In addition, as organizations continue to employ more digital capabilities and ecosystem partners as part of their broader transformation initiatives, scoping and building an organization that can support this new environment is essential to good governance. That means ensuring that auditors have the necessary tools, capabilities, and skill sets to deliver on different and growing stakeholder expectations. This article will review some of the key considerations for internal audit.
Flatter, Leaner, Faster
One of the first questions that arises in discussions about organizational structure is staff size: for example, “How many auditors do we need?” But it’s no longer about the number of full-time employees. As audit functions adopt new methodologies, the organizational structures required will look very different.
Among these approaches, next-generation internal audit groups develop and leverage flexible resource models to access skills, experience, and capacity as needed. This requires resourcing models that differ from traditional approaches and extend beyond the walls of internal audit to encompass the entire business, partners, and vendors. In addition, with regard to skills and experience, the structure of the next-generation internal audit department should support the efficiency and effectiveness of an audit function facing emerging risks.
In addition, next-generation internal audit shops tend to have flatter organizations with more flexible matrix structures and teams of auditors providing coverage across multiple legal entities, geographies, and risks. Resources who primarily focused on testing a portion of audit scope in the prior audit may find themselves leading the next audit. This level of flexibility in roles encourages a less hierarchical culture that is more aligned with the younger generation, while providing new challenges that can help retain top talent and future leaders. Reporting lines and responsibilities of both audit and support teams are increasingly built to facilitate agile audit methodologies. Ultimately, the size and scope of the internal audit function will also depend upon technology, risk coverage, organizational hierarchies, and the extent to which the company can utilize flexible resourcing, such as third parties.
Setting the Right Course
Rather than a standard blueprint, the optimal structure for any internal audit organization should be determined by the types of audits and services being performed. An internal audit function with more experienced people performing a greater proportion of advisory and consultative work for the business—as well as focusing on agile auditing, dynamic risk assessments, and other next-generation internal audit practices—is more likely to be flatter than one that performs a significant amount of traditional, sample-based auditing. Traditional shops tend to employ testing and documentation techniques that require more people performing time-intensive field work and then passing it up the chain of command.
Another structural driver is the level of compliance-related activity undertaken. Organizations that are heavily regulated (e.g., financial services) or that have to perform a lot of Sarbanes-Oxley (SOX) compliance work are going to have additional workstreams—and infrastructure—dedicated to those deliverables. These organizations may need to retain a more traditional, hierarchical organizational structure due to regulatory expectations and the practicalities of the work they perform.
Industry best practices also come into play. In the financial services industry, for example, it is increasingly common for internal audit functions, particularly in larger institutions, to have professional practices groups (PPG) responsible for setting strategy, priorities, methodologies, policies, standards, and procedures. The most effective PPGs take a systemic approach, developing a detailed understanding of the entire audit life cycle, from governance and methodology to resources and technology, as well as ensuring that the function meets its obligations and operates as efficiently as possible.
Achieving More with Greater Efficiency and Agility
Only after developing a clear picture of the internal audit function’s overall objectives can the Chief Audit Executive (CAE) determine the resource levels required to achieve them. Internal audit strategy was covered in a prior column, describing the importance of thinking strategically and defining strategic objectives. Aligning an appropriate organizational structure is a key component to successfully delivering on strategic objectives.
Historically, the scope of work to be performed would determine how many additional auditors would be required to per-form that work. Today, especially for internal audit functions that strive to align with leading practices, there are proven approaches that allow CAEs to achieve greater levels of precision, productivity, and efficiency in meeting their core objectives—most notably, automation and flexible resourcing.
Automation. Over the past decade, according to research conducted by Protiviti (the author’s firm), most internal audit functions have made sluggish improvements in their use of advanced auditing technology. In our view, now is the time to explore opportunities to employ technologies such as process automation, continuous monitoring, data visualization, artificial intelligence, machine learning, and robotic process automation. These and other technologies are increasingly being utilized to streamline internal audit workflows and eliminate tedious and time-consuming tasks. They also generate dashboards that can be used to provide real-time insights into risk and compliance, allowing auditors to focus their efforts where they can add more value.
Flexible resourcing. As noted above, next-generation internal audit groups develop and leverage variable resource models to become agile and gain access to skill sets and capacity as needed; resource flexibility is key. Partnering with third-party subject matter experts to supplement internal auditing staff is increasingly common. Internal audit groups can quickly fill skills gaps, often requiring deep and specialized technical expertise, while also supplementing internal resources during time-intensive projects with critical deadlines.
An internal audit department’s structure reflects its strategic direction. Departments with more traditional audit methodologies, technologies, and governance techniques will typically maintain a traditional, hierarchical internal audit structure. Next-generation internal audit functions with a culture of adopting leading practices have flattened their organizations, becoming more flexible and agile. They are more likely to leverage a strategic matrix that empowers auditors to work faster and more effectively across legal entities, risk areas, and geographic boundaries. To accomplish all of this in a timely manner, they are more likely to utilize new technologies and employ a more flexible approach to staffing the function with a blend of full-time staff, variable resources, and third-party experts.
Thinking strategically about how the internal audit department is structured, and being open to challenging the status quo, is a critical element of delivering enhanced value and achieving organizational objectives, particularly in dynamic and transformative business environments. By scoping and building the right structure up front, internal audit functions will set the stage for current and future success.