On the Frontlines: Future-proofing Internal Audit
Blogs Hassan Khayal, DBA, CIA, CRMA, CFE Jun 30, 2022
As COVID-19 spread across the world, it changed the entire landscape of life on both personal and professional levels. The changes it brought about have lingered and become the new normal, not only for the past three years but for the future.
While most organizations have implemented new short-term priorities to combat its effects, the internal audit function also needs to become future-oriented. As it supports operational effectiveness in an increasingly dynamic risk landscape, internal audit must consider the pandemic's long-term impacts — with new risks arising from remote work and other pandemic changes, and old risks such as cybersecurity becoming an essential priority rather than simply a buzzword on the risk register.
While internal auditing's focus on assurance of business process risks and controls remains an integral part of its role, the profession needs to be equally agile and adaptable as risks multiply and evolve — just like the Covid-19 virus.
The following actions are but a part of the changes and evolution that internal audit functions and leaders need to undertake, but they are a good start.
- Identify changing work environments and tailor the internal audit approach to deliver value within them. Starting with the basics, notions such as segregation of duties and asset safeguards need to be revaluated for their suitability to the new work environments. The nature of work processes, especially under a remote work environment, or even an office-based environment that is increasingly reliant on digital collaboration tools, is fundamentally changing. Physical oversight and simple written signature approvals as controls will no longer be effective (and let's be realistic, they are severely outdated and time consuming). Audits and auditors will need to employ a much higher level of rigor and detail in their reviews. Information technology applications need to be a basic skill for the traditional auditor, not a unique skillset of the sole IT auditor on the team, and information security risks need to be considered in absolutely every audit and process, not just IT audits.
- Leverage emerging audit technologies. With auditors being involved in virtually every function of the business, and with every function in the business being interconnected through digital collaboration tools, the audit function, which is also a part of the organization (a fact that is often forgotten), also needs to be part of the organization's digital ecosystem. Audit cannot preach digitization and evolution of the organization while remaining stagnant in paper trails by their own rights. Leveraging the increased access to data all over the company, and utilizing the many advanced data analytics functions embedded with them should be a basic tenant of the audit function. This is a blessing in disguise, as while initially implementing it might be a change and a challenge, it will allow audit functions to increase sample sizes, or even test whole populations, allowing the audit function to provide management with an unprecedented level of assurance (but let's remember to stay within the realm of reasonable assurance as audits are not infallible).
- Adopt an agile audit approach. It truly is a nice notion to be able to audit everything all the time. Time constraints are one of the biggest challenges to the audit function in providing coverage across the organization and balancing costs and benefits. With speed of doing business increasing at an exponential base, the speed of the audit function needs to evolve to keep pace. However, it is important to remember that this speed needs to be balanced with the rigor expected of the audit function. Luckily, the increasing use of technology also enables audit to be almost ever-present. Continuous audit programs and integrated red flags within information technology systems allow audit work to be more present rather than historically focused, largely enhancing the value auditors can contribute to their organization. Agile methodologies are not about employing traditional audit methods and producing "half baked" audit results; they are about leveraging emerging technologies such as automation and artificial intelligence within data systems to enhance operations and maximize shareholder wealth.
While this is by no means a comprehensive list, an audit function that is adaptable, technologically savvy, and present- and future-focused is definitely on the right track, steering ahead to the future. These tenants are the some of the essential foundations of the future of internal audit.