Digitalization Expands Audit Scope Into New Territory

David Brand, Managing Director IT Audit
Ari Sagett, Managing Director IT Audit

Organizations across industries are racing to migrate analog approaches to customers, products, services and operating models to an always-on, real-time and information-rich digital business model. Using technology and digital advances, such as analytics, social media and smart embedded devices, these organizations are radically improving the performance and reach of their enterprises. This has profound implications for the scope of internal audits, as digitalization crosses departmental and even enterprise boundaries. We spoke on this topic at the IIA All-Stars Conference in Las Vegas in October, and we want to share some of those thoughts with you here.

The digital transformation is being largely driven by customer expectations for real-time, online reporting of account activity, 24/7 access to their accounts, transactions approved in minutes, purchased devices that are ready for immediate use, and more. Companies must adapt and accelerate processes throughout their organization to meet these expectations. The technologies that make this transformation possible include:

  • The Cloud – Cloud computing offers agility, allowing companies to tap into services outside of their core operations and cutting the costs associated with physical server maintenance.
  • Analytics – Big data empowers analytics, which generates unprecedented insight to enable real-time decision making.
  • Mobile – Mobility serves as the cost of entry in the consumer market. Businesses seeking optimization are already on board with mobile technologies.
  • Social – Social technologies allow for rapid creation and sharing of knowledge over social networks, enhancing reach and connectivity with customers and collaboration and information sharing across the business.
  • Internet of Things (IoT) – A sign of things to come, the IoT is an online environment in which people, things and even animals are able to connect and transfer data over a network without requiring human-to-human or human-to-computer interaction.

As companies use these new technologies to evolve their capabilities and/or create new business opportunities, they introduce more IT risk. Digitalization has exponentially increased the amount of data produced and collected by companies. It also has allowed the data to be used in new ways by a growing number of parties.

For internal audit, that means a larger sphere of IT risk that now spans the breadth of a firm’s in-house operations, including parts of the business that may not have received priority attention from internal audit in the past. That sphere extends beyond the company too, to third-, fourth- and fifth-party vendors entrusted with sensitive customer information and trade secrets.

The risks manifest both in areas that have received lots of attention – cybersecurity, data privacy, IT governance, data management, and fraud – and in emerging risk areas such as digital culture, digital disruption, digital interdependence, globalization of IT and more.

As organizations progress through the lifecycle of transformation (strategy, execution, ROI, security), digitalization will have a progressively greater effect on audit plans. Data protection, loss detection and incident response plans will become a higher priority, as will information governance and data privacy audits. As mobile technologies and applications proliferate, the audit scope will need to expand to assess data encryption, mobile device management practices, and security risks in application development.

The more an organization relies on third-party providers for applications, electronic payments, analytics and infrastructure, the more the internal audit scope should expand to include third-, fourth- and fifth-party vendors. The aim is to assess vendor preparedness and ensure that data is secured and managed in a manner consistent with the company’s data management policies and in compliance with applicable regulations.

Internal auditors need to recognize the potential risks of digitalization and incorporate that thinking into everything they audit – from data sensitivity to compliance with information governance protocols, to culture audits that ensure the organization is embracing innovation in an informed manner. To cover the new, and technical, areas of risk, auditors must utilize and be comfortable with current technologies as well, particularly data analytics.

Technological advancement is an unstoppable force. Customers are demanding innovation. It is therefore essential that risk, compliance, security, and internal audit teams act as enablers of innovation with technological insight, curiosity and savvy. It’s a challenge we cannot afford to turn away from.
