Cybersecurity, climate change and sustainability, major shifts in technology, and strategic transactions such as M&A and divestitures globally represent risk to businesses.
Risk leaders continue to pave the way for disruptive change
EY recently carried out research on the priorities of internal audit and risk management leaders around the world. The study found that the most prominent risks were cybersecurity, climate change and sustainability, major shifts in technology, and strategic transactions such as M&A and divestitures globally.
Top opportunities to improve risk functions included leveraging emerging technology, collaborating with the business as a strategic advisor and focusing on improving and diversifying skills and talent.
The study identified priority areas for Internal Audit (IA) and Risk Management, and we look at these through a South African lens.
Embracing technology to unlock strategic value
Although technology such as data analysis and automation offers the greatest potential to enhance the whole IA lifecycle, its use globally is only 30%. The same applies to our local business landscape.
Reasons include the maturity of control automation (controls are still mainly manual), the quality of data and/or skills within IA.
Yet analytics not only improves coverage and drives efficiencies, it also provides valuable business insights, especially when analytics-based testing shifts from sample-based to data analysis.
IA should be aligned with the organisation’s digital strategy, but when the organisation is not evolving digitally, IA could become the catalyst for such evolution. The organisation can build on the data analytics performed by IA by introducing continuous control monitoring, which will shift the responsibility and accountability for monitoring controls to the first and second lines of defence.
As companies continue to embrace technology, they can expand upon traditional requirements and integrate a more holistic discipline of risk optimisation.
Shifting regulatory landscape provides strategic opportunities for risk executives
The regulatory environment is subject to continuous change, such as when the JSE introduced 3.84k of the listing requirements, which requires sign-off by the CEO and CFO on internal financial controls. This dynamic regulatory landscape is putting compliance pressure on organisations. This in turn puts IA and risk management front and centre as strategic advisors.
IA can provide value by evaluating their organisation’s existing position relative to the pending regulatory requirements. This will further entrench and broaden their role within the organisation.
Dynamic risk assessment will minimise audit and compliance fatigue
Four out of five boards believe improved risk management will be critical for their business to protect and build value in the next five years. But they need to find the balance between risk and opportunities inherent in disruptive technologies.
Over half of organisations surveyed have more than 21 auditable components, while nearly 30% have between 11 and 20. This demonstrates the significant audit and compliance burden on these organisations.
IA plays an important role in, and often leads, combined assurance. Although local organisations mostly understand the concept and its benefits, the practical application remains a challenge. The introduction of 3.84k by the JSE has strengthened the need for effective combined assurance.
These factors require future risk functions to be data-driven, to use emerging technologies, to have more dynamic processes, and to draw on a flexible people model that could include external expertise, co-sourced relationships, and internal rotations as needed.
Reimagining talent and IA models
Like the rest of the world, South Africa experienced the Great Resignation over the past two years. This phenomenon had a significant impact on more qualified and experienced talent. Retaining this top talent and these skills remains a challenge. Failing to do so is a risk that could hamper critical functions and increase costs.
At the same time, new technologies require new skills and new ways of working. Among these is the need for internal auditors with business acumen. One solution is a guest auditing programme, but this is not yet fully embraced in South Africa.
Talent models must become more flexible and draw on a diverse and mobile workforce with a broad range of skills.
Organisations need to determine whether they have the digital talent to leverage their technology investments in-house or if they need to outsource in the interim. It is critical that internal audit functions have the capacity to leverage data and analytics across the risk spectrum.