Deloitte globally provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 210,000 professionals, all committed to becoming the standard of excellence. In India, Deloitte member firms are spread across 13 locations with around 30,000 professionals who take pride in their ability to deliver to clients the right combination of local insight and international expertise.
The rising expectations from internal audit and its increasing discernibility in recent times has made it widely accepted as the lynchpin of effective governance in organizations. High performance and effectiveness demand that internal audit departments focus their efforts on the key risks and issues facing organizations—a task made more difficult in today’s environment of continued complexity, uncertainty, and change. It is, therefore, important that the internal audit departments consider incorporating the following high impact risk areas into their audit plans:
Cyber security Reports on major breaches of proprietary information and damage to organizational IT infrastructure have become rife with the dawn of cloud computing, social media, mobile technology, Internet of Things, etc. The ways in which internal audit groups define and prepare to address cyber risk will largely determine their effectiveness in cyber security audits. Hence, cyber security needs to be defined comprehensively and should cover all digital assets and the data processes and systems. As the third line of defense in risk management, internal audit should verify that the steps taken by the first line (business) and second line (risk management) are equal to existing and anticipated cyber risks.
Key Performance Indicator (KPI) assurance
KPI assurance has been identified as another high-impact area. Gauging KPIs with an auditing scale is critical to improve related processes, systems, and controls. Management reports on leading trends and practices, etc. and statements about customer service and product quality, demand accurate and reliable KPIs. Firstly, internal audit should determine whether management is tracking the right KPIs for what is being measured and whether the underlying processes are well-designed and controlled, and then, over time, provide assurance on the data and processes.
Leveraging automation and analytics:
The regulatory, legal, and competitive environments, and rapid evolution of technology combined with ever increasing volumes of information, are driving many organizations to look for new high impact areas like Internal Audit Analytics, Data visualization, governance & life cycle management, and IT internal audit.
IT concern areas now include social media, big data, devices, and apps, as well as technology-driven disruption of entire industries. The core internal audit professionals should work cohesively with the data scientists and analysts and call on subject matter specialists as appropriate. Data Visualization has emerged as a powerful area of data analytics which streamlines the snowballing size and complexity of information. Visualization can depict trends, patterns, and exceptions very precisely and succinctly during an audit. Visualization aids better reporting through more comprehensible and recallable data projection techniques. Besides, it is also important to manage the data throughout the life cycle. Information life cycle management involves consistent management of information from inception to final disposition. Given the pace of technology development and the value of digital assets, organizations should consider grouping IT audit activities into core, advanced, and emerging technology categories.
Planning for dynamic internal audit and crisis management:
Dynamic internal audit planning can create a flexible, adaptable approach in which data analytics and continuous monitoring supplement annual risk-based assessments. Dynamic internal audit planning uses qualitative and quantitative methods on a continuous basis to identify issues and allocate resources to key risks. Audit planning can also establish whether management has identified the full range of potential crises and their likely impacts. Crisis management planning is important to ensure that impacts of a crisis do not compromise stakeholders’ interests and the organization’s operations and data.
Vendor governance is another space where the sooner internal audit gets involved, the better. While third-party relationships provide many benefits, they also present risks, and management cannot outsource accountability for risks. Clarity at the front-end smoothens the relationship on both sides, with many vendors appreciating early notice of errors and contract interpretation issues rather than lengthy back-end recovery proceedings.
International Professional Practices Framework (IPPF) and corporate governance
The Institute of International Auditors (IIA) released an updated IPPF in July 2015 to reflect the evolving role of internal audit—the first major revision since 1999. While the definition of internal audit, the code of ethics, and the standards remain the same, the framework features a new mission and core principles for the professional practice of internal auditing. Globally recognized frameworks like the IPPF should be referred to for checking current activities against the standard value that the internal audit should be generating. This helps provide objective and risk-based assurance, advice, and insights. Internal audit should also review the organization’s corporate governance framework and mechanisms, and plan internal audits accordingly to assure stakeholders of the maturity and effectiveness of the board, and also to advise the board and management of ways to enhance their governance.
- By Porus Doctor, Partner, Deloitte Haskins & Sells LLP. Views expressed are personal.