
How to Future Proof Your Internal Audit Department.

Updated: 7 days ago

In today's rapidly evolving business landscape, the Internal Audit function faces unprecedented challenges and opportunities. The increasing reliance on data, the proliferation of Artificial Intelligence (AI) systems, and the ever-present need for robust risk management necessitate a proactive approach to ensure the continued relevance and effectiveness of Internal Audit. The IIA Standard and, crucially for our context, the new IIA UK Code explicitly call for Internal Audit teams to build capacity in critical areas like Data Analytics and the auditing of AI systems, including having the trained resources to undertake these activities.


As an internal audit consultancy, we understand the pressures faced by Heads of Internal Audit (HIAs) in navigating this complex environment. This blog post provides a detailed roadmap for defining a future strategy over the next two years, leveraging the principles of the IIA UK Code to ensure your Internal Audit department remains a vital and forward-thinking function.


The Imperative for Future-Proofing: Aligning with the IIA UK Code

The IIA UK Code provides a robust framework for effective internal audit. Several principles within the Code directly support the need for future-proofing, particularly those relating to:

  • Purpose, Authority and Responsibility: Ensuring Internal Audit's mandate allows for the exploration of emerging risks and technologies.

  • Independence and Objectivity: Maintaining an unbiased perspective when evaluating new systems and data.

  • Proficiency and Due Professional Care: This is where the explicit requirement for data analytics and AI auditing capabilities resides. The Code mandates that internal auditors must possess the knowledge, skills, and competencies needed to perform their responsibilities effectively, which now includes these specialised areas.

  • Quality Assurance and Improvement Programme: Continuously assessing and improving the effectiveness of the internal audit activity, including its ability to address future risks.

By focusing on building capabilities in Data Analytics and AI auditing, the HIA directly addresses the "Proficiency and Due Professional Care" principle of the IIA UK Code, demonstrating a commitment to ensuring the team has the necessary skills to provide relevant and insightful assurance.


Defining Your Two-Year Future Strategy: A Roadmap for the Head of Internal Audit

The following outlines a practical two-year strategy for the HIA to future-proof their Internal Audit department, aligned with the IIA UK Code:


Year 1: Building the Foundation

The first year should focus on assessment, foundational training, and initial steps towards integrating data analytics and AI considerations into the audit process.


Phase 1: Assessment and Planning (Months 1-3)

  • Skills Gap Analysis: Conduct a thorough assessment of the current internal audit team's skills and knowledge in data analytics, AI, and related technologies. Identify specific gaps and areas for development. This should include both technical skills (e.g., statistical analysis, machine learning basics) and understanding the business applications of these technologies.

  • Stakeholder Engagement: Engage with key stakeholders across the organisation (e.g., IT, Finance, Operations) to understand their current and planned use of data analytics and AI. Identify key AI systems, data sources, and potential audit areas.

  • Define Future Vision: Based on the skills gap analysis and stakeholder engagement, define a clear vision for the future state of the Internal Audit department in terms of data analytics and AI auditing. What capabilities are essential? What level of expertise is required?

  • Develop a Roadmap and Budget: Create a detailed roadmap outlining the specific steps, timelines, and resources required to achieve the future vision. This should include budget allocation for training, tools, and potential recruitment.


Phase 2: Foundational Training and Tool Exploration (Months 4-9)

  • Data Analytics Training: Implement foundational data analytics training for the entire internal audit team. This could include:

    • Introduction to data analytics concepts and methodologies.

    • Basic statistical analysis and data visualisation techniques.

    • Hands-on training with relevant data analytics software (e.g., Excel with Power Query/PivotTable, open-source tools like Python/R, or dedicated audit analytics platforms).

  • AI Awareness Training: Provide introductory training on AI concepts, including:

    • Different types of AI (e.g., machine learning, natural language processing).

    • Common AI applications within the organisation.

    • Key risks and controls associated with AI systems (e.g., bias, transparency, data privacy).

  • Tool Exploration and Pilot: Research and evaluate various data analytics and potentially AI auditing tools. Consider conducting pilot projects with selected tools to assess their suitability for the department's needs.


Phase 3: Initial Integration and Targeted Recruitment/Upskilling (Months 10-12)

  • Integrate Basic Data Analytics: Begin incorporating basic data analytics techniques into existing audit engagements. This could involve using data to identify trends, anomalies, or outliers in key audit areas.

  • Identify AI Audit Opportunities: Based on stakeholder engagement, identify specific AI systems that could be subject to initial audit reviews. Focus on understanding the system's purpose, data inputs, algorithms, and key controls.

  • Targeted Recruitment or Upskilling: Based on the skills gap analysis and the defined future vision, consider recruiting individuals with specific data analytics or AI expertise. Alternatively, identify high-potential team members for more in-depth upskilling in these areas.


Year 2: Embedding and Enhancing Capabilities

The second year should focus on embedding data analytics and AI auditing into the core audit processes and further developing the team's expertise.


Phase 1: Advanced Training and Methodology Development (Months 13-18)

  • Advanced Data Analytics Training: Provide more advanced training in data analytics, potentially focusing on specific areas relevant to the organisation's risks (e.g., predictive analytics, machine learning for fraud detection).

  • AI Auditing Methodology Development: Develop specific audit methodologies and procedures for reviewing AI systems. This should consider areas such as:

    • Governance and oversight of AI development and deployment.

    • Data quality and integrity for AI models.

    • Algorithm bias and fairness.

    • Transparency and explainability of AI outputs.

    • Security and access controls for AI systems.

  • Specialised Tool Implementation: Based on the pilot projects, implement selected data analytics and potentially AI auditing tools across the department.


Phase 2: Embedding into the Audit Plan and Knowledge Sharing (Months 19-24)

  • Integrate into the Audit Plan: Ensure that data analytics and AI auditing are explicitly considered and incorporated into the annual audit plan. Allocate resources and time for these activities.

  • Conduct Dedicated AI Audits: Perform dedicated audits of key AI systems identified in Year 1, utilising the newly developed methodologies and trained resources.

  • Knowledge Sharing and Collaboration: Foster a culture of knowledge sharing within the internal audit team regarding data analytics and AI auditing. Encourage collaboration on projects and the sharing of best practices.

  • Continuous Improvement: Regularly review and refine the strategy based on lessons learned and evolving organisational needs. Seek feedback from stakeholders and the audit committee on the value and impact of the enhanced capabilities.


Key Considerations for Success:

  • Tone at the Top: Strong support from senior management and the audit committee is crucial for the successful implementation of this strategy.

  • Collaboration: Effective collaboration with IT and other business functions is essential for accessing data and understanding AI systems.

  • Flexibility: The strategy should be flexible and adaptable to changes in technology and the organisation's risk profile.

  • Focus on Value: Always emphasise the value that data analytics and AI auditing bring to the organisation in terms of improved risk management, control, and governance.


Conclusion: Future-proofing your Internal Audit department is not just a desirable goal; it is a necessity in today's dynamic environment. By proactively building capabilities in Data Analytics and AI auditing, as mandated by the IIA UK Code, the Head of Internal Audit can ensure their team remains relevant, effective, and a trusted advisor to the organisation. This two-year strategy provides a practical framework for achieving this, enabling Internal Audit to provide valuable insights and assurance in an increasingly data-driven and AI-powered world. As internal audit consultants, we are here to support you on this journey, helping you navigate the complexities and build a future-ready internal audit function.

 



© 2025 by ASD Consulting
