As organizations hurtle toward an increasingly technology-driven, innovation-oriented, risky, and disruptive future, where is Internal Audit? Very often, despite ongoing efforts to meet stakeholders’ growing list of needs, the answer is playing catch-up.
Until recently, the Internal Audit profession had not faced the need to innovate, let alone reinvent itself. Now, as we approach the end of a decade of uncertainty, organizations face evolving strategic, reputational, operational, financial, regulatory, and cyber risks. The world is entering the fourth industrial revolution where new technologies, digitalization, robotics, and artificial intelligence are dramatically changing the business landscape.
Through consultation with audit committee chairs, executives, chief audit executives and business leaders, we have developed a blueprint that aims to clarify the expectations of Internal Audit and the enablers required to meet them, codifying the most important elements. We call it Internal Audit 3.0, the next generation of Internal Audit.
This publication introduces our point of view on Internal Audit 3.0 and outlines selected aspects of the 3.0 blueprint, depicted below.
These three – assure, advise, and anticipate – constitute the triad of value that Internal Audit stakeholders now want and need.
Assurance remains the core role of Internal Audit. Yet the range of activities, issues, and risks to be assured should be far broader and more real-time than they have been in the past. Equally, while assurance is central to Internal Audit’s role, it must not be the limit. Internal Audit 3.0 outlines how functions can meet growing stakeholder demands through innovation and technology enablement.
Advising management on control effectiveness, change initiatives, enhancements to risk management and the design of assurance mechanisms falls well within Internal Audit’s role and stakeholder expectations. In our experience, too many internal auditors use “independence” as a crutch, as an excuse to stay in their lane and avoid offering insights and opinions when most stakeholders have said this is what they truly want. This can relegate the function to reporting on the past, which is not the wave of the future. Under Internal Audit 3.0, functions can respect independence while advising the business through promoting objectivity, integrity and professionalism.
Anticipating risks and assisting the business in understanding risks, and in crafting preventative responses, transforms Internal Audit from being a predominantly backward-looking function that reports on what went wrong to a forward-looking function that prompts awareness of what could go wrong, and what to do about it, before it happens. Internal Audit 3.0 introduces risk sensing and risk learning to Internal Audit’s role, helping the function keep pace with and get ahead of emerging risks.
Robotics, artificial intelligence, and visualization tools have already begun to transform Internal Audit work, and are about to revolutionize it.
Thinking that the same people operating in the same way with the same resources can deliver the value stakeholders need now, let alone going forward, amounts to a failure of imagination. Internal Audit functions need new skills and capabilities to improve their interface with stakeholders and change traditional thinking, approaches and mind-sets.
Enablers such as automated core assurance, Agile Internal Audit and new ways to deliver impactful reporting are helping Internal Audit functions to deliver new value, and improving the impact and influence of Internal Audit.
Peter Astley
Global and EMEA Internal Audit Leader
pastley@deloitte.co.uk
Porus Doctor
Asia Pacific Internal Audit Leader
podoctor@deloitte.com
Kris Wentzel
Americas Internal Audit Leader
kwentzel@deloitte.ca
Sarah Adams
Global IT Internal Audit
saradams@deloitte.com
Neil White
Global Internal Audit Analytics Leader
nwhite@deloitte.com
David Tiernan
UK Internal Audit Innovation Lead
datiernan@deloitte.co.uk