Business Trends
GRC Tuesdays: What is Internal Audit Focusing On?
If you read this blog and are part of an Internal Audit team, you will most likely have the answer to the question in the title.
But, if you simply collaborate with Internal Audit on an off-cycle – or maybe you work in audit but are interested in hearing about what other peers are focusing on, then this blog might just be right for you!
Since I am regularly asked by colleagues, customers or analysts about what is top of mind for many of the companies SAP works with in terms of Governance, Risk, and Compliance (GRC), I decided to summarize the feedback I have most often heard based on my discussions with audit teams across various geographies in these last few months.
Focus on (Emerging) Technologies for Own Usage
It won’t come as a surprise, as for many other departments, Internal Audit is asked to scale up and further support the business. Most often without additional resources thought.
As a result, I have seen most Internal Audit teams investigate how to best leverage technology to achieve the objectives that have been set for them.
![]() |
Analytics (including forensics) tools – especially for 3rd party compliance
Many audit teams have reported that they are asked to review 3rd party compliance – including in relations to anti-fraud. And one of the issues they report is the access to 3rd party information. Previously, they would select a number of suppliers, vendors, customers, etc. and review the contracts, the engagement and various communications individually, but this means a lot of manual work and maybe missing out, from the sample, 3rd parties that could pose a risk. As a result, many audit teams are investigating data classification, evaluation and examination tools that will help them get a full picture and apply detection patterns to 3rd party engagements. |
Cybersecurity analysis – both relating to code, configuration and user behaviour
There’s no hiding it, cyber-attacks have drastically increased year over year. As a matter of fact, we’re even hearing of “Ransomware as a Service” provided by expert cybercriminals to neophytes making it all the easier for novices to launch an attack that would cripple a company’s system. Internal Audit is therefore regularly asked to include IT Security as an integral part of all its audits. Internal Audit therefore has 2 options – and they are not exclusive of course: onboard Cyber experts, or ramp-up colleagues on these complex topics. To be able to scale up, many audit teams are therefore investigating a 3rd option: using cyber analysis tools that will “ingest” data and analyse it to be able to issue recommendations. This can range from deep-dive code review where the Cyber experts would then be involved to user behaviour where the auditor would act as an investigator to review patterns and decide whether there is indeed a cyber risk at play. |
![]() |
Focus on Soft Skills
![]() |
Promoting risk culture
At SAP, we have 5 principles on “How We Run”. One of them applies very well to what audit teams are trying to achieve here: Tell it like it is. I meet many teams that try to ensure that there is a risk aware culture within their organization. And this includes identifying emerging risks. But how can one achieve this if its employees are concerned that flagging potential issues could negatively impact them and their career? By telling it like it is, anyone in the 1st line is able to report risks, including breaches to compliance or operational issues. And auditors can then use this information to identity what could pose a problem for the organization and suggest adequate mitigation strategies. |
Identifying (internal) talents
Especially at times like now when borders are being shut making it difficult to recruit offshore talents, identifying talents withing the organization is of the utmost importance. And this includes Internal Audit as well! Audit is often asked to help companies adapt to business change – hence advise the business on digital business transformation and efficiency gains (including how to best use existing technology) and cash flow optimization but also supply chain resilience. This requires new talents to be added to the audit team and identifying internal talents is one of the keys to success. |
![]() |
![]() |
Sustainability
With less than a decade to meet United Nations’ 2030 Sustainable Development Goals, Sustainability is at the heart of many organizations. Most audit teams have been tasked with supporting companies to get on the right track by reviewing the programs and their progress of course, but more importantly, by highlighting best practices across the business that can be leveraged. |
Focus on New Risk Areas
I’m sure you expected it from this blog: there are also new(ish) risk areas that Internal Audit is increasingly turning its attention to:
Securing Remote Work
This is not a new topic I know, but this trend that started many years ago has been accelerated 10-fold with the continued health crisis and its impact on office restrictions. As a matter of fact, I had released a dedicated blog on the matter back in April last year: GRC Tuesdays: Securing Remote Working in the Digital Age. With continuously evolving threats to be solved for efficient and secure remote work, Internal Audit is fully supporting the 1st line in ensuring that this can scale up if and when needed. |
![]() |
![]() |
Data Protection and Privacy Regulations
I have also addressed this topic in a previous blog: GRC Tuesdays: Cybersecurity & Data Protection – Securing the Digital Economy As I am sure you know, data protection has become a key focus area for companies worldwide not only due to new regulations such as the General Data Protection Regulation (GDPR) in Europe, the California Privacy Act (CCPA) in the USA or Singapore’s Personal Data Protection Act (PDPA) as well as many others, but more importantly thanks to public attention – where consumers react very rapidly to data breach type incidents and do place a great level of importance on how companies use their data. Like many of their colleagues, auditors are therefore part of the critical chain to protect the “Digital Trust” – the tacit contract between an organization and its consumers, partners and employees to protect and secure their data and their privacy. |
More widely: Information Security
The simple fact that 5 of the top 10 risks that have been raised by Board and Executives in 2021 involve cybersecurity and data protection suffices to make this topic a no-brainer for any Internal Audit team. In addition, I think it’s fair to say that cyber attackers are no short of creativity when it comes to attack patterns. As a result, audit teams also need to be “creative” when reviewing the company’s policies and procedures to ensure it adequately protects its valuable IT assets and the wealth of information they hold. |
![]() |
What about you, what does your internal audit team focus on? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard