@ISACA Volume 1  9 January 2019

Strengthening Internal Audit’s Influence and Impact

By Lisa Young, CISA, CISM

Boards, audit committees, senior executives, risk managers and the business need internal audit’s best efforts in today’s environment of ongoing disruption and increasing risk. These stakeholders also need internal audit’s objective, enterprisewide perspective and its rigorous observational and analytical skills in more areas than ever. If the characteristics “innovative,” “efficient” or “creates business value” are not among the top thoughts that pop into your mind when you hear the words “audit” or “internal auditor,” here are some tips that may help to change that perspective.

The key to increasing internal audit’s impact, influence and value is not to do more, but to do more of the right things and to do them well. The right things relate to the risk and challenges that are most important to internal audit’s stakeholders. Here are some considerations to increase your audit team’s ability to provide value, motivate change and inspire efficiency:

  • Define your audit services in a compelling manner—How are you currently describing or defining your audit services and your internal audit team? If you are using something similar to this narrative: “We are an independent, objective assurance and consulting activity designed to add value and improve an organization's operations,” or “We provide overall assurance on the effectiveness of internal controls and risk management,” you may want instead to try something such as:
    • We improve operations and look for more effective ways of working.
    • We help protect assets and corporate brands.
    • We give advice to chief executive officers (CEOs), chief operations officers (COOs), chief information security officers (CISOs), chief information officers (CIOs) and other senior leaders to enable better decision-making.
    • We thwart nefarious fraudsters.
    • We act as change agents for the organization. Yes, change agents. We really do have interesting jobs and there is not much in an enterprise that we do not review, evaluate, investigate or otherwise touch at one point or another.
  • Align internal audit priorities with organizational strategic priorities—How are you supporting the organization to move forward and innovate? Think about what types of advisory services in cyber, risk and new technologies you can provide to support the enterprise strategy. Your impact is tied directly to your ability to influence. Effective influence begins by building a base of credibility. New technologies such as blockchain, machine learning and artificial intelligence (AI) are starting to support or replace certain decisions rather than just replace human effort the way earlier automation has. That factor introduces a new realm of opportunity—but also risk—and the need for thinking differently about controls. To adapt, internal audit departments must shift their underlying methodologies to more ongoing, continuous or real-time modes of audit that require a deeper understanding of the business and operations. If your organization is an “order to cash” type of environment, it would be good to understand the critical end-to-end processes of each step of the delivery of a service or product.
  • Assess the scope and breadth of the current risk assessment or risk and control self-assessment (RCSA) process—A first step in this consideration is to understand if the organization’s risk assessment process is holistic and provides management with a thorough understanding of the risk landscape in which the enterprise operates. Remember that cyberthreats do not respect organizational boundaries. Most business leaders would agree that preventing a realized risk is better than dealing with the impact after the fact. If the current risk assessments are done at an asset or business unit level, but are not done holistically, consider the broader risk landscape and external environment; there may be an opportunity for audit to help change this view.
  • Assess the organization’s operational fitness in relation to its enterprise strategy—Does your internal audit shop perform operational improvement assessments that are not audits?
    • If your organization is a technology business, invest in skills needed to assess the particular type of technology and make sure that the intellectual property (IP) of the organization is protected in contracts, by escrow, etc.
    • If your organization is a service business, look into processes that can be improved for efficiency and cost reductions (e.g., hospitality and healthcare).
    • If your organization is a knowledge worker organization, look for manual processes that can be automated or productized into a standard repeatable process. Having a template (and possibly a set of technology control boundaries) to guide manual data input serves as a quality control element to reduce errors and save time.
    • If there is heavy investment in physical or tangible assets (e.g., healthcare, energy, automotive, manufacturing, shipping), perform a stress test on the current property and casualty insurance or other risk transfer portfolio against the potential cyberloss exposure scenarios.
    • If privacy is a chief concern, perform an analysis of the privacy policy on the customer-facing website against the actual security practices that are in place to ensure customer privacy.
  • Assess the internal audit staff skillsets—Determine what skills your employees need and how you are going to deliver that training or understanding. Look beyond technology itself. Yes, some employees might need training in data analytics and coding, but they also need to learn design thinking, empathy maps to better understand customers or users, and how to turn data into business insights. Does your team have the skills to extract the data needed from the operational and financial systems that underpin the organization, e.g., the enterprise resource planning (ERP) or governance, risk, and compliance (GRC) systems? Demonstrating these skills increases the demand function for internal audit’s services, which strengthens influence in the long run.

There are no quick fixes or easy buttons when it comes to changing people’s perception of internal audit, but there are opportunities, techniques and solutions that should be considered to make a difference.

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.


Learn to Audit AI



Artificial intelligence (AI) will not only impact how enterprises do business, but will also impact society as a whole. Emerging AI technologies will cause disruptions to the way everyone, including IT auditors, performs their work, especially until these technologies are more familiar. While in this emerging phase of AI, governance around auditing AI will need to be established.

The Auditing Artificial Intelligence white paper presents IT auditors with information they need as they prepare to focus on providing AI assurance. This paper defines AI, explores the challenges of auditing AI and discusses how COBIT 2019 and other frameworks can help govern AI audit.

To learn more, download the complimentary ISACA white paper on the Auditing Artificial Intelligence page of the ISACA website.


ISACA Turns 50—Join the Celebration!



ISACA is celebrating its 50th anniversary this year, and members are essential participants in the year-long celebration.

On ISACA’s anniversary website, you can view ISACA’s history including infographics, articles, photos and videos. The website will be updated weekly with new stories and photos and monthly with anniversary-themed podcasts. The site also features items from ISACA’s anniversary storefront, where individuals or chapters can purchase items such as keychains, pens, water bottles, umbrellas, jackets and more.

You can also participate in the ISACA 50th anniversary social media conversation using #ISACA50 or follow ISACA on Facebook, LinkedIn, Twitter or Instagram to view anniversary posts. This quarter, join the Where in the World Is ISACA? social media campaign by visiting and following the instructions on the Participate page of the anniversary website.

ISACA also will host anniversary celebrations at its CACS conferences around the world this year. They will feature exclusive videos and panels on the evolution of technology.

As ISACA looks back on its past with deep appreciation, the organization also looks forward to the future with tremendous excitement. In this 50th anniversary year, ISACA will launch a new foundation and future of IT audit initiative to help members navigate their professional futures and add tremendous value to their organizations. In February, ISACA will offer a new Transforming IT Audit microsite with a Future of IT Audit research report, guidance on artificial intelligence (AI) and audit, and many other resources.

“This year is an incredible opportunity to both honor our past and innovate for the future,” said ISACA Board Chair Rob Clyde, CISM. “We are truly thankful to our members and volunteers, all of whom are an important part of the ISACA 50 story. We are proud to have been the source they can turn to navigate professional challenges and opportunities, advance their careers, and serve their organizations for the past 50 years, and we are excited to be there for them in new and exciting ways for the next 50.”


ISACA’s Advocacy and Public Affairs Team Engages With EU Officials and Organizations


Since its launch last year, ISACA’s Advocacy and Public Affairs team has engaged with key stakeholders and officials around the globe on behalf of the professions it serves through meetings, roundtable discussions and position papers on key issues such as certification, cybersecurity, IT audit and governance. ISACA’s Advocacy and Public Affairs team hopes to broaden the reach, impact and worldwide influence of ISACA and the professionals it represents. This increased global cooperation will increase the need for ISACA members’ skills and guidance internationally.

As part of its work in the European Union, ISACA formed an EU General Data Protection Regulation (GDPR) Working Group, which created an ISACA position statement and paper that the Advocacy and Public Affairs team leveraged in meetings with government officials in 2018. ISACA is currently working on a number of projects within the European Union, including work with the European Union Agency for Network and Information Security (ENISA) and other governmental organizations on topics such as cybersecurity and certifications. Additionally, ISACA developed a resource web page to help professionals prepare for and understand GDPR requirements, particularly in the areas of privacy by design, appropriate security protection and the role of the data protection officer.

As a result of all of the efforts of ISACA’s Advocacy and Public Affairs team, the team was recently named “Professional Body of the Year” by the Public Affairs Awards Europe 2018. These awards recognize excellence in the public affairs space in Europe among various groups, including consultancies, in-house teams, charities and think tanks.

To learn more about ISACA’s global advocacy work, visit the Advocacy page of the ISACA website.