Is Internal Audit Ready for Disruptive Innovation?

Is Internal Audit Ready for Disruptive Innovation
Is Internal Audit Ready for Disruptive Innovation?

Reshaping the Audit Plan Using Protiviti's Digital Maturity Assessment Tool

Disruptive innovation is pervasive. Every organization today is being impacted and every leader needs to be engaged in and well-informed about the digital revolution, its impact on the organization, the risks it presents, as well as the potential advantages it can deliver.

Our recent study of “The Top Global Risks for 2019” with senior executives and board members, conducted worldwide, highlighted a significant change in perspectives on risk. The ability of existing operations to meet performance expectations and competing against “born digital” firms is now rated the number one concern for these leaders. This top risk is followed closely by concerns over the rapid speed of disruptive innovation and resistance to change. This incongruence presents a dilemma across all organizations. It is a natural response to headlines about the emergence of digital companies with a “digital first” strategy and suggests the need for adapting to modern ways of business development.

Not surprisingly, many executives are asking themselves whether they are focusing on and doing enough of the right things to avoid being swept aside in the digital economy. Board members and executives want to know where they stand compared to their peers and competitors and what they need to do to keep pace. Chief audit executives should ask themselves whether they could answer this question and whether they are doing enough to provide assurance that these risks are being appropriately managed. Unfortunately, many organizations continue to make the same mistakes and few audit functions are sufficiently prepared and engaged to identify and report upon these failings.

*Scores are based on a 10-point scale, with “10” representing that the risk issue will have an extensive impact on the organization.
Source: Executive Perspectives on Top Risks for 2019, Protiviti and North Carolina State University’s ERM Initiative,

Reactive response to disruptive innovation

So how are most executive leadership teams responding to change? There is often too much of a focus on investing in new technology. This often starts with investing heavily in customer-facing technologies (e.g., websites and mobile apps) as the organization looks to place a greater emphasis on digital channels. Many organizations also are embracing the cloud and replacing legacy applications with next-generation software.

However, for many, these initiatives result in a digital “veneer” around the business that looks promising on the outside but fails to address shortcomings at its core. To outsiders, and in some cases to employees, this digital veneer creates an illusion that the business is changing and keeping up with the times. The unfortunate reality is that the change is very superficial. Legacy systems and applications often remain archaic and cumbersome, while manual intervention within business processes continues to be present despite the innovative presentation to customers. Often, insufficient consideration is given to how digital channels, the emergence of new business models and the changing competitive landscape impact the more traditional, analog aspects of the business.

Digitalization Approaches

Digital transformation is a way of thinking

To become a leader in the digital age, it is essential to reinvent the business at its core. Beyond technology and process changes, this means the way people think and act in everything that they do needs to substantially evolve. The people aspects are much more important than the technology. That is not to say that technology is not important, but it should not be the driver nor the destination. Fundamentally, digital transformation is about people transformation.

Of course, most organizations are not digital leaders and may never be. Nor do they necessarily need to be.

Many are content to be followers, allowing others to be the pioneers and make mistakes on the “bleeding edge.” However, the pace of change is much faster in the digital age, shrinking the half-life of entrenched business models and making it harder to react.

If the organization is to survive as a digital follower, it needs to be agile and able to react very quickly when leaders disrupt. It must recognize the signs of disruption and act on that knowledge in a timely manner. Increasingly, only organizations — and specifically, their people — who think and behave digitally can do this.

The reality is that most large organizations are slow and resistant to change. This is particularly true of established leaders for whom a traditional approach has been successful for an extended period of time — often decades or longer. Many of these organizations are not taking the steps to challenge and disrupt the status quo.

Internal audit needs to think about how it is assessing the actions the business is taking to transform the organization. It needs to ask, “How are our people transforming?” and “What are our leaders doing to effect change?” Most audit functions are highly capable of providing assurance over changes the business is making, especially in “traditional” areas of audit focus such as finance and technology. However, it has become just as important to highlight the risks associated with not taking the necessary steps to make change, particularly with regard to how the organization’s people are transforming, undergoing training and preparing for digital transformation in the market. Many internal audit functions are far less effective and often hesitant to comment on what an organization
is not doing, particularly in areas of new or rapidly evolving risk.

Key attributes of a digital leader

We have conducted extensive research into what it takes to be a leader in the digital age. We have defined five levels of digital maturity:

Digital Maturity Scale

Digital Skeptics: All organizations are digital to some extent, and this includes Digital Skeptics. These organizations tend to react to what is going on around them and are seen by many as laggards.

Digital Beginners: Beginners are embracing change and having success implementing new technologies. Often, digital transformation activities are best characterized as a collection of point solutions.

Digital Followers: Followers know what it takes to succeed in the digital age and have a clear strategy for execution. They make quick decisions and are able to focus attention when needed to deliver change. The strategy, once delivered, will bring transformation to some aspects of the core of the business.

Digital Advanced: Advanced organizations have progressed their digital transformation efforts further, and have transformed the business to the core, where necessary, revisiting business models that may have served them well over the years. There is a recognition that digital is a way of thinking and not just process automation. Advanced organizations are embracing the latest technology to achieve very high levels of automation throughout their business, reducing their cost base significantly and introducing hyperscalability.

Digital Leaders: To Digital Leaders, this all comes naturally. They have all the attributes of an advanced business and have proven repeatedly that they know what it takes to innovate and disrupt, resulting in a brand associated strongly with innovation. Leaders are altering customer experience paradigms and rethinking traditional business models. As a result of this disruption, they are growing fast and stealing market share from the incumbents.

When we look at digital maturity in this way, we find a significant cluster of organizations somewhere between a Digital Beginner and Digital Follower.

Many are much closer to a Digital Beginner than they at first believe they are. Few internal audit functions are drawing this to the attention of executive leadership and highlighting the risks associated with inadequacies in transformation activities. When organizations fail to deliver, it is often asked: “Did internal audit draw attention to the risks that were not being effectively managed?”

Reshaping the audit plan

Our Digital Maturity Assessment and supporting application has been designed to enable our clients to assess their digital aptitude and to identify quickly areas requiring attention. We view it as a complement to existing risk assessment processes and it can be used by internal audit functions as a digital risk universe.

We assess 36 core attributes that differentiate Digital Leaders from other organizations along a continuum using the five digital maturity levels.

Key areas of focus in our assessment include:

  • Strategic Planning and Business Model Disruption
  • Risk Management and Compliance
  • Culture and Management
  • Organization and Processes (including areas such as Human Resource Management, Knowledge Management, Innovation & Research)
  • Business Process Automation
  • Go-To-Market Execution (including Customer Experience, Digital Marketing and Cross-Channel Strategy)
  • Technology Competencies (including IT Architecture, Software Development, Third Party Collaboration and Cyber Security)
  • Big Data Analytics (including Data Value Creation, Data Governance and Data Science Team)

Protiviti’s Digital Maturity Assessment methodology combines self-assessment through the application, with interviews and workshops. This allows us to help our clients quickly obtain input from a large, diverse group of individuals and stakeholders. The results are consolidated in dashboard reports that we then validate by working collaboratively with the executive management team.

Digital Maturity Assessment Framework

The dashboard reporting provides executives with a measure of how digital transformation efforts are progressing, at a macro or detailed level, providing an assessment of digital maturity for each of the attributes assessed.

Working with internal audit leadership, we use the results of this assessment to reshape the audit plan, focusing attention on areas that will present risk over time if not appropriately managed. We use the tool to highlight areas of inactivity that require consideration. The objective is to provide assurance that the key risks are understood and appropriate governance is in place to manage the risks associated with innovative disruption.

If you knew how your organization measures up, how would you react? Has internal audit looked at the right areas, asked the right questions and reported what it has found? Has internal audit made its opinions heard?

Executive Overview


Brian Christensen
Executive Vice President,
Global Internal Audit
[email protected]
Jonathan Wyatt
Managing Director
Leader, Protiviti Digital
[email protected]
Andrew Struthers-Kennedy
Managing Director
Leader, IT Audit Practice
[email protected]
David Cheung
Managing Director
[email protected]
Ewen Ferguson
Managing Director
[email protected]
Jaap Gerkes
Managing Director
The Netherlands
[email protected]
Peter Grasegger (Germany)
Managing Director
[email protected]
Emma Marcandalli
Managing Director
[email protected]
Michael Pang
Managing Director
Hong Kong
[email protected]
Michael Thor
Managing Director
United States
[email protected]

Ready to work with us?

Brian Christensen
EVP, Global Internal Audit
Jonathan Wyatt
Jonathan Wyatt
Managing Director