Can internal audit cope with transformational change?

EY’s Rosana Bianchi asks whether internal audit functions are ready to deal with transformational change and provides a perspective from the financial services sector.

Over the last few decades, the financial services sector has gone through a period of significant change. The falling barriers to entry in the financial services industry have increased the number of competitive services and products being offered.

Disruptive technology is challenging the dominance of traditional operating models and distribution channels. The continuous evolution of the regulatory framework, in an attempt to eliminate distortions in financial markets, is resulting in a new focus on the importance of corporate culture, market integrity and the fair treatment of customers.

This continuously evolving landscape is forcing financial organisations to rethink the way they do business and to embark on large-scale transformation programmes. But, are these organisations ready to cope with this change?

In many cases, the simple answer is ‘no’. The benefits of transformational change could be significant, but they do not come without risks. In fact, various items of research undertaken over the last few years suggest that the failure rate of transformation programmes in the financial services sector is still very high with less than 50% of these delivering the intended benefits.

So, why do so many programmes fail? And, what is this suggesting on the effectiveness of Internal Audit to readily cope with transformational change?

One of the factors to consider when understanding why many change programmes fail to deliver the intended benefits is the lack of (or limited) independent and effective oversight and assurance by the third line of defence.

The Chartered Institute of Internal Auditors (CIIA) recommendations for effective internal audit in the financial services sector, issued in 2013, have raised the bar. They highlight the need to evolve the mandate of internal audit from traditional auditing of processes and controls, to delivering insights and foresight towards an organisation’s strategic decision making processes and key corporate events.

However, notwithstanding the efforts made since the publication of the CIIA’s recommendations, understanding the risks associated with transformational change requires a shift in mind-set, internal brand and mandate that not all Internal Audit functions are ready to make.

So, what should internal audit do to readily cope with change and help organisations realise the intended benefits associated with transformation programmes?

First, think out of the box

Internal audit’s mandate should explicitly involve a more active role in assessing and evaluating strategic risks. To do so, internal auditors need to demonstrate an agile and flexible mindset and to understand the risks associated with the strategic direction of the business and what this involves from a transformational change perspective.

Second, step out of the comfort zone

Internal auditors need to rethink the way they audit. The risk profile of transformation programmes changes over time. As current risks evolve and new risks emerge, a sense of urgency to audit at the speed of risk is vital to meet the needs of key stakeholders.

This also requires revising the overall internal audit lifecycle, from audit planning through reporting as well as developing non-traditional audit techniques to ensure they timely reflect the evolving risk profile of transformation programmes.

Third, invest in people

Internal auditors aligned to auditing change must have the appropriate skills, experience and knowledge to be recognised as trusted business advisors and to be able to speak the same language as the business. Internal audit staff aligned to the transformational change initiatives should have necessary skills, experience and knowledge appropriate for this type of work.

Fourth, think holistically

Change programmes usually have various sources of assurance that often operate in isolation. This makes it difficult to identify gaps in the assurance coverage being provided and to leverage potential synergies to avoid duplication of activity. In this context, internal audit needs to understand the respective roles and responsibilities and form a holistic view of the assurance being provided to these programmes.

The environment is rapidly changing. Internal audit needs to catch up with the evolving risk landscape and the need to move away from traditional auditing to auditing what is strategically critical for the organisation.

It’s time to confront new and unfamiliar risks. It’s time to drive a shift in internal audit’s mandate and mind-set. The time to act is now.