The business environment has changed and continues to do so, affecting every organisation, in every market, to one degree or another. As the risk landscape expands – and with it the complexity of doing business – challenges arise and new opportunities are being created. It is essential for organisations to be ready to respond, but it’s by no means easy. 

Boards and senior management are being placed under unprecedented pressure to stay on top of current and emerging risks and internal audit’s mandate now extends beyond processes, financial systems and regulation. Stakeholders expect internal audit to ‘look deeper and see further’, acting as a lever for change and supporting an organisation’s strategic agenda. The time has come for internal audit to be bold, courageous and innovative in order to capitalise on the growing need to provide strategic insight.

The first step is an effective internal audit plan designed to meet the rising expectations of the internal audit function’s stakeholders. In this article we draw upon some of our previous thought leadership and explore four key considerations which allow internal audit to deliver the greatest value through the planning cycle.

A holistic view of risk

The risk assessment process is not only a requirement to meet IIA standards, but also a foundation to how internal audit develops a plan aligned to the strategic objectives and risks of its organisation. 

In our 2016 publication ‘Rising to the challenge - Keeping pace with stakeholder expectations’ we discuss internal audit’s journey from assurance provider to trusted adviser and explore the concept of being ‘risk focused’ as one of the eight attributes of internal audit excellence.  An internal audit function operating as an assurance provider will evaluate the enterprise risk management function, adapt the internal audit plan to focus on management’s response to risks and then refine the plan to focus on the residual risk.

Trusted advisers, on the other hand, are forward-looking and take a holistic view of risk that considers internal, external, short term and emerging risk factors. They have a thorough understanding of the organisation’s risk culture, risk appetite, and regulatory and legal requirements. They invest the appropriate amount of time in performing a dynamic risk assessment that encompasses top-down, strategic perspectives focused on identifying the most critical risks facing the organisation today and in the future.

This strategic top-down risk focus is often calibrated with a bottom-up approach centred on where risks are manifesting themselves in the organisation today. For certain areas, such as IT risks, a second-tier, more specific risk assessment is performed, leveraging subject matter experts to pinpoint where these risks may materialise.

Build the inevitability of disruption into planning

Disruptions are significant, quickly developing, and potentially unplanned or unanticipated events that create risk and potential opportunity, demanding the attention and resources of the business. Disruptions are no longer episodic; in fact, they are constant, ranging from disruptive innovation that creates a new market, to economic volatility, regulatory changes or even a catastrophic event. This fast-changing, unpredictable environment necessitates that businesses anticipate and react to all kinds of change to survive and thrive. 

It’s impossible to identify all potential business disruptions, but one can be fairly certain that at least some will occur during the course of each year. In our 2017 State of the Internal Audit profession study, half of the functions described as agile have increased or shifted internal audit budget to enable greater participation in areas of business disruption, compared to just 27% of less agile functions.

Agile internal audit functions look ahead for potential disruptions and prepare accordingly. They are enabled by a planning process that is forward-looking in identifying emerging disruptions and associated business needs and create flexibility in their planning and resource allocation so they can address disruptive events when they happen. In anticipation of business changes and disruption, the risk assessment is also refreshed at regular intervals to keep the audit plan focused on the most critical and value added areas.

‘Our success is not measured on whether we complete our audit plan. It’s important to have the ability to be nimble and have the freedom to say “This is more important than the audit plan”.’

Chief Audit Executive, interviewed for 2017 State of the Internal Audit profession study

Meaningful collaboration with other lines of defence

Coordination across the lines of defence has been discussed for some time and most internal audit functions are working towards that. But, there is a difference between coordination and true collaboration. Internal audit functions that are well-linked work cross-functionally with the other lines of defence in a unified and integrated manner to address both strategic and operational risks in the face of disruption. No one team can address the volume and pace of these factors alone. Their collaboration goes well beyond sharing what is in each function’s plan and what findings each team is discovering. 

Collaborative lines of defence have a clearly defined corporate risk appetite, leverage a common risk assessment approach, have a common risk language across the business and a framework for clear risk aggregation and communication. As a result, their organisations derive significant value from the combined effort of the lines of defence.

Leverage data analytics

Increased focus on risk, compliance and transparency has required internal audit to develop a deeper understanding of the organisation. They must evaluate a wealth of information to identify patterns, trends, anomalous behaviour, and ultimately find ways to enhance the internal audit value proposition for stakeholders. It has become common practice to leverage data analytics during the fieldwork stage of the audit, but by embedding independent and meaningful data analytics into the planning cycle, internal audit can not only ensure that the right areas are audited, but enhance coverage, efficiency and effectiveness of the plan. Key areas to consider when leveraging data during planning include: 

  • What sources of data analytics and business intelligence already exist? – this could include internal risk reporting and MI or third party benchmarks and data sources.
  • What groups within the organisation could internal audit partner with to capture and evaluate this data?
  • What historical trends do the data show that provide insight into business risks? – ie compliance failure across the group or performance variances within specific locations or operating segments.

In conclusion, our research has found that incremental changes being made by internal audit leaders are not being implemented quickly enough to keep pace with business change. There is a very real risk that if disruptions are taking internal audit off course – or internal audit is failing to address disruption related risks – the function will likely fall behind as the business charges ahead.

In an environment of increasing stakeholder expectations, it is imperative that internal audit is prepared to adapt, and truly embedding this agility within the function starts with enhancing the planning cycle.

Susan King, PwC Internal Audit