Internal Audit Transformation—Unearthing New Value
Lauren Massey Mike Maali
It’s a cliché but companies are under tremendous pressure at the end of the second decade of the 21st century. Digital disruption and shifting business ecosystems and, in some industries, increased regulatory and
customer scrutiny, are having a profound impact on
business models. But these pressures (and the changes
implemented to address them) are also impacting companies’ risk profiles and risk functions, who are struggling to be agile and adapt. Now more than ever, the
goal posts in risk management are mobile. In the midst
of tech-enabling client internal audit functions, PwC
decided to confront this dilemma head-on. ALM Intelligence’s senior analyst Tomek Jankowski spoke with
PwC’s Dhiraj Malhotra, and Lauren Massey (
Internal Audit, Compliance & Risk Management Solutions
Principals, PwC US) and Mike Maali (Internal Audit,
Compliance & Risk Management Solutions Leader,
PwC US) about that process, and how PwC is helping
clients transform internal audit.
: What are the key changes in how you
view assurance and risk management, and the internal
audit role in particular?
Maali: We need to push the envelope further. The
changes required are both strategic and operational,
functions need to transform their value proposition to
stakeholders and operationally change what they do,
not just how. With today’s decreased cost of technology,
user-friendly functionality, and technology aptitude of
those entering the workforce, the opportunities for risk
management functions to drive greater value are vast.
Internal audit functions are largely data-enabled:
They may scope an audit and use data to execute it, likely
using analytics only within execution. Leading internal
audit functions are data-driven, they use data capabilities
to transform the audit lifecycle into a dynamic, continuous
process; extending their use of analytics beyond a
historical review. In fact, analytics is a core competence
of leading internal audit functions. Using data and
technology, like automation and artificial intelligence,
allows IA to move from a passenger to a driver that can
determine the fastest path to effective risk management
while providing assurance and insights on risks and
business issues that are strategic to an organization.
In this model, the three lines of defense move away
from siloed risk management, toward coordinated
enterprise-wide risk assurance activities that are driven
by a common sense of purpose, agile and dynamic
assessment and testing, and continuous monitoring.
Risk functions collaborate digitally and take advantage
of data and technology to drive synergies, providing
stakeholders with strategic and comprehensive insights
on risks and making predictive and prescriptive
correlations in ways that have not been possible before
: How does this impact Internal
Audit departments and their relationship with key
stakeholders? How has the traditional group of
stakeholders evolved?
Malhotra: When internal audit is proactively identifying
and detecting risks to help their organization manage
exposure, it can drive greater value for their current
stakeholders but will also be involved in new areas,
partnering with new stakeholders. The results of
our 2019 Risk in Review Study show that the most
dynamic, digitally fit risk functions deliver more value
to their organizations. As internal audit is a key part
of an organization’s digital transformation, it is likely
that stakeholders such as Heads of Transformation or
Chief Innovation Officers, whom may not have been as
active with internal audit, may now be more engaged.
These opportunities allow internal audit to show its
Dhiraj Malhotra
