Audit in the future – 2022 and beyond

As part of our Achieving High Performance in Audit whitepaper discussion panel, we Looked back at the pace of change in the IA sector since the late 1940s, and saw a significant acceleration in the issuance of guidelines. In those early days, there were decades between new guidance. Today, we often see multiple changes during the course of a year. The nature of the guidelines has also changed. What was initially rigid is now more evolved. We are asking IA departments to do more than assurance: to be increasingly involved in firms’ strategic decisions. Where the primary focus was once on protecting the ‘firm’, it is now on protecting all stakeholders – and even society at large. So, we can see that IA has a critical role to play in the health of existing organizations and in the success of new ones.

For example, the current rate of patent filings in the USA is twice the level of pre-pandemic filings. This shows that there has been an incredible amount of innovation during this period – something that often happens during major crises. Audit’s traditional risk and control functions are well placed to play an active role in the future. Our role is to maintain an even keel. Therefore, when changes are happening quickly, our senior management, audit committees and board members want to know that everything is under control. IA teams are ideally placed to test the design and operational effectiveness of change, including new initiatives, products and technology.

What challenges does IA face? As a sector, we certainly need to move from just focusing on core assurance. Our job is still to make sure that the firm is compliant with rules, laws and professional standards.: this has been fairly rigid and well-framed for a long time. We are now moving to providing advice and being part of the solution. Some stakeholders – both IA and senior management are not yet ready to ask the audit function to step into an advisory role, and are concerned about the implications for audit independence. We need to face this risk and step up, showing the value we are capable of delivering. Even when there is willingness to change, it is still a challenging task.

There is no rule book for IA advisory work. So, it’s not surprising that firms are struggling to balance assurance and advisory roles in a fast-moving environment. Where should our focus be? IA teams should be reviewing their risk assessment and identification plans more often. As our poll showed, annual reviews are the most common. This is no longer sufficient, particularly when we are living in a period of change. Here are some guides as to what we can do:

1. Continue leveraging on the risk assessment but review more frequently and in more depth. This is a valuable document, yet how many people look at it – not just for information but also to see if it is still relevant?
2. Increase IA’s role in identifying issues. We should not rely on first and second lines of defense to report to us. We need to get more involved and come up with some solutions. This could help some of the issues we identify to stagnate over coming years rather than being actively resolved.
3. Are we using our IA data to its full capacity? We issue findings and recommendations, and in the process we collect a great deal of useful data, including root cause, risk type, control breakdown process, business lines and geography. There are almost certainly correlations or relationships between these data that can help us to be more efficient and deliver more value. So we should make sure that this data is accurate and that we are more proactive about analyzing. Some firms are already applying AI to this data to speed up the process of finding relationships – it helps to drive more action.

This is where automation can come into play – managing time-consuming repeatable processes. For example, SOX control testing takes a lot of time, but this is an activity that can be automated. The time gained can then be applied to adding more value to engagements and providing professional advice and judgement. Similarly, IA teams can investigate automating eligibility criteria, which should be an easy win. Advisory work should be seen as an advantage for IA rather than a limitation. Let’s show our organizations the underlying value of our work – moving beyond the control assurance function to sharing our experience and expertise to advance the organization’s goals. And finally, we need to be nimbler. It was interesting to see from the poll that the typical length of an audit project is between one and two months. We need to work on reducing audit times. We work in fast-changing environments that require fast reporting.

A recent survey showed that, on average, it takes six months for audit results to be reported at the highest level. News from six months ago is not useful to an organization – it wants to know what is happening now. IA reports need to shift from reporting what went wrong in the past to what could go wrong in the future. This is particularly important in the light of high-impact events that may have previously been categorized as ‘low likelihood’ but are now becoming more common. All of these things will help you to be prepared for changes to audit and future-proof your organization. If growth is in the near future of your organization, we can help you to expand your team. Find out more on our services page – we have service models tailored to suit any hiring requirements, no mater the size or scope. Co-author - Nareg Kalaydjian, Chief Internal Audit Officer, ICBC