ICAEW.com works better with JavaScript enabled.
Exclusive

Internal audit and the capability challenge

Author:

Published: 27 Sep 2024

Exclusive content
Access to our exclusive resources is for specific groups of students, users, subscribers and members.
Internal audit has always been at the forefront of safeguarding corporate integrity. But as the business environment continues to change rapidly, internal auditors face evolving expectations.

When a group of Internal Audit Directors gather to discuss their most pressing concerns, one subject usually dominates – the challenge of attracting, developing and retaining the talent necessary to build effective teams and respond to that ever-changing business environment. 

There is nothing new in this. For many years internal (and external) audit leaders have grappled with how to access the skills they need, particularly around technology. And how to ensure their auditors have sufficient capability to understand the complex business models, commercial issues and emerging risks that they are auditing.

Rising expectations and governance pressures

Expectations of internal audit have heightened. The Guidance to the UK Corporate Governance Code 2024 contains more than 40 references to internal audit, reinforcing its importance. With this greater recognition comes greater responsibility. Internal audit functions need to step up and evidence they can deliver what directors need – with courage and rigour.

Risks are real and manifesting with visible consequences. The pandemic reminded us things can happen that we thought were unimaginable. Organisations need to be prepared and resilient. Internal auditors need to be agile, with the ability to assess emerging risks with limited precedent to guide them.

There are many moving parts. Within the profession we have new IA Standards and a refreshed UK Code of Practice. Beyond this the regulatory landscape is becoming more complex for many sectors. We will soon have further fraud risk obligations. Issues from data protection to the alphabet soup of environmental reporting are more challenging.
Internal auditors can no longer rely solely on traditional testing models or conventional reporting.

They must adapt to more complex expectations, which require a more nuanced approach, particularly in areas like culture and behaviour, where the risks are less tangible.

Technology and the pace of change

Technology is no longer simply about managing systems – although that was pretty challenging. It’s about understanding cyber risks, artificial intelligence, and machine learning, all of which are evolving at unprecedented pace. Even the deepest experts struggle to stay current. Compounding the challenge is the legal context where the law often assumes that technology is infallible, giving it primacy over humans.

Rebuilding trust amid public disclosures

High profile scandals - think Post Office, Grenfell, contaminated blood - have eroded trust and openness between the functions set up to get to the truth. Directors’ failure to listen and act on early warnings has further complicated these relationships, creating a culture of fear and defensiveness. Internal auditors need real diplomacy and experience to navigate these sensitive issues, particularly dealing with areas like culture that is inherently challenging to quantify. 

The shift to cultural and behavioural audits

Today, internal auditors are expected to assess culture – which is intangible and difficult. Traditional testing methods fall short. Traditional reports are met with defensiveness. HR functions are generally more disconnected from audit than almost any other part of the business.

As auditors move into this space, they need to be cautious about the potential for misunderstanding and unintended consequences. This enables their insights to foster positive change that responds to the most critical operational, financial and regulatory risks facing the organisation. Internal audit must rise to the challenge of understanding the business in a way that is equivalent to first- and second-line colleagues. 

Evolving resourcing models

To meet these growing demands, resourcing models in internal audit continue to evolve. Co-sourcing remains a great way to access specialist skills that do not exist within the function. Companies are increasingly likely to have more than one partner – often using a larger firm alongside niche boutiques with specialists that have first-hand experience, particularly in areas like cultural and behavioural expertise.

There is an increasing trend in the rotation of individuals through the function, on long or short-term assignments as well as for individual audits. One approach, pioneered by Unilever, almost exclusively rotates business individuals from across the organisation into internal audit. Not only do they bring their fresh perspective, but their time in internal audit equips them to understand the broader group context and risks, while building relationships and networks. 

Larger internal audit functions are integrating specialist skills in areas such as behaviours, data and cyber with traditional audit. This recognises, for example, that behavioural auditors are specialists in their own right. They bring behavioural science into an audit context – creating the ability to challenge and benchmark alongside HR professionals. 

The emergence of fractional models

In addition to traditional resourcing approaches, fractional models are emerging as a more dynamic solution. Borrowed from legal and finance sectors, this model involves hiring senior consultants or niche firms for specific projects. It offers a cost-effective way to access expertise without the complexity of large-scale engagements and avoids the need to onboard junior resources for whom there may not be sufficient work.

Conclusion: the way forward

To navigate these challenges, internal audit functions need clarity of purpose and a deep understanding of needs in both technical skills and characteristics of the individual. The evolution of resourcing models brings an opportunity for more dynamic, efficient teams that can better respond to the complex and growing risks facing business today.
Ultimately, internal audit functions must embrace these changes and continue to adapt, so they remain not only relevant, but indispensable to the organisations they serve.