It's a cliché but companies are under tremendous pressure at the end of the second decade of the 21st century. Digital disruption and shifting business ecosystems and, in some industries, increased regulatory and customer scrutiny, are having a profound impact on business models. But these pressures (and the changes implemented to address them) are also impacting companies' risk profiles and risk functions, who are struggling to be agile and adapt. Now more than ever, the goal posts in risk management are mobile. In the midst of tech-enabling client internal audit functions, PwC decided to confront this dilemma head-on. ALM Intelligence's senior analyst Tomek Jankowski spoke with PwC's Dhiraj Malhotra, and Lauren Massey (Internal Audit, Compliance & Risk Management Solutions Principals, PwC US) and Mike Maali (Internal Audit, Compliance & Risk Management Solutions Leader, PwC US) about that process, and how PwC is helping clients transform internal audit.
ALM Intelligence: What are the key changes in how you view assurance and risk management, and the internal audit role in particular?
Maali: We need to push the envelope further. The changes required are both strategic and operational, functions need to transform their value proposition to stakeholders and operationally change what they do, not just how. With today's decreased cost of technology, user-friendly functionality, and technology aptitude of those entering the workforce, the opportunities for risk management functions to drive greater value are vast. Internal audit functions are largely data-enabled:
They may scope an audit and use data to execute it, likely using analytics only within execution. Leading internal audit functions are data-driven, they use data capabilities to transform the audit lifecycle into a dynamic, continuous process; extending their use of analytics beyond a historical review. In fact, analytics is a core competence of leading internal audit functions. Using data and technology, like automation and artificial intelligence, allows IA to move from a passenger to a driver that can determine the fastest path to effective risk management while providing assurance and insights on risks and business issues that are strategic to an organization.
In this model, the three lines of defense move away from siloed risk management, toward coordinated enterprise-wide risk assurance activities that are driven by a common sense of purpose, agile and dynamic assessment and testing, and continuous monitoring. Risk functions collaborate digitally and take advantage of data and technology to drive synergies, providing stakeholders with strategic and comprehensive insights on risks and making predictive and prescriptive correlations in ways that have not been possible before
ALM Intelligence: How does this impact Internal Audit departments and their relationship with key stakeholders? How has the traditional group of stakeholders evolved?
Malhotra: When internal audit is proactively identifying and detecting risks to help their organization manage exposure, it can drive greater value for their current stakeholders but will also be involved in new areas, partnering with new stakeholders. The results of our 2019 Risk in Review Study show that the most dynamic, digitally fit risk functions deliver more value to their organizations. As internal audit is a key part of an organization's digital transformation, it is likely that stakeholders such as Heads of Transformation or Chief Innovation Officers, whom may not have been as active with internal audit, may now be more engaged. These opportunities allow internal audit to show its dexterity in business acumen, technology and risks, and to pro-actively drive value for the organization.
Internal audit departments have come a long way in increasing their value but board members want more. Leaders want internal audit to demonstrate beyond compliance and finance functions how their work influences business performance, creates more resiliency in management controls, while easing compliance efforts. Boards demand a comprehensive view of risk and the assurance that controls, systems and processes are in place to proactively identify and manage the evolving risk landscape—think of how quickly good or bad information can go viral, whether performance or customer service related.
ALM Intelligence: What changes in talent do you expect and what should Internal Audit departments be thinking about today?
Massey: It is important to remember that this journey will take time, and will require a number of key, tangible building blocks along the way. It is also vital that the journey be guided by a formal transformation plan, that includes talent strategy. With formalized direction and purpose, activities that are not contributing to the function's pursuit of its vision can be avoided. At PwC, we are investing in a comprehensive digital workforce transformation strategy to build the "digital fitness" of all of our 50,000 people, equipping them with a broad base of knowledge across a variety of domains—such as data, analytics, AI and automation, blockchain, and design thinking—that we believe are critical for business people today and in the future. With an agreed upon plan and road map in hand, internal audit can start working on actions that are needed to begin moving the function forward today:
Upskill and inject new talent. Not all internal auditors need to be data scientists, but they do need to understand data sources to assess data quality and derive insights.
Find the right fit for new and emerging technologies. It is easy to run towards a shiny new tool but understanding how a technology fits within a department, and the broader organization, will be critical. With the right talent mix, internal audit can better evaluate new tools and technology.
ALM Intelligence: What are the biggest benefits you expect from this shift ?
Malhotra: Internal audit can transform its value to the organization in previously unforeseen areas, becoming a more effective asset for the CFO through increased risk coverage, higher quality processes, and cost effective operating models, and the main beneficiaries are stakeholders. As internal audit focuses on maximizing their ROI and expanding coverage, traditional practices that created lag, such as time delays on reporting, will fade and allow the function to evolve. Metrics such as "audit plan completion" and "hours in execution" will become a thing of the past. As internal audit adopts new data- and technology-driven capabilities and service offerings, such as continual auditing of critical controls and real-time dashboards, reporting will be focused on risks metrics and real-time business insight.
Aligning with the other lines of defense to develop a common point of view on risks can allow internal audit to better focus its assurance activities. Joint investments across the lines of defense in technology (e.g., common analytics tools and data lakes) and skill sets can help achieve common goals more quickly and cost-effectively.
ALM Intelligence: How's the market reacting to this approach?
Maali: PwC clients are excited about challenging the status quo. Some embrace the vision fully, while others are taking a gradual approach, depending on factors such as their industry, regulator expectations, the complexity and needs of the business, and how quickly the larger enterprise is changing. The reality is that every internal audit function can move toward this vision—one built on a strong, data and technology driven foundation in collaboration with other lines of defense. This sets the stage for organizations to be smarter risk takers, with their internal audit functions in lock step. But internal audit departments need to act now and harness the rapid pace of change as an opportunity to elevate their seat at the table.
© Arc, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.