Internal Audit Survey-Palooza
Spring is the season for surveys about the internal audit world, so today we have three recent studies to help audit and compliance executives understand the concerns driving that particular function right now.
No surprise: those concerns are data and technology, all the way down.
First we have PwC’s 2018 State of Internal Audit report, published last week. Polling more than 2,500 audit executives, CFOs, and board directors, PwC identified eight emerging technologies that will transform business operations in the next decade or so: everything from blockchain to artificial intelligence to 3-D printing to the Internet of Things.
New technologies and operations, of course, bring new business risk. So the rest of the report dives into how internal audit will need to work more closely with operating units to address those new risks, and into the changes in audit technology that internal audit departments themselves will need if they want to fulfill that mission.
Second is Protiviti’s latest IT Audit Benchmarking Survey, released on Tuesday. This one polled 1,300 audit executives specifically about the IT audit function. That’s the team that examines the systems a company has to manage and guard its information — and as one might surmise from cybersecurity headlines these days, IT audit is becoming ever more important to companies of every size and industry.
One of the most notable details in the Protiviti report is simply the number of organizations that now have an IT audit function: roughly 50 percent, up from 30 percent five years ago. That’s testament to growing awareness of the need to get technology and data governance right, since technology and data are permeating every operations process an organization has. Granted, most companies still only bring IT audit into a technology project after implementation, rather than during planning or design phases — but hey, it’s progress.
Third is the Institute of Internal Auditors’ latest Pulse Survey, released last month at the IIA’s General Audit Management conference. (Disclosure: I sometimes do paid work writing editorial material for the IIA; I did not write this report.) The IIA report delved into ideas such as “the agile audit function” and innovation that audit leaders should embrace to meet the risk management challenges rapidly coming your way.
Cynics might dismiss agility and innovation as cliche buzzwords, but they raise a good point here: audit executives want to be more responsive (two-thirds of the IIA respondents said they consider agility important), even if they struggle to be agile (only 45 percent said they were). The goal on the horizon is fairly clear; the path forward from where we are to the horizon is what’s tricky.
Key Themes in Internal Audit Today
First, responding to business risks means more engagement between audit and the business operating units. That’s new. For the last 15 years, internal audit spent much of its time performing financial audits or helping the company manage Sarbanes-Oxley compliance. The job was about collecting financial data and testing internal controls over financial reporting — or, just as likely, building internal controls over financial reporting because your company didn’t have effective ICFR.
Companies with mature SOX compliance functions can now move on to more complex challenges, and the modern business landscape has no shortage of them. The more technology transforms business processes, the more important it will be to govern those processes well since sloppy processes could lead to data breaches, intellectual property theft, fraud, operational disruption, or lord knows what else. Which brings us to our next point…
This will all be about data analytics. The upside to technology taking over every business process we can find is that you can extract data from the process to see how it’s running. Then you analyze the data to determine how much the process is, or is not, operating according to the controls or risk tolerances your organization already has. The challenge for internal audit and operations executives will be to identify the right issues to analyze: the ones that bring the most benefit to the organization and its strategic objectives.
For example, many retail organizations monitor their call centers to study the average time customer service reps spend on the phone with unhappy customers. A wiser approach would be to study average call time and what subjects the customers are complaining about. You might then discover that customers want more time because the product is too complicated for them to understand; or they’re using it in some way you didn’t expect; or lord knows what else. The point is that a more sophisticated approach could uncover new insights about product development. That could lead to all sorts of long-term benefits for the company.
We’ve explored this idea before on a subject dear to compliance managers’ hearts, too: hotline metrics. Tracking the single statistic of calls or emails to the hotline is nearly useless. Identify the right metrics to study about those calls, however — like metrics about retaliation — and suddenly the hotline can give insights about corporate culture and training effectiveness.
The People Question
Is it internal audit’s job to devise new strategies for product development or whistleblower hotlines? No. But it will be your job to help those managers in the first or second lines of defense to improve their processes. The ability to extract and analyze data will be critical.
That brings us to the last theme of all these reports: audit leaders are struggling to find the talent to pull off all these ideas. I know chief audit executives at hospitals who recruit nurses, CAEs at banks who prowl the call centers for customer service reps. They know the operational ins and outs of whatever business process is in your analytics crosshairs.
We still need the IT and analytics expertise, too — and so does everyone else. Maybe you’re contracting with outsiders; maybe you’re wooing the IT function; maybe you’ve charmed the CFO and audit committee to give you enough budget for your own IT audit or analytics team. More likely, you’re fighting for good data analytics talent and tiptoeing slowly into the analytics projects we outlined above, because the manpower just isn’t there yet.