By Mark Peters, Internal Audit Leader, Protiviti UK

For several years, we at Protiviti have recommended internal audit functions to embrace the wave of transformation and innovation underway in their organisations and more broadly. In fact, for the last two years we have structured our annual survey of IA Leaders around these very principles – built around the cornerstones of governance, methodology and enabling technologies – and this year was no different. Since the survey was performed in late 2019, the COVID-19 pandemic has altered the very foundations of business operations, practices and processes, necessarily bringing to light new ways for internal audit to perform its essential assurance and advisory work.

The study, titled “Exploring the Next Generation of Internal Auditing,” surveyed nearly 780 Internal Audit Leaders globally across a broad range of industries to uncover their priorities when it comes to next-generation auditing skills. Those working in the finacial services sector accounted for approximately 25% of those surveyed.

In what should be a red flag for Internal Audit Leaders and Audit Committees, enabling technology received some of the lowest competency marks in the entire survey, based on the participants’ own self-assessments (rated on a 1 to 5 scale, with 5 being highest). Possibly more worryingly, for those respondents in the financial services sector, their scores (as shown in brackets) were marginally lower than the population as a whole.

• Robotic process automation (RPA) – 2.1 (2.0)
• Artificial intelligence (AI) and machine learning – 2.0 (2.0)
• Process mining – 2.2 (2.1)
• Advanced analytics – 2.6 (2.3)

In one telling finding, only 9% of those financial services firms surveyed reported their audit functions are using process mining – a form of analytics that uses transactional data captured by enterprise systems to analyze and visualize how processes are actually being performed, and a surprising 25 percent of respondents reported they have no plans to adopt this enabling technology at all. Notably, internal audit lags behind other key business functions, such as finance, in its exploration and adoption of enabling technologies.

The study also examined audit plans. While the following priorities were the most pressing at the time the survey was conducted, prior to the COVID-19 pandemic, they remain relevant and enduring topics for audit plans across all sectors and industries:

• Fraud risk management
• Enterprise risk management
• Cybersecurity risk/threat
• Vendor/third-party risk management

In the wake of the COVID-19 pandemic, most audit leaders have been re-evaluating their priorities as well as the capabilities of their teams to deliver in these changed and challenging conditions. While not in the survey, many internal audit leaders are focusing efforts in the following areas: sufficiency of processes related to risk assessment; reporting and other stakeholder communications and interactions; impact to the control environment from workforce disruption and the introduction of new technologies; ongoing performance and resilience of critical business functions; and increased use of data and tools.

The foundation of next-generation internal auditing lies in principles such an agile mind-set, real-time risk and controls monitoring, dynamic risk assessment, and the effective leveraging of data and advanced technologies. The need to fully embrace these principles has become even more pressing during the pandemic crisis. Consider risk assessments as just one example. The vast shifts in working arrangements within many financial services firms, such as substantially all members of staff suddenly working remotely should have had a significant impact on Internal Audit’s assessment of risk and the control environment. Examples include heightened cyber security risks, the challenge of how managers manage remotely, increased difficulty in confirming compliant trading environments, and increased fraud risk.

In addition, Internal Audit functions are not exempt from these forced and rapid changes.  How internal auditors go about their trade when they are working fully remotely requires an agile methodology and mindset, supported by a more in-depth understanding of risks and an ability to quantitatlively measure and monitor them.  With the pace of changes to the risks firms are facing, never has it been more critical for Internal Audit to respond in a proactive and informative way, for example with “short, sharp” reviews and any findings raised and reported promptly. IA Leaders need to be braver, recognising that there is no shame in raising audit findings in good faith, based on the available evidence at the time – dotting the ‘i’s’ and crossing the ‘t’s’ of a report are a luxury few organisations can currently afford.

We continue to recommend internal auditors to embrace a next-generation mindset and competencies. We believe that there is a danger that if transforming the audit process is not viewed as a priority by Internal Audit Leaders and brought in alignment with the evolving expectations of stakeholders, the IA function will begin to lose relevance and cede its responsibilities to other sources of assurance.