Internal audit tools and techniques are evolving rapidly, creating a lot of energy and excitement around transformation and innovation. In a recent Protiviti webinar on “next-generation” internal auditing, nearly 70 percent of participants indicated that they were undertaking such initiatives.
The objectives of these transformations — efficiency, adaptability, increased engagement and deeper, more valuable insights — are easy to understand. The mechanisms to implement such changes, however, vary across a number of elements. Each organization will need to develop its own vision of what next-generation internal audit will look like, but many have elements in common.
For purposes of discussion, we’ll group these common elements into three categories (see graphic below):
- Governance – including strategic vision, organizational structure, resource management and aligned assurance.
- Methodology – the “how” of transformation, including how internal audit functions go about executing their work. This is the focus of this post.
- Enabling technology – analytics, robotic process automation, process mining, machine learning and artificial intelligence are all technologies currently being implemented as part of transformation efforts.
All of these elements are interrelated — people, processes, data and technology. Changing individual components will yield a limited benefit. Recognizing the need for holistic change is key to accelerated and higher-value outcomes.
For example, process mining used as a new capability but as part of a traditional audit approach will not yield the full benefits of the technology. To maximize the benefit of new technologies, internal audit functions will need to redesign aspects of the audit activity while also ensuring audit team skill sets are evolving.
Skills and Collaboration Are Key
Any aspect of methodology change needs to consider technology solutions that can both enable and accelerate the change while also ensuring resource capability to deliver it.
Value to the organization can be further enhanced when internal audit’s transformation is not only strategically aligned but also coordinated and aligned with other organizational assurance functions.
Risk management in an organization is delivered across all lines of defense— the firstt line (business), the second line (risk management) and the third line (internal audit). Internal audit can assist in establishing coordination across the lines of defense, driving enhanced value through a consistent definition and description of risk, common taxonomies and rating scales, and reduced redundancy in work effort, among other benefits.
Similarly, on agile audit approaches, as organizations across industries adopt the more dynamic, agile methodologies pioneered in the technology sector, internal audit organizations are going to have to develop equally agile and dynamic ways to continuously monitor risk and provide assurance and insight without adding undue friction to the flow of operations. This doesn’t mean textbook adoption of agile methodology but rather finding more flexible, efficient, risk-focused ways of working.
Failing Forward Is Okay
Moving at this speed, mistakes are inevitable. Internal auditors are reticent to fail, but that needs to change. Innovation isn’t success after success. Auditors need to be comfortable being uncomfortable — trying out new things, failing forward and adjusting how they work, all with a goal of seeking to deliver on their mandate with greater efficiency and effectiveness, driving more valuable, actionable business insight.
Audit committees can help by asking: How can we identify the right areas of focus and accelerate the necessary transformation? Can we start to make those changes on a pilot basis within the organization and learn from the experience?
It sometimes helps to look for quick wins — initiatives that can move things along and deliver benefit and perhaps encourage additional investment and resources — without losing sight of the broader strategy.
Adaptability, the New Normal
To recap: Holistic transformation requires internal audit functions to look across the three themes of governance, methodology and enabling technology. They have to pick the areas within them that will progress the audit agenda the most in the context of not only the needs of the audit function, but also the business and stakeholder needs.
And finally, it is important to recognize that adaptability is the new normal. Transformation is not the end but rather the end of the beginning, as internal audit starts on a path of innovation and ongoing advancement. The technologies and methods that are new today are not going to be the same ones required to stay ahead of the risk curve five years from now.