For several years, Protiviti has described the “future auditor” as a chief audit executive (CAE) who takes definitive steps toward making The Institute of Internal Auditors’ vision of “an independent, objective assurance and consulting activity that adds value and improves an organization’s operations” a reality. Several issues of The Bulletin have been devoted to describing various aspects of the future auditor’s journey.
The future is fast arriving with digital technologies unleashing a tsunami of opportunity and disruption that no one can ignore, particularly internal audit. As organizations reinvent customer interactions, digitize products and services, and transform their business models, internal audit must undertake a continuous journey of transformation along the path of innovation.
CAEs are rethinking how their functions plan, execute and deliver results to increase the value contributed to the companies they serve. That is the core message of Protiviti’s latest edition of Internal Auditing Around the World. Profiles of 16 internal audit teams recount how they are adopting more agile practices, engaging the business earlier in the audit process, and becoming more data- and technology-enabled to provide value-added insights and recommendations more efficiently and consistently.
This issue of The Bulletin offers a compendium of some of the best practices obtained from mining the narratives describing the respective journeys of these internal audit functions, under the direction of their forward-thinking CAEs.
Internal Audit: A Next-Gen Perspective
Efficiency, adaptability, increased engagement and deeper, more valuable insights are what next-generation internal auditing is about. Three broad categories of next-generation capabilities — governance, methodology and enabling technology — impact the people, processes, data and technology supporting the internal audit function. Examples of the competencies, qualities and components supporting these categories are illustrated below:
Source: The Next Generation of Internal Auditing — Are You Ready? Catch the Innovation Wave, Protiviti, November 2018.
A narrow focus on individual elements within a given category yields limited benefits because these three categories and the elements comprising them are interrelated and overlapping. Accordingly, these categories are used to organize the best practices gleaned from the next-gen capabilities of the leading internal audit functions profiled in the latest edition of Internal Auditing Around the World.
Governance Best Practices
Setting a line of sight on transforming, innovating and becoming more future-focused is not easy for a function that has historically been backward-looking, change-averse, and reliant on traditional methodologies, long-trusted point solutions and conventional thinking. But some CAEs are doing just that. It all begins with governance and the right people. To that end, the following are some relevant best practices:
Communicate the vision and strategy to everyone who matters. After finalizing the function’s transformation vision and strategy, it is important to communicate it to everyone from top to bottom in the function, as well as to key company stakeholders, and then track and report on progress. In the function itself, the strategy’s relevance is particularly important to everyone involved in its implementation — everyone should be on board to create buy-in and participation.
Conduct competency assessments and training to facilitate the transition to new capabilities. Internal audit leaders should identify the characteristics of personnel needed to make the transformation strategy and vision a reality. The performance expectations to take internal audit to the next-gen level may include the ability to adapt and deploy new technology and approaches, manage rapid change, and pivot quickly. The latter demands a blend of technical and interpersonal skills, including creativity, resiliency, intellectual curiosity, strategic thinking, interpersonal savviness, the ability to collaborate, comfort with ambiguity and a process-first mindset. Other skills might include coding, data extraction, aggregation and analysis, use of visualization techniques, and the ability to link audit objectives and findings to strategic priorities. It’s a brave new world, and it takes new skills to flourish in it.
Improve talent management processes to emphasize diversity and fresh perspectives and avoid being wedded to old constructs. The processes for acquiring and developing talent should open up to a new mindset of emphasizing diversity and hiring talent, not disciplines. Diversity encompasses not only gender, race and ethnicity but also a diversity of experience, thought, background, education and skills, all working toward enhancing the function’s capabilities of solving new and unique challenges. Critical-thinking skills can also serve internal audit well, as the future auditor is more like a business analyst. Auditors should have a variety of skills within their repertoire, including, but not limited to, being strong communicators, as well as problem-solvers who can bring together multiple disciplines beyond the traditional fields of accounting, auditing and technology to address issues.
In accessing the necessary talent, rotational assignments and secondments from the business are part of the mix, as is hiring external talent in the early career stage with a value proposition of simultaneously gaining auditing experience as well as industry and organizational knowledge. New career tracks may be required for highly specialized resources (e.g., data scientists). Internal audit should resist the temptation of trying to convert these professionals into auditors and, instead, allow them to focus their attention on their respective technical areas.
Provide a pipeline of talent for the business. As internal audit focuses on acquiring and developing people who can partner and problem-solve with the business, part of the function’s value proposition is to be seen as a pipeline of talent for the company. That makes internal audit — through the work it performs, its leadership and development programs, its culture, and its reputation as a value driver for the business — a desirable place either to serve in a rotation program or to advance a career. As the function increases its emphasis on consulting skills, turnover in internal audit can become a positive thing, provided the professionals leaving the function stay within the company. If that is the case, the function’s credibility is enhanced, and internal control awareness increases throughout the organization.
Conduct empathy research, including design thinking sessions, to develop value-added audit processes and more in-tune stakeholder engagement models, and enhanced deployment of easy-to-apply tools. Innovation starts with people. Empathy research is a technique for tapping into the audit team’s “collective genius” in designing human-centered and technology-enabled approaches, methodologies, and tools. It focuses on understanding the needs of auditors and how auditees experience audit processes so that the models, data products and other tools the team designs add value and get results. It is an effective way to ensure that the function’s processes are well-managed, and the best methods and practices are deployed in coordination with the first and second lines of defense in the business.
Align key performance indicators (KPIs) to incent the desired behaviors. To shift the traditional focus away from productivity and report volume, new KPIs are needed, focusing on the “new normal” of value delivery, increased velocity, relevancy, elevated trust from business partners and new career development opportunities for auditors. As these KPIs are developed, performance management parameters and links to rewards should be aligned.
Hold weekly sharing sessions to support the function’s transformation objectives. Weekly sessions during which audit team members share with the rest of the team a recent TED Talk or a thought-provoking article covering topics outside of the traditional internal audit realm can broaden the staff’s thinking and reinforce the function’s commitment to knowledge management, information-sharing and continuous improvement. These sessions should challenge how the team thinks, focus on what interests and motivates team members, and help signify why diversity of thought is important when communicating with stakeholders.
Obtain a seat at the digital project design table. Internal audit, to sustain its relevance, should be engaged in the company’s innovation and business transformation activities. For example, as the organization implements a cloud platform, internal audit’s involvement could include identifying the types of controls the business should consider, way in advance of their implementation, and assuming an independent oversight role to ensure effective project management and reporting. A side benefit of this involvement is increased knowledge of emerging tools and how such tools can be deployed for internal audit’s purposes.
Leverage automation for routine tasks. Compliance is important and has its place. But a function deeply mired in compliance assurance may have a ceiling limiting the CAE’s efforts to brand internal audit as a truly valued, consulting-minded business partner. A possible solution is to harmonize and rationalize compliance processes across the organization to define common processes and procedures and explore robotic process automation (RPA) opportunities to reduce labor-intensive testing.
Methodology Best Practices
Auditing at the speed of change is a critical transformational challenge for internal audit. To achieve that goal, many organizations are modifying the more formal agile methodologies from manufacturing and software development and applying them to create faster, more flexible auditing practices.
Adopt agile methods to provide faster, deeper and more valuable insights. Agility is the ability to move quickly and easily. It takes time, energy, persistence and cultural acceptance for audit teams to embrace an agile delivery framework fully. In making the business case for agile:
- Address the needs of business partners as well as auditors (e.g., conduct the same auditing work in less time).
- Articulate the asks of business partners who participate in an agile audit (e.g., timelier fulfillment of information and data requests than in the past, and availability of senior business leaders to discuss status reports periodically).
- Outline the payoff the business gets in return (e.g., a quicker, more transparent process with no surprises in the audit report).
Internal audit adaptations of agile do not necessarily follow to the letter the Agile — with a capital “A” — textbooks. But they borrow enough of the underlying principles to foster a level of agility that makes the audit process more flexible and relevant, and less disruptive. Some of the ways that leading internal audit functions are deploying agile methods include:
- Issuing informal interim updates as a “working draft” of observations during the audit, allowing for business process owners to respond and for auditors to adjust their subsequent work according to that feedback.
- Holding progress meetings (“scrums”) between short “sprints” to increase transparency and minimize surprises in the final audit report.
- Working closely with the technology department to improve analytics and create new data visualization applications to make the audit process more adaptable to the needs of stakeholders and increase the relevance of audit reports to business users.
- Creating an agile auditing center of excellence (CoE) staffed with tenured agile coaches and veteran auditors, and tasking the CoE to use design thinking to find ways to conduct the same auditing work in less time and with fewer disruptions to business processes.
Deploy specialized “agile pods.” These small, cross-functional and multidisciplinary teams focus on managing a specific task and its related risk, identifying and resolving any issues or challenges that arise in the audit process, and reprioritizing work daily. Agile pods can be particularly useful as the organization works toward real-time monitoring and auditing. They have established routine cadences identifying impediments arising from the audit process and offer an effective way to resolve those issues as quickly as possible as well as improve how the function interacts with and provides value to the business.
Automate real-time reporting in areas involving large amounts of text. One audit function is digitizing reporting out of a customer relationship management (CRM) tool used to schedule hundreds of risk discussions with business leaders, management and other key contacts, and store the notes from those discussions. The function is also exploring the use of natural language processing (NLP) capabilities to identify and tag key risks or other important points captured in the discussion notes. In another example, internal audit is working with the organization’s legal group to apply NLP to vendor contracts to search for variances from standard contract clauses or required clauses that are missing altogether.
Create automated dashboards to provide more frequent or near real-time updates. In the digital age, dashboards need to inform in as close to real time as possible. By automating the downloading, sorting and integration of large quantities of internal and external data and the creation of a dashboard that provides more timely information access, as well as robust drill-down capability, the audit team is able to perform more in-depth and timely analyses and improve the quality of audit selection, scoping and testing.
One internal audit function uses a combination of Power BI and internal audit management software to enhance data visualization in a new dashboard to help the CAE monitor audit performance metrics, the status of open and closed issues, and various trending data more effectively and efficiently. The function is now working to create similar dashboards that make extensive use of data visualization techniques for business partners responsible for operational risks, fraud and other areas, with the objective of driving process improvements in addition to ensuring adherence to policies.
Emerging Technology Best Practices
Governance and methodologies lay a foundation for embracing more sophisticated digital tools. The potential is limitless as RPA is combined with machine learning (ML) algorithms and NLP to transform the free (unstructured) text in documents, databases and other data sources into normalized, structured data suitable for analysis and insightful reporting.
Put process before technology. Implementing an advanced technology tool has much appeal. But why bother if no one uses it? The appropriate mantra is “process first, tools second.” Process first means focusing on the underlying methodology and fundamental changes that the introduction of new technology requires. This point is closely linked to communicating the vision and strategy. That said, auditors should increase their knowledge of a variety of emerging technologies, even absent an established use case. Exploration and familiarity necessarily precede adoption.
Introduce automated process maps for all internal audit activities. Automated process mining tools can fundamentally change the way that auditors analyze processes and perform audits. They deploy ML to extract existing data from an organization’s IT systems to reconstruct visually how processes actually perform. These tools offer one of the best examples of the transformative effect of the future auditor’s transition to a digital world.
Increase efficiency by delegating tedious, time-consuming data-gathering and other highly repetitive manual tasks to RPA bots. In addition to allowing internal audit personnel to focus on more value-added tasks, RPA deployment is an efficiency play. Bots work 24/7, and while everyone sleeps. They do what they are programmed to do, so they don’t make mistakes that humans might make in areas involving large quantities of data. Thus, they can dramatically reduce the number of hours internal audit must spend annually in many areas. Following are examples of RPA applications by leading internal audit departments:
- Testing of internal controls over financial reporting and IT general controls — work that is often associated with Sarbanes-Oxley (SOX) testing of issuers listed on U.S. exchanges.
- Automating the process of emailing business partners with information requests, reminder emails and requests for responses to unanswered audit questions to eliminate the need for auditors to upload reports and remember to send follow-ups manually.
- Collecting data from throughout the organization, through existing user interfaces, and gathering it in a single database where it can be put to greater strategic use and analysis (e.g., collect and cleanse expense data from spreadsheets and upload it into a database for deeper analysis).
- Managing the interaction with the internal audit function’s governance, risk and compliance (GRC) platform, creating work program templates, uploading completed templates and supporting artifacts, updating control effectiveness attributes, and performing completeness checks.
Leverage advances in automation and data science technologies to incorporate data analytics in delivering proactive, efficient and effective assurance. The “state of the art” in sourcing data for analytics has progressed to big data sources such as data lakes in the cloud. As a result, access to raw data in multiple structured and unstructured formats has become faster and more flexible, making possible the extraction of value-added insights and reporting supported by drill-down capability to underlying support in real time. For example, leading internal audit departments are deploying near real-time risk analysis and dashboards with drill-down capabilities to help focus audit selection, scoping and testing. They are applying methods to ingest and analyze external data sources as a complement to internally available data. Examples of applications deployed include:
- Monitoring of transactional data to identify high-priority process or policy deviations.
- Intra-company (e.g., inter-department) benchmarking of KPIs to identify “gold standard” performance and possible areas of improvement.
- Operational risk models and dashboards that help business partners monitor their own risks and take corrective measures, as needed.
- Sales and customer analytics to identify focused questions to address during the sales and customer field audit pertaining to customer acquisition, retention and attrition.
- Digital dashboards to get a better sense of whether a risk is going up or down, and to show business owners broad trends over time (instead of using a point-in-time assessment).
- Data analytics to identify trends, with the transfer of ownership of the analytics program to the business for use in monitoring performance.
- Monitoring to track data fluctuations, anomalies or deviations, starting with simple things like travel and entertainment expense reporting, delinquent payments, or slow-moving inventory, and conducting comparative process reviews of activities among all business units — and, from there, driving targeted spot audits of identified anomalies and deviations.
Developments in data analytics can be transformational for internal audit, but they require a change in mindset to deploy. Following are ideas to facilitate that change:
- Assign full-time responsibility for data analytics and other pivotal innovations (e.g., appoint data analysis champions who are accountable for driving adoption and passing on their knowledge to the rest of their respective teams).
- Create a data and analytics CoE to ensure that every team member has at least a working knowledge of data analytics.
- Identify and pursue opportunities for quick wins (e.g., the use of freely available data-profiling tools to evaluate datasets) and provide insight to support audit scoping activities.
- Weave digital technology skills into the DNA of all auditors (and not just specialists), by establishing an “all in” mandate for auditors to use data analytics for every internal audit task unless a waiver is granted to opt out. Exceptions should not be granted lightly.
- Combine attributes of artificial intelligence (AI) — ML algorithms, automation, NLP — with data science and analytics to power deep, broad-based and more forward-looking insights from available data.
- As noted earlier, leverage what has already been developed in the company.
Work with the technology function to identify opportunities to reconfigure or re-engineer certain processes and controls to make them more suitable for data analysis and RPA-enabled testing. Partner with the technology group to explore how to ensure internal audit has the appropriate infrastructure to consume data from the business, combine it with its own data (such as historical issues and ratings in audit working papers), and deliver data-driven insights consistently through the audit process. For example, make a case for securing direct access to the company’s enterprise data lake through the appropriate technology infrastructure and tools to enable implementation of ML, data products and agile analytics in support of the audit plan.
But … don’t reinvent the wheel. As internal audit increases its use of advanced analytics, the function should find out about data analysis already underway across the business (e.g., the existing data lake maintained by the company’s data analytics group), learn how management is using it, and consider how the audit function can use it and thereby leverage innovations, knowledge and technology already available within the company.
Consider offshoring data analysis to reduce costs. If offshored resources are already providing data analysis for other parts of the organization, there may be a cost benefit for internal audit to engage them. Such applications require upskilling these individuals to think like auditors as well as consideration of potential control issues.
Deploy visualization tools to communicate key messages and insights quickly and effectively. Given the demands on many senior stakeholders’ time, we refer to visualization tools again under enabling technologies (see graphic on page 2). Internal audit can benefit from using quantified examples, engaging visuals and more effective ways of presenting improvement opportunities. Examples of the use of these tools follow:
- Equip management and employees with a sharper, more lucid understanding of risks in their respective areas, so they better manage and mitigate those risks.
- Analyze all medium- and high-risk audit findings from the prior five years and apply analytics skills and tools to identify new correlations to “connect the dots” and show the business where it is improving and where it may be regressing, so leaders have more actionable insights to consider.
- To supplement reporting to the audit committee, create dashboards to provide an automatic snapshot of where the function is in terms of overall plan status, project tracking, aging of open internal audit issues, open compliance deficiencies and contractor audit results.
Protiviti’s latest edition of Internal Auditing Around the World shows CAEs and their internal audit functions harmonizing people with methodology and enabling technology to achieve transformational change. These organizations are well on their way toward realizing a next-generation imperative of becoming problem-solvers, rather than mere problem-finders. This is the destiny of the future auditor — paving pathways to efficiency, adaptability, increased engagement and deeper, more valuable insights.
These are exciting times for internal audit. Transforming the function is a work in progress, with much work to be done. There is no one-size-fits-all approach, as the above compendium of best practices suggests. But the future is no longer a hypothetical. It is here now and looking incredibly bright as CAEs blaze the trail along the cutting edge. A bold commitment to elevate the internal audit function’s value proposition, embrace change and improve continuously is the hallmark of these innovative trailblazers. We can all learn from their successes.
 These issues of The Bulletin are: “The Future Auditor: The Chief Audit Executive’s Endgame,” April 2014; “The Future Auditor Revisited,” July 2016; “The Future Auditor’s Advancement of the Audit Committee Relationship,” August 2017; and “The Future Auditor Goes Digital,” May 2019.
 Internal Auditing Around the World: Next-Gen Internal Audit — Are You Ready? Volume 15, Protiviti, July 2019.
 Note that many “off the shelf” ML capabilities do not require high levels of technical aptitude to deploy.
The Bulletin: Protiviti’s Review of Corporate Governance (Volume 7, Issue 6)