The forces of innovation and technological advancement continue to transform business. CPAs and finance professionals, as the scorekeepers of commerce, are looking for ways to leverage this wave of change to improve processes, drive innovation, and glean deeper and more valuable insights for their organizations and stakeholders. This is a goal shared by the internal audit function, which works together with management to ensure the accuracy of financial statements, provide strategic advice, and help identify risks and vulnerabilities.
Similar to finance and accounting, internal audit has evolved over the years, expanding beyond financial assurance to take on a more advisory role, providing insights into everything from cybersecurity to regulatory compliance and human resources. The accounting profession is driven by many of the same forces—technology, risk, and rising stakeholder expectations.
The model used by the authors, shown in the Exhibit, illustrates some of the levers, capabilities, and methodologies that are available and increasingly deployed by internal auditors. These are grouped into three main categories: governance, methodology, and enabling technology.
It is not easy creating a culture of innovation in a risk-averse profession, but the speed of change requires that internal auditors reduce their focus on the manual testing of risks and controls and increase their focus on key and strategic risks. In the modern, data-driven environment, that means improving the visibility and credibility of information across the organization and focusing on high-value activities, such as aligning assurance activities across all three categories and bringing in external skills and assistance as needed.
As an example from the authors’ experience, the internal audit department at a large multinational energy company is working closely with the data scientists and quantitative analysts in IT to find ways to both leverage data tools already deployed in other parts of the company and establish real-time monitoring and controls. The organization is also outsourcing some routine audit tasks to third-party providers to free up internal resources for more strategic activities. In another example, a large consumer financial services company has developed its own data intelligence academy for internal auditors to nurture the department’s data analytics skillset from within. (For more on these cases, see “Next-Gen Internal Audit—Are You Ready?” by Protiviti.)
Good governance depends on the internal audit organization’s ability to increase audit and reporting quality through more insightful and actionable reporting, continuous monitoring, real-time risk assessment, and more streamlined and flexible audits. A dynamic risk assessment approach that adapts to emerging risks will enable an organization to identify risk trends in real time, prioritize risks using risk-based principles, and optimize assurance coverage.
One large financial services organization the authors have worked with has embarked on a global audit transformation to help internal audit produce more effective and valuable insights and work more collaboratively across business units. This includes a more streamlined and continuous risk assessment approach, along with more advanced data visualization techniques. As another example, a large security organization is changing rapidly as a result of its digital transformation initiatives. Because internal audit is being asked to obtain information and deliver insights faster than possible under the traditional audit model, it is employing agile auditing techniques to produce more timely and relevant audit results.
The speed of change requires that internal auditors reduce their focus on the manual testing of risks and controls and increase their focus on key and strategic risks.
The same technologies driving the need for change are being deployed by internal audit organizations to help them rise to the challenge. From robotic process automation to predictive analytics, artificial intelligence, machine learning, advanced data analytics, and visualization, the opportunities for improved insights and efficiencies are staggering. Even if organizations are not yet employing some of these technologies within their business operations, internal audit can gain value from them and potentially demonstrate value that can be replicated throughout the organization with wider adoption.
One of the areas seeing the greatest early adoption by internal audit departments is robotic process automation. The authors have worked with many organizations on a spectrum of adoption, from implementing proof-of-concept robots for specific tasks to deploying a structured robotics program performing many activities simultaneously. Organizations often focus on automating repetitive tasks perceived as being of lower value, such as compliance testing. Common early use cases also include augmenting data collection as part of the annual risk assessment process and preparing governance reporting for the audit department.
Another example of technology-driven audit innovation is the use of process mining, a technique that allows process maps to be generated from a system by analyzing detailed transactional data sets. Key use cases for this technology include educating the risk assessment process and providing insights into a business process before the planning phase of an audit begins, giving the auditor a huge head start.
Even through this cursory discussion above, it should be clear that all of these areas—governance, methodologies and enabling technology—are interrelated. Furthermore, some next-generation transformations, most notably high-impact reporting and dynamic risk assessment, touch on all three areas.
Sweeping changes are enabling internal audit departments to deliver greater value to an organization. These are exciting and challenging times for internal auditors and CPAs in general.