Elevating internal audit’s role: The digitally fit function

2019 State of the Internal Audit Profession Study

Six habits fueling smarter risk taking in digital transformation

Our 2019 Global Risk, Internal Audit and Compliance Survey of 2,000 executives (half in risk functions) shows that, as organizations move through digital transformation, internal audit functions that are more digitally fit are more effective at helping their stakeholders make better decisions and take smarter risks.

The stakes from digital initiatives are high, in opportunities gained and threats missed from both new technologies and the heightened risks they bring. Now is the time to shift from discussion to action. An internal audit function’s digital fitness must match that of its organization. If not, gaps across the lines of defense will widen, and more points of entry for risk will appear.

In our survey, we analyzed the digital fitness of internal audit functions by looking at five important fitness dimensions: Vision and roadmap, Ways of working, Operations, Services model and Stakeholder engagement.

We identified six habits that lead to more-digitally-fit risk functions. As organizations go through digital transformations, these habits help drive effective internal audit and overall risk management performance. Three of these habits in particular give internal audit more dexterity to move all six habits forward. Our lessons from the most digitally fit group, the Dynamics, guide internal audit functions towards what they must do to advance:

Upskill and inject new talent to move at the speed of the organization

Creatively source talent to build the function’s digital skills, and invest to protect the talent you have.

As organizations become more digital, internal audit’s digital acumen and skills must improve. A deeper understanding of data is also critical because it is at the center of all things digital. Below are ways Dynamic internal audit functions find skills they need:

Cast a wider talent net. Not all auditors need to be robotic-process-automation (RPA) experts or data scientists. But they do need to understand data sources to assess data quality, to test whether an algorithm is performing as planned, and to know what insights can be drawn from data.

Add skills to audit emerging technologies. Dynamics are ready to audit cloud technologies, automation of business processes, and the Internet of Things, and their skills to do this more broadly are growing. They foresee a future when they’re equipped to audit technologies not used by their organizations today.

Invest in the team’s technology skills. To increase internal audit’s level of digital knowledge, Dynamics are working with their organizations on digital initiatives, partnering with risk and compliance functions on training investments, and building upskilling programs of their own.

But internal audit also needs more deep-subject-matter specialists. So Dynamics are identifying current employees with the aptitude and adjacent skills to become experts. Auditors with business acumen and demonstrated mathematics or data skills, or with backgrounds in science, math, statistics, economics, and certain other fields that build critical thinking, are learning data science.


Dynamics are preparing to audit emerging technologies
My internal audit function is fully staffed and capable of auditing or in the past 12 months has audited an area that uses this technology.

Q. Which of the following best describes your current preparedness to audit each of the following new technologies?
Base: 98 Dynamics; 140 Actives; 271 Beginners

Find the right fit for emerging technologies

Audit and advise on emerging technologies, and use them to streamline the function

Dynamics are thinking about how technology can help them do things differently, not just improve processes. Consider the many internal audit functions that have adopted analytics, primarily for audit planning and execution. Far less often do they reimagine how the full audit approach could change through analytics, for everything from redesigning risk assessments to be data driven, to leveraging analytics to continuously monitor controls, to conducting full population testing and delivering stakeholders more insights through real-time dashboards and reporting. Here are a few ways Dynamics find the right fit:

Understand the primary role: advisor or assurance provider? Dynamics recognize the importance of early involvement in their organization’s new technology use, to provide risk and governance input, even with a limited understanding of a technology. Then, as new technologies become pervasive at their organization, they serve as both consultant and assurance provider.  

For technologies like augmented and virtual reality and 3-D printing, Dynamics more often see themselves as risk consultants, helping the business understand risks from the use of a technology and its associated data, or as governance assurance providers performing audit or advisory activities to ensure appropriate technology governance. For more mature technologies like the cloud, the majority call themselves risk-and-controls-assurance providers.

Use emerging technologies in internal audit’s work. Many internal audit functions struggle to find the right fit for emerging technologies in their function. More than half of internal audit respondents are either unsure of or do not plan to use AI within the next two years. Surprisingly, nearly as many do not plan to use RPA or do not know how they would use it. But not Dynamics: 37% use RPA currently, and another 45% plan to do so within two years.

As for automation, executives we spoke to pointed to Sarbanes–Oxley compliance as a logical starting point. Consider one company’s overwhelmingly manual testing of the removal of system access rights. This required using a lookup function from three different data sources for each IT application, a 100-hour task for just 20 tested instances of the control. With RPA, a bot was built in 40 hours. It performs previously manual processes in just seven hours. By automating many stages of the test except human review, testing hours fell sharply, while coverage expanded from a sample basis to full populations for greater assurance.


Artificial Intelligence for such tasks as full population testing, controls or risk modeling

Q. Which of the following best describes your internal audit function's use of each of these technologies?
Base: 98 Dynamics, 140 Actives, 271 Beginners


Robotic process automation for monitoring or routine tasks such as data retrieval and audit testing

Q. Which of the following best describes your internal audit function's use of each of these technologies?
Base: 98 Dynamics, 140 Actives, 271 Beginners

Enable the organization to act on risks in real time

Build new methods and services to deliver assurance at the speed the organization requires

Annual audit plans and risk assessments are antiquated. More-frequent and fluid cycles are needed today. The vast majority of internal audit functions now revisit risk assessments and audit plans more frequently than they used to. As organizations increasingly move to agile methodologies, internal audit functions are doing the same: planning, testing, and validating in sprint cycles. They don’t wait to submit audit opinions after projects finish. Below are ways Dynamics help their organizations act on risks in real time:

Use data in new ways. More-frequent cycles help internal audit functions contribute in more-real-time and flexible ways. Dynamics are investing in data, analytics, and technology to correlate data differently, to tie more closely to the organization’s strategic risks, and to work more cohesively with other lines of defense in the management and monitoring of risks.

Such alignment will help internal audit sharpen its focus on pressing assurance activities—particularly those linked to digital initiatives. Shared governance, risk, and compliance platforms, analytics tools and data lakes help in this regard because they provide current, common and accurate data. Rethinking risk assessments in light of risk velocity, and continually re-evaluating and adjusting risk profiles helps internal audit functions better prioritize risks and keep pace with digital initiatives.


Dynamics are using data and technology to develop more-powerful insights
My function…

Q. Is your internal audit function doing or planning to do the following service-related activities based on the availability of digital technologies? (Top row; Responses are ‘Doing now’)
Q. Please rate your level of agreement with the following statements about your internal audit function. (Bottom two rows; Responses are ‘Agree’ or ‘Strongly agree’)
Base: 98 Dynamics; 140 Actives; 271 Beginners


Contact us

Jason Pett

Risk Assurance Leader, PwC US

Tel: +1 (410) 659 3380

Andrew McPherson

Global Governance Risk Compliance (GRC) and Internal Audit Leader, PwC Australia

Tel: +61 2 8266 3275

Mike Maali

Internal Audit, Compliance & Risk Management Solutions Leader, PwC US

Tel: +1 (312) 298 2462

Verne Klunzinger

Internal Audit, Compliance & Risk Management Solutions Partner, PwC US

Tel: +1 (216) 875 3172

Lauren Massey

Internal Audit, Compliance & Risk Management Solutions Principal, PwC US

Tel: +1 (813) 222 5455
