Internal Audit’s Changing Role in a Changing Technological Environment

with co-author Wade Cassels

It’s the present neatly wrapped with a bow, the car in the showroom that glistens with a new coat of wax, the lights and sounds of Las Vegas or a million other examples that intrinsically draw our attention and turn our wants into perceived needs. For organizations, these shiny new toys have been replaced with an increasing array of technological advancements. Even without fully assessing whether they are a fit for their business model and customer base, technological financial expenditures have skyrocketed over the past few years, with no end in sight.

And internal audit is caught squarely in the middle.

As the auditor’s role continues to shift away from one of strict independence, organizational leaders are demanding more and more input from this group. No longer tasked with simply overseeing evaluations and recommending improvement for the effectiveness of risk management, control and governance processes, internal auditors are now being tasked with playing a more active role in guiding executive decision-making – especially regarding technology transformation.

This mandate is coming from the highest organizational levels, as boards and executives expect internal audit “to become proactive by throwing out its checklists of IT audits and what it thinks it should do and, instead, look further and see deeper, by engaging with stakeholders across the organization in order to discover exactly what it must do to support the company and the company’s business objectives.”

An ever-changing technological landscape mandates that businesses continually evolve to best leverage subsequent emerging opportunities. In response, internal audit must also evolve. With rapid globalization, industry convergence and changing consumer behaviors/demands forcing technology to become the most pervasive of organizational business drivers, companies are greatly increasing their technological budgets to best connect with customers across the globe and “give them the insights and efficiencies to outpace their competitors.”

A Deloitte and OnResearch survey in which 500 U.S. executives from privately held, mid-market companies were polled found that “one-third of respondents spend more than 5 percent of their annual revenues on technology… [and that] 57 percent said they’re spending more on tech this year than they did last year.”

In a separate study conducted by ROI consultancy Alinean Inc., small and medium-sized companies (with less than $50 million and between $50 million and $2 billion in annual revenue, respectively) often outspend larger ones, with midsize companies spending $13,100 per employee on IT alone.          

According to Gartner, global IT spend was projected to reach $3.5 trillion in 2017 and only increase going forward. In this atmosphere, leadership is turning to internal audit to be the determining voice regarding the true value of their IT investments.          

Changing at the Speed of Business

With a focus on leveraging “the opportunities presented by the pace of technological advances,” there are three keys Jim Pelletier, Vice President of Standards and Professional Knowledge for the IIA, points to as instigators of change for internal auditors:

• Changes to stakeholder/client demand,
• Changes to the competitive landscape and
• Changes to technology.

Given that changes in technology are expected to instigate change for the internal audit profession, one wonders, is internal audit keeping pace with technological transformations?

Just as technology transformation focuses on reinventing an organization’s operations to “leverage opportunities presented by a variety of developed and emerging technologies,” leaders are challenging internal audit to become a viable piece of this critical pie by disdaining the status quo and developing ways to help companies meet stakeholder demand more effectively. As Pelletier states, “It’s no longer about how we have done it in the past. It’s about how we need to do it to survive and flourish in the future.”

Another question remains, then: How does internal audit gain a more robust understanding of how an organization’s technological investments directly impact strategy, operations, reporting and compliance? Furthermore, how does IA utilize this knowledge to accurately support leadership’s objectives?

Via four key objectives:

1. Supporting the board through use of internal audit’s business intelligence portal and lessons learned from audits of key risk areas. This provides the impetus for clear insights to support transparency and oversight of risk management.
2. Transforming the audit plan into real time via “automated and real-time key risk indicators, predictive analytics and AI.” With newfound agility, internal audit can execute audits wherever and whenever needed while focusing more on strategic risk and leaving routine audits to robotic process automation.
3. With real-time information, auditors can focus on root causes that allow it to prioritize work in areas of greatest urgency. A more complete organizational view and this new data allows auditors to provide intricate analysis to the board and management.
4. Coordinating efforts with management throughout the engagement, internal auditors “share data, information and lessons learned throughout,” effectively eliminating the need for formal audit reports.

These opportunities for internal audit take on added significance when reviewing PwC’s 2018 State of the Internal Audit Profession survey report, “Moving at the Speed of Innovation.” Its findings reveal that numerous internal audit functions soon will be implementing transformational new technologies and that rapid technological advancements will provide a significant challenge for internal audit functions.

“Not only does internal audit need to have a point of view on what risks come with those technologies,” said PwC’s Lauren Massey, “but the best way to make sure they have that point of view is by embracing these emerging technologies themselves.”

With more than 2,500 board members, senior executives and audit professionals from 92 countries surveyed, internal audit organizations using workflow/dashboarding/reporting tools within internal audit will increase from 53 percent to 85 percent and those using governance, risk management and compliance technology tools will increase from 23 percent to 62 percent.

Even more startling is that the study found almost 80 percent of Chief Audit Executives believe internal audit must expand or improve its technology skills to meet its future needs. This translates into “the most advanced internal audit organizations learning how the risk profile is changing and understand[ing] how fast it is changing… They are more prepared to have a point of view on that risk because they are also pushing forward with new technology in their own operations.”

Where Internal Audit Still Lags

Change is never easy, even when all involved realize it’s for the better. That’s why it’s not surprising that, despite a clear case of internal audit needing to become an information facilitator in an organization’s technology transformation, painfully few are assuming this role.

“Stakeholders seek to navigate the future more than revisit the past or dwell in the present. It is time for internal auditors to focus our telescopes ahead. We need to concentrate on the risks of tomorrow if we are to not only protect, but enhance value for our organizations.”

Furthermore, internal auditors understand the expectation of them to complete compliance mandates, reduce costs and act as a strategic advisor to the business.

However, an Ernst & Young survey showed just “27 percent of internal auditor functions are considered strategic advisors” and that while “54 percent intend to be advisors within the next two years, their biggest skills gap is in data analytics.”

PwC found clear evidence that internal audit is often not meeting stakeholders’ technology expectations, despite 60 percent of heads of internal audit (HIAs) stating, “they’ll need to provide value-added services and proactive advice within the next five years, [and that] only 11 percent say they are indeed doing so now.”

Even more alarming results were found via the Institute of Internal Auditors’ 2019 North American Pulse of Internal Audit, titled, “Defining Alignment in a Dynamic Risk Landscape.” The report found that companies often struggle to monitor both emerging and atypical risks, are “too often caught off guard when risks do arise” and that challenges are due in part to “disruptive technology.” Furthermore, in 85 percent of the 500 responding internal audit executives, “internal audit rarely or never provides assurance on management information sent to the board. What’s more, variations in reporting structures may be hampering internal audit findings and insights from getting through the board in key risk areas.”

Where does internal audit go from here to reverse these numbers and become that shiny new toy to help navigate the landscape of digital disruption and transformation and drive return on IT investment? According to PwC, auditors must:

• Understand that stakeholder expectations will continue to evolve while supporting organizational objectives by proactively uncovering emerging threats and producing effective mitigation strategies. 
• Complete a thorough risk assessment, taking into account the company’s risk appetite and potential opportunities.
• Incorporate a future-thinking mindset by focusing advisory engagements on emerging technological risks and how they align with the most important organizational objectives.
• Utilize its independent status to learn from the most successful organizations, then provide stakeholders with greater understanding of how technological opportunities can provide the greatest support and hindrance to the company’s objectives.

Through extensive stakeholder engagement and a willingness to assume a more substantial role, internal audit can become the business unit to develop critical, overall understanding of the “strategic, operational, reporting and compliance objectives behind the company’s IT investments.” It can then use that knowledge to “prioritize and promote activities aligned with areas of both greatest potential benefit and greatest potential impediment to the achievement of those objectives and to then identify emerging technology-related risks.”

Sources

KPMG. (2019). Top 10 Considerations for Impactful Internal Audit for 2019. Retrieved from https://advisory.kpmg.us/content/advisory/en/index/articles/2019/top-considerations-internal-audit.html

PwC. (2017). Transforming Internal Audit to Drive Digital Value. Retrieved from https://www.pwc.com/sg/en/risk-assurance/assets/internal-audit-transform-ia-to-drive-digital-value.pdf

Peterson, B. (2017, July 13). Companies Will Spend $3.5 Trillion On Tech This Year — the price it would cost to buy Apple 4.5 times. Business Insider. Retrieved from https://www.businessinsider.com/worldwide-it-spending-2017-7

Pelletier, J. (2018, January 4).Internal Audit’s Digital Transformation Imperative​. Internal Auditor. Retrieved from https://iaonline.theiia.org/blogs/Jim-Pelletier/2018/Pages/Internal-Audit’s-Digital-Transformation-Imperative.aspx

Benes, R. (2018, August 13). How Much Are Companies Spending on Technology? eMarketer. Retrieved from https://www.emarketer.com/content/how-much-are-companies-spending-on-technology

Tysiac, K. (2018, March 13). How Internal Audit Can Improve By Embracing Technology. Retrieved from https://www.journalofaccountancy.com/news/2018/mar/improving-internal-audit-with-technology-201818551.html

Idea. The Changing Role of Internal Audit. Retrieved from https://idea.caseware.com/the-changing-role-of-internal-audit-and-use-of-technology/ .

Institute of Internal Auditors. (2019, March 4). 2019 North American Pulse of Internal Audit Report Identifies Potential Misalignment in Corporate Risk Landscape. Retrieved from https://na.theiia.org/news/Pages/2019-North-American-Pulse-of-Internal-Audit-Report-Identifies-Potential-Misalignment-in-Corporate-Risk-Landscape.aspx

Chambers, R. (2018, August 6). Internal Audit and Emerging Risks: From Hilltops to Desktops. Internal Auditor. Retrieved from https://iaonline.theiia.org/blogs/chambers/2018/Pages/Internal-Audit-and-Emerging-Risks-From-Hilltops-to-Desktops.aspx