Earlier this year, Deloitte published Internal Audit 3.0, The future of Internal Audit is now.
It’s great that they are encouraging internal audit departments to change so they can meet modern demands, but their presentation that they are offering something novel and disruptive is way off the mark.
As I read the report, I was almost immediately struck by errors of fact. For example, in Figure 1 on page 2, they show IT auditing as starting around 2010. This is absurd. I was running the IT audit function for a major US corporation in 1981! Indicating that data analytics is a current day development, when it’s a technique that has been used for over 30 years, makes me wonder.
In Figure 2, they show integrated audits and cyber risk starting around 2010 and 2012. Does Deloitte have an alternative set of historical facts?
The authors seem very proud to have come up with the “triad of value that Internal Audit stakeholders now want and need”. That triad of “Assure, Advice, and Anticipate” is nothing new. In fact, the IIA’s Mission Statement (published in 2015) is:
To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.
The Core Principles of Effective Internal Auditing (also 2015) include:
- Provides risk-based assurance.
- Is insightful, proactive, and future-focused.
- Promotes organizational improvement.
In three years, Deloitte has come up with new words that, in my opinion, are not as powerful as those the IIA came up with in 2015. (Full disclosure: I was a member of the task force that developed both the Mission and the Core Principles.)
They have replaced “insightful, proactive, and future-focused” (a wonderful set of words, each with great meaning) with “anticipate”.
This is not progress.
When they discuss Assurance, they say:
Assurance on core processes and the truly greatest risks is essential but so is assurance around decision governance, the appropriateness of behaviors within the organization, the effectiveness of the three lines of defense (LoD), and oversight of digital technologies.
I agree with them on assurance related to the risks that matter. I also like the emphasis on decision-making and organizational culture.
But oversight of technology is hardly new, and they don’t seem to understand that when you take an enterprise risk-based approach there is no need to provide separate assurance on individual processes. Audits of how management provides reasonable assurance that the risks that matter are identified, understood, and addressed fully encompass the controls within the processes that manage those risks.
I can’t say more than that an emphasis on the 3LoD is absurd. Why call it out? Just focus on the risks that matter and provide proactive and future-focused assurance, advice, and insight.
They also say:
Anticipating risks and assisting the business in understanding risks, and in crafting preventative responses, transforms Internal Audit from being a predominantly backward-looking function that reports on what went wrong to a forward-looking function that prompts awareness of what could go wrong, and what to do about it, before it happens.
This is a management function. Internal Audit should assess whether management has the capability to identify, assess, and address new or changing risks. If they don’t, we can provide advice and insight that will help them upgrade their processes.
They miss the point that insight should refer to the internal auditor sharing more with management than the standard language of the internal audit report. For example, is the manager of the function audited competent and does he treat his employees well? Is there a morale problem?
Then there is this:
Now, what if – using digital assets – core assurance could be automated, significantly reducing the resources needed to cover these traditional, core processes on a more continual basis? Automated core assurance harnesses analytics, robotic process automation (RPA), and artificial intelligence (AI) to monitor controls and flag non-conformance in real time. Combine this with automated reporting, and Internal Audit can communicate non-conformance to the business so they can remediate immediately, rather than only being able to check the controls every few years under a rotational audit plan scenario.
Let me present a contrary view.
- If digital assets can be deployed to detect non-conformance, they should be used by management as detective controls, not by internal audit (except in rare cases, such as fraud detection).
- Internal Audit should assess whether management has effective preventative and detective controls in place, not be the control themselves.
- When Internal Audit uses continuous auditing techniques (which have been advocated for decades), there is a danger that they are not assessing the controls management has in place and therefore are unable to provide an opinion on them.
- It is quite possible for there to be no errors in the data even though the system of internal control is deficient.
- This recommendation will support the view of Internal Audit as the corporate police rather than a business partner.
I know some of the Deloitte leaders and don’t understand how they could publish a document like this.
I suggest they read Auditing that Matters (2016).
Your thoughts?