As we head into 2015 and Internal Audit (IA) organizations finalize their audit plans, it's always interesting to hear what they're going to focus on and how that aligns with management's perceptions of risk. Recent surveys of audit organizations by several global auditing and consulting firms show that some of the top global risks audit groups are discussing with their audit committees and including in their audit planning are:
- Regulatory changes and scrutiny
- Cyber risk and data security
- Reputational risk
- Business innovation
- Talent recruiting and succession planning
- Economic conditions restricting growth
- Timely risk identification and escalation
- Disruptive innovations and IT
It's refreshing that a separate survey of CEOs also rated most of these risks as high priority, the one exception being financial performance, which CEOs ranked highest. Some of these risks are areas IA is adept at dealing with, such as risk identification or regulatory changes and compliance. But how does IA evaluate economic conditions restricting growth, or talent recruiting and succession planning? Even more difficult is a nebulous topic like reputation risk, because so many factors can affect it, ranging from cyber attacks to social media campaigns to inadequate responses to business or IT disruptions.
On top of these risks being factored into the ongoing motions of audit planning and execution are the recent changes to Institute of Internal Auditors (IIA) standards and the COSO 2013 guidelines, which many companies are electing to implement soon or are in the process of implementing. By the way, these two areas were also frequently listed as risks to IA organizations.
The question becomes: how does IA factor these risks into its audit plans? How are these risks audited? What controls need to be considered to mitigate them? Finally, what metrics need to be monitored to show whether progress is being made? All of these questions become harder to answer as IA groups face risks that are increasingly diverse and strategic to the organization's business objectives.
I won't disclose the answers here, but in an upcoming white paper I'll discuss these risks and some real-life examples of how IA groups are addressing them, as well as how an integrated Governance, Risk and Compliance (GRC) program can significantly help. In the meantime, have happy holidays, and if you want to contact me directly, I'm at Patrick.firstname.lastname@example.org.