Today’s businesses must be constantly evolving to meet changing business models, new regulatory requirements, technology innovations, and an increase in cyberattacks. To help businesses meet these new challenges, internal audit (IA) functions must evolve as well. While internal audit is not the sole owner of risk within an organization, it provides unbiased insight into an organization’s internal controls, corporate governance, and business processes. IA educates board members and executives on the business risks and their impact, helping detect and address issues before they are identified by external audit.
As data and technology permeate every aspect of the modern organization, IA departments can no longer work alone. IA teams must expand their skillsets and work alongside other departments to more effectively reduce risk, improve controls, and identify inefficiencies within the organization. While 2019 has already brought significant changes to the audit industry, 2020 provides the opportunity for even more. Here are the top 10 trends we expect to see for the internal audit world in 2020:
1. Privacy compliance will be a key focus for internal audit.
Over the past few years, the world has seen a massive increase in data privacy regulations at the state and national levels. Many organizations are struggling to keep up with these regulations, trying to untangle a growing number of legislative, regulatory, and internal requirements to demonstrate compliance.
With the potential for more privacy regulations in 2020, internal audit needs to stay informed of these changes and develop a better understanding of potential privacy risks, so it can be more actively involved in identifying compliance risks and establishing the appropriate controls to mitigate those risks. IA must start incorporating privacy considerations into its enterprise risk assessments and determine how equipped the organization is to respond to new regulations as well as sustain ongoing compliance.
As part of these privacy efforts, internal audit is responsible for validating the organization’s data classification policy. To do this, IA will need to review the processes for collecting, analyzing, storing, and sharing personal information to ensure compliance with current and new data regulations. By gaining a thorough understanding of these processes, internal audit will help enable the identification of current and emerging risks, giving shape to a privacy roadmap for future compliance efforts.
2. New cybersecurity regulations from the SEC and PCAOB will require more internal audit involvement.
Cyber threats are continuing to increase in frequency and complexity, with each day bringing the potential of another data breach. To hold public companies accountable to their stockholders and investors, the U.S. Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) are pressuring public organizations to clearly demonstrate how they are mitigating cyber risks, including key internal controls.
These compliance requirements push internal auditors into the world of cybersecurity. From required board oversight to data incident disclosures to insider trading regulation, internal audit must evaluate the existing policies that address the requirements from external bodies and show external auditors that adequate controls are in place. A few key steps auditors can take to help ensure compliance include:
- Revisit and, if necessary, refresh data-security public disclosures to ensure compliance with the new guidance
- Consider the adequacy of internal controls and procedures for identifying cybersecurity risks and incidents as part of the design and effectiveness of a company’s disclosure controls and procedures
- Update existing enterprise-wide data security policies, plans, and procedures
- Ensure that controls are in place to escalate cyber risk, incident engagement, and oversight by senior corporate leaders and the board
- Review data security incident disclosure processes to ensure key stakeholders are notified of significant data security incidents and establish a decision-making process and protocol to timely disclose material cybersecurity incidents
- Revise codes of conduct and internal securities trading policies to ensure that, as appropriate, securities trading restrictions are put in place upon the detection of a material cybersecurity incident
- Regularly testing security controls, policies, and processes and making improvements as needed to help reduce the likelihood of a security incident
3. Boards will become more involved in cybersecurity.
By providing an independent, objective evaluation of an organization’s existing controls, internal audit plays a crucial role in helping organizations manage potential cyber threats. However, with cyberattacks on the rise, security breaches at an all-time high, and new pressures from the SEC and PCAOB, cybersecurity is now becoming a top priority in boardroom discussions. Board members want to gain a comprehensive view of the risks both inside and outside of the organization. As involvement in cyber risks grow and board responsibility to adhere to the FTC’s increased standards of care becomes a concern, boards will rely more heavily on Chief Audit Executives (CAEs) and their IA team to communicate these risks and effective methods for countering them.
During these discussions, IA will need to educate board members on the steps taken to test the organization’s cybersecurity program to validate its effectiveness. Utilizing their knowledge of industry trends, risk management best practices, and business strategies, the IA team will recommend solutions to handle any detected risks before they become too large to address.
Based on the FTC’s Safeguards Rule, which requires a comprehensive information security program containing safeguards to collect and handle customer information, boards must also annually attest to the effectiveness of this program. IA will be the driving force in monitoring this program, updating its policies, and instilling confidence in the board’s verification. Boards looking to remain highly engaged in matters of cybersecurity and cyber threats will find a useful partner in internal audit.
4. More internal audit departments will use cybersecurity frameworks.
One of internal audit’s objectives is to provide management with an independent assessment of an organization’s cybersecurity policies and procedures and their effectiveness. IA identifies regulatory deficiencies that could put the organization at risk, as well as the necessary internal controls to mitigate them. More than ever, organizations must balance the evolving threat landscape against their security program. In the coming year, this will be seen more often through the adoption of a cybersecurity control framework, which can serve as a baseline for an organization’s existing program. A few popular control frameworks and standards include:
|Frameworks & Standards||Year of Release||Description|
An established best-practice framework for organization's seeking a program to assess cybersecurity practices against. Often required of contractors of the US federal government.
|CIS Top 20||2008||
Contains the prioritized, top 20 actionable security requirements for all organizations and serves as a good first framework for building a cybersecurity program.
One of the most popular baseline security frameworks; serves as an international standard that outlines how organizations should manage information security.
|ISACA COBIT 5||2012||
IT management framework to help businesses develop, organize, and implement strategies around information management and governance.
A comprehensive list of security requirements designed to reduce credit card fraud and strengthen the security posture of organizations that store, process, or transmit card data.
Helps organizations (especially healthcare) effectively manage data, information risk, and compliance, and demonstrate compliance with HIPAA requirements.
When determining which framework to use, internal auditors will need to take into account industry standards, regulatory guidance, legal requirements, and the advantages and disadvantages of each framework. The selected framework will provide the structure, methodology, and best practices to achieve a strong security posture and prevent potential security vulnerabilities or data breaches. As an organization’s third line of defense, internal audit must play a key role in developing a strong cybersecurity program through an established cybersecurity framework to ensure a reliable, systematic way to mitigate cyber risk, regardless of how complex the environment.
5. Third-party risk management will become a concern.
Reliance on third-party vendors for essential business functions continues to grow. According to the Ponemon Institute, companies share confidential information with an average of 583 third parties, and approximately 59% of companies say they’ve experienced a data breach in the past year due to a third party or vendor. Many organizations are unsure where their data goes or who has access to it once it is shared with a third party, which can lead to noncompliance, penalties, legal action, and reputational damage.
As third-party relationships increase an organization’s exposure to new risks, formalizing an effective third-party risk management (TPRM) program to mitigate these risks will become a common practice in 2020. Internal audit can assist in this process by:
- Reviewing the existing TPRM program to assess processes and controls, including third-party selection, contract negotiation, ongoing monitoring, and vendor termination
- Validating that the TPRM program is meeting organizational concerns in various areas, such as data privacy, cybersecurity, contracts, business strategy, etc.
- Evaluating management’s oversight of vendor performance and contractual obligations with the third party
- Detecting critical or high-risk third parties and ensuring they are evaluated and monitored more frequently
- Conducting an assessment of third-party risk management controls and recommending opportunities for improvement on lacking controls
6. Internal audit will play a key role in digital business transformation.
To keep up with the needs of an increasingly digital workplace, many organizations are going through a digital transformation, implementing new technologies and processes to make the business more efficient. For example, intelligent automation such as robotic process automation (RPA) is continuing to expand at a rapid clip and will play a key role in many businesses in 2020. RPA allows for tasks to be completed in a systematic manner, free from any variation, increasing efficiency and accuracy. As companies start this business transformation, internal audit must remain cognizant of the risks these technological changes bring with them. Despite the value that tools like RPA can bring, IA will need to help guide the company when considering the following:
- How will access to data and systems be handled?
- What controls will be put in place to monitor the performance of these tools?
- Who will design and monitor the controls?
- What processes will be implemented to prevent unauthorized access to these new systems and their sensitive data?
Ultimately, RPA can help IA and the business increase productivity, reduce risk exposure, and bring economic and workforce advantages; therefore, internal audit has the chance to position itself as a trusted partner for these transformation initiatives.
However, when making significant digital transformation changes, all areas of the organization will be affected. As business processes are redesigned and automated, CAEs and their audit teams should be involved in executive management and board-level discussions. Since IA understands the risks of RPA and the added value and opportunity that automation can bring to an organization, it can provide a blueprint for the successful implementation of these digital business transformation initiatives.
7. Integrated risk management (IRM) will remain a key initiative.
Internal audit functions are traditionally viewed as an organization’s third line of defense, but this siloed perspective sometimes results in limited transparency into other departments' risk management efforts. Integrated risk management (IRM) breaks down these silos and gives audit the opportunity to streamline processes, centralize business assets, and ensure all departments work in unison. IA should be the driving force behind these IRM programs due to their ability to identify risks and controls and recommend actionable solutions. IRM also enforces IA’s opportunity to leverage automation tools and better communicate the standardization and formulation of controls across all risk areas of the business.
To establish a strong IRM program, an effective and well-configured governance, risk, and compliance (GRC) tool can help streamline tasks. Importing existing processes into a centralized GRC repository will allow an organization to easily share the information with the entire business. From there, a baseline of the existing GRC structures can be compared against industry standards to create audit reports that identify risks and vulnerabilities in the organization.
8. Internal audit will leverage data analytics to manage the vast availability of data.
The amount of data in the world is expected to reach 44 zettabytes by next year, which is more than 40 times the number of stars in the observable universe. But with businesses handling more data than ever before, the potential risks are even higher. Data analytics has significantly changed the field of internal auditing, transforming manual processes into automated ones, improving the accuracy of audit results, providing valuable insights to management, and increasing the ability to identify and address risks across the enterprise.
Over the next year, more internal audit departments will integrate data analytics as a core capability across all areas of the business, bringing a wide variety of benefits following its adoption:
- A more comprehensive view of the business: Data analytics can deliver a more detailed look at the internal controls, financial statements, and accounting processes.
- Identifying risk earlier in the audit process: Data analytics in the audit process can help detect patterns earlier, allowing for advanced decision-making and more time to implement changes and improvements.
- Reduced time and effort: Using data analytics, audit can offer more automated processes, which increases the quality of an audit while shortening the time it takes to complete the assessment.
- Lower audit costs: Using data analytics, auditors can perform the same audit quicker and with less resources, leading to shorter, more cost-effective audits.
9. Internal audit skills and expertise will expand.
The drive for innovation within many organizations is forcing the internal audit profession to adapt and evolve at a rapid pace, and many auditors are struggling to keep up with these changes.
IA’s role in managing organizational risks, its enterprise-wide perspective, and its understanding of various frameworks make it multifaceted, but in today’s business environment, internal auditors need to expand their abilities beyond traditional areas like accounting, compliance, fraud, and finance. To support business change, many companies are already looking for internal auditors with expertise in technical areas like data science, analytics, IT, cybersecurity, and privacy. In addition to hiring professionals with specialized knowledge, companies should also encourage current employees to expand their skills and expertise through training in these areas.
10. Greater investments will need to be made in internal audit.
According to the IIA’s International Standards for the Professional Practice of Internal Auditing, CAEs are responsible for ensuring that internal audit resources are “appropriate, sufficient, and effectively deployed to achieve the approved plan.” Yet, many CAEs are struggling to meet the board’s expectations for aligning audit activities with strategic business goals while also overseeing fluctuating risks on the current budget allocation.
Risk assessments performed by internal auditors can be resource and labor-intensive. Frequent audit plan revisions over the course of the year are typical in order to manage emerging business risks. And with the cost of a data breach reaching more than 3 times the cost of compliance, not allocating sufficient resources up front can end up costing more in the future.
Internal audit departments will need a budget increase to adequately address emerging business risks and equip their team with the tools and skills they need to do it efficiently. CAEs should also meet with their boards to provide them with insights into audit needs and present the risks of not adequately investing in IA.
In addition, CAEs and audit directors should also consider the new tools and technologies available to auditors (e.g., RPAs and data analytics) that can help save money that could be applied to other audit areas. In the past, IA spent much of its time and resources on SOX compliance, but many teams are finding that specialty audits and operational audits actually provide more value to executive leadership. This shift requires more budget for these specialty audit areas, requiring CAEs and audit directors to find ways to reduce SOX compliance costs and allocate more budget to higher-value areas.
The digital world is changing, compelling internal audit to adopt new tools and techniques in order to effectively respond to today’s threat landscape. 2020 will be a challenging year for IA as it faces greater compliance challenges, board-level demands, technological change, and increased cyber threats. However, as long as internal audit has the tools and resources it needs to stay current with the latest developments and advancements, this evolution will bring significant value to businesses everywhere.
Want more risk management insights?
Subscribe to Focal Point's Risk Rundown below - a once-a-month newsletter with templates, webinars, interesting white papers, and news you may have missed. Thousands of your colleagues and competitors have signed up! You can unsubscribe at any time.