Internal audit future trends
Emerging trends and high-impact areas of focus
In any organization, there are many areas where internal audit’s perspective and skills can provide valuable insights. In the coming year, where can internal audit have the most positive impact and influence?
- Download the 11 trends
- Strategic planning
- Third-party management
- Integrated risk assurance
- Risk culture
- Strategic and emerging risks
- Sustainability assurance
- Media audits
- New reporting methods
- Get in touch
- Join the conversation
- Related topics
The year ahead
This edition of our internal audit insights series identifies 11 areas of high impact for internal audit in the year ahead. It also explains why these areas are important to stakeholders and how internal audit might approach the area in upcoming audit plans.
In strategic planning, management lays the foundation for the success or failure of the organization going forward. Internal audit should review all key components of the strategic planning process: parties involved, data and intelligence, models, assumptions, scenarios, approvals, and communication and use of the plan.
Potentially high-impact components include management’s key assumptions and sources of data, such as those related to market share and growth, sales forecasts, interest rates, input costs, product pricing, funding sources, and regulatory activities. Internal audit should also review the governance over related models and can provide recommendations to strengthen the strategic planning process.
Internal audit should ideally begin with an assessment of management’s process for managing third-party relationships and risks across the relationship lifecycle.
Reviews of third parties offer potentially high returns in cost savings and cash recovery, which go directly to the bottom line (in contrast to compliance). However, internal audit may need specialized skills to assess certain relationships, such as those in advertising, cyber, or capital projects.
Analytics can boost efficiency and effectiveness in a range of internal audit activities. Dynamic audit planning enables internal audit to plan based on evolving risks rather than on those of the past. Analytics also enables internal audit to provide insight and foresight regarding risks and issues of interest to stakeholders, as well as insight-driven dynamic reporting.
Perfect data doesn’t exist. But analytics has been embraced and embedded even in situations where internal audit departments view their organization’s data as suboptimal.
Integrated risk assurance
In audit planning, integrated risk assurance can generate more meaningful information and insights for stakeholders. In audit execution, it can improve coordination among the first and second lines of defense and allocation of audit and risk management resources.
Internal audit’s position as the third line of defense positions the function to develop and deliver integrated risk assurance. This means that audit plans should start with the business strategy, goals, and means of achieving them—and the associated risks.
As the ubiquity of cyber has become clear over the past year or so, boards have decided that incident and security reports from the CIO or CISO aren’t enough. They want internal audit’s independent, objective, comprehensive review of cyber risks.
Internal audit needs to define a cyber auditing approach that meets the needs of the organization, industry, and stakeholders, including regulators, third-party partners, and external auditors. The audit plan should prioritize the processes and capabilities to be audited and define the methods and frequencies of related audits.
Broadly, digitalization converts currencies, transactions, services, products, experiences, and relationships into virtual forms. Virtual forms are potentially more flexible, far-ranging, and profitable—and more challenging to audit.
At a minimum, internal audit should gauge the impact of internal or external digitalization and its business and functions. Internal audit should also understand how digitalization fits management’s strategic vision and plans, conduct appropriate risk analyses and rankings, and define audit procedures to identify risk exposures and review management’s steps to address them.
Regulators and boards are focusing on risk culture because it largely determines decisions, conduct, and risk taking within an organization. And gauging risk culture within an organization is becoming more critical across all industries.
Internal audit can audit risk culture within standard operational and financial audits by adding interview questions, gathering data, and developing an informal review. Since risk culture can vary across organizational areas, the results of risk culture reviews should be considered individually and in aggregate.
Strategic and emerging risks
With its enterprise-wide view and responsibility for providing risk assurance, internal audit has much to offer in the areas of strategic and emerging risks. Audit committees want assurance that the businesses and risk management are able to detect strategic and emerging threats posed by competitors’ moves, nascent technology, changing marketplace trends, and regulatory developments.
Existing efforts to monitor competitors, social media, and customer sentiment are often siloed, limited, or both. Instead, organizations need frameworks and formal, integrated, well-supported processes. Internal audit should review the framework, processes, and mechanisms for identifying, assessing, and managing strategic and emerging risks.
Regulators, institutional investors, nongovernmental organizations, and the media are increasingly seeking disclosure on sustainability risks that could materially affect the organization and its performance.
Internal audit should cover at least one area of sustainability per year, such as employee or contractor health and safety, carbon emissions, operations management systems, or community engagement, selected in light of the materiality of the issue.
Recent changes in the advertising landscape have led to agency transparency and advertising performance concerns. Some concerns include agencies not passing discounts and rebates through to the advertiser and digital ads being viewed by robots rather than humans.
As for all vendors, internal audit should review the process for selecting, managing, and monitoring the organization’s advertising agencies, especially when advertising is a large part of overall expenses. However, the current advertising landscape presents complexities that often make this area challenging for internal audit groups without specialized expertise.
New reporting methods
Driven by stakeholder demand, internal audit is adopting new models of reporting that simplify the user experience while generating data-driven insights. The resulting reports are more forward-looking and insightful, briefer and more layered, and more visual and dynamic.
The larger and more complex the organization, the faster internal audit needs to adopt these new ways of reporting. Even without advanced analytics, internal audit can still use heat maps, bubble charts, and infographics to convey findings and insights.