The COVID-19 pandemic has affected many aspects of both professional and non-professional life, and its impact on internal audit has been unmistakable. In fact, a recent survey found that more than half of governance, risk management, compliance (GRC), and internal audit professionals say that their workload has increased significantly since the start of the pandemic.
The survey, conducted by GRC software provider Galvanize and titled The State of GRC 2021, also found that an increasing number of companies are adopting cloud-based GRC technologies to handle the increased workload.
While remote work resulted in reduced workloads and relaxed schedules for some industries, that was not the case for GRC professionals, including internal auditors. More than half (53 percent) of respondents stated that their workload has noticeably increased as the country exits the pandemic. The most prominent contributors to this were remote work (58 percent), budget restrictions (41 percent), and changing regulations (35 percent).
As GRC professionals have become more valued in the eyes of their organizations, the scope of their responsibilities has widened along with the increased workload. The changing landscape is not ubiquitous across the profession, however. Just 39 percent of those who rely on GRC software reported an increased workload, compared to 61 percent of those who rely on Microsoft Office applications to carry out their work and 89 percent who use multiple point solutions.
“Much like we saw in the Roaring Twenties of 100 years ago, the biggest post-pandemic concern is a return to the new normal,” said Dan Zitting, chief executive officer of Galvanize, which was recently acquired by Diligent. “The fastest route is through technology—especially for the GRC industry. The data shows indisputable benefits: more visibility into risk, decreased workload, and more efficiencies. It’s promising to see the strides GRC practitioners are taking to implement cloud-based technology so they can maintain their position as strategic advisors to their organizations.”
Greater Visibility into Risks
According to the report, GRC professionals are almost four times as likely to say they are more risk-focused than before the pandemic, but their level of visibility into the risks their companies face varies greatly depending on their technology of choice. Nearly two-thirds (63 percent) of integrated GRC software users report having greater visibility into their organization’s risks, compared to 47 percent of multiple point solution users and 32 percent of those who rely on the Microsoft Office suite.
Although organizations choose to utilize different platforms within their office, there is relative unanimity on what type of risks will receive the most attention during the rest of the year. The top three areas of focus for GRC professionals in the coming months include IT compliance, security, and privacy (47 percent); cybersecurity (43 percent); and fraud and corruption (29 percent). Hackers and digital information leaks can wreak havoc on organizations and their customers, justifying the heightened focus on this area of risk. The recent ransomware attacks on the Colonial Pipeline and meatpacker JBS USA Holding, for example, serve as stark reminders of the risks associated with cybersecurity.
And while the pandemic appears to be subsiding, many companies are looking to boost their disaster recovery and business continuity capabilities. Many GRC professionals were underprepared for the sudden necessity of remote work that COVID-19 demanded. While the biggest change that remote work introduced was the inability to collaborate cross-functionally according to 48 percent of the survey’s respondents, 38 percent claimed that the pandemic most altered their focus on risk.
Technology Usage and Data Access
A surprising consequence of the pandemic that has increased the importance of technology is the reduction of resources. Nearly a third (32 percent) of GRC professionals report having fewer resources now than at the onset of the pandemic. The combination of an increased workload, widened scope of responsibilities, and fewer resources only further emphasizes the value of cloud-based advanced technology.
With 45 percent of professionals reporting that Microsoft Office is still their primary method of managing critical GRC initiatives and documents, regardless of its shortcomings when it comes to scale and visibility, only 36 percent report using GRC integrated software. Moreover, 40 percent say that their tools could be more efficient. These inefficiencies result in challenges, particularly in areas related to IT, such as IT governance, IT audit readiness, and IT vendor oversight.
Technology plays a crucial role in assisting organizations on executing their respective strategies. When asked what the biggest obstacles are when it comes to execution, respondents noted time and technology as the first and second most common responses, respectively. Not surprisingly, the two go hand-in-hand. Increased workloads, coupled with inefficient technology, is a recipe for disaster, the report’s author’s assert. GRC integrated software, when implemented correctly, can help to mediate this problem, the study concludes.
The free access of information is critical when it comes to the internal audit and GRC functions. Unfortunately, 79 percent of respondents report finding it “extremely,” “very,” or “somewhat” challenging to access the data they need. The top offenders are data security (20 percent), compliance issues (16 percent), and legacy systems (15 percent).
Looking Forward
The emphasis on data is opening the eyes of many organizations to the possibility of adopting more advanced technology. Cloud-based GRC solutions also focus on the security and fraud concerns that have become heightened in the wake of the pandemic. Such technology solutions help teams strengthen compliance and monitor and mitigate threats by enabling greater visibility, stronger controls, and easier access to data, the survey claims. About 41 percent of GRC professionals are taking action to adopt cloud-based technology, and 30 percent regularly use it already. Only 7 percent never implement such solutions, while another 23 percent find it poses challenges and require a strong business need to act.
As North America and the world emerges from what has been a challenging and draining year, GRC professionals find themselves adjusting to the post-pandemic realities. COVID-19 has changed many practices, demands, and expectations. Now many are considering the adaptation of cloud-based technologies as way to address these new challenges and opportunities.
Michael McGee is assistant editor at Internal Audit 360°.