New report finds that the forces causing an overhaul of the internal audit role are just beginning to take shape

If you thought that the upheaval in the internal audit profession and the rapid pace of change that has recast the internal audit function at many companies is starting to settle down, think again. A new report from Big Four audit firm EY finds that the transformation of internal audit is really just beginning.

While the EY report, “Are We Nearly There Yet?” focuses on financial services firms and their response to the Financial Crisis of 2007 and 2008, the underlying principles are affecting internal audit departments in several industries. And internal audit in financial services has acted in many ways as a leading indicator of what to expect in other industries as scrutiny by regulators and others increases.

"Factors suggest that internal audit has much more change ahead. Firms' risk-governance models are undergoing significant change, with a strong and effective three-lines-of-defense model at the heart of regulators' intentions," the report's authors wrote. "Ongoing prudential and conduct regulatory reforms will continue to heavily impact internal audit, as will material changes to firms' strategies and business models."

The report concludes that a revamped internal audit function is a requirement for banks and other financial services firms to finally put the failings of the financial crisis behind them. "A successful transformation is critical," the report states. "An effective internal audit is integral to sound risk governance and a key enabler for directors and executive management to fulfill their own governance responsibilities. Past failings in controls and risk management have cost firms and the industry dearly in fines, settlements and reputation. "

According to the report, there are three broad trends that are accelerating the pace of change at internal audit shops at financial services firms.

  • The Reform of Risk Governance: "This transformational journey will have a significant effect on internal audit. It will need to assess how well the governance framework is working as a whole and will need to report on the embedding of risk-appetite frameworks across all dimensions of risk, the quality and reliability of risk information, and the effectiveness of governance in all parts of the business."

  • Implications of ongoing regulatory reform in prudential and conduct: "Ongoing regulatory reforms continue to drive other major changes. In the prudential area, firms have made significant efforts to adhere to new capital, liquidity and leverage requirements. Yet, regulators are now pushing to have these changes fully embedded in the firm's governance model."

  • Change to business models: "Perhaps the most important driver of change for internal audit is the fundamental change taking place to business models. Financial services firms face formidable challenges to redesign, implement and manage a business model that generates sustainable returns that are acceptable to investors and meets growing supervisory requirements.

Likewise, the report finds four factors that can help internal audit complete the necessary transformation to address the challenges that companies are facing.

  • Testing the Framework, Not the Controls: "Internal audit needs to reposition itself to perform the type of work that enables it to express an independent and objective view on the effectiveness of the risk management processes operated by first- and second-line functions. Only by exception should internal audit be the first to test."

  • Not Taking Anything as Given: "In some ways, the previously constrained mandate and scope of internal audit greatly curtailed its ability to evaluate the full context for risks and controls. Traditionally, a firm's strategy, business mix, or suite of products and services was taken as a given; internal audit focused on business processes to manage risks that arose as a consequence. This is no longer adequate."

  • Being Involved Early, Not After Key Design Decisions Have Been Made: The pace of change and financial-technology innovation necessitates internal audit being engaged at the outset of designing new projects, technologies, products and services. This ensures that their input has the most impact and allows internal audit to ensure that technical requirements for continuous monitoring are built in from the beginning.

  • Creating Risk-Based, Not Coverage-Based, Audit Plans: Internal audit should spend more time on high-risk areas and should use a comprehensive set of continuous monitoring techniques — rather than standard audits for every entity — to ensure integrity and enable fast responses when risk increases.