Next-Generation Internal Audit: Getting Comfortable Doing What Is Uncomfortable

A global pandemic, a growing number of stakeholder demands, rapidly changing business models and a risk landscape with shorter cycle times — internal audit teams are dealing with a lot of changes.

There are new methodologies and enabling technologies available to help chief audit executives (CAEs) and their teams meet these and other challenges: automation, process mining, dynamic risk assessments, advanced analytics and, to a growing extent, artificial intelligence and machine learning. Organizations that have embraced these and other next-generation internal audit tools and techniques are reaping measurable rewards. A recent global study our firm conducted, however, indicates that most internal audit functions are just beginning their next-generation internal audit journey.

Change is hard. It makes people uncomfortable, especially in internal audit, where there is a longstanding bias toward sticking with the tried-and-true. Nevertheless, the evidence is mounting: Internal audit organizations that continue to cling to the old ways risk becoming irrelevant. It is time for the internal audit function to become more comfortable doing what is uncomfortable.

The Current Landscape

When we talk about “next-gen,” we look at three broad categories: (1) governance, which includes organizational structure, mission and vision, and the role of internal audit; (2) methodology, encompassing internal audit processes and reporting; and (3) enabling technology — the tools and techniques internal auditors employ to get the job done.

In late 2020 and early 2021, we polled 874 internal audit executives around the globe to determine where they were in their next-generation internal audit journeys. Our results, published in May, offer an interesting snapshot of where internal audit functions see themselves in this transformational process.

Key takeaways from the study include:

• While 66 percent of survey respondents expressed an intention to add to their organizations by investing in innovation and digital transformation, only 14 percent of internal audit functions have made any significant progress in that direction. That’s only a little bit more than the 10 percent of internal audit teams self-reporting as digital skeptics — those that continue to embrace outdated manual methodologies.
• CAEs and internal audit leaders tend to give themselves higher marks in areas of governance — particularly for having the vision to recognize the need for transformation and begin formulating a plan. Conversely, they give themselves lowest marks when it comes to enabling technology — not a surprise considering that capabilities such as machine learning, artificial intelligence (AI) and process mining remain relatively new for most internal audit groups, while governance is an area with which internal auditors are more familiar and does not require significant levels of innovation. Still, it is clear there is a lack of recognition of the link between effective governance and use of enabling technologies. To make meaningful progress, internal audit functions need to tackle these emerging, and perhaps uncomfortable, technologies and competencies with intent and move beyond those areas that are comfortable to them.
• The differences between organizations we define as digital leaders — those that have already made significant progress on their next-gen journey — and other organizations is significant in a number of areas, especially methodologies (how internal audit delivers) and enabling technology (the tools they use to deliver). Digital leaders are more focused on aligned assurance, an agile audit approach, technology and data. They have made significant advancements in recruiting people with the right mindset and capabilities. It should be noted, however, that even those respondents who consider themselves digital leaders indicated that they have made only moderate progress toward their ultimate goal and that they recognize the need for improvement, especially when it comes to more advanced technologies such as AI, machine learning and process mining. (Note: In our report, we provide a detailed definition of what we consider a digital leader organization.)

The CAE’s Role

Given the importance of embracing a next-generation internal audit mindset, CAEs need to assess their function’s current internal audit capabilities and prioritize the commencement or continuation of their next-generation internal audit journey. Understandably, the disruption of the COVID-19 global pandemic forced many organizations to set strategic initiatives like this aside to focus on more urgent, near-term matters. But progress was slow even before COVID-19 concerns pushed other priorities aside.

Over the long term, as more enterprises undergo digital transformation and seek support and guidance from their internal audit teams, a next-generation audit mindset is imperative for the profession. CAEs need to take the lead in transforming their audit functions to better serve their businesses. This includes defining a roadmap and establishing a culture of innovation embedded in the delivery of audit and consultation services.

A Next-Gen Roadmap to Success

Change can be daunting, but there is no need to make the journey in one giant leap. In fact, experience has shown that the path to success is more easily traveled with a proven approach and a series of smaller, more easily managed steps.

The first step may be the most important one — it’s about establishing the proper mindset and a commitment to:

• Transform the internal audit group’s governance and methodologies and enable technology capabilities needed to address emerging business risks and heightened stakeholder expectations.
• Increase internal audit’s effectiveness and efficiency while fulfilling the function’s core mission to protect organizational value.
• Start thinking differently.
• Reassess the design and capabilities of internal audit, striving to become an agile, next-generation internal audit function.

Here are some timeless tips to help CAEs get started on, or advance, their next-generation internal audit journey once this commitment and mindset are in place:

• Keep the big picture in mind. It is important for leaders of any transformation effort to focus on the long term, even as they deliver in the short term. This helps organizations avoid getting lost in the weeds of incremental projects that create numerous point solutions that detract from the larger goal.
• Empower people to innovate. Innovation cannot be a top-down endeavor. Encourage team members to submit ideas for improvements and innovation. Reward experimentation, and work with team members to implement.
• Begin with a win. While it is important to keep the big picture in mind, it is helpful to begin implementation with a single project carefully selected for its high potential to demonstrate success. For example, in implementing agile auditing, it makes sense to roll it out in a part of the business already familiar with agile methodologies, or on a simple non-integrated audit.
• Expect ripple effects. Changes in audit procedures are likely to create downstream changes to other workflows. For example, a shift to auditing complete data populations instead of a representative sample is likely to increase the volume and nature of information produced by the audit, which could require a change in reporting. Similarly, changes to procedures may require CAEs to rethink the skills and talent required, and even how their organization is structured.
• Design for adaptability. It is impossible to anticipate exactly how an internal audit organization should look and operate. With that in mind, it is important to develop an internal audit function that is committed to ongoing change and skills development. This is where a culture of innovation becomes essential.

Maturing the Organization

Specific governance structures, methodologies and enabling technologies of mature next-generation internal audit functions vary, but most transformations share the following four essential objectives:

1. Improve assurance by increasing the focus on key risks. By evolving to become more data enabled, digitally mature internal audit functions provide internal and external stakeholders with relevant, timely and impactful results on the effectiveness of risk management and controls.
2. Make internal audit more efficient. Digitally mature internal audit functions drive toward data- and technology-enabled audit processes, delivering efficiency and consistency in risk assurance.
3. Enhance skill sets continually. Next-generation internal audit functions seek to steadily advance their skills, both through upskilling staff and recruiting for new skill sets and capabilities.
4. Provide deeper and more valuable insights. Next-generation internal audit functions not only address current risks, but also illuminate and advise on the potential consequences of future actions and strategies.

In Closing

Beginning or advancing on the next-generation internal audit journey doesn’t have to be difficult. It should not be an all-compassing endeavor, and it isn’t necessary or advisable to try to change everything all at once. It is past time, however, for organizations to get moving toward their digital future. By becoming more comfortable doing what is uncomfortable and adapting to establish a culture of innovation and continuous improvement, CAEs and their internal audit teams can add significant value to their organizations and avoid falling farther behind and being rendered irrelevant by the inevitable march of progress.