By Weerapong Krisadawat
Special to the Nation
That means organisations are hurtling into an increasingly technology-driven, innovation-oriented, risky, and disruptive future. The question is now where is the internal audit? The answer is that, most of the time and despite ongoing efforts to meet stakeholders’ growing list of needs, it’s playing catch-up.
Until recently, the Internal Audit profession has not faced the need to innovate. Internal Audit 1.0 was born with the founding of the Institute of Internal Auditors (IIA) in 1941 while the Sarbanes Oxley Act of 2002 brought Internal Audit 2.0. Along the way, such developments as the COSO framework, improved capabilities such as IT internal audit and data analytics, and supplementary guidance have improved the profession following the global financial crisis.
However, as we approach the end of a decade of unsettling uncertainty, organisations face evolving strategic, reputational, operational, financial, regulatory, and cyber risks. There is also an urgent need for Internal Audit to innovate to the next level.
Internal Audit 3.0 is the next generation of Internal Audit, and is a function attuned to the challenges of emerging risks, technologies, innovation, and disruption as the organisation itself. Internal Audit must be a function fully able to assist in safeguarding processes and assets as management pursues new methods of creating and delivering value.
Based on Deloitte external quality assessments (EQAs) conducted for Internal Audit functions in a range of industries, in interviews with senior executives and audit committee chairs, and in numerous Deloitte research surveys with chief audit executives and heads of Internal Audit, the following constitute the triad of value that Internal Audit stakeholders now want and need.
• Assurance constitutes and remains the core role of Internal Audit. Yet the range of activities, issues, and risks to be assured should be far broader and more real-time than they have been in the past. Assurance on core processes and the truly greatest risks is essential but so is assurance around decision governance, the appropriateness of behaviors within the organisation, the effectiveness of the three lines of defense (LoD), and oversights of digital technologies. Assurance is central to Internal Audit’s role but must not be the limit.
• Advising management on control effectiveness, change initiatives, enhancements to risk management related to the three Lines of Defence and other matters – including business effectiveness and efficiency – falls well within Internal Audit’s role and stakeholders’ expectations. All sources confirm that a strong advisory role is key to maximising the value of Internal Audit.
• Anticipating risks and assisting the business in understanding risks, and in crafting preventative responses, transforms Internal Audit from being a predominantly backward-looking function that reports on what went wrong to a forward-looking function that prompts awareness of what could go wrong, and what to do about it, before it happens. Internal Audit becomes more proactive and, through its assurance and advisory roles, helps management intervene before risks materialise.
As the saying goes, “There are those who make things happen, those who watch things happen, and those who ask, ‘What happened?’” The stakes are too high, for both Internal Audit and the organisation, for Internal Audit to be in the latter group. Stakeholder needs have become clear enough for Internal Audit to engage in true transformation. With a vision – collaboratively developed, clearly articulated, and strongly supported – functions can upgrade to Internal Audit 3.0 providing stakeholders with its true worth. The future of Internal Audit has become clear, and the time to upgrade is now.
Weerapong Krisadawat is a Partner in Risk Advisory for Deloitte Thailand