Baker Tilly’s risk, internal audit and cybersecurity practice. “Organizations should proactively perform cyber-attack simulations and rehearse incident breach response procedures to help manage and defend their attack surface.”
It’s no wonder cybersecurity concerns are keeping internal audit executives up at night. Another study by the Ponemon Institute found that a whopping 82 percent of respondents surveyed say it’s either “likely” or “very likely” that their organizations failed to detect a security breach involving knowledge assets, up from 74 percent when the study was first conducted in 2016. It gets worse: The percentage of respondents who say it is likely that their company’s knowledge assets are in the hands of competitors increased from 60 percent in 2016 to 65 percent now.
Clearly, companies have a lot of work to do on cybersecurity, and internal audit can play a bigger role. “Leading the charge, internal audit can strengthen management’s understanding of the effectiveness of cybersecurity controls in all areas, even at the level in which an organization’s culture impacts requirements, processes, and capabilities,” the IIA report’s authors wrote.
The report offers some action points for CAEs to help combat cybersecurity. Among them are:
- Assess organizational culture with regard to cyber-resilience.
- Perform risk assessments of security models and cybersecurity processes and make recommendations for improvement.
- Perform data penetration testing with IT and third-party contractors to assess the third party’s ability to comply with the established protocols.
- Conduct cyber-resilience gap analyses, recommend remediation, and follow up on remediation activities.
Regulation
Regulation may be one of the few areas where the risk seems to be declining slightly, but even that assessment is debatable. Upon taking office, the Trump administration promised a large-scale rollback in regulations that make life difficult for business. And while, for better or for worse, the jury is still out on whether or not it is delivering on that promise, there has certainly been a slowing of the breakneck pace of regulatory change in the United States that has characterized the decade or so prior to Trump taking office.
Just this week, for example, the House of Representatives passed a bill that could repeal several provisions of the Dodd-Frank Act, which reformed the banking industry after the financial crisis of 2008. Pro-business agency chiefs at the Environmental Protection Agency, the Food and Drug Administration, and several others have also rolled back what some consider onerous provisions or slowed enforcement. And while these may be welcome developments to executives who fret over regulatory compliance risk, there are very few, if any, compliance experts who would suggest that companies could let down their compliance guard.
New regulations could be on the way covering such aspects as cryptocurrencies, the use of artificial intelligence, and—in the wake of Facebook’s embarrassing scandal involving Cambridge Analytica—social media and online advertising and data collection.
Even if companies do get a break on regulations in the United States, for big companies, regulation is a global affair, and there has been no let up in regulatory actions by the European Union. For example, the massive General Data Protection Regulation, which creates a slew of new rules for any business that collects data from any European Union citizen, takes effect this Friday. Many companies say that even after a two-year interim period between when the law was adopted and when it takes effect, they are unprepared to comply with it.
Meanwhile, many other countries, including China, Brazil, and India have turned up the regulatory volume, with new rules on everything from bribery and corruption, to money laundering, to environmental compliance.
“The new regulations increase costs and place pressure on organizations by adding complexity to risk management, control, and governance processes,” The IIA report’s authors wrote. “As the pressure on boards increase, pressure also is placed on internal audit. Organizations are looking to internal audit with great expectation. They recognize the need for internal audit to provide advice and assurance as they redirect disruptive forces into opportunities, while at the same time staying in compliance with the constant change in regulations.”
The “to-do list” for internal audit executives on the regulatory front includes:
- Assess the organization’s approach to managing its global compliance activities, including integration of newly acquired organizations.
- Review compliance training programs, and evaluate the appropriateness for respective roles.
- Coordinate with internal and external assurance providers to ensure proper coverage and minimize duplication of efforts.
- Craft communications tailored to the organization’s interests and priorities to encourage a culture of compliance.
Responding to Disruption
Perhaps the only thing that scares companies more than cyber-thieves, onerous regulation, and the current labor market are disruptive forces in their industry that threatens their very existence. These days it’s such a frequent occurrence, that disruptive technologies and developments (Once referred to as being “Amazoned.”) simply must be on any risk assessment report and internal auditors should be considering the risk of a poor response to disruption or disruptive technologies among the organization’s biggest risks. The risk is also a dual one, since internal audit departments must also consider the use of disruptive technologies and innovations in their own operations and practices.
“While innovations, such as new technologies, offer great opportunities for internal audit to perform audit engagements, in many instances, innovation is accompanied by new risks, threats, and disruptions, which add to internal audit’s concerns,” the IIA reports authors write. “For example, instead of (traditionally) focusing only on risks, internal auditors now need to be able to quickly identify the would-be disruptions and determine which ones warrant immediate or additional attention.”
A recent PwC report on the topic suggested that internal audit is generally slow to adopt new technologies to use in its own execution of its duties. That limitation can have a multiplying effect, since internal audit must also provide assurance over the use of new technologies throughout the organization. If internal audit is not using technologies like artificial intelligence and robotics, it may find difficulty in auditing them.
Despite the high stakes, internal audit is woefully low tech, several recent studies indicate. Among them is the 2018 PwC State of Internal Audit study, which finds just 14 percent of internal audit departments are “advanced” in their adoption of technology. “The most surprising finding in our report is how small that top group is,” says Lauren Massey, a principle in the PwC’s U.S. internal audit, compliance, and risk management practice. “I think we were expecting to see that number a little higher, especially when you consider how powerful that category is in all the different things they are doing.”
All of this is to say that internal audit must have its finger on the pulse of innovation and the CAE must lead the way. He or she must recognize changes in the business environment, experiment with new technologies in the process of conducting audits, keep up on the use of new technology throughout the organization, and foster a culture of innovation. In today’s world, standing still is falling behind.
Many More Risks
While this is certainly just a short portion of the many things that keep internal audit executives up at night, these are at the top of the list. The IIA report offers many good action points on dealing with them, but the fact that they have been at the top of the list of concerns for so long indicates just how difficult they are to deal with. Other risks to consider, according to the report are risks inherent to the audit committee, the budget, lines of defense, and strategy.
“Risk opens the door for failure to achieve an organization’s mission and strategic objectives, and threatens an organization’s overall value. Therefore, internal audit’s responsibility—as a trusted advisor to assist risk management, control, and governance processes—requires the consideration of all risk opportunities and making the right recommendations,” the report concludes. 
Joseph McCafferty is editor & publisher of Internal Audit 360°
Did you enjoy this article? Consider making a small donation to support independent business journalism at Internal Audit 360°. Click Here!
And much thanks to all of those who have already donated. Our success depends on it.
Interesting that Talent Management is #1..it doesn’t surprise me as a recruiter and former HR leader who supported one of the best IA shops in the country. I recruit a ton of talent of IA shops in the country. I don’t see a lot of people talking about how to improve. One of the best ways to attract talent to Internal Audit is to have a robust rotational development program – IT is the ONLY way we can get A Player talent to consider Internal Audit. Then you must live up to it and not hold on to talent. You have to have leaders who develop talent. So it may take upgrading your current talent and also you will need a ton of support from the business to provide you opportunity to do non SOX work, but you need to earn it.