control, and governance
Cross-border legal and regulatory constraints present a host of issues for internal auditors.
Risk assessment constitutes one of the foundations of leading practice internal auditing. At the broadest level, a risk-based approach enables auditors to prioritize activities in the internal audit "universe" - that is, the complete range of auditable activities that an internal audit function encounters. A risk assessment of that universe's individual elements permits internal auditors to prioritize activities and thereby focuses the audit effort on topics that most warrant attention.
Once a topic within the audit universe has been selected through a high-level risk assessment, auditors typically apply a more detailed risk assessment to further define the scope of a related internal audit assignment. For instance, if a high-level assessment highlights the organization's consumable inventories, the auditors may apply a narrower assessment to determine which areas of inventory the audit should focus on - fast-moving lines of inventory, for example, or high-value or attractive items.
When the audit universe includes an international dimension, internal auditors face a unique range of risk considerations. These risks may either intensify existing risks or present entirely new ones. Examples of risks introduced by international business activities include economic and foreign currency risks, taxation risks, linguistic and communication challenges, and differences among countries' generally accepted accounting principles.
One area of particular concern to auditors of international activities is legal and regulatory risks. Auditors need to understand the general nature of these risks, as well as the methods commonly used to manage and mitigate them. Only then is the practitioner in a position to address the specific concerns he or she may face.
The differences among legal systems around the world can have a material impact on the activities of an organization that operates internationally, and the audit function may need to factor these considerations into its planning processes. At a conceptual level, contrasts may be drawn along the significant differences between the common law systems typical of English-speaking countries and continental European legislative systems that derive from - or have been influenced by - the French Napoleonic Code. In turn, both these legal cultures may be contrasted with Islamic legal systems.
Unfamiliarity with a specific legal culture may have serious repercussions, including the imposition of unnecessary legal actions and loss of court cases. Typical areas in which legal approaches vary around the world include freedom of contract, insolvency laws, the enforcement of property rights, the treatment of creditors, anti-corruption laws, and data privacy laws. In particular, the pragmatic, precedent-driven development of common law systems can lead to legal decisions far removed from the principle-driven, statutory nature of the Napoleonic legal cultures. More notably, in contrast to both the common law and Napoleonic systems, charging interest on loans is considered illegal in some countries with Islamic legal systems.
In addition to the risks embedded in the philosophy or culture of a legal system are those related to the manner in which a legal system functions. In some parts of the world, unreliable courts and legal processes that move at a lumbering pace present serious risks to organizations with international operations. A pressing court case - for example, an allegation of copyright infringement - may take years, or even decades, to be resolved in some legal systems.
In extreme cases, an organization can avoid or eliminate some legal risks by refraining from doing business in a particular jurisdiction, or by disengaging from existing activities within a jurisdiction. For an organization that chooses to confront these legal risks, however, common risk management strategies include the development of formal, written objectives and policies for the planning, monitoring, management, and reporting of all legal compliance matters; the identification of responsible officials accountable for this compliance; training courses in legal topics for employees; and the use of in-house or external legal expertise.
Organizations also frequently use joint ventures as a method of international risk transfer, tapping local expertise to assist in navigating the sometimes choppy waters of local legal complexities. Of course, organizations can also minimize international legal risks by undertaking internal audits to review these areas. Depending on their institutional significance, the internal auditor may need to review the effectiveness of such risk management strategies.
Compliance with regulatory demands in an international context can often be an organizational headache. In many countries, heavily bureaucratic administrative and regulatory structures are entrenched in areas such as import and export licences. Extremely important considerations may flow from such matters - restrictions on items that can be brought into and out of a country, as well as processing delays, might even make or break an organization.
Anti-competitive and protectionist trade policies are also a reality in many countries, and in some specific markets within otherwise economically liberal countries. Protectionism can take many forms - tariffs and quotas on imports and exports, the manipulation of exchange rates to make exports internationally attractive, and the use of regulatory powers of doubtful justification to block certain imports artificially. In fact, many examples of the latter have occurred in recent years, with the application of questionable, or even spurious, politically motivated "safety" precautions that block the importation of medicines and foods to a country.
Capital controls, or limitations on the free international flow of money or assets, may also be of interest to international organizations and their internal audit practitioners. The existence and severity of capital controls broadly correlate with the extent to which a specific country encourages or discourages international trade. Capital controls may cause severe problems for organizations - restrictions on cross-border payments, the free exchange of currencies, and the repatriation of profits, for example, can represent a serious obstacle to international activities.
Environmental compliance issues can also be problematic within international settings, particularly given the fast pace of regulatory change in this area. From the 1992 United Nations Framework Convention on Climate Change, to the Kyoto Protocol of 1997, to subsequent promulgations in the early 21st century, environmental regulation has undergone significant development. And adhering to these standards can be a major challenge. Environmental controls in some countries may be heavily prescriptive, and compliance may be expensive and cumbersome. Moreover, public awareness of environmental matters represents an important parallel phenomenon. Actions such as large-scale oil spills that lead to degradation of the environment can cause immense damage to a multinational organization's international reputation, irrespective of the degree of formal compliance with environmental standards.
Obtaining timely and relevant intelligence on regulatory matters is a common risk management strategy for organizations with international activities. By monitoring and understanding the regulatory environment, an organization can interpret that environment and respond in a timely manner to any changes. Nonetheless, monitoring does have its limitations - unexpected regulatory changes are sometimes introduced with relatively short notice, often driven by political considerations that may not be anticipated by normal monitoring routines. To help manage these types of risks, organizations often use either in-house or external expertise. Organizations could also consider lobbying for congenial regulatory systems, though this strategy may entail some political risks.
Internal auditors whose remit includes international activities should be aware of the potential complications and dangers that arise directly from operating in an international context. The legal and regulatory environments in which organizations operate internationally may be extremely varied, from the very light to the highly onerous. The pace of change in these areas may also be a risk in itself, as keeping up with shifting international laws and regulations can be difficult for organizations.
Whether assessing international risks at the level of the audit universe, or at the level of an individual assignment, the internal auditor should reflect carefully on the possible impact of legal and regulatory constraints. Best practice internal auditing uses a risk-based approach, and international activities are particularly risk-rich.
The author provides fuller discussions of international risks in his book, Auditing International Entities - Second Edition, published in December 2009 by The IIA Research Foundation.
David O'Regan, CIA, FCA, is auditor general in the Office of Internal Oversight and Evaluation Services at the Pan American Health Organization in Washington, D.C.