A Quick Overview of the 2019 Pulse of Internal Audit Report
Recently, The Institute for Internal Auditors (IIA) released their 2019 North American Pulse of Internal Audit report, and it is packed with some actionable tips and impressive statistics. They are perfect for the internal audit leader looking to make an impact in his or her organization.
It is a sizable report—40+ pages—so I put together a quick summary of the high points. All in all, there were four main themes: cybersecurity, third-party risks, emerging and atypical risks, and board and management activity.
Let's take a closer look at each.
Topic One: Cybersecurity
"70% of CAEs identify risk of reputational damage caused by a privacy data breach as an area of high or very high concern."
The IIA report found that the largest concern by Chief Audit Executives (CAEs) is, far and above, cybersecurity. And there are some troubling statistics: with malware on the rise and huge, million-dollar-plus price tags attached to cybersecurity incidents, keeping data safe is enormously important.
Make sure you have secure tools in place to keep your risk, audit, and controls data safe, and house it on the cloud to make it all accessible (with the right permissions, of course).
Topic Two: Third-party risk
"CAEs must elevate the discussion to ensure management and the board understand that third-party relationships contribute to the overall ecosystem of risks and are not separate from the organization."
As mentioned in a recent white paper, 6 Hot Topics in SOX Compliance, simply being affiliated with risky third parties in any capacity can potentially burden the reputation of a company. That is exactly the sort of thing that petrifies risk officers.
According to the survey, 21% of CAEs describe their organizations’ third-party selection processes as ad hoc, weak, or nonexistent. The time is right to bolster yours. Make sure your GRC vendor is stable, has third-party validation, and is put through the same rigor and process you would expect of any other kind of vendor.
If you are not sure the things to be looking for in this instance, download this Internal Audit Technology Purchasing Checklist.
Topic Three: Emerging and atypical risks
"CAEs report a 36% gap between actual vs. desired assurance over readiness and response to cyber threats."
Many internal audit departments report a sizable discrepancy between their current efforts as compared to what is really needed to provide assurance for risk—colloquially known as "the effort gap."
Most notably, the effort gap exists between emerging and atypical risks. For example, while cyber and IT issues have grown to represent nearly 20 percent of the average audit plan, the two risk areas individually continue to lag behind issues considered lower risks by boards, such as operational, financial reporting, and compliance/regulatory.
Topic Four: Board and management activity
"53% of board directors responding to a National Association of Corporate Directors (NACD) survey said the quality of management reporting must improve."
It is one thing to provide reports to the board, but another to provide complete, accurate reports. Boards are putting increasingly more scrutiny on the information they receive from management and from internal audit teams.
As the report suggests, boards need better—not more—information from management. Teams should revisit the technology they employ to streamline internal audit processes and create stronger, more actionable, and detailed reports.
One last thing
Any area of misaligned risk presents evident, substantive risks to organizations and undermines the confidence in internal audit should things go awry. And, when they do go awry, it is usually the internal auditors who are first on speed dial.
As an auditor, my biggest nightmare is missing a risk entirely and failing to bring it to the attention of the company. Today, technology is available to put that nightmare to rest and help innovate and maximize the value and influence of internal audit.
It is up to internal auditors to take the first step to keep our companies safe today and in the future.
About the Author
Ernest Anunciacion, Director of Product Marketing, brings over 15 years of experience in internal audit, risk management, and business advisory consulting to Workiva. Ernest is a Certified Internal Auditor and Six Sigma Black Belt. He holds an undergraduate degree and an executive MBA from the Carlson School of Business at the University of Minnesota.