The beginning of a new year provides the perfect opportunity for internal audit leadership to reflect and prioritize internal audit initiatives for the year ahead. Here are six actionable areas of focus for 2020 that will help you lay the groundwork for your future business plans and identify ways to support your organization’s long-term business objectives.
Today’s connected technology ecosystems generate considerable amounts of sensitive data that are vulnerable to compromise. At the same time, compliance mandates like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have created sweeping new data privacy obligations – and there’s no end in sight to new and evolving privacy regulations.
Understanding your organization’s unique data privacy risks and compliance requirements is a multifaceted, complex undertaking. It will require an “as-is” assessment that includes an in-depth review of your privacy program. This review should aim to gain an organizational understanding of what personal data is collected, stored, processed, and shared. You should also have institutional awareness of the technologies and processes that should be in place to safeguard this sensitive information.
Many organizations are not spending enough time thinking about the risks that their third parties bring to the table. Their risks can easily become your risks, so it’s essential that you assess your risk exposure related to them. It may sound extreme, but you should also understand who your vendors’ business partners are and how those entities address risks such as cybersecurity and privacy, to name just two.
Many internal audit functions still execute their responsibilities using audit methodologies that are very manual and rely heavily on disconnected software like spreadsheet programs. Internal audit executives need to find, understand, and adopt new technologies that can improve audit efficiency relatively quickly. Taking advantage of commonplace technologies will further boost the internal perception of your internal audit function’s value.
Internal audit executives should also look to identify opportunities to create efficiencies that enable your function and your organization to reduce the cost of ongoing compliance efforts around complex regulations, such as Sarbanes-Oxley. The cost of compliance-related activities in general remains significant because of factors such as new standards for external auditors, evolving accounting and auditing rules, rising cybersecurity risks, and new privacy regulations. Any efficiencies gained give you the added benefit of redistributing resources to work toward other key organizational objectives.
Many audit professionals don’t take full advantage of the extensive resources offered by the Institute of Internal Auditors (IIA). Local IIA chapters provide a wealth of educational seminars, roundtables, and training sessions, as well as opportunities to network with and learn from industry peers.
Internal audit executives may assume that educational programs offered by IIA chapters target junior auditors. Truth is, chapters develop a range of sessions for audit professionals across the experience spectrum. Some upcoming chapter sessions, for example, will address topics such as understanding new compliance technologies, managing cybersecurity and data privacy risks, improving leadership skills, creating multidimensional risk assessments, and understanding state and federal ethics. Getting involved with your local IIA chapter can also allow you to help shape the programming to meet the ongoing needs of your audit function and overall organization.
Most boards and audit committees crave educational opportunities and are eager to meet with internal audit executives and risk management professionals for updates on current issues, risks, and processes for operational efficiency. But with so much on their plates, boards often back-burner educational discussions. This presents an opportunity for internal audit executives to be thought leaders by proactively suggesting topics and scheduling presentations to the board and audit committee.
These presentations should go beyond rundowns of routine activities. Demonstrate your expertise by discussing forward-looking topics such as the move toward continuous auditing, highly sophisticated cybersecurity threats, upcoming data privacy regulations, and risks associated with increased organizational complexity. These types of strategic discussions can help elevate internal audit’s visibility in the C-suite and demonstrate its value to the overall organization.
As the responsibilities of internal audit rapidly evolve, internal audit executives should weigh their existing professional skills and those of their team against what will be needed five years down the road. Keep in mind that solid risk management/internal audit professionals are hard to find and even harder to keep. Internal audit executives need to start thinking now about how they are going to build, develop, and secure the skill sets needed going forward.
Additionally, it may be a good idea to develop a specialty in a specific discipline, such as data privacy compliance or analytics. The future belongs to internal audit professionals and executives who have an in-demand specialty they can hang their hat on. Consider the start of a new year as an opportunity to elevate your personal brand and the perception of the function you lead.
By taking the time early in the year to think about these six areas, you can continue building a value-added internal audit function that is focused on the most relevant risks currently facing your organization.