The role of internal audit is constantly changing. As the business climate continues to evolve with new technology and key business processes, so do related threats. This has meant internal auditors are being asked to go outside their “comfort zone” of primarily evaluating operational and financial risks and expanding into new areas. While risk management needs are changing, it appears that internal audit departments are not following suit. According to the results from the Institute of Internal Auditors’ annual Pulse of Internal Audit Report, According to the survey, there are three distinct areas where internal auditors can make changes to have a bigger impact. To help clients, prospects and other understand the impact of the survey findings, JLK Rosenberger has provided a summary of key points below.
- From Cybersecurity to Cyber Resiliency – Most organizations are focused almost entirely on cybersecurity from a prevention standpoint, so internal auditors are attuned to providing assurance related to preventive efforts. Yet, we’ve all seen the result of high profile, yet well protected, organizations falling victim to a cyber attack. While only 2% and 1% of respondents, respectively, ranked reaction and restoration efforts as the most effective method for addressing a cyber attack, it’s time to focus on “cyber resiliency.” This includes seamless continuance of operations after a breach, which will limit the financial and reputational consequences of business disruption. Responsive measures – such as limiting the impact, communicating the breach to appropriate parties, and restoring data – should be addressed thoroughly in business continuity and disaster recovery plans, which is another area for improvement. Of those who reported having a business continuity plan, only a quarter of them said it provides clear, specific procedures in response to a data breach, and 17% said they include no data breach or cyber attack procedures at all.
- Involvement in Organizational Data Use – With the large amount of data available today and the sophistication of data analysis tools, the level of business risk is also growing. Companies must consider legal and ethical ramifications for how data is collected, how complete and accurate the data is, whether it has been evaluated and analyzed correctly and without bias, and how to the use the data and resulting information, among other things. Unfortunately, the majority of internal auditors who responded to the survey are not significantly involved in evaluating the quality of their organization’s data (only 17%) and are not confident in the strategic decisions made based on the data their organizations collect and analyze (71%). Internal auditors can add significant value by understanding the risks associated with an organization’s use of data and providing assurance over its evaluation and use.
- Auditing Organizational Culture – Culture plays a big role in the control environment and organizational governance, which is evident from many corporate scandals where culture contributed to or condoned unethical behavior with disastrous consequences. However, less than half (42%) of auditors address culture influencers – such as management integrity, ethical values, operating philosophy, behavior modeled by executive management, and executive management communications – in their reports. Of those who do, only 21% consider it very or extremely effective.
Unfortunately, but not surprisingly, lack of key stakeholder support for internal audit’s involvement in culture and the difficulty in identifying and measuring it using common auditing techniques are closely linked with the lack of attention given to this area.
It’s important to ensure that your internal audit function, whether internal or outsourced, is providing the highest level of value to the organization. If you are interested in learning how to maximize the value from your internal audit function or with questions on survey results, JLK Rosenberger can help! For additional information please contact us at 949-860-9902, or click here to contact us. We look forward to speaking with you soon.