In a full outsourcing arrangement, Deloitte serves as the Internal Audit function. Deloitte’s Internal Audit professionals support the performance of internal audit projects and thereby provide organizations with a greater level of assurance. We also offer insights and recommendations on business strategy execution and the redeployment of valuable resources towards achieving strategic goals and objectives.

In a co-sourcing arrangement, the client maintains control and responsibility for the day-to-day function while Deloitte provides ‘on-demand’ Internal Audit support, related advice, leading practices, and experienced professionals with industry and specialized business and/or technical capabilities.

In both models, we often provide Subject Matter Specialists to support the in-house Internal Audit team with the planning, execution and reporting of audit work. Specifically, we can draw on SME support from a global perspective. We provide Internal Audit specialists to work alongside the in-house Internal Audit team in delivering their annual Internal Audit plan. We also work with the Internal Audit leadership team to help them develop the team and function.

One of the areas we can support and which many companies struggle with is the establishment of an advanced risk monitoring & audit platform, though the automated and continuous monitoring of – for example - your compliance risks. Having such a platform allows you to monitor your (compliance) risks in real time and take timely action when there are indications that (compliance) risks occur. Such platforms could be established by the Internal Audit function together with other ‘Three-lines-of-defense’ functions to enable effective communication and alignment.

Through our Internal Audit 3.0. model, Deloitte provides a robust end-to-end review of the Internal Audit function, which is based on ‘good practices’ and the standards from the Institute of Internal Auditors (IIA).

- Assurance remains the core role of Internal Audit. Yet the range of activities, issues and risks to be assured should be far broader and more real-time than they have been in the past. Equally, while assurance is central to Internal Audit’s role, it must not be the limit. Internal Audit 3.0 outlines how functions can meet growing stakeholder demands through innovation and technology enablement.

- Advising management on control effectiveness, change initiatives, enhancements to risk management and the design of assurance mechanisms falls well within Internal Audit’s role and stakeholder expectations. In our experience, too many internal auditors use ‘independence’ as a crutch, as an excuse to stay in their lane and avoid offering insights and opinions when most stakeholders have said this is what they truly want. Under Internal Audit 3.0, functions can respect independence while advising the business through promoting objectivity, integrity and professionalism.

- Anticipating risks, assisting the business in understanding risks and crafting preventative responses, transforms Internal Audit from being a predominantly backward-looking function that reports on what went wrong to a forward-looking function that prompts awareness of what could go wrong, and what to do about it, before it happens. Internal Audit 3.0 introduces risk sensing and risk learning to Internal Audit’s role, helping the function keep pace with and get ahead of emerging risks.

We help clients apply agile methodology to internal auditing. By taking an iterative, time-boxed approach, agile methods support a collaborative environment for audit and the organization, enabling them to solve business problems with speed.

We support internal audits related to financial, operational, IT and compliance-related processes and risk areas. We have a large range of specialists in-house who could support you, for example in the areas of:

1. Compliance audits, e.g. in the area of fraud, anti-bribery and corruption, sanction controls and many other topics.

2. Audits of other assurance functions such as your compliance function, risk management function or internal controls function.

3. Third-party audits, e.g. performance of audits at your contractors or subcontractors to assess alignment with agreed standards.

4. Cybersecurity audits in order to assess governance over your cyber risks.

5. Privacy and GDPR audits.

6. Other types of specialist audits, for example in the area of sustainability, tax, etc.

Often, the audit does not end with the issuance of an internal audit report. On the contrary, this is often the starting point for risk mitigation and further enhancements of processes and functions, whereby internal auditors – within the limits of independence - can help to drive workshops and development of roadmaps.

Internal Audit is at the cusp of innumerable possibilities to collaborate with the other lines in the ‘Three-lines-of-defense’ model, develop roadmaps and help improve governance across the organization.

We support companies in setting up an effective ‘Three-lines-of-defense’ model in which the assurance model is effectively and efficiently assigned.

- Organizations can decide to combine fulfilling assurance responsibilities with combined core assurance spread throughout the lines of defense, rather than just through Internal Audit. This also includes the imminent need for Internal Audit to advise the business with anticipation and measurement of risk.

- We can support organizations with ‘Assurance Mapping’ which identifies the risk areas that are covered by each line of defense. An assurance map can provide the organization with insights on where there may be risk management gaps or opportunities to remove or refocus efforts.

- We can support with the establishment of the right roles and responsibilities across the three lines of defense to ensure high-risk areas are sufficiently governed and to avoid duplications or gaps.

- We can also support with establishing an efficient and effective Governance, Risk and Compliance (GRC) Framework and optimized reporting process to Executive Management, Audit Committee and Board of Directors

Having an effective ‘Three-Lines-of-defense’ model is a critical element of the Internal Audit of the future, which will create capacity for Internal Audit to focus on the truly most relevant and impactful risks to the organization.

Technological advances and trends in advanced analytics, robotic process automation and cognitive intelligence are rapidly reshaping business models, improving productivity and enabling innovation in the way organizations operate and conduct business. Internal Audit functions should keep up with these developments

1. We help Internal Audit departments assess and understand the new opportunities associated with these technologies (such as Blockchain, RPA, automation digitalization and other developments) so they remain proactive in advising senior management on preventing and detecting new and emerging risks.
2. We also support Internal Audit departments with optimizing their own processes and capabilities, for example through automation of internal audit processes (risk analysis, planning, reporting) or through deployment of tooling to enable effective and efficient control monitoring and testing such as analytical capabilities and compliance monitoring platforms.
3. Deloitte can help you deploy accelerators to give you a head start in your audit analytics journey. For example, through deployment of AuditWise (for ad-hoc or recurring Data Analytics supporting your planning or fieldwork process), Process X-Ray, Process Mining tooling or other advanced or customized audit analytics capabilities.