Article

Adapt and overcome: The evolving strategic role of internal audit

Jan. 24, 2024 · Authored by Anthony Casey, Benjamin Quigley

Board and audit committee key takeaways

Internal audit adapts its role to effectively address different risks. The role internal audit plays must consider: 1) whether a risk is emerging, evolving or relatively static, and 2) the degree of maturity and/or change taking place within the organization's environment.
Which roles internal audit plays is a question about the internal audit role because it provides the function direction related to how much time the Board and Audit Committee expect the function to dedicate to each role.
Most internal audit functions see their role progress as they mature and strive to create and protect more value for the organization. As a function matures, and the control environment of an organization strengthens, internal audit will be more adept at creating or protecting value outside the traditional assurance role. However, the traditional assurance role must remain intact as part of internal audit’s area of responsibility.

The strategic evolution of internal audit

Internal audit has long been ingrained as a core function in most mid-size and large private and public companies and is a critical element of a robust three lines model. As a risk environment continues to become more complex and the pace of change continues to accelerate, those in the industry often talk about the need to shift away from the traditional assurance role, in which internal audit reports on “what went wrong,” and shift toward a forward-looking advisory role where feedback is provided to stakeholders in real-time. What can get lost in that conversation is the importance of the traditional assurance role.

A traditional assurance role is often appropriate when a risk is relatively static, and the internal control environment is mature. However, such a role would likely not be fit-for-purpose for risks that an organization is or may become exposed to that are emerging or evolving rapidly and in which the internal control environment is either relatively immature or changing in response to a risk.

The role of internal audit is one grounded in what role internal audit should be playing, when they should play it and how much time should they be spending in each of their roles. The answers to these questions will be different for every organization and will likely change over time as the risk environment changes and evolves.

What are the four roles of internal audit?

Anthony Casey

Principal

Benjamin Quigley

Principal

Role	Description	Insights
Traditional assurance	Providing an independent and objective view on current state control environment by assessing current and historical performance of control activities	All internal audit functions have this role as part of their role regardless of level of maturity. Providing the board, audit committee and management with an independent perspective on the effectiveness of the control environment is at the core of internal audit's purpose. Most internal auditors feel comfortable in this role, but it can be limiting when it is the only role they play.
Proactive assurance	Accelerating the audit process during a period of organizational change or working with the organization to improve the control environment where there are weaknesses	This is the role most internal audit functions gravitate toward as they seek to elevate their brand and create / protect more value for the business. Internal audit has expertise in risk and controls, and traditional assurance capabilities can be applied in a different capacity. What is different is the mindset of internal audit needs to shift to working with the business to align on what needs to change and how to change it in a practical, meaningful and sustainable way
Risk foresight	Identifying a potential future issue and gaining consensus with the business to further assess business implications and/or take action to address when action was either missing or moving slower than needed	This is a role internal audit functions should embrace as it advances because it offers the function the ability to have an impact on the organization outside individual audit projects. It requires internal audit to be intellectually curious, exercise strong business acumen and translate risks that are not fully understood within the industry (nor sometimes even acknowledged by the organization) into potential impacts. It is critical that internal audit have a strong brand as a trusted advisor and possess advanced skills and diverse capabilities to play this role effectively.
Business collaborator	Working with the organization to understand an emerging or evolving risk area as well as its potential impacts on the organization and develop a plan to address those risks	This role is an evolution of the "risk foresight" role and is typically pursued by more advanced internal audit functions. Many functions struggle to gain alignment on whether this role is part of their responsibility and how much time to dedicate to playing this role. Addressing risk as an organizational collaborator often requires access to a wide range of subject matter expertise and the development of new capabilities, including advanced technologies. Risk areas are often new or complex. Traditional audit approaches are less applicable, and innovative audit techniques (e.g., scenario planning, training/educations, facilitated session, simulations, etc.) must be embraced.

Adapt and overcome: The evolving strategic role of internal audit

Board and audit committee key takeaways

The strategic evolution of internal audit

What are the four roles of internal audit?

Anthony Casey

Benjamin Quigley

Related sections

What role should internal audit play and when?

Explore the key roles that internal audit can play

Final considerations - what boards and audit committees should be asking about the roles of internal audit: