One of the great benefits of being the head of a global professional organization is that I am privileged to travel frequently to meet with internal audit practitioners around the world. By necessity, I have had to become a resourceful traveler. I’ve learned to pack lightly, make time to meet the professionals and appreciate the locales I visit, and take advantage of technology that keeps me connected.
This last aspect has been particularly interesting this year, when there have been two instances where technology played intriguing roles in my travels.
The first involves the powerful technology that keeps me connected to headquarters staff 24/7/365 — most people call it a smartphone. One recent estimate predicted the number of smartphone users will grow to 2.1 billion in 2016. That means about 3 out of every 10 people in the world are never out of reach.
This technology allowed my chief financial officer to reach me while I was in South America earlier this year after she received a directive for an immediate wire transfer from what appeared to be my email account. To her credit, she became suspicious and called me before taking any action and confirmed the email did not come from me. Mobile telephony made it as easy for her to reach me on another continent as ordering lunch from the deli down the road. In this duel between a potential fraudster's technology and mine, my connectivity enabled us to prevail.
Technology played an even more innovative role in an incident less than a month later during my travels to Prague. I had an interview at the local PwC office, and I could not find my overcoat when it came time to leave. Suspecting that I had left it at the hotel restaurant, I returned there but was told no overcoat had been found.
Instead of speculating where I left my coat, the hotel manager instinctively pulled the security camera footage that showed me leaving the hotel at precisely 1:44 p.m. — with my overcoat. Armed with this new information, I was able to guide my PwC colleagues to where I had left my overcoat in their building.
I must admit it was a bit disconcerting when I realized how pervasive security technology has become. My Prague experience immediately brought to mind lyrics from the song Every Breath You Take, the 1983 megahit by The Police. While the song deals with obsessive love and not an Orwellian Big Brother, it is important to remember that we live in a world where technology has made it almost impossible to operate anonymously – or as The Police sang, “Every step you take, I’ll be watching you.”
I’m sharing these personal examples for two reasons. First, technology can provide powerful tools for internal auditors to fulfill their roles as independent and objective assurance providers. Second, internal auditors must be attuned to how technology creates situations that can potentially damage an organization’s resources and reputation.
Whether using technology to sift through massive databases in short order or recommending the latest technology to improve security protocols, technology sometimes can be internal audit’s best friend. But just as often, technology designed as convenience can create risks for the organization.
The next technological advancement – the Internet of Things (IoT) – already is creating new vulnerabilities. I am already leveraging this technology for personal use as I routinely monitor the interior of my home and adjust the climate no matter where I am in the world. This new wave of interconnected devices sold as convenience has the potential to create new risks and vulnerabilities in cybersecurity, employee safety, privacy, and more.
IoT promises to be the next high-risk, high-tech battleground. We must be prepared for that battle by working closely with IT and other risk managers to identify and understand all risks associated with technology.
As I often coach members of the profession, as internal auditors we must move beyond an exclusive focus on hindsight and insight to become agents of foresight. There are few risk areas where we can provide greater foresight than those related to technology.
As always, I welcome your comments via LinkedIn or Twitter (@rfchambers).