Internal Audit (IA) is in the grips of an identity crisis. A recent PwC survey found stakeholder perception of its value to an organization at its lowest in five years, and to many it is unclear where exactly it adds value as a function. But is there a way back?
In 2016, 54% of respondents to PwC’s annual study on the state of the Internal Audit profession said they felt that IA was adding significant value to the organization. In this year’s survey, just 44% said the same. Of the 1,900 stakeholders responding to this year’s online survey, 58% were IA leaders and their direct reports and 42% held management or board titles. So presumably, not even all of the IA leaders believed that they were adding significant value, let alone anyone else.
There are many reasons for this. It may even be - as Richard Chambers, president and chief executive officer of The Institute of Internal Auditors, believes - that the result is simply part of the ‘ebb and flow’ of opinion. It is true that it was 54% in 2014 and 48% in 2015, before rising again to 54% in 2016, but these figures do not exactly represent a rave review even if they don’t evidence a direction. To ignore the problems cited would be immensely reckless for the profession, as it is clear that there are many that need to be dealt with.
One of the primary issues with Internal Audit cited by respondents was a failure to deal with unplanned and unforeseen events, those disruptive risks that can destroy a company. IA has to be more active in anticipating disruptive risks and helping the organisation best manage them. This does not mean just looking at the more traditional disruptors. As Jason Pett, PwC's US Internal Audit, Compliance & Risk Management Solutions Leader, noted : ’Organisations are facing rising complexity of risks and new disruptive sources, impacting them at increasing speed. Stakeholders expect IA functions to help them navigate this changing landscape or face a shrinking perception of the value IA provides. In a world of constant disruption, IA leaders need to think differently to accomplish more dramatic transformation and demonstrate their vitality. Particularly, they must be well-equipped to mitigate risk in several disruptive areas including regulatory changes, cybersecurity and changes to customer preferences - the disruptors most likely to impact businesses over the next three years.’
In order to do this, Internal Audit needs to be highly responsive. The problem is that IA is usually not remotely nimble. This cannot necessarily be helped. Ensuring that rules are followed is at the heart of its reason for existence and it seems a big ask to expect a function so intrinsically tied to bureaucracy to suddenly become a tour de force of agility. Indeed, they are precisely the kind of people who prevent large organizations from becoming nimble. Just 18% said that their IA functions play a valuable role in helping their companies anticipate and respond to business disruption. These were the standout performers and there a number of lessons to be learned from them. Of the 18%, nine out of ten stakeholders reported that IA is adding significant value – more than double the percentage of stakeholders with less agile IA functions - and 84% are mindful of disruption and include the possibility as part of the audit plan development, compared to 50% of less agile peers.
The simple truth is that Internal Audit functions are currently too slow to anticipate the huge changes affecting businesses these days. They need to be forward-looking and able to identify emerging disruptions and associated business needs. There are number of fairly simple things that IA teams can change to ensure this happens.
As it stands, Internal Audit still primarily serves in an assurance capacity. The main thing that successful IA functions are doing is positioning themselves as trusted advisors. The PwC report says that ’76% of Agile Internal Audit functions cohesively partner with other risk management and compliance functions to address disruption (vs. 40% of peers).’
Internal Audit’s ability to provide both better resource allocation and a fuller assessment of the risks, thereby providing a more accurate appraisal of the Risk Management framework, are now widely recognized. However, it is often still not properly integrated within the Risk Management framework. The most pressing problem is that such responsibilities are too often considered beyond its remit, and there is a lack of support from management. In order to to overcome such challenges, the service that IA can provide needs to be recognized, the unique space it exists in from which it is able to look at risk across an entire organization, as well as its ability to exploit the benefits of integrated reporting to achieve the communication necessary to respond with the speed required to deal with risk in the modern world. Senior management needs to adapt the way it integrates IA into the framework so as to ensure it does not get in its way and stop it doing its job.
Another way IA can ensure it becomes more nimble is to put a greater emphasis on implementing data analytics. CEB data has found that almost two-thirds of audit departments have recently made or are planning to make significant investments in data analytics. In a recent interview with us, Brian Matthews, International Internal Audit Manager at car repairs firm AutoZone, noted that ‘the most important aspect of Internal Audit, to me, is understanding the business. In traditional Internal Audit departments [primarily focused on compliance, after-the-fact control validation and issuing opinions], understanding the business allows auditors to effectively analyze processes, assess risk and identify key controls.’ The capability to better understand the business is a key advantage to using data analytics. It can also be used to pinpoint risks and issues, as well as delivering enhanced quality and coverage while providing more business value. IA can now leverage data from far more places than simply financial transactions, with email, social media, and so forth also providing reams of unstructured data that can now be analyzed for insights on a close to real time basis. However, while companies seem sincere in their attempts to adopt analytics for IA, the function is still some way from integrating the technology to the extent it should be. Accessing data and data analytics to independently verify testing and to enable continuous monitoring will have to become normal practice if IA is to have hard evidence upon which conclusions can be based available quickly. Analytics that seek out abnormalities that require further investigation need to be enhanced to utilize fast-emerging new data-analytic techniques and capabilities.
Ultimately, both collaboration and an emphasis on data analytics are about one thing - responsiveness. Mark Kristall, a PwC partner and one of the authors of the PwC report, sums it up best when he notes, ‘if an internal auditor is finding about it after the fact, it’s too late.’