The first three years of the 2020s have been called “the era of permacrisis.” Constant upheaval from a pandemic, geopolitical instability, financial institution failures, and disruptive AI technology have created a wildly unpredictable risk landscape. During a recent Audit & Beyond conference, I talked about the need for audit professionals to transform how they think about their role in providing assurance to their organizations. This article focuses on the five key transformation objectives I believe internal audit teams should embrace in the next year.
1. Transform Our Mindsets
To keep up with the pace of change in a time of permacrisis, internal auditors must change how they think about their role within an organization. The transformation starts by embracing the modern world’s ambiguity and complexity. Instead of holding on to traditional audit techniques, internal auditors should seek out the changes that could impact their organizations to ensure we are helping management deal with risks appropriately. In line with this approach, internal auditors can adopt a client services mentality. By thinking of their work as a service provided to their clients instead of an audit performed by an auditee, internal auditors can forge a deeper relationship with the organization.
2. Strive for Impactful Stakeholder Communications
Impactful communication is the primary driver for a successful internal audit function. Strong communication spans all aspects of the organization – within the internal audit team, to peers in the second line of defense teams, the audit committee, the board, and external audit teams. To provide impactful communication to these stakeholders, the information should be relevant, risk-informed, concise, insightful, and timely. For internal auditors, this means providing succinct information on the state of risks and controls crafted for the recipient, based on current assessments, without a long time lag from when the internal audit started to communicating the results.
3. Enhance Capabilities to Identify Emerging Risks
Emerging risks are complex, arise with little warning, and are typically uncontrollable. Internal auditors need to be vigilant in looking for emerging risks. These can be known risks that evolve into new threats, known risks that are new to the organization, and risks that were never anticipated or faced before. Since emerging risks are so volatile, internal auditors can help organizations anticipate emerging risks by having open discussions with key stakeholders about potential risks from a framework perspective. I encourage internal auditors to collaborate with risk managers and others and to use the “PESTLE” framework to have systematic conversations covering political, economic, social, technological, legal, and environmental risks.
4. Improve Capabilities to Monitor Risks Continuously
Throughout the past year, I have stressed the importance of continuous monitoring and continuous risk assessment. As I often observe, simply relying on a quarterly risk assessment is like a security camera that only takes a picture four times a year when you really need a camera that is continuously watching a room. Instead of internal audit and other assurance providers each working in silos, these teams should work together to present a consistent view of the risk and control environment within the organization by aligning risk taxonomies and collaborating on risk assessments so senior leaders and the board are hearing the same message from the different teams.
5. Expand the Use of Automation and Analytics
Internal audit teams can leverage technology to get more out of the existing resources; specifically, auditors should expand the use of automation and analytics. I advise that to successfully implement these technologies, internal auditors should start by identifying their automation targets, building allies in the organization, getting executive sponsorship, and then demonstrating a quick win from the technology to justify the expense. Jumpstarting your automation and analytics program this way sets the audit team on a path to drive success through better assurance by leveraging these technologies to match the increasing volume and volatility of risk.
Collaboration Through Connected Risk
These five priorities will enable internal auditors to change how they think about risk and auditing. Stakeholders need forward-looking internal audit partners who lean into the uncertainty of emerging risk, engage in meaningful communication, use technology to cover more ground, and inspire a connected risk mindset. With a connected risk approach, internal auditors and others in the organization share information, work closely together, and gain a complete view of risk across the lines of defense. In this era of permacrisis, internal auditors can lead the charge in their organizations to ensure leaders are having critical conversations about the right risks and working toward the organization’s objectives.
Richard Chambers, CIA, CRMA, CFE, CGAP, is the CEO of Richard F. Chambers & Associates, a global advisory firm for internal audit professionals, and also serves as Senior Internal Audit Advisor at AuditBoard. Previously, he served for over a decade as the president and CEO of The Institute of Internal Auditors (IIA). Connect with Richard on LinkedIn.