The Future of Internal Audit: 5 Trends from the IIA International Conference

This July, Workiva’s governance, risk and compliance (GRC) team was thrilled to join the IIA International Conference in Amsterdam as a diamond sponsor, where one topic was on everyone's minds: the future of internal audit. 

Wondering what you missed? Here’s an in-depth rundown of the hottest internal audit trends covered during the event. 

5 Emerging Changes in Internal Audit

The role of the internal auditor has been experiencing significant transformation on a global scale. While still seen as a police figure by some, they are now increasingly being recognised as a central business collaborators and value drivers.

This shift is down to both evolving perspectives and changing circumstances. Today’s leaders recognise that an accurate understanding of where their organisation stands is more valuable than rigid rule enforcement. Meanwhile, the external landscape has completely transformed, calling for a more nuanced and tailored approach to business. 

To understand where things are heading, let’s take a closer look at five key areas in flux and how they are impacting the profession. 

Change #1: AI is introducing new risks and opportunities

For internal auditors around the world, the advent of artificial intelligence (AI) technology looms large—and for good reason. For some time now, technology has been in place to speed up, automate and ease the burden of internal audit. As AI tools become increasingly advanced, they will be able to provide valuable input into audit planning, testing and reporting, and auditors are likely to leverage these in tackling their most complex challenges.

“AI is expected to affect accountants and auditors significantly”. 

Anthony Pugliese, IIA President

However, while new technology delivers crucial efficiencies to teams, its associated challenges require monitoring. One noted example is the emergence of new or morphed cybersecurity risks, alongside changing roles and team structures throughout the company.  

What this means: Internal auditors need to place themselves at the forefront of technological developments

AI will reshape not only how internal audits are conducted but also what needs to be audited and when. By providing a clear view of how the evolving risks and opportunities of the landscape intersect with the rapidly changing requirements, goals and reality of their company, they can place themselves as a key advisor at the forefront of change. 

While frameworks for auditing AI, such as the one published by the IIA, are essential for helping manage emerging risks, internal auditors must also consider the transformational opportunities new technology presents—not only to their organisation but also to their position within it. 

Change #2: Approaches to technology will define a company's success

According to the ECIIA's 2023 Risk in Focus report, cybersecurity and information security remain the top threat identified by internal audit leaders.

As new tools using AI and robotic process automation (RPA) emerge, organisations need to be aware of how they are being used by employees—both officially and unofficially—in order to stay ahead of potential risks.  

However, while caution remains essential, an emerging risk has been identified: fear of technology. 

As several 2023 IIA international speakers highlighted, new technology now presents such significant potential benefits to organisations that a tech-fearful attitude within leadership should be considered a risk. Increasingly, the tools a company adopts (or ignores) will be pivotal to its success—and, often, these decisions will be shaped by human emotion.

“If left unmonitored, emotional responses can turn into barriers to innovation and progress. We all need to ask ourselves: Am I a digital asset or a digital liability within my organisation?”

Rohit Talwar, CEO of Fast Future

What this means: Internal auditors need to understand, monitor and track human relationships with technology 

With technology now essential to an organisation's growth, internal auditors need to help their company reap the benefits while also mitigating unwanted risks. This requires both an up-to-date knowledge of new tools that might affect the business and a clear understanding of how their organisation currently relates to technology. 

To truly understand a company’s relationship with technology, internal auditors should be able to answer the following questions: 

• What level of risk is the organisation willing to take on?
• How are individuals within the company already using new tools (both officially and unofficially) to speed up their tasks? 
• On an emotional level, how does leadership feel about new technology?
• Which processes within the organisation are ready to be automated, and which aren’t? 

Change #3: Values and company culture are now recognised as material to growth

Once considered a ‘nice to have’, it is now widely accepted that organisations with a strong handle on their culture outperform their competitors. 

The IIA defines company culture as “the invisible belief systems, values, norms and preferences of the individuals that form an organisation”. Corporate teams, just like cities, towns and families, have their own distinct ways of thinking and acting. From an internal audit perspective, this has historically been viewed through the lens of enabling compliance and preventing fraud—but now, a broader range of factors need to be considered. 

Today’s shareholders, customers and employees are all increasingly concerned with the ethics of the companies they engage with. From the environmental impact of the company’s activities to the core values it places ahead of making a profit and how its employees are treated, stakeholders are keen to know whether the image a company projects is upheld throughout the organisation, with failure to uphold these values leading to material losses. 

What this means: Internal auditors need to assess company culture 

Internal auditors can help provide a detailed and realistic view of where a company’s external values and internal culture either align or diverge, identifying key areas of risk. Frameworks published by the IIA and the Institute of Business Ethics provide helpful guidance on how to internally audit company culture and ethics, but should be used in conjunction with the internal auditor’s understanding of their company.

As with approaches to technology, being able to provide context and practical insight into the daily reality of the company and its culture will become increasingly invaluable to business leaders. 

Change #4: Disruption is now the norm

Another important change organisations have been facing is a considerable increase in external disruption. While the past three years might seem like an extreme example of this, global leaders agree that major disruptive events are likely to become more frequent and severe. 

Here, internal audit teams can help their organisations stay prepared for challenges in the face of an unpredictable external landscape. By remaining informed of potential destabilising factors and regularly assessing the organisation’s level of preparedness, internal auditors can have a measurable impact on how their company fares in times of crisis. 

What this means: Internal auditors need to help establish a “living plan” for times of crisis 

While it may not be possible to predict every future scenario, internal auditors can help their company assess selected areas in the face of potential change and can provide insights on the organisation's overall level of resilience.

“[Have a] living plan—not one that exists on paper, but one that actually works in practice”.

Kees Roks, Chief Audit Officer, Novartis

Maintaining an agile disruption plan with regular testing, training and consideration of new routes is the main lesson Novartis learnt from the COVID-19 pandemic. He also stresses the importance of dynamic materiality, which recognises that the significance and risk levels of certain factors can fluctuate over time. 

One way to do this is by viewing various aspects of the business through the lens of diversification. Taking a detailed look at supply chain routes, office and factory locations, talent pools, tools and resources, customer bases, industries and sectors and more, where is the company limited to a narrow range of options? Could more alternatives be considered? 

Change #5: ESG and sustainability metrics are being monitored more closely than ever

Strong governance over ESG practices has been a hot topic of discussion among business leaders for some time now. While emerging legislations and frameworks are a major driver for change, strong ESG controls are increasingly becoming an investor expectation. Organisations are having to track far more material information than they once did. That information needs to be accurate, timely and verifiable—not only for reporting but also to make fundamental business decisions. 

What this means: Internal audit needs to be brought into the process as early as possible 

Companies gearing up to meet specific standards are being advised to immediately start establishing how they will get the data they need and how they plan to verify it. By setting up the right processes, tools and controls for their ESG metrics today, businesses enable themselves to gather the material, high-quality knowledge they will need to survive and thrive. Rather than being there to flag when things go wrong, internal audit should be involved as early as possible, leveraging their industry knowledge and understanding of the organisation to help set them up for success.      

How should internal auditors respond to these changes? 

As the nature of the profession continues to transform, how can internal auditors ensure they stay ahead in their profession?  

Tip 1: Continue building a relationship of trust within your organisation

To truly understand the reality of their organisation, internal auditors need to continue cultivating a bond of trust between themselves and their colleagues. Establishing a culture of openness and psychological safety will not only help in monitoring compliance, but in achieving a full and realistic picture of where the organisation stands and where it's going. This will help you provide essential context to leadership by bringing accurate insights to data interpretation. 

Tip 2: Stay informed of external developments 

With emerging technologies, increasing levels of disruption and higher expectations surrounding ESG and company culture, internal auditors will need to take on a proactive role in the face of external changes. These might include geo-political risks, corporate regulations and shareholder attitudes and expectations. Staying informed about the wider landscape, what's around the corner and how it might affect your organisation will help you stay ahead of both emerging risks and opportunities.

Tip 3: Get involved at decision-making stages

While maintaining a level of independence is important, internal auditors can be invaluable in helping design controls, make key business decisions and choose new tools. By combining their understanding of the external landscape with their on-the-ground knowledge of the company, they can provide invaluable guidance that will help shape the future of the organisation. 

As organisations are pushed to establish more stringent controls over their ESG reporting practices, now is the time for internal auditors to get involved at the early stages of the process, continue to build strong relationships throughout their company and secure their seat at the decision-making table.