Internal Audit 3.0
The future of Internal Audit is now
April 2018
Contents
- Internal Audit 3.0
- Assure. Advise. Anticipate.
- Assure
- Advise
- Anticipate
- Contacts
Internal Audit 3.0
The future of Internal Audit is now
What’s often missing is the realization that
organizations and the business environment have
changed in material ways, which demand innovation.
Without applying new approaches, an Internal Audit
function falls behind strategic and technological
developments, unable to meet stakeholder needs,
and ill-equipped to deal with emerging risks. By the
same token, embracing innovative approaches helps
keep the function ahead of developments. Innovation
positions Internal Audit to anticipate and then respond
effectively to stakeholder needs, and equips the
internal auditors, themselves, to address emerging
risks in a helpful and impactful manner.
We have long been encouraging Internal Audit to
adopt new tools and techniques and to develop
capabilities needed to effectively respond to today’s
challenges. It is equally important for Internal Audit
to develop a coherent vision for both the profession
and the function. Such a vision is essential in order to
drive needed changes and prioritize initiatives for the
function and the organization as a whole.
Through consultation with audit committee chairs,
executives, chief audit executives and business leaders,
we have developed a blueprint which aims to clarify
the expectations of Internal Audit, codifying the most
important components.
We call it Internal Audit 3.0, the next generation of
Internal Audit, a function as attuned to the challenges
of emerging risks, technologies, innovation, and
disruption as the organization itself; a function fully
able to assist in safeguarding processes and assets as
management pursues new methods of creating and
delivering value.
As with any useful new release of an operating system
or application, Internal Audit 3.0 updates that which
needs updating, offers new features and functionality,
and retains and leverages the best of past versions.
Internal Audit 3.0 may therefore be considered an
innovative “operating system” that enables the Internal
Audit profession and function to better meet both
existing and emerging needs.
Where we’ve been
Until recently, the Internal Audit profession has not faced
the need to innovate, let alone reinvent itself. We can
trace the birth of modern Internal Auditing – “Internal
Audit 1.0” – to the founding of the Institute of Internal
Auditors (IIA) in 1941 – and trace “Internal Audit 2.0”
to Sarbanes Oxley and its impact on the accounting
profession (Figure 1). Along the way, developments such
as the COSO framework, improved capabilities such as
IT internal audit and data analytics, and supplementary
guidance to improve the profession following the global
financial crisis helped move the profession forward.
As organizations hurtle into an increasingly technology-driven, innovation-oriented,
risky, and disruptive future, where is Internal Audit? Very often, despite ongoing efforts
to meet stakeholders’ growing list of needs, the answer is: playing catch-up.
Internal Audit 3.0 | The future of Internal Audit is now
Figure 1. Key Internal Audit milestones
Now, however, as we approach the end of a decade
of unsettling uncertainty, organizations face evolving
strategic, reputational, operational, financial,
regulatory, and cyber risks. And there is a need to
constantly innovate in order to compete (Figure 2).
The world is entering the fourth industrial revolution
where new technologies, digitalization, and artificial
intelligence are dramatically changing the business
landscape.
The types, complexities, and inter-dependencies of
risks associated with the fourth industrial revolution,
and the speed at which they emerge are new. The
pressures to evolve in order to create and deliver
value are new. The strategies, practices, and
technologies that organizations employ are new. All
of which are compelling Internal Audit to adopt a new
vision of its role and remit, to maintain its relevance
in providing impactful assurance and advisory
services to organizations.
Failure to act will allow the risks that the organization
faces to outpace Internal Audit’s skills and
capabilities. On the flip side, however, taking action
will position Internal Audit to create and deliver new
value to its stakeholders, just as the organization
strives to do so for its constituents.
Although Internal Audit’s service emphasis and
delivery models must be updated, its central
purpose remains much the same: to assure and
advise. However, in our view, the most successful
Internal Audit functions will also anticipate, and
through proactive assurance, help organizations
keep pace with and get ahead of emerging risks.
[Figure 1 timeline, 1941 to 2018 (years marked: 1941, 1992, 2002, 2018). Milestones shown: the birth of modern internal auditing with the establishment of the IIA; COSO Integrated Control Framework; IT Internal Audit; Sarbanes Oxley; Data Analytics; Integrated Audits and SME support; supplementary guidance following the Global Financial Crisis; Cyber Risk; 2017 IIA Standards update.]
Figure 2. Organizations face increasing uncertainty on multiple fronts
[Figure: risk categories Financial, Strategy & Reputation, Operations, Regulation, and Cyber, with the following risk topics: Credit, Market, Liquidity, Crisis, Capital, Innovation, Globalization, Brand, Organization model, Geopolitics, Ethics, Environment, Safety, Social media, Sustainability, Customers, Assurance, Compliance, Transformation, Suppliers, Competition, Cash flow, Cost, Internet of Things, Security, Automation, Technology, Artificial intelligence, Outsourcing, Crime, People, Data.]
Assure. Advise. Anticipate.
These three – assure, advise, and anticipate – constitute the triad of value that Internal
Audit stakeholders now want and need. This has been borne out in numerous Deloitte
external quality assessments (EQAs) conducted for Internal Audit functions in a range
of industries, in interviews with more than 200 senior executives and audit committee
chairs, and in numerous Deloitte research surveys with chief audit executives and
heads of Internal Audit [1].
These key sources of opinion have clearly said that:
Assurance constitutes and remains the core role of
Internal Audit. Yet the range of activities, issues, and
risks to be assured should be far broader and more
real-time than they have been in the past. Assurance on
core processes and the truly greatest risks is essential
but so is assurance around decision governance, the
appropriateness of behaviors within the organization,
the effectiveness of the three lines of defense (LoD), and
oversight of digital technologies. Assurance is central to
Internal Audit’s role but must not be the limit.
Advising management on control effectiveness,
change initiatives, enhancements to risk management
related to the three LoD and other matters – including
business effectiveness and efficiency – falls well within
Internal Audit’s role and stakeholders’ expectations.
All sources confirm that a strong advisory role is key to
maximizing the value of Internal Audit.
Anticipating risks and assisting the business in
understanding risks, and in crafting preventative
responses, transforms Internal Audit from being a
predominantly backward-looking function that reports
on what went wrong to a forward-looking function
that prompts awareness of what could go wrong, and
what to do about it, before it happens. Internal Audit
becomes more proactive and, through its assurance and
advisory roles, helps management intervene before risks
materialize.
We’ll examine these three dimensions of value in more
depth in this document, and, for now, simply assert
that delivering on the assure, advise, anticipate value
proposition calls for more innovative, technology-driven
approaches – hence, Internal Audit 3.0.
Internal Audit 3.0 – System overview
Assure, advise, and anticipate form the core value
proposition of Internal Audit 3.0, covering the basics
while advancing into activities that will deliver new
value to the organization. The three darkly shaded
areas – and the brief descriptors under assure, advise,
and anticipate – designate the core features of Internal
Audit 3.0 in Figure 3.
The assure, advise, anticipate value proposition is
enabled through:
• Digital assets, which have already begun to transform
Internal Audit work, and are about to revolutionize it
• Skills and capabilities, which position Internal Audit to
improve the interface with stakeholders and better
meet their needs
• Enablers, which engage the system to deliver new
value in desirable ways
Figure 3. Internal Audit 3.0 – System overview
[Figure: Assure (core processes, truly greatest risks, decision governance, behaviours, 3 LoD, digital technologies); Advise (3 LoD enhancements, control effectiveness, assurance by design, during change); Anticipate (risk sensing, risk learning). Other labels shown: Digital assets, Skills & capabilities, Enablers, Intelligent assurance, Polymath, Purple person, SMEs, Next generation resourcing, Relationship management, Automated core assurance, Agile IA, High impact reporting, Response teams, Change catalyst, Analytics, RPA, AI, Automated QA, Dashboards.]
Thinking that the same people operating in the same
way with the same resources can deliver the value
that stakeholders need now, let alone going forward,
amounts to a failure of imagination. Internal Audit
3.0 challenges Internal Audit leaders to stretch their
thinking, methods, and relationships to new, broader,
deeper dimensions. To adopt the elements of Internal
Audit 3.0, functions have to truly understand what
stakeholders value and work in ways that help improve
quality, drive efficiencies, and re-think traditional
assumptions.
This publication introduces select aspects of Internal
Audit 3.0, with other elements covered in detail through
separate publications, such as Agile Internal Audit [2]. For
further information on Internal Audit 3.0, please see our
contacts page at the end of this document and access
our latest thinking at deloitte.com.
In the pages that follow, we explain further what
Assure, Advise and Anticipate mean in the context of
Internal Audit 3.0.
Assure
The core – but not the limit – of Internal Audit
The “Assure” component of Internal Audit 3.0 includes six broad features in which the
function can provide value (Figure 4).
Core processes – unlocking value through
automation
Internal Audit planning aims to balance assurance
around two features – core processes and the truly
greatest risks to the organization. Internal auditors can
cover only so many processes per year and often default
to performing audits on a rotational basis in order to
find time to also provide assurance around the greatest
risks. Yet stakeholders need both types of assurance
– assurance that core financial and operational
processes in areas like procurement, payables, payroll,
and health and safety are working properly, and
confidence that the organization’s truly greatest risks
(e.g. cyber, digitalization, change management, etc.) are
appropriately managed – on a more continual basis.
Now, what if – using digital assets – core assurance
could be automated, significantly reducing the
resources needed to cover these traditional, core
processes on a more continual basis? Automated
core assurance harnesses analytics, robotic process
automation (RPA), and artificial intelligence (AI) to
monitor controls and flag non-conformance in real
time. Combine this with automated reporting, and
Internal Audit can communicate non-conformance to
the business so they can remediate immediately, rather
than only being able to check the controls every few
years under a rotational audit plan scenario.
Figure 5 illustrates the contrast between the traditional
approach and automated core assurance.
The chief benefits of automated core assurance are
that it:
• Eliminates the tradeoff between core process
assurance and strategic risk coverage (Internal Audit
can deliver both)
• Enables allocation of resources to address the truly
greatest risks
• Frees resources to analyze why issues
occur, including behaviors that contribute to
noncompliance, and to remediate issues
• Shifts Internal Audit’s role from identifier of issues
to partner in developing solutions, because audits
begin with known issues
• Enables Internal Audit to leverage its knowledge,
position, and experience to help the business to
improve processes and controls
Figure 4. Six features of assure
[Figure: Core processes, Truly greatest risks, Decision governance, Behaviours, 3 LoD, Digital technologies.]
Figure 5. Traditional assurance versus automated core assurance
[Figure: two panels, "Traditional approach" and "Automated core assurance approach". Labels shown: Core processes, Audit and Analytics, Issues and recommendations, RPA, Analytics, Real-time reporting, Root cause analysis, Behaviours, Change catalyst.]
Automated core assurance is an important element
within Internal Audit 3.0. It automates what can be
automated, and applies human resources where they
will yield the greatest value, while providing more
effective assurance. It also exemplifies Internal Audit 3.0
in that it leverages technologies such as analytics and
RPA to provide real-time monitoring and testing, while
repositioning Internal Audit from reporter of historic
issues to strategic business partner.
Assurance around behaviors
Management and employee behaviors drive risk.
Luckily, with Internal Audit 3.0, Internal Audit is
positioned to provide assurance around behaviors in
three key areas: individual accountabilities and whether
people are fulfilling theirs, operational discipline and
whether people understand and implement controls,
and ownership of remediation within the second- and
first-line functions. Assurance in these three areas can
significantly deepen insight into people’s attitudes and
conduct around risk and controls.
Assurance around digital technologies
Many organizations are adopting new and emerging
digital technologies. The rise of robotics and AI presents
new and specific risk areas that are less understood.
Internal Audit urgently needs to address new and
emerging digital technologies from an assurance
standpoint because the threats posed by people
writing, purchasing, and adopting apps and other
digital capabilities, including those related to the
Internet of Things (IoT), are real and here now.
This is where new skills and capabilities, and internal
auditors with different skills and experiences, will be
needed, including ‘purple people’ who possess a mix
of business and technology skills, and understand
cognitive systems in a business context. Additionally,
Internal Audit functions may need more ‘polymaths’ –
experts who can ask the right questions, understand
stakeholder needs, see the real risks, and embrace
new ways to provide assurance. This is not just about
having someone review the governance around, say,
application development and data access; it’s about
having people who can understand the risk exposures
created by the nature of a specific AI or RPA application
and the assumptions being made about them. These
skills are in short supply, but quite necessary.
Advise
Maximizing value to stakeholders
The “Advise” component of Internal Audit 3.0 comprises four broad features in which
the function can deliver new and needed value (Figure 6).
Figure 6. Four features of advise
Enhancements to the three lines of defense
In Internal Audit 3.0, functions advise the second and
first lines of defense on ways to improve their own
assurance capabilities. While still maintaining their
objectivity and independence, internal auditors can
provide advice and share methods and tools. The
goal is to provide assurance where it can be done
most efficiently and effectively – and as close as
possible to real-time. Regarding independence (see
sidebar), Internal Audit should clearly not be making
management decisions or designing the controls it
will be auditing. But it is completely legitimate, and, in
our view, squarely within the function’s role, to assist
the first and second lines in improving their own
capabilities.
Internal Audit 3.0 can usefully shift certain assurance
activities to the first and second lines, but this must
be done properly. For example, if internal auditors
develop an analytical tool, which could be adopted
by the first and second line, care should be taken to
make sure appropriate safeguards are in place, but this
should not preclude functions from sharing knowledge
and tools for the benefit of the wider organization.
The approach will differ for different industries and
different organizations.
[Figure 6 labels: 3 LoD enhancements, Control effectiveness, Assurance by design, During change.]
Independence: Success factor or limiting factor?
In our experience, too many internal auditors
use “independence” as a crutch, as an excuse
to stay in their lane and avoid offering insights
and opinions when most stakeholders have said
that is what they truly want. This can relegate
the function to reporting on the past, which is
not the wave of the future.
Independence is important and must not be
disregarded, but Internal Audit functions can
make informed decisions about which types of
advisory services do not compromise functional
or individual auditor independence.
Typically, Internal Audit advisory services
require the function to provide a point of view,
challenge management, or deliver real-time
insights. Such services can join the dots which
others don’t see in their entirety, connect
people, and be a catalyst for change. Internal
Audit functions have a privileged position
within organizations, and not making use of this
position is a missed opportunity.
Independence means freedom from conditions
that create the risk of bias – and freedom to
have a point of view and to provide insights
supported by data, research, peer practices,
and experience. Using “independence” to opt
out of assisting the business benefits no one.
Under Internal Audit 3.0, functions can respect
independence whilst advising the business
through promoting objectivity, integrity, and
professionalism.
Control effectiveness
Assurance around control design effectiveness is
table stakes; the most useful advice for the business
comes at the time the controls are being designed.
The business benefits far less when Internal Audit
weighs in with only a review of control design after
implementation. Internal auditors should observe
those projects and provide real-time feedback.
Safeguards to preserve independence can and should
be established, by the business units or committees
in question and by Internal Audit, but Internal Audit
should be at the table and provide its control expertise
during the design phase.
Advising during change
Internal Audit should also have a seat at the table on
strategic projects and transformation initiatives, not
only to provide assurance on change projects but to
contribute to the quality of discussion by calling out
concerns, challenging management’s approach to
risk management and advising on ways to enhance
and provide assurance. In financial services in some
jurisdictions, Internal Audit has the right to attend
Executive Committee meetings and other key
management decision-making venues, for this very
purpose. This doesn’t always happen now.
Assurance by design
Internal Audit can help management to implement
mechanisms in the business that eliminate or reduce
the need for the second or third line to provide
assurance on processes or controls. The ideal situation
would be to reach a point where the system, rather
than a control that could be worked around, simply
generates non-compliance reports. The basic question
is: How can we design-in and build-in mechanisms
that reduce the amount of assurance that human
beings have to provide? This advice stands apart from
the issue of providing reviews and assurance around
how well a control mitigates a risk. In fact, the goal of
assurance by design interlocks with, and supports,
the goals of real-time assurance and reporting, and
automated core assurance.
Indeed, virtually all features of Internal Audit 3.0
interlock and support one another.
Anticipate
Delivering forward-looking insights
With unparalleled access to information within the organization, increasing capabilities
to use external data, and an enterprise-wide view of the organization, Internal Audit
is in the ideal position from which to anticipate risks and issues that could affect the
organization’s ability to reach its goals.
Risk sensing: Viewing the risk landscape
Currently available risk sensing platforms monitor
risk indicators based on internal or external data,
or combinations of the two. For example, many
organizations monitor social media for customer
sentiment and reputational risks, or newsfeeds and
regulatory filings, and apply analytics to identify themes
and trends. Financial services and large industrial
companies monitor central bank policies to anticipate
interest rate movements, and the impacts on their
businesses. Many organizations monitor internal
management information to identify trends in financial
or operational performance, customer behavior,
product defects, and other issues that could affect the
business.
Risk sensing, which combines advanced analytics
with human judgment, provides a panoramic view of
risk, extending well beyond traditional risk registers
of identified risks. Risk sensing focuses on emerging,
often unknown risks, and thus stands among the key
capabilities for anticipating issues and problems and
delivering insights. Risk sensing also enables real-time
and continuous risk assessment, moving away from
the traditional annual risk assessment approach. Used
effectively, risk sensing can help enhance Internal
Audit’s understanding of risk and focus assurance
activities accordingly.
Risk learning: Getting to why
Risk learning, or cognitive risk anticipation, applies
analytics to risk events and surrounding factors
to tease out causal relationships. If a risk event
occurs, analysts can examine what else occurred
before, during, and after the event. Over time, by
applying pattern recognition and root cause analysis
to a growing database of events and factors, the
organization can isolate correlations, sequences
of events, and causes and effects. This positions
management to take proactive steps to avoid or
mitigate risk events. It also positions Internal Audit to
conduct proactive assurance work related to those
steps. Risk learning takes both Internal Audit and the
organization well beyond the limits of traditional
risk-based planning, while reducing the level of “unknown
unknowns” that management faces.
Upgrading to Internal Audit 3.0
Digital assets, skills and capabilities, and other enablers
are what make Internal Audit 3.0 a reality.
How an Internal Audit group develops, accesses,
and deploys digital assets, skills and capabilities, and
enablers will depend on the function, organization, and
stakeholders. The essential first step here is to develop
a shared vision for Internal Audit 3.0 and then to chart
a path toward realizing that vision.
For some, this has involved Agile Internal Audit – our
method of applying practices from agile development
to Internal Audit work – which has already begun to
revolutionize forward-thinking functions, as explained
in our related publication. For others, it may be risk
sensing, or automated core assurance. Internal Audit
3.0 is about helping Internal Audit functions to keep
pace with change, create value, remain relevant, and
enhance impact and influence.
The inevitability of change
As the saying goes, “There are those who make things
happen, those who watch things happen, and those who
ask, ‘What happened?’”
The stakes are too high, for both Internal Audit and the
organization, for Internal Audit to be in the latter group.
Stakeholder needs have become clear enough for
Internal Audit to engage in true transformation. And
that is what is called for, in the context of a vision for
the function and its role in the organization. With a
vision – collaboratively developed, clearly articulated,
and strongly supported – functions can upgrade to
Internal Audit 3.0, providing stakeholders with its true
worth.
We have repeatedly seen well-developed visions
and diligent follow-through work. In our Chief
Audit Executive transition labs, in Internal Audit
transformation initiatives, and in projects that
promulgate automated assurance, advanced analytics,
Agile Internal Auditing, and high-impact reporting, we
have seen Internal Audit leaders and staff embrace
change, raise stakeholder expectations, and then
deliver on those expectations.
The future of Internal Audit has become clear, and the
time to upgrade is now.
Contacts
Please contact our team if you would like to discuss or need help defining the future of your Internal Audit function.
Terry Hatherell, Global Internal Audit Leader, thatherell@deloitte.ca
Kris Wentzel, Americas Internal Audit Leader, kwentzel@deloitte.ca
Peter Astley, EMEA Internal Audit Leader, pastley@deloitte.co.uk
Porus Doctor, Asia Pacific Internal Audit Leader, podoctor@deloitte.com
Sandy Pundmann, United States Internal Audit Leader, spundmann@deloitte.com
Sarah Adams, Global IT Internal Audit Leader, saradams@deloitte.com
Neil White, Global Internal Audit Analytics Leader, nwhite@deloitte.com
David Tiernan, UK Internal Audit Innovation Lead, datiernan@deloitte.co.uk
Endnotes
1. Evolution or irrelevance: Internal Audit at a crossroads, Deloitte Global Chief Audit Executive Survey, Deloitte Development LP, 2016
content/dam/Deloitte/global/Documents/Audit/gx-deloitte-audit-executive-survey-2016-print.pdf>
2. Understanding Agile Internal Audit: https://www2.deloitte.com/content/dam/Deloitte/us/Documents/finance/us-advisory-agile-internal-audit-part1-introduction-to-elevating-performance.pdf
Putting Agile Internal Audit into Action: https://www2.deloitte.com/content/dam/Deloitte/us/Documents/finance/us-advisory-agile-internal-audit-part2-putting-agile-ia-into-action.pdf
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee
(“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally
separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients.
Please see www.deloitte.com/about to learn more about our global network of member firms.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member
firms, or their related entities (collectively, the “Deloitte network”) is, by means of this communication, rendering
professional advice or services. Before making any decision or taking any action that may affect your finances
or your business, you should consult a qualified professional adviser. No entity in the Deloitte network shall be
responsible for any loss whatsoever sustained by any person who relies on this communication.
© 2018. For information, contact Deloitte Touche Tohmatsu Limited.
Designed and produced by The Creative Studio at Deloitte, London. J15021