According to history, our cave-dwelling predecessors, the Neanderthals, went extinct for a reason–they couldn’t adapt to their changing environment. Maybe they wanted to, but they couldn’t and unfortunately, they didn’t. Eventually, they were replaced by us humans, of course, who were better able to adapt to changing weather, hunting patterns, and waves of disease and famine.
Fast-forward to 2023, and one wonders if internal auditors might be on the same dangerous path as our big-browed forebears. Could traditional internal auditing become extinct because it isn’t able to adapt to the lightning-fast changes that are currently taking place all around us? Could perceptions of internal audit’s ability to add value (or not) hurry its demise, relative to its more progressive and agile line-of-defense cousins?
Let me start by stating that I believe strongly in the future of internal audit. It’s a very bright future if internal audit teams can embrace data and technology skills as being critical to their success. Internal audit must also ditch some of the historical practices and ways of thinking that don’t differentiate our work and add value in today’s digital world. Internal audit is at a crossroads in its evolution, and the changes being driven by big data and digitalization must drive internal audit innovation and strategic repositioning for it to survive.
Continuous Adaptation
Every internal audit department operates differently and there is a broad spectrum of internal audit shops out there, from very traditional (anchored in sample-based testing, annual plans, and three-to-four-year rotational risk views of the organization) to fully agile (anchored in data-driven results, full population audits, and risk-responsive teams, with active management and audit committee engagement developing quarterly audit plans). If your internal audit future is not focused on understanding and mastering skillsets in such areas as data analytics, blockchain, robotic automation, artificial intelligence, and others, then you will find it increasingly difficult to differentiate yourself and to add value to the business. Some internal auditors may be risking extinction if they fail to adapt in the short to medium term. Exactly how much time is left is anyone’s guess, but the clock is most certainly ticking.
Independence, integrity, and objectivity will remain at our core, but our core skills must adapt and adapt quickly to keep internal auditors positioned to add value in the future. We cannot forget that beyond our independence and stakeholder reporting responsibilities, our ultimate commercial role in the organization is to enable the business to be better and to be catalysts for positive organizational and cultural change. We can add value by bringing the human element–empathy, being differentiated through demonstration of data and technology savviness, and delivering more forward-looking issues and insights to help the business thrive in a digital and data-centric world.
Seven Steps to Internal Audit Transformation
To support internal audit in its progression and transition into the future, here is my perspective on practices to stop (or reduce) and practices to start. There are no perfect answers, and there will always be a continuum of internal audit capabilities and automation. However, the key point is to be a progressive team and to value the continuous learning and improvement needed to position internal audit for greater impact and relevance. Having a clear audit vision will help you align your methodology and practice changes, over time. The list below outlines some key areas for reflection to help you become the internal auditor and audit team of the future.
1 – Stop sample-based testing and start auditing full populations: Sample-based testing may still be relevant for highly manual or smaller-scale activities, but with most business activities housed in modern systems, internal audit should be looking to test full populations of data as much as possible. Some teams have already achieved this, but if you have not yet reached this milestone, it is time to set a vision to achieve this goal, including bringing data science skillsets into your team and up-skilling existing team members.
Outcomes matter. By developing data hypotheses, internal audit can independently assess data conformance and assess outcomes across large datasets, which will allow for better sizing of issues. In addition, greater focus on datasets will yield more valuable insights for management. If your organization cannot support full data auditing given legacy systems and poor data modeling and governance, I have probably given you a high-rated issue to discuss with management and the audit committee.
2 – Stop auditing low-level risks and start anchoring your audit plan to key risks: If you have performed audits that have taken a few months to complete and have few if any findings, you likely have over-audited low risk areas. Where is the value? Would you pay for this audit if you were the client?
Instead, anchor your audit plan to the organization’s key risks and key risk themes (a top-down view) and also align it to key risks in specific areas (bottom-up risk view). Audit resources in most organizations are a scarce commodity, so ensure your audits are risk-justified. Internal audit can supplement the risk view with a resource-allocation view, so the risk coverage intent is clear. Being responsive to risk requires internal audit to have an array of products for different risk coverage scenarios. Using an Audit Plan Gameboard is a great way to develop and deliver your risk coverage story to the board and audit committee.
3 – Stop taking several months to complete audits and start adopting an agile audit approach: Determined to complete 100 percent of your initial scope statement regardless of your initial audit outcomes? Sound familiar? Instead, adopt a progressive or agile audit approach to better demonstrate audit value and relevance. Use “sprints” and sprint reviews (typically two-week work bundles) to focus on the bigger risk areas first to drive value and every two weeks reflect on the value delivered and whether it is worth continuing or stopping the audit to start a more valuable audit in your audit plan pipeline.
Your clients will love internal audit’s transparency. By being more risk responsive and valuing timeliness your audit team will develop a reputation for having commercial sense and auditing a greater number of risks that matter more here and now. As we become fully data enabled, we should fully expect a shortening of the audit cycle. Set a clear vision for your team and align your strategic projects and improvements to achieving that vision. It will not be easy, possibly a multi-year journey, but it will help your team to deliver value more consistently.
4 – Stop adding documentation and manual review and start using data analytics: Clear, concise documentation will always be valuable, but modern systems should enforce accountability and tolerances to achieve the desired outcomes and better control environments.
Using data analytics to focus on actual outcomes across the full populations of data will yield better results faster. Data hypotheses can test transactional controls conformance and overall monitoring outcomes via digital scorecards and management data filters and tolerances. Assessing outcomes will enable internal audit to determine issues with control design effectiveness, operational effectiveness, or both.
5 – Stop writing long audit reports full of jargon and start using reporting brevity and consistency: Remember, every extra word you use in your audit report is simply another opportunity for error. Brevity and clarity are critical to your success.
While every Internal Audit Team has its rubric for writing audit reports and issues, we found this one to be very helpful in crafting issues consistently:
- Who Has Not Done What? (1 sentence)
- Risk Statement (1 sentence)
- Root Cause(s) (1 sentence)
- Support (bulleted outcomes from data hypotheses testing)
6 – Stop siloed thinking and start operating as coordinated assurance functions: Assurance work in many organizations may involve four or more different teams: internal audit, compliance, risk management, operational risk, governance, new business control, and more. Each of these teams has insights and context helpful to the others, so leverage that shared perspective openly.
Assurance is one of those activities where the total sum is greater than the sum of the individual contributions. Internal audit can extract great value from leveraging risk management and compliance risk assessments as a critical input to their risk assessment. Governance teams can provide perspective on challenges here and now–at the coal face as we often like to say. Sharing risk perspectives openly and attending stakeholder meetings together is indicative of a great risk culture. Equally, management and the board and audit committee will value the coordination among the assurance functions.
7 – Stop delaying auditor training and start embracing continuous learning: We all do it. We push back training, either for ourselves or our teams, given how busy everyone is, and we rest on historical qualifications and experience. We must resist this urge. Don’t misunderstand me, all professional qualifications and experience are earned through hard work and are valuable, but it is important to keep adding to your technical skillsets and knowledge base to stay relevant. So, embrace continuous learning. Mastering data and tech prowess will be critical for internal auditors of the future.
The learning journey never ends when it comes to skillsets if we remain hungry and flexible. For internal audit teams it is critical to identify your individual and team skill-set gaps and to plot a course to obtain those skills, hire them into the team, or co-source them. Embrace data and tech skills to enable you to be the auditor of the future–an integrated resource capable of gathering and extracting risk and control value from large datasets and outcomes.
Survival of the Fittest
Internal auditors need to continuously adapt to stay relevant to their organizations and to help enable the business. Our future will no doubt be data and technology centered. Data, and its uses and interpretations, will be the new debits and credits for the accounting profession; some would say it already is. Data sets and the technology skills to master them must become part of the internal audit DNA as blockchains and artificial intelligence tools become more mainstream.
Indeed, all assurance functions will use data as a locus, and it may be survival of the fittest at some future point. So, learn from ancient history and don’t hide in the cave. Invest in and continually adapt your data and tech skill sets now to position your internal audit team and yourself for the future, so you don’t go the way of the Neanderthals!
Shane Rogers, FCA, MBA, is an independent risk and audit management consultant. He is also a former Audit Managing Director and U.S.-based Chief Audit Executive with deep, partner-level, insurance, and investment banking experience globally.
What an excellent article, thank you!!
Good article.