Online Exclusive: Internal Audit’s Advisory Shift

Such changes are accelerating to the point where, in 10 years, the profession will look significantly different. Driven by rapid technological change, globalization, and heightened stakeholder expectations, internal auditors will become — and indeed must become to maintain compliance with the Global Internal Audit Standards — strategic advisors who offer insights and business solutions.

No change comes without uncertainty, however, and this transition is no different. For example, it is reasonable to question how an internal auditor could be expected to balance these new expectations with the assurance services it currently provides. Additionally, one might wonder how such a balancing act could be accomplished without impeding internal audit’s independence — also a core element of the Standards. Fortunately, these concerns need not cause distress, provided they are approached with foresight and strategic planning as the future of internal auditing rapidly becomes the present.

The Lay of the Internal Audit Landscape

The IIA’s Vision 2035 Report presents a clear picture of where the internal audit profession is heading. According to the data, today’s internal auditors, on average, dedicate 76% of their time to assurance-based services, and 24% to advisory services. In these respondents’ views of an ideal future, however, assurance-based services decline to 59% while advisory services increase to 41%. What was once a role that was defined primarily by assurance should soon, in the profession’s view, have dual responsibilities.

For many internal audit functions, this is already their reality. According to Vision 2035, 80% of senior professionals, including audit committee and board members, report that the board and senior management leverage internal audit to help achieve organizational objectives.

In practice, this change has a dramatic effect on virtually every element of the internal audit process. Crowe’s 2024 report, From Assurance to Advisory, outlines a few of these changes:

• Development of Risk Assessments. Assessment preparation will become a more active, evolving process built on an understanding of the audit area’s goals and the organization’s strategic objectives.
• The Audit Process. Audit testing and data sampling, as opposed to being purely transactional and done at a single point in time, will become more personalized based on the organization’s strategic plan and conducted using real-time, up-to-date monitoring dashboards and automation technology.
• Report Writing. Reports will extend well beyond capturing negative findings and observations and will prioritize more detailed, informed recommendations showing how the audit area aligns with other parts of the organization.

Sandy Pundmann, executive vice president, chief audit and risk officer at Warner Brothers, distills these changes down to internal audit having a greater understanding of the full scope of the organization’s overall goals. “The auditors that are only used to doing compliance and internal controls over financial reporting testing, also need to have business savvy,” she says. “They really need to understand how to peel back the onion and be curious and understand what they’re looking at. Technical skill sets are going to be important, but they must be combined with business acumen.”

Overcoming the Challenges of Change

The transition will not be seamless, and it presents several challenges. Hurdles an internal audit function may face in becoming both an assurance provider and an advisor include:

The perception that internal audit lacks the credibility to offer recommendations. Credibility is built over time through relationships, quality of work, and overall approach to audits. “Developing the advisory aspects of internal audit is about learning about the people, being a part of the people, and about being a part of the team,” says Mike Jacka, chief creative pilot at Flying Pig Audit, Consulting, and Training Solutions. As internal auditors develop a healthy reputation throughout the organization, stakeholders will come to understand better their intentions and the value internal audit could provide them.

Lack of resources or knowledge to provide recommendations. No department in the organization can fully keep up with modern organizational risk, but there are many advanced tools and programs available to help internal auditors in their effort. These tools can significantly improve an internal audit team’s ability to track controls, maintain and analyze evidence, enhance collaborations among the audit team and stakeholders, and identify critical informational or procedural gaps.

Handling time management with additional responsibilities. In this area, again, internal auditors can solve this issue with the aid of technology tools such as artificial intelligence, as well as one or more of the various Agile frameworks designed to maximize team collaboration, productivity, and efficiency. Deloitte’s recent article, “Is a Linear Approach to Internal Audit Out of Line?”, notes that “[The IIA] recommends workflows to be iterative, not linear. The IIA’s latest updates to the Global Internal Audit Standards foster greater flexibility in engagement work programs, emphasizing that steps may need to be done out of order or concurrently to optimize outcomes.”

Maintaining objectivity and independence. Taking on increasing advisory roles can raise questions about professional independence. Incorporating such new responsibilities into the audit universe requires detailed discussion and understanding of clear boundaries and controls. “The distinction lies in the level of involvement,” says Manuel Gutiérrez, founder of auditnotes.com. “The auditor observes, evaluates, and recommends from an independent position. The consultant designs and drives solutions. For this reason, if the auditor contributes to designing a control, the auditor should not evaluate it later.”

Change or Be Left Behind

Change can be confusing and certainly challenging, but few argue — especially in today’s risk environment — that it’s unnecessary. Agility, adaptability, and advisory service roles are the defining features of the model internal audit function moving forward. Internal audit needs to be equipped to perform in a way that always maximizes value or the organization.

“The future of internal audit will be defined by our ability to adapt, advise, and anticipate risks in real time,” said Anthony Pugliese, IIA president and CEO, in a recent episode of The Audit Podcast. “Assurance will always be our foundation, but advisory services are where we can truly help organizations thrive in a world of constant disruption.”