In their latest issue of The Bulletin, Protiviti summarizes recent developments in the business environment and suggests internal audit teams should capitalize on changing expectations. They highlight these areas:
Manage audit committee expectations. As these change, internal audit should be ready to adapt.
Evaluate IT security and privacy. These continue to be areas of risk that hit the headlines and, as a result, boardroom agendas.
Conduct value-added risk assessments. The authors point out that risk assessments must be kept current, and that internal audit should always add their own insights to any risk assessment process by management. But, I would have liked to have seen more emphasis on internal audit assessing and contributing to the improvement of management’s risk management programs.
Use assurance maps to identify vital assurance processes. They reference an IIA Practice Guide that I frequently recommend. However, I would have liked them to point out that this tool is excellent for identifying where there are gaps — nobody provides assurance that the company is complying with a law or regulation — and overlaps — where there is redundant and duplicative coverage.
Keep priorities up to date. This should relate to the maintenance of an updated risk assessment that is linked to an updated audit plan — flexible enough to ensure the significant risks today are addressed in the audit, not the risks when the plan was updated several months ago. However, Protiviti has chosen to talk about a ‘more balanced focus’ rather than a focus on what matters — and that may not be balanced at all! I know they support addressing what matters, and maybe they mean to say that you need to consider all areas of risk in building a plan that addresses what matters — the more significant risks.
Leverage technology to expand coverage. This pretty much goes without saying, but I wish Protiviti had emphasized using technology to understand the business and its risks in addition to its use for testing.
Acquire, develop, and distribute talent.
Demonstrate positive change. Personally, I prefer to talk about effecting change.
As usual, Protiviti has given us thoughts to stimulate thinking. I appreciate that and congratulate them.
One thing concerns me, I must admit, with the tone of the piece. While internal audit must be responsive to changing expectations, it cannot afford to be passive. Internal audit needs to lead the board and executive management, explaining the potential for internal audit and the assurance and consulting services it offers.
What is your opinion on internal audit and change? What changes are needed and why?