The year 2020, just like 9-11, has forever changed our world. The events that swooped down and entered our lives in the early part of the year have transformed the way we work, live, and play. Changes occurred rapidly and may have been ones never envisioned.
For the internal audit profession, many are speaking about "how internal audit can attain or retain relevance." Remaining relevant or attaining relevance in our "new normal" will require a concerted effort.
Less than a year ago many professionals would have never dreamed that the "close the books" process could be executed through remote work arrangements. Then 2020 struck and organizations adapted while technology evolved. Those things didn't happen overnight. Management teams had to really look within their own procedures and skill sets and determine how to adjust and make things happen.
To remain in the "relevant" category, internal audit should consider the actions below.
2020 has both taken and given us many things. One thing it has given us is the opportunity to re-evaluate our individual work habits and processes for signs of needed change or evolution. An immediate reaction by many internal auditors may be to identify how they can "shuffle the cards" and maintain presence with management and stakeholders. I challenge internal audit groups to first look deeper within their own ranks.
Internal audit, now more than ever, must continue to evolve and adjust to the new normal (whatever that is). Examine your departmental tools, skills, reporting line structure as well as your own processes and procedures.
There may be many ways where the shift experienced in 2020 has impacted the manner in which internal audit should approach its work and projects as well as its overall strategic purpose. In other cases, you may find the evolving world requires a new focus on skill set or communication skills. Whatever the case, take the opportunity to execute your own evaluation before the organization makes the decision for you.
Throughout the pandemic, technology advances have evolved numerous times and accelerated the pace of change that all organizations must adapt to. With this evolution comes increased risk, not only on the technical side but also on the people and resource application side.
Internal auditors must embrace the new norm, ensure they have the appropriate knowledge of new technology applications, and understand the risks that come with our increasingly vulnerable cyber world. I am not advocating that all auditors have an IT background, but in today's world, it is imperative to focus on understanding the concepts embedded in technology and how the controls the organization selects will enhance or mitigate potential issues.
Examine Internal Resources
During 2020 many internal audit groups may have loaned resources to other areas of the company. Much of this was out of need; however, it has brought a new dynamic to our profession. Work loan programs, rotation of auditors, cosourcing, and training programs are going to become part of our next normal. This will require a strong leadership mentality to ensure new members of the internal audit function fully embrace the International Standards for the Professional Practice of Internal Auditing and internal audit protocols, including independence, objectivity, and professional skepticism.
Before the pandemic, many internal audit groups were evaluating the concepts of agile auditing. Agile auditing incorporates a project-based approach to auditing and requires a complete shift in the mindset of both auditors and management. A complete agile audit approach may be difficult to embrace at this time. However, auditors can evaluate the concept more deeply and identify elements within the approach that may work for their organization. Staying agile to changing needs will be critical to maintaining relevance in a crisis world.
This may be the last thing on management's mind at this time. However, the change in work habits has created a new dynamic in the functioning of all aspects of the organization. Internal controls are more important than ever.
If your company must report on compliance with the U.S. Sarbanes-Oxley Act of 2002, it is safe to say many of your previously identified key controls have altered or changed. Outside of internal controls over financial reporting, control processes have certainly changed due to work arrangements, technology, and availability of personnel.
Now is not the time to take your eye off the ball. It is critical that management understand the risk presented if controls have been altered, changed, or limited. Internal auditors must maintain their focus on this core area and protect their organizations, which may face the "opportunity" segment of the fraud triangle with individuals taking short-cuts when completing their responsibilities.
These are just a few considerations for internal auditors who want to ensure their organizations continue to embrace the function as one of purpose and relevance to the proper execution of the organization's strategy and work.
Lynn Fountain, CGMA, CRMA, CPA, is an internal control, risk management, and business process consultant in Overland Park, Kan.
Want to be a part of Your Voices? Click here to learn how to contribute a blog post.