Innovative internal audit groups have been actively adopting agile methods, with benefits that can be summed up in three words: better, faster, happier.

• Better—because audit results are more linked to business risks and relevant to stakeholder needs.
• Faster—because internal auditors work with stakeholders in a collaborative, focused, iterative manner to quickly identify what they need—and don’t need—to do.
• Happier—because they’re working as a team with autonomy to determine how to get the work done, and they’re allowed to focus on the task at hand.

Internal audit teams that experience agile almost never want to revert to traditional methods. But adapting agile methods to internal audit work presents predictable hurdles. Agile calls for no special technology, only a willingness to work in a different way. Adopting this internal audit future trend means not only learning new ways of working together but also unlearning what we’ve been practicing for years. This isn’t just a change within internal audit; stakeholders also need to come along on this journey.

Organizations’ responses to risk events and regulatory mandates have often resulted in assurance activities that can be characterized as narrowly focused, redundant, costly, intrusive to the business, and unrelated to drivers of value and performance. Integrated assurance aims not only to rationalize assurance activities and achieve efficiencies; it also aims to direct assurance activities to where they will create the most value for the organization.

Integrated assurance is designed to align assurance activities around the drivers of value in the organization and to create visibility into risks and the effectiveness of risk management while boosting efficiency. Despite its many benefits, integrated assurance often faces barriers to adoption. Chief among these are an organization’s tendency to misunderstand it, overestimate its complexity, underestimate its value, or cling to existing methods.

In general, we see five benefits of this internal audit trend that support integrated assurance:

• Better value for the investment in assurance
• Reduced burden on the organization
• More reliable business outcomes
• Improved coverage on enterprise risks
• Greater insights into business strategy and operations

Any of these constitutes a valid reason to consider moving toward integrated assurance.

Culture supports business strategy and must be actively understood and managed. Risks to culture occur when there’s misalignment between the organization’s values and leaders’ actions, employees’ behavior, or organizational systems. Culture has also become key to success and performance, as well as a source of legal and reputation risks. This internal audit trend shows how internal audit can help management and the board drive the right culture, which is essential amid today’s ongoing digitalization, intense media and regulatory scrutiny, and heightened oversight expectations.

Many companies have some processes for monitoring cultures, such as employee engagement by human resources, insider threat monitoring by security, and other second-line initiatives. But they also need an overall program for managing culture, based on a practical framework.

Internal audit can provide guidance on steps that management and the board can take, including setting the tone at the top, sending the right cultural messages, and aligning incentives with values. Internal audit can also provide assurance services by embedding an assessment of culture into all audit segments. Many auditors find culture to be a theoretical concept, as it is subjective by nature. Yet the risks are real and can be quantified, and efforts to do so work particularly well over time.

The European Union (EU)’s General Data Protection Regulation (GDPR) raises the bar for data privacy for any EU organization collecting or processing data on individuals or any non-EU organization doing business in this market. GDPR is a risk-based regulation that doesn’t prescribe how to protect customer data; rather, it sets expectations in terms of the data, based on its sensitivity and the potential risks.

Instead of a uniform response, the regulator seeks customized approaches that protect the types of data the organization processes, geared to the risks posed to the data. So, the GDPR program must be geared to the sensitivity of the data and the potential impact of risks on the individual and the organization.

GDPR-related audits should be incorporated into annual risk assessment and internal audit planning processes, as undertaken for other regulatory compliance assurance activities. Internal audit holds the responsibility to become educated on the privacy by design and mandated responses to data subjects of the regulation, or to leverage a third party with the required subject matter expertise in order to complete these audits. This internal audit future trend also applies to companies and internal auditors currently not affected by GDPR. They should consider it a wake-up call as we expect other jurisdictions around the world to consider and adopt similar legislation.

As the strategic importance, risks, and opportunities of cyber increases, internal audit needs to adapt if it is to continue to provide value to the organization. This entails a shift from IT and compliance-based approaches to a more risk-based approach to cyber. In this internal audit trend, most internal audit groups find covering all cyber issues challenging, mainly due to lack of resources and depth of skills.

Despite this, internal audit can’t ignore cyber risk due to its criticality. Responsibility for cybersecurity permeates all business units and functions, which means the related governance must span the organization and all three lines of defense must be involved—and their roles and responsibilities clarified.

Start with a cybersecurity governance assessment because governance sets the entire framework and tone for the cybersecurity program and for operationalizing cybersecurity. Then drill down into specific areas of concern to the organization, while considering tools and measures already in place to address specific risks. These areas might include data protection, identity and access management, cloud security, and risk monitoring. Develop an audit plan for the coming quarters and years based on the assessment and risk ranking of the domains and specify the scope of each audit. Assess the audit plan and scoping at least annually for continued relevance amid emerging issues.

Two powerful internal audit future trends are shaping the future of work: rapid adoption of automation and cognitive technologies, and the increasing use of alternative staffing models. These trends are raising questions as to who’s doing the work (on- or off-balance sheet talent) and where the work is being performed (on-site or remotely). Both trends present new risks for organizations to address and new opportunities for internal audit.

Internal audit must understand and review how the organization is engaging with all talent sources from policy, procedural, and physical workplace perspectives. Be prepared to alert management to the risks of mobile workers using their own or the organization’s devices as well as regulatory and tax issues—and provide assurance and advice accordingly. Maintaining a strong culture becomes more challenging with a dispersed workforce, so emphasize the need to define and manage culture. For example, culture assessments should perhaps include part-time employees and independent contractors. When developing the internal audit plan and specific audit programs, keep in mind areas with heightened risk in an extended workforce.

The traditional audit planning process is of limited value in assessing risks in today’s disruptive environment. Continuous risk monitoring, assessment, and tracking can help internal audit direct its resources to where they’re most needed—a valuable departure from rotational audit plans. This approach can change the dynamic with stakeholders, enabling internal audit to more effectively anticipate risks and advise management.

Functions ahead of the curve on this internal audit trend are moving toward real-time risk monitoring via technology-enabled risk sensing, analytics, and visualization tools. While internal audit shouldn’t absorb management’s risk identification responsibilities, the function should have the tools needed to form a view and alert the organization to emerging risks.

Use the output from second-line risk assessments to develop more dynamic audit plans and work with second-line functions on what is—and should be—monitored and why, as well as on forms of monitoring and how output is used. Internal audit can itself use risk sensing or output from second-line sensing and publicly available data to develop an outside-in view of risk. All these positions internal audit to advise the business on risks that may otherwise not even be known.

Leading internal audit groups are aiming to automate core assurance to the greatest extent possible. This is primarily because automation leads to higher levels of assurance as larger populations of transactions can be tested and controls can be continuously audited. Automated assurance also enables movement of assurance-related activities to the second line—to compliance, cybersecurity, risk management, and similar functions—or to the first line, where the risks should be managed and where people can act on the results. Internal audit would then adjust its procedures to provide the necessary independent assurance in these areas.

To adopt this internal audit future trend, consider creating cross-functional teams that can use pre-determined strategies to identify automation opportunities across the lines of defense. The quick wins are typically in core business processes (for both Sarbanes-Oxley Act controls and operational controls), such as accounts payable, travel and entertainment, payroll and general ledger, and in IT. Automating these “low-hanging fruit” activities can build confidence in key stakeholders who are instrumental in the broader deployment of automated solutions.

Having already established analytics programs encompassing data science, visualization, and predictive analytics, many internal audit groups have embraced the internal audit trend of advancing toward robotic process automation (RPA) and cognitive intelligence (CI) tools (collectively RPA&CI) to drive efficiency, expand capacity, boost quality, and extend audit coverage.

While fewer groups have applied machine learning and artificial intelligence (AI), all these disruptive technologies are winning acceptance as innovators and early adopters continue to prove their value throughout the internal audit lifecycle. Those finding the greatest success adopt a systematic approach that considers the operating model, infrastructure, and use cases across the audit lifecycle, and then develop and launch pilot projects.

First, develop a well-defined vision and strategy for automation. This begins with identifying where and how automation technologies can be embedded in internal audit activities and reasons for doing so. Second, build an infrastructure to support the deployment of automation capabilities. This will facilitate effective implementation, ongoing maintenance, and risk mitigation. Third, develop a target-state operating model to support and sustain automation. This model should be a natural extension of the existing operating model. But it’s also important to consider how automation will affect the interplay of people, processes, and technology and call for changes in each of those components.

Driven by the need to create value and drive efficiencies, organizations continue their rapid adoption of disruptive technologies, such as robotic process automation and cognitive intelligence. While adoption of this internal audit future trend, both in the business and in internal audit, is spreading fastest in financial services, innovative organizations across all industries are using, or at least considering these technologies. Internal audit must understand the risks of these technologies in the organization, advise management on those risks, and provide assurance that the risks are being adequately addressed.

Internal audit should balance its assure, advise, and anticipate responsibilities in this area. In providing assurance, get involved early as the organization adopts disruptive technologies and the second line of defense modernizes its approach to controls testing. This will help internal audit provide assurance that isn’t duplicative. Internal audit should focus on anticipating risks associated with these technologies by using data analytics and risk-sensing tools to proactively identify emerging risks and by running crisis simulations to reveal potential lapses in the organization’s ability to respond.