Key findings: Agile Internal Audit functions exhibit Preparedness

State of the Internal Audit Profession Study, 2017


Agile IA Functions build the likelihood of disruption into planning and risk assessment

Agile IA Functions think ahead about potential disruptions and prepare accordingly.  They are enabled by a planning process that is forward-looking in identifying emerging disruptions and associated business needs, and by knowledge sharing inside and outside the organization.  They work with other lines of defense in a unified and integrated manner and make decisions mutually supported by others in the organization.  In comparing Agile IA Functions to others, the differences highlight actions internal audit can take to boost preparedness.

It’s impossible to identify all potential business disruptions, but one can be fairly certain that at least some disruption will occur during the course of each year.  Agile IA Functions plan for disruption to occur and create flexibility in their planning and resource allocation, which enables them to address disruptive events when they happen. In addition, nearly half (49%) have increased or shifted internal audit budget to enable greater participation in areas of business disruption compared to just 27% of less adaptive functions. 

Read our Case study: Preparedness in action


“For disruptive events, management wants a quick response but the deliberate nature of our work slows things down. We are looking to increase the consult vs. risk-based audit mix to give a more timely response. In operations’ minds it’s a 72-hour turnaround time, and we wouldn’t have our work planned in that amount of time.”

– Jen Conley, Chief Audit Executive,Intermountain Healthcare

Unify with Other lines of defense

Collaboration across the lines of defense has been discussed for some time and most internal audit functions are working toward that.  But, there is a difference between collaborating and being truly unified.  Internal audit functions that are unified work cross-functionally with the other lines of defense to address disruption as no one team can address the volume and pace of disruption alone.  This goes beyond knowledge sharing such as what’s in each function’s plan and what findings is each team discovering.

Invest in and elevate business and technical IQ

Agile IA functions know disruption when they see it. They have a command of their business strategies, risks, and the wider economic and competitive landscape. They have sufficient business acumen to identify when things are changing, and they can analyze the impact of those disruptive changes.

As just one example, a group of CAEs in one healthcare industry sub-sector maintains a network that gathers annually to discuss topics of common interest, including emerging and disruptive risks. They use this forum to invite subject matter specialists, audit committee members, and other expert speakers to lead discussions that help them better understand the external environment.

76% of Agile IA Functions cohesively partner with other risk management and compliance functions to address disruption (vs. 40% of peers)


Case Study: Preparedness in action

Global agribusiness and food company Bunge takes several steps to maintain its business and technical IQ. A rigorous training program is in place which originates from a competency self-assessment required for all team members. Key themes are incorporated into individual development plans and a global training week. Structured Centers of Excellence have been established to deepen the knowledge of business areas and technologies and to more effectively align with key stakeholders. As a talent development platform for the company, internal audit also heavily leverages guest auditor and rotational programs to complement the audit teams and raise overall business acumen; an average of 60% of audit projects utilize guest auditors.


Food for thought

  • Who owns risk in your organization?  Who shares risk? 
  • Is internal audit staying close enough to the business?
  • How has your collaboration with other compliance and risk functions improved the communications around risk matters or fundamentally changed internal audit’s approach to projects?
  • How well does your internal audit function understand disruption and the business dynamics?
  • Is internal audit engaged and at the forefront of what is happening in your industry?

“We have a triumvirate between risk, compliance and audit functions. For us to all do our jobs, our functions need to be joined at the hip, meeting every two weeks to catch up on everything going on. That keeps us focused and coordinates the plan so we minimize any overlap or underlap.”

– Doug Watt, Senior Vice President & Chief Audit Executive,Fannie Mae

Contact us

Jason Pett
Risk Assurance Leader, PwC US
Tel: +1 (410) 659 3380

Lauren Massey
Internal Audit, Compliance & Risk Management Solutions Principal, PwC US
Tel: +1 (813) 222 5455

Mark Kristall
Partner, Internal Audit, Compliance & Risk Management Solutions
Tel: +1 (617) 530 7592

Terrence Panfil
Director, Internal Audit, Compliance & Risk Management Solutions, PwC US
Tel: +1 (312) 298-2868

Follow us