Over the next five podcasts, Matt Kelly and I will be exploring the future of internal audit, compliance and analytics. In Part I, we introduce the topic, explaining why internal audit (IA) is in the midst of a profound transformation, how this transformation will enable IA to move past its traditional detect function into a more proactive prevent role and how all of these transformations will lead to a more robust, operationalized risk management process.

Kelly believes IA is in the midst of a profound transformation. He explained that IA itself is getting better and better technology. It has much more data analytics capability, so it can do a lot more with the data and do it faster. At the same time, all the other departments in an organization, whether it’s marketing, legal, compliance or operations, are receiving that same advance in technology. This means the other departments that IA is supposed to keep an eye on are advancing with their technology too. Consequently, their ability to throw off new data that can be analyzed is increasing exponentially at the same time. Kelly termed this the “datafication” of the business process.

This is coupled with Boards of Directors wanting more bang for their buck out of the IA budget. This translates into the question of how IA adds strategic value. The answer is a bit delicate because, as IA works for the Board of Directors, it is supposed to be an independent and objective reviewer of business processes and of risks to the business. One of its functions is to recommend ways to reduce risks to acceptable levels. However, with this datafication it becomes much easier for IA to become more of an analysis function and to do more risk monitoring.

The tech revolution is creating more ability to move beyond the traditional audit duties of Sarbanes-Oxley (SOX) compliance, such as the confines of just reviewing financial statements and specific processes at fixed increments every few years. Does this mean that IA can move from a detect function to a more proactive prescriptive function? Kelly believes, “The question is to what degree should it, because there are always going to be these questions about how Internal Audit functions maintain their independence.”

Interestingly, Kelly believes that while the Boards of Directors are directly driving this change, the ultimate pressure is coming from a wide variety of players, including shareholders, regulators, consumers and other stakeholders. All these groups want to see the Board do a better job of managing strategic risk and not be caught with its collective jaw hanging off the floor when a scandal hits an organization. This pressure on Boards of Directors is driving them to ask for more and somewhat different approaches by IA. Kelly believes IA is being pushed beyond its traditional boundaries to “help Boards fulfill a new mission” to help more in the overall risk management process.

This process is also helped by the maturation of the IA function in its control design and testing requirements deriving from SOX. Technology has helped it move away from simple spreadsheets to more sophisticated reporting tools. Now IA has the ability to better interpret the information coming out of these controls. This will allow a greater operationalization of risk throughout an organization. IA can work with business process owners to write algorithms to allow greater self-monitoring of risks at the business or functional unit levels. IA can then work to oversee the entire process to make sure the business processes stay within acceptable or defined risk parameters and report back to the Board of Directors.

In Part II we consider the three steps of evolution that IA must go through to move to a more robust role in the overall risk management process.