Elevating internal audit’s role

For many years, PwC has shared with us their view of the State of the Internal Audit Profession.

This year, the subtitle is Elevating internal audit’s role: The digitally fit function.

They have some useful words, but it is mixed in with an agenda with which I don’t totally agree. I will come to that later. But first, the good stuff:

  • Internal audit needs (1) the dexterity to pivot quickly and to keep up with the digital pace of the business, and (2) the knowledge and skills to provide advice and strategic assurance in this new arena.
  • Internal audit has to have a seat at the table with management. As you build these out, you don’t want internal audit to come in afterwards and identify gaps in controls. They really need to be there right at the beginning. However, it’s one thing physically having a seat at the table but another having the credibility to be listened to.
  • Dynamic internal audit functions are embracing new technologies from multiple dimensions by providing advice and assurance that appropriate controls are in place as their organisations adopt new technologies and by using the technologies within their own departments to streamline the function.
  • Internal audit leaders universally agree that annual plans and annual assessments are antiquated. More frequent and more-fluid cycles are what’s [sic] necessary today, and the vast majority of internal audit functions now revisit risk assessments and audit plans more frequently than they used to.
  • We’re doing preimplementation [sic] work focused on key strategic priorities to address any potential concerns real time.

Where I don’t fully agree with PwC is on the need for internal audit to put what they call “digital fitness” at the top of internal audit priorities. In fact, PwC seems to assess internal audit effectiveness based on the function’s digital capabilities (both in understanding the enterprise’s digital systems and initiatives and in using digital technologies itself).

Before considering digital fitness, an internal audit function has to have a deep understanding of the business: its business model, organization, objectives, and related risks.

Far too many functions audit the weeds of technology and identify issues management has missed, but are unable to assess how those issues might affect the business as a whole and the achievement of its objectives. In fact, technical auditors can be misled by the romance of new technologies into spending time on issues that are not critical to enterprise success, while leaving more mundane but significant areas on the table.

In addition, we must not forget that internal audit is not there to identify what management has missed. They are there to provide assurance that management has the ability to identify and address risks of significance. It’s better to see whether management has assessed and acted on the more significant technology-related risks than to set up internal audit as having that responsibility. If necessary, help management learn to fish (after talking to them and senior leadership about that as a weakness) rather than be the fisher of risks yourself.

PwC is obsessed with robotic process automation (RPA). While this can be a very effective tool for monitoring data and processes, its use by internal audit should be questioned. After all, it is essentially a detective control, and it is management that should be employing it.

There has to be a good reason for internal audit to be the control, identifying data or other anomalies, rather than assessing whether management has the appropriate controls in place.

Internal audit should be (enterprise) risk-based in its planning, execution, and reporting.

Identify the risks that should be audited (and update the plan continuously). Only then select the tools to use. That includes making sure you have the people tools (staff) to be effective.

Be digitally fit to address and add value on the more significant risks to enterprise objectives.

I welcome your thoughts.

  1. July 9, 2019 at 10:25 AM

    What might an effective digital strategy for an IA function look like?

    1. If IA thinks it should be running a specific analysis, then it should start by encouraging management to do so. Ideally, we should be checking that management is analyzing the right things, not doing that ourselves.

    2. IA should evaluate the Company’s data management process, which includes how it determines what data to put in a data warehouse for ease of analysis. What % of the key data used in decision-making is in the warehouse? Having lots of analysts scattered around the company digging in individual applications for data and reporting is a big opportunity area. A centralized team of analysts should handle reporting requests via the warehouse.

    3. Companies should have automation initiatives, where leaders solicit automation opportunities from their teams. Where is the redundant data entry? Where are interfaces between systems missing or incomplete? Which systems are manually reconciled and can those reconciling items be eliminated with automation?

    • Norman Marks
      July 9, 2019 at 10:43 AM

      David, it starts by understanding the business – and specifically how its enterprise objectives depend on technology. What might go wrong and what needs to go right when it comes to the adoption and use of technology.

      Only then can internal audit start prioritizing where it will spend its time.

      Now you can determine what projects should be undertaken, then what skills, knowledge, and tools are required.

      Some of that assessment will be based on how much you can rely on management to do things right.

      Don’t get the latest, fastest, most dazzling tools or hire the smartest people unless you need them. Know what you need first.

      • Erwin Huizenga
        July 10, 2019 at 12:14 AM

        It all starts with knowing business. Then knowing the (your) business. The fact that your business is successful in seizing opportunities in order to achieve its objectives, doesn’t mean it is seizing the best possible opportunities or that it is not wasting resources. Nor does the fact that controls are not breaking today mean they will not break tomorrow.

        IA should get the most dazzling tools and hire the smartest people in order to add value to the business. As opposed to get the tools and people needed to achieve reasonable assurance.

        With this in mind: RPA is just a tool for IA to achieve its objectives. RPA for management is also a tool for them to achieve their objectives. When used as “complex event processing”, RPA could be a valuable tool for the IA to gain insight in possible issues with GRC. As opposed to “monitoring data and processes”.

  2. Roger Estall
    July 9, 2019 at 6:10 PM

    Norman, setting aside for the moment that ‘risk’ has a thousand meanings and thus no meaning (I read that in ISO standards alone, the word is used to formally label 40+ different concepts), I do not understand what you envisage happening when you advocate that IA should “Identify the risks that should be audited”. Where does such a list come from? If the list is from a ‘risk register’ (another largely meaningless entity) then (a) what is the basis for IA to believe that the list is valid and (b) what are the criteria for ‘should’? As to (b), it seems the answer could only be either ‘risks’ for which the level of risk is high (in which case, why not say so) and/or ‘risks’ which would be high but for the correct functioning of a single control (in which case, why not say so).
    But on the broader point of the IA function, why not take a leaf from the late Robert Townsend’s book ‘Up the Organisation’, in which, in relation to HR departments (or the Human Remains department, as one of my friends is wont to characterise them), Townsend advocated simply locking the HR department door while they are all out at lunch and replacing them with a ‘people person’ to whom employees could turn for help if they were having problems with the organisation. The similarity is this: the challenge for any organisation is to make sound decisions – i.e. decisions for which there is sufficient certainty that the intended outcomes will contribute to the organisation’s purpose and deliver the outcomes intended. If IA has a function, contributing to sound decision-making can be its only legitimate function. But the underlying assumption is that without IA, the organisation cannot be sufficiently certain about its decision-making. The validity of this assumption can only be confirmed by considering alternatives and the costs and benefits of each. At the end of the day, IA types are just people who, it is assumed (but perhaps seldom proved), are good at decision-making. So why not do a Townsend? Lock the IA door and put the effort into better decision-making across the organisation. Instead of an IA army, how about (Townsend-like) appointing a Decision Coach?

    • Norman Marks
      July 10, 2019 at 5:40 AM

      Roger, there is more required to answer your question than I can include here. But you make a point with which I agree: how would the organization operate if internal audit disappeared? If there would be no change in either strategic or operational decision-making, then internal audit’s existence is not justified. But the solution is not to make the function disappear or to lock it behind closed doors. The solution is to change its leadership and practices so it provides the assurance, advice, and insight on the things that matter to the organization, when that information is needed, and in a form that leads to prompt and appropriate action.

  3. David Beer
    July 9, 2019 at 10:21 PM

    Having read the PwC article, I think you are somewhat harsh in your analysis, Norman. You are completely correct in what you say, but PwC appear to me to be pointing out a valid business trend and one that IA needs to be prepared for. The biggest problem with IA is that the vast majority of practitioners do not read your posts. If the PwC article results in more relevant support work, then we should all be a little happier rather than using words such as ‘obsessed’ etc.

    • Norman Marks
      July 10, 2019 at 5:34 AM

      Thank you for the (mostly) kind words. My concern is that internal audit fails to understand the business and its objectives as a foundation for deciding on resources and audit priorities. That needs to be in place before considering tools and technical knowledge.

      I admit to being frustrated at the firms’ obsession (and I stand by that word) with RPA and other flashy stuff, when IA is often missing the ‘risks’ that are more likely to cause the business to fail, such as the inability to understand customer needs or to bring products to market with quality and so on.

      My IA team had as many as 1/3 of the staff ‘digitally fit’, and I was an IT auditor myself. So I ‘get it’. But technology-related risk was not my #1 priority for the entire department as there were many other strategic issues that needed to be addressed.

      The PwC report is a state of the internal audit profession and I expect it, as it has before, to have a broad view of IA and not one that focuses on a single issue.

  4. Primal Trivedi
    July 10, 2019 at 6:17 AM

    I don’t agree with the PwC view. Global audit failures in the last decade happened on merits and not on their digital incapabilities. IA gets due presentation in the Audit Committee and they don’t have to have a seat at the table with the management.
    I believe that too much rhetoric and too many standards built around IA are making the logical insights into internal controls opaque – insights that IA should have.

    The entire IA fraternity needs to go back to the basics of the blueprints of internal controls woven into any business model, go the extra mile, and double down on control evaluation and effectiveness. That will answer most of the intriguing questions.