2019 report brought to you by:
&
Upskilling Internal Audit
Getting the Right Mix of Skills and Talents for a New Tomorrow
2 | WWW.MISTI.COM
Upskilling Internal Audit
CONTENTS
Conducting an Internal Audit Skills Assessment and Gap Analysis
Nine Critical Skills to Enhance Your Audit Career Path
Boosting the Technology Capabilities of Internal Audit
About MIS Training Institute
MIS Training Institute (MISTI) is the international leader in internal audit, IT audit, and information security training and conferences with offices in Boston, New York, and London. MISTI’s expertise draws on experience gained in training more than 200,000 delegates across five continents. Helping internal audit and information security professionals stay at the top of their game has always been at the core of MISTI’s mission. To that end, MISTI has developed and focused its vast variety of training courses, events, newsletters, and other informational products on the wide-ranging needs of internal and IT auditors and information security practitioners. MISTI’s unparalleled course curriculum covers the most up-to-the-minute topics, provides proven internal audit and security practices, and delivers the information needed to be successful in today’s organizations. www.misti.com
About Workiva
Workiva, the provider of the world’s leading connected reporting and compliance platform, is used by thousands of enterprises across 180 countries, including more than 75 percent of Fortune 500® companies, and by government agencies. Our customers have linked over five billion data elements to trust their data, reduce risk, and save time. For more information about Workiva (NYSE:WK), please visit workiva.com.
Joseph McCafferty, Editor & Publisher, Internal Audit 360°
Joseph McCafferty is the editor and publisher of Internal Audit 360°. During his 25 years in the publishing industry he has spent time in various senior roles at leading business publications, including as executive editor of Compliance Week, editor of Directorship, and as special projects editor at CFO Magazine. He honed his expertise in internal audit in these roles and as head of internal audit content at MISTI, which specializes in internal audit training. He has also reported on several business areas during his career, including risk management, internal audit, technology, and finance. When he is not covering risk management and internal audit, he coaches youth ice hockey and baseball and serves as a board member for the Boston College student newspaper.
Author, Upskilling Internal Audit
It’s no secret that the internal audit profession is in a period of intense change.
In fact, adapting to rapidly changing dynamics and new technologies is the theme of most
surveys and studies of internal audit lately, including the Institute of Internal Auditors’ 2019
Pulse Survey and PwC’s 2019 State of the Internal Audit Profession Study, which found
that “dynamic” internal audit departments are far more likely to adopt such technologies
as robotic process automation (RPA), artificial intelligence (AI), advanced analytics, and
other innovations.
Boards and senior management are increasingly asking internal audit teams to assess
an ever-growing array of areas outside the traditional finance and accounting disciplines.
Wherever there are risks—whether in compensation mechanisms, cybersecurity,
marketing programs, and many others—internal audit is expected to bring the needed
expertise to assess how those risks are being managed and confirm that the processes
are functioning as they should be.
To meet this mandate, internal audit teams must be stocked with professionals with
unique skill sets. They must be risk management gurus, compliance mavens, technology
whizzes, expert communicators, critical thinkers, innovators, and many other specialists.
And while it’s unrealistic to expect to find individual internal auditors who possess so
many capabilities, chief audit executives aspire to develop team members with many of
these skill sets, or at least to ensure that the department has many of these competencies
represented on the team as a whole.
So how does internal audit assess where there may be holes in its collective capabilities
and confirm that it has the required skills to carry out all of the audits on the audit plan? With an
internal audit skills assessment and gap analysis. The internal audit skills assessment is
a formalized analysis of the skills possessed both at the individual level and at the team
level. It is generally accomplished in three steps:
Step One: Conduct a thorough inventory of the skills each auditor possesses.
Step Two: Map those skills to the needs of the audit plan and highlight any deficiencies.
Step Three: Create a plan to fill the gaps—either through hiring, training, or other arrangements—to bring needed expertise to the internal audit team.
Conducting an Internal Audit Skills Assessment and Gap Analysis
By Joseph McCafferty
“I would start by identifying the required core internal audit skills and assess each of
the core team members against the desired competencies,” says Rick Whitehead, an
independent internal audit and risk management consultant based in Nanoose Bay, British
Columbia. “Most CAEs could perform this sort of assessment on their teams. It has been
my experience that many core internal auditors have some good basic audit skills, but
often lack knowledge of the business, reporting, and people skills,” he says.
Step One: Conducting a Skills Assessment
An internal audit skills assessment can be an informal “back of the envelope” exercise
to ensure the team possesses the proper expertise to conduct a particular audit, or it
can be a more formal process to document the internal audit team’s various skill sets
and capabilities. Yulia Gurman, executive director of internal audit at Packaging Corp. of
America (PCA), recommends taking both approaches at different times. “We do periodic
reviews of whether we have the needed skills to carry out the audit plan, but we also do
a more formal skills assessment to create a longer-term plan,” says Gurman. “We want
to ensure we are developing our professionals and also moving the entire team forward.”
A skills assessment typically starts with a self-assessment questionnaire. Internal audit
team members answer questions about their own views of their strengths and capabilities.
Some of it is objective, such as: “Do you have experience in writing audit reports?” And
some of it is more subjective, such as: “How would you rate your knowledge of FCPA
compliance on a scale of one to five?”
There are many resources available to help with such assessments. When Gurman worked
on an evaluation last year, for example, she used a questionnaire developed by the Institute
of Internal Auditors (IIA) intended to assess where internal auditors could use additional
training. She said it provided some great information, but can’t be the only tool you use to
conduct the assessment. “It’s good to see how people rate themselves, but you have to take
it with a grain of salt,” says Gurman. She also worked with managers to rate skills of those
who report to them and on such areas as business acumen and communication abilities.
In addition to questionnaires and manager ratings, chief audit executives may conduct
interviews of team members, observe auditors on the job, and collect feedback from
surveys by internal audit clients, such as process owners and business unit managers.
When Charlie Johnson conducted a formal internal audit skills assessment for the Lower
Colorado River Authority (LCRA), he wanted to get a good sense of each auditor’s knowledge
of the complex water and power utility based in Austin, TX. Team members were asked to
rate their knowledge of several aspects of the utility on a scale of one to five—these included
familiarity with power plant operations, switch yards, and other parts of the organization.
Johnson, who served as chief audit executive at the LCRA until last month, combined the
results with ratings on an IIA competency framework model, which lists and details a set of
core competencies every auditor should strive to achieve. The main categories are:
PROFESSIONAL ETHICS: Promotes and applies professional ethics
INTERNAL AUDIT MANAGEMENT: Develops and manages the internal audit function
IPPF: Applies the International Professional Practices Framework (IPPF)
GOVERNANCE, RISK, AND CONTROL (GRC): Applies a thorough understanding of
governance, risk, and control appropriate to the organization
BUSINESS ACUMEN: Maintains expertise of the business environment, industry
practices, and specific organizational factors
COMMUNICATION: Communicates with impact
PERSUASION AND COLLABORATION: Persuades and motivates others through
collaboration and cooperation
CRITICAL THINKING: Applies process analysis, business intelligence, and problem-
solving techniques
INTERNAL AUDIT DELIVERY: Delivers internal audit engagements
A quick note here: It’s important to keep in mind that there are core competencies that
every auditor should possess at the individual level, such as those listed above, and there
are also specialties, such as accounting knowledge, technology acumen, knowledge of
compliance, and others that are unlikely to all be represented in any given individual. These
are the skills that should be covered at the team level, based on the needs of the business.
Step Two: Find the Skills Gaps
After creating a thorough inventory of the skills and competencies both at the individual
and team level, the next step is to map those to the needs of the internal audit team. The
needs are based on the risk assessment of the organization and the resulting audit plan.
“I would review the company’s principal risks and assess the specialized skills that are
either in-house or arranged through outside service providers to determine whether there
are gaps or areas that require improvement,” says Whitehead. “Again, this assessment
could be done by the CAE.”
In addition to the needs inherent in the audit plan, Joy Gray, a lecturer in the accounting
department at Bentley University as well as its Internal Audit Education Partnership
Coordinator, says the assessment should also be weighed against the longer-term goals
of the internal audit department. “You have to be able to see the big picture, plot a course,
and come up with a plan to get you there,” she says.
It may also be wise to gather input from internal audit clients on what they see as the gaps
between audit capabilities and needed skills. They will likely have some good perspective
on how well the members of the team understand the processes they manage. “You want
to find out what the principal risk owners think about internal audit’s skills relevant to their
areas,” says Whitehead. “Do the audit committee and key executives believe that internal
audit has sufficient understanding of the business? Is internal audit able to build strong
relationships with key business executives and the audit committee?”
Gray also emphasizes that the skills assessment and gap analysis can’t be a one-time
exercise. “You can’t do it once, check the box, and say, ‘that’s done,’” she says. “It has to
be an ongoing process because the needs and risks of the organization are constantly
changing and you need to be responsive to those changes.”
The gap analysis can also be an important tool to appeal to the board and management
that more resources are needed. If there are lots of holes, it may help make a case to the
audit committee chair and the CEO for additional training or the hiring of more auditors.
Step Three: Craft a Plan to Fill Gaps
The next step is to create a plan to fill the gaps at both the individual and team levels.
At the individual level, training will be a big part of the solution. There is no shortage of
training—whether through the courses provided by MIS Training Institute (MISTI) or the IIA
and others—available to help address deficiencies and bring auditors up to speed on core
competencies.
At the team level there are several options available to close gaps, depending on the
specifics of the organization and the gaps identified. Typically, chief audit executives don’t
get a green light to just go out and hire several new auditors who possess the missing
skills. Although hiring may be part of the plan to fill gaps, there are several other solutions.
CO-SOURCING: There will always be times when you need to bring in an expert. Co-sourcing
arrangements with outside providers allow internal auditors to retain responsibility for the
internal audit process while relying on an outside firm for specialized technical skills and
personnel. PCA’s Gurman advises CAEs to always ensure that co-sourced experts work
alongside existing auditors. “You want to make sure there is a transfer of knowledge or
else it’s not very helpful,” she says.
GUEST AUDITOR: Many internal audit departments borrow experts from operations to
help out with the audit when key skills are needed. While such arrangements can raise
independence and objectivity issues, most audit teams are capable of managing around
those problems. The added benefit of the guest auditor is that when they return to their
jobs they can see things from an internal audit perspective and become advocates for
internal audit.
LUNCH AND LEARNS: Another strategy to boost knowledge, particularly the crucial business
knowledge that may be lacking in inexperienced auditors, is to bring in professionals from
around the business to discuss what they do and how their particular part of the business
functions. These events usually include opportunities to ask questions and gain a better
understanding of particular processes that may be the subject of upcoming audits.
BUILDING RELATIONSHIPS WITH PROCESS OWNERS: Forward-thinking CAEs also
encourage their team members to foster lots of relationships with process owners and
business managers. They may move individuals through assignments out in the business
or hold events that encourage relationship building. “Lots of times it comes down to the
relationships you build,” says Johnson. “That can be the best way to expand your base of
knowledge. It gives you the ability to empathize and put yourself in their shoes, which will
make you a better auditor,” he says.
One of the biggest barriers to improving and adding to the skills of the internal audit
team can be time. Many internal audit teams are under-sourced and most go flat out just
to complete all the audits on the audit plan. Making time for the skills assessment and
the subsequent training it necessitates may seem like a luxury to some internal audit
departments. Yet forgoing these exercises will cause the skills gaps to widen and leave
internal audit in a rut, falling further behind and eventually leading to obsolescence.
To ensure time for training, PCA holds “training weeks” each March, when all other
business is put on hold, to ensure internal auditors have time to gain training in needed
areas. Through the week, the team looks back over lessons learned from the prior year;
reviews the needs of the current audit plan, including tactical and technical requirements;
brings in executives to talk about their areas of the business; provides group training on
certain topics; and finally, it finds time to schedule some fun events for team building.
“We believe very firmly in professional development,” says Gurman. She says it’s her goal
to make the internal audit department known for turning out star performers, even if it
means losing some of its better staffers.
Lifelong Learners
It’s important to emphasize that no amount of training and relationship building can
develop an internal auditor with all the needed skills and competencies. Indeed, Jonathan
Ngah, principal at internal audit, governance, risk, and advisory firm Synergy Integration
Advisors, says you wouldn’t want to, even if you could. “Don’t drive yourself crazy by trying
to fill all the many skill sets you are going to need. As soon as you think you have everything
covered, something else pops up,” says Ngah.
Instead, he says the one skill you should focus on most is flexibility. “We want to hire internal
auditors that have flexibility and agility. They need to have curiosity and become lifelong
learners,” says Ngah. These are people who look to bridge their own knowledge gaps. This
will make the internal audit team more flexible to adapt to fast-moving risks as they arise.
Johnson, former chief audit executive of LCRA, agrees. He says intellectual curiosity
and a thirst for knowledge may be the most important skills of all, along with a healthy
understanding of your limitations. Says the internal audit executive: “The minute you start
thinking you know everything is the minute you start falling down.”
Nine Critical Skills to Enhance Your Audit Career Path
What makes a great auditor? What’s the perfect career path for an auditor?
Twenty years ago, answers to these questions were undoubtedly much different than they
are today. Back then, a solid grasp of the ins and outs of internal audit could land you high
on the career ladder. In 2019, likely less so.
Here is the hard truth: today, auditing skills are table stakes. The stuff we learned in
accounting school—planning and fieldwork and reporting—doesn’t really distinguish us.
It’s more or less expected as part of the job.
When 49 percent of current work activities could be automated using technology, it is
ultimately the softer skills that will distinguish audit professionals in a highly demanding
and rapidly-changing landscape.
Want to improve the career path you are on as an auditor? Here are the top nine skills you
should master today:
By Ernest Anunciacion
1. Healthy skepticism
Moving past a traditionally backward-focused approach in favor of a more proactive one
requires that internal auditors handle their work with a healthy amount of skepticism.
“[Skepticism] is an attitude that includes a questioning mind and a critical assessment of
the appropriateness and sufficiency of audit evidence,” writes Dr. Hernan Murdock, vice
president of the audit division for MISTI. “It requires being alert to conditions that may
indicate possible misstatement due to error, neglect, or fraud, and a critical assessment
of audit evidence.”
The best internal auditors trust nothing when reviewing financial documents, and they
conduct each review with a discerning eye and a high degree of vigilance—regardless of
the specific circumstances.
2. Critical thinking
Critical thinking skills are important for an audit career path. This type of reasoning
requires that auditors step outside of their own judgments and biases in order to consider all
perspectives, question the validity of each, and reach a conclusion.
As a Global Internal Audit Common Body of Knowledge (CBOK) study notes, “Critical
thinking is the most sought-after skill by internal audit hiring managers, but generally, it is
learned on the job through dedicated feedback and coaching from internal audit leaders.”
Despite the increasing prevalence of technology, this level of complex thinking is one skill
that AI and automation have yet to replace.
3. Business acumen
In the 2018 North American Pulse of the Internal Audit Profession survey conducted by
the IIA’s Audit Executive Center, business acumen was ranked as one of the most desirable
skills by CAEs.
Today’s practitioners need to know not only the numbers, they also need to know what role
they play and why they matter to the business. Internal auditors do the legwork.
In short, professionals with the strongest career paths do not just do their jobs with
excellence, but they also connect the dots to articulate the true business impact—which
is the information that matters most to other stakeholders. CEO and Founder of Leading
Women, Susan Colantuono, does an excellent job of explaining this concept in her TED talk.
4. Initiative
In any profession, employers want to know that their employees are eager to learn and
develop. They value people who go above and beyond expectations to advance themselves
and their knowledge.
For internal auditors, the willingness to take initiative and ownership over their own
success is crucial. Passionately pursuing professional designations, certifications, and
Continuing Professional Education (CPE) proves that they are not content to rest on their
laurels, but instead, are eager to learn and evolve along with the profession.
5. Empathy
For those on the receiving end, audits can be nerve-wracking, and skilled internal auditors
must know how to empathize with the emotions of their clients or stakeholders while still
maintaining their composure and remaining prudent.
Not only does this competency set internal audit practitioners apart and allow them to
deliver their findings in the most effective way, but it also leads to higher quality audits.
One study published by the International Journal of Auditing in March 2018 found that
emotional intelligence, closely related to empathy, actually improves audit quality.
6. Communication skills
Communication skills are a highly valued—yet surprisingly rare—trait in today’s working
world.
Case in point: In a 2016 survey conducted by Workforce Solutions Group, communication
skills were the top demand of hiring companies, yet two out of three employers cited a
lack of these interpersonal skills in their job applicants. This serves as proof that internal
auditors who are strong communicators will set themselves apart from any job competition.
“Internal auditors need to possess excellent communication skills in order to succeed
and advance in the changing, complex international global marketplace,” writes Dr. Gene
Smith, an accounting professor at Eastern New Mexico University, in an article published
in Managerial Auditing Journal. “Auditors utilize communication skills in almost every
situation they encounter.”
And that’s just verbal communication. Nonverbal communication,
teamwork improvement techniques, and presentation skills are also vital. In fact, one survey
found a correlation between presentation skills and success at work.
7. Executive presence
More than just a buzzword, executive presence is important for internal auditors who want
to foster a positive professional reputation. But what is it? Put simply, executive presence
is a person’s ability to inspire confidence.
“Internal audit leaders must inform, educate, and influence stakeholders as well as earn
their trust,” explains a release by a Big Four firm.
According to a recent study from PwC, nine out of 10 very effective internal audit leaders
excel in demonstrating executive presence.
8. Curiosity
As mentioned previously, the most successful internal auditors are not fulfilled with the
status quo—they have an eye for continuous process improvement and how they can
advance the profession in a business that is changing at an accelerated rate. Internal
auditors should seek to not only refine their own skills, but also to understand, adapt to,
and leverage emerging technologies.
Even if an organization does not have a structured or formal learning program in place,
internal auditors should pursue workshops and courses to independently expand their
own knowledge.
Curiosity also means that these internal audit practitioners ruthlessly dig into problems
in pursuit of an answer and solution. They are excited about a mystery, rather than being
discouraged by it.
“We want people who have a passion for truly understanding the business and a knack
for remaining inquisitive within environments that can change on a weekly or even daily
basis,” explains Kelly Barrett, vice president of internal audit and compliance for Home
Depot.
While some level of skepticism is encouraged, for a thriving audit career path, auditors
must balance that with a certain amount of open-mindedness in order to make informed
judgments and decisions.
“An open-minded auditor is nonpartisan and able to see the good practices, as well as
the improvement areas,” writes Amanda Bradley, GlaxoSmithKline’s director of risk and
strategy. “This supports the development of the internal control framework, and means
that the auditor is able to challenge on the best corrective actions to put in place because
they have seen what good looks like.”
9. Cross-functional training
Of course, internal audit professionals must comply with an abundance of auditing,
accounting, and financial regulations. In order to do so, they must possess at least a basic
level of legal and analytic knowledge.
As the Association of Chartered Certified Accountants states, auditors must “have an
understanding of how laws and regulations affect an audit, not only in terms of the work
the auditor is required to do, but also to appreciate the responsibilities of both management
and the auditor where laws and regulations are concerned.”
Similarly, internal auditors work with a large amount of financial data, so they need to be
equipped with the skills to analyze those numbers. Being able to manage data is a sure-fire
way to stand out in a competitive field and labor market, especially since LinkedIn reports
that data science is one of the top 25 most in-demand skills of 2019.
Prepare today to become the auditor of tomorrow
Today, the internal auditing profession is about more than being an investigator—these
roles add real value to the business. However, that is far easier to prove if you supplement
your technical skills with these in-demand soft skills.
Doing so makes you a more well-rounded internal auditing professional, and it also helps
you realize that automation isn’t something to fear. In fact, by automating the manual tasks
that take time away from more proactive, value-added, and fulfilling activities, you can
become the strategic and insightful internal auditor that your organization needs.
Ernest Anunciacion, MBA, CIA, Director of Product Marketing, Workiva
The burden companies are placing on the internal audit function these days is increasing.
Boards and senior management expect internal audit shops to be supportive advisors to
businesses that, across the board, are undergoing rapid change.
How do we know that internal audit is under pressure to improve its assurance
capability and do a better job overseeing risk management? Because executives say so
themselves. A recent survey by the American Institute of CPAs (AICPA) and North Carolina
State University’s Enterprise Risk Management Initiative found that executives at most
companies say they have much work to do to get their organization’s risk management
up to par. It found that just 23 percent rated their organization’s overall risk management
oversight as “mature” or “robust.”
Disruptive technologies have had a profound impact on nearly all businesses. That means
internal audit must play a role in the organization’s response to such transformation,
including understanding these new technologies. According to the 2019 North American
Pulse of Internal Audit study conducted by the Institute of Internal Auditors (IIA),
cybersecurity and IT issues have grown to represent nearly 20 percent of the average audit
plan. That means internal audit must have a greater technological capability to execute
such audits and provide real value in a digital age.
At the same time that organizations are becoming increasingly digitized and tech heavy,
internal audit is being asked to do more with less. That means leveraging technology inside
the internal audit department to automate some functions and operate more efficiently. To
fulfill its mandate, internal audit must:
Reduce effort devoted to routine activities, such as repetitive control testing and
monitoring
Standardize and automate high value-added activities, such as fraud detection and
continuous auditing
Build and deploy advanced solutions such as predictive analytics and artificial
intelligence
Boosting the Technology Capabilities of Internal Audit
By Joseph McCafferty
All of these trends and forces require internal audit to be more tech enabled. While adding
a few more tech whizzes to the staff can help, it’s really a change in mindset that is needed
to become a tech-savvy, innovative modern internal audit function.
“It’s not about just adopting new technologies so you can say you are proficient in them,”
says Ngah. “You have to consider, what tools do I need to help the business accomplish its
goals?”
The Right Technology for the Organization
Every organization is different and each faces different circumstances. Adopting the
right technologies means understanding the needs of the organization. A cutting-edge
Silicon Valley software provider, for example, will require a much more technologically
sophisticated internal audit function than one at a more traditional manufacturing company.
“It’s important to consider how mature the company is with the systems they use,” says
Gurman. While she says her internal audit department strives to be forward thinking, the
company relies on some legacy systems that present challenges of their own to internal
audit. “We are an old-line manufacturer. We have to understand the technology that is in
use, not the latest and greatest,” says Gurman. (Indeed, matching the technology capability
to the needs of the organization is a common refrain among internal auditors and experts
alike.) But that hasn’t stopped Gurman and her team from embracing data analytics and
other advanced audit techniques.
According to Ngah, the right technology should focus on answering the following:
What type of information does internal audit need from the business to review and
add value?
What is the best technology to obtain, evaluate, and analyze this information?
What output could internal audit get from using certain technologies? What trends
do we see from analyzing data and highlighting issues to facilitate meaningful
conversations with management?
How receptive would managers and process owners be based on the evidence or
output from the tools or technology under consideration?
How could this output help provide insights to effectively highlight essential
problem areas and enable deep dives to review what matters to management?
Right-sizing the internal audit team’s capabilities is no easy task, but it’s more about
aligning with the strategy and objectives of the business than gaining proficiency in fancy
new technologies that may be of little added value.
Upping Your Cybersecurity Game
While balancing the technology capabilities of internal audit with those of the business is
an important concern, just about all audit shops need to ensure they have cybersecurity
covered. Cybersecurity routinely shows up on lists of top concerns for board members,
meaning it must also be a top concern for chief audit executives. Indeed, some CAEs worry
that they aren’t where they would like to be in terms of their cybersecurity proficiency.
According to the IIA Pulse report, 68 percent of the CAEs surveyed rated the risk as high
or very high for cyber and more than half (53 percent) rated the risk as high or very high
for IT. “Despite organizations uniformly identifying cybersecurity and cyber awareness as
key risk priorities, CAEs still have significant concerns about cyber and IT risk to their
organizations,” the report states.
As the IIA Pulse report finds, those concerns are based on a few barriers that are holding
them back. They include:
- Lack of cybersecurity expertise among internal audit staff, which 51 percent of
  the CAEs surveyed rated as an extremely significant barrier
- Lack of cooperation or communication from IT department (43 percent)
- Lack of support from executive management to address cybersecurity risk (43 percent)
“I’d say cybersecurity is among the top three-to-five risks,” says Chris Dogas, vice president
of internal audit at Internap Corp., a global provider of high-performance data center and
cloud solutions. “It’s vital to obtain a robust understanding of the client’s technology,
networks, training, and education to identify risks and also hire and retain competent
auditors with deep understanding of the topic,” he says. Dogas says it’s also important
to develop close relationships with those in the organization who are responsible for
cybersecurity, such as the chief information security officer (CISO). “You need to build a
trusted relationship so that they relay issues and risks before they become significant,”
he says.
New Technologies
Many cyber risks are rooted in the use of new technologies both in the organization and
within the internal audit department. While internal audit doesn’t need to adopt all the
latest technologies, team members should have a good working knowledge of the tools
available and the technologies their peers are using to innovate their processes. “Even if
we are not going to use everything, I need to make sure that my team knows what’s out
there,” says Gurman.
Here is a run-down of some of the cutting-edge technologies internal audit departments
are either deploying or considering deploying:
Predictive Data Analytics: Internal audit departments are increasingly using predictive
analytics, which includes a variety of statistical techniques, such as data mining, predictive
modeling, and machine learning, to analyze current and historical facts to make predictions
about future or otherwise unknown events.
Robotic Process Automation: RPA is the use of software or other technology to create
scripts or “bots” to handle high-volume, repeatable tasks that previously required
humans to perform. These tasks can include queries, searches for red flags and outliers,
complicated calculations, and maintenance of records and transactions.
Blockchain: Blockchain is an advanced record-keeping system in which records or
transactions are stored in a digital ledger and linked, using encryption, in a way that
makes them difficult to alter without also creating a record of the changes. It can be
used to create a transparent system of records that can be stored in a distributed network.
It is often used to keep track of cryptocurrency transactions, but is also being applied in
new ways, particularly in the banking sector.
Artificial Intelligence: AI, while in its infancy, has the potential to transform internal audit.
According to John McCarthy, a Stanford University professor who is often considered the
father of AI, it is “the science and engineering of making intelligent machines, especially
intelligent computer programs. It is related to the similar task of using computers to
understand human intelligence, but AI does not have to confine itself to methods that are
biologically observable.”
A 2018 study by PwC, “State of the Internal Audit Profession: Moving at the Speed of
Innovation,” identified other technologies in use at corporations that internal audit must
be versed in, including the Internet of Things (IoT), virtual reality, 3D printing, drones,
and augmented reality. “Companies want internal audit to provide advice on how their
organization should exploit new technologies and to make recommendations as part of
the audit process that push the organization’s technological innovation levels,” the report
states. “Internal audit functions can serve in this valuable capacity only if they themselves
are innovating.”
What’s Holding Internal Audit Back?
Several studies, including the one from PwC cited above as well as recent studies from
internal audit advisory firm Protiviti and the IIA, suggest that internal audit is falling behind
on its understanding and adoption of new technology. The Protiviti report, titled “Embracing
the Next Generation of Internal Auditing,” surveyed 1,113 chief audit executives and
internal audit leaders and found that 41 percent of respondents were concerned that they
are moderately or far behind their competitors’ internal audit transformation activities.
The 2018 PwC State of Internal Audit study found that just 14 percent of internal audit
departments were “advanced” in their adoption of technology.
Indeed, Michael Smith, U.S. intelligent automation and solution lead for internal audit at
KPMG, says there is a big gap between how CEOs see innovation and technology and how
chief audit executives do. “While a vast majority of CEOs say they are disrupting their
business or their sector, only 30 percent of CAEs say they are challenging the status quo,
so there is a disconnect there,” he says.
So what’s holding internal audit back? One of the issues is time. Most internal audit
departments are stretched thin and don’t have the time to devote to coming up to speed
on new technologies, even if it would save time in the long term. Another problem is that
the technology is moving so fast that some CAEs decide they can’t keep up with it all and
throw up their hands.
According to Smith, at companies where internal audit is behind on technology, the
problems often lie higher up in the organization. “At organizations where internal audit
isn’t particularly tech-savvy, it’s usually some combination of the lack of vision among
company leaders and the positioning of the internal audit function.” He says they haven’t
been empowered to go and create their own innovation.
An Innovator’s Mindset
Bridging that gap could take some creativity and experimentation. KPMG’s Smith calls it
being “technology curious.” CAEs need to promote a culture where auditors are free to
experiment with possible technology solutions to see what they can accomplish.
For example, Dogas encourages internal audit staffers to think about other ways to
accomplish traditional tasks that could pay benefits down the line. “Identify suitable audit
engagements where the audit team can experiment using technology more to perform
manual audit steps. I find that we auditors are afraid to ask ‘what if’ questions during
the audit process,” he says. “What if we used technology to test controls pertaining to
payments, receipts, payroll, tax, etc.? I would use this technique as a pilot, in addition to the
manual test, until we can show that it’s effective.”
The spirit of experimentation and innovation can be contagious. It should also be coupled
with the idea that it’s OK to take chances and to fail. “It’s not enough to hire people with
technology skill sets, you have to create a culture of innovation,” says Herb Chain, assistant
professor and executive director of the Center for Executive Education and External
Programs of the Tobin College of Business at St. John’s University. He also says university
internal audit programs are working to better integrate technology tools into the curriculum
to develop more tech-savvy internal auditor candidates. “Universities are wrestling with
how to get more knowledge of technology tools into the curriculum,” says Chain.
Internal audit shops that don’t embrace change or explore new technology do so at their
own peril. With companies moving so fast into new and disruptive technologies, internal
audit departments that don’t keep up will soon become obsolete. And while it’s clear that
some internal audit shops are lagging, there are a few signs of encouragement as well.
KPMG’s Smith, for one, is hopeful: “This tech-enabled internal audit story ultimately helps
us to confirm that we can be data-driven, we can have some dynamic execution, and we
can drive change as internal auditors, but we have to have the right marriage of people,
technology, process, and leadership to respond.”
eBook brought to you by:
MIS Training Institute, 153 Cordaville Road, Suite 200, Southborough, MA 01772, www.misti.com
Workiva, 2900 University Blvd, Ames, IA 50010, www.workiva.com