The state of the internal audit profession and lessons for practitioners (III)

BY: Michael Asiedu-Antwi
Audit Committe memebers

In the past three weeks, we have shared insights on the PwC report “State of the Internal Audit Profession Study: Finding True North in a period of rapid transformation”.

In the first article, we discussed the key findings from the report and the lessons that internal audit practitioners in Ghana can draw therefrom.

Subsequently, we highlighted the findings from the report in relation to companies and internal audit functions in the financial services sector. This article seeks to throw light on the results of the survey in relation to companies and internal audit functions in the technology sector.   

The PwC report notes that the technology sector sits at the epicentre of business change. Innovations in technology are compelling business transformation in virtually every industry. In another PwC survey “Annual Global CEO Survey” (18th Edition), 58 per cent of CEOs across industries cited the rapid pace of technological change as a major challenge for their

 

Technology, a tool for audit operations

The 2015 PwC State of the Internal Audit Profession study confirms that at their core, technology companies view challenges and opportunities differently as compared to other industries. Whereas other industries focus on issues around regulatory complexity, 73 per cent of technology respondents see talent as the greatest area of concern.

In a previous article, we discussed the fact that it is easy for internal audit to fall behind when the business environment around them is changing rapidly. To evolve quickly as the business moves into new and uncharted territory, internal audit functions must have a vision of where they are headed (true north).

I have previously highlighted the fact that even though each internal audit function’s path to true north is different from that of others, the PwC study identifies four actions that are critical to pointing internal audit in the right direction. These are; focusing on the right risks at the optimal point in the process, developing talent and business acumen to be relevant and offer valuable insight, strengthening alignment with enterprise risk management (ERM) and other lines of defence, and harnessing the power of data throughout the audit life cycle to provide better insights into the business.

Technology company respondents considered the same four factors as critical enablers so that internal audit can be a more valued contributor. However, technology companies rated talent and business acumen as the collective top enabler instead of risk focus. In relation to talent and business acumen, our survey revealed that internal audit functions that add significant value have more-diversified skill sets than their peers—specifically, in business continuity, data privacy, and specialised IT (cybersecurity, cloud, mobile etc.).

Like the rest of the world, there has been advancement in technology in Ghana. This is particularly so for companies whose core businesses depend greatly on information technology, such as telecommunication companies. Coupled with this is the increase in the number of companies that actually provide technology products and services, e.g. as the use of biometric technology to register service beneficiaries, online payment systems and implementation of ERPs by organisations.

Risks to businesses

Associated with these technological advances are significant shifts in business risks, including the introduction of completely new risks. As the main internal assurance provider for most organisations, internal audit, in collaboration with other lines of defence, must aim to regularly assess, or reassess the overall knowledge, skill and competence of their teams to respond to these new risks and thus, continue to remain relevant to the business.

The results from the PwC survey very much align with the requirements of Implementation Standard 1210.A3 which states that “internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. Similarly, Implementation Standard 2110.A2 states “the internal audit activity must assess whether the information technology governance of the organisation supports the organisation’s strategies and objectives”.

While these standards apply generally to all internal auditors, those in the technology sector are of a necessity expected to exceed this minimum requirement if they are to deliver true value. To achieve this, Chief Internal Auditors (CAEs) must critically assess the adequacy of the skill sets of internal audit. This assessment must be properly structured, and based on risks, business needs and key stakeholder expectations. The development and execution of the internal audit plan must equally involve skilled resources. Internal audit skills acquisition must, therefore, be based on the desire to remain relevant to your organisation.

In considering long-term resources needs, CAEs ought to remember that internal auditing has become more dynamic than ever, a changing field that is no longer defined by who does the work. In the past decade, leading organisations have come to rely on co-sourcing relationship to provide flexibility and skill sets that can be impractical to retain in-house.