Adapt and overcome: The evolving strategic role of internal audit

Board and audit committee key takeaways

• Internal audit adapts its role to effectively address different risks. The role internal audit plays must consider:

1. whether a risk is emerging, evolving or relatively static
2. the degree of maturity and/or change taking place within the organization's environment. 

• Which roles internal audit plays is a question about the internal audit role because it provides the function direction related to how much time the Board and Audit Committee expect the function to dedicate to each role.
• Most internal audit functions see their role progress as they mature and strive to create and protect more value for the organization. As a function matures, and the control environment of an organization strengthens, internal audit will be more adept at creating or protecting value outside the traditional assurance role. However, the traditional assurance role must remain intact as part of internal audit’s area of responsibility.

The strategic evolution of internal audit

Internal audit has long been ingrained as a core function in most mid-size and large private and public companies and is a critical element of a robust three lines model. As a risk environment continues to become more complex and the pace of change continues to accelerate, those in the industry often talk about the need to shift away from the traditional assurance role, in which internal audit reports on “what went wrong,” and shift toward a forward-looking advisory role where feedback is provided to stakeholders in real-time. What can get lost in that conversation is the importance of the traditional assurance role.

A traditional assurance role is often appropriate when a risk is relatively static, and the internal control environment is mature. However, such a role would likely not be fit-for-purpose for risks that an organization is or may become exposed to that are emerging or evolving rapidly and in which the internal control environment is either relatively immature or changing in response to a risk.

The role of internal audit is one grounded in what role internal audit should be playing, when they should play it and how much time should they be spending in each of their roles. The answers to these questions will be different for every organization and will likely change over time as the risk environment changes and evolves.