Rear view of two hikers walking along river bank

How Internal Audit can Fast4WARD to the future

Authors

Contributors

9 minute read 19 May 2021
Related topics
Consulting
Risk
Trust by design

This four-step methodology can make the future of IA a reality today.

In brief

  • Becoming a wiser IA function is about moving from a single point-in-time view of risk to one that is dynamic and continuously refreshing in real time.
  • IA teams must be agile so they can respond to dynamic environments, and this includes an agile skillset from a diverse workforce.
  • Driving digital in IA means striking a balance between having the right technology and having creative people who can drive change.

Over the course of 2020, the need for IA to transform and define the future forward intensified in urgency. Following a new methodology, IA can move “Fast4WARD” to become a function that is:

  1. Wise
  2. Agile
  3. Resilient
  4. Digital

1. Wise and risk-conscious

If we were to go back in time to 2010, we would see many organizations were crafting and announcing their “vision 2020.” These mission statements mostly spoke to providing clarity on where the company was heading, and were supported by operational or revenue goals and well-defined but complex roadmaps. IA functions followed suit and created nested strategic visions with digital roadmaps that defined how teams would develop their skillsets and analytics programs to provide the business with better and deeper insights.

It’s safe to say that few organizations’ vision 2020 accounted for the risk of a global pandemic, historic weather changes, political and social unrest across the world. Ultimately, 2020 was the year that proved the importance of IA being adaptable, with a risk appetite that allowed for more innovative audit approaches.

For IA teams today, wisdom means blending perspective and experience with facts and data – and doing so on a continuous basis. Being wise and risk-based transcends the traditional definition of what is often referred to as providing “insights to the business” and streamlines how functions can operate.

According to the EY Global Internal Audit Survey published in December 2020, over 60% of internal audit functions still perform a risk assessment on an annual basis. For internal audit to improve how it identifies and responds to risks, it requires the right methodology and tools to enable agility. This approach goes beyond just increasing the frequency of when risk assessments are performed or including additional data points for analysis to changing how we understand risks and management’s preparedness. 

For IA to improve, it’s about more than just carrying out additional risk assessments or
adding extra data points for analysis. Rather, IA must change how it understands risk. This
necessitates the right tools and approach in order to enable and support agility.

How EY can help

Here’s how IA can Fast4Ward to a wiser, risk-based function:
 

  • Disrupt the risk assessment process
     

Move from a static, single point-in-time view of risk to dynamic, technology-enabled risk identification and prioritization that is refreshed continuously in real-time. Consider collaboration tools to facilitate efficient and timely feedback from key stakeholders and explore the use of tools and enablers such as EY Growing Beyond Borders and IBM Watson to identify outside risks.
 

  • Adopt continuous monitoring
     

Broaden the focus from detection based on past results to also predicting control failures and risk triggers in real time. Implementing a data analytics platform that monitors key risk indicators throughout the organization will help you achieve this. Enhance risk management within the organization by enabling the first and second line to continuously monitor baseline risk, enabling IA to optimize its audit approach and focus on emerging risks.
 

  • Communicate with impact
     

Transform the way that IA communicates with its stakeholders by focusing more on delivering insights than simply reporting results. Communication of findings should focus on the root cause of the issue, providing the business with valuable wisdom and insight that can be used to enact real change and improvement. Consider the use of interactive reporting dashboards, which allow for quicker turnaround of results, better engagement with the user and more impactful conversations than traditional audit reports.
 

The diagram below shows a dynamic internal audit workflow, digitally enabled and continuously refreshed in real time.

ey-Diagram

2. Agile in its approach, delivering value cost-effectively

IA functions are under increasing pressure to mirror their organization’s pace of transformation, particularly in times of such rapid change. IA functions must not add friction, slow processes or inhibit innovation – they must become more agile in their internal auditing processes to better address fluid and dynamic risk environments.

But don’t confuse the word “agile” with the project management methodology. Adding Agile into IA projects may add complexity and unnecessary project management to an audit process that should already be agile in nature and generally executed and reported in under a month.

Instead, IA should operate with an agile mindset as an inherent attribute, embedded within the DNA of an organization. Truly agile organizations can monitor and respond to risks efficiently as well as pivot their approach based on the risk profile at hand. With an agile approach, IA functions can even become change agents.

One way to approach this is to deploy a Flexible Audit Response Model (FARM). It offers multiple options beyond traditional audits for IA to respond to the risks highlighted in risk monitoring, ranging from a quick analytics review to a full audit, if needed. The key is that FARM enables IA’s response to identified risks to be swift, efficient, responsive and enabled by technology.

Agile auditing is a mindset, and adopting it changes the way IA’s processes and deliverables are prioritized, completed and communicated to the organization. They should focus on how IA can disrupt itself, best add value and provide relevant insights in the context of ever-changing industries, organizational structures and risk profiles.

 

 

By adopting a mindset that embraces agile auditing, the whole way in which IA interacts
with the organization changes. The focus should be on how to add value and contribute
useful insights in a dynamic environment, characterized by constantly changing
organizational structures and attitudes to risk.

 

 

3. Resilient in its human skills

An agile IA function demands a mindset change – and a huge component of making it work is understanding the next generation of leaders, while enabling every generation to work together. For example, emerging leaders often focus on sustainability, equality, cooperation and commitment to society. These are values that could be held by members of any other generation, too.

Society has long created blanket definitions of generations, but it is not so simple: every individual is different. And while it is important for Gen Xers and millennials to understand the perspective and agility of new generations entering the workforce, it is also important for Gen Zers to learn from past generations and be able to build upon their successes and further improve the business world they inherit. The key to resilience is inclusion – enabling everyone to be heard, welcomed and valued.

The responsibility is on all of us to find balance in our evolving, generational diverse workforce. Throughout the pandemic we have all learned to adapt and work differently – we should not miss the opportunities to work together and drive true resilience in IA’s human capital.

 

 

The pandemic has meant we have all had to learn and adapt to different ways of working.
Going forward, we can build on this experience by driving resilience through inclusion, so
that everyone feels they are listened to, welcomed and valued.

 

4. Digital in its thinking and execution

IA’s transformation to digital has been slow and challenging, to say the least – until the pandemic struck and forced IA functions to think digital, whether they were ready or not. Based on the EY Global Internal Audit survey published in December 2020, 50% of the 647 respondents indicated that they do not have any digital strategy, 47% have either just begun or have partially implemented, and only 3% have fully implemented. 

No digital strategy
of the 647 respondents to the EY Global Internal Audit survey indicated that they do not have a digital strategy.
Implementing a digital strategy
of respondents have either just begun or partially implemented a digital strategy, and only 3% have fully implemented one.

If they are not already doing so, Chief Audit Executives (CAEs) and internal auditors must ask themselves how to leverage technology for more efficient and effective audits, what tools should be used to simplify the audit process and execute high quality and high impact audits, and how to enable internal auditors to think digitally and own the digital strategy.

Here’s how to drive digital in IA:

  • Balance tools with people

The IA function must have the technology or tools to enhance their audit process, and more importantly, have innovative people capable of driving change. For example, some IA functions in various organizations have been using audit management systems, but often only as a repository of working papers. In order to maximize the full functionality of these systems, internal auditors must view these systems as tools to rethink their processes and determine where they can drive efficiency instead of simply maintaining the status quo.

  • Establish a culture of creativity in IA systems

Enabling internal auditors to think digital starts with asking what they can do to take an innovative perspective and how they can apply technology, not in the next five or ten years, but today. There should also be digital ownership, as internal teams become confident in their ability to use these technologies, from acquiring data, running analytics and sharing insights with management.

  • Listen to the needs of auditees

Improving the audit experience for auditees is key, and it is consistent with IA’s goal of delivering high-quality audits and reducing the burden of the audit on the business. There are many tools available to support this, including virtual collaboration (replacing face-to-face discussions), advanced analytics refining risk assessment and scoping processes, process mining and artificial intelligence (AI). Even more advanced is having a system that uses automation to reallocate IA procedures from employees to machines, which gives IA more time to focus on deeper insights and have meaningful interactions with the business.

Fully digitalize IA service delivery

EY has developed the Virtual Internal Auditor platform to digitalize IA services from strategy to risk assessment and reporting.

Discover more

What tools are available to help IA Fast4WARD?

  • Virtual collaboration

Various functional groups and business units across the globe can now work together in real-time to identify and categorize an organization’s key risks and leverage on each other’s inputs to prioritize those risks and communicate solutions.

  • Voice enabled assistants

These are used to transcribe meetings and provide real-time insights. Chatbots that manage and answer queries are also available.

  • Advanced analytics

These come in the form of predictive data models, continuous analytics, and external risk  indicators, among others. Results of the analytics are used during risk assessment to help define and refine the audit scope; during audit execution to identify trends, red flags and root cause; and during monitoring by updating and building new and relevant analytics that management can use.

  • Process mining

This smart, big data technology visualizes real process flows in real time. It can be applied across the IA lifecycle end-to-end, and reveal bottlenecks and inefficiencies based on data generated in the organization.

  • AI

Automated processes can extract insights from natural language processing and perform predictive analytics that leverage advanced algorithms and machine learning.

  • Drones and augmented or virtual reality (AR or VR)

Some organizations use drones during inventory physical count in high risk and sensitive areas. AR or VR can also be used to simulate environments. 

Looking 4WARD

The growing “digital and data divide” between IA and the business within organizations will continue to challenge the relevance of IA and compliance functions. To support this journey, IA must strive toward a new, significantly enhanced IA value proposition, methodology, governance and people model, enabled by technology.

This model should be strengthened by real time data insights, continuous risk monitoring, and innovative communication of results. In the context of “agile” buzzwords and a plethora of new technology platforms to support it, such a framework can provide a concrete methodology which can support organizations in moving with, rather than against, the current of change toward a more adaptive and innovative IA function.

As businesses look to increase their agility in a post-COVID-19 world by accelerating their digital transformation, IA must move 4WARD to meet the more complex needs of its stakeholders and deliver value for organizations.

The authors would like to thank the following who also contributed to this article: Angelynn Mercado, Manager, Ernst & Young Advisory Pte Ltd; Madeleine Bowdern, Senior Consultant, Ernst & Young ABC Pty Limited; Brendan Clark, Senior Manager, Ernst & Young LLP; and Catherine Chua, Senior Manager, Ernst & Young Advisory Pte Ltd.

Summary

Internal Audit has a unique opportunity to transform and demonstrate how, as a function, it can be wise and risk conscious, agile, resilient, and digital in terms of its tools and thinking. By adopting this methodology and way of thinking, Internal Audit can help lead the organization forward.

About this article

Authors

Contributors

Related topics
Consulting
Risk
Trust by design

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.