In 2016, Deloitte undertook a global internal audit research study on the future of internal audit (IA). More than 1,200 chief audit executives (CAEs) participated in this study, a response that signifies their deep interest in the changes affecting IA, and in understanding how they should respond. Spanning 29 countries and a wide range of industries, this research gauged CAEs’ opinions about their functions’ status, capabilities, activities, roles, and resources currently and over the next three to five years. The results of the survey reveal that CAEs understand that IA faces the need to evolve, yet many are struggling with how to act on that understanding.
These results of the survey (captured in Deloitte’s Evolution or Irrelevance. Internal Audit at a Crossroads. Deloitte’s Global Chief Executive Survey) reveal important findings for public sector internal audit functions to consider.
CAEs recognize the need for change. The status quo is not an option when 85% of CAEs expect their organization to change moderately to significantly in the next three to five years, and nearly as many (79%) expect a similar change in IA.
Internal Audit needs more impact and influence. Only 28% of CAEs believe that their functions have strong impact and influence within the organization. A disturbing 16% noted that IA has little to no impact and influence.
Gaps in skills must be addressed. More than half of CAEs (57%) are not convinced that their teams have the skills and expertise needed to deliver on stakeholders’ current expectations—let alone future demands.
Use of alternative resourcing models expected to expand. Significant increases in the use of guest auditor and rotation programs are expected to occur, with the use of rotation programs expected to double in the next three to five years.
Analytics presents major opportunities. While 86% of respondents use analytics, only 24% use them at an intermediate level and 7% at an advanced level. Most (66%) use basic, ad hoc analytics (e.g. spreadsheets) or no analytics. CAEs see talent gaps and accessing quality data as key barriers to greater use of analytics.
In contrast, over the next three to five years, 58% of respondents expect to be using analytics in at least 50% of their audits. An impressive 37% expect to move to high usage— employing analytics in at least 75% of audits. Use of text is expected to decrease (from 78% to 58%) as dynamic visualization tools increase dramatically (from 7% to 35%).
Internal Audit Advisory services will expand. More than half of respondents (55%) expect the proportion of future-focused advisory services they provide to the organization to expand over the next three to five years.
Innovation is important too. CAEs cited risk anticipation (39%) and data analytics (34%) as the two innovations most likely to impact IA over the next three to five years.
Reviews of strategic planning and risk management will increase. While only about one-third of IA groups have evaluated their organization’s strategic planning process in the past three years, over half expect to do so in the next three to five years. A strong increase is also expected in the number of IA groups reviewing their risk management function.
Stable internal audit budgets may present challenges. Half of CAEs expect their budgets to remain stable and another one-third expect them to increase somewhat, which may not be sufficient to address the increasing demands on IA.
Internal Audit needs more impact and influence. A look at specifically identified skills gaps helps to explain why CAEs are not satisfied with their groups’ capabilities and perhaps why those groups lack impact and influence. The top five gaps in capabilities were found to be: fraud prevention, innovation, model risk, data analytics and specialized IT. These skills are critical as they will enable IA to respond to the top priority areas of analytics and innovation, and to key risks.
How The Ontario Internal Audit Division (OIAD) Has Reacted
The Ontario Internal Audit Division (OIAD) actively participates on national jurisdictional committees including the Government Internal Auditors Council of Canada (GIACC) which supports the exchange of information, practices and the ongoing strengthening of IA across Canada. The OIAD specifically has been addressing key changes affecting IA.
The OIAD has seen greater demand to get more involved at the planning of an engagement. There is also an increasing demand to provide advisory services. Ontario has seen this trend extensively and delivers focused efforts on understanding clients’ business through consultations and development of risk-based audit plans.
Participation on Ontario Public Service (OPS) committees as advisory members allows OIAD to keep abreast of emerging challenges and issues, and provide timely advice. In today’s changing environment, it is vital that IA offers a balance between assurance and advisory services; targeting a respective 60-40 split, allows it to be flexible based on the needs of its clients. OIAD supports the OPS with a sustainable strategy to ensure long term success with an Enterprise Risk Management approach. This includes performing comprehensive consultations and reviews with the risk management community and providing continuous support for IA industry research and implementation strategies.
OIAD’s Forensic Investigation Team (FIT) provides dedicated and timely services related to cybersecurity, fraud and information technology to its clients. The division also has a team specializing in IT efforts, that provides independent reviews and advice on large scale I&IT projects.
Innovative resourcing models can help address skills gaps. Alternative staffing models, when properly implemented, can do much to help IA address skills gaps, acquire expertise, and gain influence and impact within the organization. For example, co-sourcing or occasional use of external resources enables IA to secure specialized skills, additional capacity, and just-in-time flexibility without long-term investment.
Guest auditor programs bring in individuals with an in-depth understanding of the audit matter. Rotation programs bring similar benefits, cycling talent from the business through IA and vice versa. Better use of alternative staffing models, when properly planned and implemented, can do much to help IA address skills gaps, acquire expertise, and gain influence and impact within the organization.
OIAD’s increasing participation on the Agency IA Communities of Practice provides advance knowledge across the government with respect to analytics, better practices, techniques and understanding which supports capacity building within agencies and government funded entities.
To minimize skill gaps, OIAD established programs such as a Leadership Development Program and a Job Shadow Program which facilitate the strengthening of core leadership competencies and personal attributes. OIAD also supports professional development and capacity building initiatives; including the establishment of a Professional Development Committee and an extensive internal course curriculum. OIAD is also recognized as a Chartered Professional Accountants (CPA) designated Pre-approved Program.
In addition, the Ontario government has established a pre-selected pool of contracted vendors to provide IA services to support client ministries by supplementing internal expertise that will benefit clients’ business needs.
Internal audit needs to innovate to make changes in its approaches and activities. IA is not currently known for aggressive innovation; however significant opportunities exist to increase the efficiency and value of the IA function through innovation. Stakeholders want IA to use predictive and sensing tools as well as other emerging technologies to gauge the likelihood of success or failure, and to identify ways to increase the chances of success.
The Ontario Government has shown a strong commitment to the continuous improvement of service delivery to the public. In 2015, it created a Centre for Excellence for Evidence-Based Decision Making to build capacity to assess how programs are performing, using evidence to inform choices and create change with increasing transparency and accountability. OIAD continues to demonstrate the alignment of its efforts with the government’s overall focus by keeping abreast of industry practices and emerging trends.
More specifically, OIAD continues its efforts to make positive changes with its clients by implementing a robust Enterprise-Wide Lessons Learned reporting system which allows for wider distribution of lessons drawn from engagements conducted across all service teams. Clients derive so much value that the demand for lessons learned reports has resulted in more frequent reporting.
Both private and public sectors have acknowledged the importance of relying on advance techniques for analyzing data throughout the audit process to produce efficiencies and better detect fraud or mismanagement. Using data analytics helps auditors analyze data earlier, identify risks and anomalies, and better understand their clients. Analytics support forward looking auditing by anticipating risks and predicting/preventing anomalies in a timely manner. FIT has been strategically positioned to play a lead role in supporting data analytics transformational opportunities and also supports service delivery efficiencies through risk-based prioritization and effective client communication. FIT’s Fraud Risk Report shares themes with key internal stakeholders and supports annual audit planning.
Overall, we noted the importance of embracing change and opportunities. This situation calls for vigorous, focused, well-planned responses, and each CAE must develop a response tailored to their organization. As a community, it is essential that IA network and share better practices. Through its participation with GIACC and other organizations, OIAD has found this practice invaluable.
Simon O’keefe is a Partner in the Enterprise Risk Services (ERS) Practice At Deloitte. Rick Kennedy is Chief Internal Auditor and ADM in the Ontario Treasury Board Secretariat.