Where is Internal Audit, into an increasingly technology-driven, innovation-oriented, risky, and disruptive future!
The world is entering the fourth industrial revolution and new technologies, digitalization, and artificial intelligence are dramatically changing the business landscape.
That means organisations are hurtling into an increasingly technology-driven, innovation-oriented, risky, and disruptive future. The question is now where is the internal audit? The answer is that, most of the time and despite ongoing efforts to meet stakeholders’ growing list of needs, it’s playing catch-up.
Until recently, the Internal Audit profession has not faced the need to innovate. Internal Audit 1.0 was born with the founding of the Institute of Internal Auditors (IIA) in 1941 while the Sarbanes Oxley Act of 2002 brought Internal Audit 2.0. Along the way, such developments as the COSO framework, improved capabilities such as IT internal audit and data analytics, and supplementary guidance have improved the profession following the global financial crisis.
However, as we approach the end of a decade of unsettling uncertainty, organisations face evolving strategic, reputational, operational, financial, regulatory, and cyber risks. There is also an urgent need for Internal Audit to innovate to the next level.
Internal Audit 3.0 is the next generation of Internal Audit, and is a function attuned to the challenges of emerging risks, technologies, innovation, and disruption as the organisation itself. Internal Audit must be a function fully able to assist in safeguarding processes and assets as management pursues new methods of creating and delivering value.
Based on Deloitte external quality assessments (EQAs) conducted for Internal Audit functions in a range of industries, in interviews with senior executives and audit committee chairs, and in numerous Deloitte research surveys with chief audit executives and heads of Internal Audit, the following constitute the triad of value that Internal Audit stakeholders now want and need.
• Assurance constitutes and remains the core role of Internal Audit. Yet the range of activities, issues, and risks to be assured should be far broader and more real-time than they have been in the past. Assurance on core processes and the truly greatest risks is essential but so is assurance around decision governance, the appropriateness of behaviors within the organisation, the effectiveness of the three lines of defense (LoD), and oversights of digital technologies. Assurance is central to Internal Audit’s role but must not be the limit.
• Advising management on control effectiveness, change initiatives, enhancements to risk management related to the three Lines of Defence and other matters – including business effectiveness and efficiency – falls well within Internal Audit’s role and stakeholders’ expectations. All sources confirm that a strong advisory role is key to maximising the value of Internal Audit.
• Anticipating risks and assisting the business in understanding risks, and in crafting preventative responses, transforms Internal Audit from being a predominantly backward-looking function that reports on what went wrong to a forward-looking function that prompts awareness of what could go wrong, and what to do about it, before it happens. Internal Audit becomes more proactive and, through its assurance and advisory roles, helps management intervene before risks materialise.
As the saying goes, “There are those who make things happen, those who watch things happen, and those who ask, ‘What happened?’” The stakes are too high, for both Internal Audit and the organisation, for Internal Audit to be in the latter group. Stakeholder needs have become clear enough for Internal Audit to engage in true transformation. With a vision – collaboratively developed, clearly articulated, and strongly supported – functions can upgrade to Internal Audit 3.0 providing stakeholders with its true worth. The future of Internal Audit has become clear, and the time to upgrade is now.
These key sources of opinion have clearly said that:
Assurance constitutes and remains the core role of
Internal Audit. Yet the range of activities, issues, and
risks to be assured should be far broader and more
real-time than they have been in the past. Assurance on
core processes and the truly greatest risks is essential
but so is assurance around decision governance, the
appropriateness of behaviors within the organization,
the effectiveness of the three lines of defense (LoD), and
oversight of digital technologies. Assurance is central to
Internal Audit’s role but must not be the limit.
Assurance constitutes and remains the core role of
Internal Audit. Yet the range of activities, issues, and
risks to be assured should be far broader and more
real-time than they have been in the past. Assurance on
core processes and the truly greatest risks is essential
but so is assurance around decision governance, the
appropriateness of behaviors within the organization,
the effectiveness of the three lines of defense (LoD), and
oversight of digital technologies. Assurance is central to
Internal Audit’s role but must not be the limit.
Advising management on control effectiveness,
change initiatives, enhancements to risk management
related to the three LoD and other matters – including
business effectiveness and efficiency – falls well within
Internal Audit’s role and stakeholders’ expectations.
All sources confirm that a strong advisory role is key to
maximizing the value of Internal Audit.
Anticipating risks and assisting the business in
understanding risks, and in crafting preventative
responses, transforms Internal Audit from being a
predominantly backward-looking function that reports
on what went wrong to a forward-looking function
that prompts awareness of what could go wrong, and
what to do about it, before it happens. Internal Audit
becomes more proactive and, through its assurance and
advisory roles, helps management intervene before risks
materialize.
change initiatives, enhancements to risk management
related to the three LoD and other matters – including
business effectiveness and efficiency – falls well within
Internal Audit’s role and stakeholders’ expectations.
All sources confirm that a strong advisory role is key to
maximizing the value of Internal Audit.
Anticipating risks and assisting the business in
understanding risks, and in crafting preventative
responses, transforms Internal Audit from being a
predominantly backward-looking function that reports
on what went wrong to a forward-looking function
that prompts awareness of what could go wrong, and
what to do about it, before it happens. Internal Audit
becomes more proactive and, through its assurance and
advisory roles, helps management intervene before risks
materialize.
Internal Audit planning aims to balance assurance
around two features – core processes and the truly
greatest risks to the organization. Internal auditors can
cover only so many processes per year and often default
to performing audits on a rotational basis in order to
find time to also provide assurance around the greatest
risks. Yet stakeholders need both types of assurance
– assurance that core financial and operational
processes in areas like procurement, payables, payroll,
and health and safety are working properly, and
confidence that the organization’s truly greatest risks
(e.g. cyber, digitalization, change management, etc.) are
appropriately managed – on a more continual basis.
Now, what if – using digital assets – core assurance
could be automated, significantly reducing the
resources needed to cover these traditional, core
processes on a more continual basis? Automated
core assurance harnesses analytics, robotic process
automation (RPA), and artificial intelligence (AI) to
monitor controls and flag non-conformance in real
time. Combine this with automated reporting, and
Internal Audit can communicate non-conformance to
the business so they can remediate immediately, rather
than only being able to check the controls every few
years under a rotational audit plan scenario.
around two features – core processes and the truly
greatest risks to the organization. Internal auditors can
cover only so many processes per year and often default
to performing audits on a rotational basis in order to
find time to also provide assurance around the greatest
risks. Yet stakeholders need both types of assurance
– assurance that core financial and operational
processes in areas like procurement, payables, payroll,
and health and safety are working properly, and
confidence that the organization’s truly greatest risks
(e.g. cyber, digitalization, change management, etc.) are
appropriately managed – on a more continual basis.
Now, what if – using digital assets – core assurance
could be automated, significantly reducing the
resources needed to cover these traditional, core
processes on a more continual basis? Automated
core assurance harnesses analytics, robotic process
automation (RPA), and artificial intelligence (AI) to
monitor controls and flag non-conformance in real
time. Combine this with automated reporting, and
Internal Audit can communicate non-conformance to
the business so they can remediate immediately, rather
than only being able to check the controls every few
years under a rotational audit plan scenario.
Assure
The core – but not the limit – of Internal Audit:
The core – but not the limit – of Internal Audit:
Advise
Maximizing value to stakeholders:
Maximizing value to stakeholders:
Anticipate
Delivering forward-looking insights:
Delivering forward-looking insights:
Courtesy:
deloitte:gx-internal-audit-3.0-the-future-of-internal-audit-is-now
No comments:
Post a Comment