Skip to main content

A new era of IA: Paving the way for meaningful impact in 2024

Managing risks and emerging stronger amid uncertainty

Internal audit (IA) has a critical role to play in helping organizations strengthen and maintain resilience and agility—by providing objective advice and assurance, anticipating risk, and helping management to accelerate improvement in the governance, risks, and controls landscape. Here’s our view on the major risks organizations face today and the strategies internal audit functions can employ to effectively address these risks by providing necessary assurance and insights.

Prioritizing key risks: Insights from the IA 4.0 Framework

In today's business environment, the internal audit function must keep pace with the hastening speed, volume, and complexity of risk. Against a volatile geo-political backdrop, organizations are navigating risks posed by environmental, social, and governance (ESG) regulations, emerging technologies such as Generative AI (GenAI), and the future of work.

Our recently updated Internal Audit 4.0 framework offers three new features that we believe can greatly enhance internal audit’s impact and value for your organization. By aligning internal audit outcomes with the organization’s purpose, accelerating organizational change and learning, and fully embracing digital technologies, internal audit leaders can stay ahead of the curve and continue to evolve the function to meet stakeholder needs. But, without a deep understanding of the risks that matter, functional improvement alone cannot maximize the impact that an internal audit function can make. We are pleased to present our perspective on the most significant risks facing organizations today and what strategies internal audit functions should adopt to provide the assurance and insights needed to address these risks effectively.

Eight ways to a promising year: Perils and possibilities for IA

By connecting its own raison d'être with the broader organization’s purpose, internal audit has an opportunity to maximize its impact.

If the internal audit function fails to articulate its purpose or value to the broader organization clearly, lacks employee engagement, follows the same working practices that everybody else uses, and stays stuck on the status quo, it risks losing the opportunity to deliver new revenue streams, grow faster, and enhance its ability to attract and retain talent.

Internal audit has a largely untapped opportunity to accelerate engagement around purpose. By aligning its role and remit with the organization’s purpose, internal audit can maximize its impact by working in a more intentional way to support specific, purpose-driven organizational outcomes; attracting top talent who, research has shown, would prefer to work for purpose-driven organizations and teams; and ensuring innovation efforts are purpose-driven.

As more and more businesses go bust on trust, internal audit is a natural fit for building it back and accelerating a strategic trust agenda.

Today's stakeholders expect organizations to do the right things and do them well. These expectations run the gamut, from safeguarding customers’ private data to taking a strong stance on ESG issues; and from providing safe working conditions to being transparent about vulnerabilities and risks. Meeting these stakeholder expectations consistently—by displaying capability, reliability, transparency, and humanity—engenders trust. Failing to meet them poses risks to the organization. Like any other performance-related attribute, trust indicators need to be monitored for gaps, analyzed for risks and opportunities, and ultimately assured. Considering these factors, along with its broad enterprise view, internal audit is a natural fit for advising on trust and accelerating a trust agenda.

Created by design, not by accident, resilience is the outcome of multiple risk-and-control disciplines done well and in coordination with each other.

While great cost-efficiencies can potentially be gained, management should consider if a centralized strategy eliminates diversity and redundancy that might be useful, inadvertently creating a major point of potential failure. The COVID-19 pandemic exposed the downside of costing out diversity and redundancy in the relentless pursuit of efficiency. After experiencing critical supply shortages, resilience was suddenly on the tip of everyone’s tongues and at the top of many priority lists. Unlike business continuity, disaster recovery, or information security, resilience is not a risk-and-control discipline; it is an outcome of executing risk-and-control disciplines well and in concert with one another. Resilience requires alignment of language, definitions, and goals. Internal audit functions can help organizations shift gears.

Is the disruptive potential of GenAI the real deal or a deep fake? Internal audit can help companies decide.

Mature disruptive technologies, such as cloud applications and infrastructure, are becoming increasingly sophisticated—often by embedding generative AI (GenAI) and machine learning (ML) into their solutions—even as companies seek to cost-optimize their cloud portfolios and align them with enterprise strategy. Such developments also point to the potential for elevated risks.

Internal audit has a key role to play in creating and protecting value by assuring, advising, anticipating, and accelerating the organization’s ability to both manage the related risks and take advantage of the opportunities posed by disruptive technologies. For instance, internal audit can help the board and management understand which GenAI and other disruptive technologies are leveraged in the organization and what risks they present. The challenge for auditors will be how to keep pace with the shifting risk landscape to deliver insightful assurance and valuable advice.

Do not bend over backward. Get a spine.

Many internal audit functions have started their digital journeys by leveraging analytics capabilities. Yet, most still use these digital tools in a limited way, such as for inquiries or data sampling. To date, few functions view digital broadly enough to systematically move toward building a digital backbone—a spine capable of automating processes and driving efficiencies and insights across the entire audit life cycle.

Disparate platforms used for risk assessment, planning, audit execution, issue remediation, and continuous monitoring can indicate the lack of a formal architecture for building a digital backbone. Therefore, now is the time to get on the road to seamless connectivity by ensuring that the technologies you are acquiring fit together. Only through an intentional approach to embracing digital will you be able to architect an integrated platform capable of carrying your internal audit function forward into a real-time, continuous future.

Beyond assurance, controls modernization gives internal audit an opportunity to catalyze and advise.

When it comes to controls modernization, internal audit typically provides assurance retroactively after the controls have been designed, implemented, and tested, and in some cases, found to be ineffective or inefficient. While internal audit has an obvious duty to remain independent, this does not preclude advising management on how to achieve the shared ambition of the organization, which is making sure the end-to-end control program is understood, owned, and operated in an efficient and sustainable manner. Manual maneuvering and user dissatisfaction are some of the warning signs. For internal audit or the organization at large, for that matter, there is no success in reactively producing a hefty report calling out dozens of deficiencies.

Modernizing the control environment and achieving greater levels of efficiency and effectiveness requires both greater automation and a recognition by the organization that internal audit can advise management and anticipate risks, in addition to providing traditional assurance.

We encourage you to review our report as you plan for the year ahead. Deloitte has a wealth of experience in the areas covered, and together, we look forward to helping your organization manage these risks effectively and emerge stronger and more resilient in the face of uncertainty.

Did you find this useful?

Thanks for your feedback