Is Internal Audit Ready for Disruptive Innovation?


Reshaping the Audit Plan Using Protiviti's Digital Maturity Assessment Tool

Disruptive innovation is pervasive. Every organisation today is being impacted and every leader needs to be engaged in and well-informed about the digital revolution, its impact on the organisation, the risks it presents, as well as the potential advantages it can deliver.

Our recent study of “The Top Global Risks for 2018” with senior executives and board members, conducted worldwide, highlighted a significant change in perspectives on risk.[1] The rapid speed of disruptive innovation is now rated the number one concern for these leaders, closely followed by concerns over resistance to change from within the organisation. This incongruence presents a dilemma across all organisations. It is a natural response to headlines about the collapse of long-established brands and suggests an imperative to improve readiness.

Not surprisingly, many executives are asking themselves whether they are focusing on and doing enough of the right things to avoid being swept aside in the digital economy. Board members and executives want to know where they stand compared to their peers and competitors and what they need to do to keep pace. Chief audit executives should ask themselves whether they could answer this question and whether they are doing enough to provide assurance that these risks are being appropriately managed. Unfortunately, many organisations continue to make the same mistakes and few audit functions are sufficiently prepared and engaged to identify and report upon these failings.

*Scores are based on a 10-point scale, with “10” representing that the risk issue will have an extensive impact on the organisation.

Reactive response to disruptive innovation

So how are most executive leadership teams responding to change? There is often too much of a focus on investing in new technology. This often starts with investing heavily in customer-facing technologies (e.g., websites and mobile apps) as the organisation looks to place a greater emphasis on digital channels. Many organisations also are embracing the cloud and replacing legacy applications with next-generation software.

However, for many, these initiatives result in a digital “veneer” around the business that looks promising on the outside but fails to address shortcomings at its core. To outsiders, and in some cases to employees, this digital veneer creates an illusion that the business is changing and keeping up with the times. The unfortunate reality is that the change is very superficial. Legacy systems and applications often remain archaic and cumbersome, while manual intervention within business processes continues to be present despite the innovative presentation to customers. Often, insufficient consideration is given to how digital channels, the emergence of new business models and the changing competitive landscape impact the more traditional, analog aspects of the business.

Digitalisation Approaches

Digital transformation is a way of thinking

To become a leader in the digital age, it is essential to reinvent the business at its core. Beyond technology and process changes, this means the way people think and act in everything that they do needs to substantially evolve. The people aspects are much more important than the technology. That is not to say that technology is not important, but it should not be the driver nor the destination. Fundamentally, digital transformation is about people transformation.

Of course, most organisations are not digital leaders and may never be. Nor do they necessarily need to be.

Many are content to be followers, allowing others to be the pioneers and make mistakes on the “bleeding edge.” However, the pace of change is much faster in the digital age, shrinking the half-life of entrenched business models and making it harder to react.

If the organisation is to survive as a digital follower, it needs to be agile and able to react very quickly when leaders disrupt. It must recognise the signs of disruption and act on that knowledge in a timely manner. Increasingly, only organisations — and specifically, their people — who think and behave digitally can do this.

The reality is that most large organisations are slow and resistant to change. This is particularly true of established leaders for whom a traditional approach has been successful for an extended period of time — often decades or longer. Many of these organisations are not taking the steps to challenge and disrupt the status quo.

Internal audit needs to think about how it is assessing the actions the business is taking to transform the organisation. It needs to ask, “How are our people transforming?” and “What are our leaders doing to effect change?” Most audit functions are highly capable of providing assurance over changes the business is making, especially in “traditional” areas of audit focus such as finance and technology. However, it has become just as important to highlight the risks associated with not taking the necessary steps to make change, particularly with regard to how the organisation’s people are transforming, undergoing training and preparing for digital transformation in the market. Many internal audit functions are far less effective and often hesitant to comment on what an organisation is not doing, particularly in areas of new or rapidly evolving risk.

Key attributes of a digital leader

We have conducted extensive research into what it takes to be a leader in the digital age. We have defined five levels of digital maturity:

Digital Maturity Scale

Digital Skeptics: All organisations are digital to some extent, and this includes Digital Skeptics. These organisations tend to react to what is going on around them and are seen by many as laggards.

Digital Beginners: Beginners are embracing change and having success implementing new technologies. Often, digital transformation activities are best characterised as a collection of point solutions.

Digital Followers: Followers know what it takes to succeed in the digital age and have a clear strategy for execution. They make quick decisions and are able to focus attention when needed to deliver change. The strategy, once delivered, will bring transformation to some aspects of the core of the business.

Digital Advanced: Advanced organisations have progressed their digital transformation efforts further, and have transformed the business to the core, where necessary, revisiting business models that may have served them well over the years. There is a recognition that digital is a way of thinking and not just process automation. Advanced organisations are embracing the latest technology to achieve very high levels of automation throughout their business, reducing their cost base significantly and introducing hyperscalability.

Digital Leaders: To Digital Leaders, this all comes naturally. They have all the attributes of an advanced business and have proven repeatedly that they know what it takes to innovate and disrupt, resulting in a brand associated strongly with innovation. Leaders are altering customer experience paradigms and rethinking traditional business models. As a result of this disruption, they are growing fast and stealing market share from the incumbents.

When we look at digital maturity in this way, we find a significant cluster of organisations somewhere between a Digital Beginner and Digital Follower.

Many are much closer to a Digital Beginner than they at first believe they are. Few internal audit functions are drawing this to the attention of executive leadership and highlighting the risks associated with inadequacies in transformation activities. When organisations fail to deliver, it is often asked: “Did internal audit draw attention to the risks that were not being effectively managed?”

Reshaping the audit plan

Our Digital Maturity Assessment and supporting application have been designed to enable our clients to assess their digital aptitude and to quickly identify areas requiring attention. We view it as a complement to existing risk assessment processes and it can be used by internal audit functions as a digital risk universe.

We assess 36 core attributes that differentiate Digital Leaders from other organisations along a continuum using the five digital maturity levels.

Key areas of focus in our assessment include:

  • Strategic Planning and Business Model Disruption
  • Risk Management and Compliance
  • Culture and Management
  • Organisation and Processes (including areas such as Human Resource Management, Knowledge Management, Innovation & Research)
  • Business Process Automation
  • Go-To-Market Execution (including Customer Experience, Digital Marketing and Cross-Channel Strategy)
  • Technology Competencies (including IT Architecture, Software Development, Third Party Collaboration and Cyber Security)
  • Big Data Analytics (including Data Value Creation, Data Governance and Data Science Team)

Protiviti’s Digital Maturity Assessment methodology combines self-assessment through the application, with interviews and workshops. This allows us to help our clients quickly obtain input from a large, diverse group of individuals and stakeholders. The results are consolidated in dashboard reports that we then validate by working collaboratively with the executive management team.

Digital Maturity Assessment Framework

The dashboard reporting provides executives with a measure of how digital transformation efforts are progressing, at a macro or detailed level, providing an assessment of digital maturity for each of the attributes assessed.

Working with internal audit leadership, we use the results of this assessment to reshape the audit plan, focusing attention on areas that will present risk over time if not appropriately managed. We use the tool to highlight areas of inactivity that require consideration. The objective is to provide assurance that the key risks are understood and appropriate governance is in place to manage the risks associated with innovative disruption.

If you knew how your organisation measures up, how would you react? Has internal audit looked at the right areas, asked the right questions and reported what it has found? Has internal audit made its opinions heard?



[1] Executive Perspectives on Top Risks for 2018, Protiviti and North Carolina State University’s ERM Initiative.


Jonathan Wyatt
+44.774.748.7644