How to adapt the Internal Audit function to the digital development
The digitization affects us all and leads to more and more dependence on automated processes and systems for both private and public entities. The development is extremely fast and new technical solutions are being implemented continuously. The question is: How can internal audit functions remain relevant in this changing climate?
Through our consultancy assignments, we work with many internal audit functions and there are some areas that we see needs to be considered in the development of the internal audit profession going forward:
More Technical Skills:
Today, some basic technical skills are needed to review more or less all business processes. Information technology is a large part of the business and Internal Audit functions generally need to increase their technical skills to perform relevant audits. IT auditors or auditors with CISA certification are still a minority in most Internal Audit functions.
More Forward-looking Audits:
With the rapid rate of change that most businesses face today, internal audit functions must be more forward-thinking and be involved in the strategic changes that the business is undertaking and the technology shift in progress. Project reviews should, for example, be made after start-up, during projects as well as after implementation.
A challenge with data analytics has historically been that it has been difficult to obtain reliable data. Now the technology begins to enable more structured data storage, and internal audit functions are thus able to contribute with more comprehensive testing in audits. Data analytics can and should also be used more extensively in risk analysis and audit planning, to obtain accurate data as a basis.
Flexible Audit Plans:
As a result of the high rate of change in organizations, internal audit functions needs to be more flexible in its audit plans and adapt better to changes in operations. Annual plans are good to have, but thy should not be too complicated and bureaucratic to adjust continuously. The focus should be on risk rather than number of audits performed.
Written by Magnus Thyllman, CIA, CISA, CISM, CRISC