Internal Audit 3.0

The future is now

April 2018

As organisations hurtle to an increasingly technology-driven, innovation-oriented, risk, and disruptive future, where is Internal Audit? Very often, despite ongoing efforts to meet stakeholder’s growing list of needs, the answer is playing catch-up.

Internal Audit 3.0

Until recently, the Internal Audit profession has not faced the need to innovate, let alone reinvent itself. Now, as we approach the end of a decade of uncertainty, organisations face evolving strategic, reputational, operational, financial, regulatory, and cyber risks. The world is entering the fourth industrial revolution where new technologies, digitalisation, robotics, and artificial intelligence are dramatically changing the business landscape.

Through consultation with audit committee chairs, executives, chief audit executives and business leaders, we have developed a blueprint which aims to clarify the expectations of Internal Audit, and required enablers to meet these, codifying the most important elements. We call it Internal Audit 3.0, the next generation of Internal Audit. This publication introduces Internal Audit 3.0 and outlines our point of view on selected aspects of the framework, depicted below.

Figure 1. Internal Audit 3.0 – System overview

Assure. Advise. Anticipate

These three – assure, advise, and anticipate – constitute the triad of value that Internal Audit stakeholders now want and need.


Assurance continues and remains the core role of Internal Audit. Yet the range of activities, issues, and risks to be assured should be far broader and more real-time than they have been in the past. Equally, while assurance is central to Internal Audit’s role, it must not be the limit. Internal Audit 3.0 outlines how functions can meet growing stakeholder demands through innovation and technology enablement.


Advising management on control effectiveness, change initiatives, enhancements to risk management and the design of assurance mechanisms falls well within Internal Audit’s role and stakeholder expectations. In our experience, too many internal auditors use “independence” as a crutch, as an excuse to stay in their lane and avoid offering insights and opinions when most stakeholders have said this is what they truly want. This can regulate the function to reporting on the past, which is not the wave of the future. Under Internal Audit 3.0, functions can respect independence whist advising the business through promoting objectivity, integrity and professionalism.


Anticipating risks and assisting the business in understanding risks, and in crafting preventative responses, transforms Internal Audit from being a predominantly backward-looking function that reports on what went wrong to a forward-looking function that prompts awareness of what could go wrong, and what to do about it, before it happens. Internal Audit 3.0 introduces risk sensing and risk learning to Internal Audit’s role, helping the function keep pace with and get ahead of emerging risks.

Upgrading to Internal Audit 3.0

Digital assets

Such as robotics, artificial intelligence, visualisation tools, which have already begun to transform Internal Audit work, and are about to revolutionise it.

Skills and capabilities

Thinking that the same people operating in the same way with the same resources can deliver the value stakeholders need now, let along going forward, amounts to a failure of imagination. Internal Audit functions need new skills and capabilities which position Internal Audit to improve the interface with stakeholders and change traditional thinking, approaches and mind-sets.


Enablers such as automated core assurance, Agile Internal Audit and new ways to deliver high impact reports are helping Internal Audit functions to deliver new value, and improving the impact and influence of Internal Audit.

Did you find this useful?