Five risk hot spots: the challenge and opportunity for internal auditors
Digitisation is at the top of internal audit's agenda, but what other risks are at the forefront of chief audit executives’ minds and what can they do about them, asks Ian Beale.
Over the past five years, the risks that companies face have changed and evolved rapidly. While few risks are considered “easy” to manage, chief audit executives (CAEs) are now confronted with risks that are more complex and interconnected than ever before. This may be why three of the five top risks that CAEs are including on their audit plans this year relate to digitisation and the rapid proliferation of technology. However, the implications affect the entire organisation and so can be addressed only through coordinated remediation efforts.
Five hot spots
- Technological vulnerabilities. To achieve growth in an increasingly digitised economy, organisations are developing new technologies and finding different ways to leverage existing ones. However, the pace of development often means upgrades are made without considering the impact on security.
Organisations seek the benefits of integrating all their technology assets – including valuable operational technologies that detect or control physical devices, processes and events in the enterprise – but they risk revealing significant technological vulnerabilities that can be targeted by cyber attackers. Internal audit needs to review the organisation’s IT systems and software and application governance to ensure that roles and responsibilities for managing security are clearly defined and meet required standards.
- Data privacy. As the strategic value and volume of data collected by organisations increase, companies face increased pressure from regulators and customers to ensure adequate protection of confidential information. However, nearly half of data privacy functions do not believe their organisation is adequately managing its data.
As new regulations come into force, technology produces more data that needs to be managed and competitive pressures mount, public scrutiny on data privacy will only increase. Audit teams should review the requirements associated with new regulations to ensure their organisation is effectively meeting its obligations. They should also evaluate how personally identifiable information is used throughout the organisation to certify that all vulnerabilities are accounted for and adequately protected.
- External threats. External attacks on organisations are appearing with increasing speed and becoming more sophisticated, and the motivations behind such attacks are becoming more diverse. Reliance on emerging technologies – such as the Internet of Things and cloud services – to strengthen a company’s defence actually intensifies these threats by creating new vulnerabilities and entry points. Failing to respond to these threats effectively damages customer confidence, brand reputation and the organisation’s ability to execute strategic goals.
Internal audit needs to ensure that IT security teams have comprehensive systems in place to track cyber threats. It is also critical that they ensure the board and senior management are adequately informed of external cyber threats and maintain sufficient investment in risk mitigation efforts.
- Pace of innovation. Rapid digitisation has increased pressure on organisations to innovate their products and business models in order to remain competitive. However, rigid silos, misallocation of research and development budgets and organisations’ efforts to become lean severely restrict their ability to innovate. At the same time, digitisation is making it cheaper and easier for rivals to develop and replicate ideas and products, which has increased the threat of new competitors entering the marketplace.
Internal audit can play an important role in ensuring that innovation projects are successfully managed and that project reviews account for competitive threats and new technology. Internal auditors should ensure that competitive intelligence efforts throughout the organisation are mapped and used as inputs for innovation and digitisation decisions as well as for budgeting decisions regarding research and development and capital expenditure.
- Change fatigue. The number of change events that the average employee experiences today has increased more than 70 per cent since 2011. The frequency and volume of organisational change – which executives believe will only accelerate – are causing widespread change fatigue in many workforces. If employees are already working to their maximum capacity, change fatigue can mean that productivity decreases, putting strategies at risk.
Internal audit needs to work with management to ensure the organisation has processes and procedures in place to identify and manage change fatigue, both during and after strategic change initiatives. This should include all aspects of change initiatives, whether externally or internally driven, and cover the full life cycle, from project formulation to rollout and beyond.
The challenge and opportunity for internal audit
These wide-ranging risks make it far more difficult for CAEs to provide comprehensive assurance to the board. However, they also present a great opportunity for internal audit teams to use their unique holistic view of the organisation and evidence-based guidance to spot risks earlier and find systemic risk trends that help to fulfil their mandate.