Is the Traditional Internal Audit Project Losing Relevance?
The traditional internal audit project, focused on backward-looking assurance, is becoming less relevant as organizations face new and emerging risks. Internal audit teams are increasingly engaging in advisory work, requiring a shift towards forward-looking assurance to help organizations navigate future challenges and opportunities. This article explores when to use traditional audits versus advisory projects and outlines a framework for different types of advisory services internal audit can provide.
The Evolving Role of Internal Audit
The landscape of internal audit is undergoing a significant transformation, moving away from solely traditional, backward-looking assurance projects. As organizations confront an accelerating pace of new and emerging risks, the demand for internal audit to provide forward-looking, proactive assurance and advisory services has intensified. This shift necessitates a re-evaluation of internal audit's project portfolio, emphasizing its role in helping organizations prepare for future success rather than just reviewing past performance.
Distinguishing Between Assurance and Advisory Projects
A critical challenge for internal audit professionals is discerning when a traditional audit project is appropriate versus when an advisory project would be more beneficial. Traditional audits are best suited for established processes managing known risks, leveraging internal audit's core principles of independence and objectivity. However, for new and emerging risks, management requests, or less formalized procedures, advisory projects offer a more agile and impactful approach. The article highlights that many internal audit teams are already dedicating significant time to consulting projects outside their traditional audit plans, underscoring the need for clear frameworks to define and articulate the value of these services.
A Framework for Advisory Engagements
The article proposes a simplified framework categorizing advisory projects into four buckets, providing guidance on when and how internal audit can engage:
- Emerging Risks Unknown by the Company: Internal audit can research and raise awareness of potential impacts (threats and opportunities) through memos and slide decks, requiring a lower, ongoing level of effort.
- Emerging Risks Known by the Company (but not yet managed): Internal audit can advise on establishing governance processes, documenting pilot programs, and monitoring their performance, akin to participating in enterprise-wide governance.
- Key Risks Beginning to Be Managed: This category offers a wide range of opportunities, including pre/post-implementation reviews, gap assessments, targeted assessments (e.g., risk, maturity), and quick-hit consulting for ad hoc requests. These projects often mirror traditional audit phases in terms of effort.
- Key Risks Managed on an Ongoing Basis: This is where the traditional, old-school audit project remains relevant, focusing on auditing existing processes.
By embracing a broader mix of traditional assurance and advisory services, internal audit leaders can enhance their stature within organizations, providing invaluable guidance on future-proofing strategies rather than solely identifying past shortcomings. This forward-looking perspective is crucial for internal audit to remain a key player in helping organizations navigate an uncertain future.
Read more