Although most organizations are prepared to handle a reasonable level of change and disruption, the Covid-19 pandemic turned normal business operations on its head. Organizations around the world were forced to shift gears, rushing to prepare a largely remote workforce, respond to budget cuts, and adjust 2020 strategies to stay afloat. While many organizations have semi-adjusted to this new normal in the last 10 months, these changes set new expectations for the world of internal audit. Internal audit functions are now tasked with navigating new risks brought on by the pandemic, while minimizing business disruptions and meeting executive demands, all in a socially distanced environment.
However, with change comes innovation, and with 2020 done and gone, it’s important to look to the future to prepare for what may be required of the internal audit world over the next 12 months. Although we might have failed to predict a global pandemic last year, here are the top 7 trends we expect to see for internal audit in 2021.
1. Remote work will continue, presenting new challenges for internal audit departments.
As cities and countries began introducing quarantine protocols and social distancing requirements to slow the spread of Covid-19, many organizations quickly transitioned to fully remote operations. This move to a remote workforce presented a host of new challenges and risks to internal audit teams, who had to adjust their audit processes to work in a remote setting. But with technology like videoconferencing, secure file-sharing platforms, virtual private networks (VPNs), and so on, many internal audit teams were able to facilitate this transition. However, the Institute of Internal Auditors (IIA) suggests that over 75% of audit teams are lacking a modern audit technology solution.
And while technology has helped internal audit pivot to a remote audit format, it has also presented new risks and challenges. Many organizations quickly deployed remote access tools, but often times, failed to properly test and secure them. Since employees must now use shared home or public WiFi networks, the likelihood of this type of cyberattack has grown. Studies have shown less than 50% of people secure their connection when relying on a public network. Not to mention the 600% spike in phishing attacks and the privacy concerns around video conferencing tools.
In addition, many internal audit leaders are struggling to keep team bonds strong and find overseeing the work of team members to be a struggle in these remote work arrangements. Many remote workers are also grappling with reduced productivity due to the loss of structure and socialization. Internal audit is a function that relies heavily on personal interactions to investigate risks and develop solutions. Adapting to a remote way of performing these audits without inducing “Zoom fatigue” is a challenge. Despite the fact that there are many benefits associated with remote work, this shift will continue to present new challenges for internal audit departments throughout 2021.
2. Privacy audits will become a key component of internal audit plans.
The regulatory landscape for privacy and data protection is growing more complex each day, especially in the wake of Covid-19. While some regulatory bodies have released guidance for handling these uncertain times, others like the General Data Protection Regulation (GDPR) expect the protection of personal data to still continue, even amid Covid-19 business changes. Because the consequences of failing to comply with global data privacy regulations can be severe, we expect to see privacy audits become a key component of internal audit plans in 2021.
Organizations in every industry are being overwhelmed with new regulatory requirements. In 2020, the California Consumer Privacy Act (CCPA) went into effect, its enforcement began, and new amendments were released. California also approved a new, stronger data protection regulation, the California Privacy Rights Act (CPRA), to further strengthen the measures of the CCPA. Brazil’s Personal Data Protection Regulation (LGPD) - which was initially postponed due to the pandemic - has now also gone into effect. And state data privacy laws in the U.S. are also on the rise. But with companies making significant changes to cope with Covid-19 requirements and restrictions, the requirements of all these regulations are difficult, but essential, to keep up with.
As a result, internal audit must think strategically about privacy and how the organization handles and protects sensitive data. Companies that perform frequent privacy audits can reduce compliance costs by almost $3 million. As an independent function well-versed in enterprise operations and policies, internal audit is uniquely equipped to perform these audits and help organizations mature their privacy programs. Internal auditors can leverage the guidelines of different frameworks, such as the NIST Privacy Framework, to evaluate how privacy controls are applied throughout the organization and build a unified enterprise-wide privacy strategy. Since the risks and penalties associated with privacy and data protection noncompliance are great, internal audit will play a key role in privacy during and beyond 2021.
3. Internal audit will be more involved in cybersecurity.
Even before the Covid-19 pandemic hit, cybersecurity was already a persistent threat to organizations. More and more companies are starting to recognize the need to create a third line of defense, one that can provide an independent review of security measures and identify opportunities to strengthen protection measures. Roughly 77% of audit departments planned to cover cybersecurity detection and prevention in audit activities over this past year, but only 53% of these departments are actually confident in their ability to provide assurance over these risks.
Executive leadership and boards are demanding more insight into cyber risk, as cyberattacks increase and devastate businesses across the globe. Due to their high-level understanding of an organization’s risk landscape and the technology used across the enterprise, internal audit is in an ideal position to assess cybersecurity processes and policies and report on the effectiveness of the security program to leadership, as well as opportunities for advancement.
About 80% of audit and risk professionals believe that the risk environment will continue to be unpredictable in 2021. With the average data breach costing almost $4 million, internal audit will become more involved in cybersecurity over the next year to help ensure the right controls are in place to detect and prevent these attacks and to stay aligned with core cybersecurity regulations.
4. Internal audit will become more automated.
By 2022, it is estimated that 90% of large organizations will have adopted robotic process automation (RPA) in some form. In 2021, worldwide revenue for RPA software is expected to reach over $1.58 billion, an increase of roughly 20% from this past year. Often internal audit can be reluctant to embrace technological advances and the risks it can bring, but in 2021 we predict many will make room for intelligent automation more consistently.
With automation technologies, internal audit can play a larger role in monitoring controls, regulatory compliance, policies, and reporting activities while still remaining independent. Here are a few areas where automation can make the biggest impact in internal audit:
- Data gathering for analytics: RPA can generate analytics that check for the completeness of fields and duplicates, freeing time internal audit would normally use gathering data.
- Performing risk assessments: Annual risk assessment processes can be automated to help audit focus on trend analysis and uncover more pressing risks.
- Population gathering: Automation technology can process data populations more efficiently and accurately than human auditors, especially when handling large datasets.
- Automation of controls: Automation can perform controls testing, allowing internal audit time to prioritize more pressing opportunities.
By levering RPA and other automation and analytic tools, internal audit can drive efficiencies in monitoring controls, provide greater coverage across large data populations, offer time and cost savings that can be redirected to higher priority tasks, and allow for improved visibility within an organization.
5. Internal auditors will need to expand their skillsets and specializations.
The role of an internal auditor has evolved from a compliance-centric approach to becoming a trusted business advisor. In order to continue to meet stakeholder expectations and detect emerging threats, internal auditors will look to expand their skillsets and specializations outside of audit in the coming years. In a recent survey, almost 60% of Chief Audit Executives (CAEs) doubt that their teams have the expertise to meet the expectations of their stakeholders. Therefore, internal audit must start expanding their technical expertise.
With areas like privacy, security, automation, cloud adoption, and remote work on the rise, internal auditors must increase their understanding of the tools and systems supporting these functions and their technical capabilities. We expect to see many audit functions investing in technical training for their audit team members in this coming year.
6. Culture audits will grow in popularity.
An organization’s corporate culture has a significant impact on how the company conducts its business. Since internal audit has a strong understanding of an organization’s systems, processes, and policies, they can evaluate whether the corporate culture supports the organization’s business model and values. For this reason, we expect internal audit’s scope to expand to the broader workforce and include culture audits designed to uphold corporate accountability on all business levels.
Company culture is a set of shared goals, attitudes, and practices that characterize how things are done in an organization. When leadership reinforces the organization’s visions and supports the code of conduct, clear expectations around the culture are established. Conversely, a poorly managed company culture has a trickle-down effect, leading to employee dissatisfaction, poor performance, and loss of revenue.
Companies with a thriving culture can grow their revenue more than 500% compared to those without one – proving the necessity of investing and evaluating corporate culture. During a culture audit, internal audit objectively assesses the overall culture to identify weak areas, such as team divisions, company turnover rates, lack of employee confidence, and ineffective management styles. Although culture can be difficult to measure, internal audit integrates soft control evaluations into their audit procedures and conducts structured interviews and focus groups to gather evidence.
A few considerations internal auditors take into account when auditing culture, include:
Satisfaction / Opinion Considerations
- Employee perception of their peer environment and culture
- Employee perception of the importance of compliance and ethics within the organization
- Customer complaints
- The existence of a comprehensive training program for new and existing employees
- Frequency of training and documentation of attendance
- How frequently the organization faced legal problems
- Timeliness and effectiveness of corrective actions
HR Practices, Incentives, and Enforcement
- How frequently the organization received negative media coverage (including social media)
- Appropriateness and consistency of penalties for violating policies
- Employee turnover
Recommendations are then provided to management to help improve decision making and achieve an enterprise-wide ethical corporate culture. Some companies have already embraced culture audits, and this trend will likely gain momentum during the next year.
7. Internal audit teams may have to do more with less.
Internal auditors are always under constant pressure to do more with less. But with organizations facing economic hard times due to the effects of the Covid-19 pandemic, internal audit teams will need to prioritize their resources and effectively demonstrate their value under these new expectations in 2021. According to a recent survey conducted by the IIA, over 45% of respondents anticipated cuts to their internal audit budget, a complete shift from the previous year, which recorded that 37% of respondents were predicting an increase in spending.
Despite these budgetary cuts, internal audit must still continue to create and sustain value and provide a holistic view within the organization and across teams. By embracing automation and digital technologies like exploratory analytics, automated controls testing, robotic process automation, and continuous risk assessments, internal audit can take care of repetitive manual tasks and unlock time to perform more value-added activities.
Further developing relationships with teams outside of the audit department can also help internal audit do more with less. For instance, audit and privacy teams can invest time into understanding each other’s objectives and building a strategy to achieve them together (e.g., regularly discussing risk controls, compliance requirements, risk management processes). This can help reduce inefficiencies (e.g., data privacy can utilize risk assessments performed by audit), detect risks that were previously overlooked, and create a more secure organization as a whole.
As Covid-19 pandemic continues, it seems like the changes brought on due to the pandemic are here for the long haul. While internal auditors serve several roles, their expertise in risk management will only continue to grow as we all adjust to this new normal. Yet, despite budget cuts, new auditing processes, and work from home orders, internal audit will still continue to be trusted business advisors and help companies thrive even amid growing threats and an uncertain future.
Want more audit insights straight to your inbox?
Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. Thousands of your colleagues and competitors have signed up! You can unsubscribe at any time.