Business Risk Services

The Internal Audit Function: Post-pandemic challenges and priorities

Sara McAllister
insight featured image
Some 2,500 years ago, famed military strategist and philosopher Sun Tzu penned his influential treatise “The Art of War”. Since then, his work has become synonymous with the importance of institutional planning and self-understanding as the key to success in battle.

He states, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.” (Sun Tzu, 544 BCE)

Such words surely make us question in today’s world of business whether organisations really know themselves and where their key risks lie?

For many businesses, the COVID-19 pandemic’s manifestation as a black-swan event highlighted the shortcomings of the organisation’s risk awareness and risk management ability. In 2023 and beyond, the need for a trusted Internal Audit business partner, with a truly enterprise-wide risk lens, has emerged as a must-have rather than an optional extra. Knowing yourself, and in particular knowing which areas pose the greatest risks to your organisation are critical in today’s business and regulatory environment.

Post-pandemic, Boards and Audit Committees of organisations -both public and private- are increasingly looking at the level of value generated from the Internal Audit function, and those without a dedicated Internal Audit team are now considering how to leverage such expertise to provide a more transparent view of risk and internal control within their organisation. With markets increasingly being characterised by uncertainty, risk and dynamism, companies and institutions need both clarity on these challenges and alignment of vision to deliver successfully.

This sentiment is supported by the findings of Grant Thornton’s recently released International Business Report (IBR) which highlights many of the emergent issues facing organisations, with half of Irish businesses citing economic uncertainty as a major constraint, up from 40% in H1 in 2022. Other growing concerns identified for Irish business in the report include accessing finance with 34% citing this as a major constraint in H2 2022 versus 22% in H1 2022, and recruiting and retaining the right people for the job.

When analysing the value added by the Internal Audit function, it is important to highlight the twin key drivers of success in any organisation: Purpose and People. Without meaningful investment in the right talent and a well-defined purpose, alignment of goals across the organisation becomes difficult. The increasingly powerful tools available to Boards and Audit Committees arising from technological advances such as data analytics, agile models and real-time feedback are valuable in highlighting patterns and flagging potential pitfalls, but without a concerted approach involving all stakeholders within the business, navigating the hurdles of today’s business environment will remain challenging.

One of the ways that organisations can better manage risk, is through sharing of knowledge - what has worked well and what hasn’t worked - along a series of thematic risk profiles. Building alignment between the organisation’s strategic purpose and its people at every stage and bringing true transparency around existing and emerging risks to the business is critical. Departments often experience what are perceived as isolated risks specific to their function while the reality is that these issues arise in different functions across the organisation. Working more closely with Internal Audit can identify many of the concerns flagged in Grant Thornton’s IBR -from Finance to HR- thereby adding value through cost reduction and minimising of duplicate activities.

Currently, risks are manifesting from many external sectors. There are specific sets of challenges emerging in the technology and utility sectors, both of which are key to most organisations today in delivering their strategies and objectives. Typically, these capabilities are outsourced to third-party providers, further increasing the risk of exposure to energy price fluctuations and the impact of the talent resourcing dynamics within the tech sector. This is reflected in the findings of the recently published IBR with Irish businesses expecting to hire more staff (52 percent of firms expecting an increase in employment) in the next 12 months, some 61% of respondents indicated that challenges exist around availability of skilled staff. Building of trust within the organisation through sharing of risk insights can be an underrated source of value-creation in the face of such challenges.

Taking a centralised approach to risk identification and management adds value through the transparency it delivers, highlighting existing and emergent risks affecting many business functions, whether in-house or through third-party outsourcing of services. Risk is an inherent part of doing business. A true cross-organisation horizontal perspective enables efficiencies in tackling common challenges as and when they emerge, and without a successful risk-management strategy delivering on the organisational goals and objectives becomes very difficult.

So, what are the priorities for the Internal Audit function in a post-pandemic world?

Many of the perennial issues are still priorities for both the public and private sectors. Ongoing considerations around outsourcing and third-party risk management remain as a key pain point for many organisations. Additionally, as evidenced by the IBR above, obstacles remain around organisational change and transformation, particularly as companies are rethinking their positions against the headwinds of dynamic and increasingly unpredictable market activity. Managing the risk profile of various levels of change and transformation is key during any change process.

Risks arising from technology are still increasing, whether from a cyber-security perspective or the increased requirements around data protection and compliance. Talent retention challenges too are some of the most contentious issues for organisations post-pandemic, with senior management no longer able to assume that having the right core staff with the right skillsets and experience as a given.

Alone, any one of these issues represents a threat to the operational resilience of a company or institution; in aggregate however, they present an ever-shifting network of interdependent hurdles requiring an integrated and clearly defined organisation-wide risk management approach. The Internal Audit function can lead the charge in identifying, embracing and managing both the existing and emerging risks faced by any organisation. In doing so, it is imperative that there is alignment, not just between overall strategy and risk appetite, but that this is clearly and effectively communicated across the entire organisation as a whole.

Having a transparent view of where the key risks lie for any company can assist in shaping organisational success. It would seem that Sun Tsu’s sage advice to leaders to “know thyself” is perhaps valid now more than ever.

Visit our IBR Hub to read the latest news and insights on what we’ve learnt following the most recent survey.