Competing in a rapidly changing world, companies must grapple with emerging challenges seemingly every day: cyber threats, emerging and potentially disruptive technologies, business performance risk and more. To help internal audit (IA) functions tackle these challenges, KPMG enumerated the 10 key areas to focus on in order to effectively add value across the organization and maximize its influence on the company.
The KPMG Internal Audit: Top 10 considerations for 2017 helps to ensure that IA allocates its valuable resources to those areas of highest impact to the organization. This should result in a wide range of competitive benefits, from improvements in internal control environments and enhanced risk management processes to a more confident audit committee.
The 10 areas where IA should focus, so it can effectively add value across the organization and maximize its influence on the company, are the following:
1. Integrated assurance: With a constantly evolving landscape, the Board and senior management expect all assurance functions to work together to provide an integrated view of the organization’s risk profile.
Internal audit can help by leading or supporting coordination of risk assessment, planning, work execution and reporting across multiple assurance functions. Furthermore, IA can assist in developing and executing holistic assurance plans, evaluating business implications of emerging trends and encouraging increased utilization of data and analytics.
2. Cybersecurity: Several factors have driven the increased attention paid to cybersecurity issues, including changes in the threat landscape, rapid changes in technology, changing regulatory environments, social change and corporate change.
Internal audit can review the organization’s cybersecurity assessment, procedures and controls to protect its intellectual property. Moreover, IA can assess the implementation of revised technology security models, champion robust training and education programs and assess third-party security providers.
3. Emerging Technologies: Organizations face a wealth of opportunities to identify and capitalize on technology advances to drive change and innovation across markets and industries. However, with new evolutions in technology come new risks. IA can, for example, assess existing and emerging technology systems, evaluate changes in the business model and relate those changes to the control structure, and review policies and procedures.
4. Strategic alignment: When a company’s transformational and other goals lead to strategic objectives and initiatives, IA should be an active participant in considering the impact to risk and related governance and controls. IA can help to ensure their resources are allocated towards the most important objectives. They can also sharpen focus on areas that are normally not associated with the IA function (for example, IT and data management).
5. Regulatory compliance: Companies, regardless of industry, are being inundated with new regulatory requirements, both domestically and abroad. In this context, IA can help to evaluate the company’s response to notable instances of noncompliance, or can ensure that compliance training programs are offered.
6. Third-party relationships: To boost productivity and adapt to changing business models, companies are increasingly relying on third parties to carry out vital business functions. However, they need to ensure they are getting the most benefit from their third-party relationships while having in place appropriate controls to reduce liabilities. The IA department can help by, among other things, evaluating the contract management processes, monitoring regulatory developments and enforcing third-party compliance.
7. Data analytics and continuous auditing: Data analytics can help IA departments to simplify and improve their audit process, resulting in higher quality audits and tangible value to the business. IA should collaborate with their organization to develop and implement a cohesive strategy to leverage data and analytics for the benefit of the company as a whole. Furthermore, they can help to implement automated audits focused on root cause analysis, and recommend consistent use of analytics.
8. Anti-bribery/anti-corruption: A well-designed and executed anti-bribery and corruption compliance program may mean the difference between a prosecution and non-prosecution agreement, and may even reduce the monetary fines and penalties levied. IA can conduct a gap assessment of the organization’s procedures, provide assurance regarding the design and operating effectiveness of the controls and drive continuous improvement through testing and evaluation.
9. Performance risk: Shareholders’ expectations of business performance and the risk of not performing are becoming increasingly important. The Internal Audit department can assist by evaluating how the company is measuring performance and identifying initiatives for improvement. Alternatively, IA could execute a holistic approach to assess management’s effectiveness in managing the risk of not performing.
10. Culture risk: A company’s culture can be observed, monitored and changed over time to mitigate misconduct and encourage strategic behavior. Internal Audit can conduct an assessment of the organization’s cultural drivers in relation to the organizational norm, or can review the alignment of performance measures to strategy, to ensure desired behaviors are incentivized and rewarded.