Editor’s note: This is the first in a weeklong ISACA Now series looking ahead to top priorities for practitioners in digital trust fields. Look for upcoming posts exploring top 2022 priorities in security, risk, privacy, governance and emerging tech.
These past two years have been a stretch for everyone. Most are still learning how to work differently and re-evaluating their strategies to get the best out of the worst season. I remember when we went into lockdowns, our team had a meeting with our CEO, who asked, “Now that we are in lockdown, what are you going to do? Can you still carry out your audits or not, or have you ceased working?”
I believe the question was not just for the audit team but was also relevant to different divisions – or at least I hope we were not the only ones whose value seemed to have eroded during the pandemic. Months later, I read an article by the Institute of Internal Auditors of Australia titled, “Factsheet: Internal Audit and Pandemics.” It provided a guideline on auditing the process of managing pandemics by organizations. The article provided great recommendations; however, the following statements caught my attention as they took me back to the conversation we had had with our CEO:
- Statement 1: “The organisation would be best served by internal audit stepping back temporarily and giving business units breathing space to get on dealing with the crisis.”
- Statement 2: “Non-core business activities such as internal audit can provide people to fill gaps or perform specific roles to aid remediation and the recovery effort.”
- Statement 3: “Help the business with whatever needs to be done, even if that means stepping into roles and tasks that take away internal audit independence.”
The paper provided guidelines on assurance-specific roles that audit can play and did not just focus on the “gap-filling possibilities” where auditors can assist the organisation.
The past two years have been a re-learning journey for all, and it seems that the pandemic might overstay its welcome. Finding workable solutions is what we all need. Here are three top priorities I believe auditors should look out for in 2022 and beyond:
Priority #1: Audit Strategies
Like any business unit or service, auditors need to develop strategies to ensure that their work remains relevant and useful. The past two years have been about ensuring that resilience is built within the operating model of our organizations. Going forward, part of the focus will be about ensuring visible impact in the delivery of our audit services.
Agile auditing processes promise such an approach. The processes take on a more dynamic approach to audit work that focuses on deep diving into matters and bringing resolutions in shorter, collaborative methods.
One of the strategies at the start of the pandemic, while were in lockdowns and things were not clear, was a greater focus on consulting assignments, which by nature leverage the auditors’ knowledge to assist management in resolving specific, thorny issues. The Agile approach brings the same dynamic into assurance audits. I believe that from 2022 and beyond, auditors will be working on building strategies that clearly highlight the impact of their work and bring value to organizations. What is critical, though, is ensuring that whatever approach the audit team takes, the audit strategy is clearly defined and marketed to the organization.
Priority #2: Risk Assessment Methodologies
Risk management frameworks are essential in ensuring that the risk assessment process is undertaken easily and produces quality outputs. ISO 31000:2018 outlines that as part of the risk process, the scope, context and criteria should be clearly defined.
Prior to the pandemic, organizational risk assessments toward health-related risks were simple and very theoretical. If we could all share our risk registers on the likelihood and impact of a pandemic, as measured in 2019 against our current assessments, the likelihood and impact ratings would be very different.
However, the knowledge on pandemics and managing pandemics was available and well known by our public health specialists and medical practitioners. The pandemic was not a total blind spot, it is only that most organizations did not prepare for a health crisis as they would have prepared for a different, more tangible type of crisis.
Defining risk criteria and risk models going forward will require a more focused and collaborative approach. In the past year, organizations have engaged public health care specialists, psychologists and physicians to clearly understand health risks. The pandemic exposed several areas in which organizations need better collaboration, such as understanding supply chains, diplomatic relations and, in general, the impact of systematic failures of different industries, as well as gaining access to different experts in a wide range of industries.
Auditors in 2022 and beyond should assess how robust and practical the risk criteria and models used to identify and assess risks within their organization are. They should explore how organizations can apply collaborative approaches in building risk scenarios to assess risks holistically. The scope and context of the risk assessment process should not be limited to judgemental approaches that were applied in the past.
Priority #3: Digital Strategies for Performing Audits
Going forward, auditors will not just require skills to be able to audit emerging technologies – rather, auditors need to start integrating the use of emerging technologies in performing their audits.
In my desktop benchmarks, I marvel at how the Asian Development Bank has adopted the use of drones and BOTS in their audit process, revealing how emerging technology will change the strategic position of audit and enhance efficiency. The Bank uses drones to review infrastructure projects and robotics in reviewing loan application processes.
Likewise, PwC has also adopted the use of drones in their stock counts. In 2022 and beyond, auditors will have to find ways to leverage emerging technologies to their advantage. Such preparations will involve budgeting for such developments and building strong business cases.
As an example, when we engaged our data analytic software provider who provides robotics solutions, we noted that the implementation value was over 200 percent of our analytics budget! Despite this substantial cost, the need to move to such technologies is essential and auditors need to be prepared to start lobbying for more financing when engaging with the Audit Committee and the Board.
Going beyond gap filling
One may argue that when audit does a great job and its role is visible in the organization, the questions that our team faced two years ago should not be intimidating or the work should promote itself. The support services offered by audit should not be seen as “gap-filling” but rather as strategic inputs ensuring that the organization remains resilient.
As we look toward 2022, auditors can exercise leverage and bring about appropriate impact for the organization by employing effective audit strategies, branding the audit work, advising on the adoption of collaborative risk assessment methodologies and implementing emerging technologies in the audit process.
