Over the past few days, I've been researching recent cyber breaches and came across an insightful article that made me consider how internal audit strategically leverages written communication. It's a simple concept with potentially far-reaching impact. An enterprising reporter wrote in the aftermath of the Equifax breach:
In a keyword search through 5 years' worth of Equifax annual reports, terms that would suggest adequate risk awareness, such as risk management, cyber risk, privacy, data security, data breach, or information security, barely appear at all. In fact, the term cyber risk does not appear once in any of the credit bureaus' annual reports in the last 5 years.
We now know that Equifax was the target of the theft of highly personal information — birth dates, names, addresses, and driver's license, Social Security, and credit-card numbers — impacting more than half the U.S. adult population. In hindsight, I see the conspicuous absence of these words as having a direct correlation to the organization's culture surrounding cybersecurity.
That got me thinking … if we performed this same type of analysis on past audit reports, what would we find? Are boards of directors, audit committees, and senior management seeing what they need to see? What words are we using to effect positive outcomes in our organizations? Are we mirroring or challenging the organization's culture in what we write?
Considering this opportunity and my own research and interactions with leaders in the profession, I've developed a list of the top five words I would expect to show up regularly in audit reports over the next 12 to 18 months:
Cybersecurity – This seems too obvious, but IIA surveys tell us that too many internal audit departments still avoid this area due to lack of funding and staff with the right expertise. Whether you cosource, outsource, or just pay the premium to get the talent you need, this is a critical space to be in. Boards are worried, and internal audit has the opportunity to step up.
Culture – A lot has been written about culture over the past year, and it continues to be top of mind for boards (check out the National Association of Corporate Directors' Blue Ribbon Commission report on culture). Culture is a tough concept to wrap our brains around, and I don't suggest taking it all on at once (see my earlier post, "Bite-sized Culture Audits"). That said, culture is at the root of most issues identified during audits and must be challenged head on to reach lasting solutions.
Disruption – I'm hearing this word so much lately it's almost becoming cliché. However, just because the word is being used a lot doesn't mean it's not referring to underlying risks. I recently wrote about "Internal Audit's Digital Transformation Imperative." The three issues driving internal audit's need for transformation — changes to customer demand, changes to the competitive landscape, and changes to technology — also resonate across our organizations and should be explored as part of any audit.
Talent – At the core of every organization is the talent that keeps it operating. Deploying competent talent efficiently and effectively drives success; but, when done poorly, it leads to failure. Addressing issues surrounding talent can be uncomfortable but is critical to organizational performance.
Data – Whether it's data analytics, data science, data governance, data security, or simply big data, we can all agree that data is intertwined in everything. More and more, organizations are relying on data analytics and machine learning to drive decision-making. Ensuring the completeness, accuracy, reliability, and ethical use of data has become essential to internal audit's relevance.
These are just a few of the words that should get some attention at least through 2018. There are any number of other words that could be relevant to you and your organization. What's important is that internal auditors carefully consider the words we choose, the lasting impression we want to make on our stakeholders, and, more importantly, the positive impact we are trying to have on our organizations.
That's my point of view. I'd be happy to hear yours.