Inside Internal Controls

News and discussion on implementing risk management

Deloitte predicts change for Internal Audit

A new report from Deloitte has some interesting conclusions—plus predictable ones. 2016 Global Chief Audit Executive Survey: Internal Audit at a crossroads has some provocative content.

Deloitte says there is a choice to be made: “Evolution or irrelevance”.

They surveyed more than 1,200 CAEs from 29 countries and the majority voiced concern over the current state of internal auditing.

That is not surprising in itself; as I have previously reported, several surveys of executives and board members (such as from KPMG and PwC) have said the same thing, notably that internal audit was not consistently auditing the risks that matter.

But it is surprising that so many CAEs, who should be in a position to make the necessary change, echo the concern.

Some excerpts of note:

  • Our research found that CAEs have serious concerns. They know that their organizations are changing—that’s been the case for a while. They also know that Internal Audit needs to respond to meet the changing needs of their organizations.

Those organizations need Internal Audit to inform them about the future rather than only report on the past. They need insights as well as information, advice as well as assurance. They need reviews of not only financial and operational controls, but also of strategic planning and risk management processes. They need internal auditors to apply their rigor, objectivity, independence, and skills in new ways.

As the results of this survey indicate, Internal Audit will have to evolve in specific ways in order to meet these needs. The needed changes are clearer than ever. CAEs must now lead their functions to take the next critical steps. In addition, Internal Audit’s key stakeholders, notably the audit committee and the executive team, must support the function as it takes those steps.

  • The status quo is not an option when 85 percent of CAEs expect their organization to change moderately to significantly in the next three to five years, and nearly as many (79 percent) expect similar change in Internal Audit. The survey also found that most CAEs believe that management and the audit committee will expect Internal Audit to step up to meet new challenges.
  • Only 28 percent of CAEs believe that their functions have strong impact and influence within the organization. A disturbing 16 percent noted that Internal Audit has little to no impact and influence. Meanwhile, almost two–thirds believe that Internal Audit’s strength in these areas will be important in the coming years. This disconnect—between current and needed impact and influence—must be addressed, for the good of Internal Audit and the organization.
  • Dynamic reporting is poised to increase. Most Internal Audit groups communicate with stakeholders through static text documents and presentations. Use of text in particular is expected to decrease (from 78 percent to 58 percent) as dynamic visualization tools increase dramatically (from 7 percent to 35 percent). These dynamic visualization tools enable Internal Audit to deliver more insightful observations, interact with stakeholders, and deliver greater value.
  • Reviews of strategic planning and risk management will increase. While about one third of Internal Audit groups have evaluated their organization’s strategic planning process in the past three years, over half expect to do so in the next three to five years. A strong increase is also expected in the number of Internal Audit groups reviewing their risk management function.
  • To make changes in its approaches and activities, Internal Audit should embrace an innovative mindset, as well as actual innovations. However, the function is not known for aggressive innovation.
  • Perhaps Internal Audit should adopt the mantra of many companies—if you are not moving forward, you are moving backward, if only in relation to everyone who is moving forward.

If you have seen my posts for the last few years, you will expect me to agree with many of the points Deloitte makes in this publication.

I especially like the comments about (a) moving to a new model where internal audit communicates what stakeholders need to know, when they need to know—dynamically, taking advantage of today’s and tomorrow’s technology; (b) assessing and contributing to the improvement of risk management; and, (c) assessing the strategic planning process.

I believe that by auditing what matters to the board and executives, internal audit’s influence will soar.

However, I am more cautious about the use of analytics. I wholeheartedly encourage the use of mobile analytics by the entire audit staff, where the time spent obtaining insights into the underlying data is minimal. But, I fear the extensive investment some are making into analytics that are not molded to a dynamic audit approach where few audits are repeated and management is responsible, not internal audit, for risk monitoring.

I always used co–sourcing as CAE. Deloitte stresses this, as any good co–source provider would.

But, I believe there is a point here worth thinking about.

If, as I believe we should, internal audit will need to be very much more agile in the future (if not already), agility in resourcing will become more important.

We need to staff for the audits we perform, not perform audits based on the staff we have.

If our audits are ever–changing, and the skills and experience we need also change at speed, we may need fewer employees and more co–sourced staff. We still need a core with a deep understanding of the business and of the risks that will need to be addressed every year. But, if we expect to perform audits of many different risks each year, we may need to go to the co–source well much more often.

What do you think?

I recommend reading the entire Deloitte report.

Norman D. Marks, CPA, CRMA
Author, Evangelist and Mentor for Better Run Business
OCEG Fellow, Honorary Fellow of the Institute of Risk Management

Occasional Contributors

In addition to our regular guest bloggers, Inside Internal Controls blog published by First Reference, provides occasional guest post opportunities from various subject matter experts on the topics of risk management and best practices in finance and accounting, information technology, environmental issues, corporate governance, sales/marketing and operations, not-for-profits and business related issues in Canada.