For internal audit leaders, the new normal is to expect nothing to be normal. Transformation, especially as a result of technology, is inevitable.
That’s the state of affairs based on a spate of new intelligence emerging from the annual General Audit Management conference of the Institute of Internal Auditors. The IIA’s “pulse of the profession” study calls on internal auditors to transform their operations to remain relevant to stakeholders and improve their responses to constantly evolving business disruption.
According to the IIA’s survey of more than 600 chief audit executives, directors, and senior managers, two-thirds regard agility and adaptability to change as important to the profession, yet less than half consider their departments to be highly agile. Less than half say they are fully or partially prepared to anticipate and react to disruption.
Audit leaders see some big obstacles to agility, like inadequate resources, organizational complexity, and “overly traditional” expectations of the internal audit function on the part of executive management. Yet, the survey group doesn’t give itself particularly strong marks on innovation activities that might improve agility, says Jim Pelletier, vice president at the IIA.
Only 13 percent strongly agree, for example, that their internal audit functions quickly adapt to new technologies or processes. Only 32 percent strongly agree that their particular department challenges the status quo, and only 36 percent strongly agree that they seek new ways to gather audit evidence. “We’re talking a lot about innovation and agility,” says Pelletier. “It’s an internal audit transformation imperative. There are growing expectations of the internal audit function, so it’s an opportunity for internal audit to play a more critical role in the organization in support of the board.”
PwC’s annual “state of internal audit” study calls on internal auditors to get more comfortable with technology—both understanding how it produces risk for the entity and how internal auditors can better leverage it to identify and help mitigate those risks. The firm’s poll of more than 2,500 audit professionals and audit stakeholders indicates a good number recognize emerging technologies that will be key to their operations in the future but haven’t adopted them yet.
“We as humans tend to rely on the status quo, but people need to become comfortable at being uncomfortable. We have to innovate, identify problems, and solve problems.”
Brian Christensen, EVP, Protiviti
One-fourth, for example, believe robotics will have a significant impact on the organization over the next three years, but only 2 percent of internal audit functions are using robotics, and 20 percent plan to adopt the technology in the next few years. In addition to robotics, PwC identifies seven other categories of technology that deserve more attention from internal auditors in the near future, including drones, three-dimensional printing, artificial intelligence, blockchain, virtual reality, augmented reality, and the internet of things.
Innovation is a reality in most companies today, says Lauren Massey, a partner in risk assurance at PwC, and velocity of change and innovation only compound the imperative. The study identifies internal audit functions that are most advanced in their journey toward adopting new technologies as those that are also most valued by their stakeholders.
Meanwhile, Crowe Horwath and the Internal Audit Foundation focused their recent poll on cyber-security and the extent to which internal auditors are keeping pace with the demands. The report describes cyber-security as one of the most significant risks facing business today.
Gauging internal audit engagement on cyber-risks, the survey found 78 percent of internal auditors have visibility into the organization’s information security plan looking one to three years out, and two-thirds are part of a formal information security steering committee. More than half of internal audit teams, however, do not have adequate access to information security assessment results and incident-related information.
The results also suggest that it may stem from a lack of connection with information security and information technology functions in organizations. The data showed internal auditors have stronger relationships with compliance and risk management offices, but not as much of a working relationship with information security or IT staff.
Analytics in auditing is a game changer
Protiviti asked respondents to its “Internal Audit Capabilities and Needs Survey” to rate on a scale of 1 to 10 (10 a high level of value and 1 little or no value) the level of value that their internal audit department receives from utilizing data analytics as part of the audit process.
Top 8 audit plan priorities for 2018:
Fraud risk management
Vendor/third-party risk management
Enterprise risk management
New revenue recognition standard
Agile risk and compliance
Auditing corporate culture
Chris Wilkinson, a principal at Crowe Horwath and co-author of the white paper, says survey results also suggest internal audit functions have made strides in helping organizations build up controls designed to prevent cyber-breaches, but have made less progress with detective controls and even less in incident response. “As internal audit professionals, we need to focus on all three,” he says. “They all play an important part in the overall cyber-security posture of the organization.”
Internal audit teams have been increasing their capabilities internally to deal with cyber-risks, says Wilkinson. But finding internal audit talent, especially in the technology areas, has been an ongoing challenge for chief audit executives. The data suggests one way audit leaders can leverage talent internally is by working on relationship building with the IT and information security functions, he says. “Building more collaborative relationships is absolutely essential to this process,” he says.
Data analytics, another technology hot button, also garnered significant attention in this year’s crop of internal audit studies. Protiviti’s newest annual study says internal audit is making some inroads in adopting advanced analytics technologies, but the overall maturity level is considered low. The firm says its results suggest many audit functions are likely using analytics tools as “point solutions” rather than as part of a broader initiative to leverage the technology throughout the audit process.
Brian Christensen, executive vice president at Protiviti, says he sees firsthand the need for internal auditors to advance along the technology curve. Based in the Phoenix area, he’s a witness to self-driving cars in his own neighborhood, the risks of which became obvious enough after a recent pedestrian fatality involving a driverless car. “This is what’s happening,” he says. “This is the pace of change.”
Auditors are under increasing pressure to provide actionable insight to boards of directors and executive management, which suggests a need for faster audit outcomes, or even continuous auditing, says Christensen. “The high-level results say we’re not moving fast enough,” he says. “The pace of change in the internal audit function is not meeting the expectations. That’s provocative.”
Finding and leveraging talent remains a big obstacle, Christensen acknowledges, which makes it a high priority for audit leaders. “That’s the call to action that’s challenging our profession,” he says. “We as humans tend to rely on the status quo, but people need to become comfortable at being uncomfortable. We have to innovate, identify problems, and solve problems.”
A new book by Grant Thornton and the Internal Audit Foundation tackles the challenges of data analytics in even greater depth. The very title promises to provide a roadmap to help internal auditors expand their capabilities in analytics, exploring how to harness the technology to address risks and controls.
Meredith Murphy, a director at Grant Thornton and co-author of the book, says this particular survey found more than 90 percent of internal auditors agreeing on the value of data analytics, yet less than 40 percent actually leveraging analytics. As such, the book puts some emphasis on how internal auditors can build the case internally for increased uptake in organizations, whatever the obstacles or barriers audit leaders might face.
“The most critical component to drive analytics success is people,” says Murphy. “Data holds insight, but it’s people that ensure the data generates value.” The book tells audit executives it’s up to them to understand the stakes and forge the path forward.