Internal Audit Innovation

As organisations grow in both complexity and the rate at which they change, it is increasingly clear that traditional Internal Audit methodologies, such as annual planning, may fail to identify key business risks as they arise. Whilst adopting an agile mindset and approach serves to address this issue through rolling wave planning, constraints on time and resources have driven leading Internal Audit functions to consider ways in which they can use technology to adopt a more dynamic approach to risk assessment. Dynamic risk assessments enable organisations to robustly monitor and identify risks in time to take action, and many are taking this further by considering how they can perform continuous risk assessments, which offers the unique potential of enabling far greater coverage with the same resources using real-time assurance models, and can provide significant savings in cost, improved foresight, and better levels of assurance provided.

Enhancing the approach to First and Second Line risk assessment will enable efficiencies across organisations, including a risk-based approach to asset allocation (people and technology) and a consistent mechanism to discuss risk across the business.

This approach can promote coordination with multiple functions and alignment of resources and risk coverage but also elevate the dynamism of the Internal Audit assurance response.

To achieve true dynamism, it is important that Internal Audit make risk assessment more real-time by driving audit focus and ensuring that the function is adaptive, responsive and identifies the right risks. Internal Audit functions should reflect on their remit, and where necessary they should re-focus this to become more forward looking, anticipatory and advisory, so that not only can they provide better assurance but can add much more value to the business. Further, Internal Audit should champion the enhancement of First and Second Line risk assessment approaches to introduce more data-driven, real time and high frequency monitoring to support the risk assessment approach. Internal Audit should also look to leverage the enhancements to the risk assessment process across the First and Second Line of Defence for its own annual, periodic and real time risk assessment and planning processes. The following areas should be considered:

• Audit universe structure: Regardless of the structure in use, Internal Audit should collaborate with the business to use technology in place/develop technology to easily input the relevant data needed to capture all risks, processes, laws and regulation for each auditable entity. The enablement of automated processes will allow Internal Audit departments to work towards increased data source diversity while ensuring data quality and consistency across the business;
• Risk rating factors and approach: Continue to source a broader set of authoritative data sources to help drive decisions. Increased use of data analytics and leveraging automation/technology within the business will only further assist Internal Audit in their risk assessment decisions and better inform them on likelihood and impact of identified risks feeding into their risk assessment process;
• Integration and alignment: While the maturity of Internal Audit departments within organisations will vary, the key is to start identifying current inefficiencies in an organisation’s Three Lines of Defence Model to encourage innovation with meaningful, strategic steps. Innovation should extend beyond technology, including coordination, communication, audit and risk assessment methodology, and elevating engagement connection with First and Second Line stakeholders;
• Audit planning: Whilst the majority of institutions still primarily rely on an annual audit planning process, Internal Audit should strive to make their risk assessment process as dynamic as possible. Dynamic audit planning provides increased flexibility but requires focus and investment to get it right. Build the risk assessment process so that it can be conducted throughout the year and supported by KPIs to capture change in the business risk profile; and
• Tools, technology and data: While steps have been taken to enhance and implement innovative solutions and technologies, institutions still have not realised the full value of innovative technologies and data analytics in their risk assessment methodologies. The types of technology and tools that Internal Audit invest in can help drive decisions more efficiently and effectively while providing repeatable, standardised tools and methods to allow for continuous monitoring of risk and adjustment to the Audit Plan.

High impact reporting, including the use of alternate reporting methods to replace or accompany traditional reports in order to deliver impactful insights, has long been a key enabler for the next generation of leading Internal Audit functions. Faced with potentially the most significant economic challenges that the UK and other global markets have seen in a generation, it’s now more important than ever for Internal Audit to report faster, engage with stakeholders more quickly, and find new ways to add value (while simultaneously replacing processes that have historically been manual, ad-hoc, and unsustainable).

This was echoed in Deloitte’s 2020 Global Audit Committee Survey, which collected insights from over 60 Board Members, Audit Committee Chairs, and Audit Committee Members, from across more than 140 companies and 20 countries, including every major industry sector; 63% of Survey respondents said Internal Audit should be faster at reporting the results of their work, and there is a need to tailor output to better inform stakeholders of emerging concerns before they become critical.

As Internal Audit has responded to changing business risks in light of the COVID-19 pandemic, there has been a need for more flexible reporting mechanisms to allow stakeholders to receive Internal Audit’s points of view in a near real-time basis. Navigating these turbulent times has accelerated the plans which many institutions had in place to re-shape and digitise operations.

During this period, functions have increasingly moved away from traditional reporting methods and we have seen greater adoption of alternative, more agile reporting techniques such as ‘hot reviews’, unrated reporting, e-mail reporting, mid-review points of view (‘POV’ reporting), and oral feedback as alternatives. This, among other developments, has provided opportunities to enhance audit methodology for the longer term as opposed to just a short term or temporary response.

Internal Audit needs to rethink and innovate to improve the relevance and value of its Audit Committee reporting.

The following steps should be considered:

• Tell a story: The Audit Committee acts on the information presented to them, so needs to know what’s important. Master the art of story telling; communicate key messages that resonate with the Audit Committee audience in a compelling-but-concise fashion, something the reader will remember;
• Tailor reports: Audit Committee reports should be thematic in nature, employing root cause analyses and visualisation tools to join the dots and call out key messages across different audits. Reports should provide a holistic view, describing the impact on the control environment;
• Look ahead: Audit Committees appreciate forward-looking narratives that anticipate and prioritise emerging risks. Tell them what’s coming and why it’s critical. Have confidence to offer a point of view even if you only have 80 percent of the data, rather than waiting for 100 percent certainty;
• Get to the point: Get to the crux of the insight or issue quickly, saving the technical details for the appendix (or provide only upon request). Many reports contain details that are unnecessary and distracting to an Executive audience;
• Challenge traditional reporting formats: Reconsider the best way to present information. Infographics and data visualisation techniques, such as dashboards and interactive reporting (see example, left), can help drive insights into risk and assurance trends and root causes. A small number of leading Internal Audit functions are piloting the use of video to accompany reporting on specific audits, such as health and safety, to bring to life the risks highlighted by Internal Audit. Audio reporting is also being used by leading functions, to enhance the Audit Committee user experience; information can be consumed quickly and on the move; and
• Don’t wait for the report: Schedule regular touch points with the Audit Committee Chair outside of the meeting schedule, to alert them to items on Internal Audit’s radar and to escalate significant risks without formally issuing reports, allowing for more real-time reporting. Internal Audit is the eyes and ears for the Audit Committee and gaps between reporting cycles shouldn’t result in a communication shutdown.

As we near the end of 2021 many organisations will be grappling with how to respond to a post COVID-19 restrictions work environment and the challenges that it will bring. The successful rollout of vaccination programmes and the end of Government schemes to support workers who cannot work remotely will create a trend of organisations and their employees returning to work. The workplace that the employees return to and the economic environment in which their organisations operate may be very different to the pre COVID-19 environment and organisations and employees need to be able to adapt to this in an efficient and risk conscious way. For example, the economic impacts of the pandemic need to be factored into current business strategies such as lending into the commercial real estate sector, where cashflow, asset values and borrower credit quality will need to be reassessed. There will be heightened considerations around employee health, this is wider that legal obligations and will need to focus on issues such as operational resilience, for example how to keep a business running if your employees have an obligation to self isolate due to COVID-19 fears (such as the recent UK pandemic). We will almost certainly see organisations respond with future of work strategies whereby the workforce is increasingly remote and agile, this can have competitive benefits but also brings risks that need to be addressed such as remote working cyber risk challenges or the “virtual meeting” fatigue that employees have felt over the last year. Organisations should be considering all these risks and opportunities as part of their 2021 and beyond strategies and Internal Audit should be challenging the conclusions through ongoing stakeholder management, continuous monitoring and the 2022 Internal Audit Plan.

In 2020 we labelled the first phase of reacting to COVID-19 as Respond—In this phase organisations adapted to dealing with the initial impact of COVID-19 and Internal Audit functions had an important role to play to continue to provide critical Assurance, help Advise Management and the Board on the shifting risk and controls landscape and help Anticipate emerging risks. We recommended that functions should be:

• Agile and focus on short term priorities;
• Collaborate with stakeholders and understand the changing risk landscape;
• Adopt/Increase usage of new technologies e.g. Zoom, Teams and make use of virtual meetings and workshops;
• Accelerate the usage of analytics; and
• Prioritise assurance over the emerging risk landscape.

The second phase we labelled as Recover—where Internal Audit had an important role to play in adjusting an organisation’s mind-set to the recovery objectives, providing assurance over key risks presented by inevitable changes, giving advice on the shifting control environment, and anticipating emerging risks. We highlighted three key areas of focus: 

• The future of work—As a consequence of COVID-19 organisations were reviewing their operating models and working practices to adapt to provide employees with greater flexibility between when, where and how they undertake their work;
• Technology Investment—COVID-19 created a massive shift in the uptake and reliance on technology on all fronts; and
• Controls redesign—Many of the most critical operational controls will need to be digitalised to function with an increased remote workforce. Internal Audit has a vital role to play in ensuring the responses of the first and second lines of defence are aligned and support the wider organisational objectives.

In the third and final Phase which we have labelled Thrive—we see an opportunity for Internal Audit to increase its value add and advisory role through undertaking quick agile “thrive” reviews with a focused scope covering a small number of key hypothesis questions and “Flash Reports”. Areas where we can see value from this approach include technology risk, commercial implications and people and the work environment.

Technology (incl. Cyber)
We recommend that Internal Audit functions focus on risks that will be increased due to the change environments, for example Cyber threats are magnified by change. There are risks that will arise from the physical environment changes for example how are controls from previously segregated areas such as trading floors going to be maintained in a hybrid model. Organisations will also need to assess what we term Control Debt, the extent to which controls were relaxed during the Respond and Recover phases, for example have exceptions been made to controls to take account of the previously unprecedented circumstances and do organisations know where these exceptions are or have plans to reverse them for example system access rights. Overall, the last 12 months have seen an acceleration of digitalisation and virtualisation and Internal Audits 2022 plans will need to take account of this.

Commercial implications
It is inevitable that there will be an increase in consumer distress that will create a need for greater sensitivity in relation to conduct risk and TCF. Internal Audit is well placed to challenge their organisations responses to this. There are specific sectors that will have been impacted and previous assumptions need be revisited for example risk appetite and risk profile changes for the leisure and hospitality sectors or commercial real estate. Many regulatory capital and liquidity regulatory obligations are dependent on customer behaviour modelling and these behavioural patterns may be distorted by COVID-19 for example the stability of retail current account balances with the retail sector largely closed there is a risk that an element of stability is assumed that will not be the case in a post lockdown environment. There are also strategic risks that need to be considered, for example new or accelerated client interaction models for example the evolution from branch-based banking.

People and work environment
There is a heightened awareness of the need for organisations to keep people safe and the legal and reputational risks of organisations getting this wrong are significant. Tis is wider than traditional HR and legal obligations and includes physical and mental wellbeing, stress management and the need for organisations to create a safe environment for Psychological safety-and the calling out of issues. Internal Audit should be assessing the risks that can arise from hybrid working models such as the challenges with building organisational and risk cultures remotely. The risk culture is a particular challenge for new employees, how do they benefit from their colleagues' experience of the control environment with remote mentors and supervisors.