The changing shape of internal audit - how should Heads of Internal Audit respond?
The changing shape of internal audit - how should Heads of Internal Audit respond?
Organisations are becoming ever more complex with heightened expectations from customers and stakeholders, pronounced dependence on technology and reliance on third parties. The last decade has seen growing geopolitical uncertainty and the extension of legislation into new areas as regulators seek to tackle global issues such as climate change and data protection.
Internal audit plans have therefore needed to change in response to this environment. Greater emphasis is now being placed on matters such as cyber, supply chain dependencies and climate change and internal audit teams have needed to upskill to get to grips with these new subject areas and provide more strategic advice.
In addition to this, the workplace is undergoing considerable disruption. Rapid advances in technology are driving change, traditional ways of working are being replaced and as alternative solutions become available through AI or analytics, organisations are looking to their internal audit teams to keep pace.
Internal audit teams are changing too, as Gen Alpha follows Gen Z and Millennials into the workplace. The different aspirations and skills they bring as digital natives present great opportunities as well as challenges for Heads of Internal Audit thinking through the strategy and succession planning for their teams.
Wider and more complex risk landscape
Business operations are more complex with organisational dependence on third parties and supply chain networks being highlighted by ongoing geopolitical conflicts and trade disputes. Organisations seeking to embrace new technology to drive efficiency increasingly require assurance that their digital models are robust and to provide comfort to their customers that their personal data is protected. ESG has been high on the agenda of regulators, investors and other stakeholders for some time now with increasing prominence of sustainability data measures included in annual reports and financing agreements. This wider risk landscape provides internal audit teams with the opportunity to significantly expand their traditional remit. Teams that do not respond to this challenge may find their value to the organisation declines and alternative assurance solutions are found.
Increased focus on technology risks
Assurance over cyber and other IT-related risks has become an essential component of the internal audit plan and the proportion of assignments with a digital element continues to grow. Cyber in particular remains one of the highest risks for many organisations in view of the significant consequences of weak defences. The threat landscape is constantly shifting with organisations being increasingly targeted through their third party system suppliers and backup infrastructure. Techniques used are growing in sophistication and finding ways to exploit vulnerabilities enabling previously highly trusted controls such as multi-factor authentication (MFA) to be bypassed. In response, the control measures deployed by organisations have inevitably also evolved for example segmentation and isolation of digital infrastructure is being deployed to improve resilience. Tools such as AI are now being used to improve detection of malware.
Traditional core skills such as an understanding of IT General Controls (ITGCs) are no longer sufficient. Regular investment needs to be made in upskilling internal audit teams so that they understand the latest developments. At very least internal auditors need to absorb the knowledge in audit guides provided by the Chartered IIA on topics such as AI, cyber, data governance. For some technical areas the knowledge required will be so specialised that the best solution may lie in partnership with an external service provider.
Strategic advisors
Internal audit is also increasingly expected to act not only as an independent assurance function, but also as a strategic advisor that helps the organisation anticipate risk, improve decision-making, and support business transformation. Plans that do not reflect organisational strategies, key initiatives and risks will not provide the meaningful insights and advice on best practices that are now prioritised by the Audit Committee, management and other stakeholders.
Standard setters also have higher expectations. These are evident in the Global Internal Audit Standards 2024 in which the Institute of Internal Auditors (IIA) expects that as well as providing “independent and objective assurance designed to add value and improve operations” - the purpose of internal audit is also to provide “risk-based assurance, advice, insight and foresight.”
AI-enabled and technology driven audit/ continuous auditing
As organisations begin to take more advantage of the benefits of using AI and analytics tools, they will expect their internal audit teams to follow suit.
Most teams are already using some form of data analytics software for sampling and to review data for outliers and anomalies. Extending this to enable continuous auditing has been problematic for many teams due to issues with the quality of production data, fragmented data sources, exception proliferation, integration difficulties with ERP, financial, operational and control systems, internal audit skills gaps and lack of support and investment from the wider organisation.
AI technology is another area of challenge for internal audit as teams look to integrate these into their operations to drive efficiency whilst retaining quality and accuracy. Take up has been mixed to date with some fully embracing AI tools and using these extensively and others taking a more cautious approach. Even though these tools are widely available, key practical issues can delay implementation. These include concerns around the security of data, ensuring deployment is in line with the policies of the organisation, training teams to use the technology effectively and safely and ensuring sufficient human intervention if they are used in the audit process to ensure quality and avoid hallucination.
Nevertheless, as these tools become more widely adopted, internal audit needs to be ready to seize the opportunity to innovate. New skills may need to be brought into the team that enable AI tools for internal audit to be deployed and data analytics to be widely used providing a more efficient approach – at least to the more routine audit assignments.
Recruitment model
The developments described above mean that the traditional career pathway for internal auditors will change forever. Entry-level routine tasks will be automated, limiting productive training-ground roles and requiring the internal auditors of the future to enter the profession with a higher level of strategic advisory skills and technological fluency from the outset.
Although the accounting qualification bodies and the IIA are making considerable efforts to keep the curriculum relevant by introducing subjects such as data science and sustainability, the traditional recruitment pool of accountancy trainees may no longer be able to provide the breadth of skills required. Added to this, the next generation of the workforce may consider newer professions such as cyber, data analytics and AI more attractive. Heads of Internal Audit may need to look at alternative solutions to recruit and develop their team members of the future.
How should Heads of Internal Audit respond?
In common with many professions, internal audit is facing the combined challenges of responding to increasing demands for quality from stakeholders and embracing the benefits of advances in technology to improve efficiency and drive down cost.
Many Heads of Internal Audit have already taken steps to move beyond traditional assurance towards a more dynamic internal audit plan that blends assurance with insight, foresight and strategic advisory. In these cases, the audit plan and methodologies are closely aligned to the organisation’s evolving risk profile, with a stronger focus on areas such as cyber risk, third party dependencies, ESG and emerging technologies.
Over the longer term, investment in capabilities is critical. Internal audit leaders must persuade their organisations to support the continuous upskilling of their team, the adoption of data analytics and AI tools where appropriate and building a flexible resourcing model that combines in house expertise with specialist external support. Embracing technology-enabled auditing and, where feasible, progressing towards continuous auditing over time will be key to delivering timely and value adding insights.
This has implications for how Heads of Internal Audit consider their budgets. It is probable that fewer but more highly skilled team members are required but with increased spend on investment in technology, upskilling the team and potentially buying in specialist capability.
The operating model and talent strategy of the internal audit team must evolve too. As automation reduces the need for routine audit tasks, future teams will need to be smaller, more specialised and more strategically focused. This will require rethinking traditional career pathways and developing a proposition that attracts and retains talent with the skills needed for the future.
Ultimately, those Heads of Internal Audit who respond decisively - by evolving their operating model, embracing innovation and strengthening their strategic influence - will enhance and maintain their team’s value and position.