The Future of Internal Audit: 5 Trends from the IIA International Conference
This July, Workiva’s governance, risk, and compliance (GRC) team was thrilled to join the IIA International Conference in Amsterdam as a diamond sponsor, where one topic was on everyone's minds: the future of internal audit.
Wondering what you missed? Here’s an in-depth rundown of the hottest internal audit trends covered during the event.
5 Emerging Changes in Internal Audit
The role of the internal auditor has been experiencing significant transformation on a global scale. While still seen as a police figure by some, they are now increasingly being recognized as a central business collaborators and value drivers.
This shift is down to both evolving perspectives and changing circumstances. Today’s leaders recognize that an accurate understanding of where their organization stands is more valuable than rigid rule enforcement. Meanwhile, the external landscape has completely transformed, calling for a more nuanced and tailored approach to business.
To understand where things are heading, let’s take a closer look at five key areas in flux and how they are impacting the profession.
Change #1: AI is introducing new risks and opportunities
For internal auditors around the world, the advent of artificial intelligence (AI) technology looms large—and for good reason. For some time now, technology has been in place to speed up, automate and ease the burden of internal audit. As AI tools become increasingly advanced, they will be able to provide valuable input into audit planning, testing and reporting, and auditors are likely to leverage these in tackling their most complex challenges.
“AI is expected to affect accountants and auditors significantly”.
Anthony Pugliese, IIA President
However, while new technology delivers crucial efficiencies to teams, its associated challenges require monitoring. One noted example is the emergence of new or morphed cybersecurity risks, alongside changing roles and team structures throughout the company.
What this means: Internal auditors need to place themselves at the forefront of technological developments
AI will reshape not only how internal audits are conducted but also what needs to be audited and when. By providing a clear view of how the evolving risks and opportunities of the landscape intersect with the rapidly changing requirements, goals and reality of their company, they can place themselves as a key advisor at the forefront of change.
While frameworks for auditing AI, such as the one published by the IIA, are essential for helping manage emerging risks, internal auditors must also consider the transformational opportunities new technology presents—not only to their organization but also to their position within it.
Change #2: Approaches to technology will define a company's success
According to the IIA's 2023 Pulse of Internal Audit report, cybersecurity and information security remain the top threat identified by internal audit leaders.
As new tools using AI and robotic process automation (RPA) emerge, organizations need to be aware of how they are being used by employees—both officially and unofficially—in order to stay ahead of potential risks.
However, while caution remains essential, an emerging risk has been identified: fear of technology.
As several 2023 IIA international speakers highlighted, new technology now presents such significant potential benefits to organizations that a tech-fearful attitude within leadership should be considered a risk. Increasingly, the tools a company adopts (or ignores) will be pivotal to its success—and, often, these decisions will be shaped by human emotion.
“If left unmonitored, emotional responses can turn into barriers to innovation and progress. We all need to ask ourselves: Am I a digital asset or a digital liability within my organization?”
Rohit Talwar, CEO of Fast Future
What this means: Internal auditors need to understand, monitor and track human relationships with technology
With technology now essential to an organization's growth, internal auditors need to help their company reap the benefits while also mitigating unwanted risks. This requires both an up-to-date knowledge of new tools that might affect the business and a clear understanding of how their organization currently relates to technology.
To truly understand a company’s relationship with technology, internal auditors should be able to answer the following questions:
- What level of risk is the organization willing to take on?
- How are individuals within the company already using new tools (both officially and unofficially) to speed up their tasks?
- On an emotional level, how does leadership feel about new technology?
- Which processes within the organization are ready to be automated, and which aren’t?
Change #3: Values and company culture are now recognized as material to growth
Once considered a ‘nice to have’, it is now widely accepted that organizations with a strong handle on their culture outperform their competitors.
The IIA defines company culture as “the invisible belief systems, values, norms and preferences of the individuals that form an organization”. Corporate teams, just like cities, towns and families, have their own distinct ways of thinking and acting. From an internal audit perspective, this has historically been viewed through the lens of enabling compliance and preventing fraud—but now, a broader range of factors need to be considered.
Today’s shareholders, customers and employees are all increasingly concerned with the ethics of the companies they engage with. From the environmental impact of the company’s activities to the core values it places ahead of making a profit and how its employees are treated, stakeholders are keen to know whether the image a company projects is upheld throughout the organization, with failure to uphold these values leading to material losses.
What this means: Internal auditors need to assess company culture
Internal auditors can help provide a detailed and realistic view of where a company’s external values and internal culture either align or diverge, identifying key areas of risk. Frameworks published by the IIA and the Institute of Business Ethics provide helpful guidance on how to internally audit company culture and ethics, but should be used in conjunction with the internal auditor’s understanding of their company.
As with approaches to technology, being able to provide context and practical insight into the daily reality of the company and its culture will become increasingly invaluable to business leaders.
Change #4: Disruption is now the norm
Another important change organizations have been facing is a considerable increase in external disruption. While the past three years might seem like an extreme example of this, global leaders agree that major disruptive events are likely to become more frequent and severe.
Here, internal audit teams can help their organizations stay prepared for challenges in the face of an unpredictable external landscape. By remaining informed of potential destabilizing factors and regularly assessing the organization’s level of preparedness, internal auditors can have a measurable impact on how their company fares in times of crisis.
What this means: Internal auditors need to help establish a “living plan” for times of crisis
While it may not be possible to predict every future scenario, internal auditors can help their company assess selected areas in the face of potential change and can provide insights on the organization's overall level of resilience.
“[Have a] living plan—not one that exists on paper, but one that actually works in practice”.
Kees Roks, Chief Audit Officer, Novartis
Maintaining an agile disruption plan with regular testing, training and consideration of new routes is the main lesson Novartis learnt from the COVID-19 pandemic. He also stresses the importance of dynamic materiality, which recognizes that the significance and risk levels of certain factors can fluctuate over time.
One way to do this is by viewing various aspects of the business through the lens of diversification. Taking a detailed look at supply chain routes, office and factory locations, talent pools, tools and resources, customer bases, industries and sectors and more, where is the company limited to a narrow range of options? Could more alternatives be considered?
Change #5: ESG and sustainability metrics are being monitored more closely than ever
Strong governance over ESG practices has been a hot topic of discussion among business leaders for some time now. While emerging legislations and frameworks are a major driver for change, strong ESG controls are increasingly becoming an investor expectation. Organizations are having to track far more material information than they once did. That information needs to be accurate, timely and verifiable—not only for reporting but also to make fundamental business decisions.
What this means: Internal audit needs to be brought into the process as early as possible
Companies gearing up to meet specific standards are being advised to immediately start establishing how they will get the data they need and how they plan to verify it. By setting up the right processes, tools and controls for their ESG metrics today, businesses enable themselves to gather the material, high-quality knowledge they will need to survive and thrive. Rather than being there to flag when things go wrong, internal audit should be involved as early as possible, leveraging their industry knowledge and understanding of the organization to help set them up for success.
How should internal auditors respond to these changes?
As the nature of the profession continues to transform, how can internal auditors ensure they stay ahead in their profession?
Tip 1: Continue building a relationship of trust within your organization
To truly understand the reality of their organization, internal auditors need to continue cultivating a bond of trust between themselves and their colleagues. Establishing a culture of openness and psychological safety will not only help in monitoring compliance, but in achieving a full and realistic picture of where the organization stands and where it's going. This will help you provide essential context to leadership by bringing accurate insights to data interpretation.
Tip 2: Stay informed of external developments
With emerging technologies, increasing levels of disruption and higher expectations surrounding ESG and company culture, internal auditors will need to take on a proactive role in the face of external changes. These might include geo-political risks, corporate regulations and shareholder attitudes and expectations. Staying informed about the wider landscape, what's around the corner and how it might affect your organization will help you stay ahead of both emerging risks and opportunities.
Tip 3: Get involved at decision-making stages
While maintaining a level of independence is important, internal auditors can be invaluable in helping design controls, make key business decisions and choose new tools. By combining their understanding of the external landscape with their on-the-ground knowledge of the company, they can provide invaluable guidance that will help shape the future of the organization.
As organizations are pushed to establish more stringent controls over their ESG reporting practices, now is the time for internal auditors to get involved at the early stages of the process, continue to build strong relationships throughout their company and secure their seat at the decision-making table.