Next Generation Internal Auditing: Addressing Risk in the Midst of Rapid Change

Michael Tetro, Associate Director Internal Audit and Financial Advisory

At the  SIFMA Internal Audit Society Annual Conference earlier this month in Nashville, Protiviti sponsored a breakout session of future-minded internal auditors talking about innovation in the profession. The panel was moderated by my colleague, Protiviti Managing Director Michael Thor, and featured Michael Bidun, Executive Director in charge of internal audit innovation at Morgan Stanley; Arslan Khan, Head of Analytics at State Street Corp.; and Vincent R. Pinelli, Managing Director and Deputy Chief Audit Executive for the Americas at MUFG Union Bank, N.A.

The theme of the conference was addressing risk within the new reality of digitalization and rapid change. The panel discussion focused on four key questions and offered a forward-looking perspective of how cutting-edge technologies, data analytics and transformative audit approaches and methodologies will shape the next generation of internal audit. Here is a recap.

Why Should Internal Audit Innovate?

Internal audit functions cannot remain stagnant while the business around them is evolving. It is this simple. The risk landscape is changing, and with it, stakeholders’ expectations. Audit committees and executives are looking to internal audit to deliver dynamic risk coverage with more efficient and modern techniques. Cost is just one of the drivers. What stakeholders want is better risk coverage and a better value.

What Does Innovation Mean?

In a nutshell: innovation in internal audit means more technology, a shifting mindset and new skills.

Technology in internal audit most often means using analytics tools and automation. But technology can also be applied to communications — for example, using outside-the-box methodologies such as video packages for both stakeholder communication and auditor training.

Artificial intelligence, machine learning and simple robotic process automation (RPA) can effectively replace manual sample-based testing with continuous monitoring and real-time reporting — a dramatic improvement that comes with the added benefit of freeing up staff time for more strategic, analytic tasks.

But technology isn’t everything. To audit differently, organizations must take a holistic approach, examining all parts of the audit function, from governance and structure to methodologies and, most importantly, people and skill sets.

As examples of the above, Khan described how State Street reviews its audits to identify areas where repetitive manual tasks might be automated with bots. The organization is working on managing data centrally and providing analytics training and dashboards to help auditors produce more frequent and sophisticated data analysis to meet the demands of stakeholders.

Bidun shared that auditors at Morgan Stanley are encouraged to continuously prime the innovation process by posting suggestions for improvements on the wall of his office (a “low-tech” out-of-the box approach that provides auditors with an opportunity to be activists of innovation as opposed to reluctant participants).

And Pinelli, of MUFG Union Bank, described a new approach to communication and training, using videos to keep stakeholders informed and enlist their help in getting auditors to anticipate, rather than waiting to react to, emerging risks.

What Are the Challenges?

As Bidun observed, auditors don’t like risk — but innovation is inherently risky. So auditors must get comfortable being outside of their comfort zone — this is a mind shift the profession must embrace. There are going to be challenges to procedures and methodologies. Internal audit has to ask and honestly answer the question of what’s best for the enterprise, versus what’s most convenient and comfortable for internal audit.

Data itself can be a challenge. There are questions of access and data quality, new software tools to master, and whole new methodologies and approaches to monitoring, analytics and reporting that need to be adopted.

Finally, changes of such magnitude require executive support. The best way to obtain it is to be present at the table, both to ask questions and to clearly articulate challenges to executives and the board.

What Is the Desired Future State?

Auditors must ask themselves: What is our strategic vision? Do we want more dynamic risk assessments? Better audit department decisions? Better tools (machine learning and AI)?  How can we further accelerate the internal audit profession through adopting change in our governance, methodology and technology enablement processes?

Establishing clear goals, through collaboration with stakeholders and honest reflection on future needs, is critical to everything, from the assessment process to implementation and measuring success.

One final thought, as I reflect on what I saw and heard at the conference and my own experience in the field: I’d say, as a profession, we’re maybe a couple of years into this internal audit transformation/maturity cycle. I would estimate that efforts to innovate will be a continuous evolution before we reach maturity as a profession. The driver, in my opinion, is auditor skill set. There will be continued emphasis on rebranding the traditional auditor and embracing the more efficient innovative tools at our disposal.

Auditors just starting out today are entering the profession comfortable with data and analytics. Experienced auditors who started their careers with the traditional manual testing tend to be more comfortable with the skills they’ve honed over their entire careers. That doesn’t mean that auditors today should shrug off innovation — it just means we have to adjust our train of thought a little bit more than our “digitally-raised” colleagues.

As others have pointed out here on The Protiviti View, technology implementation and adoption is a people challenge more than a technical challenge. The more organizations can do from the outset to communicate, train, educate and acclimate their internal audit teams to the merits of their desired future state, the sooner they’ll be able to reap the rewards.


Listen to Barbi Goldstein, a Managing Director with Protiviti’s Internal Audit and Financial Advisory practice, share her impressions from the SIFMA IAS conference (recorded live).

1 comment