Internal Audit Month Is Also a Time to Reflect on Our Future

May is Internal Audit Month, created to advance global awareness of internal audit’s role and value. In the shadow of the growing risk exposure gap, however, internal audit has fresh reasons to want to raise the profile of the profession. After all, if our organizations don’t understand and appreciate our vital work (or worse yet, if they don’t survive), will we still be the ones doing it in ten years?

Organizations will always need what internal audit is capable of doing — but they may not need internal auditors to do it. That’s why Internal Audit Month is also a time for us to reflect on our profession, and to plan strategically about where we want to go. If we aren’t focused on our future, we have no opportunity to influence it.

The Value of Strategic Planning

Nobody knows what the future holds. In an audit duel on Jon Taber’s Audit 15 Fun podcast, my friend and fellow internal audit thought leader Norman Marks and I agree on this much. Where our views diverge is on the value of strategic planning amid such uncertainty. Whereas Norman believes that uncertainty prevents internal audit teams from making effective strategic plans more than a year out, I have long been an advocate. 

Strategic plans aren’t there to provide all the answers, but rather to help us ask the right questions, and identify the levers we have to respond effectively to the uncertainty. Strategic plans are also a key mechanism for proactively managing and transforming the internal audit function — a view reinforced by the Global Internal Audit Standards’ new strategic plan requirement.  

Risk Will Endure — But Will Internal Audit?

Jeff Bezos said in a 2012 interview that he is frequently asked, “What’s going to change in the next ten years?” He suggested that “What’s not going to change in the next ten years?” is the better question to ask, “because you can build a business strategy around the things that are stable in time,” giving the examples of low prices, fast delivery, and vast selection. Bezos continued, “When you have something that you know is true, even over the long term, you can afford to put a lot of energy into it.”

I don’t know how internal audit will be different in ten years. But we can ask ourselves how it won’t be different and plan around our conclusions. 

For example, organizations will always face risks. Accordingly, leaders of organizations will always seek assurance and advice about the effectiveness of risk management processes, controls, and governance. The pertinent question is whether internal audit will be the preferred source, since organizations can gain assurance in myriad ways (e.g., AI, consultants, second-line roles, external assurance providers). 

To Avoid Obsolescence, Avoid Complacency

The biggest risk I see to internal audit’s future is not from outside, but from within. If we become too comfortable with what we do and how we do it, failing to see the strategic risks on the horizon threatening our future, we fall victim to a dangerous sense of complacency.

Complacency is not a strategy. The mentality of “if it ain’t broke, don’t fix it” has no value here, because what “ain’t broke” today could nonetheless become irrelevant or obsolete tomorrow. To that end, I see various ways internal auditors can avoid complacency: 

• Transform your mindset. As I often say, true transformation starts with mindset. Embrace complexity and ambiguity, understand that risk and change are the only constants, and forge a culture of experimentation and continuous learning. 
• Embed innovation and growth. Use your strategic plan to set a course for growth, including exploring and implementing new technologies and ways of thinking. Expand your skills and capabilities and those of your team (e.g., while I don’t believe AI will replace internal auditors, internal auditors who don’t use AI may well be replaced).
• Be more proactive. Instead of simply reacting, anticipate and prepare for critical risks and challenges (e.g., talent management, regulatory changes, AI use/governance, cybersecurity), and regularly seek stakeholder feedback.
• Rediscover your courage and step out of your comfort zone. As David Hill points out in the linked blog, the Standards’ addition of “professional courage” to the ethical principles comes at an ideal time. Use your voice, share your perspectives, and be an agent of change. 

A Strategic Plan for Internal Audit’s Role

Internal auditors should cultivate recognition of our role and value year-round, not just one month per year. But change must start at home, because the biggest uncertainty facing the profession isn’t whether organizations will need what internal audit does, but whether they’ll need us to do it. We must strategically plan what internal audit’s role will be, including how we’ll differentiate ourselves from other sources of assurance. As the inimitable Yogi Berra quipped, “If you don’t know where you’re going, you’ll end up somewhere else.”