[Figure: matrix with panels labelled Risk foresight, Business collaboration, Traditional assurance and Proactive assurance. One axis: Individual risk areas (Emerging, Evolving, Static). Other axis: Maturity or pace of change within the internal business environment, including internal controls (Mature/static, Developing/changing, Immature/rapidly changing).]
An internal auditor at a consumer products company reads a publication about shifting consumer sentiment that could significantly impact sales related to one of its key products over the long term. The company has been producing this product for many years, and the business environment, including the internal control embedded in the processes across the value chain, is mature.
The internal auditor raises the concern with the appropriate business leaders, who decide to further assess the potential impacts, perform scenario analyses, and draft response plans for each scenario.
In this scenario, internal audit initiated change in a relatively static, mature environment that needed to get out in front of external change that could significantly impede the organization’s ability to grow.
A technology company is assessing the impacts of changes in the cybersecurity threat landscape in response to changes in the business and geopolitical environment and is in the process of making changes to key elements of its cybersecurity program.
As part of the risk assessment, internal audit has rated cybersecurity a top evolving risk and, with the support of subject matter resources from its co-sourced provider, plans to perform a tabletop exercise with the senior management team to help the company assess how well recent changes have increased management preparedness and to inform planned changes.
The exercise identifies a few areas for improvement that are then incorporated into the company’s cybersecurity program.
A life sciences organization is going through an ERP implementation, and as part of that implementation, processes are being redesigned.
In this scenario, internal audit would be well-positioned to support the business by providing management guidance related to risk, controls and security as part of the implementation or as part of a pre-implementation review, accelerating the assurance role earlier on to address risks before they materialize into business issues.