I compare notes with internal audit (IA) colleagues in other companies from time to time, and whenever the topic turns to adapting the internal audit function to the digital era, I hear a consistent theme: “This is such a big challenge. Where do we even begin?”
The fear of getting started is understandable. Transformation is a significant challenge. There are a lot of moving parts, and they are all in motion at the same time. IA professionals who are used to predictability, precision and process are naturally going to be a bit unnerved by a change effort that can, at times, appear to be messy and even chaotic. The good news is that if you have the courage not just to get your feet wet but to dive in, you will discover that the water is fine.
Based on our experience in transforming the internal audit function at Accenture, you do not need to have all of the answers to begin asking some illuminating questions. Certainly everyone wants to do as good of a job as possible, but when it comes to change on this scale, there is nothing wrong with learning as you go.
Take analytics in the internal audit function as one example. No one says you have to be an advanced user of analytics to begin benefitting from its power. You will learn more and grow more sophisticated in your use of analytics tools by actually applying them to current IA tasks rather than by studying them in the abstract.
Advisory services is another good example. Many IA organizations are used to providing retrospective audits only. While important and a critical foundation for IA functions, there is a real opportunity to add value for the business by providing advisory services around risk identification, controls and mitigation as new products, services or business functions are being created. This helps prevent problems, and the business will appreciate the value IA can add. Do not try to follow all the rigor typically built into the audit process—remember, the focus is on value-add, so tailor the advisory services approach accordingly.
Having encouraged everyone to dive in, there are certain high-value decisions where you will want to take your time and consider your options before taking the plunge. Consider the question of which enterprise governance, risk and compliance (eGRC) platform you decide to use. The process, change management and technology investment will be sizable, and once you begin using the solution, it will not be easy to change course. In these instances, you will want to exercise prudent caution.
But generally speaking, we have found that it is better to get started, make some initial progress, and then make things better over time rather than waiting for every principle and process to be perfect before implementing IA changes.
Read Bob Kress’ recent Journal article:
“Transforming the IT Audit Function—Taking the Digital Journey,” ISACA Journal, volume 1, 2016.