What Is the Future for Internal Audit?

What’s the problem?

Our 2012 benchmarking studies have shown that Internal Audit (IA) headcount has, on average, remained flat for the fifth year in succession. However, Chief Audit Executives (CAEs) continue to face a multiplicity of urgent challenges, including:

• Companies expanding into new territories and launching products
• New legal or regulatory requirements or increased enforcement activity
• Increased, changing, and incompatible stakeholder expectations
• Heightened sensitivity to risk incidents, faster risk velocity and greater public scrutiny of incidents
• Absence of a coherent view of effective corporate governance
• Varied potential roles for Internal Audit – from compliance monitoring to business partner / advisor or from traditional audits to strategic risk assurance

As a result, every year CAEs have short-term improvement initiatives to address issues that are particularly urgent in the moment, but do not contain a clear longer-term goal. In isolation, each initiative is worthwhile, but the execution occurs in the absence of a longer-term vision and strategy.

Is the problem going to change?

The operating situation for many CAEs could become more stable and predictable because:

• There are now similar laws, regulations, and listing requirements in the major economies,
• Companies have greater knowledge of the operating environment in their newer markets,
• Key risks (see below) remain common, interconnected, and enduring:

1. Talent management
2. Regulation compliance
3. Data security and IP protection
4. Fraud
5. Sustainability of their business model and supply chain

• Companies are improving the quality of their Board & Audit Committee oversight by upskilling the people involved and improving the flow of information they receive,
• CAE s and their companies have projects in play to improve the quality of their first and second Lines of Defense (LoD).

What do most companies do?

Most CAEs launch a project or two each year to improve the quality of some aspect of their department function, typically, audit activity or value delivered. Normally, these projects focus upon ERM first or second LoD improvements (moving IA into advisory or strategic auditing, introducing data analytics, or improving the audit talent pool) one dimension at a time.

However, we see that separate projects running sequentially demonstrate little apparent clarity over the longer-term goal. Further, the thinking around the development of IA appears to be disconnected to other projects led by General Counsel, Company Secretary, Compliance, and Risk Manager or those required by external bodies.

CAEs often refer to their external audit firm and IIA for guidance on the vision of the future. All of these organisations have published a paper this year on the future of internal audit. While these perspectives show some insight into the possible future of audit, they are without a clear connection to the wider issues.

What do leading companies do?

We are starting to see some leading companies create a more coherent vision of corporate governance including the role of IA. Companies with a coherent vision of corporate governance collaborate with other functions to:

• Build a coherent view of their desired corporate governance and risk management framework including committees, policies, roles, information flow, checks & balances.
• Ensure they have an open management style with transparent flow of key information and a strong, positive, supportive corporate culture
• Build an active, engaged, skilled, motivated and visible first LoD that genuinely take on their responsibilities for risk management
• Ensure the second LoD is coordinated and effective with common vocabulary, taxonomy, shared information, and coordinated activity
• Leverage technology to monitor performance, report breaches, and flag trends and variances that will automatically prompt action by the appropriate team
• Identify the optimal mix of compliance and advisory roles for IA, paying close attention to the appropriate team size, skills, methodologies and culture of your organization

What can ADR do to help?

Our recent research has detailed innovative and effective tactics to improving several key attributes: risk-based planning, talent management, and leveraging the work of other assurance providers. We are researching the Future of Audit as a topic again and would welcome sight of your IA department’s strategic plan (click here to donate). Our current hypotheses include the following potential key characteristics:

• The importance of building a coherent foundational view of an effective corporate governance structure that links involved parties that is relevant globally which includes structural requirements and cultural aspects
• The need to identify the key attributes of a successful IA department and how they are interrelated
• The painting of a picture of the role of audit in a well managed organisation of the future. Leveraging our recent research into particular dimensions and improvement priorities for CAEs
• The identification of implementation guidelines to achieve optimal status for supporting any CAE who needs to improve on one or more dimension

What is ADR doing for members?

ADR research available now:

How much is enough – Identifying the truly key risks, making the right trade-off decisions, leveraging other assurance providers, and engaging effectively with stakeholders.
Integrated (combined) assurance – Providing research and case studies that describe the drivers behind greater integration of assurance activity, and case studies to illustrate effective implementation tactics
ADR Webinars – In this webinar replay, members Jenitha John, CAE at First Rand Bank and Bruce Vincent, CAE at IHG share their insight and experiences with regards to integrated assurance.

If you would like to comment on this blog or want further information please contact Ian Beale.