Many recent studies show that internal audit has not yet fully embraced digital transformation and is therefore not making use of the full potential of analytics. In this blog post, I’d like to offer my thoughts about the potential benefits for internal audit on leveraging enterprise-wide risk management and compliance platforms. These go under different names, but in essence, I am referring to these software tools that capture risk and controls information, including key indicators, and reflect them together side-by-side rather than in separate silos.
By reviewing the business, operational, and strategic risks associated with the company’s objectives, and by comparing the residual risk level against the documented risk appetite, internal audit can focus its attention on what matters the most for the business.
Even if the risk levels aren’t critical, if internal audit can focus on the risks that would seriously endanger important objectives, then it no longer has to be considered a super firefighter. Instead, it can serve as a true business partner with the very same purpose as all business owners: making the company run better and sustainably.
In this approach, internal audit becomes more proactive, but only with the support of complete risk and control profiles can it really achieve this objective.
Now, what can happen when internal audit unleashes the full power of governance, risk, and compliance (GRC) integration and of data analytics?
The icing on the cake: preventative auditing
“Preventative” is a term more familiar to those who have worked in asset-intensive companies where “preventative maintenance” – mending a machine before a failure is even detected – is the ultimate goal. That’s not just because the cost of doing so is less than a full-blown repair, but also because it prevents unplanned shutdowns.
I believe this concept can be applied to auditing to prevent business disruptions. In this case, it isn’t linked to a deficient asset, but to a deficient process or a negative context.
Internal audit could, in my opinion, focus as much on key risk indicators as it does on risk levels. Indeed, internal auditors are extremely knowledgeable about the business and the context in which the organization operates. They can detect that key risk indicators are demonstrating signs of a “pattern of failure.”
Risk indicators taken in isolation might not make it easy to detect what this means for the organization. But consolidated and aggregated at the department, business unit, or even company level, it could signal clear and existing danger.
Using all the information available in risk and control solutions, along with its own knowledge of the business, puts internal audit in a perfect position to help the organization navigate to less troubled waters. It would also put internal audit in the role that I personally believe it deserves: true strategic partner.
Do auditors in your company already leverage the wealth of risk and control information to plan their next audits? If not, are there any plans to do so in the near future?
Learn more about how to digitize your business processes; read the in-depth report Unlock Your Digital Super Powers.