The Next-Generation Internal Audit Journey Needs to Begin Now

Key Takeaways From Our Survey

• Progress remains slow: Next-generation internal audit journeys are just beginning – For CAEs and internal audit leaders as well as other internal audit professionals, self-reported maturity levels are primarily in the midrange, with lower scores related to adoption and use of enabling technologies. After a challenging 2020 that required many internal audit functions to reprioritise projects, it’s now time to refocus efforts on embracing the next generation of internal auditing as the new normal.
• Digital Leaders stand out – With regard to next-generation internal audit capabilities, there is a clear difference in the skill and maturity levels between Digital Leaders and other organisations. 
• Digital maturity remains a rarity, but progress is evident – Most internal audit functions are just getting started on their next-generation journey: A clear majority rank both their organisation and internal audit department below the Digital Leader level. Yet a majority have transformation and innovation initiatives underway, which is a positive development. Keep in mind that progress toward next-generation capabilities and performance is not limited to only those operating as Digital Leaders. It can be achieved through an intentional series of incremental steps.

Protiviti’s Digital Maturity Scale

In our study, respondents were asked to rate the digital maturity of their organisation and, separately, their internal audit department on a 10-point scale (see below). The question was prefaced with a detailed definition of digital transformation and maturity: 

Digital transformation is about changing the way an organisation acts and thinks in everything it does to position it to compete with “born digital” companies and Digital Leaders, including through increased use of data and technology to support enhanced customer engagement, digitisation of products and services, better informed decision making, and improved operational performance. We define the levels of digital maturity as follows:

• Digital Skeptic: Digital plans are not formalised and initiatives are managed in an ad hoc or reactive manner. React to competition. Risk averse.
• Digital Beginner: Digital plans are not fully developed, although multiple digital initiatives are underway and the objectives of these initiatives are understood. Embracing change. Collection of point solutions.
• Digital Follower: A digital strategy has been developed and the organisation has a proven track record of delivering on digital initiatives. Digital initiatives are typically focused on discrete aspects of the customer journey. Clear strategy. Agile. Effective at change delivery.
• Digital Expert: Digital aspects are in place and managed quantitatively enterprisewide. High levels of process automation have been achieved. The organisation has a proven track record adopting emerging technologies. Low cost base. Hyper scalable.
• Digital Leader: The organisation has a proven track record of disrupting traditional business models. Digital aspects of strategic plans are continually improved based on lessons learned and predictive indicators. Innovative. Disruptive.

Digital Maturity Scale

1 – Digital Skeptic

2 – Digital Skeptic +

3 – Digital Beginner

4 – Digital Beginner +

5 – Digital Follower

6 – Digital Follower +

7 – Digital Expert -

8 – Digital Expert

9 – Digital Expert +

10 – Digital Top Performer

For the purpose of our analysis, we have categorised our group of “Digital Leaders” to include those organisations and internal audit departments that rank themselves at “7” or higher.

Assessing Next-Generation Internal Audit Maturity Levels

Table 1

Level of Maturity: Next-Generation Internal Audit Capabilities – Overall Results (North America)*

What You Need to Know

Overall, maturity levels for next-generation internal audit competencies are in the mid to low range, indicating most organisations are still in the early stages of their next-generation audit journeys.

Governance maturity levels are higher than those for the other two categories. Average maturity scores are the lowest for enabling technologies – not a surprise considering that capabilities such as machine learning, AI and process mining remain relatively new for most internal audit groups. Still, it is clear there is a lack of recognition of the link between effective governance and use of enabling technologies.

CAEs should ask, “How do we both develop and access the necessary skills to build a next-generation audit function?” Doing so will enable internal audit to better serve stake-holders and achieve aligned assurance.

Where Digitally Mature Organisations Stand

Table 2

Level of Maturity: Next-Generation Internal Audit Capabilities – Organisations That Are Digital Leaders vs. All Others (North America)*

What You Need to Know

There are striking differences between next-generation internal audit maturity scores for Digital Leaders and other organisations. Digital Leaders clearly stand out as having greater skills and capabilities in these competencies.

Key areas of focus for next-generation internal audit functions include aligned assurance, an agile audit approach, and technology and data. For these, internal audit departments require the right mindset, skillsets and toolsets – areas in which internal audit groups within Digital Leaders have made significant advance-ments.

Of note, even for Digital Leaders, maturity scores for enabling technologies trend lower. Though these scores are still notably higher compared with other organisations, having a plan in place to develop skills and capabilities in AI, machine learning, process mining and other technologies is vital.

Differentiating Internal Audit Digital Leaders

Table 3

Level of Maturity: Next-Generation Internal Audit Capabilities – IA Department Digital Leaders vs. All Others (North America)*

What You Need to Know

Similar to the Digital Leader findings shown in Table 2, there are remarkable differences when comparing the next-generation internal audit maturity scores for internal audit departments in the Digital Leader category and other organisations.

A broad takeaway from these results is that even for Digital Leaders, maturity levels are only at moderate levels, at best. The question for CAEs to consider is, “How far behind might we be?”

CAEs need to take the lead in transforming their internal audit functions to better serve the business. This includes defining a roadmap and getting started possibly with small projects enabling achievable wins, and establishing a culture and mindset of innovation so that it becomes a grassroots effort embedded as part of delivery.

Roadmap – Getting Started and Advancing on Your Next-Gen Audit Journey

It Starts With Commitment, Culture and an Agile Mindset

In our white paper, The Next Generation of Internal Auditing – Are You Ready?, we provide a call to action and roadmap for internal audit organisations to begin their next-generation transformation journey.This guidance remains highly relevant and links closely to the results of this survey on next-generation internal audit principles and practices. As such, we are pleased to republish our recommendations here.

First, we are optimistic about the future of internal auditing. Every internal audit organisation has an opportunity to become better and either begin or advance their next-generation internal audit journey. There are small, achievable steps to take that will make notable differences, even if the organisation is not a Digital Leader.

To get started on the journey to become a next-generation internal audit function, a clear roadmap is needed. But the very first step, in our view, is establishing the mindset and commitment to:

• Transform the internal audit group’s governance, methodologies and enabling technology capabilities needed to address emerging business risks and heightened stakeholder expectations.
• Increase internal audit’s effectiveness and efficiency while fulfilling the function’s core mission to protect organisational value.
• Start thinking differently.
• Reassess the design and capabilities of internal audit, striving to become an agile next-generation internal audit function that embraces the benefits of the latest in thinking, methods and technologies and is transformation-oriented.

We believe internal audit groups need to be ready and need to get started now. And they need the right commitment and mindset. While this transformation is mission-critical, it won’t be easy.

Internal audit groups should approach this objective in an agile manner. Identify areas where change is needed, establish goals and a plan to accomplish them, and stay focused and intentional in executing against them. Progress doesn’t necessarily have to be achieved through modest increments. Each organisation will need to figure out the right areas of focus and establish a plan and timeline, understanding that they may end up delivering in a traditional way or through a more agile approach.

Above all, be flexible and maintain a mindset of, “How can internal audit find ways to perform better?” with the perspective that “better” can mean different things to different organisations. Look to take small steps, but commit to taking those steps quickly and immediately. The sequential “assess-design-implement-reassess” approach has become dated. Adopt a more iterative approach, remain flexible, and be prepared to make changes as the business evolves, new priorities are established and new innovative approaches emerge.

While the specific design of next-generation governance, methodology and enabling technology elements varies according to an organisation’s unique risk environment and business objectives, there are common considerations and actions that have proven valuable in the growing number of internal audit transformation efforts underway.

First, CAEs and their teams need to recognise that, while necessary, change and progress is hard. For example, CAEs, as well as the team responsible for designing the next-generation function, need to appreciate the difficulty of the endeavor. In most cases, developing a next-generation internal audit function requires changes to every major component of the function – from processes, to enabling technologies, to the skills and resources within the function, to how the function is structured and managed. What’s more, an individual organisation’s vision for next-generation internal audit will change over time as new business objectives, risks and technologies materialise once the new function begins to take form. For this reason, an effective next-generation audit function must be adaptable – that is, flexible enough to respond to disruptions that are unforeseen today. Engagement with executive stakeholders is also vital in order to solicit input on and support for these changes.

Adaptability is among several key success factors CAEs and innovation teams should consider as they move forward. The others include the following actions:

• Establish an agile mindset. To succeed, next-generation efforts require an internal audit culture that embraces change and the need to be agile. Instilling this mindset throughout the function calls for a clear message from the CAE that continued long-term success requires change. This enabler is not unique to internal audit groups, but it represents a formidable hurdle for many of them to overcome.
• Keep the big picture in mind. Remember that the purpose of this transformation effort is to fundamentally change and seek to continually improve how all internal audit work is performed. It is incumbent on the leader of the innovation effort to focus on the long term while continuing to deliver in the short term. This helps ensure that the focus on incremental improvements does not result in the implementation of point solutions that may detract from making progress toward the larger goal, which will bring about much larger benefits.
• Empower people to innovate. Regardless of whether the internal audit function is 1,000 strong or a team of five, the CAE must encourage and empower every member of the internal audit group to pursue innovations and work with the team to implement them. Encourage the team not only to adopt a mindset of innovation, but also to submit ideas for improvements and innovations. In addition, be sure to reward experimentation. The key is to drive innovation throughout the internal audit function – innovation should not be a top-down exercise.
• Seek quick wins. While the internal audit innovation team should keep the big picture in mind (in other words, becoming a next-generation internal audit function), it is helpful to start the implementation of the plan with a single project that is carefully selected for its high potential to demonstrate visible success – in other words, generate a quick “win” rather than take on too much at once. For example, as the function begins to implement agile auditing, it makes sense to do so in a part of the business already familiar with agile methodologies (e.g., software development within IT), in an area of the business where internal audit has a good relationship, or with a simple, familiar, non-complex and non-integrated audit. On the other hand, launching the implementation effort by introducing new technologies and/or methodologies to a complex auditing area can bog down the effort at a point where it is crucial to demonstrate success and progress.
• Recognise and react to two sets of ripple effects. As internal audit teams innovate and implement changes to auditing processes, they must recognise two aftereffects. First, any change to one phase of the auditing lifecycle is likely to affect other phases. For example, changes to how a particular audit is executed may alter the volume and nature of information the audit work produces, which may create the need for essential changes to how the audit work is reported. Second, changes in internal audit processes and technologies may require changes to the internal audit function’s organisational structure and talent. At the same time, changes in talent and skillsets may compel internal audit leaders to think differently about how they leverage them most effectively. A key to addressing these aftereffects is active and open dialogue with internal and external stakeholders.
• Integrate adaptability into the design. Given the current pace and magnitude of change, the notion of defining how the internal audit function should look and operate can be an intimidating proposition. Clearly, it is impossible to anticipate (1) every change that will materialise in the near and long term; and (2) how those shifts will affect auditing operations and skills required within the internal audit function. For this reason, it is useful to develop an adaptable internal audit function, one that is committed to ongoing skills development, routinely experiments with new technologies and approaches, and can, relatively easily, incorporate new technologies, risk management techniques, and other business processes as they emerge and as the broader organisation evolves as part of its own transformation efforts and in response to rapidly changing external forces. This is where a culture of innovation, embedded in the audit function and among all team members, becomes so important. Every team member can have good ideas and should be encouraged and empowered to develop and share them.

Appendix – Protiviti’s Vision of the Next Generation of Internal Auditing 

The objectives of next-generation internal audit functions may be straightforward, but achieving these objectives requires a range of innovative approaches, tools and governance enablers, including a culture of innovation, that must be tailored to specific organisations and their needs.

In our view, there are four essential objectives of next-generation internal audit groups:

1. Improve assurance by increasing the focus on key risks – By evolving to become more data-enabled, next-generation internal audit provides internal and external stakeholders with relevant, timely and impactful results on the effectiveness of risk management and controls.
2. Make internal audit more efficient – Next-generation internal audit drives toward data- and technology-enabled audit processes, delivering increased efficiency and risk assurance.
3. Enhance skillsets continually – Next-generation internal audit functions seek to continually advance their skills, both through upskilling staff and recruiting new skillsets and capabilities.
4. Provide deeper and more valuable insights from internal audit’s activities and processes – Next-generation internal audit helps organisations make better decisions not only by addressing and managing current risks, but also by illuminating the risks and unforeseen consequences inherent in their longer-term digital transformation and growth strategies.

The specific governance structures, methodologies and enabling technologies that next-generation internal audit groups introduce vary. However, nearly all of the transformations Protiviti has supported or seen have addressed most, if not all, of the competencies, qualities and components in three broad categories illustrated below. 

Governance

• Internal Audit Strategic Vision – Next-generation internal audit organisations should seek to define a clear and concise strategy to establish the function’s purpose, enable achievement of objectives within the established vision and mission, and facilitate a culture of innovation that helps achieve the function strategy and ensure future relevance.
• Organisational Structure – A traditional internal audit hierarchy begets a traditional approach. As new methodologies are embraced, the organisational structure to support those will begin to look very different. The structure must be developed to allow for sufficient and flexible coverage across legal entities, geographies in which the organisation operates and risks facing the organisation. Reporting lines and roles and responsibilities of both audit and support teams will be redrawn. The composition, size and locations of the audit and support teams will also look very different. Flexible resource models will be employed to gain both access to skillsets and capacity as needed.
• Resource & Talent Management – In today’s corporate climate, a resilient workforce will prove vital to a company’s ability to pivot in the face of changing market realities. The workforce of the future needs to be reimagined for increased flexibility and be able to respond to rapid changes in business. Next-generation internal audit groups need to ensure that robust resource management strategy and processes are in place to acquire, manage, retain and enhance the resources, skillsets and capabilities that will enable the internal audit function to achieve both core assurance and transformational goals and objectives.
• Aligned Assurance – Aligned enterprise assurance is a correlation of risk, controls and a broader view of the control environment across the three lines of defense and by and between the organisation’s assurance functions. It seeks to maximise operating efficiency and provides clearer visibility of results to stakeholders. This approach facilitates governance and management of risk within an organisation’s risk appetite and aims at optimising the coverage of assurance obtained from management, internal assurance providers and external assurance providers on the risk areas affecting the organisation.

Methodology

• Dynamic Risk Assessment – Internal audit functions that desire to enhance and transform their organisation should continually seek to adapt their risk assessment approach to more effectively quantify risk in a rapidly evolving business environment and execute relevant assurance work to align with key organisational risks and priorities. A dynamic risk assessment approach is designed to be increasingly data-driven and adaptive to emerging risks and proactively measure key existing risks, enabling organisations to identify changing risk trends in real time, quantitatively measure and prioritise risk, and drive the most effective use of assurance coverage.
• Agile Audit Approach – An agile audit approach utilises a framework that is based on iterative and sustainable development, where requirements and solutions evolve through collaboration between cross-functional audit teams focused on quality. Internal audit and its stakeholders are focused on a common goal of risk mitigation through responding to changing and emerging business needs and directions while simultaneously working to meet business and regulatory commitments.
• High-Impact Reporting – Internal audit demonstrates its value by communicating effectively and, in the process, utilising simplified and high-impact reporting. This is the culmination of all internal audit’s activities leading to the right type of communication tailored to each audience to achieve maximum impact. Communications should occur in a variety of forms to stakeholders with different needs and expectations, including audit reports, risk assessments, audit committee presentations and reports to regulators. Next-generation internal audit functions communicate what stakeholders need to know and allow them to drill down to the details as needed.
• Continuous Monitoring – Next-generation internal audit organisations should seek to adopt a robust continuous monitoring programme to optimise the efficiency and effectiveness of their audit operations and facilitate deployment of audit resources to more strategic efforts. Organisations should work to create a technology roadmap that includes the necessary data and functionality to facilitate a continuous monitoring programme. Internal audit organisations also should consider the potential for continuous monitoring in the context of their broader assurance strategy.

Enabling Technology

• Advanced Analytics – Internal audit organisations should challenge their current state of analytics capabilities and commit to making better use of data. Raise awareness, develop skills, explore new tools, establish a plan and drive incrementally increased use.
• Automation – As the popularity of automation increases, including but not limited to robotic process automation (RPA), internal audit departments should be asking about their organisation’s current strategy and plans and evaluating whether there are any processes or tasks that lend themselves to automation. This can increase the effectiveness and efficiency of audit work by improving audit quality/coverage as well as by automating routine audit tasks, which, in turn, frees up time for more value-adding work.
• Machine Learning and Artificial Intelligence – Organisations are rapidly looking to turn their data into value-added products and services through machine learning techniques. Internal audit departments need to be familiar with this field of study, the risks and opportunities it presents, and how it can be applied. AI and machine learning represent great examples of techniques with the potential to deliver significant value through the internal audit lifecycle (risk assessment and planning, scoping, discovery, fieldwork, reporting, follow-up and monitoring) and change the way we use data to complete audit activities.
• Process Mining – Internal auditors should seek out new technologies that will help add value to their organisations beyond traditional audit methods. Enabling technologies such as process mining allow auditors to easily analyse large quantities of data, visually recreate processes from data, explore deviations and identify root causes to previously unknown issues. Process mining also allows for more dynamic and meaningful reporting.