How is your internal audit function evolving?
This question contains a subtle yet blunt challenge: Standing pat will not suffice. Internal audit stakeholders in the C-suite, on the board of directors and throughout the organization rely greatly on their internal audit functions to provide assurance- and compliance-related activities. But more and more, these contributions represent just the tip of the iceberg. Amid ongoing business transformation, stakeholders seek more input from their internal audit groups, including but not limited to risks tied to long-term strategy or a catastrophic cybersecurity breach that may be lurking just beneath the surface.
In the 10th year of our Internal Audit Capabilities and Needs Survey, we believe internal audit has arrived at a tipping point. The issue is no longer whether or not your function is evolving, but rather how quickly and effectively it is transforming for the future toward a more strategic, collaborative and data-driven mode of operation while maintaining the highest quality of performance.
Our key findings this year:
- The strength of cybersecurity measures hinges on board engagement and inclusion in the audit plan. Cybersecurity is not an IT issue; it is a business risk requiring a comprehensive risk-based approach to manage.
- Cybersecurity risk is becoming a fixture in the annual audit plan. Nearly three out of four organizations are evaluating cybersecurity risk as part of the annual audit plan, compared to just half of organizations in 2015.
- Notable audit priorities include mobile applications, cloud computing, IT standards and the Internet of Things. Technology issues dominate the priority list for internal auditors, from emerging technologies and trends to IT auditing standards.
- It’s time to move forward with data analysis and technology-enabled auditing capabilities. Internal audit continues to view data analytics and technology-enabled auditing as significant priorities, but after a decade of stagnant growth, we're at a tipping point where more process is needed.