Halloween is celebrated this week across large parts of Europe and North America, bringing a quirky combination of costumed revelers and things that go bump in the night. While it's safe to say most internal auditors won't be scared by the ghosts and ghoulies who appear at their doorsteps, there are some aspects of the future that should make them tremble.
Technology has accelerated the pace of change to breakneck speed. We are in an era when a backlash to too much change in too short a period of time is affecting diverse areas of our lives, from our politics to how we communicate to the security of our jobs. Some of the current geopolitical upheaval and economic uncertainty, I believe, are repercussions of that pace of change. Our profession is particularly susceptible to these challenges.
Below are five issues driven by technology and the pace of change that should spook all internal auditors.
Artificial Intelligence In previous blog posts, I wrote that artificial intelligence (AI) won't fully replace internal auditors. However, the caveat to that statement is that we must adapt as a profession to the monumental disruptions that AI promises to create.
The challenge is multifold. First, we must be aware of how AI impacts how we do our work — where internal auditors could be replaced by technology. Second, we must understand how it will impact the kind of work we do. For example, I believe we are more susceptible to replacement by AI in providing hindsight and insight than we are in providing foresight. Finally, we must recognize that a world highly dependent on AI will present complex new risks that will necessarily drive our audit coverage.
The Information Technology Industry Council (ITI) recently published its AI Policy Principles. One of its top recommendations relates to responsible development and use of AI. In its executive summary, ITI acknowledges that principles must be integrated into the design of AI technologies. As internal auditors, we must be keenly attuned to how AI is integrated and implemented by the organizations we serve. The ITI policy principles identify design and deployment, safety and controllability, robust and representative data, interpretability, and liability of AI systems related to autonomy as key areas of focus. I encourage all internal auditors to, at a minimum, review the executive summary of ITI's AI Policy Principles.
The Proliferation of the Second Line of Defense OK, for those who advocate "five lines of defense" or "no lines of defense" models, bear with me here. In the past, The IIA has examined the blurred line between the second and third lines of defense as described in the 3 Lines of Defense model. Those past examinations focused primarily on the dangers of internal audit straying too far into second-line tasks.
Today, the danger to internal audit relates to stakeholders thinking that second-line-of-defense functions, such as enterprise risk management and corporate compliance, provide all the assurance they need on the effectiveness of risk management and internal controls. In organizations burdened with bourgeoning expenses for oversight functions and internal audit, they are becoming less persuaded by the distinctions we might draw about our objectivity when providing assurance. In this misguided view, it is easy to paint internal audit as an expensive and expendable luxury. Now, more than ever, internal audit must demonstrate the value of independent assurance to stakeholders and enhance communication and collaboration with second-line-of-defense functions in order to minimize duplication.
Restless Stakeholders This threat is closely linked to how stakeholders view the value internal audit provides. The accelerated pace of change is creating new challenges and pressures for stakeholders, making them more likely to seek short-term answers to complex problems.
Several key studies published earlier this year contained ominous warnings to the profession that the stakeholder–expectations gap is widening — particularly with management. These signals should always be a call to action for internal auditors to step up their game. Those who do not have plenty of reasons to be spooked about the future.
The Regulatory Repeal Environment The growing move toward legislative and regulatory repeal is widely viewed as a positive for business, promising to unshackle industry from rules viewed as unnecessary or overly burdensome. The danger to the organization and internal audit is the fallacy that fewer regulations mean fewer risks. Practitioners must not succumb to the temptation to dismiss the risks that led to creation of the regulations in the first place. They must convince stakeholders that, while regulations may go, the risks remain and internal audit is essential to managing those risks.
The profession saw extraordinary growth in the U.S. and other regions of the world in the post Enron and Sarbanes-Oxley era. Today, many of the related regulations, and even the legislation itself, are under fire. If repeal efforts are successful, will the old adage that what goes up (internal audit resources) must come down play out? Or have we leveraged those resources and demonstrated our potential in ways that will enable us to retain and grow them?
The Risk(s) We Don't See Coming The five scariest words in the English language for me are, "Where were the internal auditors?" These words should strike fear in the hearts of all internal auditors. The pace of change is accelerating how risks emerge and mature, making it more important than ever for internal audit functions to be flexible, multifaceted, and agile. The annual audit plan, until recently the blueprint for internal audit's work, is quickly becoming anachronistic. Audit plans must undergo constant review in today's business environment. Those who fail to watch the horizon for emerging risks are doomed to be ambushed. Once that happens, the question, "Where were the internal auditors?" is quickly replaced with, "Where did the chief audit executive end up after he/she was let go?" Ouch!
The pressure to identify and mitigate risks quickly, efficiently, and effectively is a high as ever, and this will invariably put internal audit in the crosshairs whenever failures occur.
Regular readers of my blog will recognize the tone of this post is a departure for me. I typically am, and remain, optimistic about the profession and its future. But it is vital that we recognize and address these and other challenges head on if we are to succeed in elevating the profession and making it an indispensable part of good governance. I have always believed that the greatest fear shouldn't be of various risks that could come to fruition, but that it should be of complacency.
As always, I look forward to your comments.