RSM Australia

8 ways to reinvent internal audit

  1. Reposition the focus from the “how to” to the “outcome”.
  2. Innovate ways to partner with stakeholders to reach the desired outcome.
  3. Embed the need for business acumen in order to provide practical advice and insight which creates value.
  4. Step beyond the comfort zone to become well-informed in corporate knowledge.
  5. Dare to harness technology to devise new and efficient ways of auditing.
  6. Communicate and provide insights and advice to stakeholders in areas that resonate with their concerns and interests to build trust and get buy-in.
  7. Engage stakeholders continuously to bridge any gaps in expectations and priorities.
  8. Drive the integration of the three lines of defence to achieve a consistent understanding of organizational risks towards a collective governance effort.

What is internal audit?

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations.
It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

A change of mindset

In recent times, Internal Audit has developed beyond the provision of assurance to stakeholders and is gaining recognition as a “business partner” and “change agent” to provide management and the board with advice and where necessary, insight.
To successfully focus on enhancing and protecting organisational value, Internal Audit needs to first turn its attention towards the outcome, and start engaging its stakeholders in partnership not only to enhance and protect but also to create value, if it has not already done so.

This gives Internal Audit the opportunity to explore innovative ways to create value, which is particularly important where resources are limited, but expanding needs and changing expectations.

Internal Audit enhances and protects organisational value by providing risk-based and objective assurance, advice and insight.

Reinvention through alignment

The existing Three Lines of Defence model provides a simple and effective way to enhance communications on risk management and control by clarifying essential roles and responsibilities.

Each of these three “lines” plays a distinct role within the organisation’s governance framework:

  1. Management control is the first line of defence in risk management.
  2. The various risk control and compliance oversight functions established by management are the second line of defence.
  3. Internal Audit is the third.


There is a need to look holistically at what each line has done to achieve an overall improvement in governance. Drawing all parties from their respective silos and their veil of independence will enable an organisation to agree on, and work towards, a common language and definition of risks.

Communicate, communicate, communicate

Communication skills at all levels is critical to the success of Internal Audit.

Starting with using the right language to express views and risks for different stakeholders (including regulators) on essentially the same message, Internal Audit can educate the board and influence different stakeholders at the right level and right time. Internal Audit can also help align and bridge any governance gaps for the first and second lines.

Being able to communicate effectively with different stakeholders by sharing insightful perspectives with them also gives Internal Audit a platform to market the value proposition of the function. This assists in becoming a trusted advisor and valued business partner to management.

Different times, different needs

Today’s Internal Audit faces many different challenges and expectations. Strong leadership and communication skills are essential in order to address and influence various stakeholders (board, management, and regulators) and lines of defence on common risks and governance goals.

Internal Audit is expected to provide assurance and also advice and insight, which requires broad and deep business knowledge and competency across different areas beyond financial and operational controls.

It is essential that Internal Audit align its activities with business strategies and objectives. Increasing regulatory requirements and cross border business operations supported by extensive use of IT have also necessitated the requirement for additional Internal Audit skill-sets.

It is critical that Internal Audit and Chief Audit Executives (CAEs) have the right mindset and optimism to face a possible confidence crisis from such daunting challenges. The ability to quickly adapt and respond to changing needs of Internal Audit is imperative.

Embrace technology

Just as technology advancements have allowed businesses to flourish, Internal Audit can also take advantage of the new digital world.

Lower technology costs and more user friendly features means Internal Audit can benefit from innovative approaches, such as continuous auditing rather than point-in-time audits, and use of data analytics for comprehensive versus sample testing. Internal Audit’s internal processes can be further automated, and efficient automated controls can be embedded in operations for review as required.

This simultaneously enhances Internal Audit’s collaboration with operational units who can then assume ownership of the developed checks and controls and further improve on them. With the right approach and tools, Internal Audit can explore predictive auditing for more targeted and efficient reviews.