No Match Found
Our survey highlighted five compelling findings. Each is explored further in this report, focusing on why they matter to IA and its stakeholders, the value to the organisation, and practical tips to address them.
Recent megatrends are creating risks in new areas that are unprecedented in scale and complexity. IA is uniquely positioned to give the organisation confidence to navigate these challenges and find a new direction—and new opportunities.
Driven by increased complexity and higher stakes, business executives are opening the door for IA to help them address more strategic areas. IA can choose to engage differently with its stakeholders to provide new strategic value, or risk becoming irrelevant.
First and second line have ‘levelled up’ their capabilities and response to risk. IA can help combine expertise across the organisation to harness momentum and forge something stronger together.
Technology has become exponentially more sophisticated, providing organisations with access to more data and opportunities than ever before. IA must continue to evolve its human capabilities to ensure it can turn data into decisions, build new relationships, and help others to see risk differently.
Technology investment in recent years has not yielded the returns many have expected and the next wave of technology is already here. IA needs to recalibrate its approach and work with others to unlock the potential of technology; but the window is closing fast.
“Whilst today’s world and its risks are more connected than ever, the level of complexity and pace of change can mean it’s hard to focus and see clearly what’s important. Many organisations still have functional silos that are rigid and hard to traverse, information and data that is difficult to access or trust, and communication gaps that are behavioural and tough to change. Together, these create ‘walls’ that restrict agility, stifle innovation, and limit the power of working as one organisation. The interwoven themes explored in this study will show that IA’s objectivity and ability to ‘connect the dots’ means that it has the potential to ‘see through’—and ultimately break down—these walls, to create new value, and give its stakeholders the confidence to navigate the risk multiverse.”Shaun Willcocks,PwC Global Internal Audit Leader
Pioneers leading the way
Throughout this report we will refer to a group of respondents we call ‘Pioneers’. The group, which represents 8% of respondents, was identified based on three characteristics: (1) they are very effective at raising significant risks and challenges the organisation has not yet considered, (2) they are in the top quartile for percentage of effort spent on strategic risk areas, and (3) they are in the top quadrant for percentage of work effort delivered using innovative and agile methods.
The Pioneer group is small, but this reflects the nature of pioneers—those that break new ground. It is also a reality of a more globalised and connected world—standing out and being seen becomes harder, both for IA, and organisations as a whole. Our data shows that Pioneers stand out from their peers in a number of dimensions, including the number of strategic risks they cover, the outcomes they are achieving from technology investments, and confidence that they have the right talent now and in the future.
Today’s megatrends are driving rapid global change in areas like technology, geopolitics, climate, supply chains, regulation, and workstyle reform. These changes are not occurring in isolation, but rather they are interconnected, interwoven, and ‘stacking up’ to create complex risks. In other words, organisations are facing a new reality—a ‘risk multiverse’.
This complexity is amplified by the globalised nature of modern markets, faster information flows, and more sophisticated expectations of consumers, regulators, and stakeholders—and greater consequences for failing to meet these expectations. This brings with it more blindspots and new types of disruption—or ‘company killers’.
The result can be that organisations slow down, lose confidence in their strategy and roadmap, and are unable to steer quickly through change or avoid hazards. This can mean disruption at best, or obsolescence at worst. This is forcing organisations to speed up transformation and change their core strategies. PwC’s 26th Annual CEO Survey found that nearly 40% of global CEOs do not think their organisations will be economically viable in ten years’ time if they continue on with their current strategy.
To succeed in this new reality, organisations will need different approaches, skills, and technology. For IA, it means they are needed more than ever. Our survey showed respondents ranked IA’s top attributes as its (1) risk and controls mindset, (2) independence and objectivity, and (3) business knowledge and experience. Enhanced by IA’s organisational reach, this unique combination makes IA ideally placed to help organisations connect the dots and navigate risk and complexity.
When equipped with the right technology, vision, and talent, IA’s ‘superpowers’ can not only protect value, but also create value by ensuring the organisation can capture the upside of risk. Our survey found that, in addition to better governance, more risk awareness, and stronger internal control, executives believe that a high-performing IA function can help:
Ultimately this can mean organisations have the confidence to adjust their risk appetite to take more risks and move quicker—all of which is critical in responding to the megatrends and remaining viable as an organisation.
For IA, This means that IA leaders must be bold. They must voyage into uncharted territory where there is no roadmap.
We are seeing examples of IA functions pushing forward to tackle today’s megatrends. The following are examples of IA's response to supply chain disruption, rapid IT modernisation, and acceleration of Artificial Intelligence (AI).
One example of multi-layered complexity has been the recent supply chain disruption. This caused a crisis where demand was difficult to forecast, goods were hard to source, transportation was hard to find, and routes were backlogged and unpredictable. Volatility rippled throughout the supply chain and introduced significant risks to business models and processes, putting it high up on the agenda for many organisations.
Our survey found that 47% of IA functions address supply chain disruption in their audit plan and 34% plan to do so in the next one-to-three years. Many, however, are wondering how they can tackle risks and disruption that occur with such scale and speed.
Claire Qian, PwC’s Risk and Compliance Leader for Mainland China & Hong Kong, highlights that, “While much responsibility to manage supply chain risk falls on the first and second line, the third can add value by sharing insights, advising on risks, and providing assurance over what the second line is doing.” IA realises that to address the speed of these risks, all parts of the business need to be aligned, with second and third line working alongside the business to ensure communication is fluid and early warning (or ‘risk sensing’) systems are built in. For IA, this has included working with Compliance to automate supplier due diligence processes, leverage third party intelligence data, and refocus vendor audits and monitoring. IA can use its vantage point to look across the end-to-end supply chain and challenge whether resilience and business continuity arrangements are robust, and management has stress-tested the supply chain for blind spots or weaknesses, such as supplier dependencies.
Accelerated by the COVID-19 pandemic, many organisations have had to turn to technology to help adapt their strategies and commercial and operational models to remain viable. This has forced IA functions to reflect on how they can keep pace with this change, and reconsider where in the change lifecycle they should be involved. The investments that organisations have made in recent years—from large enterprise resource planning (ERP) system implementations, introduction of AI, machine learning, automation, and cloud solutions—have meant old IA approaches may no longer work, and new skills are needed. This includes approaches to new risks around responsible AI, collaborating with outside specialists, or with guest auditors from the business. It has also meant being bold enough to stop IA activity that is not adding much value.
The pharmaceutical, life sciences, and medtech industry, for example, has experienced rapid growth and groundbreaking innovation in recent years. This has included streamlining and automating research and product development, leveraging technology for clinical trials, and a shift towards remote interactions. This has changed the strategic and commercial landscape for organisations—and patients—but also forced IA functions to reflect on their own approaches. “The IA survey highlights the considerable opportunity that exists for IA functions to be equipped with the right set of technology capabilities, but also with the need to understand emerging technology at rapid speed,” says Brian Long, PwC’s Pharmaceutical & Life Sciences Sector IA Lead.
“Our Internal Audit team believes that technology & digitisation is the only way for us to support the mission and vision of Moderna to create transformative medicines and commit to innovation. By adopting a digital mindset and building strong relationships with our digital teams, we have aligned our vision with the company's strategy. I am confident that by ‘digitising everywhere’, we will provide better assurance and meaningful insights to all our stakeholders.”Sanjay Sharma,VP Internal Audit, Moderna
The rapid emergence of AI marks the beginning of a new phase of IT modernisation. Traditional AI is advancing, and Generative AI is so powerful and easy to use, it’s poised to change business models and revolutionise how work gets done. A wide array of risks have already emerged, including risks to decision-making, privacy, cybersecurity, regulatory compliance, third-party relationships, legal obligations, and intellectual property. This is explored further in PwC’s Managing the risks of generative AI publication.
IA will be a key facet of addressing these risks and helping ensure the upside and RoI from AI can be realised. This includes providing stakeholders with confidence that there is a responsible governance framework around AI and appropriate controls are embedded in underlying processes. This may require IA to step outside of its comfort zone and become involved earlier in the change lifecycle to assess whether the organisation’s AI strategy is appropriate and transformation risks are being addressed.
In parallel, IA has to determine how to harness the potential of AI and other technology, like RPA, to evolve its own capabilities and ways of working. In the past 12 months, just 27% of IA functions have invested in RPA or AI for use inside the function. Many IA functions are still grappling with adopting and using more basic technology, like audit workflow or analytics tools, and so the arrival of AI is causing many IA leaders to reflect on how best to approach it. Some IA functions have ‘hit a wall’ with their technology strategy as the returns from previous investments have not always met expectations—or they are not clear on the actual problem they are trying to solve with technology. We explore this further in section 5 of this study.
“A successful IA function is always changing and evolving, leveraging technology, thinking of new ways of working and continuing to change its operating model to flex with business strategy.”Jennifer Moak,SVP of Internal Audit, Verizon
Reconcile the current IA plan with the known and emerging megatrends to identify any that might not be addressed and discuss with the Audit Committee, stakeholders and second line if this is the right approach.
For transformation initiatives in the organisation, such as the introduction of AI, consider who is providing assurance over the alignment of business strategy, transformation objectives, implementation activities, and measurement of intended outcomes. The ability to connect the dots and spot misalignment can often require an objective viewpoint.
PwC’s Global CEO Survey asked CEOs what they consider to be the top threats to their business. Inflation and macroeconomic volatility topped the list. Our Global IA Survey shows, however, that nearly 50% of IA functions are not addressing these two top threats in their audit plan, and one in 10 have no plans to do so at all. Just 6% said their IA plans are addressing the full spectrum of threats.
If IA is not tackling an organisation’s greatest threats, how can it be considered the last line of defence? It may be that IA does not believe it’s within its mandate to address some of these areas. For some, these threats are perceived as not auditable and for others, IA may lack the confidence or skills to tackle them.
The good news is that the door has been opened for IA. Our survey shows that many business leaders want more strategic engagement with IA early and proactively with 68% wanting IA to be involved during the risk identification and assessment stage and over 50% seeking IA involvement in management strategy and planning. This may be driven by a multitude of factors, including the complexity of today’s risks, the need to provide comfort to others, awareness of the benefits of better governance, and/or recognition of IA’s value and potential.
Strategic risks are not always easy to see, and are sometimes not the ones documented in the risk register. They will also be specific to each organisation, so it’s important for IA to have the right Board and executive relationships—and sufficient opportunity to talk—to understand what matters. IA must be willing to challenge strategic decisions when risks indicate a course correction is needed; however, to do this effectively IA may need to reposition itself with stakeholders and be willing to have different conversations in order to be heard. At Pepkor in South Africa, for example, IA positions itself close to the organisation’s strategy and holds frequent discussions with management regarding key strategic risks. Wikus Theunissen, Chief Audit Executive, shares that “IA has steered away from a typical audit plan. Instead, 30% to 40% of the audit plan is agile, which allows IA to respond to urgent risks.”
Examples of strategic areas some IA functions are auditing
Pioneers are 38% more likely than peers to provide proactive advice on emerging risks.
Our survey indicated that IA has the opportunity to have more high quality, open, and frequent conversations with management about risk. It shows that only 36% of stakeholders classify their risk conversations with IA leaders as of sufficient quality and frequency. While more than half of IA leaders indicate frequent, high quality risk conversations take place with the audit committee chair, the CFO, CEO, CRO, and CCO, only 8% indicated ‘good quality and frequent interaction’ across all relevant stakeholders.
“When you are doing audits and providing assurance to a business that is trying to be disrupting and innovating, you have got to come with the right attitude and calibrate transparency, risk, and box-ticking—and box-ticking is not always the right way to go.”Jason Davies,Chief Internal Audit Officer, NEOM
The benefits of better risk conversations can include new insights on emerging risks, more focused and timely assurance, and a fresh perspective on other opportunities. Our survey found that the percentage of business, risk, and compliance leaders in pioneering organisations that report having good quality and frequent risk conversations with the IA leader is nearly thirty points higher than non-Pioneers (63% v 36% overall). This is where the Pioneers can challenge the status quo and shine a light on alternative paths. This can help the business course-correct where necessary, particularly for the almost 40% of global CEO’s who worry about the longer-term viability of their organisation.
Practically, this may mean changing the format and style of stakeholder meetings, engaging earlier when a new strategic initiative is being considered, and communicating more frequently outside of the normal audit cycle. It can sometimes be as simple as IA asking its stakeholders to explain their business strategy, priorities, and expectations for the future.
Paula Adkison, Senior Vice President of Internal Audit at McKesson, highlights the significant ways in which her organisation aligns with management. IA sits on the executive oversight committee which brings a better purview of strategic initiatives, and helps IA align its activities more closely to strategy. IA’s risk assessment process begins with an interview with the CEO, and broader Executive Operating Team, which gives IA the perspective to get a better pulse on risk across the organisation. Adkison spends a lot of time with business leaders, as does her team. Conversations centre around what trends and risks each are seeing, and what might be worrying the business. As Adkison says, “Our partnership with the business is important. IA asks questions and looks holistically and the business isn’t always able to do that. We weigh the high risks and we don’t waste our time doing insignificant things. The reaction we get from the business is positive.”
Examples of how IA can have better risk conversations
The definition of ‘better’ will differ from stakeholder-to-stakeholder, but we have seen effective IA teams engage with their stakeholders by:
Offering a viewpoint and commentary on new or draft business strategies and plans. IA can maintain objectivity whilst still offering a perspective based on their cumulative experience and ability to see risk differently
Authoring discussion papers or presentations on emerging risk areas or topics, outside of regular audit reports, which can offer an ‘early warning’ or prompt discussion. Our survey found that half of IA functions are authoring position papers on new risks, trends or regulation
Summarising findings from multiple audit reports into broader root causes and themes at a company level. This can also be mapped to trends in the industry
Bringing other expertise from first or second line teams, or external advisors, to broaden debates and offer other perspectives; for example, in topical or risk workshops
Sharing materials from industry or technical sources and/or communities of interest. This can help highlight industry-level trends or emerging risks
Agreeing ‘value-based’ metrics and Key Performance Indicators (KPIs) for IA, so it can be measured against the value it adds to stakeholders
Pioneers spend an average of 66% of their focus and effort on strategic areas versus 42% of others.
“For us, this is not about second guessing or auditing the strategy, but about working from a deep understanding of the business and its strategic direction. We need to know what can really hurt the company, both now and in the future. Understanding where the danger lies in emerging risks and in those that can be taken for granted; we should never lose sight of the fundamentals. This requires strong connection with the business , and collaboration — bringing the collective strengths of the function. My team needs to be ahead of the business, learn continuously, make judgments, and have real agility. We need to put ourselves out there and that can be challenging, but incredibly valuable for the company and rewarding for us when we get it right.”Ralph Daals,Group Chief Auditor, Zurich Insurance
Look back at previous strategic change initiatives and at what point IA became involved; consider what additional value could have been generated if IA had been involved earlier, and reflect this in the approach for current or future initiatives.
The right mix will be different for each organisation, but it should be by design and not by accident. This can involve asking stakeholders what is important to them. Using a simple matrix to plot what effort is spent on traditional versus strategic risk areas, and the type of audit approach taken, can be a simple way of setting the right balance.
Some IA functions have moved from formal meetings (with agendas and minutes) with stakeholders to more agile conversations, and have become bolder in adding views not necessarily backed by audit evidence.
Use visualisation tools to present elevated insights and to show how IA is connecting the dots across risks and organisational silos. Vary the nature, timing, and extent of reporting to fit different needs and different stakeholders.
Illustrative quadrant showing IA risk focus and approach
Percentages are illustrative only and each organisation needs to decide the right balance for them.
Most significant corporate failures have resulted from something the organisation either didn’t see coming, or they didn’t understand. Risks are not always easy to see—they can sometimes be too big (e.g. geopolitical, macro-economic, industry-wide) or buried in complex and multi-layered technical areas (e.g. regulatory, cyber, commercial). When they occur, the consequences can sometimes be seen in every part of the organisation, and often externally, which can impact reputation.
IA’s unique vantage point and risk-mindset means that it is able to ‘see through the walls of the organisation’ and shine a light on areas others may not clearly see. It cannot, however, see everything, all of the time. It is unlikely that any one function has the skills, experience, and capacity to cover the diversity of risks organisations face. Traditionally, IA functions have relied on guest auditors or co-sourcing to bring in the required expertise and, whilst this is still necessary to reinforce IA’s capabilities, IA needs to also be confident that nothing is missed at an organisational level. This is particularly relevant to industries that have been impacted by significant disruption to commercial models, complex reform, or new technological advancements, such as the pharmaceutical, energy, and financial service sectors.
The good news is that our survey showed that organisations have at least five second line functions on average with which to collaborate, and most have strengthened their capabilities and ‘levelled up’ over the last three years.
The strengthening of the second line represents an opportunity for IA to harness these skills and maximise the power of combining different capabilities; however, there is work to do: just over half (52%) of IA functions show strong alignment with first and second line on key risks and problems.
Business executives recognise that there is room for improvement with 49% believing that IA does not have strong alignment with the other lines on key risks and problems. This gives IA a strong mandate to take the lead in creating a unified view and finding new ways to leverage the different capabilities in the organisation.
The concept of ‘assurance maps’, which provide a consolidated view of how comfort over key risks is being addressed across the organisation, has gained traction in the profession. While the second line challenges and performs a critical role in its oversight of risk, compliance, and internal controls, IA is in a position to provide an independent and objective assessment and elevate issues beyond management to the Audit Committee. Pioneers are finding ways to make this approach mutually beneficial to IA and the business, including having combined teams to pool experience and add credibility to tackle tough or strategic areas like Environmental, Social, and Governance (ESG), M&A, or digital transformation. These require IA to draw on a wide variety of capabilities, including those relating to IT and cyber, legal, people and change or human resources, finance, treasury, commercial, product development, tax, and marketing.
Practically, this can involve a range of different approaches, such as:
Done well, such actions allow IA and others to achieve a ‘multiplier effect’—adding up to better risk coverage, greater efficiency, and more valuable insights. In other words, they become more than the sum of their parts. This can also have the benefit of showcasing to the Audit Committee and Board the value of integrated assurance, and opens the door to better engagement.
“IA can be like translators—interpreting and communicating risks and issues between different parts of the business, including the Board and Executives, who may have a different perspective, experience or background. This means IA can help to join the dots when there is a risk—or an opportunity.”Roberto Delgado,Chief Internal Audit Officer, Nissan Motor Co., Ltd.
A ‘risk shield’ around the organisation
A shield is only as strong as its weakest part. In today’s world, where risks can come from all directions, an organisation’s foresight and defense needs to be 360-degrees. As organisations assemble different capabilities and embrace new technology, they may also need to look differently at their internal structures, including how the three lines work together to increase agility, break down silos, and remove blind spots to ‘see through walls’.
Whilst it is critical that objectivity remains one of IA’s core superpowers, it should consider where the activities of each line intersect and overlap, how communication flows between them, and what this means for the organisation’s resilience as a whole. This involves being clear on responsibilities, the control and assurance mechanisms that exist, and the new opportunities to collaborate.
Changing the way we see IA and risk
The energy sector’s multiverse reality
Geopolitics and economic volatility have delivered a massive shock to global energy markets and fueled a global energy and cost-of-living crisis. This has made it challenging for organisations to balance profitability and growth with their customer and broader social responsibilities. This disruption sits on a backdrop of climate change, intense competition, regulatory reform, and technological change in energy generation, delivery and use.
This is contributing to a shift in audit focus towards commercial and operational resilience. Our survey found that, within three years, executives in the energy, utilities, and resources sector expect IA to spend 51% of its focus and effort on strategic risks. Marco Galioto, PwC’s Energy Sector IA Lead, summarises, “The sector is balancing many different strategic challenges. IA plays a critical role in helping the business respond. In a complex risk multiverse, IA should sit right in the middle”. For IA to be effective in this role, it needs a clear line of sight through the organisation (across different levels, functions, regions, and systems) and down the energy supply chain, including third parties relied upon. This involves providing comfort over its commercial strategy, response to regulation (and deregulation), and the huge volumes of data flowing through the ‘pipes’ of the organisation.
Some organisations are investing in data scientists, process mining, and visualisation software to help address the challenge, and increasing collaboration between the lines. In one case, dashboards built by IA were then replicated in the business to help them enhance controls and monitor things they couldn’t see before. There is, however, more work to do. Our survey found that, in the past 12 months, only 25% of IA functions in the sector have invested in RPA or AI, and only 20% have invested in 'centres of excellence' or dedicated hubs focused on technology and data. The good news is that change has begun, and the first steps are always the hardest.
Work with the other lines to map the different control and assurance activities performed to determine where there is duplication, blind spots, and opportunities to collaborate. Make the output visible to others to help close any gaps and support investment decisions.
Identify and collaborate with any CoEs, or similar pools of experience, that may exist in your organisation. Examples include cyber security, data, and operational excellence groups. These can provide economies of scale, optimise methodologies, and promote innovation.
Bigger organisations may have the capacity to pull together cross-functional teams or interest groups on key risk or technical areas, such as ESG, AI, or cyber. Similarly, encourage those in the second and third line to get involved with professional or industry groups to build experience and get fresh ideas.
Professional scepticism, a risk and controls mindset, and objectivity are long-standing IA skills and remain the foundation for its future. As the scale and complexity of risks change, IA will need more nuanced human skills to have meaningful and strategic conversations with its stakeholders. Our survey found that a smaller portion of executives ranked strategic thinking (19%) and ability to challenge constructively (23%) as key strengths of IA.
“Ultimately you find insights by talking to people. This requires good communication skills, empathy, and being able to speak the same language as the auditees. The business has the mindset of wanting to learn from mistakes and they know that IA can help them do that.”Gary Burmiston,Senior Vice President, Corporate Audit, E.ON Energy
One CAE we interviewed indicated that two of the most important strengths an internal auditor can have is the ability to effectively relate to people in one-on-one meetings and to turn interviews into conversations rather than interrogations.
Technology skills will remain critical, and should continue to evolve, but they must be balanced by the human side of the equation. Important attributes include strengthening strategic thinking as well as creative thinking, agility, flexibility, and empathy. This will also be particularly important as changes from AI and other emerging technology give organisations access to data that they might not have either had access to before or been able to collate manually. If there is no one able to interpret this data, turn it into information, and view it through a risk and assurance lens, it will remain unused in the real world. PwC’s UK Internal Audit Leader, Justin Martin, likens this to a conductor in an orchestra: “They have to understand the audience, musicians, and instruments, and how they work together to create the music. The difference might be that AI increases the complexity of the instruments and speed the music is played”.
Just 45% of executives are very confident that IA has the talent and skills the function will need in the next three to five years. They rank the lack of IA resources, skills, and expertise to cover key risk areas as the top barrier that could prevent IA from achieving the outcomes the organisation wants.
The stakes are high. Turnover and re-skilling remain challenges; PwC’s 2023 Global Workforce Hopes and Fears Survey of 54,000 workers indicates that despite recessionary worries and rising unemployment in some regions, 26% of employees are likely to change jobs in the next 12 months, and 58% of employees with specialist training believe the skills required to do their job will change significantly over the next five years.
The IA function at PT Bank Rakyat Indonesia Tbk has what it calls a cross-border program with the first and second line. IA personnel can move to an operational unit or business division and then return to IA after gaining greater business insight, and vice versa. Triswahju Herlina, CAE, notes that, "by utilising various backgrounds and points of view, IA is able to provide broader, and more valuable, insights to stakeholders as a strategic business partner."
Whether sourcing from inside or outside of the organisation, most IA leaders would agree that finding and retaining talent is challenging. That is why Marie-Pauline Lauret, Chief Risk Assurance Officer, Philip Morris International, believes the only way to attract talent is to have an appealing proposal—a state of the art vision and function—and show staff and recruits they are contributing to shaping the future. “Talented and engaged people want to make an impact, so if you have an attractive proposition you will get them on board,” she says. “Sustainability, for example, is just becoming integrated fully into risk functions, and Philip Morris IA is building a five-year program, thinking far ahead to be able to work on the right ESG topics to build preparedness for the future. I'm sharing our vision around embedding ESG risks into ERM, and making talent part of the process is helping to generate excitement and attract people to be part of it.”
“Sometimes to be better auditors, we need to stop thinking like auditors.”Suguru Watanabe,Internal Audit Director, Olympus
Conduct a current and future state skills assessment. Determine how auditor capabilities can be aligned to support the organisation’s future vision and strategy, and risk profile.
Create an upskilling and sourcing strategy. Consider including guest auditor, leadership development, and rotation and secondment (internal and external) programs, to create diversity and new thinking. Consider co-developing this strategy with the second line.
Plan for succession and transition of key talent. Use this as a way of setting development paths and promoting different types of skills and experience in line with the IA, talent, and business strategies.
Create learning pathways for different roles and ensure there is sufficient recognition and incentives for individual upskilling, and celebrate accomplishments among the team. Tap into the organisation’s training programmes around leadership and soft-skills.
Identify individuals in the first and second line who demonstrate the right mindset and have the right skills to augment those of IA on particular topics. Obtain support from business leaders for rotational programs. The quid pro quo is teams will benefit from new perspectives and experiences. This can also be an effective way of disseminating better risk awareness across the organisation.
In 2019, PwC’s Internal Audit State of the Profession Study focused heavily on IA data and technology, and PwC has subsequently seen a lot of activity in this area; however, the RoI has not been realised. Just over 20% of IA functions have achieved the desired benefits from their technology and data investments over the last twelve months.
IA’s greatest use of technology and data has been for risk assessment activities, audit planning, and continuous monitoring. Some have made great strides in integrating data into IA processes, and are seeing the benefits. Conversely, nearly a third of IA leaders report they are not using data and technology to a great extent in any area, including scoping or testing activities in individual audits.
There could be multiple reasons why RoI is falling short, but these can include:
The advancement of AI is redefining what is possible for organisations, business functions and individuals. IA leaders have discussed the potential value of automation and AI for years, yet 52% of executives, inclusive of IA leaders, say that IA has not invested in AI and has no plans to do so in the next three years.
There could be various reasons for this. It could be fatigue from other technology investments, or it may be that IA leaders just don’t know how or where to get started. There are, however, risks to inaction, including becoming irrelevant as others move forward.
As organisations continue to change and adopt AI, IA needs to evolve in parallel. If IA doesn’t understand AI, how can it understand the many risks arising from it, or provide comfort over them? What would stop the business from trying to forge on ahead without the comfort IA provides or get this directly from generative AI itself? And, if so, what might be the consequences (seen or unseen)?
The time horizon will vary and depend on when, and how, each organisation adopts AI. At some point, budget and resource capacity will constrain IA from covering an expanding risk landscape, and technology will be needed to drive greater efficiency. Moreover, if IA waits too long to recruit knowledgeable talent, those individuals may become hard to find or attract in a more competitive market.
No one knows for sure where AI will lead, but many have an educated view, and IA needs to be at the forefront of that thinking. The resources available to IA functions vary significantly, but there is still an opportunity—or even a necessity—to make forward strides in embedding technology through all that IA does.
A financial services perspective: lots done, but more to do
As historical barriers such as older bespoke and inflexible systems improve, many IA functions are investing more to capitalise on new opportunities: 51% of financial service firms have invested in IA team member training and upskilling on data and technology in the past 12 months and 46% plan to do so in the next one-to-three years. Examples of measures some have taken include:
A financial markets infrastructure firm put its entire team, including the CAE, through data analytics training, with a focus on its benefits, the art of the possible, and practical tips to deliver quality insights.
An investment bank embarked on a generative AI pilot. By using Natural Language Processing and training a Large Language Model, the pilot aimed to replace a large amount of manual testing. Early indications are that it could save up to 8,000 hours annually.
A bank implemented an audit management system comprising a much more open platform than traditional systems. This enables the team to build digital assets that automatically source enterprise data directly into their system for continuous risk assessment and testing.
Technology is not the panacea. It can accelerate the availability of information, but human experience and judgement is needed to turn it into trusted insights. Generative AI is driving real opportunities for change, but a machine cannot (yet) identify the difference between right and wrong. “In a world where doing the right thing matters more and more, the human touch is critical,” says Steve Frizzell, PwC’s Global Financial Services IA Lead.
“At Elevance Health our ERM has crossover and collaboration with IA in identifying risks. We work collaboratively in identifying emerging risks, such as AI, and partner with our business owners to be ahead of the game. For example, in partnership with our Responsible AI function through an IA/ERM risk assessment, we identified opportunities to enhance and strengthen our governance and internal control structure associated with our use of AI. The company immediately responded and devoted more resources to our Responsible AI team to develop a robust program.”Troy Meyer,Chief Internal Audit & Enterprise Risk Management Officer, Elevance Health
Our study highlighted that Pioneers have invested in a larger number of capabilities and are more likely to have achieved multiple, tangible outcomes from these investments. For instance, Pioneers are 59% more likely to provide elevated insights, such as benchmarking and trend analysis. One IA function, for example, was an early adopter in building global data analytics capabilities and infrastructure. This includes a dedicated team focused on data, software tools, and its own ‘data marts’ (which were recently moved to the cloud to dramatically improve processing time). This has allowed internal and external key risk indicators to be used in risk assessment and audit planning activities, and help prioritise entities and audits.
These benefits can be compounded and multiplied. The more technology and data is woven into the fabric of IA, the more it can be connected end-to-end to increase efficiency and effectiveness. Only 6% of organisations, however, are using the full range of technology and data techniques outlined below to a great extent, so there is still plenty of latent potential to unlock.
Explore opportunities with other functions to co-invest in technology and leverage data sources and tools that may already exist (such as eGRC, analytics, workflow, and visualisation tools) or could be co-developed together. This can also involve sharing assurance techniques and automation, such as monitoring routines and analytics scripts.
Work with the business and second line to establish connections to ERP and other systems to facilitate the efficient and effective extraction of data into risk, compliance, and audit tools to support audits and monitoring.
Create a strategy to move towards more proactive continuous auditing and monitoring from discrete, point-in-time audits. This should include looking for opportunities to connect data across end-to-end processes to help provide broader and more strategic, company-wide insights.
Define the roadmap for how AI—and AI auditing—will be implemented. Find ways to collaborate with the broader organisation to upskill together and jointly consider associated risks.
When evaluating or implementing new technology, list the activities in IA and beyond that you will start, stop or continue. This is important so the real benefits can be considered.
PwC’s IA Maturity Continuum, introduced in prior IA studies provides a model to help IA and its stakeholders determine where they are in their maturity journey, and where they want to evolve, based on their mandate and vision. Our survey shows that whilst most organisations currently categorise their IA maturity as a ‘Problem Finder’ (12%), ‘Assurance Provider’ (23%) or ‘Problem Solver’ (30%), more and more organisations want IA to become a ‘trusted advisor’ in the next three years (35%). This would involve providing new and proactive advice on risks and initiatives that are strategic to the organisation, and being confident in using technology to help achieve this.
IA’s role in providing assurance and confidence is the common denominator at any level of maturity—this is fundamental. The differentiator between success and failure, value and irrelevance, comes down to how effectively IA can understand what its stakeholders want, shine a light on what they may not see or understand, and break down barriers to assemble and connect the right technology and capabilities across the organisation.
There is, however, no one-size-fits all approach. Pioneers rarely have a template. This means that each organisation needs to have clarity on where they are now, and where they want to be in the near, mid, and long term. The success of IA will depend on its ability to use its superpowers to listen, interpret, challenge, and knit together the views of different stakeholders.
Just as CEOs recognise the imperative to keep their strategy and business model viable, IA has the obligation to continually evolve and remain relevant.
When Pioneers look at risk and change, they see opportunity; when they look at complexity, they see a path forward that avoids hazards and gives the organisation confidence to speed up. Our survey affirms that high-performing IA functions are driving broader business outcomes and more value than ever before. Executives agree that stronger governance and risk awareness (42%), and more robust and efficient internal controls (with fewer failures) (39%), are outcomes that result from high-performing IA functions.
Pioneers are more likely than others to rank the following outcomes among their top three:
New strategic business opportunities, such as cost reduction or revenue generating initiatives.
Greater success in transformation programmes, such as digital and workforce transformation.
Greater resiliency and ability to predict or manage disruption.
These are outcomes that any organisation would value, but ones that can remain hidden behind walls if IA and the business are not willing to climb them together, look up, speak up, and see things differently.
Our benchmarking tool allows you to answer a subset of questions from this year’s survey and compare your responses against the global data.
We have Internal Audit teams globally who are ready to talk to you. Please contact those listed here or speak to your local PwC team.