Internal audit – beyond the crossroads

8 Jul 19

In an increasingly complex world, with all the business risk associated with it, internal audit needs to adapt – and quickly

“We cannot solve our problems with the same thinking we used to create them.” Albert Einstein

From small beginnings

It’s 9 December 1941, two days after the attack on Pearl Harbour. Twenty-four men (one might assume), all internal auditors, convene in New York City. The Institute of Internal Auditors is born. Exactly what triggered the meeting on that particular date is opaque and no doubt coincidental to the shock that brought the US formally in to the Second World War. More relevant was that John B Thurston, internal auditor for a utility company based in New York and who became the Institute’s first president, was agitating for internal audit to be recognised as distinct from, and not as an extension to, external audit. The need for that distinction continues to this day.

Internal audit has never been more needed than it is now. The scale and complexity of risks facing organisations is rising, with internal audit being well placed to influence better outcomes, combining deep business knowledge with objectivity. But with technology doubling in power each year, dramatically accelerating the pace and style of service delivery, as well as the way organisations are run, internal audit needs to change, and change quickly.

Risk just got riskier

A recent US study notes that “the magnitude and severity of risks affecting [their] organisations are greater in 2019 than in the prior year” 1, with boards perceiving a much riskier environment than their executive counterparts. Concerns that existing operations and legacy infrastructure may not be able to meet expectations, as well as those of competitors “born digital”, has leapt from 10th to top position. Other risks in the top five are: succession and retention challenges; heightened regulation and scrutiny; cyber security; and resistance to change. That’s the global picture, across different industries and sectors.

These risks chime with an analysis by the Government Internal Audit Agency (GIAA) of audit plans for the current year, with the notable addition of those arising from the supply chain in commercial arrangements and, perhaps inevitably, a lesser concern about regulation and scrutiny which is in the genes of government.

The same US study concludes that organisations need to realise “that the level of investment in risk thinking and their willingness to engage in robust risk management tools and dialogue is inadequate”. Internal audit has a vital role to play here, in helping organisations assess and modernise their risk management capabilities and processes, in looking ahead and anticipating new risks, and, of course, appraising the effectiveness of the measures put in place to manage them. Internal audit, with its unique combination of deep internal knowledge and professional objectivity, is a power to be harnessed. A report by the Chartered Institute of Internal Auditors UK and the Institute of Directors reminds audit committees and directors of internal audit’s ability “to speak with authority and objectivity about the entire business and the risks it faces”

The 21st-century organisation

We live in an era of exponential developments in technology and data processing – a post-digital age some argue – which is affecting how services are delivered, but is also rightly prompting some to reconsider how organisations are run. Management academics acknowledge that their research is based “on an understanding of organisations that dates back to the 1950s, 1960s and 1970s” 3. This sees control as coercive as opposed to enabling, with a focus on formal rather than informal control mechanisms, and where controls are singular not holistic.

All three forms of control, which I am sure we all recognise as still prevalent, not least in the public sector, are, the academics argue, “increasingly outdated for modern organisations as both organisations and the world has changed”. Prompted by the need to deliver products and services more quickly, with a preference by employees for greater empowerment, modern organisations are restructuring to be less hierarchical, more fluid, flatter, using technology to enable teams to stay aligned.

These shifts have significant implications for internal audit. The purpose, as expressed in the CIPFA’s Public Sector Internal Audit Standard, is “to improve the effectiveness of risk management, control and governance processes” and so “enhance and protect organisational value”. With organisations changing, along with the nature of control, to become less formal and more dynamic, that does not alter our core purpose but, rather, the way we achieve it.

Transforming internal audit

‘Whatever the organisational paradigm, delivering essential services at best value to the taxpayer will remain paramount in the public sector’

Whatever the organisational paradigm, delivering essential services at best value to the taxpayer will remain paramount in the public sector. That will continue to require effective risk management, controls and governance. It is the way they are exercised that will need to be adjusted to meet the pace of change today, with internal audit needing to transform alongside .

We in the internal audit function are exploring and planning for what that means, for the methods, technology and skills needed. That in turn has implications for professional training and the continuous development of our people.


‘The pace at which risks are changing requires more agile internal audit methods, that provide a real-time insight so swift adjustments can be made’

The pace at which risks are changingw requires more agile internal audit methods that provide a real-time insight so swift adjustments can be made by management.

Traditional methods, of taking time to negotiate terms of reference, conducting fieldwork over a number of weeks, preparing a well-crafted written report and agreeing written recommendations, no longer work if findings are to be relevant in dynamic environments.

Such environments require a model that sees internal auditors both integrated more into the fabric of the business – analysing and commenting in the moment – and working more closely as communities of practitioners, sharing learning and insights across organisational boundaries for the good of the profession. How results are presented also needs to be dynamic, enabling management to drill down into the details as needed.

These changes present real challenges for internal audit, in how we remain truly independent and objective, how we respect confidentiality, and how and when we record our assessments and recommendations. Critically, the three lines of defence risk becoming blurred, raising questions about how to maintain them in the modern world or, more significantly, whether the model itself needs rethinking.


Data analytics are already changing how we audit, enabling a swift analysis of whole populations rather than samples and automatically flagging anomalies in the application of controls. But what about artificial intelligence (AI) and robotics? What do they mean for internal audit, both in how to audit them and in harnessing them in audit practice?

Ben Hammersley, a “futurist”, warns that AI trains itself using existing data and so mirrors and even magnifies human bias. A critical role for internal audit, then, becomes auditing the culture and relationships in an organisation to understand those biases and the risks they present. Internal auditors in turn need to understand their own culture and biases, as the audit team of the future will undoubtedly include robots which have learned from existing audit data.

A further implication to our world, where data is king, is for internal audit to help organisations understand the data they hold and the risks they present. All organisations face exposure, either through accidental data loss or malicious intent by individuals, competitors or hostile nations – it may be blackmail or worse. Hammersley declares internal audit to be “the last bastion of self-defence”, with its role to protect the objective truth of an organisation, finding out what could be known about it, however unsavoury, before others do.


New methods and technologies call for new skills. The internal auditor of the future will work with robots and humans in their teams, challenging traditional management techniques. They will be agile and flexible, in where and how they work, and even more intellectually nimble given the faster pace and increased complexity of their environment. Analysis will be automated, focusing the human auditor on interpretation and communication. An understanding of culture, relationships and the psychology of change will come to the fore. And all internal auditors, as a minimum requirement, will be “tech savvy”.

But let’s not forget the core skills of today’s auditor – curiosity, an ability to create coherence from complexity, independence of mind, high ethical standards, influencing skills and the resilience needed to stand up to scrutiny and conflict. The need for these skills remains, creating a solid foundation from which our people can become the auditors of tomorrow.

External audit meets internal audit

I cannot close without mentioning external audit. Not least given the focus of this Perspectives. Internal audit cannot regard itself as immune from the recent and continued scrutiny of, and recommendations for, external audit. I shall leave others to debate whether internal audit will itself become regulated and comment on two elements only: lessons from the Kingman review of the Financial Reporting Council, and the current government-sponsored review by Sir Donald Brydon on the quality and effectiveness of audit .

Internal audit practices would do well to heed the recommendations of the Kingman Review, in particular: prioritising work on the basis of risk; acting in a forward-looking manner and anticipating as well as acting on emerging governance and audit risks; advancing innovation and quality improvements; promoting brevity and comprehensibility in reporting and being proportionate; and balancing the costs and benefits of recommended actions. I’d like to think we do these already, but there is always room for improvement and being reminded of their importance is helpful.

The perceived widening of the “audit expectations gap” – the difference between what users expect from an audit and the reality of what an audit is and what auditors’ responsibilities entail – is the catalyst for the Brydon review. Recent company failures have brought this in to sharp relief.

Such an expectations gap exists with internal audit too – we’re often judged by the things we miss, rather than what we spot and improve. I await the report with interest, eager to see what lessons may be applied to internal audit.

Some suggest that the improvements being sought in external audit, with calls for it to become more strategic and forward-looking, will reduce the role of internal audit or indeed erode it completely. By contrast, the role and significance of internal audit looks set to increase. The pace and complexity of modern organisations requires more real-time insight by those who are of the business, but remain professionally objective, and that’s internal audit. But to fulfil that role in a dynamic environment, internal audit needs to change – and change quickly.

New generation internal audit has the potential not only to anticipate risk, but in doing so to also influence policymaking and service provision. The boundaries for public sector internal audit lie somewhere between helping organisations do things right and ensuring they do the right things. But where exactly? I look forward to the debate.

  • Executive perspectives on risk 2019, Protiviti. Download the report at
  •  Harnessing the power of internal audit, Chartered Institute of Internal Auditors. Download the report at 3
  • Cardinal, L; Kreutzer, M; Miller, C (2017), “An inspirational view of organizational control research: re-invigorating empirical work to better meet the challenges of 21st century organizations”, Academy of Management Annals


Did you enjoy this article?


Perspectives: Public Audit latest