The role of the Internal Auditor is changing. Internal Auditors (IAs) provide independent assurance that companies have appropriate internal control processes in place and that risk management and governance functions operate at a satisfactory level. Larger companies typically have internal auditing activities performed, at least partially, by their own employees while outsourcing some functions. For medium- and small-sized businesses, internal auditing functions are generally outsourced to accounting firms. Regardless of whether you have in-house or outsourced auditors, their world is changing – and so is yours.
For years, IAs devoted their time to Sarbanes-Oxley compliance activities. However, the ever-changing business landscape has required a shift in focus for these auditors towards greater alignment with stakeholder expectations and a more risk-based, innovative auditing approach. A key element in this shift is the ability of IA to understand the organization’s key risks and proactively identify emerging risks.
We’ve identified some risks and emerging trends that organizations are facing and ways in which IAs can enhance the value they deliver. These are scope-realignment conversations you can have with your in-house team or additional help you can request from your accounting firm if you outsource these services:
Cyber threats and data breaches can have pricey impacts on an organization’s bottom line and image, ranging from loss of customers to legal action. As the opportunities for cyber threats increase, the opportunity for IAs to add value and assistance also increases.
Internal Audit can:
- Perform risk assessments of the organization’s cybersecurity processes and provide recommendations on areas for improvement.
- Conduct penetration testing of selected IT assets.
- Evaluate if third-party security providers are adequately addressing emerging cyber risks.
#2: Cloud Computing
Cloud computing refers to the practice of using a network of remote servers hosted on the Internet to store, manage and process data, rather than a local server or a personal computer. As organizations continue to “move to the cloud,” big data and other technological advancements have continued to bring new areas of risk and focus for IAs.
Internal Audit can:
- Conduct assessments of the existing governance framework used for operating cloud platforms.
- Perform assessments of third-party cloud service providers to identify data security risks.
- Conduct reviews of the Service Level Agreements (SLAs) with third-party cloud computing service providers to determine their compliance with contractual obligations.
#3: Data Analytics and Process Automation
Data analytics has greatly impacted the way organizations compile and assess information. As such, it has also impacted the methods that IAs can apply when executing audits in an effort to provide a higher level of assurance in an innovative way. For example, Artificial Intelligence (AI) can be used for tasks such as full population testing, controls or risk modeling. Robotic Process Automation (RPA) can be used for monitoring of routine tasks such as data retrieval and audit testing.
Internal Audit can:
- Provide support in the development of analytics tools and dashboards for monitoring business behavior.
- Provide support in the development of automated auditing tools that identify key risk indicators.
- Design audit programs (enabled by data analytics) to help compile deficiencies, identify root causes and develop remediation plans.
These risks and emerging trends are driving changes in the business that will require Internal Audit functions to redefine their agendas as they plan for the continuous support of business initiatives. Simultaneously, this will also continue to highlight their role as a value-added strategic business partner.
Journet Greene, CISA, is a Director in Moore Colson’s Risk Advisory and Compliance Services Practice. She leads Sarbanes-Oxley initiatives, internal audits, SOC audits and other compliance engagements for the firm’s many large IT and consulting engagements.