Home > Risk > The next generation of internal auditing

The next generation of internal auditing

I want to congratulate Workiva and Jose Tabuena for Internal Audit’s Guide to Planning, Managing and Addressing Risks. I want to focus on the first piece in that publication, Planning to Do the Right Audits: An Effective Internal Audit Risk Assessment.

Here are some excerpts, with comments by me:

  • While the responsibility for identifying and managing risks belongs to management, a key role of internal audit is to provide assurance that those risks are being appropriately addressed and mitigated. [ndm: sometimes it is appropriate to take risk, even more of it, for business reasons.]
  • Are you confident that your department understands the risks that are critical to the delivery of value and the achievement of corporate objectives? Every organization faces numerous risks that matter individually to managers with whom auditors interact, but are they risks that matter to the organization as a whole? The risks that truly matter are those that need to be addressed in the audit plan. [ndm: this sound like something I would say.]
  • Change does not occur on an annual basis. The move to a continuous and dynamic audit plan is significant for most internal audit departments.
  • It’s usually those who are in the details on a daily basis that have the best perspectives on risks and low-hanging fruit when it comes to increasing operational efficiency. [ndm: in other words, don’t just talk to senior management. Talk to the people who know what is really going on.]

The only disagreement of significance I have with Jose is when he talks about the risk assessment and planning being performed every six months. To the contrary, it should be at the speed of risk and of the business.


Protiviti has also shared their perspective. Next Generation Internal Audit: Catch the Wave is a collection of case studies featuring 16 different internal audit departments.

The overall message is not new: internal auditors need to change to meet business needs. That has been a constant in my professional life (going back decades).

I am not going to share excerpts from the Protiviti publication. I found it generally lacking in new and exciting practices. For example, the various CAEs talk about agile, but they are talking about the agile methodology, not necessarily in being agile. By agile, I mean able to change direction quickly to address what matters today as business conditions and related risk change.

Most still audit what matters to a process or business unit, rather than the enterprise as a whole. There is also a continuing failure to perform continuous audit planning.

Finally, many of the CAEs (with consultants cheering them along) are becoming owners of detective controls as they use RPA and other technologies to identify potential problems with data – rather than providing assurance that management is able to do that.

But those of you in internal audit might find value in reading about what other companies are doing.

If you want to know more about my ideas for ‘next generation’ internal audit, consider Auditing that matters.


I welcome your thoughts.


  1. July 14, 2019 at 8:55 PM

    As the 1st Line of Defense, i.e. management and internal control measures, ownership and responsibility for controls, be it detective controls such as RPA and other technologies rest with management, not Internal Audit. IA has plenty of more high-level assurance and advisory services to perform, rather than doing operational matters.

  1. July 26, 2019 at 4:34 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: