Defining Alignment in a Dynamic Risk Landscape
Internal audit is in a race to define its place in a rapidly changing world. It is a place where the promise of a fourth industrial revolution — where connectivity and data are married seamlessly with technological breakthroughs in robotics and artificial intelligence — presents a powerful and enticing picture to the women and men who lead our organizations. Those who can master these world-changing developments will guide their organizations to success. However, success will come only to those who can balance the opportunities and risks created by these technological advances, and internal audit must play a central role in helping them find that balance. This will require internal audit to develop team members with the necessary skills to provide independent assurance on increasingly complex risk issues and for its leaders to have the fortitude to make their voices heard in boardrooms and C-suites.
The 2019 North American Pulse of Internal Audit identifies four risk areas where internal audit can make its voice heard:
Internal audit must improve its efforts to provide high-level assurance and advisory services in this area. This requires building strong relationships with CIOs and CISOs, and accelerating efforts to build cyber-savvy teams through training, new hires, or cosourcing. CAEs must speak up about having the audit plan allocations properly reflect the importance of cyber and IT assurance and discuss any areas where the CAE feels internal audit must strengthen itself in this vital area.
Third-party relationships are part of every organization’s ecosystem of risks, and organizations that fail to properly address third-party risks are in peril. Internal audit must educate boards and executive management about the dangers of weak or non-existent controls over third-party relationships and work closely with the audit committee and management to define the role that internal audit should play to provide assurance in this important area.
Emerging and Atypical Risks
Threats from emerging and atypical risks are growing as technology accelerates the speed at which they can mature and do damage to organizations. CAEs must educate themselves about emerging and atypical risks that can potentially impact the organization. CAEs must speak up when the organization relies solely on management assurances about mitigation of emerging and atypical risks. CAEs should push for stronger KRIs to monitor precursor indicators, and provide assurance on processes to identify, monitor, and mitigate emerging and atypical risks.
Board and Management Activity
Like never before, regulators and shareholders are pressing boards to provide proper governance oversight. They can best accomplish this if the information on which they base their decisions is accurate and complete. CAEs should position their functions to provide assurance on all information going to the board and educate the board and executive management about the benefits that independent assurance can provide.
For more than 75 years, internal auditors have shown great skill in pivoting to meet new challenges. The challenges they face today — complex, accelerated, global — will require agility, innovation, and effective dialogue with the board and executive management. It will require a fundamental commitment to assure boards have information that is accurate, complete, timely, transparent, and reliable. Simply, for internal audit to find its place in this brave new world, practitioners must courageously raise their voices.