Chief Audit Executives (CAEs) continuously assess how to successfully deliver on internal audit’s objectives in this new reality, to earn and keep the trust of both shareholders and stakeholders. Critical to this success is considering signals pointing to changing risks faced by their organizations and, in turn, changing the focus of assurance and advisory projects on the Internal Audit (IA) plan. Our complementary piece, On the CAE Agenda for Q2 2021, provides a view on higher-priority risks CAEs are currently considering on their plans.
Signals of change
Over the last few decades, organizations have been under extreme pressures to improve their operating margins. Organizations have implemented strategies and policies which have created leaner, more complex supply chains that are dependent upon global networks with a high reliance on low cost country sourcing. These changes, by reducing redundancy and flexibility, have reduced companies’ abilities to rapidly respond to uncertainties and to address increased customer expectations.1
COVID-19 has revealed how an organization’s supply chain can be one of its largest sources of vulnerability if its risks are not managed proactively. Impacts of the pandemic will continue to affect and test organizations’ commercial, operational, and financial resilience, while exposing fault lines that have existed for some time.
At large, “Organizations are facing more supplier disruptions and are adopting new technology and sourcing strategies to build resilience.”2 There are four past truths, or practices, which if an organization is still holding on to, will pose risk to this resiliency.
- Believing in the benefits of trade liberalization and global interdependency, as supported by rules-based institutions such as the World Trade Organization and European Economic Community.
- Reflecting long-standing labor-arbitrage and cost-of-doing-business differentials that encouraged offshoring of select operations and sourcing through lower-cost-third-party suppliers.
- Benefiting from tax-code provisions, such as exemptions for foreign-source income and offsets for taxes paid overseas.
- Assuming inventory buffering as a primary line of defense against supply risk, based upon historic consumption patterns and ability to effectively manage long lead times.1
Questions for the Chief Audit Executive to ask
- How, and how often, is your supply chain organization validating underlying business assumptions – such as those noted above – that are baked into your supply chain networks and operating models?
- How are advanced risk techniques, such as dynamic risk assessment and war-gaming, being used by your supply chain organization to stress test their risk assessments?
- How is your supply chain organization re-weighting efficiency and low-cost versus risk exposure, supply alternatives, tax considerations, and channel complexity?
- How is your internal audit organization helping your supply chain organization assess its end-to-end supply chain visibility?
- How does your supply chain organization assess and leverage emerging technologies, such as digital twin and control tower capabilities, to monitor supply chain risks and create actionable insights to support decision-making?