The future of Internal Audit is now
Internal Audit 3.0
As organizations hurtle to an increasingly technology-driven, innovation-oriented, risky, and disruptive future, where is Internal Audit? Very often, despite ongoing efforts to meet stakeholders’ growing list of needs, the answer is playing catch-up.
Internal Audit 3.0
Until recently, the Internal Audit profession had not faced the need to innovate, let alone reinvent itself. Now, as we approach the end of a decade of uncertainty, organizations face evolving strategic, reputational, operational, financial, regulatory, and cyber risks. The world is entering the fourth industrial revolution where new technologies, digitalization, robotics, and artificial intelligence are dramatically changing the business landscape.
Through consultation with audit committee chairs, executives, chief audit executives and business leaders, we have developed a blueprint which aims to clarify the expectations of Internal Audit and required enablers to meet these, codifying the most important elements. We call it Internal Audit 3.0, the next generation of Internal Audit.
This publication introduces our point of view on Internal Audit 3.0 and outlines selected aspects of the 3.0 blueprint, depicted below.
Assure. Advise. Anticipate.
These three – assure, advise, and anticipate – constitute the triad of value that Internal Audit stakeholders now want and need. This has been borne out in numerous Deloitte external quality assessments (EQAs) conducted for Internal Audit functions in a range of industries, in interviews with more than 200 senior executives and audit committee chairs, and in numerous Deloitte research surveys with chief audit executives and heads of Internal Audit.
Assurance constitutes and remains the core role of Internal Audit. Yet the range of activities, issues, and risks to be assured should be far broader and more real-time than they have been in the past. Assurance on core processes and the truly greatest risks is essential but so is assurance around decision governance, the appropriateness of behaviors within the organization, the effectiveness of the three lines of defense (LoD), and oversight of digital technologies. Assurance is central to Internal Audit’s role but must not be the limit.
Advising management on control effectiveness, change initiatives, enhancements to risk management related to the three LoD and other matters – including business effectiveness and efficiency – falls well within Internal Audit’s role and stakeholders’ expectations. All sources confirm that a strong advisory role is key to maximizing the value of Internal Audit.
Anticipating risks and assisting the business in understanding risks, and in crafting preventative responses, transforms Internal Audit from being a predominantly backward-looking function that reports on what went wrong to a forward-looking function that prompts awareness of what could go wrong, and what to do about it, before it happens. Internal Audit becomes more proactive and, through its assurance and advisory roles, helps management intervene before risks materialize.
Internal Audit 3.0 - System Overview
The assure, advise, anticipate value proposition is enabled through:
- Digital assets, which have already begun to transform Internal Audit work, and are about to revolutionize it
- Skills and capabilities, which position Internal Audit to improve the interface with stakeholders and better meet their needs
- Enablers, which engage the system to deliver new value in desirable ways
For more information on Internal Audit, please contact Rob de Leeuw or Olaf Helmond via their contact details given below.