businesswoman showing audit reports on tablet

Internal Auditors Must Evolve or Perish, Deloitte Report Says

Aug 3rd 2016
Share this content

Internal audit is at a crossroads, and its chief executives must provide guidance about their organizations’ future needs through strategic planning and risk management.

In other words, it’s time to evolve or perish. That’s the tough message in Deloitte’s “Evolution or Irrelevance” report on its 2016 survey of chief audit executives (CAEs).

Organizations “need internal auditors to apply their rigor, objectivity, independence and skills in new ways,” the report states. Internal audit must go beyond providing information and advice, and financial and operational controls. “CAEs must now lead their functions to take the next critical steps,” the report states.

How? The key lies in using analytics in smarter ways, taking it up a few notches from just the basics to risk assessment and business insights. And everyone – audit committee and executive team – has to be on board with this.

"The need to enhance analytics tools and techniques stands out among the most urgent priorities for Internal Audit", said Neil White, Internal Audit Analytics leader for Deloitte Global. "While using analytics to deliver audits more efficiently is an important goal, the survey results lead us to believe Internal Audit should capitalize on the wealth of available data to deliver more insightful views of business issues and risks."

Here’s a sampling of how serious more than 1,200 CAEs in 29 countries and eight industries consider this:

  • The majority (85 percent) expect their organizations to face moderate to significant changes in the next three to five years, and 79 percent predict the same for Internal Audit.
  • But only 28 percent say Internal Audit has a big impact in the organization and 16 percent say it has little or no influence.
  • More than half (57 percent) say their Internal Audit groups lack sufficient skills to meet stakeholder expectations of insight, effective support in decision-making and efficient audits.
  • While most use analytics, only 24 percent consider their use to be at the intermediate level and 7 percent say it’s advanced.
  • Most (66 percent) use basic analytics, such as spreadsheets, or none at all.
  • Internal Audit will expand in the next three to five years, most likely through risk anticipation (39 percent) and data analytics (34 percent) as the key drivers.
  • More than half (58 percent) expect to use analytics in at least half of their audits during the next three to five years. More than a third (37 percent) say they’ll move to high usage-employing analytics in at least 75 percent of audits.
  • Use of dynamic tools is expected to increase from 7 percent to 35 percent in easily understood presentations of data, such as heat maps, bubble charts and interactive graphs.
  • About half (55 percent) expect advisory services to increase.
  • Strategic planning reviews are expected to increase in the next three years, and 70 percent say they’ll evaluate risk management – up from 54 percent during the past three years.
  • Formal rotation programs are expected to double and the percentage of guest auditor programs could increase by 50 percent. About a third (33 percent) say co-sourcing also will increase. This is all due to inadequate skills, a talent shortage and the need for specialists in risk, cybersecurity and other areas, the report states.

The report also offers six ways that CAEs can be change agents and prove their value.

  1. Determine how to increase impact and influence.
  2. Incorporate analytics.
  3. Make reports more visual.
  4. Explore how to handle talent and skill shortages.
  5. Bolster strategic planning and risk management.
  6. Win the support of the C-suite and audit committee chairperson

Replies (1)

Please login or register to join the discussion.

By [email protected]
Aug 4th 2016 12:44 EDT

The language in the article's headline seems greatly over dramatized. "Perish"? All organizations representing the $19.3T of market capitalization on the NYSE are required to have an internal audit function as detailed in the NYSE Manual, Section 303.A.07. Whether outsourcing or not, if IA is scheduled to prospectively perish, someone better reconsider the requirement below:

(c) Each listed company must have an internal audit function.

Commentary: Listed companies must maintain an internal audit function to provide management and the audit committee with ongoing assessments of the listed company's risk management processes and system of internal control. A listed company may choose to outsource this function to a third party service provider other than its independent auditor. While Section 303A.00 permits certain categories of newly-listed companies to avail themselves of a transition period to comply with the internal audit function requirement, all listed companies must have an internal audit function in place no later than the first anniversary of the company's listing date.

Thanks (2)