6 internal audit areas of focus for 2020

Today’s connected technology ecosystems generate considerable amounts of sensitive data that are vulnerable to compromise. At the same time, compliance mandates like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have created sweeping new data privacy obligations – and there’s no end in sight related to new and evolving privacy regulations. 

Understanding your organization’s unique data privacy risks and compliance requirements is a multifaceted, complex undertaking. It will require an “as-is” assessment that includes an in-depth assessment of your privacy program. This review should aim to gain an organizational understanding of what personal data is collected, stored, processed, and shared. You should also have institutional awareness of the technologies and processes that should be in place to safeguard this sensitive information. 

Many organizations are not spending enough time thinking about the risks that their third parties bring to the table. Their risks can easily become your risks, so it’s essential that you assess your risk exposure related to them. It may sound extreme, but you should also understand who your vendors’ business partners are and how those entities address risks such as cybersecurity and privacy, to name just two.

Internal audit executives should lead the way in implementing risk-related analytics and technologies that continuously monitor for and report anomalies to be investigated. Doing so can boost the efficiency of internal audit and help move the function into the desired value-added, in-house consultative role. Auditing has never been an annual once-and-done practice, but now more than ever, internal audit programs should include some component of routine continuous auditing that is embedded into relevant operations across the organization. This will require internal coordination, the development of new processes, and a cultural change where business leaders leverage internal audit’s consultative expertise as a means of achieving the organization’s strategic objectives. The move to analytics and continuous auditing may initially be a challenge for mid-size and small organizations, which may lack bandwidth and/or skill sets, but they should start taking the first steps. 

Many internal audit functions still execute their responsibilities using audit methodologies that are very manual and rely heavily on disconnected software like spreadsheet programs. Internal audit executives need to find, understand, and adopt new technologies that can improve audit efficiency relatively quickly. Taking advantage of commonplace technologies will further boost the internal perception of your internal audit function’s value. 

Internal audit executives should also look to identify opportunities to create efficiencies that enable your function and your organization’s ability to reduce the cost of ongoing compliance efforts around complex regulations, such as Sarbanes-Oxley. The cost of compliance-related activities in general remains significant because of factors such as new standards for external auditors, evolving accounting and auditing rules, rising cybersecurity risks, and new privacy regulations. Any efficiencies gained give you the added benefit of redistributing resources to work toward other key organizational objectives. 

Many audit professionals don’t take full advantage of the extensive resources offered by the Institute of Internal Auditors (IIA). Local IIA chapters provide a wealth of educational seminars, roundtables, and training sessions, as well as opportunities to network with and learn from industry peers. 

Internal audit executives may assume that educational programs offered by IIA chapters target junior auditors. Truth is, chapters develop a range of sessions for audit professionals across the experience spectrum. Some upcoming chapter sessions, for example, will address topics such as understanding new compliance technologies, managing cybersecurity and data privacy risks, improving leadership skills, creating multidimensional risk assessments, and understanding state and federal ethics. Getting involved with your local IIA chapter can also allow you to help shape the programming to meet the ongoing needs of your audit function and overall organization. 

Most boards and audit committees crave educational opportunities and are eager to meet with internal audit executives and risk management professionals for updates on current issues, risks, and processes for operational efficiency. But with so much on their plates, boards often back-burner educational discussions. This presents an opportunity for internal audit executives to be thought leaders by proactively suggesting topics and scheduling presentations to the board and audit committee. 

These presentations should go beyond rundowns of routine activities. Demonstrate your expertise by discussing forward-looking topics such as the move toward continuous auditing, highly sophisticated cybersecurity threats, upcoming data privacy regulations, and risks associated with increased organizational complexity. These types of strategic discussions can help elevate internal audit’s visibility in the C-suite and demonstrate its value to the overall organization. 

As the responsibilities of internal audit rapidly evolve, internal audit executives should weigh their existing professional skills and those of their team against what will be needed five years down the road. Keep in mind that solid risk management/internal audit professionals are hard to find and even harder to keep. Internal audit executives need to start thinking now about how they are going to build, develop, and secure the skill sets needed going forward. 

Additionally, it may be a good idea to develop a specialty in a specific discipline, such as data privacy compliance or analytics. The future belongs to internal audit professionals and executives who have an in-demand specialty they can hang their hat on. Consider the start of a new year as an opportunity to elevate your personal brand and the perception of the function you lead. 

By  taking the time early in the year to think about these six areas, you can continue building a value-added internal audit function that is focused on the most relevant risks currently facing your organization.

George Gallinger, Principal, Governance, Risk, & Compliance National Director

973.871.4060