The Value Challenge in the Evolution of Internal Auditing

internal audit evolution

GUEST BLOG
The most recent macroeconomic developments have had a dramatic impact on global markets, forcing directors and management to demonstrate the capability to make very complex decisions in a timely and incisive fashion. Increasingly, the complexity of the economic environment reaffirms how important it is that the decision-making process is based on qualitative, well-timed, and complete information.

In this framework, there is a good space for action where the auditor can provide added value to his or her internal clients. In fact, according to the Institute of Internal Auditors, internal audit is designed “to enhance and protect organizational value.” Such a mission statement crystallizes how the internal audit mandate must be oriented: toward protection and creation of value at the same time.

In translating this mission statement, our stakeholders expect internal audit to evolve the traditional “inspectorate” approach in order to act more as trusted advisors able to provide independent insights and support risk-oriented business decisions at all levels of the organization.

Lean Thinking
What happens when internal audit is unable to add value for its stakeholders? An interesting parallelism is represented by the Lean Thinking approach, by which value resides in the price the client is willing to pay for a good or service. According to this theory, every additional control activity is defined as a muda, a waste of energy and resources.

This might represent an interpretative key to explain the diffidence that sometimes surrounds internal audit. How can we as auditors expect our stakeholders to increase their marginal propensity to invest in internal audit if our traditional conception of added value does not coincide with their expectations nor address their needs?

The most recent evolution of the competitive landscape imposes a focus on core value elements: careful cost management, effective selection, and prioritization of investments. This focus helps internal auditors present greater value to the stakeholders and for them to, in turn, place more resources into internal audit.

The Strategic Evolution of the Internal Auditor
As in the natural selection process, internal audit will have to evolve and not succumb. Internal audit must interpret its role in a way that is more consistent with stakeholders’ expectations and with the emerging external threats. This adaptation is inevitable and in some ways already designed. If the strategic evolution of internal audit depends on the dynamics of every organization, we can already observe some common ground elements that will be the basis of future IA functional developments.

The risk panorama is evolving much more quickly than before and thus internal audit processes must evolve faster as well, allowing internal audit activity to develop at a pace consistent with risk exposures.

Our stakeholders need continuous feedback, streamlined audit processes that inform quickly on existing and emerging risks, with internal auditing focused on risk prevention rather than only on risk detection. Agile Auditing and continuous risk monitoring approaches are allowing internal audit to positively and effectively influence change. To articulate them properly, the audit will have to be constantly aware of business dynamics and challenges, developing essential skills of business acumen.

Furthermore, internal auditors will have to be able to interact with other control functions so that risk exposures could be described consistently across the organization and to avoid inopportune and wasteful duplications in assurance services.

Within this scenario, we can easily predict that the successful internal auditor will be driven to operate closer to the limit of independence and to provide added value to management. Auditors will need to consistently work with audit committees so that required independence safeguards are maintained.

Data Analytics, Process Mining, and RPA
Nowadays, many control activities can be digitized on highly automated processes with a high number of transactions, delegating the execution of basic testing activities to duly designed periodic exception reporting and testing bots and process mining analyses.

Having said that, despite the sophistication of such technology solutions, they do not provide interpretation of exceptions detected and an understanding of root causes underlying in business phenomena such as gaps in the control environment or business culture. Modern internal auditors must be ready to use technology as a continuous analysis tool but will have to use their expertise and business acumen to identify the true causes of issues and standard process deviations.

The advanced use of technology will allow internal audit to reduce the costs of low added-value activity, positioning the auditor not only as an “analyst” of symptoms but as “diagnostician” of the causes of ineffective risk management, internal control, and performances.

Executive Presence and Training
The internal audit figure should evolve from the role of a simple a “checker” to becoming a “trusted business advisor.” In order to influence and promote change and to provide useful insights to management and the board, auditors should position themselves consistently within the organization, working to earn the reputation not only as experts of internal control and risk management, but also as business experts.

Besides reconsidering their stakeholder management, chief audit executives should evolve their approach to training, granting a significant portion of their training budgets to developing and strengthening business competencies, soft skills, and executive presence of auditors. Training of internal audit professional elements is necessary, but not sufficient anymore. Internal audit leaders must develop their training tactics to meet the requirements of a more influential role.

Key Success Factors in the Evolution of the Profession
If internal auditors evolve themselves according to the aforementioned trajectories, they will be able to better intercept and address their stakeholders’ needs. In return, the latter will recognize more easily the internal auditors’ contribution to added value, and will be more open to increasing investment in the function in both technology and human capital.

The recent macroeconomic developments emphasize a change that is already taking place: remaining anchored to the most traditional and archaic conception of the internal audit mandate exposes the profession to the highly probable and impactful risk of losing relevance, progressively emptying not only its perceived value but the real content of the profession as well.

We live in an era of epochal changes which demand an evolution of the internal audit profession. Paraphrasing Darwin: if we as auditors will be more reactive to change and will change proactively, we will not only survive, but also consolidate a competitive advantage. The alternative would lead the function to an inexorable, progressive decline. Internal audit end slug


Michele Variale is Chief Auditor at Telepass Group, a mobility services technology firm, based in Rome, Italy.

Tommaso Lizier is Manager at Wolters Kluwer.

 

10 Replies to “The Value Challenge in the Evolution of Internal Auditing”

  1. The article is good but I’d like to push back on the IIA Mission quoted, “to enhance and protect organizational value.” That’s only part of the quote. Taken by itself, it sounds like a management function which is prohibited by the Standards. The rest of the Mission statement gives context to it “…by providing risk-based and objective assurance, advice, and insight.” Audit is an instrument used by management to assist them in their effort “to enhance and protect organizational value.”

  2. From a simple “checker” to a “trusted business advisor” – This must be the aspiration of the ‘4.0 auditor’! Totally agree with the Authors’ vision about values and objectives of the Internal Audit function.

  3. The recent macroeconomic developments settle a change that is already in place.
    Indeed, internal auditors have to evolve themselves according to new scenario so that it will be easier to collect new inputs.
    Of course, this new process requires that a modern internal auditors must be ready to use technology as a continuous analysis tool. Thank you for this note. I totally agree wth the relevant content.

  4. I’m totally agree. New framework, new decisions and new opportunities to develop the archaic concept of the internal audit (i.e. “the Checker”) in a concept more “value-added oriented”. The management have to use the internal auditors’ independent vision and the internal auditors’ information in all business contexts. In my opinion, only in this way, the business’ environment could be ready and proactive to face all future (and present) challenges.

  5. Internal audit department has to analyse their risks firstly (as business unit) and adopt a proactive approache to cope with those risks, before starting any risk assessment related to their organisation and its departments,. Changes are around and dynamic adoption in internal audit department mindset is a must, as well.

  6. Auditors of our times will be dancers on a tight rope. They have to learn how to balance the independent assurer as per Standards with the Darwinian evolved role of a trusted business advisor..
    Very good reading.

  7. Internal Auditors need to be challenging to the management in relation to compliance needs. Otherwise non compliance in itself can become a threat for business and its stakeholders. Compliance needs fulfilled rightly have in itself value for everyone and everything whether it is Business, customers or management. Adherence to industry compliance policies covers risks. So, must be top priority. Management need to accept challenge of adherence to compliance to avoid any risk with integrity, which can be actual definition of effectively working with audit committee inside business. Internal Audit need to update policies and update control measures in line with updated policy requirements. Internal Auditors work must be reliable and must be strictly relied on!!

  8. It’s a very useful article and all replies are very important to be considered in our nowadays aduit philosophy. I woukd de much appreciated to have more researches and publicatiins like this in addition to the best practices of the audit mechanisms and plans specialized in IT SMEs who’s mainly serving public sectors’ digital transformation mega projects.
    Sincerely,

    Ahmed Y. Darwish
    Senior Strategy and Governance Director
    Egypt Public Sector

Leave a Reply

Your email address will not be published. Required fields are marked *