We find ourselves in a period of unprecedented volatility that shows no signs of letting up in the foreseeable future. Learn which risk areas should be on internal audit’s radar to face the challenges of today’s uncertain conditions.
Even the most casual observer of the business world knows that it’s changing rapidly. Whether technological, geopolitical, societal, or macro-economical—evidence of the increasing rate and scope of change is all around us. To help organizations meet the challenges of volatile conditions, internal auditors must stay agile and keep pace with emerging risk areas.
The World Economic Forum (WEF) observes that the changes sparked by what they refer to as the Fourth Industrial Revolution are occurring at such an exponential rate that there is no historical precedent—transforming nearly every industry at a breadth and depth that is disrupting business models and triggering shifts in entire systems of production, management, and governance.
Internal audit teams have already felt the impact of digital transformation, which expanded the scope of their risk coverage as their organizations seek to stay competitive—the pursuit of new growth strategies, M&A activity, expansion into new markets, and increased adoption of transformative technologies such as cloud, AI, robotics, RPA, and Big Data. In the face of new seismic shifts, which areas of risk should internal audit target?
According to Gartner’s annual Audit Plan Hot Spots report—based on a survey and interviews with over 200 chief audit executives (CAEs) from around the world—there are 11 key risks, connected by four key trends “underlying the risks expressed by CAEs as being critical to guide their audit planning” in our current environment.
1. The Strategic Importance of Data
A growing number of organizations are using data to inform their business strategy, whether to improve the customer experience, increase competitiveness, or implement advanced technologies. With an expanded use of data comes the need for data protection and accountability—and increased risks in terms of data governance, data privacy, ethics, and integrity. While the majority of CAEs polled in Gartner’s research say that they “definitely” plan to cover Data Governance (67 percent) and Data Privacy (77 percent) in their audit activities in the next 12-18 months, fewer expressed confidence in audit’s ability to provide assurance over these risks.
To help tackle these data-related risks, internal audit teams can advise on strategic and operational steering committees, provide input as governance frameworks are being built, and conduct assurance projects around data usage, access, classification, and training.
2. IT Vulnerabilities
As an organization’s IT infrastructure becomes increasingly complex and new applications are introduced into the enterprise technology ecosystem, the access points to the organization also expand. Gartner’s report points out that many of these technologies go unmonitored, or are slow to be patched. Combined with the growth and sophistication of cyber attacks, as well as the diversification of threat actors of advanced tools such as AI, the risks begin to overshadow the promise and advantages these transformative technologies offer. This positions cybersecurity preparedness, as well as providing assurance over IT vulnerabilities, as potential issues for internal audit to keep on their radar going forward.
3. Cost and Growth Pressures
The average lifespan of companies is estimated at 24 years, down from 60 years in 1958; by 2027, it’s estimated to shrink to an astonishing 12 years. Given this dire forecast, many organizations recognize that “business as usual” is no longer an option.
To strengthen long-term viability and stay competitive amidst new market disruptors, companies are taking on more digital transformation projects, expanding into new markets, and redesigning business strategies to not just survive, but thrive. However, Gartner points out that “in seeking cost efficiencies and adopting new growth strategies, organizations need to be wary of weakening the control environment or deprioritizing governance and oversight.” As a result, risks like a growing reliance on third parties, digital business transformation such as the emerging ecosystem business model, and strategic workforce planning must be top of mind for internal auditors.
4. Shortened Planning Horizons
Gartner points out that “uncertainty and volatility have been prevailing features of 2018 and are likely to also be for 2019.” As a result, internal auditors must be prepared to handle the unexpected. Increased disruptions to business operations and instability around the globe create a seemingly unpredictable environment in which regulatory uncertainty, operational resilience, and trade and tariffs are emerging risks. These volatility-driven risks bring new challenges for internal audit teams, from scenario planning and the forming of long-term strategies, to compliance requirements and limited risk awareness. Agility becomes key when faced with disruptions, and internal audit must be able to react and quickly change course when needed.
Change—whether good or bad—can be intimidating. For internal audit teams, the key to thriving at a time when the rapid pace of transformation is only speeding up is to embrace a change mindset. By staying flexible and agile, internal audit can help their organizations stay on top of the current risk environment while leaving room for adaptation to face future challenges.