What do cybersecurity, data privacy, cloud computing, digital business models and M&A have in common? They all present critical risks to the success of an organization — risks that audit must verify and assess so the organization can manage and mitigate the potential effects. These risks are growing in number and magnitude, and some of the most threatening evolve constantly, which makes them the hardest to track.
“This environment has changed the way internal audit teams must provide assurance and has created a ‘change gap,’” says Malcolm Murray, research leader at Gartner. “This is the gap between audit’s current ability to adapt and provide assurance and its required change capability in light of new risks and those that suddenly get more important.”
This gap is currently over 10%. In other words, more than 10% of necessary assurance activity over critical risks isn’t taking place, according to a Gartner survey of about 90 heads of audit. If audit stays at its current level of adaptability, our model forecasts that this gap will become untenable in 2020, reaching more than 90%.
To reduce the potential for unchecked risk exposure, internal audit must adapt to a real-time environment. This requires audit teams to:
- Gather and analyze information in real time, using a broader set of inputs
- Adapt the audit plan as soon as it is needed
- Enable auditors to execute audit engagements based on this faster flow of information
3 ways to keep up with risk
To guard against unchecked risks, audit teams must move to a new era of real-time assurance, which relies heavily on data gathering and collaboration with other business units — and empowers auditors to work closely with management. To implement this shift, they should:
- Use a broader set of inputs to gather and analyze information. Internal audit must update its risk assessment process. It is crucial to involve everybody from the audit department, not just senior leadership. Given the information overload in most organizations today, every auditor must be empowered to analyze and report new risks so there’s a process of continuous risk assessment.
- Adapt the audit plan in real time. The next step is to make real-time changes to the audit plan in response to new risk information. To do this, audit teams must be open to a more flexible audit plan and alternative options for executing assurance activities. If the only options available to internal audit are a full-scope or a limited-scope engagement, the costs of changing the audit plan quickly become too high.
- Enable flexibility in audit engagements. The third step is for auditors to execute audit engagements based on real-time risk information. Internal audit must shift away from a linear execution of the audit scope to a more iterative process and ensure auditors are responsive to the latest views on risk.
What matters most is that all three steps work in concert and reinforce each other. Pioneers are closing the residual assurance gap, and guarding against a widening of the gap in the future.