Organisations are rapidly rolling out digital initiatives in an arena defined by more data, more automation, sophisticated cyber attacks, and constantly evolving customer expectations.
In some ways – for internal audit functions – the situation is not new: technology risks and controls have already been on their agendas for decades, and most can reliably deliver a technology audit.
Our 2019 Global Risk, Internal Audit and Compliance Survey of 2 000 executives (half in risk functions) shows that, as organisations move through digital transformation, internal audit functions that are more digitally fit are more effective at helping their stakeholders make better decisions and take smarter risks in the face of changing risk profiles.
But (1) what does digital fitness mean, and (2) what can internal audit functions focus on to become more digitally fit?
(1) The definition is twofold:
(a) Having in place the skills and competencies to provide strategic advice to stakeholders and to provide assurance with regard to risks from the organisation’s digital transformation, and
(b) Changing the function’s own processes and services so as to become more data-driven and digitally enabled, so that the function can align with the organisation’s strategic risks and thereby anticipate and respond to risk events at the pace and scale that the organisation’s digital transformation requires.
(2) As part of our survey we have shared the following 6 ways for internal audit functions to advance in their digital fitness:
(i) Assess your internal audit function’s current staff in the context of the organisation’s overall digital strategy. Consider ways to jump start your journey by taking advantage of resources in other parts of the organisation, and/or through third party partnerships, including co-sourcing.
(ii) Collaborate with the other lines of defence to help the organisation develop a common digital governance platform that will make sure that digital technologies are developed consistently and contain safeguards. When such frameworks don’t exist, consider the risk to the organisation.
(iii) Consider building an ongoing data governance audit into the audit plan in order to provide assurance with regard to the organisation’s data, which is critical to achieving the ongoing success of many of the emerging digital technologies.
(iv) Follow a consistent framework to identify and evaluate activities throughout the internal audit life cycle with a view to finding the best candidates for automation (e.g. areas with a large population).
(v) Align with other lines of defence to develop a common point of view on risks and rethink the traditional risk assessment in order to recognise the importance of risk velocity.
(vi) Identify new data-driven and technology-driven capabilities and service offerings – such as continuous auditing of critical controls – in order to monitor high-risk areas in real time.
Birgit de Lange is an associate director: risk assurance services at PwC Namibia. Contact her at [email protected]