Internal audit has long been ingrained as a core function in most mid-size and large private and public companies and is a critical element of a robust three lines model. As a risk environment continues to become more complex and the pace of change continues to accelerate, those in the industry often talk about the need to shift away from the traditional assurance role, in which internal audit reports on “what went wrong,” and shift toward a forward-looking advisory role where feedback is provided to stakeholders in real-time. What can get lost in that conversation is the importance of the traditional assurance role.
A traditional assurance role is often appropriate when a risk is relatively static, and the internal control environment is mature. However, such a role would likely not be fit-for-purpose for risks that an organization is or may become exposed to that are emerging or evolving rapidly and in which the internal control environment is either relatively immature or changing in response to a risk.
The role of internal audit is one grounded in what role internal audit should be playing, when they should play it and how much time should they be spending in each of their roles. The answers to these questions will be different for every organization and will likely change over time as the risk environment changes and evolves.
The four roles of internal audit, as explained in the below table, are not mutually exclusive, and internal audit must be flexible enough to adapt and step into different roles at different times to address the key risks to the organization most effectively. In doing so, internal audit can elevate its brand with key stakeholders, support the achievement of key strategic objectives and contribute to the long-term success of the organization.
Internal audit should consider two primary factors when assessing what is the most appropriate role for it to play:
Click on each quadrant for a scenario that demonstrates each role’s unique offerings beyond traditional assurance.
For more information on this topic or to connect with an internal audit professional, contact us.