The time to transform internal audit is now

Every internal audit function can move forward in the transformation journey

Some may go all in with a full transformation, while others may adopt a more iterative approach depending on industry regulations, the complexity and needs of the business and how quickly the larger enterprise is changing.

In all cases, transformation takes time and should be guided by a formal transformation plan and road map that provides direction, purpose and key tangible building blocks.

The bottom line: For the internal audit function, avoiding change is not an option. Transforming itself is not only what the business needs, it’s crucial to the function’s contribution to the enterprise, not to mention its continuing relevance to the business.

There are 5.9 million businesses in corporate America employing 127 million people. Estimates predict 40% of jobs could be affected by automation in the next 10 years. The balance of jobs will significantly change in nature, requiring new skill sets.

The time to transform internal audit is now. Avoiding change is no longer an option Download PDF

As technology takes a front seat, here’s what’s happening in the business ecosystem:

Customers and shareholders are just as focused on trust, integrity and privacy as they have been on quality, relationships and price
Regulators and standard setters are moving into previously unknown territory, such as privacy and operational resiliency, to uncover new risky behaviors that may impact customers

Communities and advocacy groups are both stakeholders and watchdogs, identifying potential issues before they are known to the business
Channel partners are an integrally connected extension of the business
Employees are embracing the opportunities provided by technology

All these changes have a central impact on risks and present new opportunities to innovate and fundamentally change the way internal audit operates at an organization.

Imagine a world in which internal audit and other risk management functions stop using traditional approaches to audit or monitor a business area. Taking a sample-sized approach is a thing of the past. Instead, internal auditors leverage data and digital capabilities to smartly audit process areas, uncovering trends and patterns that previously would have been impossible to find. Imagine that Internal Audit can effectively answer business’s question, “Can you tell me something I don’t know?”

When nothing in the internal or external environment is status quo, isn't it time to think differently about Internal Audit?

Real ways internal audit teams are transforming now:

One team can detect anomalies and correlations that wouldn’t otherwise be detected by using unsupervised learning (AI)
Another identifies high-risk transactions with channel partners in real time to define the scope and approach of audits
A third is so in-sync with business strategy that it has shifted 40% of its audit plan, at a moment’s notice, in order to focus on strategic issues of a new service launch
Another internal audit team has created risk indicators and data analysis tools now used by other lines of defense for continuous monitoring of controls
Another hosts digital upskilling sessions to ensure teams can adjust to the changing technology and risk landscape

With powerful data and technology in hand, internal audit can understand a greater array of business risks and provide assurance that those risks are managed and mastered. A transformed internal audit function has the ability to:

Identify blind spots, previously humanly impossible

Collaborate with other lines of defense to create a consolidated view of risks and use a common risk language

Provide greater coverage without increasing audit resources

Conduct audits with surgical precision

Uncover human behavioral patterns through machine learning and regression

Influence the strengthening of first- and second-line defenses through digital collaboration and continuous monitoring

Explore further

What does a transformed internal audit function look like?
How does a transformed internal audit function work with other lines of defense?
How to get started?
What does the NextGen internal auditor look like?

What does a transformed internal audit function look like?

Every stage of the internal audit lifecycle is impacted. The internal audit is evolving both operationally and strategically, by:

Moving away from point in time assessments and toward continuous risk sensing using external and internal data for risk identification and monitoring
Building a more flexible operating model with intentional and continuous collaboration across risk functions and leverage across the three lines of defense
Shifting from a one-size-fits-all approach to expand the audit spectrum—diversifying the nature of audit activities, including issues-based reviews, audit insight workshops and more
Changing execution from traditional sample and controls to higher precision audits that leverage technology such as neural networks and AI to test 100% of the populations
Using data and behavioral science to identify underlying behavioral patterns and root causes and uncovering the blind spots

How does a transformed internal audit function work with other lines of defense?

The internal audit’s stakeholder group has expanded and expectations are heightened. Change is fast and risks are complex and interconnected. As it transforms, Internal Audit can collaborate with first and second line functions in data-driven ways not previously possible—and, in doing so, reduce the likelihood of blind spots or significant issues materializing.

The three lines of defense can identify common sources of data and synergize data retrieval and analysis, so that each group is working efficiently and developing insights from a common foundation. And internal audit teams can share and other tools that can become real-time monitoring capabilities for the first and second line of defense. There are many opportunities. With an eye toward the broader risk capabilities of the organization, the internal audit can be a catalyst for bringing a greater level of insight and more effective assurance to the management team.

How to get started?

Internal audit teams have an opportunity to re-envision the impact they can make for the organization and reframe the approach they take to add value and keep pace with business change. Some areas to consider before starting your journey:

Assemble a strong team ready and excited get started
Discover new capabilities and ideas for the internal audit to drive value like never before
Pick the ideas that would drive immediate impact with limited or no additional budget
Explore alternative models for sourcing talent and technology and run some pilots
Socialize and celebrate your successes. Every small win builds momentum!
Develop a roadmap for a people-led, data-driven transformation

What does the NextGen internal auditor look like?

Digital upskilling is at the heart of Internal Audit’s transformation. It’s a new world that requires internal audit acumen, digital and data acumen as well as business acumen. Internal audit teams need people who can use technology effectively and who have the knowledge to audit business operations that use new technologies. Not all auditors need to be data scientists, but they do need to understand data sources to assess data quality and to know what insights can be drawn from data. Teams also need a high degree of business acumen to facilitate better conversations with business leaders and help identify where risks lie.

Digital upskilling is a journey in which no one has to be left behind. But it might require a different approach than traditional training. Start the shift to tech adoption, mass automation and a culture of innovation through a new way of learning:

Launch online learning assets that go deeper on skill needs
Reward learners with badges or certifications to get everyone excited
Build digital black belts on the critical skills you need
Create an environment and process for the best ideas to prevail
Push curiosity on a next round of topics
Always continue to advance and accelerate

Today’s workforce wants to stay relevant. Answer that need.

Contact us

Mike Maali

Partner, Cyber, Risk and Regulatory, PwC US

Lauren Massey

Principal, Cyber, Risk and Regulatory, PwC US

Dhiraj Malhotra

Principal, Risk and Regulatory, PwC US

Audit and Assurance services Consulting Tax services Newsroom Alumni US offices Contact us

© 2017 - 2025 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.