Internal Audit Insights 2018 - High-impact areas of focus - Deloitte
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Internal Audit Insights 2018 High-impact areas of focus
Deloitte research1 and experience strongly indicates that stakeholders expect Internal Audit to be far more focused on the risks and issues of the future than on those of the past. This means shifting from auditing the past to advising on the future and to focusing on activities that present new and unfamiliar risks. Some of this will require new skills and talent models. Some demand new frameworks and interaction with new stakeholders. Failing to keep pace with the evolving organization and environment, however, puts at risk Internal Audit’s role as a relevant, engaged, and strategic player within the organization. For that reason, our 13 high-impact areas of focus for 2018 identify activities and risks that present opportunities for Internal Audit to make a positive impact. Whether by adopting new methods, such as automating core assurance and taking an Agile approach to internal auditing, or auditing new threats, such as digital risk, a focus on these areas as they relate to your organization will heighten Internal Audit’s impact and influence. Moreover, these areas of focus will satisfy stakeholders who desperately need Internal Audit’s objectivity, skills, and advice as they tackle new challenges. 1 Evolution or irrelevance? Internal Audit at a crossroads, Deloitte’s Global Chief Audit Executive Survey, Deloitte, 2016
Internal Audit Insights 2018 |
High-impact areas of focus
Table of contents
Robotic process automation
Third-party risk
and cognitive intelligence
Auditing digital risk Culture risk
Cyber security Operational risk assurance
Data privacy Crisis management
Internal Audit analytics Auditing agile
Automated core assurance Agile internal auditing
Cloud migration
The year ahead
3Robotic process automation
and cognitive intelligence
Robotic process automation (RPA) is the use with these technologies. Doing so calls for
of software to perform rules-based tasks an understanding of the new risks and
in a virtual environment by mimicking user the need for well-designed and properly
actions to obtain the same or enhanced implemented controls. It is also necessary
results. RPA also often taps multiple to govern the use of these technologies
systems. In general, it makes repetitive in areas like integrity, data access, change
manual activities more efficient protocols, and security.
and effective.
Internal Audit plans should address
Cognitive intelligence (CI) – a step beyond the effects of RPA and CI on processes,
RPA – ncludes natural language processing management, and the organization. To
and generation, artificial intelligence, and provide sound assurance, Internal Audit
machine learning. CI can extract concepts should become involved early. Review
and relationships from data, “understand” documentation of testing procedures
their meaning, and learn from data patterns and any prior testing by sampling test
and prior experience. cases documented, results generated,
and issues logged. Ascertain that
Both RPA and CI are seeing adoption in
a framework and process exist to
the business and second-line functions,
monitor “bots” in testing and production
particularly in financial services and other
environments and to triage issues.
data-intensive industries. In addition to
Specifics include issue identification and
many benefits, RPA and CI pose operational,
resolution, bot change management, third-
financial, regulatory, organizational, and
party risk management, and supervision
technology risk. Fortunately, the associated
and compliance. Opportunities also include
risks can generally be addressed by
advising on risk mitigation, leading practices,
extending existing approaches.
and automation strategies.
Consider: As functions adopt RPA, CI, and
Finally, Internal Audit should consider using
similar technologies, Internal Audit should
RPA to automate repetitive controls testing
support them in identifying, assessing,
and internal reporting tasks.
and monitoring the risks that come along
4
Back to contentsInternal Audit Insights 2018 |
High-impact areas of focus
Auditing digital risk
Many companies have established digital methods, whereas digital innovators employ processes, and products. Review the digital delivery teams. Promulgate fit-for-purpose
transformation strategies; created siloed more agile and automated techniques. strategy and road map and decide where to digital risk frameworks, methods, and
teams to develop apps, websites, and Apps and websites used in customer focus, given the risk themes. Digital poses oversight in the first and second lines. This
other digital channels; and embedded acquisition and interactions can raise a the usual cyber risks, plus new strategic, includes providing the appropriate level of
first- and second-line teams in these range of identity, privacy, and security reputational, and third-party risks – in a fast- assurance over frameworks for managing
efforts. Yet Internal Audit generally lags in risks. Meanwhile, many organizations lack paced environment. Internal Audit should external parties in digital initiatives.
understanding the technologies, methods, risk frameworks and risk management aim to understand the tools used to Integration of platforms blurs the boundary
and tools of digital initiatives. These include capabilities equal to the complexities and automate processes and controls, and then between organizations and third parties,
application-development methods, dev-ops challenges of those risks and those posed assess the integrity of the tools. Track digital so clarify the processes, data flows, and
teams (which combine development and by external partners who provide these new project pipelines and get involved in early regulatory implications. Internal Audit
operational professionals), and tools that technologies, channels, and services. stages and selected iterations. groups are increasingly using cosourcing,
automate controls. Many Internal Audit upskilling, and dedicated teams to develop
Consider: In audit planning, use key risk Focus on how related risk functions are
groups retain traditional mind-sets and the focus and resources needed in this area.
themes to assess risks of digital programs, involved, since they are closer to the
5
Back to contentsCyber security
In recent years, cyber security Organizations involved in several and drug trials, but overlook those
audits have often focused on recent high-profile cyber incidents related to a small nuclear reactor
regulatory compliance - areas were likely in compliance with used in radioisotopes (an actual
such as data privacy, IT security, applicable cyber regulations. situation). In Internal Audit planning,
and business continuity. These Indeed, while most cyber be proactive and cast a wide net.
audits have generally ascertained security activities focus on the
Look beyond rotational audit
compliance with regulations and IT department, corporate email,
plans to seek out new initiatives,
standards (such as ISO 27000). and the like, the highest risks now
Compliance will continue to emanate from business teams using products, markets, contracts, and
be high on most companies’ cloud-based systems, working with external parties. Then challenge
radar, especially for US-listed external developers, and using management on risk identification,
organizations with the Securities applications outside of IT proper. monitoring, and management in
and Exchange Commission making Much of this activity escapes the those areas.
cyber security a priority in its attention of the CIO, CISO, and
Management should instill a culture
National Exam Program, and with Internal Audit, and presents serious
its recent creation of a Cyber Unit risks. The challenge now is to of awareness of how decisions and
within its Enforcement Division. identify a broader range of cyber behaviors magnify or minimize
Also, new regulations are being risks before they occur. cyber risk. Encourage the use of
developed daily in parallel with war gaming to test the impact of
the new AICPA cybersecurity Consider: Internal auditors cyber incidents on operations,
risk management examination. accustomed to providing infrastructure, data, finances,
Companies should continue compliance-related assurance need reputation, and recovery and to
to focus on assurance while new mind-sets and methods. Start gauge responses and resilience –
understanding that compliance by thinking broadly. For example, both of which should be
with existing regulations hardly in a pharmaceutical company, regularly assessed.
guarantees high, or even Internal Audit may audit cyber
adequate, cyber risk management. risks related to privacy regulations
6
Back to contentsInternal Audit Insights 2018 |
High-impact areas of focus
Data privacy
The EU General Data Protection by enhanced data mapping and transferred and stored, and for what
Regulation (GDPR), effective management. Internal Audit can purposes. Help stakeholders to
May 25, 2018, affects all EU help the organization to manage identify data repositories, data flows,
organizations that collect or process the increased risk posed by the and who uses and who can alter
data on individuals, and non-EU new regulations and to realize data. This data mapping positions
organizations with EU operations. the potential of an enhanced the organization to respond to
The GDPR greatly expands understanding of data that this work information inquires and manage
individuals’ ability to determine can create. individual consent.
which personal data is collected
Consider: Organizations must In Internal Audit planning, take a
on them and how it is treated.
establish clear accountabilities risk-based approach to addressing
For example, individuals will have
around data. Apart from appointing requests and requirements and
to opt in to allow certain uses of
a DPO, this means clarifying who emphasize key systems, as defined
their data. The GDPR establishes
is responsible for addressing by data volume, importance, and
strong penalties for noncompliance,
specific requirements, such as data sensitivity. Ensure that a Data
and calls for appointment of a
requests, breach response, and Privacy Impact Assessment (DPIA)
data protection officer (DPO) and
data retention. Accountabilities is conducted for any new initiative
detailed documentation of roles,
and related processes must be involving individual data and pay
responsibilities, and processes
documented in a framework close attention to hand-offs of data
related to the collection, use, and
that explains the execution of to any third parties.
retention of data on individuals,
information requests, retention of
including employees and
data, and other procedures. Given
independent contractors.
the mandate to retain data only as
While most affected organizations long as it is needed, focus on the
have been working to fulfill these data life cycle and on retention and
requirements, many are lagging deletion policies.
in certain areas. Moreover, GDPR
The organization must also
presents real opportunities for the
document what data is collected
organization given the marketing
by which systems, where data is
and analytical possibilities provided
7
Back to contentsInternal Audit analytics
Analytics is a perennial high-impact Consider: Analytics should be seen Also, consider using RPA and CI (as noted
area for several reasons. First, beyond- as integral to all of Internal Audit’s above) to automate repetitive tasks and
the-basics analytics is the single most planning, execution, and reporting, accelerate reporting. Set your sights on
powerful booster of Internal Audit and should be reflected in methods and “Digital IA,”2 an integrated set of analytical
efficiency and effectiveness available. skills accordingly. capabilities geared to using and auditing
Second, the continuing digitalization advanced technologies.
Rather than setting uninformed and
of business generates huge quantities
fixed audit objectives, use data in the
of data, which analytics can transform
audit scoping stage to highlight unusual
into valuable information and business
patterns, unexpected relationships, and
insights. Third, the tools for analyzing and
changes in business conditions.
visualizing data are now simpler, cheaper,
more available, and easier to use than To prove the value of analytics, initiate
ever. Finally, stakeholders’ needs for pilot projects in areas where data
higher-level assurance, insights, and risk is readily available, success is fairly
anticipation have never been greater. certain, and results will drive value
(such as reducing fraud, waste,
Yet Internal Audit’s adoption of analytics
or other policy breaches).
has been relatively uneven and slow.
Internal Audit is, admittedly, a function Start with a hypothesis and gather
that can find changing the status quo relevant data; for example, we expect
and adapting to a new way of life difficult. a certain behavior or outcome here; is
An often-undiagnosed barrier to progress that supported by the data? Then iterate
can be methodology: traditional audit through the data to drive sampling and
approaches can choke innovation, generate relevant insights (rather than
restrict data gathering, and treat lists of exceptions), and communicate
analytics as a bolt-on capability rather using data visualization tools.
than an imperative.
2
The untapped power of “Digital IA,” Deloitte, 2017
8
Back to contentsInternal Audit Insights 2018 |
High-impact areas of focus
Automated core assurance
Leaders realize that risks associated with business as usual Technologies to facilitate automated assurance and real- Conversations with stakeholders can identify key risks and
need to be managed even as they pursue new initiatives, time reporting include off-the-shelf tools, which hold some controls to monitor. Not everything should be automated,
and they are coming to expect ongoing assurance on these benefits, and custom solutions that can deliver automated which raises scoping issues – whether to emphasize, for
core activities. Internal Audit groups should be moving to assurance over most critical processes and controls. example, financial or operational risks and controls.
provide this continuous comfort – ongoing assurance – on
Consider: Automated assurance should gear comfort levels Become familiar with the possibilities of automation tools,
those core processes, controls, and activities to
to the drivers of value and risks to those drivers. Begin by and locate early and easy wins, typically found around key
management and the board.
assessing core processes in the first line, their criticality, financial controls and reconciliations.
Automated assurance implies real-time reporting that flags and the risks, and then prioritize accordingly.
Overall, automation provides ample opportunities for
actionable items. Such reporting enables rapid remediation,
Technology tools in existing systems provide many easily-achieved cost savings and enhanced assurance
with the option of continued monitoring pending further
capabilities for automating core assurance, although simultaneously. Automating core assurance also enables
notification. At this point, using a sampling approach when
the first and second lines rarely fully employ them. So Internal Audit to allocate resources to higher value areas
entire populations could be monitored, and reporting
promulgate use of these capabilities and the embedding and activities.
irrelevant details, is becoming a hallmark of a backward-
of them into processes and systems. First- and second-line
looking Internal Audit function that cannot keep up with
functions are often unaware of these capabilities, which
developments or provide assurance efficiently.
vendors rarely emphasize.
9
Back to contentsCloud migration
Using cloud services can significantly alter Consider: Traditional audits of areas such Additional assurance can be gained by
an organization’s risk profile, depending on as network configuration, asset protection, evaluating providers’ locations, business
the data involved, cloud service and model access control, logging and monitoring, model, customer base, history, and financial
type, and strength of user and third-party and vulnerability assessment are still soundness. Ascertain that management
controls. The term cloud includes software relevant for the cloud, but can differ. understands which contractual
as a service (SaaS), platform as a service Cloud standards and guidelines from the responsibilities are the cloud service
(PaaS), and infrastructure as a service SANS Institute, NIST, ISO, and the Cloud provider’s, the organization’s, or shared.
(IaaS). SaaS and PaaS provide cloud-based Security Alliance are useful, but each has its
software and platforms, while IaaS provides own focus, so you must tailor an approach
infrastructure services. Cloud service that fits your organization’s strategy, risk
models include private, public, or hybrid profile, cloud use-case(s), and cloud service.
models (a mix of on-premise, private cloud, Assess the cloud environment holistically,
and public cloud services). and evaluate governance elements and
shared responsibilities.
The risks for these service types depend
mainly on access and data criticality. Given Often-misunderstood areas include
the varying levels of user control, security inherited controls, incident response
requirements will differ for each service responsibilities, and disaster recovery
and model type. The appropriate security capabilities. Consider obtaining cloud
controls will also depend on the data and certification and tapping external expertise.
processes involved.
While cloud services are often positioned
Regardless of service type, in a public cloud, as cost savings, ensuring optimum value
you are entrusting data to a third party, and calls for choosing services carefully,
you can audit controls design and execution monitoring and managing resources tightly,
only up to a point, after which you rely on and deactivating unnecessary components
that party’s assurance. Whatever assurance promptly – all items to review.
is obtained from the cloud provider or
through procurement, you have limited
visibility into the provider’s environment.
10
Back to contentsInternal Audit Insights 2018 |
High-impact areas of focus
Third-party risk
Organizational leaders have long must. Why? Because third parties have An overall EERM framework can be
expected assurance around processes become critical to most organizations utilized to surface key areas of risk
for vendor screening, selection, while presenting myriad risks. specifically embedded within the
contracting, evaluation, payments, and third-party ecosystem. Effective audit
Consider: When planning your internal
termination. They have also expected programs that assess the health of the
audits, start with an assessment of
audits geared to identifying potential ecosystem and its components will
third-party contracts on the basis
cost savings and recovery. help to reduce risk over the sourcing
of spend and risk. Large, complex
of goods and services most critical to
Developments in technology and contracts will generally present more
business strategy and operations.
automation have introduced more potential exposures and risks than
advanced analytics capabilities and real- contracts for goods purchased within
time assurance. Beyond this, however, the usual procurement process.
leaders want – and need – a more
For vendor spend assurance,
holistic picture of third-party risks and
promote adoption of automated
their management.
tools for analyzing spend and vendor
This calls for Internal Audit to performance, if they are not in place; if
understand the organization’s entire they are in place, provide assurance on
approach to third-party relationships. As their integrity and effectiveness. Some
noted in a 2016 Deloitte global survey3, of these tools can apply RPA to data on
the third-party risk universe includes deliveries, service levels, billings, and
the third-party ecosystem, third-party other metrics, making real-time third-
risk management and governance, and party assurance a reality – and, soon,
technology and methods for monitoring an expectation. These tools also free
and managing relationships. resources to work on other third-party,
or extended enterprise, risks.
While cost savings and recovery remain
key, excellence in extended enterprise
risk management (EERM) is also a
3
The threats are real: Third party governance and risk management, Deloitte global survey, 2016
11
Back to contentsInternal Audit Insights 2018 | High-impact areas of focus
Culture risk
An organization’s culture plays a major role in business Consider: Internal Audit should engage in broader Assess how culture differs across locations and ascertain
performance and marketplace reputation. Culture can also organizational-level culture risk management efforts – whether the risk management framework can identify and
create risk for the organization when there is misalignment providing assurance and advice on culture as appropriate address outlier behavior.
between an organization’s values and leaders’ actions that and validating risk management activities. To do this,
Work to ensure that the second line of defense has visibility
shape culture, employee conduct and behaviors that sustain consider aspects of culture throughout the life cycle of
into culture at the first line, and ensure management and
culture, or organizational systems that reinforce culture. an internal audit; for example, coordinate with culture
the Board understand that culture will always remain a work
stakeholders (e.g., human resources, risk, compliance,
The spotlight often shines on culture risk issues only after in progress.
customer experience, security, technology) to understand
an organizational crisis or incident, but a growing number of
potential areas of risk to optimize audit coverage, link
leaders are shifting to a proactive approach turning culture into
cultural and employee engagement assessments into
a value enabler and driver of organizational performance. Such
internal audit risk assessments, and incorporate culture
an approach requires gaining greater data-driven insight into
metrics and control aspects into audit programs, including
the organization’s culture, better understanding of employee
aspects of culture risk in audit reports.
engagement and employee behaviors, and looking for external
market signals to get ahead of risk issues and drive necessary Internal Audit can also perform assessments of the
management actions. organization’s culture risk management activities against
leading practices to provide recommendations to
As the third line of defense, internal audit plays a vital
management and perform additional procedures to assess
role in culture risk management – providing assurance
culture risk management programs’ effectiveness. A culture
and advising on culture as appropriate and validating
risk assessment can provide insight into intangible drivers
mitigation activities. Auditing culture is not a matter of
of risk, controls effectiveness, compliance failures, and
reviewing risk-related policies and procedures; it is a matter
potential misconduct; it can also direct audit fieldwork and
of developing an understanding of people’s approach to
analysis to where it most matters. Such an assessment can
managing risk as they do their jobs. In a strong culture, there
include a range of activities, such as confidential interviews,
is clear awareness and alignment of values, organizational
focus groups, and data analytics geared to discovering
processes, behavioral norms, internal and external
where controls are working well, causing frustration, or
statements, and reward systems to promote the right
failing to deliver intended results.
decisions, the right risk management behaviors, the right
conduct – and, thus, the right culture.
12
Back to contentsInternal Audit Insights 2018 |
High-impact areas of focus
Operational risk assurance
While functions such as cybersecurity and employee health capital, and sustainability. However, field-level audits – of When developing the Internal Audit plan, tie operational audit
and safety already provide assurance around operations, productivity, asset performance management, maintenance activities to organizational goals and strategies and to key
Internal Audit should conduct deeper assessments of activities, operations technology and systems, regulatory operational risks posed to them. Using an operational risk lens,
operational efficiency, effectiveness, and risk management. compliance and safety, and asset integrity –may present identify upcoming capital projects, significant maintenance,
more opportunity to add value. and similar initiatives. Look to the organization’s risk
Operational audits focus mainly on nonfinancial assets
assessment and the Enterprise Risk Management
and processes. They aim to determine how performance Consider: Excellence in company-level operational internal
system, but also conduct robust conversations with key
aligns with management’s expectations, identify areas to be audits should be table stakes. A clear focus on core operations
operating executives.
investigated, and propose enhancements. Meanwhile, many demands an understanding of field-level operations as well as
internal auditors are oriented more toward financial processes company-level operational risks. Start by ascertaining Apply analytics to process data to isolate trends, patterns,
and performance. that second-line activities are providing proper assurance anomalies, and root causes, and enhance reports through
and, if they are not, help them to do so or provide the needed visualization tools, added insights, and risk anticipation.
Even in capital-intensive industries like manufacturing and
additional assurance.
oil and gas, traditional audits may overlook basic operations. Consider whether external subject matter specialist
Internal Audit groups in such industries typically conduct resources may be needed, or whether knowledge can be
useful company-level audits around the supply chain, accessed internally through guest auditor or
cybersecurity, contract compliance, capital projects, human rotation programs.
Back to contentsCrisis management
Crisis management provides the structure, Consider: An organization needs a crisis
leadership, decision-making, and communications management program encompassing governance,
to support the organization in managing a crisis processes, and risks. Governance organizes program
situation. It encompasses business continuity, ownership and the roles and responsibilities of
disaster recovery, cyber incident response, and security, legal, IT, Internal Audit, and other functions.
financial market crisis response planning and Processes are needed to address crisis response,
execution. Most major organizations have basic decision-making, recovery, communications, and
business continuity plans and disaster recovery contingency plans. Risks must be identified to
plans in place, particularly for IT, supply chains, enable scenario planning and response capability
and facilities. development through training and simulations.
Aim to provide assurance and advice in each of
Usually Internal Audit will, on a rotational basis,
those areas, and to anticipate events and
review those plans, provide assurance on related
promulgate best practices.
compliance, and conduct post-event reviews.
However, the focus on continuity management has Consider whether leaders can answer the questions:
widened to include any event that could irreparably What are you prepared for? How prepared are you?
damage finances, operations, cyber capabilities, Ensure that simulations are regularly conducted
reputation, or other essential assets. and used to develop and test overall plans as well as
playbooks for specific events.
A crisis management plan provides a framework and
contingency plans for senior executives should the Go beyond regulatory guidance and checklists
need arise. Responsibility for crisis management and audit not just the existence of plans, but their
sits with senior leaders, which means that Internal likely effectiveness.
Audit is the logical – and perhaps only – source of
Also, consider industry-specific issues and evolving
assurance and advice.
regulations, such as the EU’s GDPR reporting
requirements for breaches. Internal Audit may need
to upskill or tap external sources to add value in this
area, but doing so can save the entire enterprise.
14
Back to contentsInternal Audit Insights 2018 |
High-impact areas of focus
Auditing agile
Organizations are increasingly adopting Internal Audit must be aware of Agile Proactive engagement by Internal Audit
Agile methods of managing projects and processes and projects in the organization, is key to establishing how Agile can be
processes. Companies and functions in and of their potential issues and impacts. managed while maintaining balanced and
technology and financial services lead the sustainable levels of control.
Consider: Internal auditors should
way, but others seeking increased speed,
understand Agile methods and clarify
efficiency, and innovation are also coming
responsibilities, schedules, resources,
on board. (These include Internal Audit
deliverables, and risks and controls – in
functions – see below.) Desired outcomes
discussion with Agile team leaders.
include faster results, greater focus on
A flatter structure may mean greater
user needs, more nimble decision-making,
variability in the way outcomes are
and reduced documentation.
achieved, while less documentation may
Agile empowers people to make decisions reduce visibility into risks. Controls may
and take calculated risks based on more be given short shrift as the pace of work
targeted objectives delivered in shorter picks up. Therefore, assurance functions,
time frames, but these attributes can including Internal Audit, should assess
stress some control environments. A risks and controls during all phases, from
fast pace can introduce more frequent ideation to pre-implementation.
impacts or errors, but that can be offset by
Traditional audit plans may be less useful
increased direct business ownership.
than early involvement and parallel visibility
An intense focus on user needs can into the work. Internal Audit may best
overlook other considerations, such as approach Agile by understanding what is to
security or regulatory concerns, which can be delivered – what the Agile project or
be mitigated by ensuring that standards process aims to achieve, delivery risks, and
are known and applied across Agile teams. proposed controls – and by understanding
Reduced documentation can make it how it is being delivered, including
hard to know what was done, by whom, management of risks and use of controls.
when, and why, which calls for changes to
governance and controls.
15
Back to contentsAgile internal auditing
Principles and practices of Agile development are being Learn about Agile from internal practitioners in software
applied to audits and projects by forward-thinking or systems development, or enlist external support.
Internal Audit groups. Agile methods foster rapid Understand that adopting Agile demands a change of
response to emerging issues, closer collaboration with mind-set as well as methods, and not every internal
stakeholders, faster delivery cycles, and streamlined auditor can adapt. However, those who do usually find
reporting4. Agile also changes the approach that internal that they relish the pace of work, engagement with
auditors take to their work. For example, instead of stakeholders, and enhanced effectiveness that result
auditing to a periodic schedule, internal audits are from Agile Internal Auditing.
conducted when needed, particularly when the need
is urgent. Rather than waiting until an internal audit is
complete, auditors deliver weekly or even daily updates
as findings or issues emerge. Rather than presenting
unnecessary details, reports deliver insights on what
matters most.
Agile has the power to revolutionize Internal Audit by
making audits and reviews more relevant, risk-based,
and real time.
Consider: First, be clear about what Agile is and what it
is not. While it is a flexible methodology, simply calling a
process Agile (or using terms such as Sprint, Scrum, and
Backlog) does not make it so. Agile Internal Audit adapts
Agile to Internal Audit needs. It is up to you to decide
whether and where Agile might work in your function.
Good candidates are areas with a need for more
responsive and relevant reporting, high-stakes projects
like IT installations or merger integrations, and where
Internal Audit groups need to do more with less.
4
Becoming agile: A guide to elevating internal audit’s performance and value, Deloitte, 2017 < https://www2.deloitte.com/content/
dam/Deloitte/us/Documents/finance/us-advisory-agile-internal-audit-part1-introduction-to-elevating-performance.pdf >
16
Back to contentsInternal Audit Insights 2018 |
High-impact areas of focus
The year ahead
Clearly, the year ahead calls for a strong Forward-thinking Internal Audit functions
focus on all things digital. Of our 13 seek not only to provide assurance and
hot topics, more than half are aligned advice, and to apply digital technologies
directly or closely with information to their own work, but also to anticipate
technology and capabilities. Most issues and risks associated with
Internal Audit groups should prioritize those technologies. They anticipate
assurance and advisory work around stakeholders’ potential moves to new
uses of these technologies in the technologies, strategies, and business
organization and ways of using them models so they can ready themselves
to enhance their own work. Just as and the organization for those moves.
customers are tending to outpace In this way, they assist stakeholders in
organizations in their uses of digital some of the most challenging areas they
technologies, many stakeholders now face – new areas where risks are
outpace Internal Audit in similar ways. emerging and where new value can be
created – thus increasing their impact
and influence in visible and
valuable ways.
17
Back to contentsGlobal Internal Audit Leadership Terry Hatherell Kristopher Wentzel Porus Doctor Peter Astley Global Internal Audit Leader Internal Audit Leader, Americas Internal Audit Leader, APAC Internal Audit Leader, EMEA thatherell@deloitte.ca kwentzel@deloitte.ca podoctor@deloitte.com pastley@deloitte.co.uk +1 416 643 8434 +1 416 643 8796 +91 22 6185 5030 +44 20 7303 5264 Sandy Pundmann Sarah Adams Neil White Heinz Wustmann US Internal Audit Leader IT Internal Audit Global Leader Internal Audit Analytics Global Leader Internal Audit Leader, Germany spundmann@deloitte.com saradams@deloitte.com nwhite@deloitte.com hwustmann@deloitte.de +1 312 486 3790 +1 713 982 3416 +1 646 436 5822 +49 89 29036 8814 This presentation contains general information only, and none of Deloitte GmbH Wirtschaftsprüfungsgesellschaft or Deloitte Touche Tohmatsu Limited (“DTTL”), any of DTTL’s member firms, or any of the foregoing’s affiliates (collectively, the “Deloitte Network”) are, by means of this presentation, rendering professional advice or services. In particular this presentation cannot be used as a substitute for such professional advice. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this presentation. This presentation is to be treated confidential. Any disclosure to third parties – in whole or in part – is subject to our prior written consent. Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/de/UeberUns for a more detailed description of DTTL and its member firms. Deloitte provides audit, risk advisory, tax, financial advisory and consulting services to public and private clients spanning multiple industries; legal advisory services in Germany are provided by Deloitte Legal. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte’s approximately 263,900 professionals are committed to making an impact that matters.
You can also read
