control, and governance
How Do I ... Audit International Business Risk
When the audit universe includes an international dimension, internal auditors face a unique range of risk considerations. These risks may either intensify existing risks or present entirely new ones. Examples of risks introduced by international business activities include economic and foreign currency risks, taxation risks, linguistic and communication challenges, and differences among countries' generally accepted accounting principles.
One area of particular concern to auditors of international activities is legal and regulatory risks. Auditors need to understand the general nature of these risks, as well as the methods commonly used to manage and mitigate them.
LEGAL SYSTEMS AND PHILOSOPHIES
Unfamiliarity with a specific legal culture may have serious repercussions, including the imposition of unnecessary legal actions and loss of court cases. Typical areas in which legal approaches vary around the world include freedom of contract, insolvency laws, the enforcement of property rights, the treatment of creditors, anti-corruption laws, and data privacy laws. In particular, the pragmatic, precedent-driven development of common law systems can lead to legal decisions far removed from the principle-driven, statutory nature of the Napoleonic legal cultures. More notably, in contrast to both the common law and Napoleonic systems, charging interest on loans is considered illegal in some countries with Islamic legal systems.
MANAGING LEGAL RISKS
In extreme cases, an organization can avoid or eliminate some legal risks by refraining from doing business in a particular jurisdiction, or by disengaging from existing activities within a jurisdiction. For an organization that chooses to confront these legal risks, however, common risk management strategies include the development of formal, written objectives and policies for the planning, monitoring, management, and reporting of all legal compliance matters; the identification of responsible officials accountable for this compliance; training courses in legal topics for employees; and the use of in-house or external legal expertise.
Obtaining timely and relevant intelligence on regulatory matters is a common risk management strategy for organizations with international activities. By monitoring and understanding the regulatory environment, an organization can interpret that environment and respond timely to any changes. Nonetheless, monitoring does have its limitations - unexpected regulatory changes are sometimes introduced with relatively short notice, often driven by political considerations that may not be anticipated by normal monitoring routines. To help manage these types of risks, organizations often use either in-house or external expertise. Organizations could also consider lobbying for congenial regulatory systems, though this strategy may entail some political risks.
PROCEED WITH CAUTION
Internal auditors whose remit includes international activities should be aware of the potential complications and dangers that arise directly from operating in an international context. The legal and regulatory environments in which organizations operate internationally may be extremely varied, from the very light to the highly onerous. The pace of change in these areas may also be a risk in itself, as keeping up with shifting international laws and regulations can be difficult for organizations.
Adapted from "International Business Risk" by David O'Regan (Internal Auditor, "Back to Basics," April 2010).
COMMENT ON THIS ARTICLE
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.