4 Risk Trends That Should Be On Every Internal Auditor’s Mind
The modern function of Internal Audit centres on a proactive awareness of risks. Because risks are a constantly evolving threat to organisations, mitigating them whilst planning for their potential consequences is part of an effective risk-based strategy.
With organisations shifting towards digital, and regulatory changes posing an ongoing headache for auditors, these four trends should be at the top of your risk-based audit plan in 2019.
Is your organisation keeping up with digitalisation?
Digitalisation is driving a new form of business that surpasses traditional business models. Driving a radical cultural shift, digital transformation embeds technology in the foundation of almost every aspect of an organisation. As digitalisation is ever-changing, IA needs to keep pace: fail to embrace development and you risk losing credibility with stakeholders; adopt change without precaution and adequate risk mitigation is negated.
The role of internal audit requires continual assessment of the business's plans for digital transformation, ensuring these plans are materialising and assessing whether the business is fully reaping the benefits.
Internal audit functions are not immune to digitalisation, so adapting processes to incorporate technology in the execution of audits should not be overlooked. Audit-specific data mining tools and data sharing tools enable audit to meet the cultural shift towards collaboration and greater connectivity.
General Data Protection Regulation (GDPR)
Since coming into force in May 2018, the European Union General Data Protection Regulation (GDPR) has been the largest change regarding privacy and data protection in recent history. With big-name companies like British Airways and Marriott having already been slapped with huge fines, GDPR clearly poses huge reputational risks and bottom-line impacts. Their most recent fines include a mammoth £183 million fine for British Airways after hackers stole the personal data of half a million of its customers, and a fine of nearly £100 million for Marriott after the personal data of 339 million guests was stolen.
Aside from an extensive knowledge of the requirements of GDPR and how these regulations impact the organisation, Internal Auditors need to continually evaluate an organisation’s level of compliance and test for the risks, gaps and remediated procedures. Beyond this, having an awareness of how EU GDPR affects a company’s subsidiaries and business partners outside of the EU is vital.
The diverse risks of the digital world mean the role of Internal Audit is wide-reaching and imperative. From litigation to customer loss, data breaches and other cyber threats are costly to an organisation’s bottom line and image.
Internal auditors must analyse an organisation’s cyber security processes with reference to best-practice industry standards. These standards are continually evolving, creating the need for continual education and awareness of the cyber industry. Cyber security should include multi-layered defence processes, heightened security breach detection and data encryption processes. Penetration testing further assesses IT control vulnerabilities.
Expertise is everything as an internal auditor, from understanding the organisation’s cyber security procedures to third-party IT dependencies. Characteristically the weakest aspect of a company’s defence system, these third-party relationships should not be overlooked.
Crisis Response – The Four Modern Crises
The continually developing business environment has caused the crisis landscape to change significantly. KPMG identified cyber crises, physical crises, financial crises, and reputation crises due to digital and social media platforms as the four modern crises.
Internal Auditors need a comprehensive awareness of potential and emerging risks. Expertise in effective crisis management and awareness of recent events highlighted in the media is also necessary. Social media, both company pages and employees’ personal accounts, has been a heightened reputational issue for many high-profile companies in recent years. According to the Reputation Report 2018, one in three businesses has noted that negative content damaged their business.
Assessing the leadership’s readiness for crisis situations and crisis simulation with senior management should not be overlooked, along with critical assessment of existing crisis plans.