It’s time for Internal Audit to disrupt itself

Disruption: it’s happening to every department and every sector of late. The key lesson is that you can embrace it and be ready for it, or be overwhelmed and caught out. That was the key takeaway from our recent Heads of Internal Audit forum held in Edinburgh.

During the session, Claire Reid Head of Assurance PwC in Scotland, discussed with Internal Audit professionals from across industry the impact that emerging disruptive factors are having on businesses and how the Internal Audit function can increase its value amidst disruption.

Change is becoming constant in a world of disruption fuelled by innovation, technology, economic volatility and megatrends. Risks that once seemed improbable, even remote, have become the norm.

PwC’s 20th CEO Survey found that CEOs are optimistic amidst uncertainty. However lack of trust in business, changing consumer behaviour, speed of technological change remain high areas of concern. Internal audit’s role needs to adapt to help businesses to stay ahead.

Claire spoke about the main themes discussed and shares some of the key considerations for Internal Audit.


What is disruption and what does it mean for businesses?

Claire Reid said:

“Disruption on some level is affecting all businesses – whether internally driven from changing technology or externally from regulatory changes. However it can also come with significant risk factors which need careful consideration.


Figure 1: Top five disruptions

PwC 2017 State of the Internal Audit Profession Study


PwC’s 2017 State of the Internal Audit Profession Study which interviewed nearly 1,900 respondents found that regulatory changes were the most frequent cause of disruption in the past two years and are expected to remain the most universally experienced disruption in the next three years.

“Evolving regulations such as anti-corruption, data privacy and security, and industry specific regulations were highlighted in interviews as sources of future disruption.

“Despite the prominence of regulatory changes, the organisational impact they cause has been perceived to be lower than that of other disruptive forces such as business transformations, financial challenges or technology advances.

“While it is impossible to identify all potential business disruptions, it is almost certain that at least some level of disruption will impact organisations during the course of each year." 

Redefining Internal Audit’s role

“Disruption can steer Internal Audit off-course, significantly impacting its ability to deliver and execute the core of the Internal Audit programme. It then becomes increasingly difficult for the function to stay aligned to the company’s top risks, effectively undermining the function’s ability to add value when arguably the business needs it most.

“Some Internal Audit professionals now view disruption as a normal business rhythm and are comfortable operating like this, while others plan for it using some contingency in their plan so that they can quickly respond.  

“Businesses need to anticipate and react to all kinds of change in order to survive and grow. Our 2017 State of the Internal Audit profession study found 23% of Internal Audit functions surveyed are deemed to play a valuable role in helping companies anticipate and respond to business disruption, which is above the global statistic of 18%. We call this group of respondents “Agile IA Functions”.

“The study also found however that internal audit functions are losing ground in trying to keep pace with stakeholder expectations. 75% of wider stakeholders believe that Internal Audit should be more involved in disruptions.

“But factors such as resources, lack of talent and evolving workforce, corporate culture and budget are making it increasingly difficult. Stakeholders, however, remain committed to wanting Internal Audit to play a greater, value-added role in the organisation.

“With businesses facing anticipated unprecedented disruption and change, the Internal Audit function has a vital role to help anticipate and respond quickly to disruptive events but speed and agility are key."

Agile IA Functions: Managing disruptions proactively

"Internal Audit remains one of the few departments still able to take a holistic view across the business, providing a unique perspective in being able to provide a point of view on risk management procedures even when they don’t come in the form of transactional controls.

"The role of Internal Audit is evolving and is becoming more agile in helping their organisation deal with disruption and more effective risk management.


Figure 2: Internal Audit involvement correlates with more effective management of disruption

PwC 2017 State of the Internal Audit Profession Study

“Agile Internal Audit functions are relevant across many disruptors, including rapidly emerging risk areas, not just those areas traditionally addressed by internal audit or compliance functions.

“For example, more than two-thirds are involved in brand and reputation incidents, technology advancements and changes in the business model.  Even more help the company deal with operational disruption and, of course, regulatory changes

“They also plan for disruption to occur and create flexibility in their planning and resource allocation, which enables them to address disruptive events when they happen. In addition, nearly half (49%) have increased or shifted internal audit budget to enable greater participation in areas of business disruption compared to just 27% of less adaptive functions.

“As disruption occurs, Agile Internal Audit functions help the business in a multitude of ways. For example, they more frequently provide a point of view around risks associated with disruptive events, coupled with advice on the process and controls design needed in response. Nearly half are even involved in identifying the potential for a disruptive event to occur.”

Making Internal Audit more agile

But what are the features which are helping Internal Audit functions to be agile and better equipped to support businesses in dealing with disruptions?

Some of the features emerging as distinctive include:

  • Much tighter collaboration across three lines of defence, driving more clarity in the the overall risk management process

  • Investing in both business and technical IQ, formally including training on the business as part of Internal Audit learning and education.

  • Creating more flexible Internal Audit processes and reporting that not only capture different approaches but also drive relevant and timely reporting to address the immediate business needs.

To find out more or discuss in more detail, contact Claire Reid, Head of Assurance PwC in Scotland. 


Claire Reid, Head of Assurance PwC in Scotland 

Contact us

General Enquiries

Scotland, PwC United Kingdom

Tel: (0)141 355 4000

Follow us: