Corporate Compliance Insights

The Opportunity for a New Breed of Entrepreneurial Auditor

by Dan Zitting
June 8, 2016
in Featured, Internal Audit
It’s time for a new approach to internal audit

In part one of this post, we discussed the obsolescence of the traditional internal auditor and the rise of databots that will systematically replace knowledge workers in the audit, compliance and risk management process. With that not-so-happy outlook, what might we do now?

The good news though is that enterprise data is complicated, and it is going to be an exceptionally fruitful environment for those with the skills to develop the “databot environment,” driving real efficiency and mountains of value into an organization’s bottom line. Thus… the salary split we’re already beginning to see. The opportunity is for a new breed of entrepreneurial auditor to take control and lead the charge to reinvent our largely broken approach to traditional internal auditing. It seems apparent that the mandate for innovation and forward progress in the audit, risk and compliance professions—without the massive over-complication usually surrounding the discussions of “big data”—should be effectively three-fold:

1. Get a clear view of what’s important based on organizational strategy.

In this stage it is time to do what I call “The GRC Grind.” The GRC Grind is the painful but imperative process of identifying what’s actually important to the business in terms of controls by deconstructing its top-level strategy into key goals/objectives, the enterprise-level risks that are likely to threaten the achievement of those goals, the process- and project-level control objectives that mitigate those enterprise risks, the process-level risks that threaten achievement of the control objectives and the actual controls that mitigate the process-level risks. This set of controls should define what is truly important to the business operationally. The last step of The GRC Grind, then, is to map the framework compliance requirements to those controls and to any “overhead controls” that are required for compliance reasons but not already captured. Once completed, this will create a complete picture of governance that will meaningfully push forward the organization’s assurance that it will achieve its performance goals.

2. Automate the “menial” audit work away.

With the clear picture of the broader business developed through The GRC Grind, there will undoubtedly be basic control testing and monitoring that needs to be done, core “must-monitor” compliance areas, basic risk rating and standard operational auditing that need to be done by location, process, entity, etc. All of this work presents an opportunity for automation through data. This is where traditional data mining and data analytics come into play. By building fully repeatable and sustainable data mining analytics that evaluate a risk/control/etc. on an ongoing basis and automating prescriptive communication and remediation processes for red flags, we are creating the “databots” that eliminate the need for traditional audit work, freeing up time and resources to uncover what are the really big stories going on in the business.

3. Help the organization look forward by uncovering the meaningful stories in the organization through its data.

Where the real future internal auditor will then spend the majority of their time is developing and sharing the perspectives on organizational risk and performance that look forward on the organization’s likelihood of achieving its objectives. The only way to truly do this is through data, using risk analytic techniques that are foundationally forward-looking in nature. The term “predictive analytics” is grossly overused and essentially useless, implying some sort of statistical algorithms that are magic in their ability to dictate what the future will look like. What is important is using analytics to weave a forward-looking picture… for example, by analyzing and correlating some basic data on product sales and customer usage patterns, we can relatively easily develop a story about our general ability to engage and retain a customer after their purchase to ensure success and advocacy. Similarly, by analyzing and correlating some basic data around systems access, it is relatively easy to create a forward-looking picture of where in the organization cybersecurity vulnerability may exist.

Lessons from the field… start small and evolve, but ACTUALLY start!

Embracing the shift to “data-driven” is certainly the first step; however, it’s step 2—actually doing something—that really matters. Eighty percent of the failure I see in building data programs in internal audit is just because they never get started. Organizations tend to spend an inordinate amount of time worried about what tool to buy, how to get the budget for “training,” tip-toeing around conflict with IT over getting access to data, etc., none of which actually relates to the objectives, risks and controls we want to analyze.

I recently did a session at the 2016 IIA GAM conference in Dallas with Laura Biland, who leads up the data analytics efforts (among other roles) in the internal audit team at Texas Instruments, the Fortune 200 semiconductor manufacturer. What I like about Laura and her program at TI is that they have systematically developed their capabilities and innovated around how they look at audit through data since starting in 2008. While they have had all the typical struggles… access to data, auditor skill sets, etc., they’ve continually pushed through so that they’re now in a position to really transform how they look at audit across TI. The timeline of their experience she shared at the conference looks like the following:

[Figure: timeline of the Texas Instruments internal audit data analytics program]

The punchline here is that they have been on a more-than-eight-year journey now, but by taking it one step at a time with even very limited resources dedicated specifically to data analytics, they are now in a place where a good chunk of mundane audit work (coverage of approximately 200 risk/control points) is completely automated and systematically looked after on a continuous basis. They are now moving into scoping out all audits with data analysis so no time is wasted in areas of minimal risk, and ultimately into more forward-looking analysis to assess risk across the enterprise. They are well ahead of most companies in transforming internal audit because they simply got started, made time, got small successes, built on the learning gained and iterated until they had a sustainable program in place. This agile approach to transformation through data is what I see bringing (unfortunately currently few) internal audit shops back to the strategic advisor table in the new data-centric world of digital business.


Dan Zitting

Dan Zitting serves as Chief Product & Strategy Officer at Galvanize, the leading provider of SaaS solutions for enterprise governance, risk management and compliance (GRC) globally. Recognized by both Forrester and Gartner as the category leader, more than 6,000 of the largest enterprises and governments in over 130 countries globally use our HighBond platform to run their organization better. His role includes executive leadership of the company's strategy, products, underlying technology and customer service/success. Dan has been recognized with multiple prestigious awards, including CPA Practice Advisor Magazine's Forty under 40, ColoradoBiz Magazine 25 Most Influential Young Professionals, IIA Emerging Leaders, BCTIA Team of the Year, GRC 20/20 Technology Innovation and Business in Vancouver Forty under 40. Prior to Galvanize, Dan spent 10 years in professional services, including four years with the Technology & Security Risk Services practice at Ernst & Young. Following E&Y, he co-founded advisory firm Linford & Company LLP, a provider of GRC consulting services that grew to serve clients across North America, Europe and Asia. While building his firm, Dan developed a software platform for use by clients, which ultimately led him to leave to found Workpapers.com, the first truly cloud-based audit and compliance management system in the market. Under Dan's leadership, Workpapers.com found strong success and was ultimately acquired by Galvanize in 2011, combining the power of cloud collaboration and "big data" analytics under one market-leading brand.
