6 internal audit areas of focus for 2020

new year resolution cybersecurity privacy

The beginning of a new year provides the perfect opportunity for internal audit leadership to reflect and prioritize internal audit initiatives for the year ahead. Here are six actionable areas of focus for 2020 that will help you lay the groundwork for your future business plans and identify ways to support your organization’s long-term business objectives. 

1. Take action on neglected risks

Today’s connected technology ecosystems generate considerable amounts of sensitive data that are vulnerable to compromise. At the same time, compliance mandates like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have created sweeping new data privacy obligations – and there’s no end in sight related to new and evolving privacy regulations. 

Understanding your organization’s unique data privacy risks and compliance requirements is a multifaceted, complex undertaking. It will require an “as-is” assessment that includes an in-depth assessment of your privacy program. This review should aim to gain an organizational understanding of what personal data is collected, stored, processed, and shared. You should also have institutional awareness of the technologies and processes that should be in place to safeguard this sensitive information. 

Many organizations are not spending enough time thinking about the risks that their third parties bring to the table. Their risks can easily become your risks, so it’s essential that you assess your risk exposure related to them. It may sound extreme, but you should also understand who your vendors’ business partners are and how those entities address risks such as cybersecurity and privacy, to name just two.

2. Lead your organization into the age of analytics

Internal audit executives should lead the way in implementing risk-related analytics and technologies that continuously monitor for and report anomalies to be investigated. Doing so can boost the efficiency of internal audit and help move the function into the desired value-added, in-house consultative role. Auditing has never been an annual once-and-done practice, but now more than ever, internal audit programs should include some component of routine continuous auditing that is embedded into relevant operations across the organization. This will require internal coordination, the development of new processes, and a cultural change where business leaders leverage internal audit’s consultative expertise as a means of achieving the organization’s strategic objectives. The move to analytics and continuous auditing may initially be a challenge for mid-size and small organizations, which may lack bandwidth and/or skill sets, but they should start taking the first steps. 

3. Do more with less

Many internal audit functions still execute their responsibilities using audit methodologies that are very manual and rely heavily on disconnected software like spreadsheet programs. Internal audit executives need to find, understand, and adopt new technologies that can improve audit efficiency relatively quickly. Taking advantage of commonplace technologies will further boost the internal perception of your internal audit function’s value. 

Internal audit executives should also look to identify opportunities to create efficiencies that enable your function and your organization’s ability to reduce the cost of ongoing compliance efforts around complex regulations, such as Sarbanes-Oxley. The cost of compliance-related activities in general remains significant because of factors such as new standards for external auditors, evolving accounting and auditing rules, rising cybersecurity risks, and new privacy regulations. Any efficiencies gained give you the added benefit of redistributing resources to work toward other key organizational objectives. 

4. Get involved with your local IIA

Many audit professionals don’t take full advantage of the extensive resources offered by the Institute of Internal Auditors (IIA). Local IIA chapters provide a wealth of educational seminars, roundtables, and training sessions, as well as opportunities to network with and learn from industry peers. 

Internal audit executives may assume that educational programs offered by IIA chapters target junior auditors. Truth is, chapters develop a range of sessions for audit professionals across the experience spectrum. Some upcoming chapter sessions, for example, will address topics such as understanding new compliance technologies, managing cybersecurity and data privacy risks, improving leadership skills, creating multidimensional risk assessments, and understanding state and federal ethics. Getting involved with your local IIA chapter can also allow you to help shape the programming to meet the ongoing needs of your audit function and overall organization. 

5. Be a thought leader to your management, audit committee, and board

Most boards and audit committees crave educational opportunities and are eager to meet with internal audit executives and risk management professionals for updates on current issues, risks, and processes for operational efficiency. But with so much on their plates, boards often back-burner educational discussions. This presents an opportunity for internal audit executives to be thought leaders by proactively suggesting topics and scheduling presentations to the board and audit committee. 

These presentations should go beyond rundowns of routine activities. Demonstrate your expertise by discussing forward-looking topics such as the move toward continuous auditing, highly sophisticated cybersecurity threats, upcoming data privacy regulations, and risks associated with increased organizational complexity. These types of strategic discussions can help elevate internal audit’s visibility in the C-suite and demonstrate its value to the overall organization. 

6. Evaluate your professional skills

As the responsibilities of internal audit rapidly evolve, internal audit executives should weigh their existing professional skills and those of their team against what will be needed five years down the road. Keep in mind that solid risk management/internal audit professionals are hard to find and even harder to keep. Internal audit executives need to start thinking now about how they are going to build, develop, and secure the skill sets needed going forward. 

Additionally, it may be a good idea to develop a specialty in a specific discipline, such as data privacy compliance or analytics. The future belongs to internal audit professionals and executives who have an in-demand specialty they can hang their hat on. Consider the start of a new year as an opportunity to elevate your personal brand and the perception of the function you lead. 

By  taking the time early in the year to think about these six areas, you can continue building a value-added internal audit function that is focused on the most relevant risks currently facing your organization.


George Gallinger, Principal, Governance, Risk, & Compliance National Director


Subject matter expertise

  • Contact George George+Gallinger george.gallinger@cohnreznick.com
    George Gallinger

    CIA, CFE, Principal, Risk Advisory, Global Consulting Solutions

  • Close


    Let’s start a conversation about your company’s strategic goals and vision for the future.

    Please fill all required fields*

    Please verify your information and check to see if all require fields have been filled in.

    Please select job function
    Please select job level
    Please select country
    Please select state
    Please select industry
    Please select topic
This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. Neither CohnReznick LLP or its personnel provide legal advice to third parties. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees, and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.