Audit committees and boards of directors are looking for deeper insights into the companies they govern. This need matches The Institute of Internal Auditors’ vision of internal auditing and is aligned with the next-generation capabilities of what we at Protiviti have been calling the “future auditor.” This opportunity is fleeting, however, and if audit leaders don’t act quickly to capitalise on it, boards will fill that need elsewhere.
Disrupt, or be disrupted. That is the challenge facing chief audit executives. Many have already begun the transformation journey: According to Protiviti’s 2020 Internal Audit Capabilities and Needs Survey, 6 out of 10 internal audit organisations are undertaking digital transformation initiatives – but that’s a decrease from 2019. What’s more, self-reported competencies in the three fundamental areas of governance, methodologies and enabling technologies remain remarkably low – and that was prior to the disruption caused by the global pandemic.
Digital transformation and the adoption of next-generation best practices, including advanced analytics for reporting and robotic process automation (RPA) for the control environment, need to be a priority for every internal audit organisation if they want to remain relevant.
With RPA, for example, data analysis previously performed on a sample basis once a year could be done continuously, in real time and on a complete data population, enabling better decision-making and reducing reaction time. Process mining is used to examine organisational processes, expose risks and improve effectiveness. And data analytics allows auditors to shine light on every corner of their organisation at any time, before they even conduct any interviews with the business.
Read how leading organisations have embraced the digital imperative in Internal Auditing Around the World, Volume XVI.
There are some in the profession who might argue that the digital imperative is too radical. Some have suggested that all this talk of new tools and technologies is encouraging people to chase the latest shiny object. But ignoring these changes isn’t going to make them go away. If internal audit leaders don’t adapt to help the board of directors do their job better by providing a faster, more complete and more accurate view into the risks that are buffeting organisations today, other organisational functions will fill this void.
Efficiency, adaptability, increased engagement and deeper, more valuable insights are the hallmarks of next-generation capabilities that every internal audit function should be striving for. Those capabilities – governance, methodology and enabling technology – are essential to changing the backward-looking, change-averse culture and conventional thinking of traditional internal auditing.
Internal audit leaders need to become champions of change, communicating their digital vision and strategy to everyone from top to bottom in the audit department, and to key company stakeholders. They need to conduct competency assessments and establish training regimens to expand and advance current capabilities. And they need to improve talent management to emphasise fresh perspectives. This might include an internal audit rotation for rising stars in other parts of the company, and a shift in hiring practices away from traditional finance and accounting types to data scientists and other critical thinkers.
Internal audit leaders need to become more involved in the company-wide adoption of technology for two reasons: firstly, to ensure that proper controls are being considered and implemented, and secondly, to provide internal audit with a better understanding of technologies being deployed throughout the business that could be effectively leveraged for internal audit purposes. These best practices, and others, are outlined in Volume 7, Issue 6 of The Bulletin, Protiviti’s review of corporate governance.
At present, too many internal audit teams are not adequately prepared to commit to difficult but necessary transformation. Audit executives need to take action today. They need to adapt to the current dynamic risk environment and embrace the new tools and enabling technologies that will take their organisations to the next level. There really is no turning back.