Modern Compliance The Compliance, Risk and Internal Auditor's Guide to Increased Visibility & Enhanced Decision-Making
The internal audit, risk and compliance profession is undergoing tremendous change as it faces greater compliance challenges, increased board-level demands, growing investment in digital transformation and surging cyber threats. No longer tasked with simply overseeing evaluations and recommending improvements for the effectiveness of risk management, control and governance processes, internal auditors are now being tasked with playing a more active role in guiding executive decision-making – especially regarding technology transformation.

A modern Internal Audit function should understand the organisation's key risks and proactively identify emerging risks in order to add value to the organisation, because best-in-class organisations are realising that internal audit and compliance is not just an overhead cost driven by regulatory demand. On the contrary, according to Deloitte, investment in the function is associated with increased top and bottom lines, as well as lowered danger of reputational and other risks.

In today's increasingly complex business environment, organisations must bring a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

To help businesses meet these new challenges, internal audit functions must evolve as well. While internal audit is not the sole owner of risk within an organisation, it provides unbiased insight into an organisation's internal controls, corporate governance, and business processes.

Internal Audit must assure, advise and anticipate.

Assure: Ensure that processes, systems and controls are reviewed regularly.

Advise: Guide better decision making and influence how the organisation takes smarter risks.

Anticipate: Deliver forward-looking insights to enable the organisation to move at the speed of innovation.
Organisations face four distinct problems in their pursuit of building strategies to manage risks core to good governance.

1 Supporting Digital Transformation

PROBLEM

To keep up with the needs of an increasingly digital workplace, many organisations are going through a period of increased investment in new digital solutions in order to make their businesses more efficient. For most organisations, digital transformation was an agenda item on many business plans, but the pandemic catapulted it to the top of the priority list for virtually every business in the world. CFO Magazine provided a great example of this in the auto insurance industry. In order to submit virtual claims, customers take a picture of their damaged vehicle and submit it directly to their insurer via a mobile app. In early April of this year, during the height of the pandemic, Allstate estimated that more than 90% of all of its auto claims would be submitted via its virtual tools. That was up from 50% two weeks earlier. Before the pandemic, roughly 11% of auto insurance customers used virtual claims tools.

As companies start their digital transformation efforts, internal audit and compliance must remain cognizant of the risks these new technological changes bring with them. Below are a handful of questions that must be contemplated whenever new technology is being implemented:

• How will access to data and systems be handled in order to maintain compliance and protect data?
• What controls will be put in place to monitor the uptime and performance of this software?
• Who specifically will design and monitor the controls?
• What processes will be implemented to prevent unauthorized access to these new systems and their sensitive data?

While Internal Audit and Compliance aren't necessarily directly responsible for these controls, they must be cognizant of them to ensure data is appropriately protected and controlled, to ensure their organisation is able to move at the speed of innovation while still doing the right things to protect for the risks of tomorrow.

SOLUTION

The Diligent Compliance Improvement Register provides a central location for recording and managing all improvement opportunities identified by audits, assessments and control reviews, as well as ideas and suggestions for improvement identified by staff. The intuitive interface allows improvements to be quickly and easily filtered based on priority, type and status, as well as by department or group.

In addition to the Improvement Register that holds the corrective and preventive actions, the Diligent Compliance Assessment Manager is the means by which audits can be securely and collaboratively delivered, or even leveraging best practice libraries to conduct reviews and gap assessments to identify opportunities for improvement.

While not specific to just internal audit, the Initiative Manager could support teams involved in digital transformation projects and activities tasked with implementing any corrective/preventive actions identified through an internal audit or review.
2 Uncertainty Over Compliance

PROBLEM

Internal Audit and Compliance are tasked with identifying potential regulatory deficiencies that could put the organisation at risk, as well as implementing the necessary internal controls to better manage against these risks.

Focal Point Data Risk, a leading cyber-security services provider, highlighted three key areas where they see the future of internal audit trending in 2020.

• Data privacy compliance has been and will continue to be a key focus for internal audit. Over the past few years, the world has seen a substantial increase in data privacy regulations with GDPR and, most recently, CCPA, and many organisations are already operating under the assumption that CCPA-type protections will be extended to consumers regardless of their state of residence. According to Corporate Compliance Insights, data privacy compliance represents an opportunity for internal audit to showcase its ability to provide strategic value in addition to critical verification and quality assurance.

• Cyber-security threats are continuing to increase in frequency and complexity, with each day bringing the potential of another data breach. In April 2020, Cloudflare reported that online threats had risen by as much as six times their usual levels as a result of the COVID-19 pandemic. Additionally, Barracuda Networks, a security solutions company, also reported that phishing attempts have soared by over 600% since the end of February. Increased threats have also brought about increases in regulation, with new cyber-security regulations from the U.S. Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) likely to require more internal audit involvement. To hold public companies accountable to their stockholders and investors, the SEC and the PCAOB are pressuring public organisations to clearly demonstrate how they are mitigating cyber risks, including highlighting key internal controls.

• Based on the above, more boards will also become more involved in cybersecurity, with this topic now becoming a top priority in boardroom discussions. A key internal audit objective will be to provide management with an independent assessment of an organization's cybersecurity policies and procedures and their effectiveness. As a result, more internal audit departments will adopt the use of cybersecurity frameworks like ISO, NIST, COBIT to serve as a baseline for an organization's existing program and provide the structure, methodology, and best practices to achieve a strong security posture and prevent potential security vulnerabilities or data breaches.

SOLUTION

Diligent Compliance has a powerful assessment engine for conducting process compliance and maturity assessments. Rather than relying on less accurate survey-based methods, the solution's auditing capabilities allow you to review documentary evidence and answer questions across a range of management domains and disciplines. Gaps are automatically translated into improvement tasks, along with measures of compliance, capability and maturity. The Diligent Compliance Explorer provides a means of linking and reporting Control status against various best practice frameworks and standards. This feature provides a simplified means by which compliance can be easily reported against different business, contractual, regulatory and legislative requirements, plus other frameworks and standards as required.
3 Data Transparency & Accountability Across Functions

PROBLEM

According to Gartner's "2020 Audit Function & Risk Coverage Priorities Benchmarking Report," the most important and challenging problems to solve pertain to the increasing role of data in organisations and ensuring better sharing of data and analytics across functions.

More internal audit departments must integrate data analytics as a core capability across all areas of the business to gain a more comprehensive view of the business, identify risks earlier in the audit process and reduce time and effort expended while increasing quality and lowering overall costs.

On top of the data problem lies the problem of cross-team visibility. With limited transparency, there is often a divide between internal audit functions and other departments, which is not conducive to maintaining consistency and collaboration. A great way to better facilitate internal audit processes is to centralise policies and any other documents pertinent to internal review. Teams often find that their employees have conflicting documents in several different versions and file formats, which increases risk exposure and can complicate or even hinder internal audit processes.

SOLUTION

Diligent Compliance streamlines processes and centralises enterprise assets, which reduces oversight and ensures all departments reference only one version of holistic information. The Diligent Compliance Risk Register provides a central location for recording and managing risk across the business or within specific departments or groups. Risks may be specific to just one area or shared/linked across multiple Departments or Groups. The intuitive interface allows risks to be quickly and easily filtered based on the risk score, type, status and treatment, as well as by department or group.
Internal audit and compliance are becoming more complex, requiring improved use of data and a focus toward the proactive and the predictive in order for the function to be a strategic advisor and a value add to an organisation. According to Deloitte, in their paper, “Compliance to Power Performance,” for these functions to reach this next stage of value creation it will require adjusting the skill set in these programs to be able to use analytics effectively, perform data-driven analysis, and make data-based decisions. The focus shifts from individual risks to trends and enterprise concerns, with the endpoint being the transformation of compliance into a trusted business advisor.
4 More Coverage with Similar Resources

PROBLEM

As the pace of change continues to accelerate and risks become more dynamic, utilising traditional, monolithic approaches to auditing is no longer acceptable. Given the greater prevalence of data in the organisation, internal auditors and compliance specialists need to deploy methodologies and technology that increase operational efficiency and provide for the capture and analysis of data, turning it into insight as close to real-time as possible.

Next-generation internal audit drives toward data and technology-enabled audit processes, delivering increased efficiency and risk compliance by reducing highly manual tasks within the internal audit function. This allows the internal audit function to focus on risk within the business and areas that require significant levels of judgment.

SOLUTION

Diligent Compliance provides a springboard for growth by cutting out manual processes, expediting the management of risk and compliance and ensuring obligations are met in an accurate and timely manner. Diligent Compliance frees individuals working in the internal audit function to focus their time ensuring that processes, systems and controls are reviewed regularly to guide better decision making and influence how the organisation takes smarter risks while delivering forward-looking insights to enable the organisation to move at the speed of innovation.
In conclusion, best-in-class organisations are shifting their perception of the governance and compliance function from a cost center to realising that investment in the compliance function, and software that helps support its operational efficiency and maturity, is associated with increased top and bottom lines in addition to lowered danger of organisational and reputational risk. Diligent Compliance will enable organisations to:

1 Support Sustainable Growth
There is a strong link between governance and the bottom line. Good governance practices encourage growth in the following ways: increased business performance, raising capital, financial control, accountability, and competitive advantage.

2 Ensure Profitability
According to a Ponemon Institute Report, the cost of non-compliance is 2.71 times higher than the cost of compliance. Organisations that delay compliance efforts are taking an ill-advised risk, which could ultimately yield a pricier penalty.

3 Protect Brand Reputation
Organisations must make more informed decisions and take on smarter risks. Internal audit and compliance functions must also evolve, shifting to work alongside the business to identify new types of risk and determine the right controls and mitigation strategies to manage them.

This article borrows content from the following articles:
• The Future of Internal Audit: 10 Audit Trends to Prepare for in 2020
• The Future of Internal Audit is Now
• Audit Committees in the Private Sector: Essential or Excessive?
Diligent Compliance

See how you're measuring up against requirements, swiftly address gaps and communicate easily with regulators, auditors and shareholders with:

• Dashboards and reports for visualizing program effectiveness
• A central library of internal frameworks and obligations
• Common controls that dynamically map to related obligations
• Automated review scheduling and notifications
• Built-in processes to streamline workflows and reduce inefficiencies

Learn more about Diligent's Security, Risk and Compliance solutions or schedule a demo today:
REQUEST A DEMO
ComplianceSales@diligent.com
Learn.diligent.com/compliance-anz

"Diligent" is a trademark of Diligent Corporation, registered in the US Patent and Trademark Office. "Diligent Boards," "Diligent D&O," "Diligent Voting & Resolutions," "Diligent Messenger", "Diligent Minutes," "Diligent Insights," "Diligent Evaluations," "Diligent Governance Cloud" and the Diligent logo are trademarks of Diligent Corporation. All third-party trademarks are the property of their respective owners. All rights reserved. © 2020 Diligent Corporation.