Following a year of extraordinary challenges, «Digital Leaders» are standing out with the use of next-generation internal audit practices. (image 1)
These difficult times have created new challenges and demands for the Internal Audit functions, as well as opportunities to engage and support the business in new, innovative ways. These developments underscore the need for internal audit functions to adopt next-generation internal audit practices to be more agile and technology enabled, to have the required skillsets in alignment with these practices, and to achieve a real-time level of engagement with risk management, data and controls.
Furthermore, Businesses are changing as they embrace the innovation economy. Well-documented advances in new technologies and the drive for innovation and digital transformation are upending industries and increasingly are challenging internal audit functions to remain relevant.
Change is being driven by advances in technology and the use of data, as well as the broader economy in which knowledge, entrepreneurship, innovation, technology, and collaboration are fuelling growth. Innovation changes the business model and, as a result, the organization’s risks. Internal audit not only must respond to these changes, but also must be prepared to assess if the business is undertaking its innovation and transformation initiatives in the best possible manner. In order to accomplish this, internal audit must innovate itself.
The journey starts with Commitment, Culture and Agile Mindset
To get started on the journey to the next-generation, internal audit functions need a clear roadmap. But the very first step, in our view, is establishing the mindset and commitment to:
- Transform the internal audit group’s governance, methodologies and enabling technology capabilities needed to address emerging business risks.
- Increase internal audit’s effectiveness and efficiency while fulfilling the function’s core mission to protect organizational value.
- Start thinking differently.
- Reassess the design and capabilities of internal audit, striving to become an agile next-generation internal audit function that embraces the benefits of technology and transformation.
Internal audit groups should approach this objective in an agile manner. Identify areas where change is needed, assign resources and make ongoing incremental improvements. Above all, be flexible and maintain a mindset of, «How can we be agile, innovative and do this better?» Look to take small steps but focus on taking those steps quickly and immediately. The «assess-design-implement-reassess» approach has become dated. Rather, adopt a more iterative approach and be flexible to make continual changes as the business evolves and new innovative approaches emerge.
The specific design of next-generation governance, methodology and enabling technology elements varies according to an organization’s unique risk environment and business objectives. On the other hand, there are common considerations and actions that have proven valuable in the growing number of internal audit transformation efforts underway.
Transformational components
The objectives of next-generation internal audit functions may be straightforward, but the means by which they achieve these objectives include a range of innovative approaches, tools and governance enablers, including a culture of innovation, that must be tailored to specific organizations and their needs.
In our view, there are three essential objectives of next-generation internal audit groups:
- Improve assurance by increasing the focus on key risks
- Make internal audit more efficient
- Provide deeper and more valuable insights from internal audit’s activities and processes
The specific governance structures, methodologies and enabling technologies that next-generation internal audit groups introduce vary.
Use of Enabling technologies in the Audit Process (image 2)
For more than a decade, most internal audit functions have posted sluggish improvements in their use of advanced auditing technology. However, extensive reliance on automation, data analysis and a variety of advanced technology applications is a defining feature of next-generation internal audit functions. Common technology activities and tools implemented in next-generation transformations include:
- Advanced data analytics – Leveraging data within the organization to assess risk enables the internal audit group to execute work more effectively (full samples, data-driven flowcharting, risk thresholds, etc.).
- Robotic processes automation – Reducing highly manual tasks within the internal audit function (e.g., generating audit announcements and document request lists, compiling finding summaries) allows the team to focus on risk within the business and areas that require significant levels of judgment.
- Process mining – Challenge traditional approaches to internal auditing by leveraging data to understand processes at a deeper level and earlier in the audit cycle, using data to tell the story of how processes are being transacted rather than through traditional, unreliable, and manual intensive walkthroughs. For example, process mining technology leverages organizational data to automate the process discovery activity and create visual representations of business processes throughout the organization that internal auditors can analyse quickly to identify risk, control breakdowns and inefficiencies. This not only delivers significant efficiency gains but also drives a more effective audit process. Remember, new technologies should not just be «dropped into» the old ways of doing things.
- Machine learning (ML) and Artificial intelligence (AI) – Leveraging artificial intelligence and machine learning enables internal audit groups to increase the effectiveness and efficiency of complex testing, as well as help move complex analysis to more real-time.
The above are just a sample of methods that internal audit should evaluate and incorporate into the delivery of internal audit services. The ease of deployment varies from straightforward (e.g., using optical character recognition or K-means clustering algorithm) to highly involved (e.g., deploying NLP with learning components), but there is a multitude of opportunities for advanced analytics in internal audit, including those that allow for the replication of aspects of auditor judgment. Internal audit should develop an awareness of available techniques and methods to determine those with potential to drive greater efficiency and effectiveness into the internal audit process.
The journey needs to begin now – Next Gen IA survey
Basing our consideration on a Global survey conducted early this year on the topic, CAEs and their teams have more challenges and demands today than at any time in recent memory, underscoring the need to adopt next-generation internal audit practices to be more agile and technology enabled, to have the required skillsets, and to achieve a real-time level of engagement with risk management, data and controls. But for most, the next-generation audit journey is just beginning. The results from the Survey reveal relatively low maturity levels in governance, methodology and enabling technology. But what is most telling is the skill and capability levels of organizations that we classify as «Digital Leaders.» They are reaping the significant benefits of next- generation internal audit practices given their higher levels of maturity in these areas.
The Authors
Matt Liang is a member of the ISACA Board CH and a Senior Manager working in Protiviti Switzerland as lead of the Internal Audit and Technology Consulting practices. CISA, CISSP, MCSD.Net, Agile Safe
Anjelica Perini is a Manager working in Protiviti Switzerland as Internal Auditor and Business Performance Improvement Consultant. CDPS, RPA Developer, Design-Thinking Certification