Articles Neil Hodge Jul 12, 2023
Emerging industries such as cannabis and fintech are an opportunity for audit leaders to build internal audit functions, but practitioners will need to prepare for a wider range of responsibilities and regulations than they have faced before.
Providing management assurance can be tough enough for internal auditors at the best of times, but trying to do so in an emerging industry where regulations are still developing can be a whole new challenge. The nascent cannabis industry in the U.S., for example, is one in which newly established businesses are operating under a regulatory environment that creates significant obstacles.
As the production and sale of cannabis is only legal in individual states and not at the federal level, cannabis companies need to ensure that the sale of their products is strictly limited to within the state in which they are produced. They also must have measures in place to ensure that the product conforms to safety guidelines and is not contaminated with other substances that may impact its strength.
Moreover, cannabis companies face a range of other rules that demand strong compliance. Cannabis is a cash-only business — credit card transactions are banned — so providers need to ensure they have robust anti-money laundering controls in place, as well as strong physical security measures.
Despite such obstacles, internal auditors who have opted to work in the sector say they have taken the right career path. Meridith Klein, senior director of risk and control at Miami-based cannabis company Ayr Wellness, joined in May 2021 because she was excited by the opportunity to work in a company that had just gone public and was part of a new, growing industry. But that meant it needed to comply with legal and financial reporting requirements such as the U.S. Sarbanes-Oxley Act of 2002.
“Few — if any — companies in the cannabis industry had gone through such a process,” she explains, “So it was a great opportunity for me to set up an internal audit function from scratch, get Sarbanes-Oxley compliance in place, and be part of a growing company in a fast-paced environment.”
Making a move to a company in a new industry such as cannabis isn’t for the faint-hearted, Klein says. “There are challenges day-to-day,” she says. “Internal audit’s involvement is spread wider than in a traditional company.”
For example, Klein’s team not only focuses on financial controls and reporting, but also physical asset protection and security, insurance, money laundering, and cash risks, where there is a heightened risk of misappropriation. “The upside of our involvement in these areas is that we get to see how impactful internal audit is to the business and the value we’re adding,” she says.
Jennifer Isquith, CAE at cannabis company Verano in Chicago, says joining the company was a chance to put her stamp on internal audit. “There was no audit function when I joined and no real experience of Sarbanes-Oxley compliance or an internal control environment, so I was able to set it up from scratch to meet the needs of the business and reflect what I thought was a best in class internal audit department,” she says. “That’s a real opportunity.”
Isquith says internal auditors who want to work in new industries need to be prepared to go above and beyond. “It’s hard work and constantly challenging,” she says. “Your focus can shift quickly depending on what needs to be done.”
For example, Isquith says internal auditors at cannabis companies must be aware of increased risks in the industry, such as compliance with state and local regulations, and limited access to big banks and credit card networks. Also, third-party service providers — especially public accounting firms — are reluctant to engage with cannabis companies because of the lack of federal legislation.
CAEs also need to have good communication and interpersonal skills, Isquith says. “People in these new industries don’t tend to have much experience with internal audit or knowledge of what it does,” she notes. “You need to engage with them, tell them what you’re there for, and explain what internal audit can do and where you can help.”
Isquith adds that internal auditors also should be aware of some of the disadvantages that might surround a new industry — starting with finding and retaining staff. “Some people have conservative views about the cannabis industry, for example, and are put off by the fact that it is not legal nationally,” she explains. “You can therefore be working with people who lack industry experience or experience of working in a publicly listed company, which can make the job of internal audit and building a culture of compliance tough.”
Sharon Blanchette is a compliance audit director at mortgage servicing firm Cenlar FSB headquartered in Yardley, Pa. However, her previous roles involved providing banking and consulting services to fintech start-ups. Fintech is an industry that regulators say is renowned for developing products that are in danger of outpacing regulation and where compliance can come second to securing funding and gaining market share.
In her experience, Blanchette says disrupter companies, or companies with new business models, tend to have less developed risk frameworks than their traditional counterparts and may not have a clear delineation among the lines of The IIA’s Three Lines Model. Their internal audit function also is likely to be outsourced initially. As such, she says, the “credible challenge” responsibilities of the second and third lines might be “less developed.”
“In a sense, banks that provide services to these disrupter companies act like regulators,” Blanchette says. That is because banks must obtain specific information about a company’s policies, procedures, risk assessments, financials, business plan and strategy, management team, and approach to compliance and risk management.
“Banks ask for this information because the banks’ regulators ask them for it during examinations,” she explains. “I’ve seen onboarding questionnaires that run to 30 pages with up to 300 questions, and if a fintech or crypto firm skips some questions, they likely won't obtain a banking account.”
Blanchette says because regulation and industry oversight of sectors such as fintech and crypto are in their infancy, internal auditors may find it even harder to convince management that effective risk management and internal controls are necessary.
“Those in the second and third line can educate management on the importance of these disciplines,” she says. “Chief risk officers and CAEs may find they need to educate boards about the importance of internal audit and internal controls to get their support and buy-in, as well as get the resources necessary to do their jobs.”
Internal auditors working in new industries or in disruptive companies may find it a difficult and fast-moving environment in which to get themselves established. But the challenges can result in career-defining highs — building an audit function while being hands-on in an industry pioneering company surely stand out on any resume.
Sharon Blanchette, Jennifer Isquith, and Meridith Klein will be panelists at The IIA’s Emerging Business Models and the Role of Internal Audit rapid response webinar on July 20.