For many years, PwC has shared with us their view of the State of the Internal Audit Profession.
This year, the subtitle is Elevating internal audit’s role: The digitally fit function.
They have some useful words, but it is mixed in with an agenda with which I don’t totally agree. I will come to that later. But first, the good stuff:
- Internal audit needs (1) the dexterity to pivot quickly and to keep up with the digital pace of the business, and (2) the knowledge and skills to provide advice and strategic assurance in this new arena.
- Internal audit has to have a seat at the table with management. As you build these out, you don’t want internal audit to come in afterwards and identify gaps in controls. They really need to be there right at the beginning. However, it’s one thing physically having a seat at the table but another having the credibility to be listened to.
- Dynamic internal audit functions are embracing new technologies from multiple dimensions by providing advice and assurance that appropriate controls are in place as their organisations adopt new technologies and by using the technologies within their own departments to streamline the function.
- Internal audit leaders universally agree that annual plans and annual assessments are antiquated. More frequent and more-fluid cycles are what’s [sic] necessary today, and the vast majority of internal audit functions now revisit risk assessments and audit plans more frequently than they used to.
- We’re doing preimplementation [sic] work focused on key strategic priorities to address any potential concerns real time.
Where I don’t fully agree with PwC is on the need for internal audit to put what they call “digital fitness” at the top of internal audit priorities. In fact PwC seems to assess internal audit effectiveness based on the function’s digital capabilities (both in understanding the enterprise’s digital systems and initiatives and in using digital technologies themselves).
Before considering digital fitness, an internal audit function has to have a deep understanding of the business: its business model, organization, objectives, and related risks.
Far too many audit the weeds of technologies and identify issues management has missed, but are unable to assess how those issues might affect the business as a whole and the achievement of its objectives. In fact, technical auditors can be misled by the romance of new technologies into spending time on issues that are not critical to enterprise success while leaving more mundane but significant areas on the table.
In addition, we must not forget that internal audit is not there to identify what management has missed. They are there to provide assurance that management has the ability to identify and address risks of significance. It’s better to see whether management has assessed and acted on the more significant technology-related risks than to set up internal audit as having that responsibility. If necessary, help management learn to fish (after talking to them and senior leadership about that as a weakness) rather than be the fisher of risks yourself.
PwC is obsessed with robotic-process automation (RPA). While this can be a very effective tool in monitoring data and processes, its use by internal audit should be questioned. After all, it is essentially a detective control and it’s management that should be employing it.
There has to be a good reason for internal audit to be the control, identifying data or other anomalies, rather than assessing whether management has the appropriate controls in place.
Internal audit should be (enterprise) risk-based in its planning, execution, and reporting.
Identify the risks that should be audited (and update the plan continuously). Only then select the tools to use. That includes making sure you have the people tools (staff) to be effective.
Be digitally fit to address and add value on the more significant risks to enterprise objectives.
I welcome your thoughts.
He retired in early 2013. However,he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.