Internal Audit Insights 2018 - High-impact areas of focus - Deloitte

Page created by Enrique Gibson
 
CONTINUE READING
Internal Audit Insights 2018 - High-impact areas of focus - Deloitte
Internal Audit Insights 2018
High-impact areas of focus
Deloitte research1 and experience strongly indicates that stakeholders
expect Internal Audit to be far more focused on the risks and
issues of the future than on those of the past. This means shifting
from auditing the past to advising on the future and to focusing on
activities that present new and unfamiliar risks. Some of this will
require new skills and talent models. Some demand new frameworks
and interaction with new stakeholders. Failing to keep pace with the
evolving organization and environment, however, puts at risk Internal
Audit’s role as a relevant, engaged, and strategic player within
the organization.
For that reason, our 13 high-impact areas of focus for 2018 identify
activities and risks that present opportunities for Internal Audit to
make a positive impact. Whether by adopting new methods, such as
automating core assurance and taking an Agile approach to internal
auditing, or auditing new threats, such as digital risk, a focus on these
areas as they relate to your organization will heighten Internal Audit’s
impact and influence. Moreover, these areas of focus will satisfy
stakeholders who desperately need Internal Audit’s objectivity, skills,
and advice as they tackle new challenges.

1 Evolution or irrelevance? Internal Audit at a crossroads, Deloitte’s Global Chief Audit Executive
Survey, Deloitte, 2016
Internal Audit Insights 2018 | High-impact areas of focus

Table of contents

    Robotic process automation
                                                      Third-party risk
      and cognitive intelligence

             Auditing digital risk                    Culture risk

                  Cyber security                      Operational risk assurance

                    Data privacy                      Crisis management

         Internal Audit analytics                     Auditing agile

     Automated core assurance                         Agile internal auditing

                Cloud migration

                                     The year ahead

                                                                                                                                  3
Internal Audit Insights 2018 | High-impact areas of focus

Robotic process automation
and cognitive intelligence
Robotic process automation (RPA) is the use              with these technologies. Doing so calls for
of software to perform rules-based tasks                 an understanding of the new risks and
in a virtual environment by mimicking user               the need for well-designed and properly
actions to obtain the same or enhanced                   implemented controls. It is also necessary
results. RPA also often taps multiple                    to govern the use of these technologies
systems. In general, it makes repetitive                 in areas like integrity, data access, change
manual activities more efficient                         protocols, and security.
and effective.
                                                         Internal Audit plans should address
Cognitive intelligence (CI)—a step beyond                the effects of RPA and CI on processes,
RPA—includes natural language processing                 management, and the organization. To
and generation, artificial intelligence, and             provide sound assurance, Internal Audit
machine learning. CI can extract concepts                should become involved early. Review
and relationships from data, “understand”                documentation of testing procedures
their meaning, and learn from data patterns              and any prior testing by sampling test
and prior experience.                                    cases documented, results generated,
                                                         and issues logged. Ascertain that
Both RPA and CI are seeing adoption in
                                                         a framework and process exist to
the business and second-line functions,
                                                         monitor “bots” in testing and production
particularly in financial services and other
                                                         environments and to triage issues.
data-intensive industries. In addition to
                                                         Specifics include issue identification and
many benefits, RPA and CI pose operational,
                                                         resolution, bot change management, third-
financial, regulatory, organizational, and
                                                         party risk management, and supervision
technology risk. Fortunately, the associated
                                                         and compliance. Opportunities also include
risks can generally be addressed by
                                                         advising on risk mitigation, leading practices,
extending existing approaches.
                                                         and automation strategies.
Consider: As functions adopt RPA, CI, and
                                                         Finally, Internal Audit should consider using
similar technologies, Internal Audit should
                                                         RPA to automate repetitive controls testing
support them in identifying, assessing,
                                                         and internal reporting tasks.
and monitoring the risks that come along

4
                                                                                                           Back to contents
Internal Audit Insights 2018 | High-impact areas of focus

      Auditing digital risk
      Many companies have established digital           methods, whereas digital innovators employ    processes, and products. Review the digital         delivery teams. Promulgate fit-for-purpose
      transformation strategies; created siloed         more agile and automated techniques.          strategy and road map and decide where to           digital risk frameworks, methods, and
      teams to develop apps, websites, and              Apps and websites used in customer            focus, given the risk themes. Digital poses         oversight in the first and second lines. This
      other digital channels; and embedded              acquisition and interactions can raise a      the usual cyber risks, plus new strategic,          includes providing the appropriate level of
      first- and second-line teams in these             range of identity, privacy, and security      reputational, and third-party risks—in a            assurance over frameworks for managing
      efforts. Yet Internal Audit generally lags in     risks. Meanwhile, many organizations lack     fast-paced environment. Internal Audit              external parties in digital initiatives.
      understanding the technologies, methods,          risk frameworks and risk management           should aim to understand the tools used to          Integration of platforms blurs the boundary
      and tools of digital initiatives. These include   capabilities equal to the complexities and    automate processes and controls, and then           between organizations and third parties,
      application-development methods, dev-ops          challenges of those risks and those posed     assess the integrity of the tools. Track digital    so clarify the processes, data flows, and
      teams (which combine development and              by external partners who provide these new    project pipelines and get involved in early         regulatory implications. Internal Audit
      operational professionals), and tools that        technologies, channels, and services.         stages and selected iterations.                     groups are increasingly using cosourcing,
      automate controls. Many Internal Audit                                                                                                              upskilling, and dedicated teams to develop
                                                        Consider: In audit planning, use key risk     Focus on how related risk functions are
      groups retain traditional mind-sets and                                                                                                             the focus and resources needed in this area.
                                                        themes to assess risks of digital programs,   involved, since they are closer to the

                                                                                                                                                                                                              5
Back to contents
Internal Audit Insights 2018 | High-impact areas of focus

Cyber security
In recent years, cyber security                Organizations involved in several      and drug trials, but overlook those
audits have often focused on                   recent high-profile cyber incidents    related to a small nuclear reactor
regulatory compliance - areas                  were likely in compliance with         used in radioisotopes (an actual
such as data privacy, IT security,             applicable cyber regulations.          situation). In Internal Audit planning,
and business continuity. These                 Indeed, while most cyber               be proactive and cast a wide net.
audits have generally ascertained              security activities focus on the
                                                                                      Look beyond rotational audit
compliance with regulations and                IT department, corporate email,
                                                                                      plans to seek out new initiatives,
standards (such as ISO 27000).                 and the like, the highest risks now
Compliance will continue to                    emanate from business teams using      products, markets, contracts, and
be high on most companies’                     cloud-based systems, working with      external parties. Then challenge
radar, especially for US-listed                external developers, and using         management on risk identification,
organizations with the Securities              applications outside of IT proper.     monitoring, and management in
and Exchange Commission making                 Much of this activity escapes the      those areas.
cyber security a priority in its               attention of the CIO, CISO, and
                                                                                      Management should instill a culture
National Exam Program, and with                Internal Audit, and presents serious
its recent creation of a Cyber Unit            risks. The challenge now is to         of awareness of how decisions and
within its Enforcement Division.               identify a broader range of cyber      behaviors magnify or minimize
Also, new regulations are being                risks before they occur.               cyber risk. Encourage the use of
developed daily in parallel with                                                      war gaming to test the impact of
the new AICPA cybersecurity                    Consider: Internal auditors            cyber incidents on operations,
risk management examination.                   accustomed to providing                infrastructure, data, finances,
Companies should continue                      compliance-related assurance need      reputation, and recovery and to
to focus on assurance while                    new mind-sets and methods. Start       gauge responses and resilience—
understanding that compliance                  by thinking broadly. For example,      both of which should be
with existing regulations hardly               in a pharmaceutical company,           regularly assessed.
guarantees high, or even                       Internal Audit may audit cyber
adequate, cyber risk management.               risks related to privacy regulations

6
                                                                                                                                Back to contents
Internal Audit Insights 2018 | High-impact areas of focus

      Data privacy
      The EU General Data Protection          by enhanced data mapping and           transferred and stored, and for what
      Regulation (GDPR), effective            management. Internal Audit can         purposes. Help stakeholders to
      May 25, 2018, affects all EU            help the organization to manage        identify data repositories, data flows,
      organizations that collect or process   the increased risk posed by the        and who uses and who can alter
      data on individuals, and non-EU         new regulations and to realize         data. This data mapping positions
      organizations with EU operations.       the potential of an enhanced           the organization to respond to
      The GDPR greatly expands                understanding of data that this work   information inquires and manage
      individuals’ ability to determine       can create.                            individual consent.
      which personal data is collected
                                              Consider: Organizations must           In Internal Audit planning, take a
      on them and how it is treated.
                                              establish clear accountabilities       risk-based approach to addressing
      For example, individuals will have
                                              around data. Apart from appointing     requests and requirements and
      to opt in to allow certain uses of
                                              a DPO, this means clarifying who       emphasize key systems, as defined
      their data. The GDPR establishes
                                              is responsible for addressing          by data volume, importance, and
      strong penalties for noncompliance,
                                              specific requirements, such as data    sensitivity. Ensure that a Data
      and calls for appointment of a
                                              requests, breach response, and         Privacy Impact Assessment (DPIA)
      data protection officer (DPO) and
                                              data retention. Accountabilities       is conducted for any new initiative
      detailed documentation of roles,
                                              and related processes must be          involving individual data and pay
      responsibilities, and processes
                                              documented in a framework              close attention to hand-offs of data
      related to the collection, use, and
                                              that explains the execution of         to any third parties.
      retention of data on individuals,
                                              information requests, retention of
      including employees and
                                              data, and other procedures. Given
      independent contractors.
                                              the mandate to retain data only as
      While most affected organizations       long as it is needed, focus on the
      have been working to fulfill these      data life cycle and on retention and
      requirements, many are lagging          deletion policies.
      in certain areas. Moreover, GDPR
                                              The organization must also
      presents real opportunities for the
                                              document what data is collected
      organization given the marketing
                                              by which systems, where data is
      and analytical possibilities provided

                                                                                                                                                                                        7
Back to contents
Internal Audit Insights 2018 | High-impact areas of focus

Internal Audit analytics
Analytics is a perennial high-impact                      Consider: Analytics should be seen          Also, consider using RPA and CI (as noted
area for several reasons. First, beyond-                  as integral to all of Internal Audit’s      above) to automate repetitive tasks and
the-basics analytics is the single most                   planning, execution, and reporting,         accelerate reporting. Set your sights on
powerful booster of Internal Audit                        and should be reflected in methods and      “Digital IA,”1 an integrated set of analytical
efficiency and effectiveness available.                   skills accordingly.                         capabilities geared to using and auditing
Second, the continuing digitalization                                                                 advanced technologies.
                                                          Rather than setting uninformed and
of business generates huge quantities
                                                          fixed audit objectives, use data in the
of data, which analytics can transform
                                                          audit scoping stage to highlight unusual
into valuable information and business
                                                          patterns, unexpected relationships, and
insights. Third, the tools for analyzing and
                                                          changes in business conditions.
visualizing data are now simpler, cheaper,
more available, and easier to use than                    To prove the value of analytics, initiate
ever. Finally, stakeholders’ needs for                    pilot projects in areas where data
higher-level assurance, insights, and risk                is readily available, success is fairly
anticipation have never been greater.                     certain, and results will drive value
                                                          (such as reducing fraud, waste,
Yet Internal Audit’s adoption of analytics
                                                          or other policy breaches).
has been relatively uneven and slow.
Internal Audit is, admittedly, a function                 Start with a hypothesis and gather
that can find changing the status quo                     relevant data; for example, we expect
and adapting to a new way of life difficult.              a certain behavior or outcome here; is
An often-undiagnosed barrier to progress                  that supported by the data? Then iterate
can be methodology: traditional audit                     through the data to drive sampling and
approaches can choke innovation,                          generate relevant insights (rather than
restrict data gathering, and treat                        lists of exceptions), and communicate
analytics as a bolt-on capability rather                  using data visualization tools.
than an imperative.

1
    The untapped power of “Digital IA,” Deloitte, 2017.

8
                                                                                                                                                       Back to contents
Internal Audit Insights 2018 | High-impact areas of focus

      Automated core assurance
      Leaders realize that risks associated with business as usual   Technologies to facilitate automated assurance and real-         Conversations with stakeholders can identify key risks and
      need to be managed even as they pursue new initiatives,        time reporting include off-the-shelf tools, which hold some      controls to monitor. Not everything should be automated,
      and they are coming to expect ongoing assurance on these       benefits, and custom solutions that can deliver automated        which raises scoping issues—whether to emphasize, for
      core activities. Internal Audit groups should be moving to     assurance over most critical processes and controls.             example, financial or operational risks and controls.
      provide this continuous comfort—ongoing assurance—
                                                                     Consider: Automated assurance should gear comfort levels         Become familiar with the possibilities of automation tools,
      on those core processes, controls, and activities to
                                                                     to the drivers of value and risks to those drivers. Begin by     and locate early and easy wins, typically found around key
      management and the board.
                                                                     assessing core processes in the first line, their criticality,   financial controls and reconciliations.
      Automated assurance implies real-time reporting that flags     and the risks, and then prioritize accordingly.
                                                                                                                                      Overall, automation provides ample opportunities for
      actionable items. Such reporting enables rapid remediation,
                                                                     Technology tools in existing systems provide many                easily-achieved cost savings and enhanced assurance
      with the option of continued monitoring pending further
                                                                     capabilities for automating core assurance, although             simultaneously. Automating core assurance also enables
      notification. At this point, using a sampling approach when
                                                                     the first and second lines rarely fully employ them. So          Internal Audit to allocate resources to higher value areas
      entire populations could be monitored, and reporting
                                                                     promulgate use of these capabilities and the embedding           and activities.
      irrelevant details, is becoming a hallmark of a backward-
                                                                     of them into processes and systems. First- and second-line
      looking Internal Audit function that cannot keep up with
                                                                     functions are often unaware of these capabilities, which
      developments or provide assurance efficiently.
                                                                     vendors rarely emphasize.

                                                                                                                                                                                                          9
Back to contents
Internal Audit Insights 2018 | High-impact areas of focus

Cloud migration
Using cloud services can significantly alter            Consider: Traditional audits of areas such       Additional assurance can be gained by
an organization’s risk profile, depending on            as network configuration, asset protection,      evaluating providers’ locations, business
the data involved, cloud service and model              access control, logging and monitoring,          model, customer base, history, and financial
type, and strength of user and third-party              and vulnerability assessment are still           soundness. Ascertain that management
controls. The term cloud includes software              relevant for the cloud, but can differ.          understands which contractual
as a service (SaaS), platform as a service              Cloud standards and guidelines from the          responsibilities are the cloud service
(PaaS), and infrastructure as a service                 SANS Institute, NIST, ISO, and the Cloud         provider’s, the organization’s, or shared.
(IaaS). SaaS and PaaS provide cloud-based               Security Alliance are useful, but each has its
software and platforms, while IaaS provides             own focus, so you must tailor an approach
infrastructure services. Cloud service                  that fits your organization’s strategy, risk
models include private, public, or hybrid               profile, cloud use-case(s), and cloud service.
models (a mix of on-premise, private cloud,             Assess the cloud environment holistically,
and public cloud services).                             and evaluate governance elements and
                                                        shared responsibilities.
The risks for these service types depend
mainly on access and data criticality. Given            Often-misunderstood areas include
the varying levels of user control, security            inherited controls, incident response
requirements will differ for each service               responsibilities, and disaster recovery
and model type. The appropriate security                capabilities. Consider obtaining cloud
controls will also depend on the data and               certification and tapping external expertise.
processes involved.
                                                        While cloud services are often positioned
Regardless of service type, in a public cloud,          as cost savings, ensuring optimum value
you are entrusting data to a third party, and           calls for choosing services carefully,
you can audit controls design and execution             monitoring and managing resources tightly,
only up to a point, after which you rely on             and deactivating unnecessary components
that party’s assurance. Whatever assurance              promptly—all items to review.
is obtained from the cloud provider or
through procurement, you have limited
visibility into the provider’s environment.

10
                                                                                                                                                        Back to contents
Internal Audit Insights 2018 | High-impact areas of focus

      Third-party risk
      Organizational leaders have long                    must. Why? Because third parties have          An overall EERM framework can be
      expected assurance around processes                 become critical to most organizations          utilized to surface key areas of risk
      for vendor screening, selection,                    while presenting myriad risks.                 specifically embedded within the
      contracting, evaluation, payments, and                                                             third-party ecosystem. Effective audit
                                                          Consider: When planning your internal
      termination. They have also expected                                                               programs that assess the health of the
                                                          audits, start with an assessment of
      audits geared to identifying potential                                                             ecosystem and its components will
                                                          third-party contracts on the basis
      cost savings and recovery.                                                                         help to reduce risk over the sourcing
                                                          of spend and risk. Large, complex
                                                                                                         of goods and services most critical to
      Developments in technology and                      contracts will generally present more
                                                                                                         business strategy and operations.
      automation have introduced more                     potential exposures and risks than
      advanced analytics capabilities and real-           contracts for goods purchased within
      time assurance. Beyond this, however,               the usual procurement process.
      leaders want—and need—a more
                                                          For vendor spend assurance,
      holistic picture of third-party risks and
                                                          promote adoption of automated
      their management.
                                                          tools for analyzing spend and vendor
      This calls for Internal Audit to                    performance, if they are not in place; if
      understand the organization’s entire                they are in place, provide assurance on
      approach to third-party relationships. As           their integrity and effectiveness. Some
      noted in a 2016 Deloitte global survey2,            of these tools can apply RPA to data on
      the third-party risk universe includes              deliveries, service levels, billings, and
      the third-party ecosystem, third-party              other metrics, making real-time third-
      risk management and governance, and                 party assurance a reality—and, soon,
      technology and methods for monitoring               an expectation. These tools also free
      and managing relationships.                         resources to work on other third-party,
                                                          or extended enterprise, risks.
      While cost savings and recovery remain
      key, excellence in extended enterprise
      risk management (EERM) is also a

      2
        The threats are real: Third party governance and risk management, Deloitte global survey, 2016
      < https://www2.deloitte.com/content/dam/Deloitte/za/Documents/risk/ZA_Third_Party_
      Governance_and_Risk_Management_Survey_RA_Dec16.pdf >

                                                                                                                                                                                                         11
Back to contents
Internal Audit Insights 2018 | High-impact areas of focus

Culture risk
An organization’s culture plays a major role in business            Consider: Internal Audit should engage in broader                 Assess how culture differs across locations and ascertain
performance and marketplace reputation. Culture can also            organizational-level culture risk management efforts—             whether the risk management framework can identify and
create risk for the organization when there is misalignment         providing assurance and advice on culture as appropriate          address outlier behavior.
between an organization’s values and leaders’ actions that          and validating risk management activities. To do this,
                                                                                                                                      Work to ensure that the second line of defense has visibility
shape culture, employee conduct and behaviors that sustain          consider aspects of culture throughout the life cycle of
                                                                                                                                      into culture at the first line, and ensure management and
culture, or organizational systems that reinforce culture.          an internal audit; for example, coordinate with culture
                                                                                                                                      the Board understand that culture will always remain a work
                                                                    stakeholders (e.g., human resources, risk, compliance,
The spotlight often shines on culture risk issues only after                                                                          in progress.
                                                                    customer experience, security, technology) to understand
an organizational crisis or incident, but a growing number of
                                                                    potential areas of risk to optimize audit coverage, link
leaders are shifting to a proactive approach turning culture into
                                                                    cultural and employee engagement assessments into
a value enabler and driver of organizational performance. Such
                                                                    internal audit risk assessments, and incorporate culture
an approach requires gaining greater data-driven insight into
                                                                    metrics and control aspects into audit programs, including
the organization’s culture, better understanding of employee
                                                                    aspects of culture risk in audit reports.
engagement and employee behaviors, and looking for external
market signals to get ahead of risk issues and drive necessary      Internal Audit can also perform assessments of the
management actions.                                                 organization’s culture risk management activities against
                                                                    leading practices to provide recommendations to
As the third line of defense, internal audit plays a vital
                                                                    management and perform additional procedures to assess
role in culture risk management—providing assurance
                                                                    culture risk management programs’ effectiveness. A culture
and advising on culture as appropriate and validating
                                                                    risk assessment can provide insight into intangible drivers
mitigation activities. Auditing culture is not a matter of
                                                                    of risk, controls effectiveness, compliance failures, and
reviewing risk-related policies and procedures; it is a matter
                                                                    potential misconduct; it can also direct audit fieldwork and
of developing an understanding of people’s approach to
                                                                    analysis to where it most matters. Such an assessment can
managing risk as they do their jobs. In a strong culture, there
                                                                    include a range of activities, such as confidential interviews,
is clear awareness and alignment of values, organizational
                                                                    focus groups, and data analytics geared to discovering
processes, behavioral norms, internal and external
                                                                    where controls are working well, causing frustration, or
statements, and reward systems to promote the right
                                                                    failing to deliver intended results.
decisions, the right risk management behaviors, the right
conduct—and, thus, the right culture.

12
                                                                                                                                                                                        Back to contents
Internal Audit Insights 2018 | High-impact areas of focus

      Operational risk assurance
      While functions such as cybersecurity and employee health        capital, and sustainability. However, field-level audits—of       When developing the Internal Audit plan, tie operational audit
      and safety already provide assurance around operations,          productivity, asset performance management, maintenance           activities to organizational goals and strategies and to key
      Internal Audit should conduct deeper assessments of              activities, operations technology and systems, regulatory         operational risks posed to them. Using an operational risk lens,
      operational efficiency, effectiveness, and risk management.      compliance and safety, and asset integrity—may present            identify upcoming capital projects, significant maintenance,
                                                                       more opportunity to add value.                                    and similar initiatives. Look to the organization’s risk
      Operational audits focus mainly on nonfinancial assets
                                                                                                                                         assessment and the Enterprise Risk Management
      and processes. They aim to determine how performance             Consider: Excellence in company-level operational internal
                                                                                                                                         system, but also conduct robust conversations with key
      aligns with management’s expectations, identify areas to be      audits should be table stakes. A clear focus on core operations
                                                                                                                                         operating executives.
      investigated, and propose enhancements. Meanwhile, many          demands an understanding of field-level operations as well as
      internal auditors are oriented more toward financial processes   company-level operational risks. Start by ascertaining            Apply analytics to process data to isolate trends, patterns,
      and performance.                                                 that second-line activities are providing proper assurance        anomalies, and root causes, and enhance reports through
                                                                       and, if they are not, help them to do so or provide the needed    visualization tools, added insights, and risk anticipation.
      Even in capital-intensive industries like manufacturing and
                                                                       additional assurance.
      oil and gas, traditional audits may overlook basic operations.                                                                     Consider whether external subject matter specialist
      Internal Audit groups in such industries typically conduct                                                                         resources may be needed, or whether knowledge can be
      useful company-level audits around the supply chain,                                                                               accessed internally through guest auditor or
      cybersecurity, contract compliance, capital projects, human                                                                        rotation programs.

Back to contents
Internal Audit Insights 2018 | High-impact areas of focus

Crisis management
Crisis management provides the structure,                     Consider: An organization needs a crisis
leadership, decision-making, and communications               management program encompassing governance,
to support the organization in managing a crisis              processes, and risks. Governance organizes program
situation. It encompasses business continuity,                ownership and the roles and responsibilities of
disaster recovery, cyber incident response, and               security, legal, IT, Internal Audit, and other functions.
financial market crisis response planning and                 Processes are needed to address crisis response,
execution. Most major organizations have basic                decision-making, recovery, communications, and
business continuity plans and disaster recovery               contingency plans. Risks must be identified to
plans in place, particularly for IT, supply chains,           enable scenario planning and response capability
and facilities.                                               development through training and simulations.
                                                              Aim to provide assurance and advice in each of
Usually Internal Audit will, on a rotational basis,
                                                              those areas, and to anticipate events and
review those plans, provide assurance on related
                                                              promulgate best practices.
compliance, and conduct post-event reviews.
However, the focus on continuity management has               Consider whether leaders can answer the questions:
widened to include any event that could irreparably           What are you prepared for? How prepared are you?
damage finances, operations, cyber capabilities,              Ensure that simulations are regularly conducted
reputation, or other essential assets.                        and used to develop and test overall plans as well as
                                                              playbooks for specific events.
A crisis management plan provides a framework and
contingency plans for senior executives should the            Go beyond regulatory guidance and checklists
need arise. Responsibility for crisis management              and audit not just the existence of plans, but their
sits with senior leaders, which means that Internal           likely effectiveness.
Audit is the logical—and perhaps only—source of
                                                              Also, consider industry-specific issues and evolving
assurance and advice.
                                                              regulations, such as the EU’s GDPR reporting
                                                              requirements for breaches. Internal Audit may need
                                                              to upskill or tap external sources to add value in this
                                                              area, but doing so can save the entire enterprise.

14
                                                                                                                          Back to contents
Internal Audit Insights 2018 | High-impact areas of focus

      Auditing agile
      Organizations are increasingly adopting        Internal Audit must be aware of Agile            Proactive engagement by Internal Audit
      Agile methods of managing projects and         processes and projects in the organization,      is key to establishing how Agile can be
      processes. Companies and functions in          and of their potential issues and impacts.       managed while maintaining balanced and
      technology and financial services lead the                                                      sustainable levels of control.
                                                     Consider: Internal auditors should
      way, but others seeking increased speed,
                                                     understand Agile methods and clarify
      efficiency, and innovation are also coming
                                                     responsibilities, schedules, resources,
      on board. (These include Internal Audit
                                                     deliverables, and risks and controls—in
      functions—see below.) Desired outcomes
                                                     discussion with Agile team leaders.
      include faster results, greater focus on
                                                     A flatter structure may mean greater
      user needs, more nimble decision-making,
                                                     variability in the way outcomes are
      and reduced documentation.
                                                     achieved, while less documentation may
      Agile empowers people to make decisions        reduce visibility into risks. Controls may
      and take calculated risks based on more        be given short shrift as the pace of work
      targeted objectives delivered in shorter       picks up. Therefore, assurance functions,
      time frames, but these attributes can          including Internal Audit, should assess
      stress some control environments. A            risks and controls during all phases, from
      fast pace can introduce more frequent          ideation to pre-implementation.
      impacts or errors, but that can be offset by
                                                     Traditional audit plans may be less useful
      increased direct business ownership.
                                                     than early involvement and parallel visibility
      An intense focus on user needs can             into the work. Internal Audit may best
      overlook other considerations, such as         approach Agile by understanding what is
      security or regulatory concerns, which can     to be delivered—what the Agile project or
      be mitigated by ensuring that standards        process aims to achieve, delivery risks, and
      are known and applied across Agile teams.      proposed controls—and by understanding
      Reduced documentation can make it              how it is being delivered, including
      hard to know what was done, by whom,           management of risks and use of controls.
      when, and why, which calls for changes to
      governance and controls.

                                                                                                                                                                                                       15
Back to contents
Internal Audit Insights 2018 | High-impact areas of focus

Agile internal auditing
Principles and practices of Agile development are being                 Learn about Agile from internal practitioners in software
applied to audits and projects by forward-thinking                      or systems development, or enlist external support.
Internal Audit groups. Agile methods foster rapid                       Understand that adopting Agile demands a change of
response to emerging issues, closer collaboration with                  mind-set as well as methods, and not every internal
stakeholders, faster delivery cycles, and streamlined                   auditor can adapt. However, those who do usually find
reporting3. Agile also changes the approach that internal               that they relish the pace of work, engagement with
auditors take to their work. For example, instead of                    stakeholders, and enhanced effectiveness that result
auditing to a periodic schedule, internal audits are                    from Agile Internal Auditing.
conducted when needed, particularly when the need
is urgent. Rather than waiting until an internal audit is
complete, auditors deliver weekly or even daily updates
as findings or issues emerge. Rather than presenting
unnecessary details, reports deliver insights on what
matters most.

Agile has the power to revolutionize Internal Audit by
making audits and reviews more relevant, risk-based,
and real time.

Consider: First, be clear about what Agile is and what it
is not. While it is a flexible methodology, simply calling a
process Agile (or using terms such as Sprint, Scrum, and
Backlog) does not make it so. Agile Internal Audit adapts
Agile to Internal Audit needs. It is up to you to decide
whether and where Agile might work in your function.
Good candidates are areas with a need for more
responsive and relevant reporting, high-stakes projects
like IT installations or merger integrations, and where
Internal Audit groups need to do more with less.

3
 Becoming agile: A guide to elevating internal audit’s performance and value, Deloitte, 2017 < https://www2.deloitte.com/content/
dam/Deloitte/us/Documents/finance/us-advisory-agile-internal-audit-part1-introduction-to-elevating-performance.pdf >

16
                                                                                                                                    Back to contents
Internal Audit Insights 2018 | High-impact areas of focus

                   The year ahead
                   Clearly, the year ahead calls for a strong   Forward-thinking Internal Audit functions
                   focus on all things digital. Of our 13       seek not only to provide assurance and
                   hot topics, more than half are aligned       advice, and to apply digital technologies
                   directly or closely with information         to their own work, but also to anticipate
                   technology and capabilities. Most            issues and risks associated with
                   Internal Audit groups should prioritize      those technologies. They anticipate
                   assurance and advisory work around           stakeholders’ potential moves to new
                   uses of these technologies in the            technologies, strategies, and business
                   organization and ways of using them          models so they can ready themselves
                   to enhance their own work. Just as           and the organization for those moves.
                   customers are tending to outpace             In this way, they assist stakeholders in
                   organizations in their uses of digital       some of the most challenging areas
                   technologies, many stakeholders now          they face—new areas where risks are
                   outpace Internal Audit in similar ways.      emerging and where new value can be
                                                                created—thus increasing their impact
                                                                and influence in visible and
                                                                valuable ways.

                                                                                                                                          17
Back to contents
Global Internal Audit Leadership

Terry Hatherell                              Kristopher Wentzel                             Porus Doctor
Global Internal Audit Leader                 Internal Audit Leader, Americas                Internal Audit Leader,
thatherell@deloitte.ca                       kwentzel@deloitte.ca                           APAC
+1 416 643 8434                              +1 416 643 8796                                podoctor@deloitte.com
                                                                                            +91 22 6185 5030

Peter Astley                                 Sandy Pundmann                                 Sarah Adams
Internal Audit Leader, EMEA                  US Internal Audit Leader                       IT Internal Audit
pastley@deloitte.co.uk                       spundmann@deloitte.com                         Global Leader
+44 20 7303 5264                             +1 312 486 3790                                saradams@deloitte.com
                                                                                            +1 713 982 3416

Neil White
Internal Audit Analytics
Global Leader
nwhite@deloitte.com
+1 646 436 5822

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their
related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide
services to clients. Please see www.deloitte.com/about to learn more about our global network of member firms.

Deloitte provides audit & assurance, consulting, financial advisory, risk advisory, tax and related services to public and private clients spanning multiple
industries. Deloitte serves four out of five Fortune Global 500® companies through a globally connected network of member firms in more than 150 countries
and territories bringing world-class capabilities, insights, and high-quality service to address clients’ most complex business challenges. To learn more about how
Deloitte’s approximately 245,000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively,
the “Deloitte Network”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may
affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss
whatsoever sustained by any person who relies on this communication.

© 2018. For information, contact Deloitte Touche Tohmatsu Limited
You can also read