While CFOs and other leaders expect internal audit teams to be strategic, focusing more on the risks and issues of the future than only those of the past, just 28 percent of surveyed chief audit executives (CAEs) believe their functions have a strong impact and influence within their organisations.
Heading into 2018, it will therefore be important for CAEs to chart paths toward impacting and influencing their organisations. But to enhance their performance, value, and influence, internal audit groups need to be ready to address a number of high-impact issues with leadership in the year ahead.
In my view, four of the most pressing concerns for internal audit in 2018 will hinge around cybersecurity preparedness, contemporising internal audit amidst rapid business innovation, culture risk management, and new regulatory reporting compliance.
What should internal auditors be ready for in terms of managing cyber risk in 2018?
This is one of the most asked questions I encounter in my conversations with CAEs, other c-suite executives and boards. Regulatory bodies such as the Federal Financial Institutions Examination Council (FFIEC) and Office of the Comptroller of the Currency (OCC) are beginning to review organisations’ cyber auditing plans, underscoring the urgency in 2018 to periodically and rigorously audit cybersecurity risk management and governance capabilities.
Importantly, internal audit teams must understand that cybersecurity is not just about being prepared for a breach. Internal audit’s role is complex and constantly evolving because it’s impossible to fully eliminate cyber risk. However, there is a tendency among some internal audit teams to close the book on cyber readiness after completing just one attack and penetration audit or computer control exercise.
With the increasing diversity in types of cyberattacks, it’s more important than ever that internal audit teams develop a well-thought-out strategy that includes performing an IT and cyber risk assessment on their organisation to understand where the business falls on the maturity preparedness model. Cybersecurity risk assessment guidance, such as the framework recently established by the AICPA, can then help internal audit shed light on where more clarity is needed, such as stronger IT governance, a better crisis response plan for when an attack occurs, and even emerging cyber talent needs across the business.
Ultimately, internal audit needs to be ready to serve as the board’s cyber referee and be ready to throw a yellow flag out whenever weaknesses are identified during the periodic and ongoing cyber audit process.
Is internal audit contemporising its approaches to keep up with the broader organisation’s innovation and disruption efforts?
As businesses continue to push the bounds of disruption, internal audit must also adapt to anticipate stakeholders’ potential moves to new technologies, strategies, and business models so they can ready themselves and the organisation for those moves. However, the ability to stay ahead of the curve requires internal audit to contemporise its approach to audit and assurance.
The good news is that there are a number of new technologies and approaches in the market today to help companies become more efficient and effective in navigating disruption happening elsewhere in the business. In the year to come, internal audit can look to a range of emerging technologies and approaches – including robotic process automation (RPA), analytics, and Agile internal audit methodologies – to help produce more dynamic and automated risk assessments, supporting efforts as fundamental as Sarbanes-Oxley controls.
One approach that can be particularly effective in helping internal audit keep pace with the innovation happening across a business is the Agile internal audit method. Derived from Agile software principles, Agile methods foster rapid response to emerging issues, closer collaboration with stakeholders, faster delivery cycles, and streamlined reporting. Good candidates for Agile internal audit are areas with a need for more responsive and relevant reporting – such as high-stakes projects like IT installations or merger integrations – and where internal audit groups need to do more with less.
How prepared is internal audit to manage culture risk?
Regulators and boards are increasingly focusing on risk culture because culture drives behaviour: it largely determines decisions, conduct, and risk-taking within an organisation. However, many organisations continue to treat it as a compliance issue rather than as a driver of conduct and organisational performance.
As an internal audit matter, risk culture is a grey, soft and subjective area reliant upon non-traditional audit methodologies to monitor intangible drivers of risk. It is not a matter of reviewing risk-related policies and procedures; it is a matter of developing an understanding of people’s approach to managing risk as they do their jobs. Accordingly, a company’s management processes, behavioural norms, internal and external statements, and reward systems should be audited and aligned to promote the right risk-related decisions and risk management behaviours.
There are distinct ways that internal audit teams can approach auditing risk culture, and they must also determine whether it should be evaluated as part of their existing audits, or whether a separate culture audit is better suited to their organisations’ needs.
What should internal audit know about the business complying with new regulations and standards?
Internal audit teams are also increasingly being asked by leadership to weigh in with their assessments on new regulations and associated reporting requirements that could affect the business – and to provide their opinions on the business’s readiness to comply with those requirements, including clarity on accountability, responsibility, and level of preparedness.
This is critically important for 2018 given the number of high-stakes regulations and accounting standards going into effect over the next 12 months, including but not limited to new revenue recognition and lease accounting standards issued by the Financial Accounting Standards Board (FASB) and International Accounting Standards Board (IASB), as well as the European Union’s General Data Protection Regulation (GDPR).
Take the GDPR as an example: internal audit must be ready to evaluate the business’s awareness of the GDPR and understand what the risks are to the business, how ready it is to implement the regulation, and what the business’s governance model is in terms of roles and responsibilities. At the end of the day, boards and c-suite executives want assurance that there is a sufficient response mechanism in place for a GDPR failure or breach.
Of course, there are myriad other high-impact areas that internal audit teams will need to evaluate, including third-party risk management, integrated risk and sustainability assurance, strategic and emerging risk monitoring, strategic planning, and media audits.
While not every company will be impacted by the same issues in the next twelve months, it will be important for internal audit teams across industries to analyse which emerging risks could be the most impactful to their organisation and to ready themselves and the business to respond accordingly. In this way, internal auditors can work toward driving value, impact and influence in the year ahead.