Navigating GRC and Audit

 

The Coming Compliance Wave is on the Horizon - But what is the impact for Internal Audit?

By: Christopher Fox

 

We know it’s coming.  We just don’t know when, and what form it will take.

 

The current financial crisis will generate a number of new regulations, and probably increased enforcement of existing ones.  As risk, compliance, and audit professionals, our jobs will undoubtedly become more challenging.

 

What changes or additional areas of regulation are likely to emerge?  Well, it’s anybody’s guess, but here’s mine:

·         Boards and management not meeting their corporate governance responsibilities could result in regulation formalizing their roles and responsibilities.

·         The lack or failure of risk management could result in increased risk management requirements.

·         Rating agencies not identifying significant risks could result in more regulatory focus on the extent and quality of the rating process.

·         The lack of an approach to systematic risk will result in a major overhaul of the regulatory process.

 

These changes are likely to impact how companies manage compliance.  First, I think that there will be increased focus on compliance with policies and procedures, in addition to external regulations.  In the past, it was often considered sufficient to post existing policies and procedures on an enterprise’s intranet and not take any further steps to ensure compliance.  The risk associated with this approach is that ‘best practice’ policies were written but were not actually being followed in practice.  And, in many cases, management did not give appropriate attention to audit findings that highlighted areas of non-compliance with policies and procedures.

 

In recent times, this approach to policies and procedures has become less acceptable – if not unacceptable.  In the short to medium term, we can anticipate changes that will require companies to implement better governance and risk management practices.  Improved compliance processes will confirm not only adherence to laws and regulations, but also that management directions (policies) are being followed.

 

But, back to this wave of new regulations that we expect to see.  As new regulations appear, or existing ones are strengthened over the next year or so, technology will have a central role in the management and monitoring of compliance.  This has been important in the past (for example, compliance has been a primary business driver for identity and access management solutions for several years now).  But, as new mandates appear on the horizon, the need for, and adoption of, technology that helps with compliance will increase.  Specifically, technology can aid with compliance in these areas:

 

·         The automation of policy and procedure management

·         Centralization of access management

·         Automation of key identity management processes (such as user provisioning)

·         Automation of log aggregation and analysis

·         Integration of policies and procedures with training and awareness programs

·         Integration of processes related to business performance management and risk management

 

Clearly these changes will have an important impact on the role of internal audit.  Internal audit will continue to have a central role in ensuring that an effective compliance process is in place.  But, more specifically, I envision that the increased regulatory environment is likely to impact the internal audit function in the following ways:

 

·         Internal audit will be expected to assume a more active role in assisting the Board and management to meet corporate governance responsibilities.

·         Currently there is a common perception that internal audit may be constrained due to economic factors.  Once regulation has been enacted and the Board understands the level of its impact, this constraint should no longer be a limitation.

·         Internal audit will be expected to be thoroughly familiar with governance, risk and compliance (GRC) technology, and the use of this technology will be a mandatory skill for them.

·         The role of internal audit will expand.  Audit will be required to thoroughly understand the breadth of a business and, where necessary, be able to understand detailed business processes.

 

The next year or so will be exciting for audit professionals (not that the previous year has been exactly uneventful!).  Let’s fasten our seat belts, expand our view of the compliance horizon, and use our skills and experience to help maneuver our business through these challenging waters.




The opinions, beliefs and viewpoints expressed by the various authors and forum participants on this web site do not necessarily reflect the opinions, beliefs and viewpoints of AuditNet®