If you happened to own an automobile sixty years ago, chances are it would have lacked many basic safety features, including seat belts and padded dashboards. Compare that with the latest self-driving cars that come equipped not only with passive protective features such as air bags and crumple zones, but also active safety systems like automatic emergency brakes and collision avoidance assistance.
Internal auditors are much like the safety systems of the modern enterprise. They help close gaps, anticipate issues, and mitigate risks so that organizations can perform better and faster. But are they evolving fast enough to keep up with the changes taking place around them?
This question bears consideration particularly at a time when organizations are being disrupted at an unprecedented pace: New digital technologies like the cloud and artificial intelligence (AI) are rewriting business models and operations. Regulatory pressures are constantly on the rise. The types and complexities of organizational risks are steadily increasing.
To stay relevant in this rapidly changing business landscape, internal audit must be able to innovate and reinvent itself. As Raven Catlin, Former CAE and Industry Expert in Internal Audit and Risk Management, pointed out at the MetricStream GRC Summit 2019, “We have to stop doing things the way we’ve always done them because that’s the way we’ve done them.”
With that in mind, here are some ways in which internal auditors’ roles and responsibilities are likely to evolve as they seek to add more value to their organizations:Download an Insight
55% of Chief Audit Executives are either already using an agile approach to internal auditing or are considering doing so.
With that in mind, here are some ways in which internal auditors’ roles and responsibilities are likely to evolve as they seek to add more value to their organizations:
Providing assurance around the effectiveness of processes and controls will continue to remain the core responsibility of internal audit. Yet the scope of that assurance and the way it is conducted will evolve.
Agile auditing is the new mantra as internal auditors seek to keep up with the pace of change in their organizations, while also aligning their audit program to key business objectives. Unlike a traditionally structured and linear audit model, agile auditing focuses on a collaborative, flexible, and iterative approach to audit planning, execution, and reporting.
The emphasis is on determining upfront the specific outcomes that need to be delivered, and then working towards that in short, targeted sprints. Frequent communication with stakeholders, along with regular pauses for reflection, allow the audit team to continuously identify and enable areas of improvement. The result is better efficiency and speed in auditing, as well as stronger alignment with stakeholder needs.
“If we can delegate repetitive tasks especially in the field of testing to machines and RPA, we can free up humans to focus on important decisions and cases.We can also improve the availability of information because machines can tirelessly and continuously test and audit instances.”
Technologies like robotic process automation (RPA), machine learning, and AI are changing the way audits are conducted. Repetitive control testing tasks that once took weeks to complete can now be performed much faster and in larger samples with RPA.
At the GRC Summit 2019, many of the attendees spoke about being able to conduct full population testing and continuous auditing with the help of automation and analytics. Not only were they able to spot areas of concern that they might have missed in a limited sample test, but they were also able to cut down on manual effort and spend more of their time on value-added activities such as advising stakeholders.
Meanwhile, the scope of internal audit is also changing. Today, organizations are looking for assurance not just around processes and controls, but also around emerging technologies, culture, conduct, and cyber. Increased automation will make it easier to meet these demands. However, it will also require internal audit to upgrade their knowledge and skills, so that they can ask the right questions, identify the real risks, and provide assurance on a broader range of issues.
Alignment with Other Lines of Defense
The future of internal audit lies not in policing the organization but in partnering with the business to catalyze performance and success— all this while maintaining a sufficient level of independence and objectivity.
Collaboration is key here. Instead of simply telling the business what to do, or pointing out what’s wrong, internal audit will need to explore new ways of assisting the business in improving its own risk awareness and assurance. That will involve taking the time to talk to the front lines, understanding their concerns and challenges, and then providing advice and recommendations to help them perform their duties as the first line of defense more effectively.
Partnership with the second line of defense will also become more important. Many internal audit functions today are working closely with risk and compliance functions to build common risk and control taxonomies, so that they are both speaking the same risk language when communicating with the management and board.
Other internal audit functions are using GRC platforms to link certain aspects of audit management with risk and compliance management. For instance, enterprise risk assessments are being integrated with audit planning in some instances to help auditors minimize data redundancies and duplication of effort. The results of these risk-based audits can also be used by the second line to understand critical areas of concern they might have missed in their own risk assessments.
76% of internal audit departments in Europe and 63% in North America use data analytics as part of their audit process. In fact, 79% of internal audit departments in Europe and 40% in North America have a dedicated data analytics function.
Focus on Data Integrity
With data becoming the lifeblood of the digital economy, internal auditors are being called upon to evaluate the effectiveness of data governance frameworks. Their role in this capacity lies in determining that there are sufficient checks and controls in place to ensure the accuracy, completeness, reliability, and consistency of data.
A typical data integrity audit uncovers gaps or potential issues that could result in data being breached or misused. It can also include a review of data access and management controls, as well as oversight and governance mechanisms.
As traditional assurance activities become more automated, the bulk of internal audit eﬀort will be spent less on control testing, and more on analyzing data to deliver the insights needed by the business. Internal audit is already well-positioned, by virtue of its birds-eye view of risks and processes across the enterprise, to join the dots that others don’t fully see, and to provide intelligence that drives the achievement of strategic objectives.
Traditionally retrospective audit analyses of risks and control issues will rapidly give way to forward-looking, predictive audit insights that enable organizations to anticipate control failures, and mitigate emerging risks before they snowball into bigger issues. The emphasis will be on “predicting to prevent". For instance, as organizations adopt new technologies like AI, internal audit will be needed to advise management on the potential ethical and reputational risks of these technologies, including the possibility that the underlying algorithms could be biased against certain classes, genders, or ethnicities.
“Anything we recommend must add value to the business. We also have to be mindful of the costs of the controls we’re suggesting.”
Cyber is another area where internal audit will continue to play a key role in providing intelligence based on evaluations of cyber governance frameworks, IT vendor risks and compliance, asset management, data breach responses, and security awareness. These insights will enable organizations to act on and prevent potential security risks, lapses, and issues in real time.
Technology will be integral to internal audit’s role in anticipating emerging risks and issues. Advanced analytics, visualization, and continuous control monitoring, combined with AI-based pattern recognition, will help internal audit provide advance warnings of potential risk incidents even before they occur.
Integration of Data Science
As internal audit looks to adopt new technologies while striving to meet the changing demands of stakeholders, new talent will need to be attracted, retained, and integrated into their teams. At the GRC Summit, Jacqueline Bukaluk, COO – Internal Audit & Credit Review, Royal Bank of Canada, pointed out that today’s internal audit function is no longer composed merely of traditional accountants and auditors, but also data scientists, process engineers, and others.
Meanwhile, Deloitte’s 2018 Global Chief Audit Executive survey found that over 40% of functions have either dedicated team members with strong analytics backgrounds, or dedicated data scientists/ equivalents. This kind of diversity will become increasingly essential for internal audit teams to deliver the value that organizations need in a digital economy.