Elevating internal audit’s role: The digitally fit function

2019 State of the Internal Audit Profession Study

Six habits fueling smarter risk taking in digital transformation

Our 2019 Global Risk, Internal Audit and Compliance Survey of 2,000 executives (half in risk functions) shows that as organizations move through digital transformation, internal audit functions that are more digitally fit more effectively help their stakeholders make better decisions and take smarter risks.

The stakes for digital initiatives are high, in opportunities gained and threats missed from both new technologies and the heightened risks they bring. Now is the time to shift from discussion to action. An internal audit function’s digital fitness must match that of its organization. If not, gaps across the lines of defense will widen, and more points of entry for risk will appear.

In our survey, we analyzed the digital fitness of internal audit functions by looking at five important fitness dimensions: vision and roadmap, ways of working, operations, services model and stakeholder engagement.

We identified six habits that lead to more digitally fit risk functions (listed below). As organizations go through digital transformations, these habits help drive effective internal audit and overall risk management performance. Three of these habits in particular (shown in bold and discussed in detail further down) audit more dexterity to move all six habits forward. Our lessons from the most digitally fit group, the Dynamics, guide internal audit functions towards what they must do to:

2. Enable the organization to act on risks in real time

4. Actively engage decision makers of key digital initiatives

6. Collaborate and align with other teams to provide a consolidated view of risks

Upskill and inject new talent to move at the speed of the organization

Creatively source talent to build the function’s digital skills, and invest to protect the talent you have.

As organizations become more digital, internal audit’s digital acumen and skills must improve. A deeper understanding of data is also critical because it is at the center of all things digital. Below are ways Dynamic internal audit functions find skills they need:

Cast a wider talent net. Not all auditors need to be robotic-process-automation (RPA) experts or data scientists. But they do need to understand data sources to assess data quality, to test whether an algorithm is performing as planned and to know what insights can be drawn from data.

Add skills to audit emerging technologies. Dynamics are ready to audit cloud technologies, automation of business processes and the internet of things—and their skills to do this more broadly are growing. They foresee a future in which they’re equipped to audit technologies not used by their organizations today.

Invest in the team’s technology skills. To increase internal audit’s level of digital knowledge, Dynamics are working with their organizations on digital initiatives, partnering with risk and compliance functions on training investments and building upskilling programs of their own.

But internal audit also needs more deep subject matter specialists. So Dynamics are identifying current employees with the aptitude and adjacent skills to become experts. Auditors with business acumen and demonstrated mathematics or data skills, or with backgrounds in science, math, statistics, economics and certain other fields that build critical thinking are now learning data science.

Dynamics are preparing to audit emerging technologies
My internal audit function is fully staffed and capable of auditing or in the past 12 months has audited an area that uses this technology.

Q. Which of the following best describes your current preparedness to audit each of the following new technologies?
Base: 98 Dynamics; 140 Actives; 271 Beginners

Find the right fit for emerging technologies

Audit and advise on emerging technologies, and use them to streamline the function

Dynamics are thinking about how technology can help them do things differently—not just improve processes. Consider the many internal audit functions that have adopted analytics, primarily for audit planning and execution. But, unlike Dynamics, what these groups are less likely to do is reimagine how the full audit approach could change through analytics, for everything from redesigning risk assessments to become data driven, to leveraging analytics to continuously monitor controls, to conducting full population testing and delivering stakeholders more insights through real-time dashboards and reporting. Here are a few ways Dynamics find the right fit:

Understand the primary role: advisor or assurance provider? Dynamics recognize the importance of early involvement in their organization’s new technology use, to provide risk and governance input, even with limited understanding of a technology. Then, as new technologies become pervasive at their organization, they serve as both consultant and assurance provider.

For technologies like augmented and virtual reality and 3D printing, Dynamics more often see themselves as risk consultants, helping the business understand risks from the use of a technology and its associated data, or as governance assurance providers performing audit or advisory activities to ensure appropriate technology governance. For more mature technologies like the cloud, the majority call themselves risk-and-controls-assurance providers.

Use emerging technologies in internal audit’s work. Many internal audit functions struggle to find the right fit for emerging technologies in their own work. More than half of internal audit respondents are either unsure of or do not plan to use AI within the next two years. Surprisingly, nearly as many do not plan to use RPA or do not know how they would use it. But not Dynamics: 37% use RPA currently, and another 45% plan to do so within two years.

As for automation, executives we spoke to pointed to Sarbanes–Oxley compliance as a logical starting point. Consider one company’s overwhelmingly manual testing of the removal of system access rights. This required using a lookup function from three different data sources for each IT application—a 100-hour task for just 20 tested instances of the control. With RPA, a bot was built in 40 hours. It performs previously manual processes in just seven hours. By automating many stages of the test except human review, testing hours fell sharply, while coverage expanded from a sample basis to full populations for greater assurance.

Artificial Intelligence for such tasks as full population testing, controls or risk modeling

Q. Which of the following best describes your internal audit function's use of each of these technologies?
Base: 98 Dynamics, 140 Actives, 271 Beginners

Robotic process automation for monitoring or routine tasks such as data retrieval and audit testing

Q. Which of the following best describes your internal audit function's use of each of these technologies?
Base: 98 Dynamics, 140 Actives, 271 Beginners

Enable the organization to act on risks in real time

Build new methods and services to deliver assurance at the speed the organization requires

Annual audit plans and risk assessments are antiquated. More frequent and fluid cycles are needed. The vast majority of internal audit functions now revisit risk assessments and audit plans more frequently than they used to. As organizations increasingly move to agile methodologies, internal audit functions are doing the same: planning, testing and validating in sprint cycles. They don’t wait to submit audit opinions after projects finish. Below are ways Dynamics help their organizations act on risks in real time:

Use data in new ways. More frequent cycles help internal audit functions contribute more flexibly and in real time. Dynamics are investing in data, analytics and technology to correlate data differently, to tie more closely to the organization’s strategic risks and to work more cohesively with other lines of defense in the management and monitoring of risks.

Such alignment will help internal audit sharpen its focus on pressing assurance activities—particularly those linked to digital initiatives. Shared governance, risk and compliance platforms, analytics tools and data lakes help in this regard because they provide current, common and accurate data. Rethinking risk assessments in light of risk velocity, and continually re-evaluating and adjusting risk profiles helps internal audit functions better prioritize risks and keep pace with digital initiatives.

Dynamics are using data and technology to develop more-powerful insights
My function…

Q. Is your internal audit function doing or planning to do the following service-related activities based on the availability of digital technologies? (Top row; Responses are ‘Doing now’)
Q. Please rate your level of agreement with the following statements about your internal audit function. (Bottom two rows; Responses are ‘Agree’ or ‘Strongly agree’)
Base: 98 Dynamics; 140 Actives; 271 Beginners

Contact us

John Sabatini

Clients and Markets Leader, Cyber, Risk & Regulatory, PwC US

Andrew McPherson

Global Risk Markets Leader, PwC Australia

Tel: +61 2 8266 3275

Mike Maali

Partner, Cyber, Risk and Regulatory, PwC US

Verne Klunzinger

Partner, Risk and Regulatory, PwC US

Lauren Massey

Principal, Cyber, Risk and Regulatory, PwC US
