There are some good initiatives being implemented to improve the impact of internal audit reporting, but the opportunities for further improvement are massive.
In Protiviti’s vision for Next Generation Internal Audit, one of the areas for transformative change is the need for higher impact reporting.
Our observations in the marketplace is that internal auditors have been slow to move to improve the impact of internal audit reporting. This study does however identify a range of good innovations that are being implemented by internal auditors in Australia to increase value-add from reports, including: identifying themes and trends, giving a point of view, presenting solutions that get to the root cause of issues, jointly developing solutions with management, and use of simple graphical tools such as traffic lights. There remains relatively lower take-up of other reporting options such as use of dashboards, use of data and broader publication of lessons learned. Anecdotally, we have seen some good examples in the marketplace of use of dashboards, providing overall conclusions and opinions, use of balanced reporting by bringing out areas of good practice and application of the organisation’s risk management framework to drive focus on more significant issues.
This opportunity for high impact reporting is discussed further later in this report. One area which has progressed in recent years is the reporting of overall opinions. Such opinions provide real value to stakeholders, but require certain disciplines and controls to ensure they are presented and understood accurately. In this year’s study, 57% of respondents reported that they were being asked to provide such an overall opinion, which is considerably increased on prior years.
Driving Impact, Quality And Improvement
98% of respondents have undertaken new initiatives in the last 12 months to generate significant improvements in the internal audit function’s effectiveness.
One of the encouraging themes from this year’s study is that internal auditors are recognising and responding to the need to change and improve. In response to the question, “Have you undertaken new initiatives in the last 12 months to generate significant improvement in the function’s effectiveness?”, over 95% responded positively.
Particular activities that were reported as being undertaken to improve the effectiveness and efficiency of internal audit functions include:
- Building stronger, more formal relationships with other assurance providers (56%)
- Data analytics (48%), and
- Root cause analysis (43%).
The high focus on relationships is interesting given previously published capabilities and needs surveys for internal auditors have all referenced a perceived weakness at internal and external networking. The result above suggests that our profession is working through this challenge, which is an important development.
The use of data analytics and root cause analysis are equally positive developments, and we would anticipate these to become more prevalent in the future, given the “big data” environment in which we all work, and the demands of stakeholders for increased value and impact in our reporting.
Disappointingly, there is relatively low take-up of other next generation disciplines such as continuous control monitoring (15%) and continuous transaction monitoring (5%). These use technology to provide timely population-based information on areas of control risk or unusual transactions and can move internal audit to a much more proactive delivery of assurance and insight to stakeholders. This may reflect these technologies being applied more by other parts of the business (e.g. in the second line of defence).
In order to drive impact from internal audits, it is helpful to have metrics which provide some objective assessment of the impact that internal audit is having.
While this can be challenging, historically internal audit functions have largely relied on feedback from management and the Audit Committee to provide some guidance on the impact being achieved. It is worth noting that the effectiveness of this as a tool to assess impact is heavily dependent on the questions asked to elicit such feedback. This year’s survey has reinforced that this remains the primary approach, with 89% of respondents utilising feedback from the Audit Committee and stakeholders, while 80% are (also) using broader business feedback. While not downplaying the importance of such feedback, these are imperfect tools for assessing impact of the internal audit function.
Encouragingly, this study has identified other tools being used to measure impact, including:
- Tracking the outcomes of recommendations (61%)
- Results of performance measures and indicators (39%)
- Post-implementation reviews (28%), and
- Measurement of costs and benefits (9%).
Increased take-up of some of these by other internal audit functions will help focus business improvement initiatives for internal audit functions in Australia.
One of the questions that these studies have explored for the past decade is the extent to which External Quality Assessments are performed by internal audit functions in Australia. In this year’s study, 59% reported having completed an EQA within the last five years (and another 11% reported completing one more than 5 years ago). Given it is a requirement of the IIA Standards to have an EQA at least every five years, these results are disappointing. Further, it is worth noting that this has not moved materially compared to previous years (in 2015, 60% reported having completed an EQA within the last five years and another 6% reported completing one more than 5 years ago).
This presents a challenge for the IIA on how to best drive better uptake of EQAs across the marketplace.
Next Generation of Internal Audit
Change is being driven by advances in technology and the use of data, as well as the broader economy in which knowledge, entrepreneurship, innovation, technology and collaboration are fuelling growth. Innovation changes the business model and, as a result, the organisation’s risks. Internal audit not only must respond to these changes, but also must be prepared to assess if the business is undertaking its innovation and transformation initiatives in the best possible manner. In order to accomplish this, internal audit must innovate itself.
Internal audit functions need to rethink how they perform their work in a more agile manner and how they can leverage the proliferation of data and technology to deliver on their objective to provide effective risk management more efficiently. This requires balancing new internal audit models with the right technology, resources and methodologies, as well as governance and infrastructure, to create value. The ultimate objective is clear: It is time for internal audit leaders to build what we term the next generation internal audit function.
In our view, there are three essential objectives of next generation internal audit groups:
- Improve assurance by increasing the focus on key risks. By evolving to become more data-enabled, next generation internal audit provides internal and external stakeholders with relevant, timely and impactful results on the effectiveness of risk management and controls.
- Make internal audit more efficient. Next generation internal audit drives toward data and technology-enabled audit processes, delivering increased efficiency and risk assurance.
- Provide deeper and more valuable insights from internal audit’s activities and processes. Next generation internal audit helps organisations make better decisions not only by addressing and managing current risks, but also by illuminating the risks and unforeseen consequences inherent in their longer-term digital transformation and growth strategies.
In this study, we asked respondents about the extent to which they have begun to adopt some of techniques and innovations proposed as part of the next generation of internal audit.
Next generation governance covers the internal audit function’s strategy, structure and skills — including how those skills are developed and sourced. Key features include:
- A prospective strategy promoting innovation
- Aligned enterprise assurance
- Streamlined structure and flexible resourcing
- Evolving skills and applied technical acumen.
Around 50% of respondents reported that they were applying these techniques in their internal audit functions, or were planning to do so over the coming year. This is encouraging as the foundation of an innovative and forward-looking governance approach to internal audit functions is typically the right platform for efficiency and effectiveness improvements.
Of these, the technique being applied by most respondents is the prospective strategy for the internal audit function promoting innovation. This is an important ingredient for next generation internal auditing, by providing a clear plan on how the function is going to evolve and change to support more effective and efficient auditing and assurance services and drive innovation to add increased value.
Respondents reported that an ability to achieve truly aligned assurance across the enterprise is the feature from the governance components of Protiviti’s Next Generation model that is most likely to have the greatest impact on the internal audit function’s effectiveness. This aligns with findings reported earlier in this report that respondents were particularly investing in network building across assurance providers within their organisations. This aligned assurance can have both an efficiency dividend (through reducing duplication in assurance activities) as well as an effectiveness dividend (through drawing more incisive conclusions based on the broader portfolio of assurance activities and findings).
Next generation internal audit methodologies are designed to equip organisations with increasingly precise insights into real-time risks. Agile and advanced data management and analysis approaches represent key enablers of this real-time view. These methodologies, which also apply to reporting and collaboration activities, generally include:
- Dynamic risk assessment
- Agile, analytics-driven and scalable execution
- Simplified and high impact reporting.
Generally, the take-up of these is somewhat lower than the governance techniques described earlier. It is possible that this reflects the intent of internal audit functions to bed down the governance principles, before then embarking on changes to methodology.
Over one third of respondents reported no plans to head towards dynamic risk assessment. This is surprising given the rapid change of risk profile in the current political, economic and cultural environment. Given the unfilled demand for risk management capability reported earlier in this report, it may be that capability is the barrier for organisations to start implementing more dynamic risk assessment techniques. It may also be that for many internal audit functions, the risk assessment and management functions sit with a Chief Risk Officer (or equivalent) and therefore is beyond the influence of the internal audit function.
High impact reporting appears to be the highest area of focus amongst the methodology components of the Next Generation model. This aligns with comments in the Reporting section of this study. It is increasingly clear that the internal audit profession is far more acutely aware of the needs and expectations of stakeholders, and this is driving a focus on improving the “stakeholder experience” from reporting. Further, as reported earlier, reporting approaches can be highly influential in driving impact from internal audit activities.
Respondents reported that more continuous monitoring would have the greatest impact on efficiency and effectiveness of internal audit functions. Yet it is an area with known challenges in capability within the respondents to this survey. This represents an opportunity for the profession to drive increased training and capability in this area to support internal audit functions to make the most of this potential improvement.
According to our research, for more than a decade, most internal audit functions have posted sluggish improvements in their use of advanced auditing technology. However, extensive reliance on automation, data analysis and a variety of advanced technology applications is a defining feature of next generation internal audit functions. Common technology activities and tools implemented in next generation transformations include ubiquitous data analyses and advanced analytics, automated processes, process mining insights, and artificial intelligence and machine learning.
Respondents reported that, apart from data analytics, there is expected to be very low take-up of these opportunities, including artificial intelligence and machine learning, robotic process automation and process mining.
Anecdotal evidence suggests that there may be a number of drivers of this, including lack of capability in internal audit functions to know how to invest in these, budget constraints, a fear of change, and systems or technology leaders preventing use of these technologies.
Improved use of data analytics is the one bright spot here, with internal audit functions becoming increasingly comfortable working with the big data that exists in their organisations.
Respondents in the study reported a recognised strong need to improve in capability, but expected low impact on functional effectiveness. This likely reflects the absence of intention to invest in these technologies in the short term.
In our experience, the use of technology provides the greatest shift in efficiency and effectiveness, but it does need the governance and methodology components in place to provide the environment for leveraging the technologies. It also represents one of the more significant changes in approach, which needs to be managed for staff and stakeholders. On this basis, it may not be surprising that it is not a short-term goal for many internal audit functions. However, for those that have the courage and ability to make some of these changes, there will be potentially dramatic improvements in the functional effectiveness of internal audit.