As a change-agent, internal audit has a lot going for it, but many internal audit functions need to upgrade their skills.
Written by Terry Hatherell, Deloitte global internal audit leader
INTERNAL AUDIT plays a critical role in the corporate governance of an organisation. Strong impact and influence creates real value and helps ensure internal audit not only provides the independent assurance demanded by stakeholders, but also helps their organisations prepare for the future.
But surprisingly, in Deloitte’s recently-released global survey of over 1,200 chief audit executives (CAEs), internal audit was found to not yet have the extent of impact and influence desired―or required. They also highlighted two key factors needed to strengthen impact and influence: an improved skill base and a greater use of analytics within internal audit activities.
As detailed in Deloitte’s new report “Evolution or irrelevance? Internal Audit at a crossroads,” only 28% of survey respondents believe their internal audit functions have strong impact and influence in their organisations, and 16% feel their functions have little to no impact and influence.
This and many other report findings point to a need for internal audit to change, or be changed. As a change-agent, internal audit has a lot going for it: independence, objectivity, integrity, an enterprise-wide vantage point and direct lines to management and the board.
But many internal audit functions need to upgrade their skills. More than half of CAEs—57%—were not satisfied their teams have the skills needed to be effective and to deliver on stakeholder expectations. Could this be limiting their impact and influence? Quite likely.
The most frequently cited skill gaps occur in specialized information technology, such as cyber, cloud and mobile computing; and data analytics.
Our findings indicate that addressing gaps in data analytics should be a high priority for most Internal Audit groups. The function has unfettered enterprise-wide access to data as well as responsibility for improving operational, control, risk management, and governance processes. But internal audit needs analytics capabilities if it is to use that data to fulfill those responsibilities.
Those capabilities enable internal audit not only to provide insight and foresight regarding business operations, risks, and management initiatives, but also to conduct internal audits more efficiently. Increased efficiency can lead to more available resources for reviews of important areas such as culture, information technology, risk management and strategic planning.
But according to our survey, 55% of internal audit groups are using analytics at a basic level, 24% at an intermediate level, and only 7% at an advanced level. The internal audit community has been discussing the importance of using analytics for several years now and the fact that the majority are still operating at the basic level is concerning and suggests the need for a greater sense of urgency.
To get beyond basic sampling, data profiling, and data quality reviews, CAEs should consider the following steps:
CAEs have sounded the alarm bells and illuminated a path forward. It is now incumbent on CAEs and their stakeholders to seize the opportunities for a much stronger and impactful internal audit moving forward.