Home > Risk > Deloitte predicts change for Internal Audit

Deloitte predicts change for Internal Audit

A new report from Deloitte has some interesting conclusions – plus predictable ones.

2016 Global Chief Audit Executive Survey: Internal Audit at a crossroads has some provocative content.

Deloitte says there is a choice to be made: “Evolution or irrelevance”.

They surveyed more than 1,200 CAEs from 29 countries and the majority voiced concern over the current state of internal auditing.

That is not surprising in itself; as I have previously reported several surveys of executives and board members (such as from KPMG and PwC) have said the same thing, notably that internal audit was not consistently auditing the risks that matter.

But it is surprising that so many CAEs, who should be in a position to make the necessary change, echo the concern.

Some excerpts of note:

  • Our research found that CAEs have serious concerns. They know that their organizations are changing—that’s been the case for a while. They also know that Internal Audit needs to respond to meet the changing needs of their organizations.

Those organizations need Internal Audit to inform them about the future rather than only report on the past. They need insights as well as information, advice as well as assurance. They need reviews of not only financial and operational controls, but also of strategic planning and risk management processes. They need internal auditors to apply their rigor, objectivity, independence, and skills in new ways.

As the results of this survey indicate, Internal Audit will have to evolve in specific ways in order to meet these needs. The needed changes are clearer than ever. CAEs must now lead their functions to take the next critical steps. In addition, Internal Audit’s key stakeholders, notably the audit committee and the executive team, must support the function as it takes those steps.

  • The status quo is not an option when 85 percent of CAEs expect their organization to change moderately to significantly in the next three to five years, and nearly as many (79 percent) expect similar change in Internal Audit. The survey also found that most CAEs believe that management and the audit committee will expect Internal Audit to step up to meet new challenges
  • Only 28 percent of CAEs believe that their functions have strong impact and influence within the organization. A disturbing 16 percent noted that Internal Audit has little to no impact and influence. Meanwhile, almost two-thirds believe that Internal Audit’s strength in these areas will be important in the coming years. This disconnect—between current and needed impact and influence—must be addressed, for the good of Internal Audit and the organization.
  • Dynamic reporting is poised to increase. Most Internal Audit groups communicate with stakeholders through static text documents and presentations. Use of text in particular is expected to decrease (from 78 percent to 58 percent) as dynamic visualization tools increase dramatically (from 7 percent to 35 percent). These dynamic visualization tools enable Internal Audit to deliver more insightful observations, interact with stakeholders, and deliver greater value.
  • Reviews of strategic planning and risk management will increase. While about one third of Internal Audit groups have evaluated their organization’s strategic planning process in the past three years, over half expect to do so in the next three to five years. A strong increase is also expected in the number of Internal Audit groups reviewing their risk management function.
  • To make changes in its approaches and activities, Internal Audit should embrace an innovative mindset, as well as actual innovations. However, the function is not known for aggressive innovation.
  • Perhaps Internal Audit should adopt the mantra of many companies—if you are not moving forward, you are moving backward, if only in relation to everyone who is moving forward.

If you have seen my posts for the last few years, you will expect me to agree with many of the points Deloitte makes in this publication.

I especially like the comments about (a) moving to a new model where internal audit communicates what stakeholders need to know, when they need to know – dynamically, taking advantage of today’s and tomorrow’s technology; (b) assessing and contributing to the improvement of risk management; and, (c) assessing the strategic planning process.

I believe that by auditing what matters to the board and executives, internal audit’s influence will soar.

However, I am more cautious about the use of analytics. I wholeheartedly encourage the use of mobile analytics by the entire audit staff, where the time spent obtaining insights into the underlying data is minimal. But, I fear the extensive investment some are making into analytics that are not molded to a dynamic audit approach where few audits are repeated and management is responsible, not internal audit, for risk monitoring.

I always used co-sourcing as CAE. Deloitte stresses this, as any good co-source provider would.

But, I believe there is a point here worth thinking about.

If, as I believe we should, internal audit will need to be very much more agile in the future (if not already), agility in resourcing will become more important.

We need to staff for the audits we perform, not perform audits based on the staff we have.

If our audits are ever-changing, and the skills and experience we need also change at speed, we may need fewer employees and more co-sourced staff. We still need a core with a deep understanding of the business and of the risks that will need to be addressed every year. But, if we expect to perform audits of many different risks each year, we may need to go to the co-source well much more often.

What do you think?

I recommend reading the entire Deloitte report.


  1. July 20, 2016 at 5:35 PM

    “We need to staff for the audits we perform, not perform audits based on the staff we have.” Norman – I couldnt have said it better myself! 🙂

    • Teet
      August 4, 2016 at 12:18 AM

      and yet, this is basically excerpt from standards

  2. Andy Douglas
    July 21, 2016 at 4:53 AM

    From where I see it,

    Internal Audit’s liitle baby know as the three lines of defense has grown up, and it is now biting back on its creator. Too many internal audit functions are stuck in reviewing internal controls and are digging for exceptions. As the 2nd LoD fattens out, as is evidently the case with Compliance, Risk Management and IT Security for example, their scope is in many cases is pushing Internal Audit further out to the margins of the business.

    The case you make on analytics is absolutely spot on. Audit needs a more dynamic and adaptable approach to to this subject, with continuous monitoring, in my opinión being in the realm of the 1st or 2nd LoD.

  3. July 23, 2016 at 1:51 PM

    The challenge for both IA and risk management is to be truly forward-looking.

    This comes down to working out what makes organisations vulnerable to future problems whose shape cannot be identified but whose root causes can. Conventional ‘three lines of defence misses the whole area concerned – see http://bit.ly/2a8t8C2 for more on this.

    To find the typically behavioural or organisational fault lines that these root causes represent, IA and risk management need a fundamentally different kind of approach. We have developed ‘vulnerability evaluations’ to fill the gap.

    The basis for this, the evidence behind it and essence of the new risk identification processes needed will be explained in our new book “Rethinking reputaitonal risk” which wil be published in January by Kogan Page. http://amzn.to/2aCXLgZ

  4. July 24, 2016 at 12:44 AM

    “We need to staff for the audits and consulting services we perform, not perform audits and consulting services based on the staff we have”
    – Agree with both Tom and Andy. We need to re-define the meaning of an independent and objective audit [of the effectiveness of internal control], in the eyes of the board for many reasons.

  5. Brian Robb
    August 3, 2016 at 12:53 PM

    Again a good summary of the salient points for Internal Audit to consider. The findings also reflect our situation with our Chief Executive being very clear he wants “forward looking” rather than “backwards looking” reports from us. We have the challenge of remaining relevant which means structuring our work and reports to offer the insight desired. This means working with the 2nd line functions and drawing insights and an integrated view of how things are going from these functions tempered with our own “business intelligence” including from our use of analytic tools.

    This includes assisting with the improvement of key organisational functions such as the already mentioned areas of governance (strategic planning) and second line functions such as Risk Management and Compliance and our own organisation’s business analytics function. Our challenge is to collaborate well with these function and be the one to provide senior management with the insights gained from our unique role of being across all these functions and being able to tell a compelling story of how things are going and whether we are appropriately future focused for upcoming changes and making the necessary agile changes.

    It is our time of opportunity to remain relevant or become extinct!

  6. Elliot Fisch
    August 7, 2016 at 10:50 AM

    These are the same comments I’ve heard for 40 years. The problem is how relevant Internal Audit is to the company and how seriously they view Audit’s findings, regardless of how risk is identified and what Internal Audit reviews. No commitment from management and no interest by the Board is a long term problem–they rely on the external auditors opinion almost exclusively which is what they are willing to pay for. When was the last time you saw an negative financial report opinion? The external auditors only give passing interest to internal auditors findings and unworthy of their more lofty and more forgiving goals.The report only emphasizes what a better job they do at focusing on risks. Internal Audit will only be window-dressing until management pays attention.

  7. nickmcm
    August 26, 2016 at 10:35 PM

    Those are all obvious statements regarding the role CAE has decided I take. I like to lead, I want to lead and I know I can lead. I feel the biggest hurdle I’ve continued to face is CAE refusing to let go for any reasonable length of time roles and responsibilities needed to lead. The first hint of a situation possibly failing is met with the removal of duties by CAE and all roles reassumed. Usually done publicly so remaining members naturally in turn follow suit. I could and should be doing more productive things in my day but I have been highly discouraged at the negative rhetoric met at most turns while CAE uses CAE’s inability to allow any real decisions to be made by audit as the reason audit won’t step up and adapt. audit should evolve and loves to grow but has admittedly been very discouraged but wants to refocus regardless of anyone’s explanations.

  8. robertlarose2016
    September 12, 2016 at 11:17 AM

    It’s always good to look for ways to improve internal audit.

    Commenting on this article’s analysis and not the Deloitte study itself, I here are some observations based on an internal audit career of 30 years:

    1) Internal audit will never be irrelevant in organizations (like US public corporations) where compliance with Sarbanes-Oxley is required. Evaluation of internal control effectiveness belongs to internal audit and the importance of this function should never be minimized.

    2) In private organizations, the effectiveness of internal audit it directly proportional to the support IA receives from the top-company ownership, primarily. Many organizations want an internal audit function on paper, but only if internal audit reports that management is effective. To report otherwise is to risk the job and careers of the internal auditors. This is the reality of life in internal audit. Internal audit in such organizations could be greatly improved by guaranteeing CAE guaranteed contracts similar to the Statutory Auditors in publicly traded Japanese Corporations, who have guaranteed 5 year contracts.

    3) In publicly listed corporations subject to Sarbanes Oxley, requests to evaluate strategic planning should come from the audit committee. Such an evaluation would probably be limited to evaluating if a formal strategic planning process with measurable metrics exists. Assuming that such metrics exist, then internal audit could evaluate if these established metrics were met (for example, occurrence of annual strategic planning meetings, issuance of strategic planning reports, etc.) However, the true measurement of strategic planning effectiveness occurs in the marketplace, not in an internal audit report.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: