Last week’s ransomware attack is sure to be a hot topic in C-suites and boardrooms over the next several weeks as CEOs and board members ask, “Could this happen to us?”
They are also likely to be asking what the internal audit department is doing to ensure that cybersecurity risks are being addressed and controls are functioning properly. Many internal audit shops will have a good answer. Indeed, 55 percent of the internal auditors we surveyed for the 2017 Internal Audit Planning and Staffing Priorities Report say that cybersecurity is on the audit plan for 2017, up slightly from the 53 percent who said it was in audit plans for 2016.
Not only does cybersecurity rank as the most frequent topic in audit plans this year, it is also the top worry of internal auditors. More than 60 percent of those we surveyed put cybersecurity among their top three concerns, and half of those ranked it number one. Other areas of concern include regulatory compliance and legal (45 percent ranked it in the top three), fraud (30 percent), and the organization's risk management capability (23 percent).
“Cybersecurity is really a headliner risk for any organization, regardless of the size, shape, or industry,” says Ed Williams, senior manager of risk advisory services at Experis Finance, which co-published the survey. “Internal audit needs to play a role in helping organizations get better at managing cybersecurity risks and responding to cybersecurity threats and breaches. And having good IT resources within our ranks is really going to help us do that,” he says.
So, what about the internal auditors who say cybersecurity isn’t in the plan this year? Notably, no category is being universally audited. The data suggests, for example, that 45 percent are not looking at cybersecurity and 65 percent are not looking at compliance and ethics. This implies that chief audit executives rotate categories from year to year, and likely rotate focus areas within them. “We rotate geographic locations, but also coverage of different risk areas,” says Yulia Gurman, director of internal audit at Packaging Corp of America (PCA), a $5.8 billion box and paper producer based in Lake Forest, Ill. “This year we are focusing on cybersecurity risks and contracted services; the next year we may take a deeper dive into procurement process and vendor management.”
Other IT topics also rank high among the areas that respondents say they are auditing this year, indicating that IT as a whole is an important focus of internal audit departments. IT governance, for example, ranked second, appearing on 45 percent of audit plans. Data management and privacy ranked fifth, on 40 percent of audit plans, about the same share as those who say they are auditing controls over financial reporting this year. Identity and access management was in 29 percent of plans, and cloud service providers are being audited by 14 percent of respondents, up 4 percent from last year.
Traditional Audit Areas Still Reign
Apart from IT, traditional audit areas still dominate audit plans. Accounts payable is the third most audited area, on 41 percent of audit plans, according to survey respondents. Controls over financial reporting ranked fourth at 40 percent, and travel and expense reporting and procurement are each on 31 percent of audit plans.
What’s concerning about this list, however, is that many auditors do not seem to focus on the common drivers of business success. “If you focus your audit on the objectives of the company, you should be able to get three or four obvious focus areas: revenue growth, product innovation, and human resources, in addition to decreasing expenses,” says Tom O’Reilly, vice president and general manager, internal audit and seminars at MISTI.
Such items are relatively rare when it comes to audit plans. Only 14 percent of auditors plan to audit sales this year, for example, and just 10 percent or fewer will audit R&D, new product rollout, talent and leadership development, or workforce planning and talent acquisition.
This suggests that either CAEs aren't able to persuade business leaders to let them move beyond the basics, or that business leaders don't have confidence in internal audit to assess such operational areas. To take their functions to the next level, internal audit leaders should consider re-evaluating their sacred cows and take a hard look at the balance between cost minimization and revenue generation in their audit plans. For example, "if you've audited AP for three years and gotten the same results—and there haven't been any significant changes—why do you have to audit it again this year?" asks O'Reilly. "Instead, why not look at AP every other year and focus on digital marketing or the innovation process instead?" As with most non-routine audit projects, internal audit leaders may also want to bring in outside experts to help.
Interestingly, some of these traditional audit areas experienced the largest declines in frequency from 2016 to 2017. The number of respondents who say they are auditing accounts payable, for example, declined 14 percent between last year and this year. Planned audits of controls over financial reporting declined 10 percent, expense reporting is in 7 percent fewer audit plans, and procurement is down 12 percent. This may reflect, say some observers, a slight move toward more audits of non-traditional, yet strategically important areas, such as culture, digital marketing, and other areas that internal audit is starting to explore. “We have to ask ourselves, is our audit plan aligned with all the different risk perspectives that our stakeholders are facing today,” says Williams.
Amjad Ally, chief audit executive of Summa Health System, is one of the 14 percent of respondents who plan to audit culture this year. "Culture is not as defined as looking at something like accounts payable, but it's definitely something that is top of mind in our organization," he says. That's because, after several years of campaigning for a culture of compliance, Summa management wants to make sure it's truly instilled at the 11,000-employee non-profit hospital system. To that end, Ally was recently asked to audit the organization's conflict-of-interest policy as well.
Not long ago, cybersecurity and IT governance may have seemed like non-traditional audit areas that internal audit lacked the expertise to assess; now they are the most frequent items on internal audit plans. The change highlights the fact that internal audit needs to look where the risks are, and right now, as the recent ransomware attack demonstrates, cybersecurity is front and center. It might not be long before culture audits or audits of the talent development process also become routine.
Is internal audit focusing its resources on areas that have the greatest impact on the organization's success? Our "2017 Internal Audit Planning and Staffing Priorities Report" answers this question and more.