Ideagen Insights

S1EP5 - Internal Audit and the Risk of Regulatory Change

Ideagen plc Season 1 Episode 5

Welcome to Ideagen Insights, Ideagen’s official Podcast Channel. In this series, we are focussing on the biggest issues faced by Internal Auditors across Europe and North America in the past year. In our fifth episode, Stephanie is joined by Gordon McKeown, Head of Product for Audit, Risk and Compliance at Ideagen, to discuss Internal Audit and the Risk of Regulatory Change.

Join Gordon and Stephanie as they discuss:

  • The impact of COVID-19 on regulation
  • The dangers of slackening off on regulatory obligation
  • The importance of maintaining anti-money laundering and anti-trust laws
  • How the Three Lines of Defence can protect businesses against the risk of regulatory compliance failings

Stephanie Jones  0:00 
Hi everyone and welcome to Ideagen's official Podcast Series focusing on the biggest issues facing internal auditors across Europe and North America in 2020. My name is Stephanie Jones and I am the product manager for Pentana Audit here at Ideagen. In each of these episodes, we look at a specific topic identified as a key business risk by European and American chapters of the Institute of Internal Auditors, and evaluate the impact that these risks will have on internal audit departments as they work with their organisation to recover and rebuild after COVID-19 and also help put in place a strategy that minimises the effects of any unforeseen future risk events. This is our final episode of the 2020 series, and I'd like to thank all of you listeners for tuning in to our podcast this year. And joining me here today on this podcast is my direct manager Gordon. Gordon, could you please introduce yourself and your role here at Ideagen?

Gordon McKeown  1:05 
Hi, Stephanie. Yep, I am Gordon McKeown, I am head of product for audit, risk and compliance solutions at Ideagen. Been here for six years, and really enjoyed working with you during that time. And I love these podcasts! So, pretty excited to actually participate in one.

Stephanie Jones  1:25 
Thank you so much, I think we saved the best for last! All right, so at the start of the year, regulatory change was high on the priority list of Chief Audit Executives in both Europe and the US, and was identified as being a top risk to their organisation in 2020. Of course, since then, the world has completely transformed as we all know - priorities have massively shifted, and regulators are providing some temporary relief and supervisory forbearance in a number of areas. So, how cautious do you think internal audit should be of businesses taking this as a sign that they can maybe relax some of their regulatory compliance efforts?

Gordon McKeown  2:08 
It's a big question and a great question. But, you know, first of all, I'll come right up front and say, I don't really like the language of "regulatory burden". Yeah, I agree that, you know, regulatory risk is one of the- it's always a top three risk these days for, you know, senior execs and board members. And the risk of non-compliance with legal regulations is, you know, it's as much a risk for any organisation as the risk of being caught speeding in our cars is for any of us, as individuals. But, the thing about regulation is that it's part of the rule of law, and therefore, it's actually a really good thing. So I don't think it should ever be seen or talked about as a necessary evil or a chore. I know, that's the language that's often used.

But, you know, here at Ideagen, we have customers all over the world, in, you know, in some places that aren't necessarily as safe as the country that we're fortunate enough to be in. And where auditors and compliance officers, quite literally, you know, risk their lives to promote and enforce ethical behaviour; sometimes in a climate or culture that's corrupt. And, you know, where criminality is involved. So, yeah, I think regulation is part of the rule of law. It protects us from harm: harm to the environment, personal harm through health and safety regulations. You know, in the last decade, financial services regulation has matured greatly to protect the economy and to help industry to thrive. So, yeah, it's good to be good.

And to address your question, you know, should we consider that the relaxation we've seen during the past year is likely to continue? No, I doubt it very much. I think more to the point it should be seen as - we should be looking at any slackening off as an opportunity to get our houses in order and, you know, to focus on compliance systems and the management of our controls.

Stephanie Jones  4:37 
Yes, that's a very good point, Gordon. And I think that as more time has gone on in 2020, and this year, that maybe at first, no one really knew what to expect. And it's not like we know what to expect now, but at first, it was such a shock. The pandemic was such a shock - people were starting to work from home, schools were closed, everything was cancelled - maybe some of that temporary relief might have made more sense. But as more time is going on, you're exactly right; those regulations are there for a reason.

And so as more time is going on, and we're getting used to this new normal and still unexpected normal, but as time is going on, I think that we need to make sure and take this as an opportunity to, like you said, get our house in order. This year has certainly been one where it's given everyone a chance to kind of look at things maybe in a new light, and the same can be applied to regulation as well.

Gordon McKeown  5:36 
Totally. In fact, working from home, you know, it's interesting that you mentioned that as one of the specific- as one of the big effects of the pandemic. But it's, you know, it's increased the level of hazard in various areas. You know, in terms of even, you know, health and safety, but especially around ethics and conduct. You know, so home is not a controlled environment in the way that an office is. And we can often forget that we are actually at work and in a professional context when we're, you know, sitting in the snug or the kitchen or the back bedroom or wherever.

Surveillance is quite a heavy word, but you know, surveillance of transactions, for example, and communications in a financial services context are challenged, difficult. So, for example, you know, you and I are on a Teams call right now, yeah? And we're about 4000 miles- it's amazing, the technology, isn't it? I mean, one of the things that we've, you know, just talked about a lot with customers is how, you know, fortunate we are that we have the technology that we do to continue our work. But, we're on a Teams call. And, you know, we're talking about one thing and another, but I could be holding, you know, there's a video link, and I could be holding up a message that is completely at odds with what I'm saying.

Now, that's kind of a humorous idea in the context of this podcast, but what if I was your banker, or your stockbroker, you know? And we're talking about a particular transaction. My employer doesn't necessarily know that I'm, you know, holding something up that's, you know, telling you to, you know, buy this or that or whatever.

A related subject is, you know, many young people who work in say, banks or, you know, other financial services businesses, work in expensive places like the City of London, where they may be, you know, house-share with other colleagues who perhaps work at other organisations. So the whole area of confidentiality is also very challenged.

Stephanie Jones  7:49 
And that's a very good point, Gordon. And even prior to this year, and all that has been a part of this year, looking at the Risk in Focus report for 2020, which came out in late 2019. Even at that point, nearly one third of those interviewed said that anti-money laundering, anti-bribery, corruption, anti-trust and kind of what you're going- what you were leading into - just some of that corruption, even prior to this year, that was still an area of particular concern for their business.

So now, of course, this year has brought on all different kinds of other issues as well. But why do you think this is so high priority these days? And what do you think that internal audit can do to help support companies when it comes to these areas of concern?

Gordon McKeown  8:46 
Well, why are these high priority areas? Well, I think any area of regulation becomes high priority, because often there's public awareness, and therefore, you know, political attention, and for good reason. So, you know, let's talk about money laundering first, you know, why is it a high priority? Because there's been a lot of crime committed, you know, in the last couple of decades. There are - we touched on it earlier - there are countries around the world, in particular, in Africa, Central Asia, former Soviet Union, where you see quite a bit of corruption. You get dual systems that, you know, there's certainly, upfront there's a normative state where the rule of law appears to apply but you also get so-called prerogative states where you know, where individuals/officials are above the law. You get gangsters, you get bad behaviour from oligarchs, and so on. And when the assets of the state are stripped, are looted, the next thing the looters do is they need to move their ill-gotten gains to a safe place in the West where the rule of law does apply and where that property will be protected. The challenge they have is they need to launder it through front companies, real estate deals, or, you know, offshore shelters. And to do that they need the help of specialist banks and investment professionals.

So, sadly, as we know, London, New York, you know, these cities have been centres of this activity, or locations where it's taken place in the last couple of decades. And that's entered popular culture. I'm not saying anything that we don't know. You know, there have been high profile prosecutions, there have been scandals, there have been, you know, banks that have been around for 150 years have gone to the wall, huge fines have been handed out, and you know, the media is full of this. I mean, if you look at the work of people like Tom Burgis at the FT you know, he's written a couple of fantastic books about money laundering which I would recommend: The Looting of Africa is one, Kleptopia is another. And there's, you know, Misha Glenny and McMafia, you know, everyone's seen that.

So this is really high profile, and justly so, because it's a big problem. So, the FCA and the PRA rules on, you know, knowing your customer, anti money laundering, combating the financing of terror, terrorism - these are really important elements of the rule of law. And it's right that they're high profile, and it's right that they are enforced vigorously.

Stephanie Jones  11:35 
Yes, I definitely agree, Gordon. And the fines are certainly increasing, both in number and in volume. So,

Gordon McKeown  11:45 
Yeah, I mean, completely. Yeah. Yeah. I mean, you mentioned antitrust, as well. Sorry, I didn't address it. But, you know, the fines are colossal in that area. I mean, you know, last year, Google was fined what, 5 billion by the EU? Qualcomm - I think it was around about a billion in the same year for the kind of the, the chip supply locking up thing that they did with Apple. You also had, you know, drugs companies like Servier - half a billion for you know, delaying market entry. Telefonica, Microsoft, Busch, the brewer last year in Belgium.

And another interesting thing is China's signalling its intention to be more rigorous and stringent around regulation, like, you know, the big thing last month around the last minute stopping of the Ant IPO, and you saw the effect that that had on, you know, the market capitalisation of some of China's biggest companies like Alibaba and Tencent - it was huge, you know, so, antitrust is very current, and very big.

You know what, it's gonna be even bigger and even more significant next year, when you see the catastrophe that the pandemic has inflicted, you know, on industry, and certain industries, for example, retail, makes some organisations even more powerful than they were before in their, you know, apparent monopsonies and cornering of certain industries. So, it's definitely a very significant risk for those organisations, and it's, you know, set to increase, I would say.

Stephanie Jones  13:39 
Absolutely agree. So, what do you think internal audit and compliance teams can do to work together to help mitigate this risk that we're talking about? You know, how can internal audit support their organisations and compliance support their organisations in having their organisations be prepared to address these regulations that come up or that have already come up? Or maybe after fines have been levied against them?

Gordon McKeown  14:06 
Well, I mean, dare I say it - it's our old friend the Three Lines of Defence? Good operational risk management processes and structures. What we find in talking to our customers during the past year, is that those who had just good hygiene, good practice in operational risk management, were able to react faster.

So I guess up front, it made them more robust. But then they were also able to recover more rapidly. They were more resilient. In terms of things like business continuity, and, you know, identifying what the threats from the pandemic really were early on, like, for example, all our staff are going to have to work from home. Are we equipped for that? Do we have the right infrastructure? Can we deal with that logistically? Taking a risk-based approach to that seems to have been quite effective for some organisations.

So that's, you know, the ORM piece of it - the audit team can be supportive of that in, certainly in a risk advisory capability, but also, when the landscape has changed, the response to that risk means that we change the way we do business - that then needs to be controlled. And, you know, it's the audit of that control structure, that control universe, that is where the audit team can really add value as well.

Stephanie Jones  15:50 
I agree. And I think that's sometimes challenging for internal audit teams and compliance teams to know where that line is drawn. Internal Audit is not responsible for the company's compliance, it's really the job of the compliance team to do that, because they're the second line, like you mentioned, but what internal audit can do is really get that evidence that compliance is addressing risks and new regulations that might come in, how are they handling that? What is happening? How are they making sure that the house is in order like you mentioned before.

Gordon McKeown  16:27 
Yeah, I mean, we've talked about that before. In fact, I think we did a white paper about it at one point - 'who owns enterprise risk'. And certainly in organisations where there's maybe not a Chief Risk Officer, but there is an audit team, that kind of risk oriented professionalism adds huge value.

Stephanie Jones  16:51 
Yes. And I saw in the Risk in Focus report, and you likely saw this as well, Gordon, that firms can spend up to 10% of their annual revenue on compliance. And it's so high, because obviously, there's especially for global companies, there's a lot of maybe divergent regulation. So one, you know, one part of the organisation needs to worry about how you handle regulations in one area of the world, and then another area of the world might be very different. So it costs a lot to maintain that. And those costs might include things like having a separate compliance department, and also the software that goes along with it.

And I think that's really where Ideagen can help out. You know, we have software that can be used to help manage those risks. So when you think about the personnel required to manage all of this compliance function, how can companies like Ideagen help to provide those efficiencies and provide them with the tools that they need so they're not spending hours and hours and hundreds of hours on manual processes and managing it that way?

Gordon McKeown  18:06 
First of all, I would go back to something I said earlier, which is, you know, it's good to be good. You know, and compliance is something that you get better at. So, you know, the big benefits of compliance, you know, aside from avoiding, you know, the pratfalls of non-compliance, are around efficiencies. You know, the better you get at compliance, the more it drives efficiency in the business. You know, compliance is about taking a risk based approach to governance in whatever the area of compliance is, you know, whether it's health and safety or conduct or environmental hygiene, it's the golden thread, you know, it's a path to operational excellence, you get your strategy implemented, you know, the board and the executive gets visibility through the organisation of the, you know, the processes that are implementing their strategy.

So, your processes and your policies improve, and ultimately, you get better at execution, doing whatever it is the organisation does. And, you know, it also feeds into reputation and brand and that's not just with your customers, but also your staff. I mean, people don't want to buy goods and services from or work for organisations associated with pollution or corner cutting or safety or lack of privacy. So, you know, compliance. It's not a necessary evil, you know, it's a real path to operational excellence.

Okay, so your question was really, you know, how should you approach mitigating the risk of regulatory change because it's not just that there is a large amount of regulation. Part of the problem is that it's a moving target - it's constantly changing. Well, okay, what I said before, good operational risk management structures and processes. Absolutely, that's fundamental. But, you know, we think a lot about dynamic compliance with our customers. And it's dynamic, because it's about monitoring regulations - the regulations that affect your organisation, monitoring those for change, and then adjusting your policies and your management controls in accordance with those changes.

You know, it's kind of a form of situational awareness, which is fundamental in risk management. One of the things that you can do is you can subscribe to a respective regulatory digest of requirements. So, for example, we have a product called Q-Pulse Law - it's a subscription service for environmental regulatory requirements across I think we're way past 100 jurisdictions now. And that's kind of a comprehensive view of environmental regulatory obligations. We're also about to launch a conduct and ethics requirements service together with our partner, JWG. That's initially going to cover accountability regimes, you know, SMCR, and training and competency in the UK, but also, you know, Singapore, BEAR in Australia, Hong Kong, and Ireland. So that will provide to our customers real time awareness of any changes in those regulations. Because you know, our customers are using our control solutions like Pentana Compliance in order to manage their compliance with those regulations. So it's an extra layer of value that we believe we will provide them with.

Stephanie Jones  22:02 
Yes, I agree completely. And thank you, you bring up some very good points and a good resource to stay on top of that. I think we can both agree, we're certainly living in an era of globalisation, like we've talked about, and regulation is changing to suit this current state of being in a more globalised world. So what do you think that internal audit can do specifically to deal with the sometimes conflicting nature of regulations and laws, given the fact that this is a global environment?

Gordon McKeown  22:34 
Well, the obvious answer is, you know, audit is the third line of defence - as such, take a global view. And a big part of that global view is protecting your organisation from crimes that are committed in, or you know, misdemeanours in another jurisdiction. So, increasingly, we're working for globalised organisations, right? And our organisations are beholden in whatever jurisdiction they're operating to local, financial, environmental health and safety regulations and so on. So, you know, couldn't help but notice, recently, I think last month, Goldman Sachs' Asian subsidiary was fined by the Hong Kong regulator, the Securities and Futures Commission, for acts that took place in Malaysia. For the same thing, they were also fined in the United States. And I think that the fine there was nearly $4 billion. So, that's a global organisation that you know, has sustained damage because of activities of some staff in a subsidiary of a subsidiary really.

So, how can an internal audit organisation help protect a globalised organisation from that kind of thing? Back to risk management: the golden thread, your risk universe, the audit universe is global. It's not just local. It's about risks and controls, but also entities and having a globalised audit universe. So the control structure and the audit universe spans the jurisdictions that apply. And you know, let's stick with that example of banking, you know, as accountability and ethics is going global, which it absolutely is, an organisation needs a mature, globalised approach to risk management that encompasses the controls for conduct and competence and, you know, like we just talked about, a dynamic approach to compliance that monitors and tracks the changes in the local regulations. But you know, when you step back from this, you know, these are foundations for an audit team that can be built upon to create a culture of doing the right thing, regardless of where.

It comes back to culture, almost always. Culture, reputation and brand. You know, and at that point, compliance, corporate culture and overall business strategy are completely aligned. And, you know, if you have a culture of excellence and ethical behaviour, then yes, you do need to track local regulations, but you're, you know, if you're auditing for those kind of universal behaviours of doing the right thing, then you're off to a good start.

Stephanie Jones  25:50 
Yes, I agree that it really boils down to that. And if that's in place, if that culture is in place, starting at the top, and filtering its way down, then it makes all of this, it ties everything together and makes staying on top of this regulatory, you know, the fines and things that could come as a result of bad behaviour, if that culture is in place of doing the right thing. Again, starting from the top and going all the way down through the organisation, then it just prevents some of that from happening in the first place.

Gordon McKeown  26:24 
Completely. And, you know, audit can be part of the propagation of that culture, you know, to provide leadership, ethical leadership in an organisation.

Stephanie Jones  26:34 
All right, Gordon, so, as we've talked about accountability is going global. So what do you think that firms really need to do to address this conduct regulation?

Gordon McKeown  26:44 
Kind of like ethics in an age of COVID? A lot of it is just, you know, good operational risk management practices. But when it comes to senior management responsibility, which is a major focus... there's two focuses really with accountability and conduct. One is you can have data on senior management and the other is, you know, the competence of frontline staff, for example, in call centres or what have you. But what firms need to do is, you know, become better at record keeping, and ensuring that, you know, things like statements of responsibility are up to date, and that, you know, senior management roles are properly mapped. Policies relating to behaviour need to be distributed and complied with. Staff obviously need to behave competently and ethically, and training - you know, we're human beings, we don't, we don't necessarily all automatically behave competently and ethically. So, training is a big deal. And training needs to be systemized and records need to be kept and a certain amount of automation needs to be put into that.

And then audit comes in here because you need to inspect and check and control that people are behaving as they have been trained to behave as expected of them. And risks and controls need to be regularly assessed, you know, in this area, as in any other, they need to be well managed, kept up to date in line with requirements. So you fundamentally, you need to be good at operational risk management. And yeah, sure, in one sense, that's a burden. But as we've said, it's a driver for excellence as well.

Stephanie Jones  28:28 
Yes. And I think, Gordon, you just outlined a pretty solid audit programme that auditors can go through to ensure that firms do have all those things in place. So I was trying to write them down as you said them. And it'd be interesting for those listening to this podcast to say, "hey, are we doing- are we incorporating those steps and tests within our audit programmes to ensure this?"

What about things like new methodologies, such as maybe taking a more agile approach to auditing? How do you think that can help? Or do you think that could help?

Gordon McKeown  29:03 
I know that can help. You know, I've got a good example of that. A customer that we both know, I won't name them, but a large financial services business based in the UK. You know, I spoke to the Chief Risk Officer, I think it was back in June, about how the pandemic had affected them. And they were actually in quite a good place. You know, I was concerned, because I know, they've got, you know, a lot of staff in call centres and so on. So this is an organisation that has, you know, around about 50 significant risks. They have a Chief Risk Officer and a team of risk specialists, but those risks are all distributed through the organisation with you know - they've got a fantastic system of, you know, business risk owners, who line up into, you know, from a risk perspective into risk committees. They have several risk committees by category for example, health and safety, conduct, business continuity and so on.

What happened was that we all suddenly became aware of the pandemic around about February, I always remember there was a front page of the Economist that had a picture of the virus and "it's going global". You know, so mid February, we were starting to question it, they looked at it, and they looked at these 50 risks, and they didn't have a risk that- didn't have a pandemic risk, right? So what they did was - and you talk about agile - they identified the risk model that was closest to it, which in their case was an act of terrorism, right? So you know, they've got all the staff in city centre locations where such an event could transpire. And so they took that risk, and they remodelled it quickly to reflect pandemic, and that kind of risk basis, and that modelling and assessment of the situation, made them realise what the threat was for them, and what the potential consequences could be, which gave them a head start in, for example, purchasing 5000 laptops, for, you know, staff to take home and work from home, rather than the big workstations that are located in the offices.

So, they were able to equip themselves, you know, from a business continuity perspective to handle the situation by the middle of March. If they had left it any later, then they could have been in a lot worse situation. So, you know, does agile auditing and agile risk management have an impact here? Yeah, absolutely 100%. That good process, gave that organisation a kind of an absorptive capacity to learn quickly, and respond to the situation, which ultimately made them more resilient.

Stephanie Jones  31:50 
Definitely. And I think that's a great example - here we are all these months later, and had they not taken that pivot and the ability to address in an agile manner, what was going on, it would have been a much different scenario for them.

And I think that that's happening all over in so many different companies. And one thing that I believe this year is as crazy as it's been is, it's really allowed a lot of organisations and people and families and teachers and everyone else to really step up to the plate and shine, if you will, just in the handling of a situation that could have gone much differently.

Well, Gordon, I think like I said, that was a great example of just showing how one organisation and many others have really taken not just this year and the pandemic, but even before that, just the risk of regulation and how companies are addressing regulation and for internal audit, I believe, it boils down to, like you mentioned, just good solid internal audit risk-based approach auditing. For the internal audit team, for organisations, it's having that culture in place of doing the right thing. And if those are in place, then I think that firms have a very good position to address regulations as they occur.

Gordon McKeown  33:20 
Absolutely, Stephanie.

Stephanie Jones  33:21 
Thank you. So Gordon, definitely, I appreciate your thoughts on this and your input and feedback. I've certainly learned a few things and I hope that especially the auditors listening to this have some good tips and book suggestions, and all kinds of good feedback that they can take away with them. So again, thank you all for listening, and thank you Gordon for your time today!