The beginning of a new year provides the perfect opportunity for internal audit leadership to reflect and prioritize internal audit initiatives for the year ahead. Here are six actionable areas of focus for 2020 that will help you lay the groundwork for your future business plans and identify ways to support your organization’s long-term business objectives.
Today’s connected technology ecosystems generate considerable amounts of sensitive data that are vulnerable to compromise. At the same time, compliance mandates like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have created sweeping new data privacy obligations – and there’s no end in sight to new and evolving privacy regulations.
Understanding your organization’s unique data privacy risks and compliance requirements is a multifaceted, complex undertaking. It will require an “as-is” assessment that includes an in-depth review of your privacy program. This review should aim to gain an organizational understanding of what personal data is collected, stored, processed, and shared. You should also have institutional awareness of the technologies and processes that should be in place to safeguard this sensitive information.
Many organizations are not spending enough time thinking about the risks that their third parties bring to the table. Their risks can easily become your risks, so it’s essential that you assess your risk exposure related to them. It may sound extreme, but you should also understand who your vendors’ business partners are and how those entities address risks such as cybersecurity and privacy, to name just two.
Many internal audit functions still execute their responsibilities using audit methodologies that are very manual and rely heavily on disconnected software like spreadsheet programs. Internal audit executives need to find, understand, and adopt new technologies that can improve audit efficiency relatively quickly. Taking advantage of commonplace technologies will further boost the internal perception of your internal audit function’s value.
Internal audit executives should also look for opportunities to create efficiencies that enable your function and your organization to reduce the cost of ongoing compliance efforts around complex regulations, such as Sarbanes-Oxley. The cost of compliance-related activities in general remains significant because of factors such as new standards for external auditors, evolving accounting and auditing rules, rising cybersecurity risks, and new privacy regulations. Any efficiencies gained give you the added benefit of redistributing resources to work toward other key organizational objectives.
Many audit professionals don’t take full advantage of the extensive resources offered by the Institute of Internal Auditors (IIA). Local IIA chapters provide a wealth of educational seminars, roundtables, and training sessions, as well as opportunities to network with and learn from industry peers.
Internal audit executives may assume that educational programs offered by IIA chapters target junior auditors. Truth is, chapters develop a range of sessions for audit professionals across the experience spectrum. Some upcoming chapter sessions, for example, will address topics such as understanding new compliance technologies, managing cybersecurity and data privacy risks, improving leadership skills, creating multidimensional risk assessments, and understanding state and federal ethics. Getting involved with your local IIA chapter can also allow you to help shape the programming to meet the ongoing needs of your audit function and overall organization.
Most boards and audit committees crave educational opportunities and are eager to meet with internal audit executives and risk management professionals for updates on current issues, risks, and processes for operational efficiency. But with so much on their plates, boards often back-burner educational discussions. This presents an opportunity for internal audit executives to be thought leaders by proactively suggesting topics and scheduling presentations to the board and audit committee.
These presentations should go beyond rundowns of routine activities. Demonstrate your expertise by discussing forward-looking topics such as the move toward continuous auditing, highly sophisticated cybersecurity threats, upcoming data privacy regulations, and risks associated with increased organizational complexity. These types of strategic discussions can help elevate internal audit’s visibility in the C-suite and demonstrate its value to the overall organization.
As the responsibilities of internal audit rapidly evolve, internal audit executives should weigh their existing professional skills and those of their team against what will be needed five years down the road. Keep in mind that solid risk management/internal audit professionals are hard to find and even harder to keep. Internal audit executives need to start thinking now about how they are going to build, develop, and secure the skill sets needed going forward.
Additionally, it may be a good idea to develop a specialty in a specific discipline, such as data privacy compliance or analytics. The future belongs to internal audit professionals and executives who have an in-demand specialty they can hang their hat on. Consider the start of a new year as an opportunity to elevate your personal brand and the perception of the function you lead.
By taking the time early in the year to think about these six areas, you can continue building a value-added internal audit function that is focused on the most relevant risks currently facing your organization.