Introduction
In today’s rapidly changing business environment, operational resilience has become a critical focus for organizations worldwide. The ability to withstand and recover from disruptions is not just a competitive advantage but a necessity. As a result, the role of internal audit is evolving to ensure that organizations are not only compliant but also resilient.
In January 2024, the Institute of Internal Auditors (IIA) unveiled its revised Global Internal Audit Standards, reflecting the global regulatory focus on operational resilience. At the core of these updated guidelines, a strong emphasis on leveraging technology to improve internal audits and risk management practices.
Embracing a tech-enabled approach well means doing three things: it’s about an organization’s overall responsiveness, agility, and effectiveness in identifying and mitigating potential threats.
Understanding Operational Resilience
Operational resilience refers to an organization’s ability to continue delivering critical operations through disruptions. These disruptions can range from cyber-attacks and natural disasters to supply chain failures and pandemics. The goal is to minimize the impact of these events and ensure a swift recovery.
The Traditional Role of Internal Audit
Traditionally, internal audit has focused on compliance, financial reporting, and risk management. Auditors would assess the effectiveness of internal controls, identify areas of improvement, and ensure that the organization adheres to regulatory requirements. While these functions remain essential, the scope of internal audit is expanding.
The Shift Towards Operational Resilience
- Proactive Risk Management: Internal auditors are now expected to take a proactive approach to risk management. This involves identifying potential threats before they materialize and assessing the organization’s preparedness to handle them. By doing so, internal audit can help build a more resilient organization.
- Integration with Business Continuity: Internal audit is increasingly integrated with business continuity planning. Auditors work closely with business continuity teams to ensure that plans are robust, regularly tested, and updated. This collaboration helps in identifying gaps and ensuring that the organization can respond effectively to disruptions.
- Focus on Cybersecurity: With the rise in cyber threats, internal audit plays a crucial role in assessing the organization’s cybersecurity posture. This includes evaluating the effectiveness of security controls, incident response plans, and employee awareness programs. By doing so, internal audit helps in mitigating the risk of cyber-attacks and ensuring a quick recovery.
- Regulatory Compliance: Regulatory frameworks such as the Digital Operational Resilience Act (DORA) in Europe emphasize the importance of operational resilience. Internal audit ensures that the organization complies with these regulations and is prepared for regulatory scrutiny.
- Use of Technology: The use of advanced technologies such as data analytics, artificial intelligence, and automation is transforming internal audit. These tools enable auditors to analyse large volumes of data, identify patterns, and provide deeper insights into the organization’s resilience capabilities.
A Snapshot of the Recent Operational Resilience Movement
The regulatory landscape surrounding operational resilience is rapidly evolving, with significant initiatives emerging across various regions.
- In Europe, the Digital Operational Resilience Act (DORA) establishes a new regulatory framework that mandates financial institutions to enhance their operational resilience by effectively managing ICT-related incidents.
- Similarly, the UK’s Financial Conduct Authority (FCA) introduced the Operational Resilience Act, aimed at ensuring firms can prevent, adapt to, respond to, recover from, and learn from operational disruptions.
- In the Asia-Pacific region, the Australian Prudential Regulation Authority (APRA) has introduced CPS 230, a comprehensive framework for APRA-regulated entities to identify, assess, manage, and report on operational risks.
- The Monetary Authority of Singapore (MAS) has also issued guidelines on Business Continuity Management (BCM), encouraging financial institutions to adopt principles to minimize disruptions to critical business services.
The Future of Internal Audit in Operational Resilience
As the business landscape continues to evolve, the role of internal audit will become even more critical. Organizations will rely on internal auditors to provide assurance that their resilience strategies are effective and that they can withstand future disruptions. This will require continuous learning, adaptation, and collaboration with other functions within the organization.
- Operational Resilience Priority:
- Operational resilience remains a key priority for internal audit. Firms need to demonstrate that their important business services can operate within their impact tolerance.
- Internal Audit should support and assure progress over the transition period, focusing on areas like service mapping, scenario testing, relationships with third parties, and embedding resilience outcomes post-2025.
- Assessment and Comparison:
- Internal audit should form its own view of risks that could impair operational resilience or cause disruptions.
- If management has completed a resilience maturity assessment, internal audit should compare those results to its own view of the current position.
Remember, the goal is to ensure robust operational resilience while aligning with regulatory expectations.
In conclusion, the evolving role of internal audit in operational resilience is a testament to the increasing importance of resilience in today’s world. Leveraging Technology is one of the key aspects to consider embracing this expanded role, internal auditors can help organizations navigate uncertainties and emerge stronger from disruptions.
Final Thoughts
As the regulatory focus on managing operational risks continues to grow, the internal audit function is becoming increasingly valuable. By adopting a proactive and strategic approach, internal auditors can mitigate risks and empower firms to transact with confidence and scale compliantly. This is the key to long-term organizational stability and longevity.
Please find the case study:
BUPA and SAI360: Boosting Audit Efficiency and Information Sharing in a Global Network
This article is based on a post published by SAI360, with additional insights and supporting materials provided by our team.