Internal Audit Functions Need to Disrupt Themselves


21 March, 2017

NEW YORK, March 20, 2017 – PwC today released its 13th annual State of the Internal Audit Profession study, which found that internal audit functions are losing ground in trying to keep pace with stakeholder expectations.

This year’s study shows that the number of stakeholders that view internal audit as “contributing significant value” dropped from 54% in 2016 to only 44% in 2017, reaching its lowest level in five years. Despite this drop, the good news is that nearly half of all stakeholders want internal audit to take on a more integral role; this can be achieved through the function’s ability to help stakeholders better manage unplanned or unanticipated events, also known as market disruptions.

“Organisations are facing rising complexity of risks and new disruptive sources, impacting them at increasing speed. Stakeholders expect internal audit functions to help them navigate this changing landscape or face a shrinking perception of the value internal audit provides,” says Jason Pett, PwC's US Internal Audit, Compliance & Risk Management Solutions Leader. “In a world of constant disruption, internal audit leaders need to think differently to accomplish more dramatic transformation and demonstrate their vitality. Particularly, they must be well-equipped to mitigate risk in several disruptive areas including regulatory changes, cybersecurity and changes to customer preferences -- the disruptors most likely to impact businesses over the next three years.”

Based on nearly 1,900 respondents[1] from organisations headquartered in 41 countries or regions[2], 18% of them report that their internal audit functions play a valuable role in helping their companies anticipate and respond to business disruption – a subset of the pool which we’ve coined “Agile Internal Audit (IA) Functions.”[3] Nearly nine out of ten stakeholders with Agile IA Functions report that internal audit is adding significant value – that’s more than double the percentage of stakeholders with less agile internal audit functions.

The study uncovered two key traits that enable Agile IA Functions to lead in disruptive environments – preparedness and adaptiveness.


Agile IA Functions are forward-looking and able to identify emerging disruptions and associated business needs. They collaborate with other lines of defense in a unified and integrated manner and make decisions mutually supported by others in the organisation. To boost preparedness, internal auditors should:

  • Build the eventuality of disruption into planning and risk assessment: 84% of Agile IA Functions are mindful of disruption and include the possibility as part of the audit plan development, compared to 50% of less agile peers.
  • Meaningfully collaborate with other lines of defense: 76% of Agile IA Functions cohesively work with other risk management and compliance functions to address disruption, compared to 40% of peers.
  • Invest in and elevate business and technical IQ: 73% of Agile IA Functions provide Internal Audit with advanced technology and encourage the development of trending and analysis techniques, compared to 60% of peers.


Flexibility is key in Agile IA Functions—their processes must be transformative across audit plan development, audit planning, fieldwork and reporting. They should also use innovative talent models as needed and routinely reorganise or redirect resources according to disruption. To be adaptive, internal auditors should:

  • Create more flexible processes and reporting mechanisms: 73% of Agile IA Functions change course and evaluate risk at the speed required by the business, compared to 37% of peers.
  • Drive the use of data analytics and technology: 47% of Agile IA Functions have increased the use of data mining and data analytics for continuous auditing/monitoring of trends and potential impacts of disruption, compared to 35% of peers.
  • Implement flexible talent models: 74% of Agile IA Functions redirect/reorganise resources as needed to help the organisation manage or respond to disruption, compared to 40% of peers.


“To become a leading internal audit function likely means changing what internal audit is doing and where it’s focusing, such as using more frequent proactive risk evaluations in advance of disruptions,” said Mark Kristall, Partner within PwC's US Internal Audit, Compliance & Risk Management Solutions practice. “With an innovative vision of what internal audit can be, the function can deliver the greater value that stakeholders expect and need.”

Notes to editor:

To download a full copy of the report, please visit:

About PwC’s Risk Assurance practice

PwC understands that significant risk is rarely confined to discrete areas within an organization. Rather, most significant risks have a wide-ranging impact across the organization. As a result, PwC’s Risk Assurance practice has developed a holistic approach to risk that helps to protect business, facilitate strategic decision making and enhance efficiency. This approach is complemented by the extensive risk and controls technical knowledge and sector-specific experience of its Risk Assurance professionals. The end result is a risk solution tailored to the unique needs of the organization.

About PwC

At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 223,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at

PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see for further details.

© 2017 PwC. All rights reserved.

[1] The respondents were made up of internal audit executives and stakeholders of internal audit, including audit committee members and chairs, board members, CFOs, CEOs, CCOs and CROs.

[2] Countries or regions include: Argentina, Australia, Austria, Belgium, Brazil, Canada, Chile, Mainland China and Hong Kong, Cyprus, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Ireland, Italy, Japan, Kenya, Luxembourg, Mexico, Namibia, Netherlands, New Zealand, Nigeria, Norway, Poland, Portugal, Russia, South Africa, Spain, Sweden, Switzerland, Turkey, Ukraine, United Arab Emirates, UK, US and Venezuela.

[3] This subset was created based on two criteria: (1) their company received significant value from internal audit’s involvement in disruptive events, and (2) their company defined internal audit’s value as contributing something more than executing effectively and efficiently on the audit plan.


