May is Internal Audit Awareness Month. On the off chance that didn’t make it onto your calendar, I’d like to make the case that rethinking internal audit’s potential is time well spent.
While traditional internal assurance remains important, a modernized, agile internal audit function stands to add significant value to your organization. The pace of doing business shows no sign of slowing—whether it’s one of many forms of disruption, increasingly vocal and varied stakeholders, or the speed at which news (good or bad) spreads. An internal audit function aligned with and focused on these realities can make all the difference.
To illustrate, consider the role of the chief information officer. New capabilities, cost pressures, privacy concerns and an emphasis on innovation translate to high expectations. To meet these demands effectively while managing risk, CIOs are increasingly turning to IT internal audit. Relying on internal audit for help identifying risks early, strategic guidance, and substantive expertise has proven a valuable tool for many CIOs as they navigate an increasingly complex and unpredictable environment.
This strategic role for internal audit can extend well beyond IT, benefiting multiple functions. Whether the challenge is financial, digital, or an issue of organizational culture, we have found that more extensive, proactive involvement correlates with more effective management of disruption. It boils down to a simple equation:
Prepared + Adaptive = Agile
More specifically,
• Preparedness means thinking ahead. Disruption is the new normal, so finding ways to anticipate the unexpected adds great value. Audit has traditionally looked back at past performance, but agile internal audit requires auditors to face forward, plan strategically and then share their perspective with other departments and the C-suite. Working across the organization to build in flexibility and enable faster reactions are all part of preparedness.
• Adaptiveness is enabled by all that preparation. Agile internal audit functions are sufficiently flexible that they can shift their audit plan development, audit planning, fieldwork and reporting as circumstances change. They are savvy enough to know that one size need not fit all. For example, agile internal audit functions assess areas where controls are not yet developed or fully operational by using health-checks, maturity/progress assessments or even sitting as part of a steering committee. Reorganization and redirection of resources are routine.
All of this requires the right skills. The ability to acquire top talent through hiring, training, retaining and co-sourcing is one of the hallmarks of internal audit agility. As PwC discussed in our recent report, The quest for internal audit talent as stakeholders expect more, 83 percent of very effective internal audit leaders do well at talent management, compared with only 47 percent of effective leaders and 24 percent of less effective leaders. And it’s not easy: chief audit executives cited talent shortages as their top leadership challenge.
Given how hard it is to find top talent, it’s essential for organizations to acquire audit talent that will match their risk areas. Too often, internal audit functions focus solely on financial and IT talent. While these skills are almost always necessary for a successful internal audit group, they may not be sufficient. Diversifying internal audit to include nontraditional backgrounds like engineers, supply chain professionals or regulatory specialists may be a critical step toward helping your organization manage the risks and realize the opportunities when those disruptive curveballs get thrown your way.
In our recent study, Navigating disruption, we found that agile internal audit outperformed its more traditional counterparts. For example, when managing disruption around culture and compensation change, 54 percent of agile internal audit components were moderately to extensively involved, which translated to a view that, overall, the business effectively managed the disruption 41 percent of the time. By contrast, 27 percent of other internal audit components had that same level of involvement, and only 27 percent of those respondents said their business effectively managed the disruption. Significantly, we found similar correlations across many different types of disruptions. The conclusion: Agile internal audit functions that are more closely aligned to the business at the point of disruption and risk help the organization better manage the risk event.
Innovation, disruption and speed define the way we do business. By aligning internal audit with these realities, organizations can gain important strategic advice and improve risk management. Prepared, adaptive, agile. Happy Internal Audit Awareness Month to all!