Bridging the Divide: Auditing Digital Risk

Andrew Struthers-Kennedy, Managing Director IT Audit Global Leader
Christine Fitzgerald, Director Internal Audit and Financial Advisory

May is Internal Audit Awareness Month. On the blog, we are focusing on next generation internal audit: what does it look like and how can auditors get there? Subscribe to follow our series.

With longstanding brands collapsing or making significant adjustments to their business models under pressure from digital competitors (the number one risk identified in Protiviti’s most recent Top Risks survey), board members and executives are taking a deeper, harder look at digital risk. And while chief audit executives should be the go-to resource for assurance that digital risk will not upend the enterprise, many are reluctant to take action because they either don’t know where to start or consider it outside their traditional scope.

Reluctant or not, digital risk assurance (along with adoption of next generation internal audit practices and digital capabilities) will be a core focus of next generation internal auditors, so it is imperative that all of us recognize the reality of disruptive forces and embrace the change. We recently conducted a webinar with our colleague Brian Christensen, Protiviti’s global leader of internal audit, to issue a challenge to the profession and help nudge the internal audit community forward. Judging from the more than 2,000 participants, a lot of internal auditors are ready to take the next step.

How to Become a Digital Auditor

According to Protiviti’s latest Internal Audit Capabilities and Needs survey, three out of four audit organizations are pursuing some form of transformation with the objective of advancing their next gen capabilities while also helping the board and executive management to evaluate their digital capability and maturity. To understand and lead this deeper change, individual auditors will need to educate themselves on the realities and risks of the digital world. Reading books on general digital topics, attending conferences, listening to webinars, and even subscribing to techie podcasts are ways for auditors to get ahead of digital risk, which could arise from both the inside (advanced technologies the company is adopting) and the outside (technologies that may blindside the company if adopted by competitors).

There will be new concepts to master – from robotic process automation (RPA) to artificial intelligence (AI) and advanced analytics – and it’s important that auditors embark on that learning curve now. If auditors don’t understand the connection between culture and innovation, RPA, AI, data science, etc., then they will be hard-pressed to be relevant and credible when doing reviews and helping the organization chart a course in the digital environment. Perhaps even more important for achieving next generation proficiency is having an open mind, and the understanding that everything that is impacting an auditor’s personal life from a digital standpoint also impacts them professionally.

Where to Look for Digital Risk

Many auditors have a legitimate question: With so much happening, where do we start? Advancements in technology and data have been so rapid in recent years that long-standing organizations that failed to pay attention have been disrupted and displaced by so-called “born digital” competitors. In the case of many organizations that met their fate at the hands of born digital competitors, it was often a lack of activity – or, at least, a lack of the right activity, at the right pace – that allowed for the rise of the disruptors and led to the demise of the disrupted. It is not hyperbolic to suggest that digital risk is an existential risk for many organizations if ignored.

So, where does internal audit start? In response to a real gap in digital awareness, Protiviti created a digital maturity framework as a way for companies to better understand the core competencies required for digital performance, and also as a way to self-assess and benchmark their digital capabilities on a maturity scale. 

The framework allows a company to evaluate itself across a customizable set of competencies, ultimately resulting in an evaluation of the digital maturity of the organization along the digital skeptic-to-digital leader continuum (skeptics have no formalized plans related to digital and innovation and are often managing in an ad hoc or reactive manner, whereas leaders are digital at the core and have a proven track record of disrupting business models). More important, the framework allows an organization to evaluate the capabilities and/or attributes that it needs to succeed, rather than just rate the initiatives in progress. 

By adapting and using this framework, even internal auditors still working through the early stages of their own digital learning can drive productive and thought-provoking discussions with stakeholders related to digital capability, initiatives underway, and areas not being addressed. Internal audit functions are typically very good at evaluating activity (things a company is doing) and providing observations and recommendations, but not always as good at identifying things that a company is not doing that present significant risk. The framework helps highlight these areas of inactivity. Inactivity and a lack of innovation and transformation may not be a high velocity risk, but the potential impacts can be catastrophic with a slow bleed rate over time.

Among internal auditors who have used this framework, many have identified areas for audit focus that were not identified through traditional risk assessment and audit planning activities. We have also seen internal auditors use this framework as a way to increase awareness of and focus on digital capability at the board level.


Digital Maturity Assessment Framework

The attributes in the framework are grouped into six focus areas: vision, culture, organizational structure, market presence, technology, and data. Behind each of the 36 capabilities there are detailed capability statements as well as risk statements to provide a comprehensive toolkit for auditors in helping assess digital and innovation risk and maturity.

Under big data analytics, for example, a digital “follower” has employees who are aware of the more traditional data analytics capability, with complex data analytics being done on demand by specialist resources. A “leader” is data-centric in everything that it does, with data specialists engaged on any significant change program.

Similarly, under culture, a “follower” would be someone who recognizes the importance of digital culture, but whose cultural change is driven on an ad hoc basis rather than by design, while a “leader” has developed a positive and motivating digital culture and has aligned hiring practices to recruit and retain individuals who share that vision, establishing innovation and a digital mindset as part of the organization’s DNA.


Digital Maturity Scale – Where Most Companies Fall Today

Internal auditors can use the framework in a variety of ways, including as a standalone assessment at the enterprise level (assessing the organization’s maturity for all relevant capabilities); as a focused assessment of a particular part of the organization (e.g., the organization’s technology capability); as a digital risk or audit universe; to support and enhance existing internal audit risk assessment activities, providing a digital lens through which to evaluate risks associated with activity and inactivity; and lastly, as a way for internal audit to evaluate aspects of its own digital and innovation maturity.

It’s time for internal auditors to move beyond the hesitancy of evaluating digital risk and equip themselves with the tools and knowledge necessary to help their organizations successfully navigate in a dynamic world full of both risk and opportunity. Boards and executives have been clear that the risk of digital disruption ranks high on their top risks list. Internal auditors must respond. Using Protiviti’s digital maturity framework to evaluate their organizations’ digital maturity is a practical step they can take.

For a more in-depth discussion of the framework and digital risk, listen to our recorded webinar.
