The tops risks that chief audit executives face, as identified by a new report, are likely to be familiar foes for most internal audit leaders.
Chief audit executives (CAEs) are unlikely to be alarmed by a new report listing the top five risks confronting internal audit; they’ve been battling them for years.
A recent survey by the Institute of Internal Auditors lists the top risks that threaten both internal audit as a department and the organization as a whole. They are: talent management, data analytics, cybersecurity, regulations, and responding to disruption.
None of these risks, of course, should be news to CAEs, but certainly the dynamics have changed. In few cases the risk has ebbed some, such as on the regulatory front, but for the most part, the risks have only intensified. Despite the long battle to manage these risks, little progress has been made on many of them and some of these concerns have become bigger threats to the health of internal audit departments and many companies.
For internal audit departments themselves, finding the right individuals to fill crucial roles, for example, has only gotten harder. Indeed, most internal audit shops say that filling key roles with well-qualified candidates is a tall order these days. In addition, internal audit is under greater pressure to use data analytics in more audits and in advanced ways. At the intersection of both of these risks, many internal audit departments are striving to find individuals who have data analytics expertise … and missing the mark.
On the organizational side, despite a massive and pricey campaign to secure data and systems, cybersecurity remains one of the top problems companies face—if not the top problem—and it’s one that doesn’t look to be solved anytime soon. By most accounts, key corporate digital assets are less secure than ever. And then there is responding to disruption. New technologies continue to endanger big companies, and many have responded poorly to the threat.
Who’s to Blame?
That’s not to say CAEs have been lax in identifying and managing these risks. In some cases, the risks are growing due to forces beyond the control of internal audit leaders. The difficulty finding talent, for example, has more to do with the overall unemployment rate and the shifting needs of internal audit departments than any failure of the hiring processes at most companies. Disruptive technologies, to cite another set of uncontrollable forces, aren’t getting any less disruptive and the pace of change has only quickened.
In other instances, however, at least some internal audit departments deserve blame for being slow to respond. Thought leaders and experts in internal audit circles have preached the need for better use of data analytics in audit work and other analysis for years. Yet, according to a recent survey by consulting firm Protiviti, many are still far behind the curve. “The maturity of using analytics in the audit process remains relatively low,” the report concluded. “Many audit functions are likely using analytics tools as point solutions as opposed to part of broader initiatives to leverage analytics throughout the audit process.”
Indeed, internal audit must step up to the challenges of a fast-moving environment where technology is rapidly changing and the goal of internal audit has also shifted somewhat. Internal audit needs to adapt to those changes or risk falling further behind. “Worldwide, organizations rely on internal audit, and its assessments. To remain relevant and to be recognized as a trusted advisor, internal audit has an obligation to consider risks to the achievement of its own objectives, as well as the objectives of the organization,” the IIA wrote in its report on the top risks facing CAEs. “Because of this, internal audit must be results-focused and committed to improving its abilities for the benefit of the organization as a whole.”
Talent Management
To say that companies are having a difficult time finding quality candidates for open internal audit jobs is a massive understatement. An informal search on Indeed.com found just shy of 70,000 open positions containing the words “internal audit” in the United States. With unemployment at around 4 percent, the candidates to fill these positions will likely need to be poached from existing jobs at other companies, creating a war for talent, fostering disruptive turnover and inflating internal audit pay. In fact, Indeed.com estimated that more than 11,000 of the open internal audit positions paid in excess of $105,000.
Talent management ranked as the risk identified by the most CAEs that IIA surveyed. A full 79 percent identified talent management as the top “extremely or very important” risk to the internal audit profession. “For the last few years, CAEs have agonized over finding candidates with the skills necessary to fill new roles and address new and existing risks,” the report’s authors wrote. “Plainly, there is a limited pool of candidates with the skills to fill internal audit’s evolving needs.”
The changes that are taking place in internal audit, including the greater use of technology and the trend toward auditing processes beyond the traditional areas heavy on finance and accounting, are making it easier and more difficult at the same time to find the right people to fill internal audit positions: More difficult because the modern internal auditor must possess a wider array of skills, including analytical abilities and creativity. Easier, because the profession is now looking beyond the traditional CPA to those with technology and other types of backgrounds, widening the pool of candidates.
Still, managing the talent base, both existing and needed, is a tough task for CAE’s. And getting it wrong presents a big risk. Internal audit shops that don’t fill talent gaps and align the skills the department possesses with the skills sets needed to fulfill internal audit’s mandate will only continue to struggle.
Data Analytics
There are a host of risks that surround data analytics, including the risks of using it improperly and not using it enough or at all. The report identifies several of these risks, including: data and information quality risk, data compliance risk, data governance risk, improper use of analytics risk, ethics risks, and others.
Data analytics has evolved from the hot buzzword of five years ago or so to an absolute must-have for internal audit functions that want to add value to the organization. Most internal audit teams are under intense pressure to improve their analytic capabilities and many are finding success in meeting that demand. But those who ignore data analytics may be taking the greatest risk of all.
Those that are low on the maturity curve risk falling hopelessly behind as the technology continues to advance at a rapid pace. Despite these dangers and the big successes many internal audit shops have enjoyed by adopting advanced analytics, many
companies are still well behind the curve, as the Protiviti study indicates. It’s also likely that those internal audit departments that fail to adopt advanced data analytics programs will also fail to make use of other more advanced technologies such as artificial intelligence, robotics, blockchain, and augmented reality.
“Technology changes the world we live in at a lightning pace, and the consequences of that speed of change is frustrating, to say the least, if we are not properly prepared,” the IIA report’s authors wrote. “Technology generates much larger amounts of data, and internal audit can use it to evaluate risks more thoroughly, improve the delivery of audits, and potentially increase the level of assurance provided.”
Cybersecurity
As traditional approaches to cybersecurity continue to fail, companies are expanding the fight to secure their systems, data, digital processes, and digital intellectual property (IP). They are also increasingly enlisting internal audit departments and IT audit teams to join the battle by auditing processes involved in cybersecurity and beefing up related internal controls.
Yet some companies lack even the basic “must-have” defenses to respond to cybersecurity. A recent poll of IT security professionals conducted by advisory firm Baker Tilly found that nearly 20 percent of respondents know their organization does not have an established incident response plan in place to address a cyber-breach.
“Attackers can hold an advantage over organizations that do not rigorously test their defenses,” says Ken Zoline, manager with
(Continue to the next page below.)
Interesting that Talent Management is #1..it doesn’t surprise me as a recruiter and former HR leader who supported one of the best IA shops in the country. I recruit a ton of talent of IA shops in the country. I don’t see a lot of people talking about how to improve. One of the best ways to attract talent to Internal Audit is to have a robust rotational development program – IT is the ONLY way we can get A Player talent to consider Internal Audit. Then you must live up to it and not hold on to talent. You have to have leaders who develop talent. So it may take upgrading your current talent and also you will need a ton of support from the business to provide you opportunity to do non SOX work, but you need to earn it.