GDPR – Using Internal Audit as an “Early Warning System”

March 27, 2018

All financial service businesses have assurance controls. Some businesses likely rely more on luck and the reporting of one or two employees. Some businesses rely on their external auditors to check their system once a year, and other businesses employ an internal audit team. When new, increased and more complex demands are put on a financial service business, impacting every business process, how should the audit team respond? GDPR requires more than traditional auditing. It requires teams to rethink their assurance practices and their skills. Business and audit teams that take advantage of rethinking assurance practices and skills can reinforce Internal Audit as a “trusted advisor” that brings the Board and management new insight to prevent damaging business impact and win opportunities.

It is the role of internal audit to provide assurance to the Board and management: assurance that the organization is reaching its objectives through an effective risk management process.

To provide the Board with assurance, the internal audit tasks include:

  1. Risk assessment – assisting management by identifying events and their impact on achieving the objectives of the organization, prioritizing opportunities and limiting exposure to loss.
  2. Control assessment – Identifying “trouble spots” – where preventative, detective, automated, and/or manual control procedures are not properly implemented.
  3. Process walkthroughs – by interviewing departments and process owners, documenting current IT systems and processes with a focus on “what can go wrong” scenarios.
  4. Testing – verifying that control procedures are working as designed and thereby limit exposure as intended to achieve the objectives of the organization.
  5. Reporting – informing management of observations and recommendations to improve control processes, limit exposure and ensure resources are used effectively.

So, Internal Audit is in touch with the entire organization and can therefore provide assurance that the system of internal control has been working properly. However, can assurance over the management of GDPR risk only be given in a rear-view-mirror perspective?

There are several specific benefits that Internal Audit can provide through traditional assurance practices:

  • Improve the “control environment” of the organization.
  • Make the organization process-dependent instead of person-dependent.
  • Identify redundancies in operational and control procedures and provide recommendations to improve the efficiency and effectiveness of procedures.
  • Ultimately increase accountability within the organization.

However, with an outside world that is continuously changing and expanding uncertainties, can Internal Audit also serve as an Early Warning System, enabling events to be remediated on a timely basis? We believe so!

By embracing the following three practices, an Internal Audit team can add significantly more benefits:

Real Time auditing

Real Time auditing is a methodology that enables auditors to provide written results on GDPR risks as businesses are managing them. This requires closer collaboration with the organization's subject matter experts in their implementation of new frameworks and processes. It also requires collaborative assurance work with the other lines of defense within the organization. Clear rules and responsibilities ensuring the auditors' objectivity during real-time auditing must also be in place, as well as a reporting framework aligned to the organization's objectives. The ability to report on events in or near real time can provide significant benefits to the Board, as it enables auditors to report on subject matter within a much shorter timeframe than under the traditional model. Theoretically, in some environments it should be possible to decrease the reporting timeframe to provide almost instantaneous auditing.

Monitoring Processes

Monitoring allows Internal Audit to observe the performance of one or many control processes, systems or types of data. The monitoring processes must be set up based on the risk assessment carried out by Internal Audit and aligned with the audit guidelines set out by the Board. This requires continuous and frequent discussions with the Board to ensure clear guidelines on how risks should be managed. Also, Internal Audit must ensure strict data discipline, as the data is varied and comes from different risk management processes across the organization. However, once established, audits will give deeper insight into the effectiveness of the system of internal controls. And even though monitoring in itself cannot prevent events from impacting the business, the work on mapping and analyzing data flows and personal data could be leveraged as a tool to enable this.

Audit team skills

GDPR risks impact all business processes. Ensuring that Internal Audit can provide the Board with true insights requires processes to be audited collaboratively by IT, legal risk and financial risk auditors. In order to ensure the right skills, the CAE (Chief Audit Executive) can use a “skills review.” This review is a process of measuring and analyzing the skills of the audit team. A skills review takes the perspective of the skills needed both at the present time and in the future. This requires an understanding of the objectives of the organization, mapping current and required future skills. It also requires an understanding of how the training plan relates to annual performance appraisals, to ensure true development and to avoid any duplication of effort. If carried out in a well-planned and consistent manner, audit managers can assign the right people to each audit, plan for more effective auditing and ensure increased understanding of the risks and controls required in the organization, and thereby broaden the Board's insight into how it can reach its objectives. And with the increasingly changing demands on organizations – legal requirements, growing uncertainty and new technologies – skills are important.

The added value of enhancing internal audit practices can be seen from the perspective of various stakeholders. With an internal audit team acting as a “trusted advisor”, management will have an advocate, a risk manager, a controls expert, an efficiency specialist, a problem-solving partner and, maybe most importantly, more insight.

– And more insight can turn risks into opportunities.

By Heidi Gliese Hylleborg and Rasmus Forssblad.



Related news