Part 16 in the “Controls and Risk Management” series
PWC’s Global Crisis Survey 2019 is cited by Peter Jones, CEO of the Institute of Internal Auditors, in his IIA News blog from April 2020: “Nearly seven out of 10 leaders (69 percent) have experienced at least one corporate crisis in the last five years, and companies with over 5,000 employees are likely to have experienced more than five crises – an average of one a year.” Clearly, we are heading for a world where crisis management will be part of the usual business function.
What I also found key in this blog is Peter Jones’ conclusion: “As businesses adapt to the crisis, internal auditors have a critical role to play in advising management on emerging risks and the implications on internal controls.”
What is clear is that the digital world is expanding at unprecedented speed, and companies are facing challenging environments that change rapidly: public health crises like the one we are currently experiencing, but also changes in regulatory environments with stringent legislation being enforced. Don’t forget changing competitive landscapes with new players entering previously untouched markets and quickly gaining market share, thanks to their ability to harness technology. Think of SpaceX, for instance. Who would have thought even 10 years ago that a private company could be a key player in an industry that required things that only governments could afford?
The new role of internal audit
As we all understand, the role of internal audit is to provide independent assurance that an organization’s risk management, governance, and internal control processes are operating effectively. But there is another facet to the role: internal audit has to act as a trusted partner to the business. As a matter of fact, some of their findings will lead to business processes improvements. In short: internal audit is not only here to act as internal regulators, so to say; they are here to identify best practices and detect early warning signals that could indicate the emergence of a threat for the organization.
And internal audit is uniquely positioned to do that since auditors see and review the organization in its entirety, without geographical or functional silos!
Overcoming the challenges
One of the challenges that internal audit faces, though, is that some of the information is not readily located in a single shared drive, nor is it well structured or even referenced. That is, there is no file called “Top Emerging Risks That No One Ever Looked At.xlsx” or “Process Failures That We Prefer Remain Hidden.doc.” The latter would simply be opened to find all the answers, but that would be too easy, right? Information is all over the place!
Looking at this issue with only a negative lens might discourage some. But what if I told you this challenge can actually be overcome with the use of technology?
Delivering continuous assurance across the enterprise
First, many organizations have now rolled out centralized internal-control solutions where controls and procedures are documented by the second line of defense and automatically sent to the users in the first line of defense. The same goes, of course, for risk assessments.
Being able to tap into these solutions helps internal audit kill three digital birds with one digital stone:
- Review any control self-assessment of their choice. By applying the selection criteria of their choice (controls with the most issues, controls with the highest-ranked risks, etc.), internal audit can access any control result instantly – regardless of where in the world it has been performed. They can also compare the results with other business units to identify best practices and then not only raise a potential finding but also already suggest an improvement to solve the issue.
- Go from scope to full audit. Instead of selecting a sample of data to test, auditors can have technology work for them and identify anomalies and raise them automatically. As with most departments, internal audit has limited resources. Being able to launch detection patterns and then focus on the areas that have raised most concerns will help this function focus its efforts on the danger zones.
- Act as the lighthouse for the business. By combining information from risk assessments, key risk indicators, control results, incidents, near-misses. and many more, auditors will be able to flag those emerging risks that could threaten the organization. They could then, as mentioned by Peter Jones, suggest a new course of action to mitigate these new risks and, by the same token, suggest improvements to the existing business-continuity plans and the internal control framework. This way, issues are caught earlier and, when a crisis occurs, the organization is better prepared to face it.
The last area I want to highlight relates to collaboration. I had a brief audit experience many years ago. Those were the days where you would go from site to site with a very heavy briefcase (or a trailer with boxes in the car, more likely) and record everything on paper. This was not the best way to find the needle in the haystack and even worse, to foster collaboration between colleagues working on the same program (if you have ever seen my handwriting).
Where technology can also help internal audit is in information-sharing and consolidation. With access to the same digitalized work program, auditors can leverage the work of one another, especially the findings and test plans, to perform their audit mission. Should one auditor have performed a successful test plan, it can immediately be shared with colleagues to be applied on other audits.
The world then truly becomes a village, as they say.
As business processes will continue to evolve, technology will increasingly have an impact on driving emerging business practices, helping organizations comply with constantly changing regulatory environments, and managing future potential disruptions.
The challenge for the internal audit function will be to assess the effectiveness of internal controls that may be manually governed temporarily or permanently. With the right automation supporting internal audit, routines can be effectively automated, and efforts can be diverted to activities involving more interpersonal collaboration and judgments. This will ensure a seamless flow of data and information across the three lines of defense.
If you are interested in hearing more about this directly from experts, I recommend registering for the on-demand Redefining Internal Audit Practices in The Virtual World webinar delivered jointly by the Institute of Internal Auditors (IIA) India and SAP.
I look forward to reading your thoughts and comments on Twitter @TFrenehard.
This article originally appeared on SAP Community and is republished by permission.