Strengthening Internal Audit's Influence and Impact

Author: Lisa R. Young, CISA, CISM, CISSP, Security Metrics Engineer, Netflix
Date Published: 9 January 2019

Boards, audit committees, senior executives, risk managers and the business need internal audit’s best efforts in today’s environment of ongoing disruption and increasing risk. These stakeholders also need internal audit’s objective, enterprisewide perspective and its rigorous observational and analytical skills in more areas than ever. If characteristics such as “innovative,” “efficient” or “creates business value” are not among the first thoughts that come to mind when you hear the words “audit” or “internal auditor,” here are some tips that may help to change that perspective.

The key to increasing internal audit’s impact, influence and value is not to do more, but to do more of the right things and to do them well. The right things relate to the risk and challenges that are most important to internal audit’s stakeholders. Here are some considerations to increase your audit team’s ability to provide value, motivate change and inspire efficiency:

  • Define your audit services in a compelling manner—How are you currently describing or defining your audit services and your internal audit team? If you are using something similar to this narrative: “We are an independent, objective assurance and consulting activity designed to add value and improve an organization's operations,” or “We provide overall assurance on the effectiveness of internal controls and risk management,” you may want instead to try something such as:
    • We improve operations and look for more effective ways of working.
    • We help protect assets and corporate brands.
    • We give advice to chief executive officers (CEOs), chief operations officers (COOs), chief information security officers (CISOs), chief information officers (CIOs) and other senior leaders to enable better decision-making.
    • We thwart nefarious fraudsters.
    • We act as change agents for the organization. Yes, change agents. We really do have interesting jobs and there is not much in an enterprise that we do not review, evaluate, investigate or otherwise touch at one point or another.
  • Align internal audit priorities with organizational strategic priorities—How are you supporting the organization to move forward and innovate? Think about what types of advisory services in cyber, risk and new technologies you can provide to support the enterprise strategy. Your impact is tied directly to your ability to influence. Effective influence begins by building a base of credibility. New technologies such as blockchain, machine learning and artificial intelligence (AI) are starting to support or replace certain decisions rather than just replace human effort the way earlier automation has. That factor introduces a new realm of opportunity—but also risk—and the need for thinking differently about controls. To adapt, internal audit departments must shift their underlying methodologies to more ongoing, continuous or real-time modes of audit that require a deeper understanding of the business and operations. If your organization is an “order to cash” type of environment, it would be good to understand the critical end-to-end processes of each step of the delivery of a service or product.
  • Assess the scope and breadth of the current risk assessment or risk and control self-assessment (RCSA) process—A first step in this consideration is to understand whether the organization’s risk assessment process is holistic and provides management with a thorough understanding of the risk landscape in which the enterprise operates. Remember that cyberthreats do not respect organizational boundaries. Most business leaders would agree that preventing a realized risk is better than dealing with the impact after the fact. If the current risk assessments are done at an asset or business unit level, but are not done holistically, consider the broader risk landscape and external environment; there may be an opportunity for audit to help change this view.
  • Assess the organization’s operational fitness in relation to its enterprise strategy—Does your internal audit shop perform operational improvement assessments that are not audits?
    • If your organization is a technology business, invest in skills needed to assess the particular type of technology and make sure that the intellectual property (IP) of the organization is protected in contracts, by escrow, etc.
    • If your organization is a service business, look into processes that can be improved for efficiency and cost reductions (e.g., hospitality and healthcare).
    • If your organization is a knowledge worker organization, look for manual processes that can be automated or productized into a standard repeatable process. Having a template (and possibly a set of technology control boundaries) to guide manual data input serves as a quality control element to reduce errors and save time.
    • If there is heavy investment in physical or tangible assets (e.g., healthcare, energy, automotive, manufacturing, shipping), perform a stress test on the current property and casualty insurance or other risk transfer portfolio against the potential cyberloss exposure scenarios.
    • If privacy is a chief concern, compare the privacy policy published on the customer-facing website against the actual security practices that are in place to ensure customer privacy.
  • Assess the internal audit staff skillsets—Determine what skills your employees need and how you are going to deliver that training or understanding. Look beyond technology itself. Yes, some employees might need training in data analytics and coding, but they also need to learn design thinking, empathy maps to better understand customers or users, and how to turn data into business insights. Does your team have the skills to extract the data needed from the operational and financial systems that underpin the organization, e.g., the enterprise resource planning (ERP) or governance, risk, and compliance (GRC) systems? Demonstrating these skills increases the demand function for internal audit’s services, which strengthens influence in the long run.

There are no quick fixes or easy buttons when it comes to changing people’s perception of internal audit, but there are opportunities, techniques and solutions that should be considered to make a difference.

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.