Internal Audit 0

Yüklə 2,33 Mb.
Pdf görüntüsü
ölçüsü2,33 Mb.

Internal Audit 3.0

The future of Internal Audit is now

April 2018


Internal Audit 3.0


Assure. Advise. Anticipate.













Internal Audit 3.0

The future of Internal Audit is now

What’s often missing is the realization that 

organizations and the business environment have 

changed in material ways, which demand innovation. 

Without applying new approaches, an Internal Audit 

function is rendered behind strategic and technological 

developments, unable to meet stakeholder needs, 

and ill-equipped to deal with emerging risks. By the 

same token, embracing innovative approaches helps 

keep the function ahead of developments. Innovation 

positions Internal Audit to anticipate and then respond 

effectively to stakeholder needs, and equips the 

internal auditors, themselves, to address emerging 

risks in a helpful and impactful manner.

We have long been encouraging Internal Audit to 

adopt new tools and techniques and to develop 

capabilities needed to effectively respond to today’s 

challenges. It is equally important for Internal Audit 

to develop a coherent vision for both the profession 

and the function. Such a vision is essential in order to 

drive needed changes and prioritize initiatives for the 

function and the organization as a whole.

Through consultation with audit committee chairs, 

executives, chief audit executives and business leaders, 

we have developed a blueprint which aims to clarify 

the expectations of Internal Audit, codifying the most 

important components. 

We call it Internal Audit 3.0, the next generation of 

Internal Audit, a function as attuned to the challenges 

of emerging risks, technologies, innovation, and 

disruption as the organization itself; a function fully 

able to assist in safeguarding processes and assets as 

management pursues new methods of creating and 

delivering value.

As with any useful new release of an operating system 

or application, Internal Audit 3.0 updates that which 

needs updating, offers new features and functionality, 

and retains and leverages the best of past versions. 

Internal Audit 3.0 may therefore be considered an 

innovative “operating system” that enables the Internal 

Audit profession and function to better meet both 

existing and emerging needs.

Where we’ve been

Until recently, the Internal Audit profession has not faced 

the need to innovate, let alone reinvent itself. We can 

trace the birth of modern Internal Auditing – ”Internal 

Audit 1.0” – to the founding of the Institute of Internal 

Auditors (IIA) in 1941 – and trace “Internal Audit 2.0” 

to Sarbanes Oxley and its impact on the accounting 

profession (Figure 1). Along the way, developments such 

as the COSO framework, improved capabilities such as 

IT internal audit and data analytics, and supplementary 

guidance to improve the profession following the global 

financial crisis helped move the profession forward.

As organizations hurtle into an increasingly technology-driven, innovation-oriented, 

risky, and disruptive future, where is Internal Audit? Very often, despite ongoing efforts 

to meet stakeholders’ growing list of needs, the answer is: playing catch-up.


Internal Audit 3.0  | The future of Internal Audit is now

Figure 1. Key Internal Audit milestones

Now, however, as we approach the end of a decade 

of unsettling uncertainty, organizations face evolving 

strategic, reputational, operational, financial, 

regulatory, and cyber risks. And there is a need to 

constantly innovate in order to compete (Figure 2). 

The world is entering the fourth industrial revolution 

where new technologies, digitalization, and artificial 

intelligence are dramatically changing the business 


The types, complexities, and inter-dependencies of 

risks associated with the fourth industrial revolution, 

and the speed at which they emerge are new. The 

pressures to evolve in order to create and deliver 

value are new. The strategies, practices, and 

technologies that organizations employ are new. All 

of which are compelling Internal Audit to adopt a new 

vision of its role and remit, to maintain its relevance 

in providing impactful assurance and advisory 

services to organizations.

Failure to act will allow the risks that the organization 

faces to outpace Internal Audit’s skills and 

capabilities. On the flip side, however, taking action 

will position Internal Audit to create and deliver new 

value to its stakeholders, just as the organization 

strives to do so for its constituents.

Although Internal Audit’s service emphasis and 

delivery models must be updated, its central 

purpose remains much the same: to assure and 

advise. However, in our view, the most successful 

Internal Audit functions will also anticipate, and 

through proactive assurance, help organizations 

keep pace with and get ahead of emerging risks.





The birth of modern

internal auditing with the 

establishment of the IIA

COSO Integrated 

Control Framework

IT Internal Audit

Supplementary guidance 

following the Global 

Financial Crisis

Cyber Risk

Sarbanes Oxley

Data Analytics

Integrated Audits

and SME support

2017 IIA 

Standards update


Internal Audit 3.0  | The future of Internal Audit is now















Organization model





Social media








Cash flow


Internet of Things




Artificial intelligence





Figure 2. Organizations face increasing uncertainly on multiple fronts





The birth of modern

internal auditing with the 

establishment of the IIA

COSO Integrated 

Control Framework

IT Internal Audit

Supplementary guidance 

following the Global 

Financial Crisis

Cyber Risk

Sarbanes Oxley

Data Analytics

Integrated Audits

and SME support

2017 IIA 

Standards update


Internal Audit 3.0  | The future of Internal Audit is now

Assure. Advise. Anticipate.

These three – assure, advise, and anticipate – constitute the triad of value that Internal 

Audit stakeholders now want and need. This has been borne out in numerous Deloitte 

external quality assessments (EQAs) conducted for Internal Audit functions in a range 

of industries, in interviews with more than 200 senior executives and audit committee 

chairs, and in numerous Deloitte research surveys with chief audit executives and 

heads of Internal Audit



These key sources of opinion have clearly said that:

Assurance constitutes and remains the core role of 

Internal Audit. Yet the range of activities, issues, and 

risks to be assured should be far broader and more 

real-time than they have been in the past. Assurance on 

core processes and the truly greatest risks is essential 

but so is assurance around decision governance, the 

appropriateness of behaviors within the organization, 

the effectiveness of the three lines of defense (LoD), and 

oversight of digital technologies. Assurance is central to 

Internal Audit’s role but must not be the limit.

Advising management on control effectiveness, 

change initiatives, enhancements to risk management 

related to the three LoD and other matters – including 

business effectiveness and efficiency – falls well within 

Internal Audit’s role and stakeholders’ expectations. 

All sources confirm that a strong advisory role is key to 

maximizing the value of Internal Audit.

Anticipating risks and assisting the business in 

understanding risks, and in crafting preventative 

responses, transforms Internal Audit from being a 

predominantly backward-looking function that reports 

on what went wrong to a forward-looking function 

that prompts awareness of what could go wrong, and 

what to do about it, before it happens. Internal Audit 

becomes more proactive and, through its assurance and 

advisory roles, helps management intervene before risks 


We’ll examine these three dimensions of value in more 

depth in this document, and, for now, simply assert 

that delivering on the assure, advise, anticipate value 

proposition calls for more innovative, technology-driven 

approaches – hence, Internal Audit 3.0.

Internal Audit 3.0 – System overview

Assure, advise, and anticipate form the core value 

proposition of Internal Audit 3.0, covering the basics 

while advancing into activities that will deliver new 

value to the organization. The three darkly shaded 

areas – and the brief descriptors under assure, advise, 

and anticipate – designate the core features of Internal 

Audit 3.0 in Figure 3.

The assure, advise, anticipate value proposition is 

enabled through:


• Digital assets, which have already begun to transform 

Internal Audit work, and are about to revolutionize it


• Skills and capabilities, which position Internal Audit to 

improve the interface with stakeholders and better 

meet their needs


• Enablers, which engage the system to deliver new 

value in desirable ways


Internal Audit 3.0  | The future of Internal Audit is now

Figure 3. Internal Audit 3.0 – System overview

Intelligent assurance     

Core processes

Skills & capabilities




Purple person


Next generation 




Automated core 


Agile IA

High impact 


Response teams 

Change catalyst

Digital assets


3 LoD





by design

During change

Truly greatest 





3 LoD




Risk sensing




Automated QA           


Risk learning

Thinking that the same people operating in the same 

way with the same resources can deliver the value 

that stakeholders need now, let alone going forward, 

amounts to a failure of imagination. Internal Audit 

3.0 challenges Internal Audit leaders to stretch their 

thinking, methods, and relationships to new, broader, 

deeper dimensions. To adopt the elements of Internal 

Audit 3.0, functions have to truly understand what 

stakeholders value and work in ways that help improve 

quality, drive efficiencies, and re-think traditional 


This publication introduces select aspects of Internal 

Audit 3.0 with other elements covered in detail through 

separate publications, such as Agile Internal Audit


. For 

further information on Internal Audit 3.0, please see our 

contacts page at the end of this document and access 

our latest thinking at

In the pages that follow, we explain further what 

Assure, Advise and Anticipate means in the context of 

Internal Audit 3.0.


Internal Audit 3.0  | The future of Internal Audit is now


Internal Audit 3.0  | The future of Internal Audit is now


The core – but not the limit – of Internal Audit

The “Assure” component of Internal Audit 3.0, includes six broad features in which the 

function can provide value (Figure 4).

Core processes – unlocking value through 


Internal Audit planning aims to balance assurance 

around two features – core processes and the truly 

greatest risks to the organization. Internal auditors can 

cover only so many processes per year and often default 

to performing audits on a rotational basis in order to 

find time to also provide assurance around the greatest 

risks. Yet stakeholders need both types of assurance 

– assurance that core financial and operational 

processes in areas like procurement, payables, payroll, 

and health and safety are working properly, and 

confidence that the organization’s truly greatest risks 

(e.g. cyber, digitalization, change management, etc.) are 

appropriately managed – on a more continual basis.

Now, what if – using digital assets – core assurance 

could be automated, significantly reducing the 

resources needed to cover these traditional, core 

processes on a more continual basis? Automated 

core assurance harnesses analytics, robotic process 

automation (RPA), and artificial intelligence (AI) to 

monitor controls and flag non-conformance in real 

time. Combine this with automated reporting, and 

Internal Audit can communicate non-conformance to 

the business so they can remediate immediately, rather 

than only being able to check the controls every few 

years under a rotational audit plan scenario.

Figure 5 illustrates the contrast between the traditional 

approach and automated core assurance.

The chief benefits of automated core assurance are 

that it:


• Eliminates the tradeoff between core process 

assurance and strategic risk coverage (Internal Audit 

can deliver both)


• Enables allocation of resources to address the truly 

greatest risks


• Frees resources to analyze why issues 

occur, including behaviors that contribute to 

noncompliance, and to remediate issues


• Shifts Internal Audit’s role from identifier of issues 

to partner in developing solutions, because audits 

begin with known issues


• Enables Internal Audit to leverage its knowledge, 

position, and experience to help the business to 

improve processes and controls

Figure 4. Six features of assure

Figure 5. Traditional assurance versus automated core assurance

Traditional approach

Automated core assurance approach

Audit and 






Issues and 


Core processes


Truly greatest 





3 LoD







Root cause 






Internal Audit 3.0  | The future of Internal Audit is now

Automated core assurance is an important element 

within Internal Audit 3.0. It automates what can be 

automated, and applies human resources where they 

will yield the greatest value, while providing more 

effective assurance. It also exemplifies Internal Audit 3.0: 

in that it leverages technologies such as analytics and 

RPA to provide real-time monitoring and testing, while 

repositioning Internal Audit from reporter of historic 

issues to strategic business partner.

Assurance around behaviors

Management and employee behaviors drive risk. 

Luckily, with Internal Audit 3.0, Internal Audit is 

positioned to provide assurance around behaviors in 

three key areas: individual accountabilities and whether 

people are fulfilling theirs, operational discipline and 

whether people understand and implement controls, 

and ownership of remediation within the second- and 

first-line functions. Assurance in these three areas can 

significantly deepen insight into people’s attitudes and 

conduct around risk and controls. 

Assurance around digital technologies

Many organizations are adopting new and emerging 

digital technologies. The rise of robotics and AI presents 

new and specific risk areas that are less understood.

Internal Audit urgently needs to address new and 

emerging digital technologies from an assurance 

standpoint because the threats posed by people 

writing, purchasing, and adopting apps and other 

digital capabilities, including those related to the 

Internet of Things (IoT), are real and here now.

This is where new skills and capabilities, and internal 

auditors with different skills and experiences, will be 

needed, including ‘purple people’ who possess a mix 

of business and technology skills, and understand 

cognitive systems in a business context. Additionally, 

Internal Audit functions may need more ‘polymaths’ – 

experts who can ask the right questions, understand 

stakeholder needs, see the real risks, and embrace 

new ways to provide assurance. This is not just about 

having someone review the governance around, say, 

application development and data access; it’s about 

having people who can understand the risk exposures 

created by the nature of a specific AI or RPA application 

and the assumptions being made about them. These 

skills are in short supply, but quite necessary.

“ Automated core assurance is an 

important element within Internal 

Audit 3.0. It automates what can 

be automated, and applies human 

resources where they will yield the 

greatest value, while providing more 

effective assurance.”


Internal Audit 3.0  | The future of Internal Audit is now


Internal Audit 3.0  | The future of Internal Audit is now

The “Advise” component of Internal Audit 3.0 comprises four broad features in which 

the function can deliver new and needed value (Figure 6).


Maximizing value to stakeholders

Figure 6. Four features of advise

Enhancements to the three lines of defense

In Internal Audit 3.0, functions advise the second and 

first lines of defense on ways to improve their own 

assurance capabilities. While still maintaining their 

objectivity and independence, internal auditors can 

provide advice and share methods and tools. The 

goal is to provide assurance where it can be done 

most efficiently and effectively – and as close as 

possible to real-time. Regarding independence (see 

sidebar), Internal Audit should clearly not be making 

management decisions or designing the controls it 

will be auditing. But it is completely legitimate, and, in 

our view, squarely within the function’s role, to assist 

the first and second lines in improving their own 


Internal Audit 3.0 can usefully shift certain assurance 

activities to the first and second lines, but this must 

be done properly. For example, if internal auditors 

develop an analytical tool, which could be adopted 

by the first and second line, care should be taken to 

make sure appropriate safeguards are in place, but this 

should not preclude functions from sharing knowledge 

and tools for the benefit of the wider organization. 

The approach will differ for different industries and 

different organizations.



by design



During change

3 LoD




Success factor 

or limiting factor?

In our experience, too many internal auditors 

use “independence” as a crutch, as an excuse 

to stay in their lane and avoid offering insights 

and opinions when most stakeholders have said 

that is what they truly want. This can relegate 

the function to reporting on the past, which is 

not the wave of the future.

Independence is important and must not be 

disregarded, but Internal Audit functions can 

make informed decisions about which types of 

advisory services do not compromise functional 

or individual auditor independence. 

Typically, Internal Audit advisory services 

require the function to provide a point of view, 

challenge management, or deliver real-time 

insights. Such services can join the dots which 

others don’t see in their entirety, connect 

people, and be a catalyst for change. Internal 

Audit functions have a privileged position 

within organizations, and not making use of this 

position is a missed opportunity. 

Independence means freedom from conditions 

that create the risk of bias – and freedom to 

have a point of view and to provide insights 

supported by data, research, peer practices, 

and experience. Using “independence” to opt 

out of assisting the business benefits no one. 

Under Internal Audit 3.0, functions can respect 

independence whilst advising the business 

through promoting objectivity, integrity, and 



Internal Audit 3.0  | The future of Internal Audit is now

Control effectiveness

Assurance around control design effectiveness is 

table stakes; the most useful advice for the business 

comes at the time the controls are being designed. 

The business benefits far less when Internal Audit 

weighs in with only a review of control design after 

implementation. Internal auditors should observe 

those projects and provide real-time feedback. 

Safeguards to preserve independence can and should 

be established, by the business units or committees 

in question and by Internal Audit, but Internal Audit 

should be at the table and provide its control expertise 

during the design phase.

Advising during change

Internal Audit should also have a seat at the table on 

strategic projects and transformation initiatives, not 

only to provide assurance on change projects but to 

contribute to the quality of discussion by calling out 

concerns, challenging management’s approach to 

risk management and advising on ways to enhance 

and provide assurance. In financial services in some 

jurisdictions, Internal Audit has the right to attend 

Executive Committee meetings and other key 

management decision-making venues, for this very 

purpose. This doesn’t always happen now.

Assurance by design

Internal Audit can help management to implement 

mechanisms in the business that eliminate or reduce 

the need for the second or third line to provide 

assurance on processes or controls. The ideal situation 

would be to reach a point where the system, rather 

than a control that could be worked around, simply 

generates non compliance reports. The basic question 

is: How can we design-in and build-in mechanisms 

that reduce the amount of assurance that human 

beings have to provide? This advice stands apart from 

the issue of providing reviews and assurance around 

how well a control mitigates a risk. In fact, the goal of 

assurance by design interlocks with, and supports, 

the goals of real-time assurance and reporting, and 

automated core assurance.

Indeed, virtually all features of Internal Audit 3.0 

interlock and support one another.

“ Internal Audit can help management to implement  

mechanisms in the business that eliminate or reduce the  

need for the second or third line to provide assurance on 

processes or controls.”


Internal Audit 3.0  | The future of Internal Audit is now


Internal Audit 3.0  | The future of Internal Audit is now

Risk sensing: Viewing the risk landscape

Currently available risk sensing platforms monitor 

risk indicators based on internal or external data, 

or combinations of the two. For example, many 

organizations monitor social media for customer 

sentiment and reputational risks, or newsfeeds and 

regulatory filings, and apply analytics to identify themes 

and trends. Financial services and large industrial 

companies monitor central bank policies to anticipate 

interest rate movements, and the impacts on their 

businesses. Many organizations monitor internal 

management information to identify trends in financial 

or operational performance, customer behavior, 

product defects, and other issues that could affect the 


Risk sensing, which combines advanced analytics 

with human judgment, provides a panoramic view of 

risk, extending well beyond traditional risk registers 

of identified risks. Risk sensing focuses on emerging, 

often unknown risks, and thus stands among the key 

capabilities for anticipating issues and problems and 

delivering insights. Risk sensing also enables real-time 

and continuous risk assessment, moving away from 

the traditional annual risk assessment approach. Used 

effectively, risk sensing can help enhance Internal 

Audit’s understanding of risk and focus assurance 

activities accordingly. 

Risk learning: Getting to why

Risk learning, or cognitive risk anticipation, applies 

analytics to risk events and surrounding factors 

to tease out causal relationships. If a risk event 

occurs, analysts can examine what else occurred 

before, during, and after the event. Over time, by 

applying pattern recognition and root cause analysis 

to a growing database of events and factors, the 

organization can isolate correlations, sequences 

of events, and causes and effects. This positions 

management to take proactive steps to avoid or 

mitigate risk events. It also positions Internal Audit to 

conduct proactive assurance work related to those 

steps. Risk learning takes both Internal Audit and the 

organization well beyond the limits of traditional risk-

based planning, while reducing the level of “unknown 

unknowns” that management faces. 

Upgrading to Internal Audit 3.0

Digital assets, skills and capabilities, and other enablers 

are what make Internal Audit 3.0 a reality. 

How an Internal Audit group develops, accesses, 

and deploys digital assets, skills and capabilities, and 

enablers will depend on the function, organization, and 

stakeholders. The essential first step here is to develop 

a shared vision for Internal Audit 3.0 and then to chart 

a path toward realizing that vision.

For some, this has involved Agile Internal Audit – our 

method of applying practices from agile development 

to Internal Audit work – which has already begun to 

revolutionize forward-thinking functions, as explained 

in our related publication. For others, it may be risk 

sensing, or automated core assurance. Internal Audit 

3.0 is about helping Internal Audit functions to keep 

pace with change, create value, remain relevant, and 

enhance impact and influence. 


Delivering forward-looking insights

With unparalleled access to information within the organization, increasing capabilities 

to use external data, and an enterprise-wide view of the organization, Internal Audit 

is in the ideal position from which to anticipate risks and issues that could affect the 

organization’s ability to reach its goals. 


Internal Audit 3.0  | The future of Internal Audit is now

The inevitability of change

As the saying goes, “There are those who make things 

happen, those who watch things happen, and those who 

ask, ‘What happened?’”

The stakes are too high, for both Internal Audit and the 

organization, for Internal Audit to be in the latter group.

Stakeholder needs have become clear enough for 

Internal Audit to engage in true transformation. And 

that is what is called for, in the context of a vision for 

the function and its role in the organization. With a 

vision – collaboratively developed, clearly articulated, 

and strongly supported – functions can upgrade to 

Internal Audit 3.0, providing stakeholders with its true 


We have repeatedly seen well-developed visions 

and diligent follow-through work. In our Chief 

Audit Executive transition labs, in Internal Audit 

transformation initiatives, and in projects that 

promulgate automated assurance, advanced analytics, 

Agile Internal Auditing, and high-impact reporting, we 

have seen Internal Audit leaders and staff embrace 

change, raise stakeholder expectations, and then 

deliver on those expectations.

The future of Internal Audit has become clear, and the 

time to upgrade is now.

“ The future of Internal Audit has become clear, and the time 

to upgrade is now.”


Internal Audit 3.0  | The future of Internal Audit is now

Terry Hatherell

Global Internal Audit Leader


Kris Wentzel

Americas Internal Audit Leader


Peter Astley

EMEA Internal Audit Leader  


Porus Doctor

Asia Pacific Internal Audit Leader 

Sandy Pundmann

United States Internal Audit Leader 






Sarah Adams

Global IT Internal Audit Leader 




Neil White

Global Internal Audit Analytics Leader 

David Tiernan

UK Internal Audit Innovation Lead


Please contact our team if you would like to discuss or need help defining the future of your Internal Audit function.


Internal Audit 3.0  | The future of Internal Audit is now

1.  Evolution or irrelevance: Internal Audit at a crossroads Deloitte Global Chief Audit Executive Survey, Deloitte Development LP, 2016



Understanding Agile Internal Audit:


Putting Agile Internal Audit into Action:




Internal Audit 3.0  | The future of Internal Audit is now

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee 

(“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally 

separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. 

Please see to learn more about our global network of member firms.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member 

firms, or their related entities (collectively, the “Deloitte network”) is, by means of this communication, rendering 

professional advice or services. Before making any decision or taking any action that may affect your finances 

or your business, you should consult a qualified professional adviser. No entity in the Deloitte network shall be 

responsible for any loss whatsoever sustained by any person who relies on this communication.

© 2018. For information, contact Deloitte Touche Tohmatsu Limited.

Designed and produced by The Creative Studio at Deloitte, London. J15021

Document Outline

  • Internal Audit 3.0
    • Assure. Advise. Anticipate.
  • Assure
  • Advise
  • Anticipate
    • Contacts

Yüklə 2,33 Mb.

Dostları ilə paylaş:

Verilənlər bazası müəlliflik hüququ ilə müdafiə olunur © 2023
rəhbərliyinə müraciət

    Ana səhifə