Digital advances, such as big data analytics, mobility and smart connected devices are radically changing not just business processes, but entire operations. Companies across industries are racing to migrate analog approaches to customer interactions, products, services and operating models to an automated, always-on, real-time and information-rich marketplace. For internal audit, this means that IT risk is no longer limited to the traditional audit focus areas, but now spans the breadth of a firm’s operations (including areas that may not have been featured prominently in internal audit’s annual audit plan). And as companies store and process higher volumes of data in support of these automated routines, data governance remains critical.
Accordingly, internal audit departments need to consider the elevated risks this wave of digitization and automation may bring to day-to-day enterprise operations. Take customer service, for example. If routines are automated and customer service representatives now have lots of personally identifiable information on customers stored on workstations and network servers, then the risk profile of that department is elevated, and internal audit should evaluate controls to ensure that these potentially lower priority business functions are being considered and addressed in the context of technology risk.
We explored these challenges in our September 14th webinar, Digitization: What Does This Mean for Internal Audit. A recorded version is available on our website. More than 1,000 practitioners logged in for the live broadcast, which isn’t surprising considering that technology and data concerns topped the list of internal audit priorities in our 2016 Internal Audit Capabilities and Needs Survey.
Big data has also given rise to new, or emerging, risks. Cybercriminals are working both inside and outside of companies to capitalize on the massive and growing universe of valuable personal and private information. Regulators are promulgating policy and guidelines governing the security and privacy of the expanding universe of valuable and sensitive data. New technology-driven competitors are changing the competitive landscape. And older companies are trying to become more agile and innovative, replacing in-house data centers with cloud infrastructure.
As organizations embark on the digital transformation journey, it is incumbent upon the internal audit function to work with operational managers, risk managers, senior executives and the board to provide assurance that organizations continue to have the right controls, data governance, and compliance practices in place. In some cases, the internal audit function may serve a valuable role in educating stakeholders about the nuances of digitization and the associated risks.
Of course, all of these new responsibilities are over and above the traditional core functions, which cannot be neglected. Chief audit executives should ask themselves the following questions:
- Does the current internal audit plan consider digitization risks?
- Does IT leadership have a solid understanding of potential control impacts associated with digitization?
- Does the audit team understand digitization?
- Do our auditors have the right skills to effectively evaluate digitization risks and controls?
- Does the internal audit function understand the impacts that digitization may have on data privacy, cybersecurity and other regulatory compliance obligations?
There is no doubt that by embracing digitization, organizations can maximize opportunities and drive competitive advantage. By providing assurance over the organizational risks posed by digitization, the internal audit department can give senior management and the board the information and confidence they need to embrace the digital future.
Is your internal audit team ready for the digital transformation? Share your thoughts in the comment section below.