
Internal Audit Innovation

Financial Services Internal Audit Planning Priorities 2023

Below we highlight new areas relevant to Internal Audit but also those areas we believe will have greater focus in 2023. We hope this informs your 2023 planning and assurance approach.

6.1. Aligned Assurance



Why is it important?

Growing stakeholder expectations, the heightening regulatory landscape and expanding organisational risk profiles present a demanding assurance landscape and highlight the need for Internal Audit to work with other assurance providers in a more co-ordinated and aligned way. With a traditional three lines model, misaligned assurance activities and burdensome compliance programmes often limit the ability of organisations to optimise efforts. Issues can be compounded by disconnected technologies and methodologies, resulting in lapses and errors, and, occasionally, very public management failures. In today’s world, corporate leaders need connected, risk-intelligent assurance systems that are optimised for agility, insight and efficiency.

What’s new?

  • Organisations are on the brink of a new age of capabilities; the acceleration of digital technologies and the opportunity to rethink the approach to risk and assurance is radically changing organisations in ways that will challenge the three lines model.
  • The ongoing digitalisation of business processes, transactions, and relationships, along with the decreasing cost and increasing accessibility of digital technologies, holds tremendous potential for assurance, compliance, and risk management functions.
  • As organisations face inflationary pressures and increased uncertainty, now is the time to reimagine the approach to risk and assurance across the Three Lines of Defence to drive efficiencies and better management and oversight of risk.
  • By incorporating assurance by design into business processes, leveraging automation for control functions, and innovating assurance activities, organisations can generate greater visibility into risk and faster response to remediation.
  • Organisations that can connect, modernise and digitise their approach to assurance, compliance and risk across the three lines will be better able to optimise performance, increase productivity, grow profitability, improve risk management, and lower the cost of compliance.

What should Internal Audit be doing?

Area of Focus and Description

Ascertain Your Position

To ultimately realise the potential benefits, a strategic approach is required. An approach that not only transforms the way the business delivers assurance, compliance and risk management, but also seeks to seamlessly automate and connect those capabilities. Whilst it should not necessarily be Internal Audit’s role to drive this, there is a need for Internal Audit to determine what role it should have to support the aligned assurance agenda within the organisation.

Make a Case for Change

Knowing the path that the organisation should take is one thing. Convincing others that this is the right course of action is quite another. That’s why getting buy-in from senior leadership is a prerequisite to achieving successful change. To gain that buy-in, there must be a crystal-clear business case for that change. One that is typically grounded in reduced cost, enhanced performance and better business resilience.

Create a Roadmap and / or Clarify Your Existing Roadmap

Internal Audit should consider its own role in providing assurance and also support the wider aligned assurance strategy by:

  • Aligning with the organisation’s key risks, risk language (e.g. risk categories), risk assessment criteria, Audit Universe design, applicable control frameworks and compliance requirements. Preferably this would be delivered through a single or connected technology platform (GRC tool).
  • Understanding the organisation’s risk appetite and required assurance response against each major risk category. For example, coverage requirements, depth and frequency of assurance, degree of independence required by the assurance provider, etc.
  • Determining the primary providers and secondary users of assurance, including minimum expectations over the quality of assurance activities to enable reliance by secondary users.
  • Helping to develop governance processes to coordinate and minimise duplication, e.g. an ‘assurance traffic control’ to oversee changes to planned assurance activity.
  • Working with management to leverage the benefits of technology investments e.g. key risk indicator monitoring, data analytics, and continuous controls monitoring.
  • Exploring opportunities for integrated reporting of specific risks across the three lines model.


Key contacts: Owen Jackson and Jamie Whitehouse

6.2. Internal Audit Analytics and Automation Factory



Why is it important?

Organisations looking for ways to evolve through new ways of working and the adoption of advanced technologies have seen automation open the door to efficiencies and throughput never seen before. But with the growth of digital tools come operational challenges which threaten to stifle the value and impact of analytics and automation. The opportunity for Internal Audit to engage with this through understanding the availability of data, improving data quality and creating appetite to gather information on risk and controls will allow the function to meet the increasing demands we’re seeing across the industry. This broadening remit creates challenges such as integrating analytics into individual audits and thinking about the interlinkage between the digitalisation of the function and the overall Internal Audit strategy in the coming years.

What’s new?

The changing competitive and risk landscape calls for a digital transformation of Internal Audit functions to an insight-based advisory role with greater coverage, efficiency, and resilience. Functions are starting to think more broadly about the use of data analytics, e.g. through the use of process mining or integrating automated dashboarding in routine reporting.

The objectives for an analytics and automation programme are:

  • Capabilities and impact by providing better access to information, structured processes, and delivery frameworks.
  • Scalability by enabling analytics and automation programmes to better manage increasing complexity as the programme scales through enhanced resource allocation, reporting of in-flight automations and backlog, and future planning.
  • Competencies of automation and business teams through targeted training paired to refined roles and responsibilities and required skillsets for each.
  • Value creation through effectively measuring automation value using enriched ROI calculations and maximising value through better defined business cases and requirements translating into reductions in waste and re-work.
  • Governance and control through process and technology controls, enhanced audit reporting, and standards around documentation, development, and operations.

What should Internal Audit be doing?

Area of Focus and Description

Fostering an Environment for Creation

  • Facilitate audit automation by highlighting the potential and benefits of automation.
  • Support online forums, newsletters and other periodic communication vehicles to drive enthusiasm and collaboration, provide support and perpetuate auditor momentum.
  • Create a prescribed approach to identifying opportunities across the function’s ways of working, including the use of automation and visualisation in audit work and performance within the function.
  • Train auditors to understand how and where technology can be applied to achieve leverage.
  • Conduct workshops with audit teams to take a deeper dive into key business processes to identify audit automation opportunities.
  • Host hands-on automation discovery roundtable sessions to brainstorm automation possibilities and share successes.
  • Update the Audit Methodology to mandate the use of automation and analytics within internal audits where feasible. Create audit roles supporting the alignment of audit, data and technology.

AAF Components

Deloitte’s Analytics and Automation Factory approach is modular, focusing specifically on:

  • Opportunity Identification: Facilitate a culture of automation through education, incentives and workshops to foster a pipeline of automation candidates with net positive return on investment.
  • Intake and Pipeline Management: Capture ideas quickly and frequently. Add more details as the ideas gain support and momentum. Capture value metrics such as ROI, and prioritise work.
  • Development and Deployment: Stay up to date with the development team, including updates on planning, building, testing, and implementation.
  • Maintenance and Re-Certification: Perform updates and incremental improvements to ensure digital assets continue to provide value and are in proper operating condition.
  • Decommissioning: Confirm that obsolete assets are retired with transparent communication and appropriate archiving.
  • Reporting: Develop a set of stakeholder-targeted reports to monitor and communicate programme adoption and trajectory, throughput, quality, efficiency, audit coverage, etc.


Key contacts: Nanette Scott and Yannis Petras

6.3. Re-setting IA's Purpose - IA 4.0



Why is it important?

Expanding stakeholder demands, and the increasing breadth and scope of risks continue to challenge Internal Audit functions. Technology and changes to organisational ways of working are also having a profound effect on Internal Audit functions. Internal Audit needs to have a clearly articulated future vision to meet these changes and ensure that Internal Audit not only maintains relevance but delivers the greatest value and impact to the organisation. Internal Audit functions should be purpose driven and digitally powered.

What’s new?

A lot has happened since Deloitte released Internal Audit 3.0 (IA 3.0), our market-leading framework for elevating the role and expanding the remit of Internal Audit. The above demands and the pace and scale of innovation in the profession have led us to update our vision of Internal Audit.

Through working with and engaging across a wide breadth of stakeholders and Executives, we have created our Internal Audit 4.0 framework, bringing three new features to the forefront:

  • Internal Audit purpose should be aligned to the wider organisational purpose. Whether forced to re-engage with their purpose in the wake of the pandemic, or the groundswell of Environmental, Social and Governance (ESG) and Diversity, Equity and Inclusion (DEI) issues, purpose has become increasingly important for organisations and their stakeholders to strengthen their brand and reputation, generate market value, and contribute to sustainability initiatives. Every organisation has a purpose, with some being more clearly defined than others. Purpose drives an organisation and inspires and harmonises its functions, teams, and individual roles.
  • Internal Audit has a role to play in accelerating organisational change and learning. Organisations that have thrived in uncertain times were the ones that could learn to adapt and act quickly. Many functions already work to help with organisational learning and Management actions through root cause analysis, thematic observations and insightful reporting, yet more can be done.
  • Internal Audit 4.0 aims to transform ways of working by embedding digital capabilities across Internal Audit work. Many functions have embraced digital but limit their adoption of digital capabilities, for example, only using analytics for data query or sampling. Few view digital capabilities sufficiently broadly or leverage them to support the entire audit lifecycle.

What should Internal Audit be doing?

Internal Audit functions should look into the interplay of their vision, challenging themselves on how they align their strategy to the organisation’s purpose, creating purpose-led actions framed around the following areas of focus.

Area of Focus and Description

Purpose

Internal Audit should align its role and remit to organisational purpose. Clearly aligning purpose and articulating how Internal Audit’s role and remit help the organisation achieve its own purpose (for example, by designing ways of working to support specific organisational outcomes) can create greater value. This can help attract top talent and also enables Internal Audit to make smarter investment choices, ensuring innovation efforts are purpose driven.

Accelerate

Internal Audit should define what role it can play in accelerating organisational learning.

  • Act with speed – Consider ways in which the function can be quicker in communicating insights. Could your function embrace agility, work in sprints and issue findings iteratively, forming stable teams to continuously improve and speed up the way they operate?
  • Go beyond the audit – Without owning remediation, Internal Audit can promote learning after the audit and provide ‘after sales’ care. Helping to bring the organisation together, sharing good practice from within or outside the organisation, and moving the focus to the bigger picture (away from focusing solely on point fixes to individual issues) can build a more robust and future-proofed control environment.
  • Change the culture – Consider how Internal Audit can influence organisational culture to help create optimal conditions for learning and action to embrace the concept of psychological safety.

Digital

Assess how integrating and embedding digital technologies can transform ways of working.

  • Mindset – It doesn’t matter if you’re a small or large function; the mindset and willingness to explore and experiment with digital tools is half the battle.
  • Approach – Be willing to experiment. While transformative initiatives can work, many functions have avoided a ‘big bang’ approach and moved towards an iterative approach with a mindset of continuous learning and sustained incremental change. More functions have taken this systematic and methodical approach to digital innovation in order to drive internal audit ‘operating system’ enhancements, intentionally piloting proofs of concept and measuring return on investment to guide purpose-driven initiatives.


Key contacts: Owen Jackson and David Tiernan
