Bruce Turner, “an active company director and audit committee chair”, was recently interviewed on this topic. You can see the full interview at CERM Risk Insights and there is also an article in Future of Professions.
The second of these, the article, has some interesting observations that I will let you read at your leisure.
When Bruce is asked about how the profession of internal auditing should change, he makes some points worth repeating here:
There are three fundamentals to internal auditors adapting to the changes confronting them – demonstrate impact; embrace technology; and apply a balanced approach.
Auditors will need to continuously demonstrate the value of their work if they are to receive sufficient and sustained funding. They will need to work more efficiently while operating in unpredictable conditions, and it will be imperative to leverage technology to compensate for the likely loss of people within their audit teams. Auditors need a balanced approach, whereby audit technology is used wisely and strategically, and blended with physical interactions with clients to witness organizational culture and operational practices firsthand.
Bruce was asked additional questions that are reported in the CERM piece. One relates to that point in the article about the use of technology.
The question was:
In an article I wrote recently, I envisioned increasingly powerful computing capability and AI-driven screening taking over the preponderance of audit tasks by passing all transactions through the screening process rather than relying on after-the-fact statistical sampling of only some of them. Is this reasonable?
Bruce’s answer was:
Yes, it is reasonable in organizations that have a strong digital platform. However, there are some global regions where this will be quite some years off. Where internal auditors do have the opportunity to leverage powerful computing capability I would rather see this being used to enhance the value proposition of internal audit (i.e. to help internal auditors boost their value and productivity, without the need to slash internal audit resourcing per se).
I disagree both with the premise of the question and the answer.
I much prefer internal audit to confirm that management has the controls in place to ensure the integrity of data rather than attempting to do it themselves.
The technology being discussed makes for excellent detective controls when performed by management. Internal audit can help by working with management to deploy these tools to advantage rather than using the tools themselves.
There are five useful takeaways in the CERM piece. This one resonates strongly with me:
Governance, risk management, compliance, assurance and audit professionals need to be innovative in what they do and how they do it to evolve from a hindsight perspective where they traditionally reported on the past, to delivering insights that help business managers now, and ultimately, they need to share foresight that helps business managers run the business in the future.
Having said that, what do I foresee in the future of internal auditing?
- A continuation of the trend to flexible and agile auditing that focuses on what matters to the success of the organization now and in the future.
- The obsolescence of the annual audit plan and its replacement by a continuously updated or rolling plan.
- A focus on communicating the information that leaders need, when they need it, in a readily consumable form rather than a formal audit report.
- The elimination of traffic lights to rank issues in favor of an approach that explains why they matter.
- New attention to the quality of decision-making processes!
That last may not be the final frontier, but it is a fascinating one.
What do you think?
He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.
Latest posts by Norman D. Marks, CPA, CRMA
- The future of internal auditing - December 20, 2021