Progress often moves in fits and starts, and that, apparently, is the case with next-generation internal auditing (IA), according to Protiviti’s 2020 Internal Audit Capabilities and Needs Survey, published earlier this month.
The survey was conducted in the last quarter of 2019, before the COVID-19 pandemic disrupted businesses and their well-laid audit plans. There is no doubt that the pandemic has highlighted the need for CAEs and their departments to act with agility, be more current, look deeper and anticipate risks earlier. The next-gen audit skills and knowledge on which we polled our survey participants, and which is summarized below, can help internal auditors meet this newly highlighted expectation.
Next-Gen Skill Development Has Slowed Down
The strong movement toward cutting-edge approaches in internal audit that was evident in the 2019 survey has waned in the past year, according to the responses of 775 internal audit professionals across industries and geographies. Respondents graded their firm’s next-generation competencies no better than middling scores.
In the area of governance, for example, the highest average score was 3.3 (out of a top mark of 5.0) for the next-gen category of IA strategic vision. In the area of technology, the scoring was even lower, with none of the capabilities averaging above 2.6, including advanced analytics. They scored the combined category of machine learning (ML) and artificial intelligence (AI) even lower, giving it an average mark of 2.0.
If these findings alone don’t serve as a wake-up call for chief audit executives (CAEs), the unusual situation in which organizations find themselves today and in the foreseeable future will. Traditional ways of performing audit activities have been upended in the remote working environment, and static audit plans can no longer meet stakeholders’ expectations. CAEs would be well-advised to rank next-gen capabilities as a high priority. In addition to being fit for the dynamic environment of today, they can also serve as a magnet that draws top performers to internal audit departments. Conversely, the lack of such competencies might lead to career-minded auditors gravitating toward more leading-edge departments or companies.
Despite the apparent backsliding in next-gen progress, a couple of bright spots do emerge in the 2020 report. One is that cutting-edge practices continue to be top-of-mind among internal auditors. Most, if not all, of the categories listed as important in the report were not considered essential in the early years of our annual survey, which dates back more than ten years – but they are today.
Key Findings in the 2020 Report
- Next-gen competencies need to be prioritized, especially those of enabling technologies. Digital transformation is the name of the game in this business era, as many have learned the hard way, so as firms and departments within firms adapt to ML, AI and other capabilities, internal audit will be expected to keep pace.
- Fewer IA groups are undertaking innovations or transformations. Although IA departments are progressing along the digital maturity curve, they risk falling behind other departments if they don’t take action.
- The expectations of audit committees are rising. Audit committees want to see more coverage of risks and deeper audit reviews, which can best be accomplished through next-gen competencies.
- Top audit priorities include cyber threats, enterprise risk management (ERM), fraud and third-party risk. Next-gen competency is key for addressing these concerns effectively.
Next-Gen Competency Areas
Becoming a “next-gen audit function” overnight sounds daunting. But if we examine the three next-gen competency areas – governance, methodology and enabling technology – progress seems more attainable, driving value through each new competency.
IA departments have made more progress in implementing advanced governance competencies than in the other two broad areas, but even here the capabilities remain low compared to traditional audit functions. Aligned assurance, for example, rated a score of only 2.8 out of 5.0, even though IA professionals ranked it the top governance skill that their departments need to improve on.
As the term implies, aligned assurance works to make sure that all key functions are focused on the most important risks to the company overall. These functions include internal audit, compliance and risk management.
In the area of methodology, respondents to our survey ranked agile audit as the foremost capability where improvement was needed. Unlike the more familiar language of risk management, agile methodology is discussed in specific terminology borrowed from software development that in many cases can seem intimidating at first but becomes less so once an organization understands the concepts behind the terms. Agile auditing consists of working collaboratively with stakeholders from beginning to end, allowing the departments being audited to give continuous feedback and shaping the nature of the audit in real time.
Such interactivity allows the internal audit function to focus on stakeholder needs, accelerate audit cycles, drive timely insights, reduce wasted effort and generate less documentation. In an agile audit, internal auditors and stakeholders are able to determine upfront the value deliverables.
In the area of enabling technology, the survey respondents cited robotic process automation (RPA) as the most important capability needing improvement. As with other technologies, such as comprehensive data analytics and machine learning, it provides a big opportunity for internal audit departments to take a huge step forward in assessing entire populations.
Although RPA functions are often based outside the auditing department as a shared function, they can still provide game-changing results. For example, an auditor may have the task of verifying every quarter that all individuals who have access to a sensitive accounting platform are authorized. Practically speaking, a quarter is a huge gap in time in which the wrong person can hack into the system. However, with RPA capabilities, a robot can perform a daily check. In many cases, robotics developed for internal audit use can be adopted and refined by the business to perform first-line control activities.
Getting a Jump on Next-Gen Capabilities
Despite the fairly low scores CAEs gave themselves, interest in next-generation capabilities was high just before the pandemic; and if we were to conduct our survey today, I am sure there will be an even greater urgency to adopt the methodology and enabling technologies to support a “new normal” work environment. In a recent webinar we conducted, nearly one-third of organizations said only their most essential workers have returned to the office so far, and they expect that up to half of their workforce will remain remote permanently. If half the workforce is remote, internal audit will have no choice but to adapt to that situation. Process mining and data analytics have become essential tools, and remote work environments and reduced headcount have accelerated the need to increase reliance on technology.
It’s not enough to simply task one or two audit team members with studying these new tools, reporting back, and then adopting a few new changes to traditional methods. For next-gen progress to be sustainable, everyone in the internal audit function should be informed on the value of these new competencies and continually trained on their uses and implementations. Internal audit professionals have an opportunity to be leaders in driving change and addressing challenges, as well as attracting the most ambitious and talented workers on their teams. It is an opportunity that should not be lost.