Internal audit executives and risk managers have a new report from Protiviti to consider, one that might help you better understand how well your team is — or is not — transforming itself to stay current with next generation of risks swirling around large corporations today.
The 2019 Internal Audit Capabilities and Needs Survey polled more than 1,100 audit executives about how much they’re embracing new technologies so they can sharpen their risk assessment capabilities. That might sound arcane, but actually it’s crucial. As business operating units keep racing ahead with digital transformation, boards are freaked out that their risk management approaches aren’t keeping pace.
So audit functions either need to transform along with the rest of the business and demonstrate their value to the board — or they’ll end up demonstrating that they don’t add value. We all know what happens to those audit functions come budget season.
The Protiviti survey reached four major conclusions, shown below. Let’s take each one in turn.
First is the news that 3 out of 4 audit functions say they are innovating or transforming somehow. That’s welcome news in theory, but it still means that 1 out of 4 are not innovating. Nor do we know exactly how much innovation those first three audit are undertaking. Protiviti did devise a “Digital Maturity Scale,” shown below —
— but the vast majority of survey respondents are almost equally allocated among digital beginner, digital follower, and digital expert. That doesn’t really tell us much.
Then again, the second point finds that audit’s adoption of next-generation technology is still in early stages. If that’s the case, then suddenly our first statistic above looks less rosy; maybe those 3 out of 4 audit functions are innovating, but are still stuck closer to the beginning of the maturity curve than the end of it.
The Audit Disconnect
More troubling is the third point, that most audit committees aren’t that interested in the audit function’s innovation and transformation efforts. Deeper into the report are the actual numbers: 47 percent of respondents said their audit committees aren’t at all interested, and another 27 percent said interest is only middling at best. That’s a total of 74 percent who believe their audit committees are a big “meh” on this issue.
That’s alarming, because Protiviti also published a survey in December that asked boards and senior executives about their top concerns — and the threat of disruption from more nimble digital competitors topped the list.
These two findings, taken together, don’t compute.
If we have boards sitting around paranoid about digital transformation, cybersecurity, inability to use data analytics, and the rise of disruptive technologies; and we also have audit executives who believe their boards aren’t terribly interested in how the audit function is transforming to keep pace with exactly those challenges — something is off.
After all, the nature of risk to organizations is changing. Digital transformation does improve efficiency and agility, but it also embeds more risk into ongoing processes. Boards are going to need better risk assurance, something more akin to continuous risk monitoring. Internal audit provides risk assurance, so internal audit’s capabilities will need to evolve too, toward that agile risk assessment and continuous risk monitoring.
It may well be that some board directors don’t grasp that connection, between audit’s transformation and their own swiftly tilting landscape of risk. In that case, perhaps the chief audit executive needs to talk more plainly, or even more urgently, with the audit committee about what your function is doing to innovate, and why that matters.
Because getting this innovation in risk assessment right matters more and more every day. Soon enough, it’s going to matter a lot.