Setting the 2021 Audit Committee Agenda Protiviti’s recent webinar was attended by over 250 participants, including Board & Audit Committee Members, Chief Audit Executives, C-suite executives and other Management levels across different industries in the MENA region. Protiviti had carried out a recent study to obtain insights from various Board & Audit Committee members on the mandate of the Audit Committee in 2021, which was the subject of the session. Protiviti conducted the webinar in collaboration with: Bahrain Internal Auditors Association; The Institute of Internal Auditors Kuwait; The Institute of Internal Auditors Oman; UAE Internal Auditors Association; and Accountants & Auditors Association UAE Topics Board Matters Internal Audit and Corporate Governance Protiviti acknowledges the support provided by the above organizations in conducting this event. The webinar was moderated by Brian Christensen, a member of Protiviti's Executive Leadership Team and the firm's Global Internal Audit and Financial Advisory Solution leader. The panelists comprised: Mr. Abdulqader Obaid Ali (CEO – Smartworld, UAE); Dr. Khalid Al-Faddagh (Independent Board Member, Kingdom of Saudi Arabia); Mr. Noorur Rahman Abid (Independent Board Member, Kingdom of Bahrain) The webinar kicked off with Brian providing an overview of the 2021 Audit Committee agenda. This was followed by a panel discussion comprising Board Audit Committee Chairmen/Members to discuss audit committees’ agendas, challenges, and opportunities. The key pointers for the Audit Committee to consider on their agenda in 2021 are as follows: Consider shifts in the risk landscape to establish an appropriate business context Work with the CFO to review the finance function’s resiliency Encourage the CFO to function as a strategic partner in addressing cybersecurity, privacy, and other priorities Work with the CAE to formulate appropriate imperatives for internal audit to ensure the function’s continued relevance Address accounting and reporting implications of operational adjustments during the pandemic and recession Assess COVID-19-related impacts on financial reporting assertions Evaluate the pandemic’s near-term and longer-term impacts on the internal control environment Key Takeaways The pandemic, along with the challenges, has ushered in opportunities for organizations Audit Committees are required to be increasingly adaptive to the changes Risk assessments carried out in the pre-pandemic era are no more relevant and require quick and immediate action by the internal audit function to address conduct of audits in the new norm Internal audit to enhance its value proposition by becoming a problem solver, rather than being viewed as a problem finder The importance of the communication between the CAEs and the Audit Committee has grown, with Audit Committees becoming more flexible and giving CAEs to introduce new ideas and mechanisms to carry out internal audits e.g., agile methods of auditing, dynamic risk assessment, next-gen reporting The new norm of remote working brings in new risks to organizations that should be effectively mitigated Unique Challenges with Endless Opportunities The pandemic led organizations to a new paradigm, throwing unique challenges for organizations to overcome. At the same time, the pandemic has ushered in multiple opportunities. Organizations that have been open and willing to accept and adapt to the changes and accept the new opportunities have been successful. Challenges to Audit Committees and Internal Audit functions Lack of skillsets to conduct audits in an automated environment; Rigidity to accept change; Dynamic updates to risk assessments. Opportunities for Internal Audit functions Enhanced role as a problem solver instead of the problem finder; Increased opportunities to play a consulting role to deliver value to management Implications of the Risk profile on the Audit Committee The panelists believed that the pandemic was a black swan event. It brought about new risks and opportunities to organizations. Audit Committees that had a focused and open mind treaded well through the pandemic. However, many Audit Committees across organizations have not reacted as well as they could have. This is the optimum moment for internal audit functions to do a post-event analysis. During this pandemic, Board Audit Committees have become increasingly flexible. In many organizations, CAEs were given full control to assess the risks within the organization an come up with alternatives processes to conduct audit. The pandemic saw the myth of rigidity being broken. Financial resilience – Financial resilience was key during this phase and organizations that were lean and mean suffered most. It was suggested that this is the right opportunity for organizations to perform extreme scenario-based stress tests. The discussion also highlighted that the pandemic has been a wake-up call for audit committees, internal audit functions and organizations as a whole. As opined, Covid-19 is the ‘best thing that happened’ to auditors as it gives them an opportunity introspect and embrace change. Audit Committees and CAEs have learned three important points as a result of the pandemic, namely; Alignment – There is a constant need for alignment between the CAE and the Audit Committees. Well aligned Audit Committee / CAE relationships have been able to tread the pandemic with success and been able to reap opportunities. Effective communication – Effective communication between the CAE and Audit Committee has gained importance. Further coordination and communication between the Internal Audit function and management is of prime importance. Challenges – Auditors were faced with multiple challenges during the pandemic. 99% of original risk assessments were no longer valid. Risk assessments were required to become more dynamic in nature. The pandemic gave internal auditors an enhanced opportunity to play the consulting role and deliver value to the organization. Further, COVID-19 helped organizations become more digital. Organizations where there was effective communication between the internal auditors, risk, compliance, and external auditors, gave the internal auditors a chance to shine. The days of long reports have passed and there is increased interest and need for auditors to provide inputs predictive in nature using analytics. If auditors do not adapt to this change, there is a risk of them losing relevance. 23% of the participants believed that the Audit Committee/ Board/ Management committee discuss emerging and disruptive risks and make changes in the Risk profile every quarter. In contrast, panelists thought that the IA plan should be dynamic and relevant. The panelist indicated the importance of having a dynamic risk assessment process. A point-in-time risk assessment is no more of value to organizations. Cybersecurity and its importance The discussion on the importance of cybersecurity as a key risk for organizations highlighted that cybersecurity remains a huge threat, as any cyberattack not only has financial impact but also reputational loss to the organizations. Cyber incidents have increased substantially in the previous nine months. Organizations need to realize that a one-time mitigation action will not be effective to mitigate this risk. This requires organizations to be active, robust and dynamic. Further, organizations are encouraged to use experts to assess such risks, which are emerging. 38% of the participants believed that organizations are well funded to mitigate cyber threats, provide awareness through various programs, and ensure the importance is understood across the organization, whereas an equal number believed that funding is a constraint, but the threat of cyber risks is fully understood. How are Audit Committees and Boards engaging other key constituents of the organizations such as CIO, CISO? The panelists opined that this is an evolving area. Audit Committees are no longer focused on the audit sphere. There is increased collaboration between audit and risk committees. There are regular joint meetings between these committees which gives an opportunity to assess how effective ERM is in providing effective inputs to the stakeholders. In a well-defined and dynamic ERM system, the CAE and Audit Committee will be the first beneficiary. The COVID-19 situation is a typical crisis management situation for organizations. Further, scenario analyses and stress testing have become increasingly important for the C-Suite, not only the CAE and Audit Committee. These are evolving trends as a result of the crisis. How imperative is it for CAEs to undertake transformation and innovative activities around internal audit? All the panelists concurred that it is imperative for CAEs to embrace technology and change in order to stay relevant. A lot of CAEs have minimal knowledge of a key risk such as cybersecurity risks. This applies to Audit Committees as well. One reason for this situation, is that technology is not their background. Accordingly, they are dependent on experts. Organizations need to spend on enhancing the culture of security in the organization. A key part of this is training people ‘what not to do’. Auditors are required to be multi-talented and tech-savvy. Finance processes are becoming increasingly automated. Auditors who are not open to transformation run the risk of becoming irrelevant. They need to constantly learn and not continue to do the same job, which will threaten their existence. Brian highlighted that, as part of a recent survey conducted by Protivit, 80% of CAEs are behind the digital maturity curve. This is both a challenge and an opportunity. 54% of the participants believed that Internal Audit Department needs improvement to effectively achieve appropriate risk coverage, agile responses to new and emerging risks, and efficient delivery of value-added insights regarding risk culture, risk management capabilities, and internal control environment. Environment, Social and Governance (ESG) is not a hype but a reality ESG is a reality, no more a hype. This has become a condition for assessing investments. Consumers are abandoning products that are not ESG-sensitive. There is increased focus by organizations to assess their carbon footprint and building strategies to improve. Environment impacts are considered as a key factor while assessing projects. It will become part of the fabric of strategy development, a fundamental area in future strategy development. One of the recommendations was that ESG should be considered in the implementation of a product not just for sustainability but also for looking at it from the point that it makes good business sense. 39% of the participants believed that organizations would be considering Environment, Social and Governance (ESG) in their strategy in the next 1 to 2 years as the MENA region follows the ESG trend. Resiliency cannot be stated, it has to be tested. It is not what you say, it is what you do Abdulqader Resilience is like having hardware and software. People is the key factor in successful resilience. Attention to people and personal feelings play an important in an organizations’ ability to sustain Dr. Khalid Engagement with people is important. The more resilient you are, the more you add value, the more you will be relevant Noor Thinking Ahead Dynamic risk assessment and agile audits, adapting to change is the way forward. Cybersecurity remains an important risk for organizations. ESG factors are gaining importance for organizations and are becoming a fundamental factor in strategy development. Internal Audit functions should look at enhancing their value to their organizations by playing a increasingly consulting role. Organizations should consider extreme stress test scenarios to be able to assess the impact of risks and accordingly develop effective mitigation plans. Successful organizations are those that have becoming increasingly collaborative. Increased collaboration between Audit Committees and Risk Committees will benefit the CAEs, the C-Suite and the organization as a whole. Auditors need to transform and embrace technology and digital advancements to stay relevant