Analytics (including forensics) tools – especially for 3^rd party compliance

Many audit teams have reported that they are asked to review 3^rd party compliance – including in relations to anti-fraud. And one of the issues they report is the access to 3^rd party information. Previously, they would select a number of suppliers, vendors, customers, etc. and review the contracts, the engagement and various communications individually, but this means a lot of manual work and maybe missing out, from the sample, 3^rd parties that could pose a risk. As a result, many audit teams are investigating data classification, evaluation and examination tools that will help them get a full picture and apply detection patterns to 3^rd party engagements.

Cybersecurity analysis – both relating to code, configuration and user behaviour

There’s no hiding it, cyber-attacks have drastically increased year over year. As a matter of fact, we’re even hearing of “Ransomware as a Service” provided by expert cybercriminals to neophytes making it all the easier for novices to launch an attack that would cripple a company’s system. Internal Audit is therefore regularly asked to include IT Security as an integral part of all its audits. Internal Audit therefore has 2 options – and they are not exclusive of course: onboard Cyber experts, or ramp-up colleagues on these complex topics. To be able to scale up, many audit teams are therefore investigating a 3^rd option: using cyber analysis tools that will “ingest” data and analyse it to be able to issue recommendations. This can range from deep-dive code review where the Cyber experts would then be involved to user behaviour where the auditor would act as an investigator to review patterns and decide whether there is indeed a cyber risk at play.

Promoting risk culture

At SAP, we have 5 principles on “How We Run”. One of them applies very well to what audit teams are trying to achieve here: Tell it like it is. I meet many teams that try to ensure that there is a risk aware culture within their organization. And this includes identifying emerging risks. But how can one achieve this if its employees are concerned that flagging potential issues could negatively impact them and their career? By telling it like it is, anyone in the 1^st line is able to report risks, including breaches to compliance or operational issues. And auditors can then use this information to identity what could pose a problem for the organization and suggest adequate mitigation strategies.

Identifying (internal) talents

Especially at times like now when borders are being shut making it difficult to recruit offshore talents, identifying talents withing the organization is of the utmost importance. And this includes Internal Audit as well!

Audit is often asked to help companies adapt to business change – hence advise the business on digital business transformation and efficiency gains (including how to best use existing technology) and cash flow optimization but also supply chain resilience. This requires new talents to be added to the audit team and identifying internal talents is one of the keys to success.

Sustainability

With less than a decade to meet United Nations’ 2030 Sustainable Development Goals, Sustainability is at the heart of many organizations. Most audit teams have been tasked with supporting companies to get on the right track by reviewing the programs and their progress of course, but more importantly, by highlighting best practices across the business that can be leveraged.

Securing Remote Work

This is not a new topic I know, but this trend that started many years ago has been accelerated 10-fold with the continued health crisis and its impact on office restrictions. As a matter of fact, I had released a dedicated blog on the matter back in April last year: GRC Tuesdays: Securing Remote Working in the Digital Age. With continuously evolving threats to be solved for efficient and secure remote work, Internal Audit is fully supporting the 1^st line in ensuring that this can scale up if and when needed.

Data Protection and Privacy Regulations

I have also addressed this topic in a previous blog: GRC Tuesdays: Cybersecurity & Data Protection – Securing the Digital Economy

As I am sure you know, data protection has become a key focus area for companies worldwide not only due to new regulations such as the General Data Protection Regulation (GDPR) in Europe, the California Privacy Act (CCPA) in the USA or Singapore’s Personal Data Protection Act (PDPA) as well as many others, but more importantly thanks to public attention – where consumers react very rapidly to data breach type incidents and do place a great level of importance on how companies use their data. Like many of their colleagues, auditors are therefore part of the critical chain to protect the “Digital Trust” – the tacit contract between an organization and its consumers, partners and employees to protect and secure their data and their privacy.

More widely: Information Security

The simple fact that 5 of the top 10 risks that have been raised by Board and Executives in 2021 involve cybersecurity and data protection suffices to make this topic a no-brainer for any Internal Audit team. In addition, I think it’s fair to say that cyber attackers are no short of creativity when it comes to attack patterns. As a result, audit teams also need to be “creative” when reviewing the company’s policies and procedures to ensure it adequately protects its valuable IT assets and the wealth of information they hold.