4 minute read 18 Feb 2019

How a disrupted internal audit can be a stronger strategic partner

Internal audit needs digitalization, a flexible people model and a more dynamic approach geared to giving timely insights on strategic risks.

The global risk landscape continues to change rapidly, requiring companies to direct more attention to risks arising outside of their organization. Internal audit needs to keep pace with these changes to be able to provide strategic advice.

Although no one can predict the future, the rapid pace of change in the global marketplace suggests there is one certainty for all organizations, regardless of location or sector: the status quo is no longer acceptable.

Internal audit (IA) has been “transforming” for the past 20 years, making incremental improvements that have helped the function do the same things faster with a better focus on risks, however, the basic approach and methodology of IA have not substantially changed. The case for disruption has never been more real for the profession. To continue to instil trust in the organization – allowing management to maintain its confidence to take the risks needed to achieve the long-term strategic objectives of the organization – IA must embrace strategic disruption.

Digitalization: the game changer

Digitalization is enabling companies to not only react to change, but to proactively improve their ability to anticipate consumer preferences, develop better ways to deliver products and services, and penetrate new markets. However, new agile, digitally enabled companies are able to scale and compete effectively with industry incumbents, giving them a competitive advantage in a digital world.

IA is uniquely positioned to provide so much more.

  • What if IA no longer performed financial and compliance testing, but instead managed a series of online dashboards to detect errors?
  • What if IA could provide a real-time view of the status of risk management in every area of the company at any point in time?
  • What if IA managed a flexible talent model that allowed them to bring in the right resources with the right skills at the right time?

What will IA look like in the future?

IA needs to change what it does, how it does it and who actually performs the work.

The mandate will remain substantially the same; however, there will be a shift in focus and IA functions must:

  • Be highly connected, agile, proactive and forward-looking 
  • Continue to assess and challenge the efficiency and effectiveness of internal controls 
  • Be involved in the most strategic activities of the organization 
  • Harness emerging technology for better and more predictive risk mitigation outcomes 
  • Challenge the risk framework and view to also account for upside and outside, in addition to downside risks

What IA will do – the mandate

Despite the level of disruption occurring in the business landscape, IA’s mandate to provide assurance, business insights and strategic advice has not and does not need to change.
However, striking the right balance between assurance and advisory projects and how the mandate is executed should.

An IA mandate is not “one size fits all.” IA assurance is broader than an assessment of compliance with financial and regulatory requirements. It includes working with management to understand all of the organization’s risks to determine if they are properly identified, managed and mitigated by the business.
An updated view of the risk framework includes the following types of risk:

  • Upside – risks that directly relate to an organization’s ability to execute its business strategy and objectives, and provide organizations with a positive opportunity for value creation and growth (e.g., return on assets, market penetration, talent management)
  • Downside – risks that only represent a negative outcome and an organization is focused on eliminating, avoiding, mitigating or transferring in a cost-effective manner (e.g., employee fraud, regulatory compliance, information security)
  • Outside – risks that can have positive and negative impacts but are unpredictable because they are beyond the organization’s control (e.g., geopolitical, competitive shifts, natural disasters)

Historically, organizations and IA functions have been focused on downside risks, but in the future there is a need to expand the focus to all three categories to continue giving stakeholders confidence in the age of disruption.

IA will need a flexible resource model including:

  • Core audit staff 
  • Guest auditors 
  • Contingent workers 
  • External service
  • providers
  • Staff rotation
  • High performing teams 

The IA profession has a unique opportunity to embrace digitalization and lead by example. While it is a journey to get to the future state of the IA profession, it is one that must be started now.

Who will do it – talent and technology

The digital revolution will disrupt everything we take for granted today about how work is done. For leaders who fail to embrace this new reality, the old mantra “Our people are our greatest asset” could become “Our people are our biggest problem.”

IA must incorporate emerging technologies (robotic process automation, artificial intelligence, machine learning, etc.) as part of its new operating model. This will also allow a variety of dynamic outputs to be utilized on a more real-time basis to deliver feedback based on the needs of different stakeholders.

These new technologies require new skills and, importantly, new ways of working. Just employing people with different skills, or upskilling existing employees, is not the answer. To compete with disruptive startups, organizations need people with a different approach and attitude to their work.

A new workforce model, enabling IA to focus on purposeful, value-added work will be required. These changing workforce dynamics will require IA audit to develop a more flexible, adaptive and collaborative work environment.

The IA profession has a unique opportunity to embrace digitalization and lead by example. While it is a journey to get to the future state of the IA profession, it is one that must be started now.

The following are some key steps IA should take now to lay the foundation:

  • Understand the organization’s objectives and future vision
  • Define the future state for IA with a clear purpose and a mandate that aligns to the organization’s and enables the company to achieve its strategic objectives
  • Assess the current IA operating model, resource model and technology footprint to determine how they will enable the future state of IA
  • Review the IA life cycle to identify opportunities to automate and innovate to better position the function as a strategic advisor

As the foundation is solidified, IA should take the following actions to continue to drive to its future state:

  • Build a business case to demonstrate IA’s capabilities and its evolving role with digitalization and communicate it broadly and often to stakeholders
  • Drive efficiencies in financial and compliance risk coverage to free up resources and time to focus on strategic risks and the future state of the function
  • Start a process of transformation — technology development and deployment, skills sourcing, branding initiatives — to move toward the future state of IA
  • Remain aligned with the changing business so the function flexes with the changing vision and objectives of the organization


Many companies are embracing new technologies, restructuring their business models in response to changing risk profiles and using alternative strategies to satisfy their resource needs. Now, the case for transforming internal audit has never been stronger. To deliver more timely and strategic insights on risk to to the organization, internal audit needs to embrace an entirely new operating model and talent strategy.

About this article