Skip to main content

Internal Audit Strategies

The business environment has changed in material ways and this demands innovation. Without applying new approaches, an Internal Audit function may not be well placed to cope with strategic and technological developments, unable to meet evolving stakeholder needs and ill-equipped to deal with emerging risks.

Our view of the change in IA focus from prior year to now:


As financial services firms move into an increasingly technology-driven, innovation-oriented and disruptive future, it is only right that we also ask what is the future of internal audit.

For the most part, despite ongoing efforts to meet stakeholders’ growing list of needs, the answer is: playing catch-up. A common theme in this publication across the past couple of years has been the need for Internal Audit to adopt new tools and techniques and to develop capabilities needed to effectively respond to today’s challenges. However, it is equally important for Internal Audit to develop a coherent vision for both the profession and the function. Such a vision is essential in order to drive needed changes and prioritise initiatives for the function and the firm as a whole.

Through consultation with Audit Committee chairs, Executives, Heads of Internal Audit and audit teams, we have developed a blueprint which aims to clarify the expectations of Internal Audit, codifying the most important components which is Internal Audit 3.0 (IA3.0).

IA3.0 is Deloitte’s view of the next generation of Internal Audit. It is intended to act as a guide, focusing a function so that it is attuned to the challenges of emerging risk, new technologies, innovation and disruption and able to fully assist in safeguarding processes and assets as management pursues new methods of creating and delivering value.

IA's role

IA3.0 embraces innovative approaches that helps keep the function ahead of developments. Innovation positions Internal Audit to anticipate and then respond effectively to stakeholder needs and equips the internal auditors to address emerging risks in a helpful and impactful manner. IA should consider:

•Readily adopting various methods and tools such as Scrum and Kanban to ‘do’ Agile Internal Audit. IA also need to create an environment in which Agile can thrive.

•Automating core processes, using a combination of analytics and robotics in order to provide ongoing assurance, may be expensive. Where possible, IA can consider leveraging existing automation projects within the business.

•The internal audit function of the future, which needs a vastly different set of skills and capabilities to those of yesterday.

•Communicating clearly with its stakeholders to ensure they understand planned changes.


A number of financial services firms are undertaking large-scale transformational change, in particular digital transformation. Transaction activity in the market is also prevalent, including through both traditional deal activity and Fintech acquisitions.

Strategic change creates uncertainty, complexity and creates or increases risk, for example:

•Risk that strategic objectives are not met/undefined as a result of poor decision making.

•Heightened operational risk due to process and personnel changes.

•Risk of cost overruns and non-delivery.

•Risk that normal change management protocols are circumvented.

Success or failure of strategic change can have significant operational, financial, reputational and regulatory impacts.
IA's role

IA can help a firm to achieve its objectives during the organisational change process by providing independent and objective assurance that risks are identified, assessed and managed. IA activity evaluates risk exposures relating to the firm’s governance, operations and information systems. Specifically, IA should consider:

•The viability of the organisational change and ability to deliver value.

•The ability of the programme to deliver to the agreed timeframes and outcomes, following compliant project management disciplines.

•Whether the programme appropriately manages and mitigates operational, regulatory and financial risk.

•Whether the programme provides a suitable solution for the needs of impacted stakeholders.

Did you find this useful?

Thanks for your feedback

If you would like to help improve further, please complete a 3-minute survey