Achieving High Performance in Internal Audit: How valuable is internal audit to your organisation?

Executive Summary

Welcome to the 2020 Internal Audit Benchmarking Study exploring how our profession is achieving high performance in internal audit. This research continues to explore the fundamental themes of internal auditor capabilities and needs, the scope and roles that internal audit is playing in organisations, how internal auditors are engaging with their stakeholders, and what is being done to drive value, impact and quality.

Protiviti’s “Next Generation of Internal Audit” model represents a useful roadmap for how functions are directing that change. There is considerable take-up for the governance changes necessary to be an auditor of the future, but at this stage less in the methodology and technology opportunities.

Internal Audit Scope And Focus

Internal audit functions are receiving greater investment through delivering more value-adding work product.

Over the past 10 years of these studies, the internal audit profession has reported flat or reducing investment in the function and the size of the program. Finally, in 2019, this trend appeared to be reversing. 42% of respondents reported an increase in the size of their audit plan (in terms of audit days) over the past 12 months. Further, in 2020 there are signs of continued increase, with over a quarter of respondents anticipating spending more on external support over the next 12 months, and just under 20% of respondents anticipating spending more on internal resources.

This may stem from an environment of increased uncertainty and change. Politically, in Australia there is increased unpredictability in decision making and gaps in certainty in policy in areas of environment and energy. The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry has further impacted governance expectations across the private and public sectors. More rapid and more severe implications of poor governance, culture and control, may also be driving an increased expectation of internal audit to provide assurance and advice.

It is likely that this is being driven by internal audit functions delivering more value-adding work product. Beyond the traditional delivery of financial process and controls audits (for which over 75% of respondents reported either no change or a reduction in focus over the past 12 months), sizeable net increases in focus were reported in the following areas:

• Major projects and change initiatives
• Review of culture and soft controls
• IT assurance
• Risk framework assurance
• Compliance auditing
• Operational auditing.

These results are encouraging for the profession, suggesting that it is responding to change and to the needs of its stakeholders, and is doing so with some success. In an environment of increased providers of assurance in organisations, this is a trend that the profession should be pleased with, and needs to continue.

One of the more interesting priorities here is the focus on fraud. This may mean that organisations are seeing increased incidence of fraud, or a reduced appetite for fraud driving internal audit to be more involved in fraud control. In the era of the “24 hour news cycle” and the depth of community response to incidents of fraud, it is likely that organisations will see assurance in fraud control and fraud response as highly significant.

These priorities represent a significant change compared to when this question was posed to internal audit professionals in 2015, when the greatest areas of priority were environment, financial controls and credit risk (noting that this was a time of the introduction of a carbon tax in Australia and the recent emergence from the Global Financial Crisis).

Staffing

Technology, data, security and risk capabilities represent greater needs for internal audit functions in Australia.

One of the more interesting messages from the survey, was a relative lack of concern about staff retention. With the current generation of professionals being far more likely to change jobs and careers more regularly, we had anticipated a more keen sense of concern regarding staff retention. However this has not been the case, with two thirds of recipients being either unconcerned or only a little concerned about staff retention. Only 10% reported to be very concerned.

It is likely that this reflects the fact that a fluid workforce means that skills can be found just as easily as they are lost. Further, changes in workforce can bring a range of benefits to an internal audit function, not the least of which is a fresh perspective. Finally, the ability to draw on external service providers or the contractors market means that losses of staff can be addressed rapidly and successfully.

Areas where respondents reported unfilled demand for resources in a range of areas, in particular:

• Cybersecurity (61% very high or high unfilled demand)
• IT skills (59% very high or high unfilled demand)
• Data analysis (56% very high or high unfilled demand), and
• Risk management (42% very high or high unfilled demand).

This represents an opportunity for the profession (and for professional service providers) to respond. Although we note that some of these areas such as IT skills and risk management have been reported in previous editions of this study as areas where increased capability and capacity is required.

These areas of unfilled demand for capability is a change from 2015 where (apart from IT) the capabilities in demand were finance, operations and environment and sustainability. It is worth noting that environmental matters may come back given global focus on climate change.

Encouragingly, overall the profession is not avoiding providing assurance in areas where there is a capability or capacity gap, with only 11% of respondents reporting that they are choosing not to provide assurance in areas where skills are lacking. Most typically, the way in which functions are responding is to utilise service providers (80%), training up existing staff (56%), partnering with the business (42%) and using guest auditors (25%).

The use of service providers to fill gaps in capability reflects a trend that Protiviti has noticed in recent years, with more sophisticated procurement of services to target particular skills, rather than simple augmentation of capacity.

Reporting

There are some good initiatives being implemented to improve the impact of internal audit reporting, but the opportunities for further improvement are massive.

 

In Protiviti’s vision for Next Generation Internal Audit, one of the areas for transformative change is the need for higher impact reporting.

Our observations in the marketplace is that internal auditors have been slow to move to improve the impact of internal audit reporting. This study does however identify a range of good innovations that are being implemented by internal auditors in Australia to increase value-add from reports, including: identifying themes and trends, giving a point of view, presenting solutions that get to the root cause of issues, jointly developing solutions with management, and use of simple graphical tools such as traffic lights. There remains relatively lower take-up of other reporting options such as use of dashboards, use of data and broader publication of lessons learned. Anecdotally, we have seen some good examples in the marketplace of use of dashboards, providing overall conclusions and opinions, use of balanced reporting by bringing out areas of good practice and application of the organisation’s risk management framework to drive focus on more significant issues.

This opportunity for high impact reporting is discussed further later in this report. One area which has progressed in recent years is the reporting of overall opinions. Such opinions provide real value to stakeholders, but require certain disciplines and controls to ensure they are presented and understood accurately. In this year’s study, 57% of respondents reported that they were being asked to provide such an overall opinion, which is considerably increased on prior years.

Driving Impact, Quality And Improvement

98% of respondents have undertaken new initiatives in the last 12 months to generate significant improvements in the internal audit function’s effectiveness.

One of the encouraging themes from this year’s study is that internal auditors are recognising and responding to the need to change and improve. In response to the question, “Have you undertaken new initiatives in the last 12 months to generate significant improvement in the function’s effectiveness?”, over 95% responded positively.

Particular activities that were reported as being undertaken to improve the effectiveness and efficiency of internal audit functions include:

• Building stronger, more formal relationships with other assurance providers (56%)
• Data analytics (48%), and
• Root cause analysis (43%).

The high focus on relationships is interesting given previously published capabilities and needs surveys for internal auditors have all referenced a perceived weakness at internal and external networking. The result above suggests that our profession is working through this challenge, which is an important development.

The use of data analytics and root cause analysis are equally positive developments, and we would anticipate these to become more prevalent in the future, given the “big data” environment in which we all work, and the demands of stakeholders for increased value and impact in our reporting.

Disappointingly, there is relatively low take-up of other next generation disciplines such as continuous control monitoring (15%) and continuous transaction monitoring (5%). These use technology to provide timely population-based information on areas of control risk or unusual transactions and can move internal audit to a much more proactive delivery of assurance and insight to stakeholders. This may reflect these technologies being applied more by other parts of the business (e.g. in the second line of defence).

Measuring Impact

In order to drive impact from internal audits, it is helpful to have metrics which provide some objective assessment of the impact that internal audit is having.

While this can be challenging, historically internal audit functions have largely relied on feedback from management and the Audit Committee to provide some guidance on the impact being achieved. It is worth noting that the effectiveness of this as a tool to assess impact is heavily dependent on the questions asked to elicit such feedback. This year’s survey has reinforced that this remains the primary approach, with 89% of respondents utilising feedback from the Audit Committee and stakeholders, while 80% are (also) using broader business feedback. While not downplaying the importance of such feedback, these are imperfect tools for assessing impact of the internal audit function.

Encouragingly, this study has identified other tools being used to measure impact, including:

• Tracking the outcomes of recommendations (61%)
• Results of performance measures and indicators (39%)
• Post-implementation reviews (28%), and
• Measurement of costs and benefits (9%).

Increased take-up of some of these by other internal audit functions will help focus business improvement initiatives for internal audit functions in Australia.

Quality

One of the questions that these studies have explored for the past decade is the extent to which External Quality Assessments are performed by internal audit functions in Australia. In this year’s study, 59% reported having completed an EQA within the last five years (and another 11% reported completing one more than 5 years ago). Given it is a requirement of the IIA Standards to have an EQA at least every five years, these results are disappointing. Further, it is worth noting that this has not moved materially compared to previous years (in 2015, 60% reported having completed an EQA within the last five years and another 6% reported completing one more than 5 years ago).

This presents a challenge for the IIA on how to best drive better uptake of EQAs across the marketplace.

Next Generation of Internal Audit

Change is being driven by advances in technology and the use of data, as well as the broader economy in which knowledge, entrepreneurship, innovation, technology and collaboration are fuelling growth. Innovation changes the business model and, as a result, the organisation’s risks. Internal audit not only must respond to these changes, but also must be prepared to assess if the business is undertaking its innovation and transformation initiatives in the best possible manner. In order to accomplish this, internal audit must innovate itself.

Internal audit functions need to rethink how they perform their work in a more agile manner and how they can leverage the proliferation of data and technology to deliver on their objective to provide effective risk management more efficiently. This requires balancing new internal audit models with the right technology, resources and methodologies, as well as governance and infrastructure, to create value. The ultimate objective is clear: It is time for internal audit leaders to build what we term the next generation internal audit function.

In our view, there are three essential objectives of next generation internal audit groups:

• Improve assurance by increasing the focus on key risks. By evolving to become more data-enabled, next generation internal audit provides internal and external stakeholders with relevant, timely and impactful results on the effectiveness of risk management and controls.
• Make internal audit more efficient. Next generation internal audit drives toward data and technology-enabled audit processes, delivering increased efficiency and risk assurance.
• Provide deeper and more valuable insights from internal audit’s activities and processes. Next generation internal audit helps organisations make better decisions not only by addressing and managing current risks, but also by illuminating the risks and unforeseen consequences inherent in their longer-term digital transformation and growth strategies.

In this study, we asked respondents about the extent to which they have begun to adopt some of techniques and innovations proposed as part of the next generation of internal audit.

Governance

Next generation governance covers the internal audit function’s strategy, structure and skills — including how those skills are developed and sourced. Key features include:

• A prospective strategy promoting innovation
• Aligned enterprise assurance
• Streamlined structure and flexible resourcing
• Evolving skills and applied technical acumen.

Around 50% of respondents reported that they were applying these techniques in their internal audit functions, or were planning to do so over the coming year. This is encouraging as the foundation of an innovative and forward-looking governance approach to internal audit functions is typically the right platform for efficiency and effectiveness improvements.

Of these, the technique being applied by most respondents is the prospective strategy for the internal audit function promoting innovation. This is an important ingredient for next generation internal auditing, by providing a clear plan on how the function is going to evolve and change to support more effective and efficient auditing and assurance services and drive innovation to add increased value.

Respondents reported that an ability to achieve truly aligned assurance across the enterprise is the feature from the governance components of Protiviti’s Next Generation model that is most likely to have the greatest impact on the internal audit function’s effectiveness. This aligns with findings reported earlier in this report that respondents were particularly investing in network building across assurance providers within their organisations. This aligned assurance can have both an efficiency dividend (through reducing duplication in assurance activities) as well as an effectiveness dividend (through drawing more incisive conclusions based on the broader portfolio of assurance activities and findings).

Methodology

Next generation internal audit methodologies are designed to equip organisations with increasingly precise insights into real-time risks. Agile and advanced data management and analysis approaches represent key enablers of this real-time view. These methodologies, which also apply to reporting and collaboration activities, generally include:

• Dynamic risk assessment
• Agile, analytics-driven and scalable execution
• Simplified and high impact reporting.

Generally, the take-up of these is somewhat lower than the governance techniques described earlier. It is possible that this reflects the intent of internal audit functions to bed down the governance principles, before then embarking on changes to methodology.

Over one third of respondents reported no plans to head towards dynamic risk assessment. This is surprising given the rapid change of risk profile in the current political, economic and cultural environment. Given the unfilled demand for risk management capability reported earlier in this report, it may be that capability is the barrier for organisations to start implementing more dynamic risk assessment techniques. It may also be that for many internal audit functions, the risk assessment and management functions sit with a Chief Risk Officer (or equivalent) and therefore is beyond the influence of the internal audit function.

High impact reporting appears to be the highest area of focus amongst the methodology components of the Next Generation model. This aligns with comments in the Reporting section of this study. It is increasingly clear that the internal audit profession is far more acutely aware of the needs and expectations of stakeholders, and this is driving a focus on improving the “stakeholder experience” from reporting. Further, as reported earlier, reporting approaches can be highly influential in driving impact from internal audit activities.

Respondents reported that more continuous monitoring would have the greatest impact on efficiency and effectiveness of internal audit functions. Yet it is an area with known challenges in capability within the respondents to this survey. This represents an opportunity for the profession to drive increased training and capability in this area to support internal audit functions to make the most of this potential improvement.

Technology

According to our research, for more than a decade, most internal audit functions have posted sluggish improvements in their use of advanced auditing technology. However, extensive reliance on automation, data analysis and a variety of advanced technology applications is a defining feature of next generation internal audit functions. Common technology activities and tools implemented in next generation transformations include ubiquitous data analyses and advanced analytics, automated processes, process mining insights, and artificial intelligence and machine learning.

Respondents reported that, apart from data analytics, there is expected to be very low take-up of these opportunities, including artificial intelligence and machine learning, robotic process automation and process mining.

Anecdotal evidence suggests that there may be a number of drivers of this, including lack of capability in internal audit functions to know how to invest in these, budget constraints, a fear of change, and systems or technology leaders preventing use of these technologies.

Improved use of data analytics is the one bright spot here, with internal audit functions becoming increasingly comfortable working with the big data that exists in their organisations.

Respondents in the study reported a recognised strong need to improve in capability, but expected low impact on functional effectiveness. This likely reflects the absence of intention to invest in these technologies in the short term.

In our experience, the use of technology provides the greatest shift in efficiency and effectiveness, but it does need the governance and methodology components in place to provide the environment for leveraging the technologies. It also represents one of the more significant changes in approach, which needs to be managed for staff and stakeholders. On this basis, it may not be surprising that it is not a short-term goal for many internal audit functions. However, for those that have the courage and ability to make some of these changes, there will be potentially dramatic improvements in the functional effectiveness of internal audit.