5 GRC and Internal Audit Trends to Watch For in 2019

Posted on 3rd May 2019

1. Internal Audit’s Role in GDPR Compliance

ARTICLE BY: Jody Paterson

You couldn’t talk about compliance in 2018 without mentioning the impact of the EU General Data Protection Regulation, or GDPR for short. Designed to give EU citizens more control over their personal data, the May 2018 regulation applies to not only every organization operating in the EU, but also organizations that market to or serve EU citizens. Virtually any business that targets prospects in the UK must adhere to GDPR, and if noncompliance of GDPR is discovered, companies could face steep penalties and reputation damage that can be even more disastrous should a data breach occur. Just recently, Google was the first tech company to suffer a massive fine of $57million for violating GDPR regulations in France.

In this post-GDPR world, internal auditors have an opportunity to take a role in continued GDPR compliance as it continues to evolve. Working with the CTO, DPO, or Chief Audit Executive, internal auditors can be the watchdogs of GDPR by testing the effectiveness of the measures in place and making recommendations if there are weaknesses or failures in the company’s GDPR compliance. With clear two-way communication between internal audit and the teams responsible for GDPR compliance, this approach can be the new standard going forward in 2019 and beyond.

2. Internal Audit’s Focus on Cybersecurity

2018 has been a breakthrough year for cybersecurity. While awareness and education on cybersecurity threats have grown, so has the number of headline-making breaches and attacks. In 2017, Accenture reported there was an average of 130 breaches per company, and in 2018 that number is expected to increase by 27 percent. Going into 2019, companies must be ready for large-scale attacks and breaches, not just from external threats, but from internal threats as well. I reported on Digital Guardian’s Data Insider blog that the biggest cybersecurity risk in 2019 will be internal threats. Unlike external attacks, internal attacks can go undetected for years as it’s difficult to distinguish who should have privileged access, not to mention that employees could easily cover up their actions.

Adding to the cybersecurity focus, the PCAOB, the organization that oversees the audits of public companies, reported in their Inspections Outlook for 2019that cybersecurity will be a key area of-focus for their inspection of audit firms’ reviews. They are looking to determine if “cyber risks and actual breaches pose risks of material misstatement to companies’ financial statements.” This increased scrutiny to cybersecurity measures also ties into the SEC’s findings of corporate phishing attacks, where employees of nine companies were tricked into sending large sums to bank accounts controlled by fraudsters. Over $100 million was wired to the criminals, most of which was not recovered. That’s even more reason to focus on the risk of cybersecurity attacks when implementing and testing access controls.
 
 3. Automation Impacting GRC

Automation has been another hot topic of 2018. From AI to bots, white-collar fields are getting their own industrial revolution with the onslaught of cutting-edge automation software, and GRC is no exception. By 2020, Gartner estimates that over 60 percent of organizations will utilize tools for Segregation of Duties (SoD) control monitoring, abandoning manual methods of SoD control monitoring. The PCAOB also reinforces the trend towards GRC automation in their Inspections Outlook for 2019. One key area of focus is software audit tools, citing that they will continue to monitor the use and development of an audit firm’s software audit tools.

While the thought of automating GRC processes sounds daunting, the thought of not using automation is downright frightening. With cybersecurity becoming a larger threat, plus steep regulatory fines and an increase in personal accountability for executive management and audit committees, the cost of not automating GRC is much higher. Overall, automation tools save time and resources, and in many cases create more accuracies than might be possible with humans alone, who are prone to errors.

It may be overwhelming to consider these trends and their impacts on the organization, but organizations that don’t adapt soon will inevitably face an uphill battle as old technology becomes outdated and new data regulations emerge. These trends serve not as a crystal ball into the future, but rather a guide on what’s making waves right now in the GRC and internal audit landscape. Armed with the awareness of them and best practices, you’re better prepared in updating and refining your organization’s internal audit and GRC functions in 2019.