Assessing Technology Industry Results from the 2012 Internal Audit Capabilities and Needs Survey
THE GROWING MOVE TO THE CLOUD MAY REPRESENT THE BIGGEST DRIVER OF CHANGE IN THE INDUSTRY. CLOUD APPLICATIONS AND INFRASTRUCTURE CREATE A HOST OF OTHER ISSUES, INCLUDING DATA SECURITY AND INTELLECTUAL PROPERTY PROTECTION, THAT REQUIRE ATTENTION.
Although the technology industry has long been defined by unexpected developments, the industry’s current pace of change and penchant for surprises are at an all-time high.
Some of the industry’s biggest-named and most lucrative initial public offerings (IPOs) took place in the past few years as companies like Facebook, LinkedIn, Pandora, Yelp and Zynga shed their private status.
Beyond IPOs, technology companies continue to contend with a growing wave of cybersecurity breaches and supply chain disruptions – some of which stemmed from massive natural disasters in Asia. And thanks in part to merger and acquisition (M&A) activity, traditional territorial boundaries between major technology companies are being redrawn.
Additionally, the growing move to the cloud may represent the biggest driver of change in the industry. Cloud applications and infrastructure create a host of other issues, including data security and intellectual property protection, that require attention. Finally, technology companies are rethinking how major changes in the use and delivery of content – including the transformational force of social media – influence their businesses, partnerships and supply chains.
These issues have direct implications on internal audit functions within the technology sector, according to the technology industry findings from Protiviti’s 2012 Internal Audit Capabilities and Needs Survey. Specifically, the technology industry survey findings suggest that internal audit’s activities over the next year will center on four overarching priority areas:
- Increasing the use of technology to audit key business process controls (e.g., cash receipts/applications, revenue recognition) more effectively
- Addressing and managing existing and emerging risks holistically
- Enhancing efficiency through technology-enabled auditing
- Nurturing internal collaboration and networking externally
In all, the results from technology industry participants in the 2012 Internal Audit Capabilities and Needs Survey present a picture of internal audit functions that are prioritizing their activities and deploying their skills in order to balance tactical requirements with strategic contributions during what promises to be an extremely eventful and disruptive year.
RESULTS AND ANALYSIS
To understand the priorities and challenges within technology industry internal audit functions, it helps to keep in mind some of the primary external drivers of change. These conditions and trends include:
- Blurring Lines: In the past few years, submarkets throughout the industry have grown increasingly crowded. Technology manufacturers have purchased software vendors. Software vendors began producing mobile devices, and hardware companies launched, or increased, major service businesses. As a result, supply chain partners became competitors, while competitors became supply chain partners. Google is even testing an unmanned robotic car, raising questions about where the technology industry ends and other industries (such as retail, automotive and telecommunications) begin.
- Cloud Computing: Cloud migration raises a number of serious questions for companies of all sizes: How will we protect data in the cloud? What privacy issues does the cloud pose? How can we as a company continue to manage the information security of our customers, employees and supply chain partners as the cloud becomes a more pervasive platform within our business? Organizations must address these and other questions as they move data and key functions away from in-house servers and systems with established internal controls and security measures.
- Content Delivery: The way in which consumers and businesses are using content has changed, and these shifting preferences have implications for a wide range of technology companies. Today, consumers expect content across an array of devices – smartphones, laptops, tablets and desktops – and they want to access that content in an immediate and seamless manner. Technology companies are striving to meet these expectations while managing risks associated with different content-delivery systems, networks and devices.
- Cybersecurity: It has become increasingly common to open up any major newspaper and find a headline announcing the latest information security breach. Many of these incidents result in business disruptions, loss of revenue, additional expenses and reputation damage. For technology companies, the rising tide of information security challenges presents both internal threats and business opportunities.
While helping their organizations address these pressures, internal audit functions also face an internal demand to execute their activities in a more innovative and efficient manner. The survey results indicate that internal auditors within the technology industry should respond to these opposing needs by leveraging their own use of technology more effectively.
1. Increasing the Use of Technology to Audit Key Business Process Controls (e.g., Cash Receipts/Applications, Revenue Recognition) More Effectively
Respondents were asked to assess, on a scale of one to five, the degree to which their organizations use technology to audit 36 business process controls, with one indicating no use and five representing extensive use. For each area, they were then asked to indicate whether they believe their level of technology use is adequate or needs to be increased, taking into account the circumstances of their organization and industry.
The results suggest there continues to be significant concerns about (1) the proliferation of technology and how employees throughout the organization are leveraging a variety of desktop and mobile devices as part of their day-to-day duties, and (2) the potential for fraud in the organization.
Considering the proliferation of new technologies in organizations today, it is incumbent upon the IT organization to keep careful track of devices, tools, software and other technologies that have been deployed throughout the organization to potentially thousands of employees. It also is incumbent upon the internal audit function to audit and test controls related to the policies for these tools and devices, including security and privacy, change control, and data integrity. As any organization knows, there is significant cost associated with IT assets, from which a return on investment (ROI) is needed. Physical security is important; it’s easy for “little” things to disappear. Even a relatively small percentage of loss in terms of hardware or, more importantly, data and other intellectual property, could result in significant financial losses and, in the event of a security or data breach, potentially devastating effects in terms of regulatory noncompliance and reputation damage.
In terms of fraud, internal audit professionals clearly are looking to do a better job of capitalizing on technology-enabled auditing to monitor controls over areas more prone to fraudulent activity, such as access controls, suppliers, capital expenditures, and travel and entertainment expenses, among others. The high “Need to Increase Use of Technology” rankings for auditing business processes, such as cash receipts, accounts receivable, billing, purchasing and purchase orders, represent further indicators of ongoing fraud-related concerns among internal auditors and their organizations, and the power and leverage of using technology to assist them.
Vendor negotiation and setup ties into these concerns as well. Creating vendors for actual use in the company’s enterprise resource planning (ERP) system in itself is a key transaction that makes those vendors “go live” and allows for disbursements of funds to those organizations, albeit with the requirement of various approvals.
Upon setup, payments can be made – but it is possible that certain payments could be unauthorized or even fraudulent.
Organizations also are mindful of the fact that extending access to key systems and controls to any third parties, vendors or otherwise, creates fraud- and security-related risks that must be managed carefully. In addition to these concerns, internal audit must work with department heads and business owners to ensure vendor relationships are set up in compliance with organizational standards, as well as applicable laws and regulations.
The relatively low Use of Technology in Auditing Business Process Controls also suggests that internal auditors within the technology industry should strengthen their collaboration with internal technologists in the IT department. More effective partnerships between internal audit and IT can help improve IT asset management while strengthening a range of internal audit activities (and fraud prevention and detection, in particular) via the introduction of greater automation to those processes.
2. Addressing and Managing Existing and Emerging Risks Holistically
Respondents were asked to assess, on a scale of one to five, their competency in 57 areas of technical knowledge important to internal audit, with one being the lowest level of competency and five being the highest. For each area, they were then asked to indicate whether they believe their level of knowledge is adequate or requires improvement, taking into account the circumstances of their organization and industry.
As in virtually every other department and function in organizations today, the rise of cloud computing and, in particular, the meteoric increase in the use of social media applications are having major effects on internal auditing activities. However, it appears that internal auditors within the technology industry appear better equipped to address issues related to cloud computing. Internal auditors in the technology industry rated their cloud computing competency higher than survey respondents from all other industries. This difference makes sense, given that cloud computing originated within the technology industry, of course, and many technology industry companies were the earliest adopters of the breakthrough.
Despite familiarity with cloud computing, internal auditors within the technology industry still identified it as one of their top four improvement priorities, along with social media applications (with which industry respondents indicated a lower level of competency).
Both cloud computing and social media applications are relatively new. As with any new process or activity that introduces significant elements of change, social media applications and cloud computing create substantial new risks that internal audit must – in partnership with executive management and business owners – identify, assess, monitor and mitigate appropriately. This need is reflected in other related risk management areas that industry respondents identified as priorities, including GTAG 6: Managing and Auditing IT Vulnerabilities and GTAG 15: Information Security Governance.
With regard to social media, there are numerous security, privacy, legal and reputation risks to consider. It is incumbent upon the internal audit function to work with management, the board of directors, department leaders and business process owners to develop clear social media use policies and standards, and to ensure there is ongoing compliance with these standards throughout the organization.
More broadly, internal audit should partner with these executive and leadership groups to assess the risks of the organization’s social media capabilities, and ensure that this risk profile fits the corporate culture and overall control environment. Indeed, the most important improvement priorities survey respondents selected – including ISO 31000 (risk management), IT governance and GTAG 13: Fraud Prevention and Detection in an Automated World – confirm a prevailing shift toward a more efficient and overarching approach to risk management that encompasses global issues as well (e.g., International Financial Reporting Standards (IFRS) and compliance with region- and country-specific tax laws).
3. Enhancing Efficiency Through Technology-Enabled Auditing
Respondents were asked to assess, on a scale of one to five, their competency in 52 areas of audit process knowledge, with one being the lowest level of competency and five being the highest. For each area, they were then asked to indicate whether they believe their level of knowledge is adequate or requires improvement, taking into account the circumstances of their organization and industry.
Continuous auditing and computer-assisted audit tools (CAATs) continue to rank as top priorities for internal audit professionals in the technology industry, along with continuous monitoring (a new category to the 2012 survey). In fact, continuous auditing and CAATs consistently have ranked among the top areas identified as in need of improvement among survey respondents from all industries, including technology, since 2008. This is a strong indicator of the rapid evolution and rising prevalence of technology in business today. In addition, many organizations still have not fully embraced the use of technology tools as part of their audit processes (as Table 1 shows), which suggests there may be a lack of training in these areas for their internal auditors.
Furthermore, the use of these and other technologies is enabling organizations to perform millions of transactions and capture vast amounts of data on a daily basis. Organizations are looking to their internal audit functions to devise efficient and cost-effective ways to monitor these activities and review and analyze this data on a continuous basis. Fortunately, there are a variety of auditing technologies available to accomplish this. The key is to enable internal audit team members, through education and training, to use them effectively and efficiently.
This ability grows in importance every year as more and more business processes rely to a greater degree on automation. As a result, preventing, detecting and responding to fraud within these processes also requires internal auditors to rely more heavily on technology in their activities. This helps explain technology industry survey respondents selecting numerous facets of fraud management (including monitoring, risk assessment, prevention and more) as improvement priorities.
The bottom line is that there is an ongoing movement in the internal audit profession from manual, time- intensive and, in many ways, inefficient auditing (relative to today’s demands) to technology-enabled auditing practices that enable the review of virtually every transaction and piece of data on a continuing basis.
4. Nurturing Internal Collaboration and Networking Externally
A quick glance at the top Personal Skills and Capabilities improvement priorities indicates that internal auditors are striving to elevate their game. Specifically, internal auditors appear intent on (1) strengthening their function’s overall capabilities through outside networking and practices sharing, and (2) forging stronger, more collaborative relationships with the senior executive team and the board. In terms of board relationships, survey respondents said that they are focused on strengthening their collaboration with audit committee members, as well as with the rest of the board.
It is noteworthy that these priorities exist even in skills and capabilities areas where competency levels already are relatively high. For example, although industry respondents rated their audit committee relationships and rapport with senior executives relatively high from a competency perspective, they also indicated that they want to work to strengthen both of these important relationships. This drive for continuous improvement also is evident in the fact that creating a learning internal audit function also figured as one of the top five improvement priorities among these respondents.
Many of these improvement priorities – such as leadership (within your organization), high-pressure meetings, dealing with confrontation, and negotiation – also reflect the ongoing evolution of the internal audit function. Few, if any, effective internal audit departments operate in a silo today. A growing number of functions have embraced an “immersive role” as they work closely with business partners to address threats and opportunities throughout the enterprise.
From a skills perspective, it is no longer sufficient to simply step out of the old silo mindset and into a new, more immersive role. Instead, internal auditors appear eager to ensure that their collaborations with all of the different parts of the business are as strong as possible. This requires leadership, negotiation, dealing with confrontation, persuasion and other “soft” skills that can lead to effective relationship building.
At a time when every day delivers the possibility that the technology industry will be reshaped by an acquisition, IPO or game-changing innovation, internal auditors remain committed to continuously improving their own capabilities.
This commitment, as evidenced by priorities selected by respondents to the 2012 Internal Audit Capabilities and Needs Survey, should help technology companies remain agile, efficient, innovative and, perhaps above all, prepared for when the next disruptive innovation emerges.