Many auditors are asking themselves the same legitimate question: With so much happening, where do we start? Advancements in technology and data have been so rapid in recent years that long-standing organizations that failed to pay attention have been disrupted and displaced by so-called “born-digital” competitors. In the case of many organizations who met their fate at the hands of born-digital competitors, it was often a lack of activity – or, at least, a lack of the right activity, at the right pace – that allowed for the rise of the disruptors and led to the demise of the disrupted. It is not hyperbolic to suggest that digital risk is an existential risk for many organizations if ignored.
So, where does internal audit start? In response to a real gap in digital awareness, Protiviti created a digital maturity framework as a way for companies to better understand the core competencies required for digital performance, and also as a way to self-assess and benchmark their digital capabilities on a maturity scale.
The framework allows a company to evaluate itself across a customizable set of competencies, ultimately resulting in an evaluation of the digital maturity of the organization along the digital skeptic-to-digital leader continuum (skeptics have no formalized plans related to digital and innovation and are often managing in an ad hoc or reactive manner, whereas leaders are digital at the core and have a proven track record of disrupting business models). More important, the framework allows an organization to evaluate the capabilities and/or attributes that it needs to succeed, rather than just rate the initiatives in progress.
By adapting and using this framework, even internal auditors still working through the early stages of their own digital learning can drive productive and thought-provoking discussions with stakeholders related to digital capability, initiatives underway, and areas not being addressed. Internal audit functions are typically very good at evaluating activity (things a company is doing) and providing observations and recommendations, but not always as good at identifying things that a company is not doing that present significant risk. The framework helps highlight these areas of inactivity. Inactivity and a lack of innovation and transformation may not be a high-velocity risk, but the potential impacts can be catastrophic with a slow bleed rate over time.
Among internal auditors who have used this framework, many have identified areas for audit focus that were not identified through traditional risk assessment and audit planning activities. We have also seen internal auditors use this framework as a way to increase awareness of and focus on digital capability at the board level.
Internal auditors can use the framework in a variety of ways, including as a standalone assessment at the enterprise level (assessing the organization’s maturity for all relevant capabilities); as a focused assessment of a particular part of the organization (e.g., the organization’s technology capability); as a digital risk or audit universe; to support and enhance existing internal audit risk assessment activities, providing a digital lens through which to evaluate risks associated with activity and inactivity; and lastly, as a way for internal audit to evaluate aspects of its own digital and innovation maturity.
It’s time for internal auditors to move beyond the hesitancy of evaluating digital risk and equip themselves with the tools and knowledge necessary to help their organizations successfully navigate in a dynamic world full of both risk and opportunity. Boards and executives have been clear that risk of digital disruption ranks high on their top risks list. Internal auditors must respond. Using Protiviti’s digital maturity framework to evaluate their organizations’ digital maturity is a practical step they can take.
To read more on this topic, you can access the following content on KnowledgeLeader: