Global Internal Audit Study

Download as pdf or txt
Download as pdf or txt
You are on page 1of 40

1 PwC Global Internal Audit Study 2023

Global Internal Audit Study 2023

Seeing through walls


to find new horizons
2 PwC Global Internal Audit Study 2023

For more than a decade, PwC has conducted global IA Leaders Board and Business Second Line Leaders
surveys with Internal Audit (IA) leaders and their Executives (Risk, Compliance, etc.)

stakeholders. Our 2023 survey was our largest ever. Update or create your Generate ideas to Challenge risk
It captured views from 4,680 IA leaders (41%), IA strategy maximise the value coverage based on
you get from IA new or emerging
board members and executives in the business Support case for threats
(37%), and second line risk (11%) and compliance
investment and Identify blind spots
change initiatives or strategic areas Identify strategies for
(11%) leaders. It covered 81 countries across a wide Have different
where you may need collaboration with IA
assurance
range of industries. conversations with Consider data and
stakeholders on new Increase collaboration technology that could
risks or topics between first, second, be shared or co-
How this study can help you and third line to developed
Identify ways to increase efficiency
Our IA surveys have helped to capture new ideas, stimulate debate, and unlock achieve better return Brief your team on
and effectiveness
new opportunities for IA functions to evolve, add value, and remain relevant. The on investment (RoI) new IA trends and
insights shared in this report can help not just IA leaders, but those who rely on IA’s from technology Have different identify opportunities
‘superpowers’ to give them confidence, and help see risk differently. conversations with IA for cooperation in
Train your IA team on new risks or topics talent models
and plan your talent
strategy
3 PwC Global Internal Audit Study 2023

Five key findings


Our survey highlighted five compelling findings. Each is explored further in this report, focusing on why they matter to IA and its stakeholders, the value to the organisation, and
practical tips to address them.

Finding Why this is new What this means for IA

1
Megatrends are creating a complex and Recent megatrends are creating risks in new areas IA is uniquely positioned to give the organisation
interconnected risk multiverse that are unprecedented in scale and complexity confidence to navigate these challenges and find a
new direction—and new opportunities

2
IA needs more involvement in strategic areas to Driven by increased complexity and higher stakes, IA can choose to engage differently with its
remain relevant business executives are opening the door for IA to stakeholders to provide new strategic value, or risk
help them address more strategic areas becoming irrelevant

3
IA can be a unifying force First and second line have ‘levelled up’ their IA can help combine expertise across the
capabilities and response to risk organisation to harness momentum and forge
something stronger together

4
IA’s human ‘superpowers’ are more important Technology has become exponentially more IA must continue to evolve its human capabilities
than ever sophisticated, providing organisations with access to ensure it can turn data into decisions, build new
to more data and opportunities than ever before relationships, and help others to see risk differently

5
IA can boost RoI by changing its Technology investment in recent years has not IA needs to recalibrate its approach and work with
approach to technology yielded the returns many have expected and the others to unlock the potential of technology; but
next wave of technology is already here the window is closing fast
4 PwC Global Internal Audit Study 2023

Pioneers leading the way


Throughout this report we will refer to a group of respondents we
call ‘Pioneers’. The group, which represents 8% of respondents, was
identified based on three characteristics: (1) they are very effective at
raising significant risks and challenges the organisation has not yet
considered, (2) they are in the top quartile for percentage of effort spent
on strategic risk areas, and (3) they are in the top quadrant for percentage
of work effort delivered using innovative and agile methods.

The Pioneer group is small, but this reflects the nature of pioneers—
those that break new ground. It is also a reality of a more globalised and
connected world—standing out and being seen becomes harder, both for
IA, and organisations as a whole. Our data shows that Pioneers stand
out from their peers in a number of dimensions, including the number
Whilst today’s world and its risks are more connected
of strategic risks they cover, the outcomes they are achieving from
than ever, the level of complexity and pace of change technology investments, and confidence that they have the right talent
can mean it’s hard to focus and see clearly what’s now and in the future.
important. Many organisations still have functional
silos that are rigid and hard to traverse, information
and data that is difficult to access or trust, and
communication gaps that are behavioural and tough
to change. Together, these create ‘walls’ that restrict
agility, stifle innovation, and limit the power of working
as one organisation. The interwoven themes explored
in this study will show that IA’s objectivity and ability
to ‘connect the dots’ means that it has the potential
to ‘see through’—and ultimately break down— these
walls, to create new value, and give its stakeholders the
confidence to navigate the risk multiverse.
Shaun Willcocks, PwC Global Internal Audit Leader
5 PwC Global Internal Audit Study 2023

Megatrends are
creating a complex
and interconnected
risk multiverse
IA is uniquely positioned to help the organisation
navigate risk and change

Company killers
Today’s megatrends are driving rapid global change in
areas like technology, geopolitics, climate, supply chains,
regulation, and workstyle reform. These changes are
not occurring in isolation, but rather they are
interconnected, interwoven, and ‘stacking up’ to
create complex risks. In other words, organisations are
facing a new reality—a ‘risk multiverse’.

This complexity is amplified by the globalised nature


of modern markets, faster information flows, and more
sophisticated expectations of consumers, regulators,
and stakeholders—and greater consequences for
failing to meet these expectations. This brings
with it more blind spots and new types of
disruption or ‘company killers’.
6 PwC Global Internal Audit Study 2023

The result can be that organisations slow down, lose When equipped with the right technology, vision, and
confidence in their strategy and roadmap, and are unable talent, IA’s superpowers can not only protect value,
to steer quickly through change or avoid hazards. This but also create value by ensuring the organisation can
can mean disruption at best, or obsolescence at worst. capture the upside of risk. Our survey found that, in
This is forcing organisations to speed up transformation addition to better governance, more risk awareness, and
and change their core strategies. PwC’s 26th Annual stronger internal control, executives believe that a high-
CEO Survey found that nearly 40% of global CEOs do performing IA function can help:
not think their organisations will be economically viable
in ten years’ time if they continue on with their current Optimise business processes and systems
strategy. Provide confidence to make better and faster
management decisions
A chance for IA to shine
Obtain trust from external stakeholders, including
To succeed in this new reality, organisations will need investors, regulators, and customers
different approaches, skills, and technology. For IA,
it means they are needed more than ever. Our survey Ultimately this can mean organisations have the
showed respondents ranked IA’s top attributes as confidence to adjust their risk appetite to take more
its (1) risk and controls mindset, (2) independence risks and move quicker—all of which is critical in
and objectivity, and (3) business knowledge and responding to the megatrends and remaining viable as
experience. Enhanced by IA’s organisational reach, this an organisation.
unique combination makes IA ideally placed to help
organisations connect the dots and navigate risk and This means that IA leaders must be bold. They must
complexity. voyage into uncharted territory where there is no Nearly 40% of global
roadmap. CEOs do not think their
organisations will be
economically viable in ten
years’ time
PwC’s 26th Annual CEO Survey
7 PwC Global Internal Audit Study 2023

47%
of IA functions
address supply
chain disruption in
their audit plan

Responding to the megatrends Q. Which, if any, of the following risks and challenges have been addressed in your organisation’s internal audit plan?​
Cyber security and information management
We are seeing examples of IA functions pushing
forward to tackle today’s megatrends. The following are 68% 27% 4% 2%
examples of IA’s response to supply chain disruption,
Business strategy and operating model (e.g. product strategy, sales channel disruption)
rapid IT modernisation, and acceleration of Artificial
Intelligence (AI). 57% 33% 8% 3%
Technology advancement (e.g. impact on business model and processes)
(i) Supply chain disruption
54% 37% 6% 3%
One example of multi-layered complexity has been the
Talent (e.g. labour skills shortage, workforce transformation)
recent supply chain disruption. This caused a crisis
where demand was difficult to forecast, goods were hard 50% 36% 11% 4%
to source, transportation was hard to find, and routes
Market and economic volatility (e.g. pricing and inflation, cost management)
were backlogged and unpredictable. Volatility rippled
throughout the supply chain and introduced significant 48% 35% 12% 4%
risks to business models and processes, putting it high Supply chain disruption
up on the agenda for many organisations.
47% 34% 14% 5%
Our survey found that 47% of IA functions address
Sustainability and climate change (e.g. ESG reporting)
supply chain disruption in their audit plan and 34% plan
to do so in the next one-to-three years. Many, however, 44% 42% 10% 3%
are wondering how they can tackle risks and disruption
External change (e.g. regulatory reform and compliance)
that occur with such scale and speed.
43% 39% 12% 6%
Claire Qian, PwC’s Risk and Compliance Leader for
Geopolitics (e.g. international relations trade agreements, sanctions)
Mainland China & Hong Kong, highlights that, “while
much responsibility to manage supply chain risk falls 32% 37% 23% 8%
on the first and second line, the third can add value
Already addressed Plan to address in the next 1-3 years No plans to address Unsure
Base: All respondents (4680)​
8 PwC Global Internal Audit Study 2023

by sharing insights, advising on risks, and providing


assurance over what the second line is doing.” IA
realises that to address the speed of these risks, all
parts of the business need to be aligned, with second
and third line working alongside the business to ensure
communication is fluid and early warning (or ‘risk
sensing’) systems are built in. For IA, this has included
working with Compliance to automate supplier due
diligence processes, leverage third party intelligence
data, and refocus vendor audits and monitoring. IA
can use its vantage point to look across the end-to-
end supply chain and challenge whether resilience
and business continuity arrangements are robust, and
management has stress-tested the supply chain for blind
spots or weaknesses, such as supplier dependencies.

(ii) Rapid IT modernisation


Accelerated by the COVID-19 pandemic, many
organisations have had to turn to technology to help
adapt their strategies and commercial and operational
models to remain viable. This has forced IA functions
to reflect on how they can keep pace with this change,
and reconsider where in the change lifecycle they should
be involved. The investments that organisations have
made in recent years—from large enterprise resource
planning (ERP) system implementations, introduction of
AI, machine learning, automation, and cloud solutions—
have meant old IA approaches may no longer work, and
new skills are needed. This includes approaches to new
risks around ‘responsible AI, collaborating with outside
specialists, or with guest auditors from the business. It
has also meant being bold enough to stop IA activity that
is not adding much value.
9 PwC Global Internal Audit Study 2023

27%
In the past 12 months,
just 27% of IA functions
have invested in RPA
or AI for use inside the
function

The pharmaceutical, life sciences, and medtech IA will be a key facet of addressing these risks and
industry, for example, has experienced rapid growth helping ensure the upside and RoI from AI can be
and groundbreaking innovation in recent years. This realised. This includes providing stakeholders with
has included streamlining and automating research and confidence that there is a responsible governance
product development, leveraging technology for clinical framework around AI and appropriate controls are
Our Internal Audit team believes that trials, and a shift towards remote interactions. This embedded in underlying processes. This may require
technology & digitisation is the only way for us has changed the strategic and commercial landscape IA to step outside of its comfort zone and become
to support the mission and vision of Moderna for organisations—and patients—but also forced IA involved earlier in the change lifecycle to assess
functions to reflect on their own approaches. “The IA whether the organisation’s AI strategy is appropriate and
to create transformative medicines and
survey highlights the considerable opportunity that transformation risks are being addressed.
commit to innovation. By adopting a digital exists for IA functions to be equipped with the right
mindset and building strong relationships with set of technology capabilities, but also with the need In parallel, IA has to determine how to harness the
our digital teams, we have aligned our vision to understand emerging technology at rapid speed,” potential of AI and other technology, like RPA, to evolve
with the company’s strategy. I am confident says Brian Long, PwC’s Pharmaceutical & Life Sciences its own capabilities and ways of working. In the past
12 months, just 27% of IA functions have invested in
that by ‘digitising everywhere’, we will provide Sector IA Lead.
RPA or AI for use inside the function. Many IA functions
better assurance and meaningful insights to are still grappling with adopting and using more basic
all our stakeholders. (iii) AI accelerating fast
technology, like audit workflow or analytics tools,
The rapid emergence of AI marks the beginning of a new and so the arrival of AI is causing many IA leaders to
Sanjay Sharma, VP Internal Audit, Moderna
phase of IT modernisation. Traditional AI is advancing, reflect on how best to approach it. Some IA functions
and Generative AI is so powerful and easy to use, it’s have ‘hit a wall’ with their technology strategy as the
poised to change business models and revolutionise returns from previous investments have not always
how work gets done. A wide array of risks have already met expectations—or they are not clear on the actual
emerged, including risks to decision-making, privacy, problem they are trying to solve with technology. We
cybersecurity, regulatory compliance, third-party explore this further in section 5 of this study.
relationships, legal obligations, and intellectual property.
This is explored further in PwC’s Managing the risks of
generative AI publication.
10 PwC Global Internal Audit Study 2023

Levelling up: Actions to consider


Map to the megatrends: Reconcile the current IA plan with the known
and emerging megatrends to identify any that might not be addressed
and discuss with the Audit Committee, stakeholders, and second line if
this is the right approach.

Understand the purpose, not just the process: For transformation


initiatives in the organisation, such as the introduction of AI, consider
who is providing assurance over the alignment of business strategy,
transformation objectives, implementation activities, and measurement
of intended outcomes. The ability to connect the dots and spot
misalignment can often require an objective viewpoint.

A successful IA function is always


changing and evolving, leveraging
technology, thinking of new ways
of working and continuing to
change its operating model to flex
with business strategy.
Jennifer Moak, SVP of Internal Audit,
Verizon
11 PwC Global Internal Audit Study 2023

IA needs more
involvement in strategic
areas to remain relevant
IA can choose to provide new strategic value or
risk becoming irrelevant

A door being opened


PwC’s Global CEO Survey asked CEOs what they
consider to be the top threats to their business. Inflation
and macroeconomic volatility topped the list. Our
Global IA Survey shows, however, that nearly 50% of
IA functions are not addressing these two top threats in
their audit plan, and one in 10 have no plans to do so
at all. Just 6% said their IA plans are addressing the full
spectrum of threats.

If IA is not tackling an organisation’s greatest threats,


how can it be considered the last line of defence? It may
be that IA does not believe it’s within its mandate to
address some of these areas. For some, these threats
are perceived as not auditable and for others, IA may
lack the confidence or skills to tackle them.
12 PwC Global Internal Audit Study 2023

Q. Thinking of the key risks and challenges in your organisation, at which stage(s)
would you ideally like Internal Audit to get involved?

The good news is that the door has been opened for Risk identification and assessment
IA. Our survey shows that many business leaders want
more strategic engagement with IA early and proactively
with 68% wanting IA to be involved during the risk 68%
identification and assessment stage and over 50%
Testing of process and control effectiveness
seeking IA involvement in management strategy and
planning. This may be driven by a multitude of factors,
including the complexity of today’s risks, the need to 60%
provide comfort to others, awareness of the benefits of
better governance, and/or recognition of IA’s value and Management strategy and planning
potential.

Strategic risks are not always easy to see, and are 56%
sometimes not the ones documented in the risk register.
They will also be specific to each organisation, so it’s Control design and implementation
important for IA to have the right Board and executive
relationships—and sufficient opportunity to talk—to 53%
understand what matters. IA must be willing to challenge
strategic decisions when risks indicate a course Investigation when issues occur
correction is needed; however, to do this effectively
IA may need to reposition itself with stakeholders and
be willing to have different conversations in order to
53%
be heard. At Pepkor in South Africa, for example, IA
Remediation and resolution of issues
positions itself close to the organisation’s strategy and

39%
holds frequent discussions with management regarding
key strategic risks. Wikus Theunissen, Chief Audit
Executive, shares that, “IA has steered away from a
typical audit plan. Instead, 30% to 40% of the audit plan Base: All respondents excluding ‘Not sure’ responses (4677)
is agile, which allows IA to respond to urgent risks.”
13 PwC Global Internal Audit Study 2023

38% Management wants better risk


Pioneers are 38% conversations
more likely than
peers to provide Our survey indicated that IA has the opportunity to have
Examples of strategic areas some IA functions proactive advice on more high quality, open, and frequent conversations
with management about risk. It shows that only 36%
are auditing emerging risks of stakeholders classify their risk conversations with IA
Digital transformation, including the alignment of the IT and business leaders as of sufficient quality and frequency. While more
strategy, adoption and use of AI (and its responsible use), and reliability than half of IA leaders indicate frequent, high quality
of data used in strategic decision-making risk conversations take place with the audit committee
chair, the CFO, CEO, CRO, and CCO, only 8% indicated
Mergers and acquisitions (M&A), including robustness of due ‘good quality and frequent interaction’ across all relevant
diligence and approval processes, financial model reliability, coverage stakeholders.
and quality of risk data used, process and controls integration, and
appropriateness of the criteria used to measure synergies and RoI

Research and development (R&D) and product design, including Q. Which of the following best describe the quality (e.g. depth, frequency, openness)
spend controls, alignment to business strategy, and incorporation of your conversations with your Internal Audit leader (e.g. Chief Audit Executive,
of technology and data. This is particularly important for industries Head of Internal Audit) in relation to addressing risk?​
where R&D approaches have changed over recent years, such as the
pharmaceutical sector 43% 18%
Workforce transformation, including its impact on oversight, risk
and control ownership, customer response, and risks in meeting other
strategic objectives such as talent and skill gaps

Inflation, including inflation risk mitigation approach, budgeting


and forecasting processes, hedging programs, pricing adjustments,
procurement strategies including long-term contracts, and alternative
sourcing models

Macroeconomic volatility, including macroeconomic risk


assessments and risk mitigation plans, consideration in strategic plans,
physical location / production / vendor concentrations and supply
chain resiliency plans, business continuity and crisis response plans, 36% 2%
and insurance coverage analysis
Good quality and frequent interaction Good quality interaction but infrequent
Basic or limited interaction No relationship
Base: Non-IA stakeholders (2787)​. Note: 1% difference due to rounding
14 PwC Global Internal Audit Study 2023

When you are doing audits and


providing assurance to a business The benefits of better risk Examples of how IA can have better risk
that is trying to be disrupting conversations can include new conversations
insights on emerging risks, more
and innovating, you have got to focused and timely assurance, The definition of ‘better’ will differ from stakeholder-to-stakeholder, but we
come with the right attitude and and a fresh perspective on other have seen effective IA teams engage with their stakeholders by:
calibrate transparency, risk, and opportunities. Our survey found
box-ticking—and box-ticking is not that the percentage of business, Offering a viewpoint and commentary on new or draft business
strategies and plans. IA can maintain objectivity whilst still offering a
always the right way to go. risk, and compliance leaders in
pioneering organisations that report perspective based on their cumulative experience and ability to see
Jason Davies, Chief Internal Audit risk differently
having good quality and frequent
Officer, NEOM
risk conversations with the IA leader
Authoring discussion papers or presentations on emerging risk
is nearly thirty points higher than
areas or topics, outside of regular audit reports, which can offer an
non-Pioneers (63% v 36% overall). This is where the Pioneers can challenge the status
‘early warning’ or prompt discussion. Our survey found that half of
quo and shine a light on alternative paths. This can help the business course correct
IA functions are authoring position papers on new risks, trends, or
where necessary, particularly for the almost 40% of global CEO’s who worry about the
regulation
longer-term viability of their organisation.
Summarising findings from multiple audit reports into broader root
Practically, this may mean changing the format and style of stakeholder meetings;
causes and themes at a company level. This can also be mapped to
engaging earlier when a new strategic initiative is being considered, and
trends in the industry
communicating more frequently outside of the normal audit cycle. It can sometimes be
as simple as IA asking its stakeholders to explain their business strategy, priorities, and Bringing other expertise from first or second line teams, or external
expectations for the future. advisors, to broaden debates and offer other perspectives; for
example, in topical or risk workshops
Paula Adkison, Senior Vice President of Internal Audit at McKesson, highlights the
significant ways in which her organisation aligns with management. IA sits on the Sharing materials from industry or technical sources and/or
executive oversight committee which brings a better purview of strategic initiatives, communities of interest. This can help highlight industry-level trends or
and helps IA align its activities more closely to strategy. IA’s risk assessment process emerging risks
begins with an interview with the CEO, and broader Executive Operating Team,
which gives IA the perspective to get a better pulse on risk across the organisation. Agreeing ‘value-based’ metrics and Key Performance Indicators (KPIs)
Adkison spends a lot of time with business leaders, as does her team. Conversations for IA, so it can be measured against the value it adds to stakeholders
centre around what trends and risks each are seeing, and what might be worrying the
business. As Adkison says, “Our partnership with the business is important. IA asks
questions and looks holistically and the business isn’t always able to do that. We weigh
the high risks and we don’t waste our time doing insignificant things. The reaction we
get from the business is positive.”
15 PwC Global Internal Audit Study 2023

For us, this is not about

66% second guessing or auditing


the strategy, but about working
from a deep understanding of
Pioneers spend an
average of 66% of their the business and its strategic
focus and effort on direction. We need to know
strategic areas versus what can really hurt the
42% of others company, both now and in the
future. We need to understand
where the danger lies in
emerging risks and in those
that can be taken for granted;
we should never lose sight of
the fundamentals. This requires
strong connection with the
business and collaboration–
bringing the collective strengths
of the function. My team needs
to be ahead of the business,
learn continuously, make
judgments, and have real agility.
We need to put ourselves
out there and that can be
challenging, but incredibly
valuable for the company
and rewarding for us when
we get it right.
Ralph Daals, Group Chief Auditor,
Zurich Insurance
16 PwC Global Internal Audit Study 2023

IA needs more involvement in strategic


2 areas to remain relevant

Levelling up: Actions to consider


Get involved early: Look back at previous strategic change initiatives
and at what point IA became involved; consider what additional value
could have been generated if IA had been involved earlier, and reflect
this in the approach for current or future initiatives.

Reconsider effort spent on strategic risks: The right mix will be


different for each organisation, but it should be by design and not by
accident. This can involve asking stakeholders what is important to
them. Using a simple matrix to plot what effort is spent on traditional
versus strategic risk areas, and the type of audit approach taken, can
be a simple way of setting the right balance.

Shake up the communication style: Some IA functions have moved


from formal meetings (with agendas and minutes) with stakeholders to
more agile conversations, and have become bolder in adding views not
necessarily backed by audit evidence.

Relook at how information is being shared in conversations and


meetings: Use visualisation tools to present elevated insights and to
show how IA is connecting the dots across risks and organisational
silos. Vary the nature, timing, and extent of reporting to fit different
needs and different stakeholders.
17 PwC Global Internal Audit Study 2023

IA can be a
unifying force
IA can harness and multiply the expertise
of others to benefit everyone

Working alone will always result in


blind spots
Most significant corporate failures have resulted from
something the organisation either didn’t see coming, or
they didn’t understand. Risks are not always easy to
see—they can sometimes be too big (e.g. geopolitical,
macro-economic, industry-wide) or buried in complex
and multi-layered technical areas (e.g. regulatory, cyber,
commercial). When they occur, the consequences can
sometimes be seen in every part of the organisation, and
often externally, which can impact reputation.
18 PwC Global Internal Audit Study 2023

IA’s unique vantage point and risk-mindset means that Q. Over the last 3 years, to what extent have you seen a change in the overall strength and
it is able to ‘see through the walls of the organisation’ capabilities of these second line functions?
and shine a light on areas others may not clearly see.
It cannot, however, see everything, all of the time. It is Information / Cyber Security or other IT governance function
unlikely that any one function has the skills, experience,
and capacity to cover the diversity of risks. Traditionally, 47% 38% 10% 3%
IA functions have relied on guest auditors or co-sourcing ESG Management (e.g. sustainability or environmental monitoring)
to bring in the required expertise and, whilst this is still
necessary to reinforce IA’s capabilities, IA needs to also 43% 42% 11% 3%
be confident that nothing is missed at an organisational Quality management (e.g. Supplier, engineering, product development program management)
level. This is particularly relevant to industries that have
been impacted by significant disruption to commercial 30% 44% 20% 3%
models, complex reform, or new technological Compliance
advancements, such as the pharmaceutical, energy, and
financial service sectors. 29% 46% 19% 4%
Internal Control
The good news
28% 44% 21% 5%
The good news is that our survey showed that
Enterprise Risk Management
organisations have at least five second line functions
on average with which to collaborate, and most have 27% 49% 16% 6%
strengthened their capabilities and ‘levelled up’ over the Inspection functions (e.g. health and safety)
last three years.
27% 42% 24% 4%
Financial Control (e.g. controllership with monitoring responsibility)

26% 44% 23% 5%


Legal (with risk or compliance monitoring responsibility)

22% 42% 29% 5%


Significant increase Some increase No change Some decrease Significant decrease
Unsure / Not applicable
Base: All respondents with applicable second line function (1590-3015)​
19 PwC Global Internal Audit Study 2023

49%
of business executives
believe that IA does not
have strong alignment
with the other lines on key
Practically, this can involve a range of different
risks and problems
approaches, such as:

Jointly preparing an assurance map and aligning


activity plans
The strengthening of the second line represents an Business executives recognise that there is room for
opportunity for IA to harness these skills and maximise improvement with 49% believing that IA does not have Ensuring the links between mission statements,
the power of combining different capabilities; however, strong alignment with the other lines on key risks and charters, and strategies are clear (and it is understood
there is work to do: just over half (52%) of IA functions problems. This gives IA a strong mandate to take the how they fit together in the overall governance
show strong alignment with first and second line on key lead in creating a unified view and finding new ways to structure)
risks and problems. leverage the different capabilities in the organisation.
Authoring risk papers together to brief or update
The concept of ‘assurance maps’, which provide a stakeholders
Q. To what extent do you think Internal Audit currently aligns consolidated view of how comfort over key risks is being
with the first and second line functions in your organisation to addressed across the organisation, has gained traction Aligning risk taxonomies and control libraries, or
address risk and solve business problems together? ​
in the profession. While the second line challenges sharing research and reference materials
and performs a critical role in its oversight of risk,
52% compliance, and internal controls, IA is in a position Co-investing in technology, such as eGRC, data
to provide an independent and objective assessment analytics, and visualisation tools
2% and elevate issues beyond management to the Audit Co-developing or sharing automation and scripts used
Committee. Pioneers are finding ways to make this in assurance activities
approach mutually beneficial to IA and the business,
including having combined teams to pool experience Talent sharing programmes, such as secondments
and add credibility to tackle tough or strategic areas like and guest auditors
Environmental, Social, and Governance (ESG), M&A,
or digital transformation. These require IA to draw on Forming communities of interest on specialist or
a wide variety of capabilities, including those relating topical matters, such as ESG
to IT and cyber, legal, people and change or human
44% resources, finance, treasury, commercial, product
Done well, such actions allow IA and others to achieve
a ‘multiplier effect’—adding up to better risk coverage,
development, tax, and marketing. greater efficiency, and more valuable insights. In other
No alignment
Some
 alignment (e.g. on certain topics, but ad hoc and not words, they become more than the sum of their parts.
sufficient) This can also have the benefit of showcasing to the Audit
Strong alignment on key risks and problems Committee and Board the value of integrated assurance,
Base: All respondents (4680)​Note: Remaining 2% comprises and open the door to better engagement.
‘Not sure’ responses and rounding
20 PwC Global Internal Audit Study 2023

A ‘risk shield’ around the organisation


Changing the way we see IA and risk​
A shield is only as strong as its weakest part. In today’s world, where
risks can come from all directions, an organisation’s foresight and
defense needs to be 360-degrees. As organisations assemble different
capabilities and embrace new technology, they may also need to look Risk Shield
differently at their internal structures, including how the three lines work
together to increase agility, break down silos, and remove blind spots to
‘see through walls’.

Whilst it is critical that objectivity remains one of IA’s core superpowers,


it should consider where the activities of each line intersect and overlap,
how communication flows between them, and what this means for
Board & Risk &
the organisation’s resilience as a whole. This involves being clear on
responsibilities, the control and assurance mechanisms that exist, and the
Management Compliance
new opportunities to collaborate.

Internal
Aligned Audit
Governance
IA can be like translators—interpreting
and communicating risks and issues
between different parts of the business,
including the Board and Executives,
Risk Multiverse
who may have a different perspective, Risk Buffer
experience or background. This means
IA can help to join the dots when there
is a risk—or an opportunity.
Roberto Delgado, Chief Internal Audit
Officer, Nissan Motor Co., Ltd.
21 PwC Global Internal Audit Study 2023

Q. Which of the following activities do you think would benefit from more Internal Audit
involvement and/or increased Internal Audit alignment with the first and second line functions
in your organisation?
Risk monitoring and assessment

57%
Design of governance and enterprise-wide risk management framework

49%
Development of business policies and control procedures

47%
IT system implementation

46%
Process re-engineering and optimisation initiatives

42%
Input into risk appetite and risk tolerance

41%
Crisis planning and response

40%
Training and upskilling activities

37%
Back office modernisation

25%
3% think all activities would benefit from more IA involvement

Base: All respondents excluding ‘Not sure’ responses (4675)​


22 PwC Global Internal Audit Study 2023

The energy sector’s multiverse reality


Geopolitics and economic volatility have delivered a massive shock to
global energy markets and fueled a global energy and cost-of-living crisis.
This has made it challenging for organisations to balance profitability
and growth with their customer and broader social responsibilities. This
disruption sits on a backdrop of climate change, intense competition,
regulatory reform, and technological change in energy generation, delivery
and use.

This is contributing to a shift in audit focus towards commercial and


operational resilience. Our survey found that, within three years,
executives in the energy, utilities, and resources sector expect IA to
spend 51% of its focus and effort on strategic risks. Marco Galioto,
PwC’s Energy Sector IA Lead, summarises, “The sector is balancing
many different strategic challenges. IA plays a critical role in helping the
business respond. In a complex risk multiverse, IA should sit right in the
middle”. For IA to be effective in this role, it needs a clear line of sight
through the organisation (across different levels, functions, regions, and
systems) and down the energy supply chain, including third parties relied
upon. This involves providing comfort over its commercial strategy,
response to regulation (and deregulation), and the huge volumes of data
flowing through the ‘pipes’ of the organisation.

Some organisations are investing in data scientists, process mining,


and visualisation software to help address the challenge, and increasing
collaboration between the lines. In one case, dashboards built by IA
were then replicated in the business to help them enhance controls
and monitor things they couldn’t see before. There is, however, more
work to do. Our survey found that, in the past 12 months, only 25%
of IA functions in the sector have invested in RPA or AI, and only 20%
have invested in ‘centres of excellence’ or dedicated hubs focused on
technology and data. The good news is that change has begun, and the
first steps are always the hardest.
23 PwC Global Internal Audit Study 2023

3 IA can be a unifying force

Levelling up: Actions to consider


Map your assurance: Work with the other lines to map the different
control and assurance activities performed to determine where there
is duplication, blind spots, and opportunities to collaborate. Make the
output visible to others to help close any gaps and support investment
decisions.

Tap into Centres of Excellence (CoEs): Identify and collaborate


with any CoEs, or similar pools of experience, that may exist in your
organisation. Examples include cyber security, data, and operational
excellence groups. These can provide economies of scale, optimise
methodologies, and promote innovation.

Connect to communities of interest: Bigger organisations may have


the capacity to pull together cross-functional teams or interest groups
on key risk or technical areas, such as ESG, AI, or cyber. Similarly,
encourage those in the second and third line to get involved with
professional or industry groups to build experience and get fresh ideas.
24 PwC Global Internal Audit Study 2023

IA’s human
‘superpowers’ are more
important than ever
IA must develop new tech skills while keeping human
capabilities at its core

The human touch


Professional scepticism, a risk and controls mindset,
and objectivity are long-standing IA skills and remain the
foundation for its future. As the scale and complexity of
risks change, IA will need more nuanced human skills to
have meaningful and strategic conversations with
its stakeholders. Our survey found that a smaller portion
of executives ranked strategic thinking (19%) and ability
to challenge constructively (23%) as key strengths of IA.
25 PwC Global Internal Audit Study 2023

Q. Which of the following do you consider to be the strongest attributes of your Internal Audit
department? ​(ranked top 3)

Risk and controls mindset

29%
One CAE we interviewed indicated that two of the most
Independence and objectivity
important strengths an internal auditor can have is
28% the ability to effectively relate to people in one-on-one
Business knowledge and experience meetings and to turn interviews into conversations rather
26% than interrogations.
Ability to understand complex business processes
Technology skills will remain critical, and should continue
24% to evolve, but they must be balanced by the human
Professional scepticism (e.g. ability to challenge constructively) side of the equation. Important attributes include
23% strengthening strategic thinking as well as creative
Collaborative approach thinking, agility, flexibility, and empathy. This will also
be particularly important as changes from AI and other
22%
emerging technology give organisations access to data
Communication skills (e.g. impact and empathy)
that they might not have either had access to before or
20% been able to collate manually. If there is no one able to
Creative thinking, flexibility, and agility interpret this data, turn it into information, and view it
19% through a risk and assurance lens, it will remain unused
Data analytical skills, including visualisation in the real world. PwC’s UK Internal Audit Leader,
Justin Martin, likens this to a conductor in an orchestra:
19%
“They have to understand the audience, musicians, and
Strategic thinking
instruments, and how they work together to create the
19% Ultimately you find insights by music. The difference might be that AI increases the
Technology capabilities, such as the use of RPA, Al. and GRC tools talking to people. This requires good complexity of the instruments and speed the music is
17% communication skills, empathy, played”.
People development (e.g. coaching, training) and being able to speak the same
15% language as the auditees. The
Transformation and business change expertise business has the mindset of wanting
14% to learn from mistakes and they know
Negotiation and dispute resolution that IA can help them do that.
13% Gary Burmiston, Senior Vice President,
Base: All respondents (4680)​ Corporate Audit, E.ON Energy
26 PwC Global Internal Audit Study 2023

IA Superpowers

Listening Strategic/critical/creative thinking


to hear and understand what really matters to tackle transformation and change and add value in
so we can focus and prioritise more strategic areas

Professional scepticism and objectivity


Empathy foundational to the objectivity that allows IA to see things
being able to put ourselves in the shoes of our stakeholders differently and provide confidence to others
to make our work relevant

Collaboration Social and communication skills


to reach out across the organisation, because the risk to forge the relationships that build trust to earn a seat
multiverse is too complex to tackle alone at the table, and have others listen when it matters

‘Risk-sensing’
to remain alert to internal and external data and trends
that can highlight and avoid risks before they are seen
Tech-enabled/analytical skills
being able to use technology and data practically to optimise
efficiency and offer new insights
Business acumen
to bring experience that supports the organisation’s
strategic objectives, underlying processes, and external
Agility market in which they operate
to be nimble and adapt to ways of working so IA
remains fit for purpose
Confidence
to speak up and address risks that others in the
organisation may not yet see before it’s too late

Continual evolution
Like the world around us, IA’s skills and capabilities need to keep
evolving and adapting. This requires a continual focus on professional growth
and an open mind. It may also mean changing how IA recruits, retains,
and develops talent.
27 PwC Global Internal Audit Study 2023

Talent sourcing and retention will The IA function at PT Bank Rakyat Indonesia Tbk has
what it calls a cross-border program with the first and
need more innovative approaches second line. IA personnel can move to an operational
unit or business division and then return to IA after
Just 45% of executives are very confident that IA has the
gaining greater business insight, and vice versa.
talent and skills the function will need in the next three Sometimes to be better
Triswahju Herlina, CAE, notes that, “by utilising various
to five years. They rank the lack of IA resources, skills,
and expertise to cover key risk areas as the top barrier
backgrounds and points of view, IA is able to provide auditors, we need to stop
that could prevent IA from achieving the outcomes the
broader, and more valuable, insights to stakeholders as thinking like auditors.
a strategic business partner.”
organisation wants. Suguru Watanabe, Internal
Whether sourcing from inside or outside of the Audit Director, Olympus

45%
The stakes are
organisation, most IA leaders would agree that finding
high. Turnover
and retaining talent is challenging. That is why Marie-
and re-skilling
Pauline Lauret, Chief Risk Assurance Officer, Philip
remain challenges;
Morris International, believes the only way to attract
of executives are very PwC’s 2023
talent is to have an appealing proposal—a state of the
confident that IA has Global Workforce
art vision and function—and show staff and recruits
Hopes and Fears
the talent and skills the they are contributing to shaping the future. “Talented
Survey of 54,000
function will need in workers indicates
and engaged people want to make an impact, so if
the next three to five that despite
you have an attractive proposition you will get them
years recessionary
on board,” she says,”Sustainability, for example, is
just becoming integrated fully into risk functions, and
worries and rising
Philip Morris IA is building a five-year program, thinking
unemployment in
far ahead to be able to work on the right ESG topics
some regions, 26% of employees are likely to change
to build preparedness for the future. I’m sharing our
jobs in the next 12 months, and 51% of employees with
vision around embedding ESG risks into ERM, and
specialist training believe the skills required to do their
making talent part of the process is helping to generate
job will change significantly over the next five years.
excitement and attract people to be part of it.”
28 PwC Global Internal Audit Study 2023

IA’s human ‘superpowers’ are more


4 important than ever

Levelling up: Actions to consider


Identify skills gaps: Conduct a current and future state skills
assessment. Determine how auditor capabilities can be aligned to
support the organisation’s future vision and strategy, and risk profile.

Establish a talent strategy: Create an upskilling and sourcing


strategy. Consider including guest auditor, leadership development,
and rotation and secondment (internal and external) programs, to
create diversity and new thinking. Consider co-developing this
strategy with the second line.

Consider succession: Plan for succession and transition of key


talent. Use this as a way of setting development paths and promoting
different types of skills and experience in line with the IA, talent, and
business strategies.

Incentivise self-driven learning: Create learning pathways for


different roles and ensure there is sufficient recognition and incentives
for individual upskilling, and celebrate accomplishments among
the team. Tap into the organisation’s training programmes around
leadership and soft-skills.

Assemble other superheroes: Identify individuals in the first and


second line who demonstrate the right mindset and have the right
skills to augment those of IA on particular topics. Obtain support from
business leaders for rotational programs. The quid pro quo is teams
will benefit from new perspectives and experiences. This can also be
an effective way of disseminating better risk awareness across the
organisation.
29 PwC Global Internal Audit Study 2023

IA can boost RoI by


changing its approach
to technology
The window is closing for IA to adopt the next wave of
technology innovation

Technology investment is not


delivering the desired benefits
In 2009, PwC’s Internal Audit State of the Profession Study
focused heavily on IA data and technology, and PwC has
subsequently seen a lot of activity in this area; however, the
RoI has not been realised. Just over 20% of IA functions
have achieved the desired benefits from their technology
and data investments over the last twelve months.

IA’s greatest use of technology and data has been for risk
assessment activities, audit planning, and continuous
monitoring. Some have made great strides in integrating
data into IA processes, and are seeing the benefits.
Conversely, nearly a third of IA leaders report they are not
using data and technology to a great extent in any area,
including scoping or testing activities in individual audits.
30 PwC Global Internal Audit Study 2023

Q. Which, if any, of the following outcomes have been achieved as a result of Internal
Audit’s investment in technology and data over the last 12 months?​

Able to provide more insights to the organisation

23% 41% 25% 4%


More efficient and impactful reporting (e.g. dashboards, visualisation)

22% 41% 26% 4%


Increased risk coverage (across audit plan or individual audits)

22% 40% 28% 4%


Increased efficiency (e.g. less audit effort to execute same testing)

22% 41% 26% 4%


Better risk targeting and scoping (e.g. less judgmental, data-led scoping)

21% 41% 28% 4%

Already achieved Partially achiieved Expect to achieve in next 1-3 years


Do not expect to achieve

Base: All respondents (4680) Note: ‘Unsure / Not applicable’ responses not shown
31 PwC Global Internal Audit Study 2023

There could be multiple reasons why RoI is falling short, Siloed: The technology is operated in isolation, not
but these can include: connected to other data sources in the organisation,
or accessible and visible to others. For example,
Strategy: The technology is driving the strategy, IA might have a sophisticated workflow and issue
rather than the strategy driving the technology. This is tracking tool, but if audit findings are still manually
a common pitfall, and requires pausing to reconsider collated and emailed in spreadsheets to stakeholders,
and remap activities to the business and IA strategy, its value is hidden behind a wall.
objectives and intended outcomes. In other words,
what problem or opportunity is the technology really Duplication (and confusion): Investment in similar or
being used to address, and is this realistic? competing technology is made in different parts of the
organisation, resulting in duplication. This can lead to
Measurements for success: IA has not defined the confusion over which should be used, prioritised, and
right KPIs to measure success. The outcomes might invested in.
be there, but no one is measuring them.

Status quo: The technology changes, but people’s


way of working remains the same. Resistance to
change is common and can stop teams from reaping
the full benefits of new technology. The introduction
of visualisation software, for example, can optimise
audit work and present new insights; however, some
IA functions still either don’t present the output,
or use it in a traditional report format, which can
reduce its impact.
32 PwC Global Internal Audit Study 2023
Q. Which, if any, of the following technology and data capabilities has your Internal Audit department invested
in during the last 12 months? ​Which, if any, does your Internal Audit department plan to invest in during the
next 1-3 years?

IA team member training and upskilling on technology and data

27% 18% 18% 37%


Data analytics tools and resource

25% 20% 16% 39%


Speeding up
Internal Audit management tools, such as workflow and tracking issue tracking
The advancement of AI is redefining what is possible 20% 24% 16% 40%
for organisations, business functions, and individuals.
IA leaders have discussed the potential value of Data visualisation software (e.g. to enhance reporting)
automation and AI for years, yet 52% of executives, 19% 18% 19% 44%
inclusive of IA leaders, say that IA has not invested in
AI and has no plans to do so in the next three years. Specialist auditing or monitoring tools, such as threat intelligence, fraud alert, or regulatory monitoring

18% 16% 18% 47%


Co-developing/co-investing in technology or data infrastructure with first and second line (e.g. shared data
repositories or monitoring tools)

18% 15% 18% 49%


Robotic Process Automation (RPA) or Artificial Intelligence (AI)

16% 11% 21% 52%


Specialist external service provider support

15% 17% 14% 54%


Leveraging company-wide GRC tools and ERP applications

14% 16% 17% 53%


‘Centres of Excellence’ / dedicated hubs focused on technology and data

12% 12% 16% 61%

Only 2% have invested across ALL tech/data capabilities during the last 12 months

Have invested in the last 12 months and have plans to in next 1-3 years
Have invested in the last 12 months but have no plans to in next 1-3 years
Have not invested in the last 12 months but have plans to in next 1-3 years
Have not invested in the last 12 months and have no plans to in next 1-3 years

Base: All respondents (4680) Note: 1% difference due to rounding


33 PwC Global Internal Audit Study 2023

There could be various reasons for this. It could be A financial services perspective: lots done,
fatigue from other technology investments, or it may
but more to do
be that IA leaders just don’t know how or where to get
started. There are, however, risks to inaction, including As historical barriers such as older bespoke and inflexible systems
becoming irrelevant as others move forward. improve, many IA functions are investing more to capitalise on new
opportunities: 51% of financial service firms have invested in IA team
As organisations continue to change and adopt AI, IA
member training and upskilling on data and technology in the past 12
needs to evolve in parallel. If IA doesn’t understand
months and 46% plan to do so in the next one-to-three years. Examples
AI, how can it understand the many risks arising from
of measures some have taken include:
it – or provide comfort over them? What would stop
the business from trying to forge on ahead without the A financial markets infrastructure firm put its entire team, including the
comfort IA provides or get this directly from generative AI CAE, through data analytics training, with a focus on its benefits, the
itself? And, if so, what might be the consequences (seen art of the possible, and practical tips to deliver quality insights.
or unseen)?
An investment bank embarked on a generative AI pilot. By using
The time horizon will vary and depend on when, and Natural Language Processing and training a Large Language Model,
how, each organisation adopts AI. At some point, the pilot aimed to replace a large amount of manual testing. Early
budget and resource capacity will constrain IA from indications are that it could save up to 8,000 hours annually.
covering an expanding risk landscape, and technology
will be needed to drive greater efficiency. Moreover, if A bank implemented an audit management system comprising a much
IA waits too long to recruit knowledgeable talent, those more open platform than traditional systems. This enables the team to
individuals may become hard to find or attract in a more build digital assets that automatically source enterprise data directly
competitive market. into their system for continuous risk assessment and testing.

No one knows for sure where AI will lead, but many have Technology is not the panacea. It can accelerate the availability of
an educated view, and IA needs to be at the forefront information, but human experience and judgement is needed to turn it
of that thinking. The resources available to IA functions into trusted insights. Generative AI is driving real opportunities for change,
vary significantly, but there is still an opportunity—or but a machine cannot (yet) identify the difference between right and
even a necessity—to make forward strides in embedding wrong. “In a world where doing the right thing matters more and more,
technology through all that IA does. the human touch is critical,” says Steve Frizzell, PwC’s Global Financial
Services IA Lead.
34 PwC Global Internal Audit Study 2023 Our study highlighted that Pioneers have invested in external key risk indicators to be used in risk assessment
a larger number of capabilities and are more likely to and audit planning activities, and help prioritise entities
have achieved multiple, tangible outcomes from these and audits.
investments. For instance, Pioneers are 59% more likely
to provide elevated insights, such as benchmarking and These benefits can be compounded and multiplied. The
trend analysis. One IA function, for example, was an more technology and data is woven into the fabric of IA,
early adopter in building global data analytics capabilities the more it can be connected end-to-end to increase
and infrastructure. This includes a dedicated team efficiency and effectiveness. Only 6% of organisations,
focused on data, software tools, and its own ‘data marts’ however, are using the full range of technology and data
(which were recently moved to the cloud to dramatically techniques outlined below to a great extent, so there is
improve processing time). This has allowed internal and still plenty of latent potential to unlock.

The percentage of Internal Audit departments using technology and data techniques (such as analytics and
automation) to a great extent to increase efficiency and effectiveness in the following areas:

Pioneers
Annual/periodic risk assessment and audit planning

At Elevance Health our ERM program 46% 63%


has crossover and collaboration with IA in Continuous auditing or monitoring
identifying risks. We work collaboratively Continuous auditing or monitoring
44% 65%
in identifying emerging risks, such as AI, Internal Audit performance monitoring (e.g. department Key Performance Indicators (KPIs))
and partner with our business owners
44% 66%
to be ahead of the game. For example,
Testing execution for individual audits
in partnership with our Responsible
AI function through an IA/ERM risk
Testing execution for individual audits
42% 61%
assessment, we identified opportunities to Risk planning and scoping for individual audits (e.g. preliminary analytics)

enhance and strengthen our governance 42% 58%


and internal control structure associated Investigations (e.g. forensic data analysis)
with our use of AI. The company Investigations (e.g. forensic data analysis)
41% 60%
immediately responded and devoted more Visualisation (e.g. to support enhanced reporting)
resources to our Responsible AI team to Visualisation (e.g. to support enhanced reporting)
40% 62%
develop a robust program.
Benchmarking and trend analysis (e.g. to support audit findings or provide insights)
Troy Meyer, Chief Internal Audit & Enterprise Risk 37% 59%
Management Officer, Elevance Health
Base: All respondents (4680)​
35 PwC Global Internal Audit Study 2023

IA can boost RoI by changing its


5 approach to technology

Levelling up: Actions to consider


Co-develop and co-invest in technology: Explore opportunities with
other functions to co-invest in technology and leverage data sources
and tools that may already exist (such as eGRC, analytics, workflow,
and visualisation tools) or could be co-developed together. This can
also involve sharing assurance techniques and automation, such as
monitoring routines and analytics scripts.

Connect the pipes: Work with the business and second line to
establish connections to ERP and other systems to facilitate the
efficient and effective extraction of data into risk, compliance, and
audit tools to support audits and monitoring.

Shift to continuous auditing: Create a strategy to move towards more


proactive continuous auditing and monitoring from discrete, point-in-
time audits. This should include looking for opportunities to connect
data across end-to-end processes to help provide broader and more
strategic, company-wide insights.

Build AI into IA’s technology strategy: Define the roadmap for


how AI—and AI auditing—will be implemented. Find ways to
collaborate with the broader organisation to upskill together and jointly
consider associated risks.

Start, stop, continue: When evaluating or implementing new


technology, list the activities in IA and beyond that you will start, stop
or continue. This is important so the real benefits can be considered.
36 PwC Global Internal Audit Study 2023

Speed up and shine,


or slow down and
fade away
Pioneers rarely have a template

PwC’s IA Maturity Continuum, introduced in prior IA studies,


provides a model to help IA and its stakeholders determine
where they are in their maturity journey, and where they want
to evolve, based on their mandate and vision. Our survey
shows that whilst most organisations currently categorise
their IA maturity as a ‘Problem Finder’ (12%), ‘Assurance
Provider’ (23%) or ‘Problem Solver’ (30%), more and more
organisations want IA to become a ‘trusted advisor’ in the
next three years (35%). This would involve providing new and
proactive advice on risks and initiatives that are strategic to
the organisation, and being confident in using technology to
help achieve this.

IA’s role in providing assurance and confidence is the


common denominator at any level of maturity—this is
fundamental. The differentiator between success and
failure, value and irrelevance, comes down to how effectively
IA can understand what its stakeholders want, shine a light
on what they may not see or understand, and break down
barriers to assemble and connect the right technology and
capabilities across the organisation.
37 PwC Global Internal Audit Study 2023

There is, however, no one-size-fits-all approach.


Q. Which of the following statements best describes the overall value and maturity of your Internal Audit
Pioneers rarely have a template. This means that each
department? Where would you ideally like your Internal Audit department to be within the next 3 years?
organisation needs to have clarity on where they are
now, and where they want to be in the near, mid, and
long term. The success of IA will depend on its ability to 35%
use its superpowers to listen, interpret, challenge, and
knit together the views of different stakeholders.
30%

23% 23%
21%
18%
16%
12% 13%

48%
7%
Assurance
Problem finder Problem solver Insight generator Trusted adviser
provider
Almost half of IA Reports basic exceptions Delivers objective In addition to providing In addition to helping In addition to generating
leaders (48%) are from audits of internal
controls, based on a
assurance over
processes, based on
objective
assurance, IA leverages
solve business problems,
IA provides deeper
new insights, IA is
trusted to provide
seeking to elevate static annual a risk-based audit plan expertise and technology perspectives and new proactive advice on
their IA department to audit plan to help the organisation
understand and solve
insights on meaningful
improvements and
emerging risks, strategic
initiatives, and critical
‘trusted advisor’ status problems opportunities business decisions—
within the next 3 years Now Next 3 years and uses technology to
help achieve this
Base: All respondents (4680)​Note: ‘Unsure’ responses not shown
38 PwC Global Internal Audit Study 2023

Staying relevant
Just as CEOs recognise the imperative to keep their Q. What are the most important outcomes your organisation could achieve by having
strategy and business model viable, IA has the a high performing Internal Audit department? ​(ranked top 3)
obligation to continually evolve and remain relevant.
Stronger governance and risk awareness
When Pioneers look at risk and change, they see
opportunity; when they look at complexity, they 42%
see a path forward that avoids hazards and gives the
More robust and efficient internal controls, with less frequent failures
organisation confidence to speed up. Our survey affirms that
high-performing IA functions are driving broader business
39%
outcomes and more value than ever before. Executives agree
that stronger governance and risk awareness (42%), and Optimised business processes and systems
more robust and efficient internal controls (with fewer failures)
(39%), are outcomes that result from high-performing IA 32%
functions.
Increased management confidence to make better and faster decisions
Pioneers are more likely than others to rank the following
outcomes among their top three: 31%
Increased trust from external stakeholders, including investors, regulators, and customers
New strategic business opportunities, such as cost
reduction or revenue generating initiatives.
30%
Greater success in transformation programmes, such as
Better corporate culture to deliver on the organisation’s value and purpose
digital and workforce transformation.

Greater resiliency and ability to predict or manage 29%


disruption. New strategic business opportunities, such as cost reduction or revenue generating initiatives

These are outcomes that any organisation


29%
would value, but ones that can remain hidden
behind walls if IA and the business are not Greater success in transformation programmes, such as digital and workforce transformation
willing to climb them together, look up, speak
up, and see things differently. 28%
Greater resiliency and ability to predict or manage disruption

26%

Base: All respondents excluding ‘Not sure’ responses (4667)​


39 PwC Global Internal Audit Study 2023

Contacts Shaun Willcocks


Global Internal Audit Leader
[email protected]
Kathrin Kersten
Germany Internal Audit Leader
[email protected]
We have Internal Audit teams globally +81 90 6478 6991 +49 69 9585 1201
who are ready to talk to you. Please contact Sophie Langshaw Justin Martin
those listed here, or speak to your local Australia Internal Audit Leader UK Internal Audit Leader
[email protected] [email protected]
PwC team.
+61 41 052 0548 +44 (0) 7881 802 336
Carlie Persson Mike Maali
Canada Internal Audit Leader US Internal Audit Leader
[email protected] [email protected]
+1 780 441 6700 +1 630 209 6384
Eric Yeung Laura Koelzer
China and Hong Kong Internal US Internal Audit Partner
Audit Leader [email protected]
[email protected] +1 312 502 9594
+852 2289 1953
Martin Lozier
Richard Thomas US Internal Audit Director
EMEA Internal Audit Leader [email protected]
[email protected] +1 517 937 1605
+41 79 816 27 00
www.pwc.com/gias
© 2023 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information
purposes only, and should not be used as a substitute for consultation with professional advisors. At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 152 countries with over 327,000
people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com.

You might also like