In many English-speaking nations, there's a tradition of singing "Auld Lang Syne" as the clock strikes midnight on New Year's Day. Based on a 1788 poem by Robert Burns, the song is used as a farewell to the old year in great anticipation of the new one.
My tradition is not to stumble through a nostalgic refrain of, "we'll tak' a cup o' kindness yet, for auld lang syne," but instead to suggest some resolutions that all internal auditors should contemplate for the coming year. Indeed, I've offered five such resolutions at the start of each year for about as long as I've penned this blog, which celebrates 10 years next month.
This year's list of resolutions reflects the rapid and almost continuous change that the profession is experiencing. Now, like never before, internal auditors must be aware, attuned, agile, innovative, courageous, and committed.
So, here are my Top 5 Resolutions for 2019:
Keep your head out of the sand and take on difficult risks. This resolution is really no different than in any other year, but I include it this year because there are still too many heads buried in the sand as a result of the ever-growing demands on practitioners, which can seem overwhelming. Stakeholders are demanding more of us. New, technology-driven risks are requiring us to be agile and innovative. That same deluge of technology also offers us new tools — from robotics process automation to artificial intelligence — that require us to quickly adopt and acquire new skills.
It would be easier to simply hunker down and do the work we're most comfortable doing, thus avoiding these new challenges. But that's not why most of us entered this profession or what we are being paid to do. We have an obligation to our organizations, to our professional Standards, and to ourselves to be ever vigilant for new and emerging risks, step up to the challenge, and deliver unassailable, independent assurance services.
If you see something, say something. We have all heard this expression, typically in the context of potential threats to public safety. However, it applies to internal audit, as well. We must be willing to step up and speak courageously when we see behavior that's potentially harmful or creates risks, even when involving top executives. In addition, if we notice internal audit colleagues taking shortcuts that could undermine the accuracy or credibility of an internal audit, we should not hesitate to say something. I plan to expand further on this theme in an upcoming blog.
Sharpen your technology tools. I believe there is little room for debate that technology is one of the primary drivers of risk. Cybersecurity and data protection consistently rank at the top of risk profiles from our stakeholders, and the pace of technology-driven change shows no signs of slowing. That's why internal auditors must become fluent in technology. Earlier this year, I wrote a blog post that looked ahead at anticipated risks in 2019, based on risk reports published by Gartner and the European Consortium of Institutes of Internal Auditors. Data and technology are central to risk discussions on cybersecurity preparedness, data privacy, data governance, IT governance, and third-party risk, as well as digitalization, automation, and artificial intelligence. We must recognize and address the risks that technology presents in our organizations and embrace technology in serving our organizations. No practitioner can afford not to.
Expect the unexpected. Just as technology is driving known risks, so too does it drive emerging and atypical risks. It is almost a given that the coming year will bring surprises that we did not envision just a few days ago. Internal auditors must be agile and prepared to pivot quickly when the unforeseen occurs. This correlates with the resolution on speaking out. While emerging and atypical risks are not generally part of internal audit's scope of work, it does not release us from our obligation to speak out on emerging or atypical risks.
Be mindful that you remain aligned. It has become cliché to say stakeholders don't like surprises and that internal auditors should know what keeps management and the board up at night. While clichés, they do remind us about the importance of being aligned with the needs and expectations of our stakeholders – particularly board members.
But alignment goes beyond just understanding the board's views on risk. Here are five components of this final resolution. Internal audit should resolve:
- To leverage audit committee relationships to make certain internal audit remains aligned with the board's view on risks.
- To work with executive management to get a clear understanding of strategic and operational priorities and align internal audit's efforts to support those priorities.
- To respond to changing demands in IT, data analytics, artificial intelligence, and other areas by investing in the improvement, expansion, and alignment of our skills to meet the needs of the organization.
- To examine how changing demands and pressures to perform align with conformance to IIA Standards.
- To align our work effort to deliver on internal audit's mission to provide service that enhances and protects organizational value.
I look forward to 2019 with optimism. I believe it will offer great opportunities for internal auditors to expand our abilities and enhance our service to our organizations.
As always, I look forward to your comments.