Adapt and overcome: The evolving strategic role of internal audit

Board and audit committee key takeaways

• Internal audit adapts its role to effectively address different risks. The role internal audit plays must consider:

1. whether a risk is emerging, evolving or relatively static
2. the degree of maturity and/or change taking place within the organization's environment. 

• Which roles internal audit plays is a question about the internal audit role because it provides the function direction related to how much time the Board and Audit Committee expect the function to dedicate to each role.
• Most internal audit functions see their role progress as they mature and strive to create and protect more value for the organization. As a function matures, and the control environment of an organization strengthens, internal audit will be more adept at creating or protecting value outside the traditional assurance role. However, the traditional assurance role must remain intact as part of internal audit’s area of responsibility.

The strategic evolution of internal audit

Internal audit has long been ingrained as a core function in most mid-size and large private and public companies and is a critical element of a robust three lines model. As a risk environment continues to become more complex and the pace of change continues to accelerate, those in the industry often talk about the need to shift away from the traditional assurance role, in which internal audit reports on “what went wrong,” and shift toward a forward-looking advisory role where feedback is provided to stakeholders in real-time. What can get lost in that conversation is the importance of the traditional assurance role.

A traditional assurance role is often appropriate when a risk is relatively static, and the internal control environment is mature. However, such a role would likely not be fit-for-purpose for risks that an organization is or may become exposed to that are emerging or evolving rapidly and in which the internal control environment is either relatively immature or changing in response to a risk.

The role of internal audit is one grounded in what role internal audit should be playing, when they should play it and how much time should they be spending in each of their roles. The answers to these questions will be different for every organization and will likely change over time as the risk environment changes and evolves.

What are the four roles of internal audit?

The four roles of internal audit, as explained in the below table, are not mutually exclusive, and internal audit must be flexible enough to adapt and step into different roles at different times to address the key risks to the organization most effectively. In doing so, internal audit can elevate its brand with key stakeholders, support the achievement of key strategic objectives and contribute to the long-term success of the organization.

What role should internal audit play and when?

Internal audit should consider two primary factors when assessing what is the most appropriate role for it to play:

• Level of change within the risk environment: For an individual risk area, internal audit should consider whether a risk is static, evolving, or emerging.
• Level of maturity and/or change in the organization's environment: Internal audit should consider whether the risk management approach and control environment is established / mature or whether management is making changes either as part of the maturity of the organization or in response to a known or potential change in the risk environment.

Explore the key roles that internal audit can play

Click on each quadrant for a scenario that demonstrates each role’s unique offerings beyond traditional assurance.

Final considerations - what boards and audit committees should be asking about the roles of internal audit:

• When was the last time we refreshed the internal audit role and how would the current role evolve as we consider more closely the four roles of internal audit?
• Does our internal audit function play each of the roles, and are we aligned with the chief audit executive on how much time we would expect internal audit to spend in each of these roles? How may our expectations change in the future?
• Does our internal audit function have an operating model that provides the agility needed to step in and out of different roles and does it have the capabilities required to engage with the business effectively, particularly when stepping out of the traditional assurance role?
• How may the four roles of internal audit impact how we measure the performance of internal audit, and the value internal audit is enabling for the business?

For more information on this topic or to connect with an internal audit professional, contact us.