It Takes Courage and Curiosity
Theresa Grafenstine, CIA, CGAP, CPA, CISSP | Aug 12, 2024

Today’s organizations not only require robust risk management frameworks and financial controls, but also resilient core operations, a deep appreciation of nonfinancial risks and their impact, and the ability to leverage the commercial and strategic opportunities emerging technologies can bring. There has never been a greater need for sound corporate governance and strong independent assurance than now.
There is no doubt that internal audit can play a crucial role — but to confront tough issues and high-risk areas head-on, internal auditors must step out of their comfort zone and make their voices heard. Thus, my theme as 2024-2025 chair of The IIA’s Global Board of Directors is “Ask Questions.”
How Do We Approach New Technologies?
One of the key challenges internal audit faces is understanding the threats — and opportunities — introduced by new technologies. Many of the emerging risks around artificial intelligence (AI), the cloud, and cybersecurity may initially seem scary to many internal auditors who believe they lack the skills, experience, and resources to deal with them. However, to avoid auditing emerging technologies is to turn a blind eye to some of the greatest threats that our organizations face.
Internal auditors often get derailed by their own self-doubt or by difficult stakeholders who imply auditors need to know how to write the underlying code of an algorithm or configure a server to assess risk. Internal auditors cannot be experts in everything, nor do they need to be.
Instead, internal auditors should rely on an area where they are experts and ask questions about controls. Internal audit needs to ensure there are others in the organization who are addressing the risks related to new technologies and that these people or functions are identifying, mitigating, and leveraging them as appropriate.
In this case, internal audit needs to ask the function responsible for overseeing these emerging technologies what risks it has considered and how it intends to address them. If the function establishing the controls can’t answer those questions, then internal audit has already identified a fundamental issue that it needs to report on and help with.
The same control concepts internal audit would use for assessing something as routine as financial transactions and the separation of duties are applicable here. So, for an emerging technology, internal auditors can apply the same concept by ensuring the person who writes the code can’t also approve it. Having two people involved — one writing the code and another reviewing and approving it for use in the production environment — acts as a control to prevent malicious or unintentional mistakes being baked into the code.
Basic control concepts apply to just about any process. Finding the similarities between technology audits and more familiar types of audits will take away the scare factor that can cause internal auditors to shy away from risk areas they are uncomfortable with — areas that could potentially have a massive impact on the business.
Why Follow Topical Requirements?
To further answer internal auditors’ questions about emerging technologies, The IIA recently released its first Topical Requirement for public comment: Cybersecurity. The Global Internal Audit Standards’ Topical Requirements will provide insight into a range of high-risk areas, such as fraud and third-party risk management, and give internal auditors a solid basis for auditing in these areas. The Requirements also are meant to provide more assurance to regulators, investors, and stakeholders about how pervasive and persistent risk areas are being identified, controlled, and managed.
At their core, Topical Requirements have a very simple concept. For example, if an audit function is carrying out a cybersecurity audit, the document provides a list of standard governance, risk, and control topics internal auditors must consider. The Requirements set a base standard for internal auditors to follow and provide a level of basic assurance in these areas.
The Topical Requirements are not intended to be exhaustive, but they are meant to empower internal auditors to review some heavy risk areas. They push internal auditors to ask: “If we aren’t considering the controls contained in the Topical Requirements — or if we are avoiding putting these areas under our audit plans — why is that the case?”
Asking questions and getting answers are key to internal audit’s work. As strategic assurance providers, internal auditors can’t shy away from areas that might be difficult or push them out of their comfort zones. Audit plans always need to be mapped to the key risk areas of the business.
How Do We Tell Stakeholders What We Do?
As we are called upon to move into new areas and deliver more, the professional standing of internal auditors is paramount. As a profession, we need to ask ourselves whether our key stakeholders really understand what internal audit is, what it does, and what it can deliver.
Internal audit is not alone in this challenge. Other professions, such as cybersecurity professionals, have faced similar struggles, but they moved from being a confusing (and expensive) technology problem to gain standing and recognition by demonstrating their value to the business. The internal audit profession can do the same.
To achieve this, the profession needs to advocate its value to stakeholders both within and outside the organization. The board and audit committee need to understand the value internal audit brings to the organization — not only in terms of financial risks, but also increasingly with nonfinancial challenges and opportunities.
And, the profession should be top of mind when regulators are drafting rules and regulations around governance, risk, and control — understanding that internal audit can help instill confidence and support the public interest. Internal auditors need to demonstrate that they are focusing on the biggest risks to the organization, such as cybersecurity, AI, and third-party risk management. Once the profession makes its voice heard, people will understand the value it brings.
How Do We Remain Relevant?
To make sure internal audit continues to be equipped to focus on the biggest risks, it needs to ask whether the profession is attracting new talent with a broad range of skills. Many internal auditors come through the traditional accounting route, and while that will likely remain a popular choice, accounting skills are now just one skill among many.
Audit functions require internal auditors with backgrounds as varied as the organizations and industries they support, with expertise in healthcare, technology, or the environment, for example. The profession needs to offer a broad range of skills to ensure it remains relevant as a key source of in-house assurance.
Internal auditors also must become better technical experts in key areas. This does not refer solely to IT skills (though they are important). Technical expertise can refer to niche regulatory requirements relating to operational resilience, for example, or other areas such as environmental, social, and governance (ESG) or data privacy. Internal audit needs to ask questions to understand the key risks underpinning these issues so the function knows what it is dealing with, what controls are in place, and how opportunities can be potentially leveraged to deliver value.
Currently, some of these areas may be lower priority compared to, say, Sarbanes-Oxley compliance and reviewing financial controls. However, to stay relevant and reduce the risks organizations face, internal auditors must have the ability to rebalance priorities as risks change.
Internal auditors also need to look at issues like disruption and the impact it could have on the business from two perspectives — positive disruption and negative disruption. For example, is the disruption something like AI, which turns existing practices on their head but also affords massive potential opportunities? Or, is the disruption like ransomware that can halt operations and cost millions to remedy?
Strategy is going to become a much bigger area of focus for internal audit. As the function aligns with the strategic goals of the organization, internal auditors will need to look at strategy in terms of the big picture to question whether it works and is “disruption proof.”
While management will decide strategy, audit functions will always need to probe, question, and challenge whether the strategy makes sense. Have decisionmakers thought through the risks and controls to position the organization to achieve the best outcomes and competitive advantage? Are the organization’s governance bodies questioning what other opportunities it might realize or forego if it follows this path? What should the organization be focusing on more/better than it does now?
When internal audit asks questions about strategic objectives, boards will have greater assurance that the strategy can work and deliver the desired goals. To offer the board support, internal audit needs to question whether its audit plans are aligned with the organization’s strategic goals.
How Is The IIA Helping?
The new Global Internal Audit Standards provide a pathway for internal auditors to question whether they are providing the best assurance they can. Standard 9.2, Internal Audit Strategy, requires the CAE to develop and implement a strategy for internal audit that supports the organization’s objectives and aligns with the expectations of the board, senior management, and other key stakeholders. The CAE must periodically review the strategy with the board and senior management.
In addition, The IIA’s newly released Internal Audit: Vision 2035 report creates a comprehensive and integrated vision of the internal audit profession’s future. The report sets out what skills and expertise auditors should have, as well as what approach they should take to meet future challenges and needs (see articles throughout this issue).
The document has five key recommendations for internal auditors:
- Embrace technology.
- Expand internal audit’s scope to give more time and resources to other issues such as ESG.
- Shift perspective from hindsight to foresight and increase focus on advisory services.
- Connect with strategy.
- Grow the talent pipeline.
Many audit functions already are making progress in these areas, but internal audit must do more. According to The IIA’s latest North American Pulse of the Profession, for example, there is a huge discrepancy between the number of audit teams researching the future use of AI (43%) and those actually using it (15%). Given the opportunities that AI can deliver for internal audit’s work, this is a situation that needs to be addressed.
What’s Your Plan?
In my year as global chair, I will work with The IIA to ensure internal auditors feel empowered to ask questions — both of The Institute and within their organizations. This will ensure they can do both what the profession is telling them to do and what the organization/board expects of them. The IIA will advocate more effectively for the profession around the world and make it clear the value internal auditors can add to the organization.
We want to unify the profession so that it is more standardized and has “one voice.” Leveraging the institutes, we will coordinate more closely and effectively so The IIA has a bigger voice with which to be heard. This will make the profession much more powerful.
How Can We Make Our Mark?
There are tremendous opportunities for the internal audit profession to make its mark — not only in terms of pushing for better corporate governance, but also in promoting internal auditors as vital, trusted, and strategic advisors. As the need for better, deeper, and more real-time assurance increases, so too do the opportunities for internal audit to add greater value and get involved in new areas.
The profession must move to where new risks are emerging and ask questions to ensure the focus is where management thinks the key risks and opportunities lie. Internal audit’s focus needs to be on always looking forward and asking questions of management, our governance bodies, our profession, and ourselves.