IIA training and events

Future-proofing internal audit

The concept of risk, internal control and corporate governance has developed gradually over time in conjunction with the internal audit profession which has existed for more than 70 years. The profession has arguably been subject to a greater pace of change over the last 25 years due to the rate of technological advancement.

Internal audit’s evolution has not strictly followed a linear progression as there have also been reactive leaps forward in response to market pressures, the changing risk landscape and corporate governance failures. Some notable examples over the last thirty years include Barings Bank, Enron, Tesco, Wells Fargo Bank and more recently with Carillion. Each such instance should be seen as an opportunity to learn. Although the root cause around these failures varies, it is debatable that more effective internal audit could have at least reduced the impact of such failures and ideally helped prevent them from occurring.

As the years advance, the rate of change accelerates but the internal audit profession’s need to respond to this change remains. For internal audit to remain relevant, it must respond effectively to the various challenges faced by organisations. Failing to evolve will erode the impact and value internal audit can bring.

Key challenge 1: the business environment
Key challenge 2: technology
Key challenge 3: regulation
Key challenge 4: approach, mind-sets and mainstreaming specialisms
Key questions for internal audit to consider
Why should organisations take action?
Summary

Key challenge 1: the business environment

Evolutionary success and the success of internal audit is dependent upon the ability to adapt to the environment in which it operates. From a business point of view, the challenge for internal audit is to adapt to changing environments and respond to the various challenges presented.

For instance, a common criticism of internal audit was around its role or lack of impact during the 2008 financial crisis. It transpired that internal audit had largely fulfilled its obligations to varying degrees across industries; however, in too many instances its impact upon organisations was limited. Therefore, it needs to be more effective, forward looking and dynamic.

Internal audit must take an anticipatory and strategic approach to evolve ahead of the wider organisation to ensure it can fulfil its purpose, stay relevant and deliver insight. The risk of not evolving will act as a barrier to achieving the ultimate objective of internal audit.

Such changes can result from internal or external forces and can be difficult to exert any level of influence over. However, if such changes can be anticipated, internal audit functions can structure themselves in such a way to survive, add value in a constantly evolving environment, helping organisations to adapt to handle the forever changing nature of risk and forging strong relationships to become a trusted advisor.

Key challenge 2: technology

It is important to acknowledge that technology is evolving more quickly than the human brain and subsequently quicker than the socio and economic systems designed by it. Therefore, the risk profile of organisations is becoming more complex and difficult to manage.

Internal audit must embrace and be responsive to change in order to adapt to a world which is becoming more technologically advanced whilst having complex political and geopolitical pressures and considerations to contend with.

The way we do things has a more complex set of pressures upon it and the response to these needs to be more sophisticated. Internal audit’s approach needs to reflect this higher degree of sophistication by increasing awareness and reliance on new technologies to improve the audit process. This includes developing data analysis capabilities, employing artificial intelligence and continuous monitoring approaches.

It is therefore essential that internal audit is progressive and adaptive to keep pace with the latest innovations whether this is from an approach, methodology, skillset or technological point of view. Ultimately, a key part of internal audit’s evolution is in its ability to anticipate, understand and incorporate technology.

The focus within most internal audit functions is on technology and how the function can leverage the various technological developments and tools available. For instance, internal audit has to consider the implications of big data and the structured and unstructured emerging tools and technologies around this such as cloud computing and data mining.

Many organisations create, generate and use ever increasing volumes of data that must be scaled by the audit process to deliver a comprehensive assessment and analysis of the data in the context of risk and control. It is the technologies of AI and data analysis that can be exploited by the smart internal audit function to identify areas of high risk. This can be a slow process and is often restricted by things such as budgets, competencies, organisational cultures, and strategy and legacy systems.

Key challenge 3: regulation

The regulatory landscape has also undergone a number of changes over the last few years across key industries. The evolving role of internal audit has meant that auditors needs to have a good understanding of regulation that directly and indirectly impacts upon the organisations in which they operate and covering multiple jurisdictions.

For instance, Solvency II has had a significant impact upon the Insurance industry and the subsequent audit plans along with the upcoming Insurance Distribution Directive. The Markets in Financial Instruments Directive (MiFID II), the Bribery Act 2010 and General Data Protection Regulation (GDPR) have also had a significant impact upon organisations.

Internal audit needs to evolve in tandem with changing regulatory pressures and considerations in order for it to fulfil its purpose and add value to the organisation. This is especially relevant given the inevitable changes to the political and regulatory landscape due to Brexit. Internal audit functions need to ensure that they are well placed to anticipate and interpret regulatory and legislative changes and understand the impact upon the wider risk profile.

Key challenge 4: approach, mind-sets and mainstreaming specialisms

Internal audit’s key skills will remain relevant as organisations evolve, however there is a need to complement our key skill sets with a more flexible and adaptive approach. It is therefore important that internal audit functions have the methodology and tools available to facilitate a more flexible and progressive approach.

The profession has not been viewed as particularly dynamic and has operated under rigid paradigms of thinking. However, there is a growing understanding of the need to attract a wider spectrum of professionals into the internal audit profession and functions to improve capabilities and broaden mind-sets. This is resulting in a greater number of internal audit teams supplementing their team’s skills and experience with expertise from other fields such as IT, statistics, computer programming and actuarial.

Whilst some organisations may increase internal audit budgets for others it will mean doing more with the same resources. This will require identifying more efficient ways of working, prioritising audit work, improving delivery of audits and use of subject matter experts, guest audit programme and co-sourcing.

As the overall experience within internal audit teams grows and evolve in line with the type of audit engagements and expectations, some of the skills, knowledge and experience now considered specialist will need to become mainstream to ensure the internal audit function can continue to fulfil its purpose. Skills assessments and gap analysis needs to be performed to identify future needs and how these will be accommodated either through training and development or recruitment efforts or a mix of these.

To ensure that the organisation appreciates that internal audit is evolving and to meet the changing business needs, internal audit needs to promote the fact that it is an innovative, forward looking, insightful, dynamic and value-adding team of ‘trusted’ advisors.

Key questions for internal audit to consider

As highlighted in Risk in Focus, hot topics for internal audit 2018, a report from European Institutes of Internal Auditors on evolving the audit function:

  • Has internal audit performed a gap analysis to assess where it may be lacking skills?
  • Does the head of internal audit understand what the organisation’s assurance requirements are today and are likely to be in the future, and is this consistent with the internal audit function’s collective skill set?
  • Has the internal audit function considered the net benefit of adopting data analytics tools?
  • If the function is co-sourcing/outsourcing to address any gaps do these ad-hoc resources deliver the right level of insight, expertise and assurance?
  • Has the function considered new and efficient approaches to working such as the Agile method?
  • Has the audit committee defined what it believes good internal audit looks like and does the internal audit function match up to that?
  • Has the internal audit function benchmarked its effectiveness with external quality assessments and does it live up to the IIA Core Principles?
  • Does the function have an adequate quality assurance and improvement programme in place to ensure it is advancing and evolving?

The 2019 Risk in Focus publication identifies digitalisation, automation and artificial intelligence: technology adoption risks, as detailed below, as one of the priority risk areas for 2019. Whilst covered from an organisational perspective also has a role to play in the evolving internal audit function.

  • What different technologies are being adopted? Is there a clear, documented rationale for doing so that is consistent with the organisation’s broader operational and strategic objectives?
  • Who is accountable for these projects and are they taking into account the potential risks that come with digitalisation?
  • To what extent will new technologies require updates and modifications to the control environment? Is the first line making these control changes?
  • Is there enough buy-in and sponsorship from middle management to give technology adoption the required momentum to be successful?
  • Is there resistance to digitalisation in the workforce and is it negatively impacting culture? If so, what steps can be taken to measure and remediate this?
  • Are automated processes being risk assessed for data quality, the accuracy of algorithms and outputs and is internal audit equipped to confirm that technologies are working as intended? If not, who is providing this independent assurance?

Why should organisations take action?

Internal audit functions along with organisations in general are under pressure to do more with fewer resources, therefore better utilising technology and developing a wider set of skills is a necessity if internal audit is to survive and continue to fulfil is vital purpose.

The challenge for organisations is to encourage internal audit to utilise the latest technology and tools whist broadening skillsets. This will ensure that developing a specialisms is the new norm and that each auditor has a number of specialist skills and knowledge areas. Some of these may need to be from more unconventional areas rather than the traditional accounting. Examples may consist of actuarial expertise, statistics, psychology or computer programming.

Organisations need to take action to ensure the relevance and effectiveness of internal audit as this will contribute to the success and survival of the wider organisation. However, expectations in the wider business must also be managed to ensure there is appropriate buy-in and understanding over how internal audit must develop to ensure its ongoing relevance.

Summary

The challenge for internal audit is to keep up with the latest developments as the potential exponential rate of computing capacity and machine learning poses significant risk and may actually require a change in paradigm from an internal audit perspective as requirements and possibilities evolve. Internal audit functions, and therefore internal auditors, must develop and enhance their capabilities over the following:

  • Technological, regulatory and commercial awareness;
  • Developing a more adaptive and progressive methodology;
  • Strategic mind-sets and deeper understanding of risk management;
  • Development of new and a wider set of specialisms and mainstreaming specialisms;
  • Utilising new tools and technology;
  • Integration of IT skills;
  • In depth knowledge and understanding of internal control environments.

While the traditional qualities and skills of internal auditors will continue to be valuable, these need to be developed further and enhanced through greater technological capability.

Therefore it can be said that the role and abilities of the traditional internal auditor may start to merge with the technical technological abilities of a computer programmer or data analyst. A key benefit will be the ability to assess and evaluate data to gain deeper and new insights. This would allow internal auditors to be better placed to provide a bridge between the human and technological elements of organisations.

As we move forward, and traditional internal audit becomes increasingly automated, the diverse perspective of technology and human factors gained by the traditional auditors will allow many to contribute valuable insight to the management as trusted business advisors. 

Further reading

Risk in Focus 2019

Download PDF
Content reviewed: 11 October 2019