17 June, 2021
As more and more organisations undergo digital transformations, Internal Audit (IA) should not be left behind. In fact, it can’t afford to.
The answer? You need to modernise your company’s IA function to align with your other risk functions. This is essential when it comes to implementing digital tools and boosting your IA team’s technology acumen.
There is work to be done. In a survey of auditors conducted by PwC at The Institute of Internal Auditors General Audit Management conference in early March, only half reported that their organisation has pilot-tested analytics and visualisation tools to reduce manual testing in certain parts of the audit life cycle.
Many IA teams have yet to integrate technologies throughout the audit life cycle. This is an ideal way to enhance the IA function’s ability to provide the assurance that stakeholders require and the insights that can help inform business strategy.
Which of the following options best describes IA’s experience of implementing continuous monitoring techniques?
Internal audit functions are modernising their processes and integrating technology tools and techniques. They are motivated to do this so they can enhance their ability to identify risk and fine-tune the scope of the audit. This is being driven by an ever-changing regulatory environment and stakeholder expectations, as well as the unpredictable economic climate and the need to deliver greater value to the business.
IA should be looking to move away from a reactive, control-centric approach. Various tech tools can help proactively identify risks and manage the company’s risk exposure. Greater collaboration between the first and second lines will certainly help here.
Making the move to an integrated risk framework with shared risk models in coordination with other lines to provide insights and near real-time audit requires the company as a whole to have robust analytics capabilities, a common risk taxonomy and alignment with the Chief Risk Officer (CRO) and other compliance functions.
The events of the past year have taught business leaders that identifying risk earlier is key to turning risk into opportunities and allowing for timely focus on risk mitigation strategies. Advanced analytics and automation can allow IA teams to tackle time-consuming data collection tasks. It allows them to take on a broader array of activities with a higher level of precision and provide greater risk coverage.
While many organisations are already using analytics in fieldwork and helping select samples, most IA functions have yet to truly change the way they audit or assess risk. According to the auditors we surveyed, the two biggest challenges to adopting a data-driven risk assessment and audit approach were a lack of data and technology, and the ability to upskill existing employees.
Overcoming these challenges requires organisations to evolve both strategically and operationally by:
It’s important to thoroughly assess your organisation’s risks and rank them in order of importance. That way you can dedicate technology and resources to mitigating risks that could have a greater impact on your operations. Regardless of how far along an organisation’s transformation has progressed, they should take a proactive risk focus. By embedding a continuous risk-sensing process across all three lines of defence or even just the most critical risks can help accelerate your transformation.
Organisations have spent the past few years investing in data analytics and other technology platforms. But they have often failed to expand the use of those capabilities across functions. IA can interrupt this trend by identifying and taking advantage of common sources of data, tools, infrastructure and analysis capabilities across the three lines of defence. For instance, IA can leverage data sources and key risk indicators identified by the cybersecurity function to help enhance risk monitoring activities in that space.
In the digital age, not all auditors must be data scientists. You can start to digitally upskill your IA staff by hosting learning sessions on the skills that need a deeper understanding. The next-gen auditor should have deep auditing skills, industry and regulatory knowledge, and a basic understanding of data sources and data quality. Auditors should be given the opportunity to develop skills around cybersecurity, cloud computing and automations. Embrace a culture of digital learning, explain to your people why you are all going on this journey together, and recognise that upskilling a large, global organisation will take time.
Identify risks proactively through the use of data and scope audits to find ways to pinpoint risk or eliminate traditional audit procedures. Think about moving toward continuous risk monitoring and shifting resources to the risks that matter most. Unlock value for all stakeholders by using data, knowledge of process and discussions with management to drive insights.
Transformation takes time. Collaboration across the three lines of defence should be guided by a formal plan that can help your team successfully integrate new tools and processes into business as usual. The world of business is constantly changing. IA should change along with it. The time is now for IA to start its modernisation journey.
As you develop your digitalisation strategy and continue to integrate technology in your business, we are ready to talk to you about how to transform your IA function. Contact us today.