Internal Audit Insights 2019 - High-impact areas of focus - Deloitte

Page created by Rebecca Curry

Uncategorized

English

Like
Share
Embed
Fullscreen
Slides
Download HTML
Download PDF
Abuse

←

→

Page content transcription

If your browser does not render page correctly, please read the page content below

Internal Audit Insights 2019 - High-impact areas of focus - Deloitte

Internal Audit Insights 2019
High-impact areas of focus

Deloitte’s 2018 Global Chief Audit Executive survey found that
Internal Audit groups having the most impact and influence in their
organizations also tend to be the most innovative.1 Not content
with doing the same things in the same ways, they learn how to
deliver the assurance, advice, and risk anticipation that stakeholders
need, when they need it, and they use whatever new methods and
technologies they need to do that. If you think about it, this is the only
way for Internal Audit to fulfill its mission and remain relevant as the
organization evolves.
So, we’ve taken innovation as the theme of our 2019 edition of Internal
Audit Insights: High-impact areas of focus. Look to these areas and
suggested steps as you consider your internal audit activities for the
year ahead. And bear in mind that Internal Audit groups around the
world across all industries are already using these ways of increasing
their organizational impact and influence, and the value they deliver
to their stakeholders.

1 The innovation imperative: Forging Internal Audit’s path to greater impact and influence—
Deloitte’s 2018 Global Chief Audit Executive survey report, Deloitte, 2018

Internal Audit Insights 2019 | High-impact areas of focus

Table of contents

             Agile Internal Audit                  Workforce of the future

           Integrated assurance                    Continuous risk assessment

              Evaluating culture                   Automating assurance

                                                   Applying robotic process automation
     GDPR assurance and advice
                                                   and cognitive intelligence

                                                   Auditing the risks of
            Cyber Internal Audit
                                                   disruptive technologies

                                    Take courage

                                                                                                                           3

Internal Audit Insights 2019 | High-impact areas of focus

Agile Internal Audit

Innovative Internal Audit groups have been Steps to consider: Agile calls for no special
actively adopting agile methods, with benefits technology, only a willingness to work in a
that can be summed up in three words— different way. This means not only learning new
better, faster, happier.2 Better because audit ways of working together but also unlearning
results are more linked to business risks and what we have been practicing for years. This
relevant to stakeholder needs. Faster because is not just a change within Internal Audit; you
internal auditors work with stakeholders in also need to bring your key stakeholders on
a collaborative, focused, iterative manner to the journey. Carefully planned pilots are almost
quickly identify what they need—and don’t always successful, particularly when they
need—to do. Happier because they are include experienced agile coaches. Then, you
working as a team with autonomy to determine will need to consider transformation, moving
how to get the work done and are allowed to fast enough to capitalize on the momentum
focus on the task at hand. Agile directs teams but deliberately enough for the organization
to higher risk areas and higher value work, to absorb and sustain the change. Specific
and helps the function to attract, develop, and areas of organizational change management
retain talent. Internal auditors use more of their to consider will include the physical space
capabilities and feel more engaged, because for your teams (to create more collaborative
they are. As a result, Internal Audit teams who work areas), performance measurement
experience agile almost never want to revert and rewards (to assess the performance of
to traditional methods. However, adapting teams as well as individuals), and your target
agile methods to Internal Audit work presents organizational structure (to define new roles
predictable hurdles. In assisting Internal Audit versus titles, and a flatter structure).
groups on their agile journeys, we have learned
that pilot projects are relatively easy, but
achieving transformation is more challenging—
yet clearly achievable.

2
Becoming agile: A guide to elevating internal audit’s performance and value –Part 1: Understanding agile internal audit,
Deloitte, 2017

Internal Audit Insights 2019 | High-impact areas of focus

Integrated assurance

Organizations’ responses to risk events and                  value, or cling to existing methods. However,       inefficient. But under a set of defined drivers
regulatory mandates have often resulted in                   any Internal Audit group seeking to increase        of value, you can identify key risks to value
assurance activities that can be characterized               its impact and influence while decreasing           and develop risk themes that enable you to
as narrowly focused, redundant, costly,                      stakeholders’ assurance fatigue should              organize assurance activities across the three
intrusive to the business, and unrelated to                  seriously consider integrated assurance.            lines, and ultimately develop more relevant
drivers of value and performance. Integrated                                                                     assurance reports. In general, we see five
                                                             Steps to consider: The essential lead-off
assurance aims not only to rationalize                                                                           benefits that support integrated assurance:
                                                             question is: Are each of our assurance activities
assurance activities and achieve efficiencies;                                                                   better value for the investment in assurance,
                                                             focused on what matters most? The answers
it also aims to direct assurance activities to                                                                   reduced burden on the organization, more
                                                             will reveal the extent to which they are linked
where they will create the most value for                                                                        reliable business outcomes, improved coverage
                                                             to strategic value and business objectives.
the organization.3 Yet organizations often                                                                       on enterprise risks, and greater insights into
                                                             That, in turn, will shed light on whether
have difficulty adopting, or even properly                                                                       business strategy and operations. Any of these
                                                             assurance is actually supporting the creation
framing, integrated assurance. It should not                                                                     constitutes a valid reason to consider moving
                                                             and preservation of value. To the extent that
be confused with combined assurance, which                                                                       toward integrated assurance.
                                                             it is not, those activities should be redirected
typically either rolls up existing reports or bogs
                                                             or stopped. The next question is, Which of
down in ultimately futile mapping exercises.
                                                             the three lines of defense is conducting which
Integrated assurance aims to align assurance
                                                             assurance activities—and how well? This will
activities around the drivers of value in the
                                                             reveal instances of over-assurance, assurance
organization and to create visibility into risks
                                                             fatigue, inefficiency, and lack of coordination.
and the effectiveness of risk management,
                                                             Work then moves on to establishing a new
while boosting efficiency. Despite its many
                                                             organizing principle for assurance—the drivers
benefits, integrated assurance often faces
                                                             of value. These are not necessarily obvious
barriers to adoption. Chief among these are an
                                                             and, when they have not been clearly defined,
organization’s tendency to misunderstand it,
                                                             it’s natural that assurance activities become
overestimate its complexity, underestimate its

3
 Integrated risk assurance - Get a clearer understanding of the risks affecting business value, Deloitte, 2018

                                                                                                                                                                                                              5

Internal Audit Insights 2019 | High-impact areas of focus

Evaluating culture

Culture supports business strategy and must                        in the planning and scoping of internal audit            including setting
be actively understood and managed. Risks                          activities. Internal Audit can also act as a             the tone at the top,
to culture occur when there’s misalignment                         valued business partner in providing advice              sending the right
between the organization’s values and leaders’                     to management regarding its culture risk                 cultural messages,
actions, employees’ behavior, or organizational                    framework.                                               and aligning incentives
systems. Deloitte’s global research shows                                                                                   with values. Internal Audit
                                                                   Steps to consider: Many companies have some
that 86 percent of executives rate culture as                                                                               can also provide assurance
                                                                   processes for monitoring culture, such as
very important or important and 82 percent                                                                                  services by embedding an
                                                                   employee engagement by HR, insider threat
see it as a potential competitive advantage.4                                                                               assessment of culture into all audit
                                                                   monitoring by security, and other second-
Yet only 12 percent of organizations believe                                                                                segments with the goal of assessing whether
                                                                   line initiatives. But they also need an overall
they are creating the right culture. Culture has                                                                            the culture is enabling the area to achieve
                                                                   program for managing culture, based on a
also become key to success and performance,                                                                                 organizational goals as well as the risks of a
                                                                   practical framework. Deloitte’s framework
as well as a source of legal and reputation                                                                                 local culture breakdown. Many auditors find
                                                                   encompasses employee engagement, behavior,
risks. Internal Audit can help management                                                                                   culture to be a theoretical concept as it is by
                                                                   and insider threats as well as management’s
and the board drive the right culture, which is                                                                             its nature subjective. Yet the risks are real and
                                                                   efforts to build a positive culture and manage
essential amid today’s ongoing digitalization,                                                                              can be quantified, and efforts to do so work
                                                                   culture risk—and monitoring of market
intense media and regulatory scrutiny, and                                                                                  particularly well over time.
                                                                   signals that reflect reputation. Internal Audit’s
heightened oversight expectations. As the
                                                                   advisory role can be crucial in the absence
third line of defense, Internal Audit has a
                                                                   of, or in development of, a formal program
traditional assurance role to play in evaluating
                                                                   for managing and evaluating culture. Internal
management’s program for evaluating culture.
                                                                   Audit can provide guidance on steps that
Internal Audit can also play a very important
                                                                   management and the board can take to
role in assessing culture which yields important
                                                                   develop a program or elements of one,
insights for stakeholders and can be invaluable

4
 Auditing Culture: Assessing risk and providing internal audit assurance on the tangibles and intangibles of culture; IIA
presentation by Cary Oven, Partner, Deloitte US and Michael Schor, Partner, Deloitte US, May 15, 2018.

6

Internal Audit Insights 2019 | High-impact areas of focus

GDPR assurance and advice

The European Union’s (EU) General Data                may have supported the organization’s GDPR            tests to determine the extent to which privacy
Protection Regulation (GDPR) raises the bar for       initiative by taking a risk-based approach to         by design has been achieved, and suggest
data privacy for any EU organization collecting       addressing requests and requirements and              ways it can be achieved more efficiently and
or processing data on individuals, or non-EU          emphasizing key systems, as well as proving           effectively. All areas of the business must be
organization doing business in the geography.         assurance and advice while developing Data            accountable for protecting data, managing the
GDPR is a risk-based regulation that does not         Privacy Impact Assessment or third party data         risks, and evidencing that they are doing so—
prescribe how to protect customer data; rather,       hand-off processes. The regulation involves the       real opportunities to provide advisory
it sets expectations in terms of the data, based      business in managing compliance.                      services. Also, if a business intends to change
on its sensitivity and the potential risks. Instead                                                         its collection or handling of data, GDPR must
                                                      Steps to consider: The compliance date has
of a uniform response, the regulator seeks                                                                  be considered. Internal Audit can assist the
                                                      passed, however the GDPR journey has
customized approaches that protect the types                                                                organization with gauging the data needs, risks,
                                                      only begun. Similar to any other system of
of data the organization processes, geared                                                                  and processes and procedures required for
                                                      compliance, the GDPR compliance program is
to the risks posed to the data. So, the GDPR                                                                compliance, noting that this
                                                      a continuous process not an end state in itself.
program must be geared to the sensitivity                                                                   is as much a business and cultural matter as
                                                      GDPR-related audits should be incorporated
of the data and the potential impact of risks                                                               it is a technology and compliance matter. In
                                                      into the annual risk assessment and internal
on the individual and the organization. The                                                                 addition, companies and internal auditors
                                                      audit planning processes, as undertaken
organization determines how to design and                                                                   currently not affected by GDPR
                                                      for other regulatory compliance assurance
run the GDPR compliance program, and how to                                                                 should consider it a wakeup
                                                      activities. Internal Audit holds the responsibility
evidence that it has done so. Most of the work                                                              call as we expect other
                                                      to become educated on the privacy by design
of readying the organization to comply with                                                                 jurisdictions around the
                                                      and mandated responses to data subjects
GDPR, which went into effect on May 25, 2018,                                                               world to consider and
                                                      of the regulation, or to leverage a third party
has been driven by the data privacy function,                                                               adopt similar legislation.
                                                      with the required subject matter expertise in
working with other stakeholders to define how
                                                      order to complete these audits. Internal Audit
best to manage compliance. However, GDPR
                                                      should perform activities to identify gaps in
requirements make it impossible to build and
                                                      the program, recommend improvements, and
manage compliance only in the privacy function
                                                      provide updates to key stakeholders. Perform
and then hold it accountable. Internal Audit

                                                                                                                                                                                                          7

Internal Audit Insights 2019 | High-impact areas of focus

Cyber Internal Audit

As the strategic importance, risks, and Steps to consider: Start with a cyber emerging issues. Each
opportunities of cyber increases, Internal Audit security governance assessment because Internal Audit group
needs to adapt if it is to continue to provide governance sets the entire framework and must make the “buy,
value to the organization. This entails a shift tone for the cyber security program and build, or rent” decision
from IT and compliance-based approaches to a for operationalizing cyber security. Then regarding capabilities.
more risk-based approach to cyber. In making drill down into specific areas of concern to Organizations, such as ISACA,
this shift, most Internal Audit groups find the organization, while considering tools can be excellent sources of
covering all cyber issues challenging, mainly and measures already in place to address information, training, and certification.
due to lack of resources and depth of skills. specific risks. These areas might include data In addition, co-sourcing arrangements with
As the gap between organizational needs and protection, identity and access management, external experts can enable Internal Audit
Internal Audit resources grows, the function cloud security, and risk monitoring. A cyber to assess threats, prepare and execute audit
can feel overwhelmed and unsure how to risk assessment can then target those specific plans, and acquire skills through knowledge
proceed. Despite this, Internal Audit cannot domains. Also, assess the maturity of the transfer.
ignore cyber risk due to its criticality. It can also cyber risk program, risks associated with each
be challenging to communicate cyber risks domain, and audit relevance. Realize that
in the language of the audience—the audit while Internal Audit priorities may differ from
committee, the board, and senior executives. those of the CIO or CISO, these groups must
Yet decision makers need to understand the work together to ensure a holistic approach to
business risks and potential negative impacts addressing cyber risk. Develop an audit plan for
of cyber. Responsibility for cyber security the coming quarters and years based on the
permeates all business units and functions, assessment and risk ranking of the domains,
which means the related governance must and specify the scope of each audit—for data
span the organization and all three lines of protection, identity and access management,
defense must be involved—and their roles and and so on. Assess the audit plan and scoping
responsibilities clarified. at least annually for continued relevance amid

Internal Audit Insights 2019 | High-impact areas of focus

Workforce of the future

Two powerful trends are shaping the future                        establish an appropriate governance model                     and independent contractors. When
of work: rapid adoption of automation and                         geared to addressing the risks inherent in                    developing the internal audit plan and specific
cognitive technologies, and the increasing use                    these talent models and technologies. The                     audit programs, keep in mind areas with
of alternative staffing models. These trends are                  days when most workers were full-time, on-site                heightened risk in an extended workforce.
raising questions as to who is doing the work                     employees are past.                                           These might include ways in which the
(on or off balance sheet talent) and where the                                                                                  company manages off-balance sheet workers’
                                                                  Steps to consider: Internal Audit must
work is being performed (on-site or remotely).                                                                                  performance, intellectual property exposures,
                                                                  understand and review how the organization
Both trends present new risks for organizations                                                                                 and compliance with company policies and
                                                                  is engaging with all talent sources, from the
to address and new opportunities for Internal                                                                                   procedures. Lastly, Internal Audit should
                                                                  policy, procedural, and physical workplace
Audit. For their part, Internal Audit functions                                                                                 periodically update its own automation
                                                                  perspectives. Be prepared to alert
have been embracing alternative sourcing                                                                                        methods and alternative talent models to keep
                                                                  management to the risks of mobile workers
models for years, such as guest auditors,                                                                                       pace with organizational change.
                                                                  using their own or the organization’s devices
co-sourcing, rotational programs, and more
                                                                  as well as regulatory and tax issues—and to
recently crowdsourcing; indeed, about three-
                                                                  provide assurance and advice accordingly.
quarters of Internal Audit groups use some
                                                                  Maintaining a strong culture becomes more
form of alternative sourcing model.5 As the
                                                                  challenging with a dispersed workforce, so
larger organization changes the ways in which
                                                                  emphasize the need to define and manage
it sources, engages, and compensates talent
                                                                  culture; for example, culture assessments
and as historical uses of talent evolve into
                                                                  should perhaps include part-time employees
automation opportunities, management must

5
 The innovation imperative: Forging Internal Audit’s path to greater impact and influence, Deloitte’s 2018 Global Chief Audit
Executive research survey, Deloitte, 2018 < https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Risk/
gx-ra-cae-survey-2018.pdf>

                                                                                                                                                                                                                              9

Internal Audit Insights 2019 | High-impact areas of focus

Continuous risk assessment

The traditional audit planning process is of                  which can also conduct its own continuous        of higher risk areas and
limited value in assessing risks in today’s                   risk assessment. While Internal Audit should     revisit the annual audit
disruptive environment. Continuous risk                       not absorb management’s risk identification      plan at least quarterly,
monitoring, assessment, and tracking can help                 responsibilities, the function should have the   based on the changing risk
Internal Audit to direct its resources to where               tools needed to form a view and alert the        landscape and output from
they’re most needed—a valuable departure                      organization to emerging risks.                  continuous risk assessment.
from rotational audit plans. This approach                                                                     Internal Audit can itself use risk
                                                              Steps to consider: Use output from second-line
can change the dynamic with stakeholders,                                                                      sensing or output from second-line
                                                              risk assessments to develop more dynamic
enabling Internal Audit to more effectively                                                                    sensing and publicly available data to develop
                                                              audit plans and work with second-line
anticipate risks and advise management.                                                                        an outside-in view of risk. For example, a
                                                              functions on what is, and should be, monitored
Leading functions are moving toward real-                                                                      retailer’s reviews of social media data found
                                                              and why, as well as on forms of monitoring
time risk monitoring via technology-enabled                                                                    negative sentiment, much of which pointed to
                                                              and how output is used. Identify areas where
risk sensing, analytics, and visualization                                                                     the logistics provider, indicating the need to
                                                              you can develop or access KPIs, controls,
tools. Continuous risk assessment can                                                                          enhance third-party controls and assurance.
                                                              and risk indicators critical to a business or
leverage, but is not limited to, continuous                                                                    Such data can also pinpoint competitors’
                                                              function. Use output to maintain ongoing
monitoring of controls. It can begin with using                                                                problems. All of this positions Internal Audit
                                                              conversations with stakeholders. Recommend
automated mechanisms in an ERP system to                                                                       to advise the business on risks that may
                                                              ongoing risk assessment around variables
ensure that controls are effective; however,                                                                   otherwise not even be known.
                                                              such as employee engagement and customer
continuous risk assessment ideally extends
                                                              sentiment. Use continuous risk assessment to
to ongoing monitoring and assessment of a
                                                              answer questions related both to assurance
broad range of risks across the enterprise,
                                                              (Has management identified and addressed
from external and internal factors. While
                                                              all risks?) and advisory work (How could
continuous risk assessment usually sits in
                                                              management enhance the organization’s
second-line functions, the output should
                                                              approach to risk management and
definitely be considered by Internal Audit,
                                                              governance?). Aim for more frequent audits

10

Internal Audit Insights 2019 | High-impact areas of focus

Automating assurance

Leading Internal Audit groups are aiming to Steps to consider: Consider creating cross-
automate core assurance to the greatest extent functional teams that can use pre-determined
possible. This is primarily because automation strategies to identify automation opportunities
leads to higher levels of assurance as larger across the lines of defense. The quick wins
populations of transactions can be tested are typically in core business processes
and controls can be continuously audited. (for both SOX controls and operational
Automated assurance also enables movement controls), such as accounts payable, travel and
of assurance-related activities to the second entertainment, payroll, and general ledger,
line—to compliance, cyber security, risk and in IT. Automating these “low-hanging
management, and similar functions—or to the fruit” activities can build confidence in key
first line, where the risks should be managed stakeholders who are instrumental in the
and where people can act on the results. broader deployment of automated solutions.
Internal Audit would then adjust its procedures As key assurance activities are automated, an
to provide the necessary independent infrastructure must be established to ensure
assurance in these areas. There is a secondary that these functions are operating as expected.
benefit of automating assurance activities— A key component of this infrastructure is
reallocation of limited resources and potential an operating model that addresses issue
cost savings. Many leading Internal Audit monitoring, escalation, and remediation.
organizations are shifting focus from mainly Management should implement strong
assurance work to providing more advisory governance over these activities, including
and anticipatory services to their organizations. testing automated solutions and instituting
Automating core assurance functions can free effective change management controls.
up time and capacity to support this shift.

Internal Audit Insights 2019 | High-impact areas of focus

Applying robotic process automation
and cognitive intelligence
Having already established analytics programs                      improved resource allocation, reduced costs,                 enhanced governance,
encompassing data science, visualization,                          higher quality, and enhanced value.                          change management
and predictive analytics, many Internal Audit                                                                                   processes, continuous
                                                                   Steps to consider: First, develop a well-defined
groups have started to advance toward robotic                                                                                   testing and monitoring,
                                                                   vision and strategy for automation. This begins
process automation (RPA) and cognitive                                                                                          exception handling, and
                                                                   with identifying where and how automation
intelligence (CI) tools (collectively RPA&CI)                                                                                   proper training. Third, develop
                                                                   technologies can be embedded into Internal
to drive efficiency, expand capacity, boost                                                                                     a target-state operating model to
                                                                   Audit activities and reasons for doing so.
quality, and extend audit coverage. While fewer                                                                                 support and sustain automation. This
                                                                   This vision and strategy can span a single
groups have applied machine learning and                                                                                        model should be a natural extension of the
                                                                   application or an entire transformation. Likely
artificial intelligence (AI), all of these disruptive                                                                           existing operating model, but also consider
                                                                   areas to automate include test steps within
technologies are winning acceptance as                                                                                          ways in which automation will affect the
                                                                   a single audit or process, a data extraction
innovators and early adopters continue to                                                                                       interplay of people, processes, and technology
                                                                   process to supply standardized information
prove their value throughout the internal audit                                                                                 and call for changes in each of those
                                                                   for use within multiple processes or audits, or
lifecycle. For example, some Internal Audit                                                                                     components.
                                                                   operational activities such as hours tracking,
groups have piloted AI to identify emerging
                                                                   board reporting, or managing certifications
threats for risk assessments, utilized natural
                                                                   and CPE credits. Whatever the goal, a strategy
language generation for automated report
                                                                   should be articulated and communicated
writing, or leveraged automation to drive
                                                                   up front. Second, build an infrastructure to
efficiencies in SOX testing.6 Those finding
                                                                   support deployment of automation capabilities.
the greatest success adopt a systematic
                                                                   This will facilitate effective implementation,
approach that considers the operating model,
                                                                   ongoing maintenance, and risk mitigation.
infrastructure, and use cases across the audit
                                                                   Ensure that the operating and governance
lifecycle, and then develop and launch pilot
                                                                   framework aligns to enterprise standards
projects. This approach enables Internal Audit
                                                                   and leading practices within the organization.
to plan phases of adoption and to realize
                                                                   Some key infrastructure components include

6
 Adopting automation in internal audit: Using robotic process automation and cognitive intelligence to fortify the third line
of defense, Deloitte, 2018 

12

Internal Audit Insights 2019 | High-impact areas of focus

Auditing the risks of disruptive technologies

Driven by the need to create value and drive                       ethnicities of people, for example in loan                           other stakeholders, get involved in pre-
efficiencies, organizations continue their rapid                   approval or customer service processes,                              implementation and provide input on the
adoption of disruptive technologies, such as                       generating unexpected effects, unanticipated                         risks and the organization’s ability to address
robotic process automation and cognitive                           consequences, and unusual risks.                                     them and on leading practices for driving
intelligence. While adoption, both in the                                                                                               performance and value. As an advisor, Internal
                                                                   Steps to consider: Internal Audit should
business and in Internal Audit, is spreading                                                                                            Audit should also weigh in on documentation
                                                                   balance their assure, advise, and anticipate
fastest in financial services,7 innovative                                                                                              and the risk assessment process, and consider
                                                                   responsibilities in this area. In providing
organizations across all industries are using                                                                                           adopting the Agile Internal Audit framework.
                                                                   assurance, get involved early as the
these technologies, or at least considering                                                                                             Internal Audit should focus on anticipating
                                                                   organization adopts disruptive technologies
them. Yet neither the organization nor                                                                                                  risks associated with these technologies by
                                                                   and the second line of defense modernizes
Internal Audit is always prepared for the                                                                                               using data analytics and risk sensing tools
                                                                   its approach to controls testing. This will help
new risks, which can be easily overlooked or                                                                                            to proactively identify emerging risks and by
                                                                   Internal Audit to provide assurance that isn’t
misinterpreted when enthusiasm drives rapid                                                                                             running crisis simulations to reveal potential
                                                                   duplicative. Practical considerations for Internal
adoption. Internal Audit must understand the                                                                                            lapses in the organization’s ability to respond.
                                                                   Audit to add valuable assurance include
risks of these technologies in the organization,
                                                                   having access to testing procedures and
advise management on those risks, and
                                                                   independently reviewing sampling test cases,
provide assurance that they are being
                                                                   results generated, and issues logged. Also,
adequately addressed. For example, while
                                                                   review the exception monitoring and handling
bots—automated technology applications
                                                                   process and provide assurance on the design
driven by rules-based algorithms—can do
                                                                   and operating effectiveness of applications
repetitive tasks at much faster rates than
                                                                   of the technologies. Encourage stakeholders
humans, they can also proliferate errors at
                                                                   to perform an annual recertification of the
much faster rates. In addition, as machines
                                                                   design and implementation of automation
“learn” a process they may also learn to
                                                                   technologies. In advising management and
discriminate against certain classes or

7
 Auditing the risks of disruptive technologies: Keep the tempo, A forward look at Internal Audit in banking and securities, Deloitte,
2017 

                                                                                                                                                                                                                                     13

Internal Audit Insights 2019 | High-impact areas of focus

14

Take courage
At this point, the main impediments       terms, tools, and approaches. It takes
to Internal Audit making more rapid       commitment and courage to pursue
progress through innovation are           innovation. That commitment must
limitations born of legacy mindsets.      originate with Internal Audit leaders,
Chief Audit Executives, other Internal    who must then develop the courage
Audit leaders, senior management          to initiate innovative changes, within
and audit committees must work to         themselves and within their Internal
change mindsets in their functions        Audit groups.
and organizations—and, often, within
themselves. The evolving nature of
Internal Audit work lends itself to new
methods enabled by new technologies
and new ways of working with
stakeholders. Yet too many Internal
Audit groups and leaders are mired
in traditional roles and relationships.
That can create resistance to new

Global Internal Audit Leadership

Peter Astley                                 Kristopher Wentzel                             Porus Doctor
Global Internal Audit Leader                 Internal Audit Leader, Americas                Internal Audit Leader,
Internal Audit Leader, EMEA                  kwentzel@deloitte.ca                           APAC
pastley@deloitte.co.uk                       +1 416 643 8796                                podoctor@deloitte.com
+44 20 7303 5264                                                                            +91 22 6185 5030

Neil White                                   Sandy Pundmann                                 Sarah Adams
Internal Audit Analytics                     US Internal Audit Leader                       IT Internal Audit
Global Leader                                spundmann@deloitte.com                         Global Leader
nwhite@deloitte.com                          +1 312 486 3790                                saradams@deloitte.com
+1 646 436 5822                                                                             +1 713 982 3416

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms and their related entities. DTTL (also referred to
as “Deloitte Global”) and each of its member firms are legally separate and independent entities. DTTL does not provide services to clients. Please see
www.deloitte.com/about to learn more.

Deloitte is a leading global provider of audit and assurance, consulting, financial advisory, risk advisory, tax and related services. Our network of member firms
in more than 150 countries and territories serves four out of five Fortune Global 500®companies. Learn how Deloitte’s approximately 264,000 people make an
impact that matters at www.deloitte.com.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms or their related entities (collectively, the
“Deloitte network”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect
your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte network shall be responsible for any loss whatsoever
sustained by any person who relies on this communication.

© 2019. For information, contact Deloitte Touche Tohmatsu Limited

You can also read