Building the internal-audit function of the future

Due to the pandemic, many organizations have focused their internal-audit functions on short-term priorities, but now is also the time to recalibrate for potential long-term uncertainty and complexity.

The primary role of internal-audit (IA) functions is to help decision makers protect organizational assets and reputations, as well as to support operational sustainability—functions that have come under increasing pressure over the past year. With the COVID-19 pandemic leading to a sharp rise in home-based working, asset risks have increased, while a disrupted business environment has fueled uncertainty around reputations and sustainability. Over the coming year, the challenge for IA functions will be to ensure that they continue to provide secure oversight while adapting to a dynamic risk landscape.

In normal times, the IA function focuses on offering assurance around business-process risks and controls. However, as risks have multiplied and become more complex, IA has been required to deliver a wider range of services, often on short notice. In some cases—for example, at financial institutions—IA also has responsibilities around governance, risk appetite, and a risk and control culture that has been under the spotlight in recent years.

The IA remit is not new, per se. What is new is the number of emerging risks that IA must track. These, for example, relate to digital operations in a dispersed working environment, the accelerating pace of business-model change, and the depth of uncertainty in many markets. In this dynamic context, auditors are presented with challenges in three key areas:

  • the wholesale shift to remote working, which has implications for assets, governance, and audit coverage because established protocols can’t always be implemented
  • new and more severe risks, for example, around information security
  • the need for new strategies and processes, including innovative tools and skill sets, due to the impacts of the pandemic

As the risk landscape becomes more complex, the onus is on IA functions to review their current operations—ensuring they are equipped for a working landscape that, in some areas, has seen years of change in just a few months. For a few leading organizations, the recent shake has come as no surprise. These businesses saw the disruptive wave picking up ahead of the pandemic and started to make preparations. However, even innovation leaders need to recalibrate for a post-COVID-19 environment in which we expect to see faster business cycles and increased complexity. For some organizations, particularly financial-services firms, any change will need to be balanced against regulatory mandates. However, the aggregate picture is consistent across the board—an imperative to align with a new normal and unlock more efficient and effective assurance processes.

To manage these challenges and align capabilities with emerging risks, decision makers may take action in three no-regret areas, as outlined below.

Recognize that changing work patterns and economic relocations have created new risks

Remote working, macroeconomic shifts, and structural changes have heightened existing risks and created new ones, for example, relating to remote supervision and training. Audit functions must refocus on areas they may not have considered high risk or on risks they may not have considered at all. In a physically compromised environment, for example, basic control steps such as supervision and segregation of duties may be compromised—especially where they rely on technology work-arounds that preclude physical oversight and inquiry. Remote-technology latency issues, meanwhile, may undermine time-sensitive processes.

Given the impact of the pandemic on work patterns, some audits may require additional rigor. Protocols for information security, for example, traditionally leverage technology controls to prevent improper access. However, these may not sufficiently withstand the demands of remote working. Indeed, new environmental parameters may be necessary. There may also be more prosaic challenges: some staff working from home will share a workspace, presenting additional security concerns.

Given the potentially permanent shift to increased home-based working, IA teams should comprehensively review information-security protocols to ensure they address environmental risks. Additional controls may be required, including attestations that staff are able to secure data, and expanded compliance testing. Since IA often has access to vast stores of confidential data, it should also review its own security procedures, including items such as data-download capabilities and printing regimes.

As well as shoring up databases, audit functions should revisit cybersecurity and the need to protect access to their networks, which may be more prone to attacks in a remote environment—either due to human error or vulnerabilities in systems not designed for remote work. Transactions initiated by clients and customers normally go through multiple oversight routines, including call-back procedures. However, in the current environment, such procedures may be more exposed to risk. Specific to the industrial and operational context, institutions should analyze third-party interactions and consider how they may impact institutions’ risk profiles and control processes.

Finally, IA should work with business lines and second-line functions to review their risk and control matrices, ensuring that new risks are included in taxonomies and checking that existing controls are appropriate and effective.

Leverage advanced analytics to ensure more real-time risk identification and timely update of audit plans and scope

The events of the past year have reinforced the reality that early identification of emerging risks is an essential element in identifying control weaknesses. Leading companies have responded by investing in advanced-analytics techniques. These have enabled audit teams to undertake a broader range of activities with a higher degree of accuracy across risk assessment, audit planning, and execution. They have also helped ensure that the prioritization of audits and scope of testing reflect a highly dynamic environment, both internally and externally.

The goal of audit analytics, however, should not solely be to “automate” audit processes. Instead, firms should reimagine testing concepts to achieve much higher levels of efficiency and effectiveness and sharpen identification of emerging risks. The most valuable use cases are likely to be associated with patterns or risks that were previously undetectable. Artificial intelligence (AI) is particularly well adapted to this kind of application, and can provide the insight required to both launch new audits and reprioritize existing cases.

In one example, a pharmaceutical company modernized its approach to prioritizing clinical sites for audits. The firm developed a machine-learning model that processed multiple signals—including site characteristics (type of site, location, experience), historical performance (previous quality issues, audits), in-trial direct observations (adverse events, deviations), and in-trial secondary signals (data-submission delays, aberrations in dropout rates). The model was trained on historic data, then tailored for the sites/trials in scope. It was then able to more accurately identify potential issues and flag higher-risk sites. The model also informed monitoring frequency at sites in different risk tiers. The results from ongoing audits were used to further improve the model’s predictive power over time.

Many audit functions are currently at the beginning of the journey toward leveraging the full potential of analytics. In many cases these efforts are inhibited by data challenges, including a lack of single, verifiable sources of data (data lakes). Still, short sprints on select use cases can yield powerful results, both in terms of improving the effectiveness of the audit process and making a case for development funding and transformative change.

Enhance execution and accelerate reporting to reflect rapid changes in operating environments

Balancing speed with rigor and comprehensiveness is a perennial challenge. Audit and reporting cycle times are often too long and lack the agility required in a dynamic environment. Audit functions can adapt via new technologies (for example, collaboration tools), increased automation, and enhanced reporting mechanisms. These kinds of solutions can enable faster audit cycles and more timely reporting.

Simultaneously, IA teams should ensure they incorporate control monitoring of second-line functions in the scope of scheduled reviews. Testing of second-line monitoring should not replicate second-line functions. Rather, it should ensure that the activity is effective and additive to the control process and is focused on key risks and exposures. Cases where the work is duplicative or ineffectual should be discontinued.

Current audit processes may also lack mechanisms to speedily report key issues to senior management and the audit committee (AC). This is often caused by the “cycle time” in the audit process, which comprises planning, risk assessment, walk-throughs, testing, issue identification, issue agreement and clearance, management responses, and final opinion determination. While middle management will usually discuss issues early in the cycle, reporting to senior management and the AC is often delayed until completion of the process. The cycle often plays out over 90 days or longer—too long in a fast-changing business environment. Reporting is often further set back because of the normal quarterly cycle of AC meetings.

One way to enhance and embed more timely reporting would be through an “internal audit dashboard,” which could be made available to senior management (and potentially AC) on a real-time basis. The dashboard would provide performance metrics based on factors including scope, timing, status, and potential issues, and serve as the basis for a more regular dialogue with senior management.


As we approach the coming year amid significant uncertainty, IA functions are likely to be consumed by near-term COVID-19-related priorities. However, this may also be a good moment for a focused dialogue on potential efficiency initiatives and a plan to recalibrate IA functions for a more uncertain and complex commercial landscape.
