Feature article Risk management

The evolving role of internal audit

by CARMEL MORTELL Partner, Risk Assurance,, and LAKSHI PRABHAKARAN Associate Director, KPMG

The internal audit function is expanding from a traditional compliance role to an more strategic role.
It is critical that IA functions build a close working relationship with senior management and secures
visible support from their audit committee.
IA functions also need to focus on addressing the technological advancements which will influence the
audit process.

In the eyes of an internal auditor, the internal audit (IA) function of the past, present and
future look very different.

The IA function of the past typically played a traditional compliance role with a team of generalist auditors,
churning out repetitive audits focused on financial and compliance matters to report to the audit
committee and other stakeholders that the organisations processes and procedures were designed and
operating effectively and in-line with relevant laws and regulations.

While these expectations of the audit committee and other stakeholders have not changed they are also
wanting more, IA now has the ability and a real opportunity to play a strategic role to contribute more by
providing insight, identifying and addressing emerging risks and adding real tangible value to
stakeholders and the organisation.

While IAs mandate and role has and is changing in our minds and hopefully actions, so far we have been
unable to communicate this successfully to our stakeholders and the broader organisation. Survey results
indicate we are still predominantly seen to provide financial savings and compliance feedback.

Survey highlighting the differing perceptions of Internal Audit within organisations

Governance Directions April 2018 117

 unable to communicate this successfully to our stakeholders and the broader organisation. Survey results
Feature article Risk we
indicate management
are still predominantly seen to provide financial savings and compliance feedback.

Survey highlighting the differing perceptions of Internal Audit within organisations

Source: Key Risks for Internal Audit, KPMG CH, September 2017.

The traditional internal audit function

As technology advances at an ever increasing pace, the proliferation of data is overwhelming and
regulations become increasingly more complex, the risks facing organisations also climb exponentially
and emerge with impact at a speed we have never experienced before. If we truly want to play a key role
in supporting and guiding our organisations through this change and be able to articulate and
demonstrate the strategic role that IA can play we need to understand where IA began, how we have
changed and where we are going.

Significant technological developments through digitalisation, data analytics,

robotics, and artificial and automated intelligence have and will change the way
we all do business.

Let’s take a step back and think about a traditional IA function from ten years ago. We would likely see a
team comprised mainly of auditors with generalist IA skills with a few technology auditors, and probably
bottom heavy in seniority reporting to the chief internal auditor who would have a direct line to the CFO
and audit committee to communicate the results of historical audits on a quarterly basis. The expectation
of IA from its stakeholders would be to conduct retrospective annual reviews providing comfort that the
controls in place over the finance, compliance and regulatory processes were designed and operating
effectively based on a ‘checks and balances approach’. Similar to the expectations of external auditors,
IA would come into the business during an audit, carry out the required procedures and disappear until
the next review was scheduled. It would be unusual for IA to have much involvement in the day-to-day
business and a leadership seat at the table with senior management to contribute to the strategy and
steering of the organisation.

The pace and impact of technological and data growth is not to be taken lightly. Significant technological
developments through digitalisation, data analytics, robotics, and artificial and automated intelligence
have and will change the way we all do business. With this comes the changing needs of our customers
who have more knowledge, information and options at their fingertips than ever before. Hand in hand with
this comes the exponential increase in regulation and exposure to new types of and increased risk
across all sectors and industries. As a result, IA’s stakeholders now need IA to ‘balance a broad
118 understanding of regulatory and financial reporting requirements with a detailed knowledge of the current
business issues, risks and controls that affect their organisations.’
who have more knowledge, information and options at their fingertips than ever before. Hand in hand with
this comes the exponential increase in regulation and exposure to new types of and increased risk
across all sectors and industries. As a result, IA’s stakeholders now need IA to ‘balance a broad
understanding of regulatory and financial reporting requirements with a detailed knowledge of the current
business issues, risks and controls that affect their organisations.’

The internal audit function of the future

So how does this impact the role and mandate of IA in an organisation? Well not surprisingly, the IA
function of the future is already starting to take shape. More and more we are seeing IA developing
strong relationships with the senior executive and governing bodies of their organisation, with regular
face-to-face meetings with the chair of the audit or risk committee. With visible support from the audit
committee and the board, IA now often has a seat at the table with senior management as a key leader
of the organisation to drive and steer the direction of the business. IA is beginning to be seen as a
partner with the business with ongoing consultation and communication with stakeholders, outside of
interactions during audits, as an objective and insightful sounding board who has a strong understanding
of the organisation, its people and their behaviours, and the increasing risks it faces. It is not unusual for
IA to have a place on steering committees to provide advice and guidance during major project rollouts
to ensure risks are addressed upfront during implementation, rather than playing the role of a
retrospective compliance reviewer and with involvement sometimes considered as an afterthought.

While IA continues to provide assurance, it is expected to also add value to the

business by providing insight to improve efficiency and give the business a
competitive advantage.
What insights do most companies receive from their IA today; what insights would be of most value?

Source: Seeking value through Internal Audit, KPMG International, 2016.

The IA function of the future needs to balance its knowledge and focus of reviews on ensuring regulatory
and financial processes and procedures continue to meet the required standards, but must also have a
very strong and detailed understanding of the organisation and its operations across all levels, current
issues, emerging and existing risks, and more broadly be aware of what other organisations are facing
within the same industry and outside so it can educate its own stakeholders and be ready to react quickly
to tackle these issues within its own organisation if and when necessary. While IA continues to provide
assurance, it is expected to also add value to the business by providing insight to improve efficiency and
give the business a competitive advantage.

Regulatory developments, stakeholder expectations, and increasing business

and operational risks have all contributed to a broader and more complex
Governance Directions April 2018 119
mandate for IA functions.
 Regulatory developments, stakeholder expectations, and increasing business
Feature article Risk management
and operational risks have all contributed to a broader and more complex
mandate for IA functions.

Regulatory developments, stakeholder expectations, and increasing business and operational risks have
all contributed to a boarder and more complex mandate for IA functions. They are finding this balancing
act between supporting supervision and adding value, increasingly challenging.

With the increased mandate and role of IA, there is a need to work closely with other assurance providers
across the lines of defence through a combined assurance model. Working together the lines of defence
will be able to provide more coverage across the risks of the organisation, improve efficiency through not
duplicating efforts, share skills and knowledge leading to more value add and insight to the organisation.
There is a still a long way to go in establishing this combined assurance approach — a survey conducted
in Europe across a number of IA functions indicates that currently ‘only 19 per cent formally place reliance
on other assurance providers’.

The structure and shape of the IA team

As the requirements of IA change, so too will the structure and shape of the IA team. Subject matter
experts (SME’s) with a deep knowledge of areas such as technology, operational risk, data analytics,
and regulatory risk are becoming increasing more valuable and core to a successful IA function with
generalist auditors being more interchangeable and making up less of the core team. Auditors with
previous business experience from the organisation are also increasingly more valuable and becoming
core to the IA team, allowing IA to tap into and grow its understanding of the inner workings of the
business to provide meaningful and valuable insight and guidance. In the same survey conducted in
Europe across a number of IA functions, ‘26-50 per cent of IA team members had prior business
experience from within the organisation’.

The impact of technological advancements

IA functions also need to focus on addressing the technological advancements which will impact how we
audit. Data analytics needs to become embedded in our day-to-day operations and become a skill and
tool for all auditors. We need to be able to understand and address IT related risks efficiently and
effectively. Resources with these capabilities are still few and far between so we need to begin educating
and training up our existing resources to make sure we have at least some capability for the future.
Survey results indicate that almost all respondents are overwhelmingly using data analytics to support
audit activities in less than 50 per cent of their audits.

Implementing an element of assessing and understanding risk culture or the

behavioural elements of controls in place at your organisation within an audit
gives further insight and understanding into what is driving and impacting
behaviours and ultimately motivating compliance.
What percentage of the audits use data analytics to support audit activities?

120
 gives further insight and understanding into what is driving and impacting
behaviours and ultimately motivating compliance.
What percentage of the audits use data analytics to support audit activities?

Source: Threading the needle, KPMG International, February 2018

As we enter into an uncertain future with increased and unknown risks emerging, the expectations of a
successful IA function only continue to grow more in complexity and depth. On our journey to become an
IA function of the future, we need to first make sure we have the right mindset — we need to be ready for
change and accept that it is imminent and there is no negotiating this. As an IA function we need to
embrace new techniques and ways of doing things. Data-driven audits add significant value and insight
into the business and we need to upskill ourselves and our teams to make use of the significant amount
of data at our fingertips to add depth and insight to our audits. Employing the use of LEAN principles in
IA also adds a different dimension — with a need for IA to add value to the organisation, applying LEAN
brings recommendations for efficiency and a resulting competitive advantage. Implementing an element
of assessing and understanding risk culture or the behavioural elements of controls in place at your
organisation within an audit gives further insight and understanding into what is driving and impacting
behaviours and ultimately motivating compliance —bringing a different perspective to your stakeholders
as part of IA findings.

Change is upon us, and with this so have the expectations of an effective and successful IA function. We
need to have in-depth knowledge of our organisations and a strong grasp of the overall environment so
we can provide valuable insight and guidance on existing and emerging risks to add value, bring
efficiency and give our organisations a competitive advantage. IA needs to have a team of strong
auditors with broad and wide-ranging skills and capabilities who can utilise various tools and techniques
and are willing to constantly adapt and learn to keep up with the pace of change so we can continue to be
relevant, objective and valuable.

Carmel Mortell can be contacted on (03) 9288 5845) or by email at cmortell@kpmg.com.au. Lakshi Prabhakaran
can be contacted on (03) 9288 5935 or by email at lprabhakaran@kpmg.com.au

Material published in Governance Directions is copyright and may not be reproduced without permission. The
views expressed therein are those of the author and not of Governance Institute of Australia. All views and
opinions are provided as general commentary only and should not be relied upon in place of specific accounting,
legal or other professional advice.

Governance Directions April 2018 121

Copyright of Governance Directions is the property of Copyright Agency Limited and its
content may not be copied or emailed to multiple sites or posted to a listserv without the
copyright holder's express written permission. However, users may print, download, or email
articles for individual use.