june 2017 58 Internal audItor
opportunity from disruption
early in the process and bringing a risk
mindset to the business as it sets its
strategy and tactics.
Early and consistent involvement
in disruption requires internal audit
to get ahead of disruption and be flexible and responsive as it occurs (see
“Rethinking Internal Audit” on this
page). To do so, the department needs
to build certain traits into its DNA to
create the agility needed. Agile internal
audit functions are those that are adding significant value in areas of disruption by demonstrating six traits.
Be Forward Thinking
The key to becoming agile is being
more proactive than reactive. That
means staying on the forefront of
potential business disruption and recognizing that priorities may change
quickly during the year — 84 percent of
agile internal audit functions are mindful of disruption risk and include the
possibility as part of audit plan development (vs. 50 percent of less agile survey
respondents), according to the State of
the Internal Audit Profession study.
Use a Strategic Planning Process
Define how the department will change
its processes, technology, and talent to
keep pace with the business. This process
is more than an administrative “nice to
have;” it’s a road map to internal audit’s
vision. These changes will take time,
budget, and stakeholder buy-in.
Think Differently About Internal
Audit’s Risk Assessment Process
Many organizations are doing away
with a robust, annual risk assessment
interview/survey process and incorporating more frequent processes such as
semi-annual or quarterly assessments.
Consider whether internal audit interacts enough with key stakeholders
throughout the year to keep a more
real-time view of likely disruptions and
the top risks to the business.
risk universe to the organization’s
Create Flexibility in the Audit Plan
If there is no room left in the plan
after accounting for recurring activities, then it is difficult to find time for
more value-added, risk-based projects
aligned to disruptive risks. Allocate a
percentage of the audit plan to more
proactive and strategically aligned
audits, of which disruptive events are
a part. Also, allocate a portion of the
plan to ad-hoc, management requests,
or a “buffer” category to gain flexibility
during the year as issues arise.
Reassess Internal Audit’s Risk
Universe This assessment can confirm whether the risk universe captures emerging risk areas and more
holistic risk topics that may not yet
be embedded within company operations. If the universe is merely capturing everything that exists within
the organization today, it is hard to
anticipate what disruption-related
risks could be coming. These risks, by
nature, are ones that may not have an
“owner” yet, and therefore are often
missed in functionally organized risk
universes. One way to mitigate omitting key risks is to formally link the
Rethinking inteRnal audit
With stakeholder expectations evolving, internal audit leaders need to help their internal audit functions think differently and push beyond standard objectives and deliverables. to paraphrase
albert einstein, one can’t keep doing the same things over and over again
and expect different outcomes. audit leaders must think more strategically about where they are operating today and what their ideal state
would be by asking themselves:
» is the internal audit function doing anything different today than it did
three years ago?
» are those differences marginal or more transformative?
» is internal audit realizing value from those changes?
» Should audit leaders rethink how they are measuring the department’s value?
» is transformation and disruption within internal audit required to
remain relevant to the business?
One thing that distinguishes internal audit functions that have developed
the agility to embrace disruption is that they appear to have a broader
view of what is deemed an “auditable risk” than their less agile peers.
this is evidenced by their consistent involvement across many disruptors.
these functions are twice as likely as their peers to be involved in less
traditional, but high-value areas such as helping the organization respond
to operational disruption, changes in business strategy, brand and reputation incidents, and digital innovation. they also are far more likely to be
involved early in the disruption and strategic business decision-making
cycle. they do more to help their organizations proactively manage disruption before processes are fully developed. Moreover, they provide a
point of view around disruptive events beyond identifying existing process
or control gaps, and they are twice as likely to assist in identifying the
potential for a disruptive event to occur.