Waist up portrait of three smiling business people discussing work while standing behind glass wall in office, copy space

Three questions to answer for a forward-looking internal audit function

Delivering more value to executives means shedding old mindsets and outmoded technology, especially as the risk landscape gains complexity.

In brief
  • IA functions must widen their focus to include upside and outside risks, but they are held back by manual processes, spreadsheets and patchwork solutions.
  • Automation, analytics and dashboard visualizations can enable continuous risk monitoring, helping professionals shift from being reactive to proactive.
  • The EY VIA platform can be used to drive integration, digitization and automation across the IA life cycle, with the flexibility for configuration.

The COVID-19 pandemic instantly became the biggest risk event of the past decade, adding more complexity to a landscape already full of it, in the form of accelerating technology, rapidly converging business models, increasing regulation, and an evolving workforce of the future with different priorities and needs. Facing a need to deliver more data-driven insights, many internal audit (IA) functions are hobbled by ineffective software and backward-looking mindsets.

Click to play video.

To be successful, organizations need to shift their focus from simply mitigating risk to embracing new upside opportunities. IA functions have a vital role to play in enabling that shift and becoming a valued partner to the C-suite group. Executives must be equipped with what they need to know to make decisions confidently, across broader dimensions of risk — yet too many IA functions are still focused on the past.

IA professionals must be willing to rethink how they deliver value and where they focus their efforts. They need to be empowered with a truly digital platform that can fundamentally improve baseline assurance while delivering higher value through deeper insights to stakeholders.

Instead, IA functions are saddled with a patchwork of solutions that don’t necessarily work together. Auditors are using spreadsheets, or maybe a governance, risk management and compliance (GRC) tool with no connection to data analytics or ability to generate one-click reporting. Low-value, manual processes are eating up time and resources to produce audits with little value. Executives are left without a holistic view of their audit universe or a full understanding of all the dimensions of risk.

EY Virtual Internal Auditor (VIA) is a new platform to replace this inefficiency and fragmentation with integration, customization and collaboration. As you imagine a future state for IA with new technology and new possibilities, here are three questions to ask.

1. How many programs will your auditors need to use?

Among many other tasks, IA functions should document their work, manage issue tracking, measure progress and generate reports. Many auditors can find themselves working in several programs in some of these areas, complemented with manual processes. Workflows can be inefficient and hard to define, with little transparency or visibility at a given moment.

Think about how your function will approach its tasks across five key areas: strategy and IA management, risk assessment, audit planning, execution, and reporting and communication. To what extent do you have technology across these areas, and how much of it is integrated? EY VIA is a platform for the end-to-end IA life cycle to become fully digital and automated; it considers the different core and edge capabilities, validating that the right governance, process and capabilities and enablers are in place for each area of the life cycle.

2. How well are your tools connected to automation and analytics?

By introducing analytics and automation, IA functions can expand and enhance the depth of their risk analyses and demonstrate their worth in becoming a trusted advisor to the C-suite. Automation frees IA professionals from rote tasks like trying to input data or move it from one system to another, among other low-value responsibilities.

With these technologies, functions can better enable root-cause analyses and continuous risk monitoring to shift from being reactive to proactive in their audit responses, providing information that helps anticipate future risks and recommend measures that mitigate or reduce risk.

This functionality should be integrated in any solution you consider. EY VIA includes automation and analytics, as well as dashboards and other visualizations that are critical for executive decision-making in real time. For instance, those in EY VIA show constantly updating information based on ratings, related processes and deadlines.

3. How will you account for upside and outside risks, not just downside?

Risk management is often centered around downside risks, such as fraud or cyber attacks, that are inherent in an organization’s operations that must be prevented or mitigated. Yet, as the COVID-19 pandemic has shown, truly understanding the environment also requires a broader understanding of risk, including when your organization may miss out on an opportunity (an upside risk).

Risk assessments should anticipate risk continuously — not just at the start of the year or a quarter, and not in a monotonous process that spits out a yes-or-no answer. EY VIA will handle this by bringing in many sources of data, and it puts automation and analytics to use and triggers the digital mindset of your talent when recommending action items. Perhaps they will want to issue a finding or explore the surfaced issue in more depth. The assessment is a four-step process:

  • Identify possible risks that an organization’s processes are subjected to
  • Prioritize risks
  • Identify and assess the value of risks
  • Determine risk treatment options to deal with the risks


A platform built on leading practices, yet flexible

As an organization’s business needs change, EY VIA can be adjusted to meet your needs. The views and the formats of your templates can be configured in any way, and your rules and responsibilities, access points, and approval points can be defined as you see fit. EY VIA can also be easily adapted through suite of modules that can be added or dropped as needed, covering and transforming the complete IA life cycle.


Through EY VIA, you gain a complete holistic view of your risk and process universe while expanding the depth and breadth of your risk analysis, identifying topics beyond today’s scope — all while working more efficiently.


As you rethink what’s possible in IA and how to position the function as a strategic advisor, don’t settle for systems that don’t work well together and aren’t empowered with automation and analytics.

Related Consulting articles

How to use real-time data to mine better insights

Learn how a leader in the food and beverage industry is harnessing the power of information to prepare for what comes next

31 Mar 2023 Milene Carvalho + 2