Disruptive Changes and Emerging Risks within Internal Auditing Profession: A Review from South Africa



Job Dubihlela1, Leon Gwaka2



Abstract: The pervasive advances in information technology, coupled with environmental changes and the gruelling real-time stakeholder demands, consistently challenge the auditing profession. Modern-day complex interconnected business networks are progressively making the true nature of emerging risks difficult to assess. Some of these emerging risks are like ticking time-bombs that can erupt rapidly and dramatically without warning. Emerging risks are concealed risk exposures with potential to trigger unanticipated and disconcerting shocks. As a result, organisations are more frequently turning to their internal auditing departments to help with the task of identifying emerging risks and guiding risk management protocols consistent with the dynamic risk landscape. The auditing professionals are increasingly being judged and evaluated for their ability to adapt and be forward-looking in matters of risk assessment. For that reason, internal auditors are forced to think laterally and adapt to emerging risks. Several examples in recent years have shown the immense responsibility that internal auditing professionals must carry, and the present paper is to be seen as a contribution to understanding the implications of the changing risk landscape on the internal auditing profession. The qualitative thematic analysis identifies the overwhelming need for agility within the internal auditing profession, and finds that emerging risks are becoming engrained in business operations and remain significant determinants of governance and accountability. The results of the study have several policy implications and ignite pertinent future research propositions.

Keywords: South Africa; emerging risks; auditing profession; disruptive technology; competencies; environment

JEL Classification: M40



1. Introduction

The past decade has seen many rapid changes within the global business environment such as the introduction of technologies and emergence of new business models (Botha, Kourie & Snyman, 2014). These changes have been necessitated by vicissitudes in global trends such as global population growth, migration (voluntary and forced) and the ubiquity of technologies among many other factors (ibid). Furthermore, the changes within the business environment have occurred (and/or continue to occur) in both developed and developing countries, affecting businesses of all sizes (small, medium and large), across different industries (Botha et al., 2014). Admittedly, a shift in the social, cultural, physical and technological dynamics in the global business environment creates new opportunities for businesses but also expands the risk spectrum of businesses for instance, by complicating the already existing risks and creating new risks (Doppelt, 2017). This expansion of the business risks spectrum creates an important challenge for the internal audit professionals whose responsibilities, as sanctioned by different professional guidelines, include ensuring that an organisation’s risk management strategy is functioning efficiently and effectively (Coetzee & Lubbe, 2014, p. 115).

For many years, most businesses, especially small and medium, have only been concerned with internal risks and yet, in the 21st century, there are several risks at different levels (internal and external) with the potential to inhibit businesses of all sizes from achieving their objectives. For instance, recent global (such as the 2008-9 global recession) and national (national strikes in SA) events mean that there are increasing risks at both country level and industry level which can affect businesses. In addition to this, the risks facing businesses in recent years are complex, often cross cutting, thus, require a change in approach from the internal auditing professionals and their customers, business managers (Yee et al., 2008). Cognisant of these modern-day risk dynamics, Bruwer et al. (2017) recommend continuous internal auditing and risk management processes towards mitigating the emerging risks.

To keep up-to-date with the evolving risks (as well as other business trends) and meet the changing business needs, the internal audit profession has also evolved over the past years (Chambers & Odar, 2015, p. 49). For instance, the roles of the internal audit professionals have advanced from being inspectors to being business associates (Soh & Martinov-Bennie, 2015). Furthermore, despite the profession’s perceived association with financial controls only (monitoring), in recent years, the internal audit function is expected to increasingly become involved in non-financial risks such as social and environmental risks. Thus, internal auditors are now expected to “achieve a balance as an inspector and a trusted advisor to provide value-added services” (Kofke in Yadao, 2015, p. 24). In this regard, Chambers and Odar (2015) believe that the internal audit professionals continue to face a challenge of clarity about their duties.

For the internal audit professionals to provide value-adding services, these professionals need to understand the changing business dynamics and risks. This also means that, since risk is a moving target, it is critical for the internal audit professionals to keep track of the risk landscape. This goes beyond the traditional listing of risks to the consideration of how the management and internal audit professionals react to the emerging risks. Given the foregoing, the purpose of this study, through a review and analysis of purposively selected white papers, consultancy documents and reports, is to develop critical insights on the changes within the risk landscape and consider the implications which these changes in the risk landscape have on the internal audit profession. Specifically, the study seeks to contribute towards suggestions on what needs to change within the auditing profession to be able to continuously provide value-adding services to organisations. The study’s presumption is that such a futuristic (proactive) approach is critical in developing risk responses, since most businesses are reactive to risks, which allows risks to materialise before responding to them. The recent pandemic perhaps was the biggest wake-up call that we have for the need of a proactive approach – and consideration of risks which businesses normally perceive as unlikely. For educational institutes (such as universities) this study can be useful towards rethinking the curriculum design specifically to absolve from fixating the learning as well as diversifying the research focus.



2. Study Context and Approach

Byrnes et al. (2018:285) indicate that “auditing is at a critical juncture”, but this postulation has been made several times at different points within the profession’s history. Undeniably, changes in the global trends such as the ubiquity of technological advances – ICTs – and digitisation of business processes have triggered profound changes in the way businesses operate/function and in turn, these changes are creating diverse risks and opportunities. It is concerning that “levels of risk detection are outpaced by risks” (PricewaterhouseCoopers, 2018, p. 16); thus, organisations remain reactive to risks rather than being proactive. Therefore, this study is framed in the context that, for the internal audit professionals (including those in academia) to be prepared to take on emerging risks (Yadao, 2015), they need an appreciation of the changes within the risk landscape (current and futuristic risks) to ensure a proactive and not reactive approach to risk management.

To achieve this, the study borrows frameworks – adaptive management and systems thinking – from natural sciences (i.e. ecology studies). The adaptive management approach can be applied to “support action in the face of limited knowledge” and thus prompts “learning by doing” (reference). In addition to this, the systems thinking approach is applied to show the interconnectedness of risks since these risks “seldom occur in isolation” (IRMSA, 2017). In the context of this study, it is argued that with the frequency and magnitude of changes in the business environment (specifically technological advances, political decisions), existing risks are amplified while new risks emerge. As a result, a holistic (systems thinking) and dynamic risk management approach is needed.

3. Literature Review

3.1. Global Business Environment Changes

In recent years, globalisation processes have gained momentum through technological advances. Countries across the globe are increasingly dependent on one another even though in recent years, political tensions are also contributing to the fragility of interdependence e.g. Brexit in Europe and Nigeria’s refusal to sign the Africa Continental Free Trade Area agreement. Despite the cases of fragility, interdependence between and among countries has increased. With emerging technologies, e.g. internet and subsequently social networks, new forms of businesses have emerged and new firms (disruptive) are entering various industries with improved products and services at lower costs. The customers are also increasingly becoming aware of potential alternative suppliers; thus, the customer needs and requirements are also changing. In the past decade, business practices have shifted from being location-based, with advances in technologies creating techno-spaces conducive for conducting business regardless of location. Even employees are being allowed to work remotely, with no need of being physically present in office.

In addition to this, other major changes across the world are the increase in pressure groups – strikes (national actions) as well as employee mobility.

While the changes discussed are just a few of the many on-going changes, many businesses, especially small businesses, perceive global changes to have less effect on their sustainability, but the interconnectedness and complexities of these global shifts impact all businesses. This study argues that businesses (of any size) do not operate in a vacuum; thus, global business environment changes should always be a concern for any business, including small businesses. The analysis of business environment changes needs to be done from a systems perspective, which entails understanding interconnectedness of elements.



3.2. The Changing Risk Landscape

The global business changes discussed in the previous section create both opportunities and risks for businesses. For instance, the increasing connectedness of countries, businesses and people across the globe also mean that a business’s exposure to risks and/or threats extends beyond the business to include those interconnected to the business. However, this has been observed in early studies on globalisation. Of interest in this study is how the risk landscape has changed in recent years. The nature of risks which an organisation is exposed to is dependent on several aspects including the country-specific, industry-level and individual risks. For instance, companies in the agriculture sector are more likely to be impacted by environmental risks than those in education.

In a recent study, Rezaee et al. (2018) indicate that digital technologies have altered the way business is conducted e.g. more transactions are conducted online, communication channels have broadened, and all these changes pose a significant threat to businesses. However, the transition for businesses to provide services and products online has potential risks e.g. the severity of risks has intensified – data losses – can be up to devastating amounts. Steinhoff, loss of value can be huge.

In addition to these internal changes, businesses are interconnected (business to business) thus; a risk to one business also concerns another business. In the IRMSA 2017 report, respondents indicated that organisations in SA were least prepared in the risk area relating to Brexit. The interconnectedness of the businesses has several implications. Serving a global audience or customers has increased possible organisational exposures for most businesses.

Another major change in the risk landscape has been the frequency of transformation. In modern-day businesses, transformations are occurring at much faster pace – e.g. newer technologies are always being introduced. For instance, over the past five years – technological innovations which businesses need to be concerned with are many. Social media, digital currency and blockchains issues, recurrent droughts as well as cyber security (CRS-UoC, 2017). Organisations have recently experienced new records of cyber incidents, escalation in the security-costs, changes in technologies for both offensive and defensive and shifts in risk profiles, control activities, and risk protagonists.

In all this, it is evident that the sources of risks for businesses have expanded in the past decade and businesses need to be aware of these. While some risks may seem not to affect businesses, the interconnectedness of businesses means that organisations may be affected remotely.

3.3. Internal Auditing in Times of Uncertainty

Following the economic crisis in 2008, many questions emerged on the contribution of the internal audit profession towards the crisis. Chambers and Odar (2015) show that due to internal audit duties (expected duties), the internal audit profession also shoulders responsibility for the crisis since the internal audit profession has been dubbed a critical line of defence.

The risk landscape has been changing over the years and studies on the changing roles of internal auditors have existed for many years, e.g. Gupta (1992), XLM (2002), KPMG (2007) and Ernst and Young (2017).

Rezaee et al. (2018) further suggest that as business processes get complicated continuously, internal audit research on continuously improving audit approaches (e.g. continuous audit) is necessary.



4. Methodology

4.1. Document Analysis

This study focuses on developing insights on the changing risk landscape in South Africa. The study uses a document analysis approach (Bowen, 2009) and data used for the study were obtained from purposively selected documents. The study purposively selected publicly available documents e.g. on the websites (internet) of purposively selected key consulting organisations (cf. Friederici et al., 2017). The selection of the research method was based on the need to achieve a “rich description of the single [risk landscape] phenomenon” (Bowen, 2009:29). The organisations from which documents used in the study were obtained include KPMG, PWC, World Bank, IRMSA, IIA and University of Cambridge’s Centre for Risk Studies. In total, 29 documents were used in this study. Table 1 provides a summary of some of the documents used for the study.

Table 1. Summary List of Some Document Sources

| Organisation | Title | Year | Shorthand in paper |
|---|---|---|---|
| IRMSA | IRMSA Risk Report South Africa Risks (3rd Edition) | 2017 | IRMSA (2017) |
| PWC | Africa risk in review | 2015 | PWC (2015) |
| World Economic Forum | The Global Risks Report 2018 13th Edition | 2018 | WEF (2018) |
| KPMG | Top Risks for Retail Companies in South Africa – 2017 | 2018 | KPMG (2018) |
| Aon | 2017 Risk Maps: Aon’s guide to political risk, terrorism and political violence | 2017 | Aon (2017) |
| Centre for Risk Studies: University of Cambridge | 2017 Cyber Risk Landscape | 2019 | CRS-UoC (2019) |






4.2. Selection, Coding and Data analysis

Over the past years, many reports have been developed by leading consulting organisations on risks in businesses. These reports offer information on risks including sources, mitigation approach and progress. The process of document selection was led by the consideration of whether the report has the following keywords: (names of top global think tanks) + top + risk + South Africa e.g. (search engine: PWC top risks in South Africa). Using this approach, documents were further narrowed to only those produced between 2015 and 2018 to ensure that only recent information is presented. In analysing the documents, skimming was conducted followed by in-depth reading (to gain deeper understanding) and interpretation of the document information.



5. Thematic Analysis of Selected Documents

From the reports reviewed, the study has identified changes in the business environment, emerging risks (complication) and risk responses by the different businesses in different countries and industries. This section of the study presents some of the findings from the review.

Table 2. Selection of the Key Themes

| Key Theme | Description & Selection |
|---|---|
| Technological advances, digitisation | New ‘disruptive’ technologies that are being quickly adopted, and potentially with more agile new businesses and services emerging from technological advances; use of technologies in business and for personal purposes |
| Global Environmental changes | Emerging environmental risks which can affect employees’ well-being |
| Geo-political instability | Organisations are increasingly worried about the disruptive impact of wars, upheaval or terrorism that potentially affect operations, supply chains, human capital or assets directly or indirectly |

Following the selection of the key themes, presented in Table 2, the next section of the study ties the themes to the selected documents, presenting extracted text from these documents.

5.1. Technological Advances

Without a doubt, one of the major trends in the past years has been the integration of technologies (digital tools) in business. Technology (production, supply) has developed to be brisk business. In just a decade, business organisations (of all sizes and in all industries) have moved from being sceptical about digital technologies (CRS-UoC, 2017) to embracing these technologies for business activities including customer engagement. For instance, in PWC (2014):

“Today, we view social media as coexisting alongside traditional media. By 2020, social media will be the primary medium to connect, engage, inform and understand your customers (from the mass ‘social mind’ to the minutiae of each and every individual), as well as the place where customers research and compare banks’ offerings. And, as today, information and opinion (good or bad) can be amplified, creating new risks and opportunities. Mastery of social media will be a core competency requisite within business environments” (p. 14).

Even though studies on social media have been conducted – businesses are increasing the use of social media. Further to this, KPMG (2017:2) suggest that “Brand and reputation damage is closely linked to social media because of the ease of public opinion as no cost is then immediately felt by any retailer, either in a positive or negative way”.

5.2. Global Environmental Change

In addition to digitisation, another major risk is global environmental changes – resulting in climate change. In the context of SA, IRMSA, in the 2017 and 2018 reports identified droughts as a major risk (high impact and likelihood). In the past years, the threats of climate change to humanity (through food insecurity) have been well documented. However, these threats have been treated as industry-specific. For instance, the risks of climate change have only concerned those in the geography, biology and social science departments. A systems perspective however suggests that the threats of climate change – drought and water shortages are also threats to business. For instance, water shortages in Cape Town can have implications on businesses.

5.3. Geo-political Instability

In addition to the digitisation and global environmental risks, another complex risk is the global political instability. McKellar (2017:3) defines political risk as “potential harm to a business operation arising from political behaviour” and the IRMSA (2017) ranked political instability as one of the top country level risks in South Africa. However, small organisations may claim that political instability only affects larger organisations, but the ripple effects of political risk are also felt in the industry specific risks. As McKellar (2017) demonstrates, politics is pervasive and thus affects business regulations and markets, and all these impact individuals and businesses of all sizes. For instance, political instability results in increasing strike action (identified as one of the main risks, IRMSA, 2017). Social activists Further to the above, the GRR (2018:37) shows that in recent years, another major risk facing countries, and inherently businesses, is an increase in the changing international relations and countries’ domestic political conditions. A major global example has been the United Kingdom’s exit from the European Union – commonly known as Brexit. On the domestic level and in the context of the study, reports (e.g. IRMSA, E&Y) show that the political dynamics are threatening the functioning of the markets – and the Rand’s strength often hinges on political decisions.

McKellar (2017, p. 8) argues that “business managers are seldom trained in how to integrate it [political risk] into strategic or operational decisions or how to apply corporate resources to mitigate it” and this justifies IRMSA (2017) findings that businesses are least prepared to respond to this risk. With managers ill-prepared, it is the internal auditors’ duty to help management with mitigation of the risks.

Apart from geopolitical instability impacting the markets, organisations also need to be concerned with the impacts on attracting and retaining skilled personnel. The emergence of attractive destinations such as the UAE means that skilled personnel are likely to consider politically stable countries compared to geopolitically unstable ones. However, this could also serve as an opportunity – e.g. companies to attract skilled personnel.

It may be argued that geopolitical risks are higher levels especially for small and medium businesses. However, consider the following: potential suppliers and customers



6. Implications for the Internal Audit Profession

So far, the study has outlined trends in the business environment (changes) and the complex risks which organisations may be exposed to currently or potentially in future. Gwaka (2015) suggests that any risks which have the potential to impact a business (i.e. hinder the business from the achievement of the business objectives) should be a concern for the internal audit function. However, based on IRMSA’s assessment of risk readiness among South African organisations, most organisations were unprepared for some of the complex risks such as droughts (71% unprepared) and international political instability (80% unprepared). In the IRMSA report, it is evident that the business environment will continue to change – as new technologies emerge, consumers’ tastes change and so forth. These changes will continue to complicate the risk spectrum in the organisations. This has many implications for the IA, driving the need to approach internal auditing engagement and activities with totally divergent and innovative mind-set and techniques.

6.1. Staying Ahead of the Risk Curve

Reactive risk management approaches are costly to business organisations, as these approaches allow risks to manifest before measures are put in place. However, proactive risk management measures allow businesses to put in place risk mitigation measures reducing the chances of risks materialising in organisations. PWC (2015, p. 2) demonstrates that. Typically, risk analysis remains anchored in historical data. To be more meaningful, risk needs to preview far more the future implications, and stay ahead of the education format. It is undeniable that predicting the nature of risks likely to emerge from the changes in the business environment is complex, but internal audit professionals need to stay ahead of the risk curve. In other words, effective risk management requires understanding more about the hidden projected risks than the known risks. In particular, internal auditors must recognise when new risks are emerging. Too often, risk assessments plot the usual “common knowns”, leaving management and directors underwhelmed by a process that seemingly re-iterates only what is already known.

6.2. Internal Auditing Education and Risk Ownership

In the changing landscape of risks, the training and staffing of the internal audit function need to be reconsidered. With the nature of risks which internal audit professionals are required to advise management on, there is increasing need for internal audit functions to diversify the skills of the IAF. For instance, internal auditing functions need to accommodate individuals with other skills such as environmental scientists and political analysts. Furthermore, documents reviewed in this study have shown a growth in digitalisation of the business environment. Increased reliance and/or use of technologies to perform audits (auditing research). To this end, Ratzinger-Sakel and Gray (2015) recommend continuous evaluation of the convergence or divergence of audit practice and education (p. 97). Competent staff, as risk owners, analyse macroeconomic trends, evaluate the likely direction of drifts over time, and design effective risk-mitigation measures to deal with potential impact of emerging risks on the organisation’s strategy and performance.

6.3. Systems-based Thinking

In the reports reviewed in this study, it was evident that some of the risks (ranked as top) may previously have not been on the audit plans of the majority of small and medium organisations, even large organisations. These risks include global environmental changes. However, if internal audit professionals are to add value in contemporary business environments, they must also consider the risks and opportunities manifesting from the interconnectedness of elements. For instance, the recent water crises in Cape Town, Therefore, it is submitted that the systems thinking (holistic approach) be adopted by internal audit to obtain a big picture which can improve the value addition exercises within organisations.

6.4. Adaptive and Agile Organisational Thinking

Adaptive and agile organisational thinking refers to the capacity to respond effectively to turbulent business environments and a changing risk landscape. Internal auditors must develop an agile mind-set and implement agile risk assessment and monitoring practices. In addition to a systems approach, this study suggests that internal audit professionals will be required to espouse adaptive thinking and/or adaptive management strategies. According to the IRMSA (2017, p. 8), “Flexibility is a key requirement for South Africa, as well as for organisations operating within its borders, to remain resilient and thrive in an ever-changing context and associated risk landscape”.



7. Conclusion

This study set out to explore the changes in the business environment and the changes in the risk landscape as well as understanding the implications of these changes on the internal audit profession. Considering the various changes in the business environment, the study employed a discourse analysis approach to explore publicly available reports from purposively selected consulting organisations. One of the major findings of this study is the exponential increase of non-traditional risks such as environmental threats (climate change, droughts) and political risks (instability – e.g. Brexit). In addition to this, technological innovations continue to pose significant risks to business e.g. emergence of new services which can disrupt traditional businesses. It is recommended, therefore, that internal auditors use more divergent and innovative techniques that focus on interdependencies among risks to identify emerging risk themes germane to dynamic organisational systems.

It is evident that internal auditors are faced with a major challenge to keep abreast of these risks considering that risks – in an ever-changing business environment – are a moving target. For this study, it was evident that internal audit professionals need to keep abreast of these changes and to do so, there are several changes which may be needed. The study suggested adopting a systems approach towards examining the business environment. As the business environment changes, not only should internal audit professionals be focusing on risks – but they should also consider opportunities for adding value to the business organisations. Admittedly, the use of document analysis only for the study presents a potential limitation to this study which can be improved through additional research methods such as triangulation to improve the credibility of the study.

However, as the internal audit roles within organisations continue to change, it is always critical to understand that “legitimate areas do exist where internal audit and risk management functions can overlap, but care needs to be taken to manage these situations” (Deloitte, 2013:8) to ensure that the internal audit function maintains independence and objectivity while helping the organisation achieve its objectives. To this end, future research, focusing on examining the advance of the internal auditing profession, in the context of the presented risks landscape, will be critical (Byrnes et al., 2018).



References

Botha, A.; Kourie, D. & Snyman, R. (2014). Coping with continuous change in the business environment: Knowledge management and knowledge management technology. Elsevier.

Bowen, G. A. (2009). Document analysis as a qualitative research method. Qualitative research journal, 9(2), pp. 27-40.

Byrnes, P. E.; Al-Awadhi, A.; Gullvist, B.; Brown-Liburd, H.; Teeter, R.; Warren Jr, J. D. & Vasarhelyi, M. (2018). Evolution of Auditing: From the Traditional Approach to the Future Audit 1. Continuous Auditing: Theory and Application, pp. 285-297. Emerald Publishing Limited.

Chambers, A. D. & Odar, M. (2015). A new vision for internal audit. Managerial Auditing Journal, 30(1), pp. 34-55.

Coetzee, P. & Lubbe, D. (2014). Improving the efficiency and effectiveness of risk-based internal audit engagements. International Journal of Auditing, 18(2), pp. 115-125.

Doppelt, B. (2017). Leading change toward sustainability: A change-management guide for business, government and civil society. Routledge.

Ratzinger-Sakel, N. V. & Gray, G. L. (2015). Moving toward a learned profession and purposeful integration: Quantifying the gap between the academic and practice communities in auditing and identifying new research opportunities. Journal of Accounting Literature, 35, pp. 77-103.

Rezaee, Z.; Sharbatoghlie, A.; Elam, R. & McMickle, P. L. (2018). Continuous auditing: Building automated auditing capability. Continuous Auditing: Theory and Application, pp. 169-190. Emerald Publishing Limited.

Jurisch, M. C.; Rosenberg, Z. & Krcmar, H. (2016). Emergent risks in business process change projects. Business Process Management Journal, 22(4), pp. 791-811.

Soh, D. S. & Martinov-Bennie, N. (2015). Internal auditors’ perceptions of their role in environmental, social and governance assurance and consulting. Managerial Auditing Journal, 30(1), pp. 80-111.

Yee, C. S.; Sujan, A.; James, K. & Leung, J. K. (2017). Perceptions of Singaporean internal audit customers regarding the role and effectiveness of internal audit. Asian Journal of Business and Accounting, 1(2), pp. 147-174.



1Cape Peninsula University of Technology, South Africa, Address: Cape Town, South Africa, Corresponding author: dubihlelaj@cput.ac.za.

2Cape Peninsula University of Technology, South Africa, Address: Cape Town, South Africa, E-mail: gwaka@law.upenn.edu.

AUDŒ, Vol. 16, no. 3/2020, pp. 143-154