Internal Audit Capabilities and Needs: Great “Tech-spectations”

Ari Sagett, Managing Director IT Audit
Christine Fitzgerald, Director Internal Audit and Financial Advisory

With a growing number of companies investing in cloud adoption, digitalization and data-intensive projects, Protiviti’s 2018 Internal Audit Capabilities and Needs Survey makes it clear that internal audit has arrived at a point where it needs to evolve its analytics and technological proficiency among all individuals within the function, as opposed to relying on a single technology “specialist.”

This mandate for change is necessary not only to provide reasonable assurance over increasingly automated business processes, but also to be able to conduct those audits in a timely fashion and meet growing stakeholder expectations for increased assurance and value-adding insights.

Top priorities in this year’s survey results show a strong desire to meet these expectations by becoming more effective in understanding new guidelines regarding the auditing of smart devices and big data. Respondents gave themselves low marks (2.1 and 2.2, respectively, on a 5-point scale) for competency in these two areas. Other priorities center on increasing knowledge and capabilities related to digital transformation and the fundamental changes in the way business is conducted – specifically process automation, cloud computing and IoT.

Robotic process automation (RPA), in particular, is emerging as a central theme in the technology discussion – not only as an efficiency driver within the business, but also as an audit subject and an audit tool. Adoption of RPA is sporadic since many companies today lack standardized processes and suffer system incompatibilities that make it difficult to obtain clean, timely data so processes around it can be automated. Nevertheless, we are seeing a strong desire among companies across industries to better understand and explore ways to leverage the power of RPA.

Standardizing processes is important prep work before investing in RPA tools. Companies need to eliminate process redundancies, unnecessary steps and manual workarounds before a process can be considered a strong candidate for automation. Companies also need to be realistic about their data maturity and address any shortcomings likely to prevent them from realizing a meaningful return on that investment. Automating existing inefficiencies is not what most companies have in mind when they consider RPA.

One of the more revealing findings in this year’s survey was the interest surrounding the cloud, and the significant number of respondents who both gave themselves high marks for cloud computing knowledge and expressed a high need to improve. There is no doubt that this is a reflection of the growing reliance on cloud-based infrastructure across businesses, and the higher priority placed by internal auditors on the need for an effective control framework to manage the associated risk.

Last but not least, respondents report increased vigilance and interest in the risks and potential compliance challenges posed by shadow IT and other “rogue” technology. This is a growing problem created by a tech-savvy workforce that values expediency and functionality over corporate rules they may consider burdensome – if they consider them at all. While it is not the internal auditor’s job to go around hunting for shadow IT, awareness of its existence and scoping an IT audit to identify it definitely does fall into that job description, as is reporting to the audit committee on its risks and the appropriate controls. Internal audit is well-positioned to educate leadership on the risks associated with using shadow IT, along with helping to explore the company’s real reason(s) for using these unsanctioned technologies.  With a better understanding of the root cause, internal audit may be able to help drive better collaboration between IT and other functional leaders who have historically resorted to shadow tactics.

One thing we did not find in the Technology and Analytics section of our survey was complacency – internal auditors are well-aware of a technological “capabilities lag” but they appear poised to close on it quickly, despite the steep learning curve, and reap the benefits in the form of more efficient and valuable audits for businesses increasingly underpinned by technology.

Add comment