In my last blog, Redefining the Role of Internal Audit: Avoiding Redundancy, I outlined the dangers auditors face if they don’t innovate and adapt to today’s technological advances. I also proposed that internal auditors should respond with a paradigm shift—from being in the auditing business to being in the knowledge business.

What would this new role for internal auditors look like? Let me suggest another definition:

The role of internal auditors is to create, interpret, and disseminate as widely as possible reliable, fact-based knowledge on the status of risks and controls that impact business performance.

What’s different about this new auditing role?

  • “Auditing” becomes a means to an end, and not an end in itself. Auditors won’t be measured on the number of audits they produce. They will be measured on the amount of reliable knowledge they create and report.
  • Fact-based knowledge means opinions would be replaced by data.
  • Wide dissemination of fact-based knowledge would mean dashboards intended for consumers of the data would replace audit reports as we know them.
  • Quality would be measured by the completeness, accuracy, and relevance of knowledge created and reported.

“Audits” would be replaced by other tools

  • Census-based approaches, where entire populations of data spanning years and covering the enterprise are subject to analysis in seconds, would replace sample-based approaches.
  • Continuous monitoring of controls, risks, and indicators would focus attention on performance and not on “control effectiveness.”
  • Predictive analytics would focus attention on the future and not the past.
  • “Auditable entities” would be replaced by strategies, objectives, processes, and risks.

How would internal audit performance be measured?

  • By its contribution to the performance of the business through the use of technology to improve business performance. Internal auditors would have a role in driving appropriate governance, risk, and compliance (GRC) technology into the business.
  • By driving down the cost of control through better control design (for example, analysis of controls by type like the COSO Category) and analysis of best-practice control portfolios.
  • By the rigorous analysis of incidents, events, and issues for identification of root causes of business risk
  • By the development of key risk indicators and key performance indicators that drive alerts and enhance business performance.
  • By fee-for-service based internal consulting and training of business managers and professionals in knowledge-based approaches to managing GRC.

Changes in technology demand auditing innovation

The technology to dramatically shift the role of internal auditors is here today and developing rapidly. The technology is not particularly useful for doing “audits” and speeding the documentation of working paper files. Today’s technologies are designed for creating knowledge, not audits.

The need for innovation in internal auditing is evident in every survey of internal audit customers I have seen in the last five years. “Hit and run” audits and “peek-a-boo” audit findings just don’t work anymore.

The vision of GRC is the integration of the activities of GRC professionals to streamline efforts, drive collaboration, and improve performance. But the lessons learned so far are that the activities of GRC professionals don’t lend themselves to integration, streamlining, or collaboration. The answer is to change the activities and the roles of the GRC professions.

I need some internal audit opinions. How are you using technology today in your internal audit practice? How happy are your customers? Do you see threats or opportunities from today’s technology? How is technology transforming your role as an internal auditor?