This article was published by cebglobal.com
Change management projects, a desire for leaner operations, and cybersecurity risks should all be on Internal Audit's radar
Over the past decade, the risks that companies face have changed a lot. In particular, they have had to identify and manage more “strategic” risks – those that could spell the end for a company if it succumbs – and include things like a sharp decline in demand for core products, or a failure to identify asset price bubbles that will leave a firm with a destructive amount of debt.
This has changed the way internal audit teams must provide assurance to take these kinds of risks into account. But the needs of board members, senior managers and front line managers have also changed, and diverged in many cases, and internal audit teams must now make sure they balance their focus on strategic risks for board members and senior managers with traditional compliance-oriented assurance for more junior colleagues.
This shift in the types of risk and the types of assurance needed coalesces into three main trends that auditors should watch out for in 2016.
A lot more change on the way: With a patchy return to growth, and some economies facing recession, companies will have to work hard to keep pace with pressure from investors to produce revenue growth and, in turn, are likely to pass some of that pressure on to their own employees. This is also likely to cause senior managers to launch a raft of big and disruptive “change initiatives,” which are tough for employees and pose new and different risks.
CEB research shows that a rise in the number of change initiatives leads to a drop in risk management effectiveness at the frontline of the business, decreased productivity and a higher likelihood of employee attrition. So Internal Audit’s assurance efforts should focus on the effects all this change is having, especially on employees and the decisions they make.
Leaner operations will bring more regulatory and reputational risk: As companies strive for leaner operations, they rely more heavily on third parties, joint ventures, and sourcing important inputs from a single company. This increases exposure to risks outside the company (like a spike in commodity prices that might hurt an important supplier). It also diminishes risk oversight, as companies must rely on the risk management (and compliance) capabilities of third parties, which may not meet the same standards.
On top of that, companies are more complex and interconnected than they’ve ever been, and will only become more so. This makes it harder to anticipate and respond to risks, particularly regulatory risk. With an increase in the use of third parties, and expansion into new markets and geographies, companies are subject to more complex regulatory regimes, especially when it comes to things like data privacy or international tax planning, where regulatory and reputational risk has increased the most.
Digitization means ever more information risk: For many years, only technology firms based their innovation and growth plans on IT. But now firms from all industries, even traditional ones like utilities and retailers, use information and digital technologies to adapt their business models and create new business opportunities.
This has created an exponential increase in the amount of data produced and collected by any company on an increasing number of devices and networks. For internal audit teams, this has meant that information and technology risk has expanded from being a purely functional risk to an operational one spanning the breadth of a firm’s operations. There is a wealth of cybersecurity risks, generated particularly by employees, and of compliance and data privacy risks due to all the personal information being collected, collated, and analyzed (especially so since the demise of the “safe harbor” agreement).
To support the business properly and provide assurance over an ever-growing risk universe, Internal Audit should do four things.
First, find efficiencies in their traditional work through the use of data analytics or automation. Second, acquire the skills to provide assurance over these types of risks, either through internal development of skills (e.g., in technical areas) or by coordinating with other assurance groups, such as information security and data privacy.
Third, alter the cadence and nature of assurance activities, moving from retrospective reviews of static processes to reviews of processes in flux. Fourth, given the greater interconnectedness and complexity of risks, Internal Audit must also adapt its risk assessments to draw out the causal relationships between risks and their causes.