In the new normal, industries and organizations have been embracing several transformations that were either caused or accelerated by the coronavirus pandemic, such as digital transformation and sustainability. The auditing industry continues to grapple with these changes, especially in terms of getting the right talent, yet opportunities are within their reach.
According to a recent survey by technological research and consulting firm Gartner, Inc., attracting talent with nontraditional skills is found to be the top challenge for audit leaders or chief audit executives (CAEs), represented by 57% of the respondents.
Related challenges cited by over half of audit leaders surveyed as important to solve in the next 12 months include: making the leap to more advanced analytics applications (e.g., continuous monitoring, automation and artificial intelligence) (56%); inadequate assurance over cybersecurity (53%); IT auditing practices not keeping pace with the need to audit new technologies and IT risks (53%); and measuring the impact of higher-value activities our team performs (51%).
“Top challenges for audit leaders reflect the increasing need for their audit teams to provide assurance over rapidly evolving technologies and expanded digital transformation initiatives,” Gartner’s report noted.
This difficulty in attracting talent to internal audit is even seen as a major factor driving many of the other top challenging facing audit leaders.
“[M]any audit leaders also expressed lower confidence in their team’s ability to audit evolving areas, such as cybersecurity, ESG (environmental, social, and governance standard) and talent risks in the broader organization, and increase the department’s use of data analytics and technology,” the report read. “These areas often require specialized skills audit teams are trying to attract or effectively upskilling existing talent, which also presents its own challenges.”
Such findings mirror what was explored by the Internal Audit Foundation (IAF) of the Institute of Internal Auditors, in collaboration with professional services firm Deloitte, in a research report published last year that assessed internal audit competency.
The report highlighted that while internal auditors are confirmed to have strong competence in core knowledge areas, a critical need is sought for them to have an additional focus on the use of innovative technologies.
“Business strategy and technology strategy are converging. Today, many business models could not exist without digital technologies, such as cloud-based platforms, automation, machine learning, advanced analytics, and blockchain,” read the report. “Despite the criticality of these technologies, many auditors do not believe they have the skills needed to provide effective assurance and advisory services in these areas.”
These seen gaps, nonetheless, can be considered as opportunities for auditors moving forward.
“This unique point in time offers internal auditors an opportunity to articulate the value they could add to their organizations if adequately enabled by relevant transformative technology and upskilling opportunities,” Mike Schor, risk & financial advisory partner at Deloitte, was quoted as saying in a comment to the report’s findings.
Opportunities amid risks
In an annual perspective of its internal audit specialists, Deloitte identified key risks and opportunities that it believes internal auditors should consider in their audit plans this year.
Among the numerous considerations, Deloitte agrees that adopting the ESG standard is imminent in several major economies, and so internal audit should not delay in tackling the issue, “as the stakes are simply too high, with pressure exerted by regulators, investors, customers, third-party affiliates, and society at large.”
A challenge internal audit (IA) functions just starting on their ESG journey should brace for is identifying responsible parties within the organization, the firm noted.
“Oftentimes, we find the CFO (chief financial officer) pointing to investor relations, who look to HR (human resource), which passes the buck to legal, who redirects to marketing. Effective coordination among these groups and a focal point of responsibility will be critical to progress,” Deloitte wrote in the report.
Deloitte also recommends initiating training as needed to fill knowledge gaps, both within IA and throughout the organization at large.
“Invest in resources with the right experience and skillset to understand, recognize, and assess ESG risks. Consider creating ESG-dedicated position(s) within internal audit to allow for specialized expertise and increased focus,” Deloitte added.
IA functions are also encouraged to get involved with organizations as they embark on automation in order to realize business value.
“Start by helping management find a balance between risk taking and risk appetite. Connect early in the process, when strategic decisions about automation are first being made. Ideally, the relationship will include both advisory and assurance elements — helping the organization realize [return of investment] and then providing assurance services for its automation deployment,” Deloitte explained.
“Simultaneously, adapt your audit plan to the new environment,” the firm added. “Risk assess new capabilities (impacted business processes, ways of working, and new enabling technologies) across key risk domains, such as financial, operational, regulatory, technology, and strategic, and then prioritize based on impact and vulnerability criteria.”
Regarding cybersecurity, CAEs are advised to pay particular attention to leveraging the “cyber cloud skills” of auditors as the cloud bring a concurrent set of risks while enhancing the ability to quickly leverage new capabilities such as AI, machine learning, blockchain, and data lakes.
“Consider approaches such as a risk-based “assurance by design” cloud migration strategy; take advantage of native cloud services; and embed security and engage in a multi-cloud strategy. For IT IA, cloud assurance will be a multi-year journey — not one audit and done,” Deloitte advised. — Adrian Paul B. Conoza