Bridging the risk exposure gap with strategies for internal auditors

In this Help Net Security interview, Richard Chambers, Senior Internal Audit Advisor at AuditBoard, discusses the transformational role of the internal audit function and risk management in helping organizations bridge the gap in risk exposure.

He talks about how a well-documented strategic plan for an organization’s internal audit function isn’t meant to provide all the answers, but it can help identify and address questions. Such a plan supports internal audit in recognizing the levers needed to respond effectively.

Chambers also highlights transformational opportunities for internal audit leaders, including prioritizing strategic planning, using AI technology and governance, fostering cross-functional collaboration, improving high-impact communications, and enhancing capabilities to identify emerging risks.

With risks evolving faster than the risk management capacity, what strategies do you recommend to bridge this growing ‘risk exposure gap’?

The widening risk exposure gap demands that every organization adapt, looking critically at strategy and paving a deliberate path toward the transformations needed to stay viable and relevant. To help our organizations close the gap, risk and audit professionals must also be transformational.

First, understand that true transformation starts with mindset. Whatever your past habits, move forward by embracing ambiguity and complexity, forging a culture of experimentation, innovation, and learning, and reimagining your approach. Second, enhance your capabilities to identify emerging risks. Today’s risks tend to have uncertain time horizons and be chaotic, complex, volatile, ambiguous, and difficult to manage. Improved collaboration among professionals across the three lines, paired with IRM technologies, continuous communication with management and the board, and systematic processes (e.g., PESTLE) for gathering and documenting insights, can be critical to enhancing your understanding of emerging risks. Most importantly, focus on thinking and managing more strategically. Strategic plans are a key mechanism risk and audit executives can use to proactively manage and transform their functions.

With only a fifth of internal audit functions having a comprehensive strategic plan, what are the consequences of this lack of strategic planning, and what steps should be taken to address this?

Without a strategic view of the future — including a clear-eyed assessment of strengths, weaknesses, opportunities, threats, priorities, and areas of leakage — internal audit is unlikely to recognize actions needed to enable success. There is no bigger threat to organizational success than a misalignment between exponentially increasing risks and a failure to respond due to a lack of vision, resources, or initiative.

Create and maintain a good, well-documented strategic plan for your internal audit function. This can help you organize your thinking, force discipline in definitions, facilitate implementation, and continue asking the right questions. Nobody knows for certain what lies ahead, and a well-developed strategic plan is a key tool for preparing for chaos and ambiguity. A strategic plan isn’t there to provide all the answers, but it can help identify and address the questions and support internal audit in its ability to recognize the levers needed to respond effectively.

The report highlights a delay in critical technology investments, including AI and automation. What is the role of these technologies in transforming internal audit processes, and why is there hesitancy in adopting them?

Internal audit has important opportunities in two primary directions: Using AI within internal audit, and providing guidance and assurance to the organizations we serve. Within internal audit, AI tools are a capacity multiplier offering access to an enormous body of knowledge — a great supplement (e.g., to augment planning, risk assessments, and reporting) to internal auditors’ skills and expertise. Plus, top talent will absolutely expect your organization to be leveraging next-generation AI technologies, as this is a key way they can supplement and develop their skills.

Some internal auditors are interested in and engaged with generative AI, but most are not ready to take decisive action. Beyond a dangerous sense of complacency — and budget, time, and knowledge constraints — there seems to be a common perception that AI is not yet “safe.” Given the developing nature of generative AI, it’s only natural for internal audit to approach with caution. But neither internal auditors nor organizations can afford to put off investing in using, governing, and gaining assurance on AI. Internal audit must step up to explore and validate AI’s capabilities and safeguards, educating ourselves, our executives, and our boards in the process.

Given the dynamic regulatory landscape, especially in cybersecurity and data privacy areas, how should internal audit teams stay ahead and ensure compliance?

Cyber and data security risk has only grown in importance over the past year. As threats and attacks continue to proliferate, 2023 has been a transformative year for related regulatory and legislative activity.

Companies may have less time than they think to prepare for compliance, and internal auditors should be supporting their organizations in getting the right enabling processes and technologies in place as soon as possible. This will require a continuing focus on breaking down silos and improving how internal audit collaborates with its risk and compliance colleagues. Identifying the emerging compliance risks on the horizon requires that all the people holding the binoculars share information about what they’re seeing.

Lastly, every internal audit function can benefit from creating more dynamic and genuinely impactful reporting, ensuring that all stakeholders have the information needed to support timely analysis, decision-making, and action. Take a fresh look at how you are communicating about regulatory and compliance risk, and make a plan to enable more timely, relevant, risk-informed, concise, and insightful communications.

With the ongoing challenge of attracting and retaining talent, what innovative approaches do you suggest for internal audit functions to build a resilient and capable team?

Internal audit must evolve to stay relevant. That means fueling genuine innovation and continuing to transform our skills and teams. Recent surveys have found that less than half of internal audit leaders are very confident that internal audit has the talent and skills the function will need in the next several years. Further, more innovative internal audit functions are more likely to attract and retain top talent.

Don’t stop optimizing the basics, but press forward in exploring, experimenting, and implementing improvements leveraging new thinking and new technologies. In addition, make sure internal audit’s strategic plan includes a comprehensive talent management strategy to help you adapt to the unknowns ahead. Not only should this include creative sourcing and recruiting, but also development and mentoring, upskilling, retention, and succession planning. Identify skills gaps (current vs. future state) and how internal audit capabilities and strategy can be better aligned with the organization’s overall strategy, vision, and evolving risk profile.

How do you see the role of internal audit evolving in the face of these diverse and complex risks, and what skills will be most valuable for auditors in 2024?

In this environment of heightened risks, the role internal audit plays is more important than ever. With its unique ability to offer valuable insight and foresight, internal audit is well-positioned to help organizations meet these unprecedented challenges head-on. Key transformational opportunities for internal audit leaders include prioritizing strategic planning, AI technology use and governance, cross-functional collaboration, high-impact communications, and enhancing capabilities to identify emerging risks.