will decrease. Today, three out of four companies conduct fewer than 50 audits per year, and the duration of the audits varies between 5 and 10 weeks for more than half of the companies surveyed.
Risk Management and Internal Control
The Board’s involvement in risk management issues underscores the importance of considering risk when making important decisions. The survey found that in three out of four companies the board of directors or an authorized committee of the board of directors regularly reviews risk management reporting, and in about two out of three companies the board of directors or an authorized committee also regularly reviews and approves the risk register and the board of directors Results of the effectiveness assessment of the risk management system.
One in two companies has an approach to identifying and revising risk appetite, the value of which is approved at the board level in just under half of companies.
The results of the study showed that in a small part of the companies, statistics are still available for a fully-fledged quantitative risk assessment and therefore most companies mainly use qualitative risk assessment methods.