
Is the Traditional Internal Audit Project Losing Its Relevance?
A framework to help Internal Audit determine when to provide assurance, when to offer advisory, and which type of advisory project fits best.
The majority of traditional Internal Audit projects were of one basic type: the audit. That’s changing. Most Internal Audit teams are doing more advisory work than ever before.
As a result, Internal Auditors need to reimagine what assurance work can be. As more teams provide assurance on new and emerging risk areas, they should be delivering forward-looking assurance over future success — not backward-looking assurance that highlights what went right and wrong.
That means traditional assurance-focused Internal Audit projects are becoming less relevant.
A Key Conversation for Internal Audit’s Future
This theme keeps coming up at the Internal Audit Collective — in roundtables, forum discussions, casual conversations, and this newsletter.
After all, would we be talking about changing Internal Audit’s name if many teams didn’t feel that the name no longer matches what they do?
The profession is making big strides toward being more risk-focused. Our remits and toolkits are expanding. At the same time, the new Global Internal Audit Standards differentiate less between assurance and advisory requirements than the old IPPF.
Internal Auditors who aren’t following these industry changes will miss out.
They’ll miss key opportunities to deliver more value.
They’ll miss a pivotal chance to redefine who they are.
They’ll miss important chances to help their organizations when Internal Audit’s help is needed more than ever.
Sure, some people may not know how to carry out the advisory projects that they should be doing. But some don’t know when to use an advisory project versus when to use an Internal Audit project. And unfortunately, some don’t even know they could be doing advisory projects.
Long story short, the key for Internal Auditors now is understanding their organizations’ new and emerging risks and how they can participate.
So, when should we use a traditional Internal Audit project? When would an advisory project be more appropriate? And in those cases, what are the acceptable types of projects and services we can use?
Today, we’ll look at the binary of assurance vs. advisory, offering a basic framework to help you determine what type of advisory projects you may be able to use. Different project types involve distinct foundational elements and levers. We’ll also provide high-level overviews of key advisory-related projects commonly cited in the Internal Audit Collective community.
When to Use an Internal Audit Project
Step one is figuring out when a traditional Internal Audit project does or doesn’t suffice.
The age-old Internal Audit project — rooted in its independence and objectivity — goes well with processes that (1) have been around for a while and (2) are managing known risks.
When NOT to Use an Internal Audit Project
In what situations is a traditional Internal Audit project NOT the right tool? Key indicators include management requests, less formalized procedures, and — most importantly — new and emerging risks.
Some of the biggest risks to our organizations are not the known risks, but the new and emerging risks. In most cases, management hasn’t established appropriate processes, policies, or other mechanisms to manage these risks effectively.
It’s not because of negligence. It’s just not on their radar.
As Internal Auditors become more risk-focused, these projects are taking more of our time.
An Internal Audit Director on the Internal Audit Collective shared that her team is spending increasing amounts of time on consulting projects outside the scope of their audit plan. It’s challenging to know how to frame these services and showcase their value — all while ensuring that Internal Audit’s advisory efforts are focused, meaningful, and aligned with organizational priorities. After all, as another CAE commented in the thread, “I find that [consulting] can take up a lot of time at the Director and above level if you aren’t clear of your focus and priorities.”
That brings us to step two: Determining which type of service it IS appropriate to provide.
On the Internal Audit Collective, different teams shared their different categories; all are valid. Organizations have wide-ranging needs and different ways of talking about things.
But my goal here is to simplify. The four basic categories below can help guide your thought process.
Bucket #1: Emerging Risks Unknown by the Company
This category comes into play when a risk that could be key is still unknown to the company.
Example Projects
In these cases, Internal Audit can help their organizations by:
- Researching whether the risk could have a significant impact on the organization’s success, using external sources (e.g., guidance from subject matter experts, content from industry-specific sources).
- Using your research to create awareness of the risk’s potential impacts with your organization’s leaders, including both threats and opportunities. The goal here is ensuring that the organization has an opportunity to take advantage of potential upsides and protect itself from potential downsides.
Deliverables
Memos, considerations, and/or slide deck showcasing opportunities and threats.
Level of Effort
Lower level of effort, but ongoing as the risk becomes more pronounced.
Bucket #2: Emerging Risks Known by the Company
If a key risk is known and relevant but no actions have been put in place to manage it yet, Internal Audit can advise and help establish governance processes if/as needed.
Example Projects
In his excellent book Auditing and Disruptive Technologies, Tom Sanglier lays out a game plan for how Internal Auditors can participate in helping organizations understand and manage emerging risks related to disruptive technologies like generative AI. This may include the following project types:
- Advising on and documenting a pilot program and roles and responsibilities, helping determine whether and how the risk should be mitigated or capitalized upon.
- Monitoring and reporting on the performance of the pilot program, providing feedback to the business.
The most important aspect is the cross-functional collaboration and perspective that Internal Audit can bring to pilot process development and governance. Teams that prefer to be more independent would likely volunteer their resources toward pilot or rollout monitoring and oversight (versus actually participating).
Deliverables
Governing documents outlining roles, responsibilities, goals, and objectives of the pilot program. Ongoing status updates.
Level of Effort
Akin to participating in an enterprise-wide governance program or strategic project (i.e., three to six months of part-time involvement).
Bucket #3: Key Risks Beginning to Be Managed
When a key risk is known and processes are being established to manage it, Internal Audit has a wide range of opportunities to assist.
Example Projects
Vail Resorts VP of Internal Audit James Wilson, Jr., put together a masterful matrix showcasing the various engagements his team can provide; he recently shared it on the Internal Audit Collective. The example Internal Audit projects below are inspired by Jim’s Service Suite. This type of categorization can be great for helping stakeholders understand the range of assistance your team can offer.
- Pre- or post-implementation reviews, providing assurance that the processes either (a) will be designed to manage the risk as intended or (b) are managing the risk effectively.
- Gap assessments (e.g., inconsistent policies and procedures, current vs. future state) comparing actual performance against potential or desired performance to identify gaps and recommend steps to bridge them.
- Targeted assessments (e.g., risk assessment, maturity assessment, operational improvements), assessing existing risks, processes, and/or controls to advise management on process improvement opportunities to increase efficiencies and reduce risk.
- Targeted support for a specific business objective in which final decision-making is management’s responsibility (e.g., process and controls documentation, training, fraud examination, compiling research and information, project management support).
- Quick-hit consulting focused on ad hoc requests, providing risk mitigation advice in the form of brief risk or business insights.
But you don’t have to stop here. These ideas represent some of the more common advisory-type engagements. However, there are more opportunities being discussed in the Internal Audit Collective community.
Deliverables
Memos, reports, status updates, maturity models, and/or other agreed-upon deliverables.
Level of Effort
Similar to traditional audit projects, these projects would likely require planning, fieldwork, and reporting phases. Time should be allocated accordingly.
Bucket #4: Key Risks Managed on an Ongoing Basis
If a key risk is known and processes already exist to manage it, Internal Audit can audit those processes.
Yep, this is the traditional, old-school Internal Audit project — the audit. No explanation needed here. You got this.
Time to Look Forward, Not Backward
If we want to improve our stature in our organizations, we need to stop telling people what they’ve done wrong, and start providing advice on whether their actions are setting them up for success.
To achieve this, more Internal Audit leaders should:
- Be aware of the other types of projects they can perform.
- Invest time in socializing that portfolio of services.
- Hold themselves accountable for having a broader mix of traditional assurance vs. advisory services.
The future won’t be 100% advisory services, because some of our organizations’ biggest risks have been around for ages and aren’t going anywhere (e.g., cybersecurity, hiring for the right skill sets, third-party risk management, business continuity).
But the future is always uncertain.
Internal Audit can be a key player in helping organizations prepare for it.