KnowledgeLeader Blog

How to Improve Internal Audit's Capabilities and Needs

Written by Protiviti KnowledgeLeader | Tue, Mar 10, 2020 @ 03:00 PM

Ongoing professional development is essential for today’s internal auditors, previously outlined in Protiviti’s 2013 Internal Audit Capabilities and Needs Survey. The results of the survey provide plenty of food for thought on the importance internal auditors assign to professional development in the light of a rapidly changing environment with new challenges at every turn. At the same time, internal auditors are enjoying a broader range of career paths and becoming innovative thinkers to meet the needs and challenges of a changing environment.        

SOCIAL MEDIA AND AUDIT PROCESSES

Social media has been identified as the top need-to-improve area, primarily due to its rapidly growing use throughout the enterprise and the attendant risk it brings. Among the top tangible risks associated with social media and the audit process are disclosure of company information, ethical use of social media, disclosure of employee information, approved use of social media applications, information security, an organization’s purpose in using social media, approved use of community forums and employee training.

Social media risk already is on the radar of most professionals. Fifty-five percent reported that they are or will be addressing social media in next year’s audit plan. The top-three ranked areas of risk were brand or reputation damage, data security, and regulatory compliance.

As of lately, social media risk management capabilities have been ineffective or moderately effective; however, successful auditing in this area yields several perceived benefits. The top three were the ability to monitor reputation risk, to identify risks early on and to reinforce the overall business strategy. Roadblocks to surmount include inadequately trained staff, perceived risk, lack of management support, inadequate technology and lack of IT support.

Social media is one of the newest and most exciting areas that auditors are diving into – a medium in which a lot of organizations have various exposures. Internal auditors need to think through these risks to see how they can address them with existing internal audit plans and practices. That starts with how the organization utilizes social media risk, which is often a hard question to answer.

GENERAL TECHNICAL KNOWLEDGE

Survey respondents ranked social media applications as the top need-to-improve area of competency in terms of technical knowledge. Others involved keeping up with recently enacted IIA Standards, technical support and cloud computing.

Compared from the results of 2011 to 2013, highly dynamic social media opportunities exist for organizations – but also a host of new security, privacy, legal and reputation risks for internal audit to recognize, understand and monitor. Applying a rigorous and regimented process for identifying and modifying social media presents a difficult challenge for the internal audit function. Similarly, dynamic knowledge areas inside and outside the organization require improvement, whether it’s harvesting big data or responding to the external needs of upcoming changes in framework such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Also, changes in IIA Standards and supporting technical knowledge will require an auditor to remain diligent in their day-to-day activity.

The trend is similar for chief audit executives, whose responses mirror those of the general internal audit constituents. A three-year comparison shows social media and cloud computing have risen in prominence: an indication that auditors are getting more comfortable with those concepts. General technical knowledge of the COSO internal control framework and other changes also remain high among CAEs and their staff.

With the recent release of the 2013 COSO Framework, the COSO cube has been expanded and updated to provide implications of other changing governance structures within organizations. These conditions call upon auditors to understand the governance oversight, globalization and overall enterprise risk. Auditors at all levels are starting to recognize that they can be instrumental in helping to educate and dedicate the framework to their organization.

AUDIT PROCESS KNOWLEDGE

Fraud detection/investigation, prevention and monitoring are also key priorities that need improvement. And for the fourth consecutive year, data analysis tools and computer-assisted audit tools (CAATs) surfaced as need-to-improve areas.

Internal audit plays a key role by working with organizations to assess and manage big data-related risks. Specifically, internal auditors must audit processes related to governance, classification, retention and security; at the same time, auditors are users of big data. Availability of all this information to IA provides an opportunity to use it in audit scoping, audit execution, continuous monitoring and fraud monitoring.

Also, as more tools are released, the need for internal audit to be current on the newest technologies increases. Comparing 2013 results with the results of 2011, auditing IT and new technologies ranked number two on the CAEs’ list of priorities. As new technologies involving cloud computing and tools around development, productivity and modeling technologies are adopted more quickly than in the past, there’s a need for IT to understand them and their associated risks. For internal audit, this becomes a challenge.

Internal auditors in midsize companies link quality assurance and improvement together as a high need-to-improve review area. This is reflective of a mature internal audit department, one having a defined QA review process in place following IIA Standards. Many of these organizations may meet the five-year QAR requirements but often fall short of having a defined internal review process.

Many organizations, when looking at big data, have focused on how to manage risk associated with such centralized data and the additional risks that occur around security, compliance, segregation of duties and continuity.

The focus recently has been on fraud risk and how to better leverage this data to identify and mitigate the serious problem. The Association of Certified Fraud Examiners in 2013, reported that companies lose $3.5 trillion to fraud each year. It is a risk that every organization, regardless of size or structure, must address. 

There are more opportunities now for auditors to leverage technology. Previously, we looked at subsets of information and now we can examine real-time data across the entire organization and do full sample-set testing. Organizations must find more ways to effectively use the tools available to them.

PERSONAL SKILLS AND CAPABILITIES

The survey polled 19 areas of personal skills and capabilities. Among them, dealing with confrontation, negotiation, persuasion, high-pressure meetings and public speaking rank as top areas for improvement.

The personal skills and capabilities internal auditors acknowledge as key areas for improvement in 2013 reflect the functional strategies and challenges they confront. The transformative nature of social media, ongoing economic volatility and the ever-quickening pace of business change appear to be motivating the focus on relationships within the organization and how auditors deal with people. Strategic thinking is also identified as a critical priority, suggesting another positive development for the profession: internal audit is being called on more often to provide insight and analysis before strategic decisions are made, and ultimately those decisions include key considerations related to risk and opportunities.

The key difference between the CAE and the overall internal audit results is that the CAEs are seeking to develop more board committee relationships, outside contacts and networking opportunities. Mastering new technology and applications also rank high among them. From the perspective of company size, one can see a pattern of deep personal skills when dealing with difficult areas such as confrontation, negotiation and persuasion – soft skills that are ever in-demand. The outlook for internal audit is very positive, and the people element has never rated higher.

IN SUMMARY

Due to the increasingly complex and integrated nature of business and internal business processes, fewer companies can afford the inefficiencies that occur when business functions, units and teams operate in silos. To monitor and analyze business processes effectively, internal audit must work in an increasingly collaborative fashion with virtually all areas of the organization.

You can read more on this topic in our Annual Internal Audit Plan Report and by exploring these related tools on KnowledgeLeader:

Data Analytics and Mining Guide
Internal Audit Innovation for the Next Generation
Internal Audit Risk Assessment Audit Committee Report