Increased focus on organizational culture and technology will help internal auditors rise to the level of trusted advisors in their companies, according to a new report from the Institute of Internal Auditors (IIA).
“While the profession is making clear strides, there remain opportunities for improvement as internal auditors work to more comprehensively address technology risks associated with cybersecurity and big data, as well as the risks associated with culture,” IIA President and CEO Richard Chambers said in a prepared statement.
But the report, Global Perspectives and Insights: Emerging Trends, makes clear that it won’t be easy. The majority (68 percent) of internal audit practitioners who responded to an IIA survey said their staffing level isn’t increasing, and more than half (56 percent) said neither is their budget. And 74 percent of chief audit executives (CAEs) said they aren’t responsible for other functions.
“Continuing the evolution from an arguably antiquated focus on accounting controls to true enterprise-wide risk-based auditing has been a major leap forward for the profession,” the report states. “As well, the next maturation of the profession has been CAEs making strides to ensure an alignment of internal audit’s plan with the organization’s strategic priorities, and providing insights on the ability (or inability) of an organization to successfully achieve its strategic objectives.”
But that’s not enough, the report states. Internal audit needs to be considered the company’s trusted advisor to be truly effective.
“Yet, in many cases, internal audit is still asking to gain the coveted ‘seat at the table’ (if it gets one at all) – the place where the most pressing organizational issues are being discussed and executive decisions are being made,” the report states. “In turn, a true trusted advisor gets the seat at the table by virtue of the value everyone accepts as a given. They don’t ask to be involved – they get invited.”
So, let’s take a deeper look at the two emerging issues included in the report: culture and technology.
While most survey respondents said they don’t audit corporate culture, “evidence is beginning to suggest that internal audit is becoming more acutely aware of culture issues as an underlying potential cause of long-term harm to organizations,” the report states.
What’s considered in auditing culture? At the top of the list are compliance issues, followed by human resources practices, alignment of organization behavior with core values, culture-related training, stakeholder satisfaction, and hotline/help line/speak-up arrangements.
The top three departments that internal audit would work with in assessing culture are human resources, risk management, and compliance.
Too few internal audit departments are involved in auditing technology risks associated with cybersecurity and big data, the report states.
“The challenge will be for internal audit to ensure it has access to the skills, knowledge, resources, and tools in an ever-changing and dynamic risk environment,” the report states. “Leveraging co-sourcing arrangements by bringing in the appropriate subject-matter expertise may prove to be imperative to many internal audit functions going forward.”
In short, internal audit has to up its IT geek quotient. Indeed, when asked why they don’t audit big data, more than half (61 percent) of survey respondents said they lacked the tools to do it, while almost half (46 percent) said they lacked the skills and know-how.
For those internal auditors who do audit big data, most assess the controls over its availability and security. That’s followed by assessing the risks involved with its use, its accuracy and validity, and its value to the organization.
As for cybersecurity, there’s no question that auditors are keenly aware of its importance. The majority (74 percent) of respondents said it’s a high-risk element in organizations, and 63 percent said the CAE or head of internal audit raised the issue during annual audit planning.
But only 27 percent of respondents said they were on a team to provide guidance on cybersecurity performance and implementation plans.
And that goes back to the lack of IT know-how. Because to actually audit cybersecurity, internal audit has to look at controls for how online systems store and process data, the business continuity plan, risk assessment process and prevention measures, and incident response and crisis management plans.