Home / Resources / ISACA Journal / Issues / 2021 / Volume 6 / Differentiating Internal Audit in Supply Chain Risk Management

Differentiating Internal Audit in Supply Chain Risk Management

Author: Kevin M. Alvero, CISA, CDPSE, CFE
Date Published: 30 October 2021
Related: Audit Oversight for Onboarding Vendors | Digital | English
中文

Bracing consumers for looming supply chain disruptions has become a repetitive task for the news media in the wake of the COVID-19 pandemic. In early 2021 alone, consumers were told to prepare for shortages of everything from gasoline to chlorine and chicken to computer chips.

Naturally, organizations are looking to get a better handle on the risk factors that can affect their ability to receive and deliver the products and services that are critical to their business models, and they are looking to technology to help them do that. Software tools are proliferating in the supply chain risk management space, and…

[N]ow that the value of artificial intelligence, predictive analytics and prescriptive analytics is well documented, it is only a matter of time before this technology becomes the new norm.1

There is little doubt that the depth, breadth and immediacy of insight into supply chains provided by high-tech tools can help organizations reduce unwanted surprises and gain precious time to respond to emerging risk. At the same time, it may also cause organizations to consider how to get the best value out of the internal audit function where these tools are being used. Therefore, internal audit needs to be proactive in asserting its ability to provide useful, objective assurance and advice on the controls designed and implemented by management, and the assessment of areas of residual supply chain risk.

Social Compliance in Supply Chains

It may seem that areas such as environmental and social responsibility are natural places where human auditors are best suited to differentiate themselves from monitoring technologies in controlling supply chain risk. However, a 2019 research study by Deloitte showed that even in areas such as ethical labor practices and environmental responsibility, organizations are looking to tools and technology that can support and monitor socially responsible supply chain practices and environmental sustainability.2 Furthermore, the study noted that, in some cases, organizations were de-emphasizing the traditional internal audit approach and seeking to repurpose audit resources into technology tools because audits, while still the dominant practice in social compliance audits, were perceived to be “insufficient and ineffective” due to a variety of factors.3 These factors include scope limitations, the burden of multiple audits on employees, and the potential for corruption in the system of auditing and third-party certification.

Therefore, as greater emphasis is placed on monitoring technology, it is critical that internal audit position itself as an indispensable complement to these monitoring tools and technologies to remain relevant and deliver value in the supply chain risk management space. There are a number of ways internal audit can differentiate its value.

Points of Differentiation

Although it may seem that monitoring tools perform a facsimile of the audit process, monitoring, compliance testing and identifying nonconformities make up only part of the mission of the audit function. At its core, internal audit’s purpose is to help the organization achieve its business objectives, and as it relates to supply chain risk, there are multiple ways internal audit can differentiate its value while creating synergy with supply chain monitoring processes.

Assigning Meaning
As supply chain monitoring tools and technologies proliferate, they are generating large volumes of information about the organization’s supply chain. The organization’s decision-makers need help understanding the implications of that information, particularly at the big picture level. By integrating its efforts with technology-enabled monitoring activities, internal audit should be able to devote more of its resources to assigning meaning to monitoring data and converting meaning into actionable recommendations that support the organization’s strategy, mission and core values.

With its independence and access to a broad range of stakeholders, internal audit can impart value by ensuring that supply chain monitoring information is thoroughly and accurately disseminated to the appropriate stakeholders so they can make informed decisions.

Evaluating Organization Policies
For supply chain monitoring processes to be effective, organizations must have policies in place that define what is desirable or undesirable and acceptable or unacceptable. Material specifications, delivery time frames and environmental impact thresholds are just a few examples of the many aspects of the supply chain for which parameters must be established. These parameters must be updated over time, based on marketplace conditions and regulatory changes, and internal audit should also provide assurance to the organization that the criteria the supply chain monitoring tools are using are current, accurate and appropriate.

INTERNAL AUDIT SHOULD HELP ENSURE THAT THERE IS WIDESPREAD UNDERSTANDING OF POLICIES AND PROCEDURES RELATED TO SUPPLY CHAIN FUNCTIONS ON THE PART OF INTERNAL PERSONNEL.

Internal audit should be engaged with management to ensure that supply chain monitoring processes are operating on the most up-to-date information about the organization’s needs, constraints and business conditions. To do this, it may be beneficial for auditors to ask questions of managers across the various aspects of the supply chain such as:

  • Have relevant regulatory requirements changed?
  • Has the organization added or subtracted vendors or third parties?
  • Can the organization’s monitoring, assurance and audit resources support the existing supply chain?
  • Are policies still aligned to the business model, strategic objectives, customer/stakeholder expectations and core values?
  • Are there gaps in the existing system of controls?

Communication
Communication, which is a critical aspect of managing supply chain risk, occurs at several levels.

Internal audit should help ensure that there is widespread understanding of policies and procedures related to supply chain functions on the part of internal personnel. Interviews, compliance testing and evaluation of training activities can provide a picture of how well employees understand their requirements.

Internal audit should also consider whether there are ongoing communication activities that are educating vendors, prospective vendors, regulators, external auditors, the public and other stakeholders about the organization’s requirements, expectations and quality assurance activities.

For example, one of the difficulties cited by respondents who were interviewed in the Deloitte report was the number of audits that were being requested of them by various external stakeholders such as clients, customers and regulatory bodies, with each party bringing varying audit needs and expectations to the table.4 This can lead to rework and audit fatigue within the organization. However, if supply chain monitoring tools and technology can be leveraged to efficiently answer certain requests and provide assurance to external parties, then internal audit, with its expertise around the audit process and standards compliance, should be able to provide guidance in making sure audits are being done effectively.

Accountability
With its independence and its responsibility to the board of directors, internal audit performs a critical function in ensuring that management is accountable for effectively and responsibly managing supply chain risk. Internal audit can determine whether management is making effective use of information and insights gleaned from supply chain monitoring tools. Internal audit can then follow through on audit recommendations aimed at improving the efficiency, reliability and regulatory compliance of supply chain operations.

Emerging Risk
Effective supply chain risk management must include efforts to enable the organization to navigate emerging risk. Emerging risk includes newly developing risk areas that cannot yet be fully assessed but that could, in the future, affect the viability of an organization’s strategy.5 According to research published by KPMG in 2020, identifying existing and emerging risk is perceived by executive stakeholders as a key part of internal audit’s role but not to the extent that internal audit perceives itself this way.6 The report states that “a modern IA function should understand the organization’s key risks and proactively identify emerging risks in order to add value to the organization.”7 To do this, internal audit must be bold enough to question existing assumptions about the supply chain from a holistic perspective, including its inputs, processes and outputs; the policies and regulations that govern it; and the socioeconomic contexts in which it operates.

Auditing Technology Tools
Although technology tools can provide powerful insights into the supply chain’s efficiency, security and compliance, they cannot audit themselves. As noted, supply chain monitoring tools and technologies generate large amounts of data. As such, it is critical that an effective system of data governance be in place over supply chain monitoring technology, and internal audit should provide valuable assurance in this regard. Internal audit can provide insight into whether supply chain monitoring data is secure, if technologies are functioning as intended and if the data created by these tools are being used ethically and responsibly.

Conclusion

Nearly two decades ago, Protiviti published a report stating that traditional, compliance-focused audits, “While as important as ever…alone cannot provide optimum value for supply chain and procurement leaders and other stakeholders in the procurement process.”8 Today, with supply chain disruption near the top of many organizations’ risk rankings and business leaders seeking new methods of supply chain control, internal audit must strike a balance. Internal audit must integrate its efforts with high-tech supply chain monitoring tools so that it is not seen as an alternative to such tools. But, at the same time, internal audit must distinguish its value from that of technology tools so that it is understood to be an essential complement to them. By doing this, internal audit can help ensure that senior management continues to perceive internal audit as a foundational function in supply chain risk management.

INTERNAL AUDIT MUST BE BOLD ENOUGH TO QUESTION EXISTING ASSUMPTIONS ABOUT THE SUPPLY CHAIN FROM A HOLISTIC PERSPECTIVE.

Endnotes

1 Bonner, H.; “Managing Risk With Supply Chain Risk Management Software,” Riskpulse, 4 June 2020, https://riskpulse.com/blog/managing-risk-with-supply-chain-risk-management-software/
2 Deloitte Monitor Institute, Responsible Supply Chain Tools: Understanding the Market Opportunity, April 2019, https://www2.deloitte.com/content/dam/Deloitte/us/Documents/about-deloitte/us-about-deloitte-humanity-united-responsible-supply-chain-tools.pdf
3 Ibid.
4 Ibid.
5 Protiviti, Board Perspectives: Risk Oversight, Issue 23, USA, January 2011, https://www.protiviti.com/US-en/insights/board-perspectives-risk-oversight-issue-23
6 KPMG, 20 Key Risks to Consider by Internal Audit Before 2020, January 2020, Switzerland, https://assets.kpmg/content/dam/kpmg/ch/pdf/key-risks-internal-audit-2018.pdf
7 Ibid.
8 Op cit Protiviti

Kevin M. Alvero, CISA, CDPSE, CFE

Is senior vice president of internal audit, compliance and governance at Nielsen Company. He leads the internal quality audit program and industry compliance initiatives, spanning the enterprise’s Global Media products and services.