PWC’s Global Crisis Survey 2019 is cited by Peter Jones – CEO of the Institute of Internal Auditors in his IIA News blog from April 2020: “nearly seven out of 10 leaders (69 per cent) have experienced at least one corporate crisis in the last five years, and companies with over 5,000 employees are likely to have experienced more than five crises – an average of one a year”. Clearly, we are heading for a world where crisis management will be part of the usual business function.
What I also found key in this blog is Peter Jones’ conclusion: “as businesses adapt to the crisis, internal auditors have a critical role to play in advising management on emerging risks and the implications on internal controls”
What is clear is that the digital world is expanding at an unprecedented speed, and companies are facing challenging environments that change rapidly: health crisis like the one we are currently experiencing with COVID-19, but also changes in regulatory environments with stringent legislations being enforced, without forgetting changing competitive landscapes with new players entering previously untouched markets and quickly gaining market shares thanks to their ability of harnessing technology. Think of SpaceX for instance. Who would have thought even just 10 years ago that a private company could be a key player in an industry that so far required means that only governments could afford?
The New Role of Internal Audit
As we all understand, the role of Internal Audit is to provide independent assurance that an organization’s risk management, governance and internal control processes are operating effectively. But there is another facet to the role: Internal Audit has to act as trusted partner to the business. As a matter of fact, some of their findings will lead to business processes improvements. In short: Internal Audit is not only here to act as internal regulators so to say, it is here to identify best practices and detect early warning signals that could indicate the emergence of a threat for the organization.
And Internal Audit is uniquely positioned to do that since auditors see and review the organization in its entirety. Without geographical or functional silos!
Overcoming the Challenges
One of the challenges that Internal Audit faces though, is that some of the information is not readily located in a single shared drive, nor is it well structured or even referenced. I.e. there is no file called “Top Emerging Risks That No-One Ever Looked At.xlsx” or “Process Failures That We Prefer Remain Hidden.doc”. The latter would simply be opened to find all the answers but that would be too easy, right? Information is all over the place!
Looking at this issue with only a negative lens might discourage some. But what if I told you this challenge can actually be overcome with the use of technology?
Delivering Continuous Assurance Across the Enterprise
First of all, many organizations have now rolled-out centralized internal control solutions where controls and procedures are documented by the second line of defense and automatically sent to the users in the first line of defense. The same goes of course for risk assessments.
Being able to tap into these solutions helps Internal Audit to kill 3 digital birds with one digital stone:
- Review any control self-assessment of their choice. By applying the selection criteria of their choice (controls with the most issues, controls with highest ranked risks, etc.), Internal Audit can access any control result instantly – regardless of where in the world it has been performed. They can also compare the results with other business units to identify best practices and then not only raise a potential finding, but also already suggest an improvement to solve the issue;
- Go from scope to full audit. Instead of selecting a sample of data to test, auditors can have technology work for them and identify anomalies and raise them automatically to them. As for most departments, Internal Audit has limited resources. Being able to launch detection patterns and then focus on the areas that have raised most concerns will help this function focus its efforts on the danger zones;
- Act as the lighthouse for the business. By combining information from risk assessments, key risk indicators, control results, incidents and near-misses and many more, auditors will be able to flag those emerging risks that could threaten the organization. They could then, as mentioned by Peter Jones, suggest a new course of action to the business to mitigate these new risks and could by the same token suggest improvements to the existing business continuity plans and the internal control framework so that issues are caught earlier and, when a crisis occurs, that the organization is better prepared to face it.
The last area I wanted to highlight in this blog relates to collaboration.
I had a brief audit experience many years ago, and these were the days where one would go from site to site with a very heavy briefcase (or a trailer with paper boxes in the car more likely) and record everything on paper… Not the best to then find the needle in the haystack and even worse for collaboration between colleagues working on the same work program if you have ever seen my handwriting.
Where technology can also help Internal Audit is in information sharing and consolidation.
With access to the same digitalized work program, auditors can leverage the work of one another – especially the findings and test plans, to perform their audit mission. Should one auditor have performed a successful test plan, it can immediately be shared with colleagues to be applied on other audits.
The world then truly becomes a village as they say.
As business processes will continue to evolve, technology will have increasingly an impact in driving emerging business practices, helping organizations comply with constantly changing regulatory environments, and managing future potential disruptions.
The challenge for the Internal Audit function will be to assess effectiveness of internal controls that may be manually governed temporarily or permanently. With the right automation supporting Internal Audit, routines can be effectively automated, and efforts can be diverted to activities involving more of interpersonal collaboration and judgements. This will ensure a seamless flow of data and information across the Three Lines of Defense.
Would You Like To Hear More About The New Role of Internal Audit In the Virtual World?
If you are interested in hearing more about this directly from experts, I would recommend registering to the Redefining Internal Audit Practices in The Virtual World webinar delivered jointly by the Institute of Internal Auditors (IIA) India and SAP on April 30th.
During this event, Nikhel Kochhar – Chief Advisor IIA India will present the current challenges and the opportunity that it presents to redefine audit practices.
Experienced Internal Audit professionals from the industry will then share their perspectives and insights on this matter.
Finally, Rohit Jaipuria – Digital Transformation Office Finance and Risk practice, SAP Indian Subcontinent will illustrate how the right set of technology can help in effectively collaborating and executing the audit function.
You can register free of charge and the event will, of course, be recorded in case you can’t attend in person.
I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard
Note about the author:
Thomas is part of the Global Centre of Excellence for Finance and Risk solutions where he has a focus on Governance, Risk, and Compliance topics.
Prior to that, he was a Director in the Governance, Risk, and Compliance Solution Management team. His particular responsibility was with Risk Management but other functional areas of focus were in Internal Control & Compliance Management and Audit Management.
He is also a regular contributor on social media (Digitalist Magazine, GRC Tuesdays Blog, Twitter) and presenter at various SAP and non-SAP conferences on GRC matters