Global Internal Audit Survey 2023 — Irish Edition

Seeing through walls to find new horizons.

Man on cliff looking at stars and sky
  • Issue
  • 15 Minute Read

Megatrends such as technology, geopolitics, climate, supply chain, regulation and workstyle reform are driving rapid change and creating a ‘risk multiverse’ that organisations must navigate. Internal Audit (IA) is uniquely positioned to help organisations connect the dots and find a way through the risk and complexity. Our Global Internal Audit Survey report, including Ireland, highlights how IA can evolve, add value and remain relevant with insights and strategies for IA leaders, the Board and business executives as well as second line leaders. We also explore the characteristics of a group of pioneers who lead the way in IA and share the aspirations of Irish IA functions to increase their maturity level and invest more in technology and data capabilities.

Pioneers leading the way

Throughout this report, we will refer to a group of respondents we call ‘pioneers’. The group, which represents 8% of respondents, was identified based on three characteristics:

  1. They are very effective at raising significant risks and challenges their organisations have not yet considered;
  2. They are in the top quartile for the percentage of effort spent on strategic risk areas; and
  3. They are in the top quadrant for the percentage of work effort delivered using innovative and agile methods.

The pioneer group is small, but this reflects the nature of pioneers—those that break new ground. It is also a reality of a more globalised and connected world—standing out and being seen becomes harder, both for IA and organisations as a whole. Our data shows that pioneers stand out from their peers in several dimensions, including the number of strategic risks they cover, the outcomes they achieve from technology investments and the confidence that they have the right talent now and in the future.

Currently, none of the Irish respondents are classified as ‘pioneers’. However, encouragingly, the data shows that:

  • most (54%) Irish IA functions have aspirations to increase their maturity level and invest more in technology and data capabilities during the next one to three years; and

  • Irish IA functions would like to expand their efforts in covering more strategic areas (additional 9%) and implementing innovative and agile audit methods (additional 23%) in the next one to three years.

1. Megatrends are creating a complex and interconnected risk multiverse

IA is uniquely positioned to help organisation’s navigate risk and change

Company killers

PwC’s 26th Annual CEO Survey found that nearly one in five Irish CEOs do not expect their company to be in business in ten years if they continue on their current path.

Today’s megatrends are driving rapid global change in areas like technology, geopolitics, climate, supply chains, regulation and workstyle reform. These changes are not occurring in isolation; they are interconnected, interwoven and ‘stacking up’ to create complex risks. In other words, organisations are facing a new reality—a ‘risk multiverse’.

This complexity is amplified by the globalised nature of modern markets, faster information flows, and more sophisticated expectations of consumers, regulators and stakeholders—and greater consequences for failing to meet these expectations. This brings more blindspots and new types of disruption—or ‘company killers’.

The result can be that organisations slow down, lose confidence in their strategy and roadmap, and cannot steer quickly through change or avoid hazards. This can mean disruption at best or obsolescence at worst. This is forcing organisations to speed up transformation and change their core strategies.

A chance for IA to shine

Organisations will need different approaches, skills and technology to succeed in this new reality. For IA, it means they are needed more than ever. Our survey showed Irish respondents ranked IA’s top attributes as

  1. risk and controls mindset;

  2. independence and objectivity;

  3. professional scepticism; and

  4. collaborative approach.

Enhanced by IA’s organisational reach, this unique combination makes IA ideally placed to help organisations connect the dots and navigate risk and complexity.

When equipped with the right technology, vision and talent, IA’s ‘superpowers’ not only protect value, they also create value by ensuring the organisation can capture the upside of risk.

Our survey found that, in addition to better governance, more risk awareness and stronger internal control, Irish executives believe that a high-performing IA function can help:

  • enhance corporate culture to deliver the organisation’s value and purpose;
  • optimise business processes and systems; and
  • obtain trust from external stakeholders, including investors, regulators and customers.

Ultimately, this can mean that organisations have the confidence to adjust their risk appetite to take more risks and move quicker—all of which is critical in responding to megatrends and remaining viable as an organisation.

This means IA leaders must be bold. They must voyage into uncharted territory where there is no roadmap.

Responding to the megatrends

We see examples of IA functions tackling today’s megatrends. The Global Internal Audit Survey provides examples of IA’s response to supply chain disruption, rapid IT modernisation and the acceleration of artificial intelligence (AI).

For Ireland, however, the data shows that while we lag in addressing most megatrends in our IA plans, we are ahead of the global average in terms of addressing two megatrends:

  1. cyber security and information management (85% vs 68%); and

  2. sustainability and climate change (49% vs 44%).

Supply chain disruption

One example of multi-layered complexity is the recent supply chain disruption. This caused a crisis where demand was difficult to forecast, goods were hard to source, transportation was hard to find, and routes were backlogged and unpredictable. Volatility rippled throughout the supply chain and introduced significant risks to business models and processes, putting it high on the agenda for many organisations.

Our survey found that 33% of Irish IA functions address supply chain disruption in their audit plan (versus 47% globally), and 21% plan to do so in the next one to three years (versus 34% globally). Many, however, wonder how they can tackle risks and disruptions with such scale and speed.

Andy Banks, PwC Ireland’s Internal Audit Leader, highlights that “While much responsibility to manage supply chain risk falls on the first and second line, the third can add value by sharing insights, advising on risks and providing assurance over what the second line is doing.”

IA realises that to address the speed of these risks, all parts of the business need to be aligned with second and third lines of defence working alongside the business to ensure communication is fluid and early warning (or ‘risk-sensing’) systems are built-in. For IA, this could include working with compliance to automate supplier due diligence processes, leverage third-party intelligence data and refocus vendor audits and monitoring. IA can use its vantage point to look across the end-to-end supply chain, challenge the robustness of resilience and business continuity arrangements, and ensure that management has stress-tested the supply chain for blind spots or weaknesses, such as supplier dependencies.

Rapid IT modernisation

Accelerated by the COVID-19 pandemic, many organisations have had to turn to technology to help adapt their strategies and commercial and operational models to remain viable. This has forced IA functions to reflect on how they can keep pace with this change and reconsider where in the change lifecycle they should be involved. The investments that organisations have made in recent years—from large enterprise resource planning (ERP) system implementations to the introduction of AI, machine learning, automation and cloud solutions—mean old IA approaches may no longer work, and new skills are needed. This includes approaches to new risks around responsible AI, collaborating with outside specialists or with guest auditors from the business. It also means being bold enough to stop IA activity that adds little value.

“The IA survey highlights the considerable opportunity that exists for IA functions to be equipped with the right set of technology capabilities, but also with the need to understand emerging technology at rapid speed,” says Richard Day, Head of Risk Assurance, PwC Ireland.

AI accelerating fast

The rapid emergence of AI marks the beginning of a new phase of IT modernisation. Traditional AI is advancing, and Generative AI (GenAI) is so powerful and easy to use that it’s poised to change business models and revolutionise how work gets done. Many risks have already emerged in decision-making, privacy, cybersecurity, regulatory compliance, third-party relationships, legal obligations and intellectual property. This is explored further in PwC’s Managing the risks of generative AI publication.

IA will be key in addressing these risks and helping ensure the upside risk and RoI from AI can be realised. This includes providing stakeholders with confidence that there is a responsible governance framework around AI and appropriate controls are embedded in underlying processes. This may require IA to step outside its comfort zone and become involved earlier in the change lifecycle to assess whether the organisation’s AI strategy is appropriate and transformation risks are being addressed.

In parallel, IA has to determine how to harness the potential of AI and other technology, like robotic process automation (RPA), to evolve its own capabilities and ways of working. In the past 12 months, just 10% of Irish IA functions have invested in RPA or AI for use within the function. Many IA functions are still grappling with adopting and using more basic technology, like audit workflow or analytics tools, and the arrival of AI is causing many IA leaders to reflect on how best to approach it. Some IA functions have ‘hit a wall’ with their technology strategy as the returns from previous investments have not always met expectations—or they are not clear on the actual problem they are trying to solve with technology. We explore this further in section five of this study.

Levelling up: actions to consider

Reconcile the current IA plan with the known and emerging megatrends to identify any that might not be addressed and discuss with the audit committee, stakeholders and second line if this is the right approach.

For transformation initiatives in the organisation, such as the introduction of AI, consider who assures the alignment of business strategy, transformation objectives, implementation activities and the measurement of intended outcomes. Connecting the dots and spotting misalignments often require an objective viewpoint.

2. IA needs more involvement in strategic areas to remain relevant

IA can choose to provide new strategic value or risk becoming irrelevant

A door being opened 

PwC’s recent Irish CEO Survey asked CEOs what they consider the top threats to their business. Inflation and macroeconomic volatility topped the list. Our IA Survey shows, however, that over 60% of Irish IA functions are not addressing these two top threats in their audit plan, and 41% have no plans to do so at all.

Over 70% of Irish IA functions are still focused on traditional risk areas and implementing traditional audit methods. The remainder are focused on strategic areas and innovative and agile audit methods. This lags behind global peers, where IA functions typically demonstrate a balanced distribution of traditional and strategic or innovative approaches.

If IA is not tackling an organisation’s greatest threats, how can it be considered the last line of defence? It may be that IA does not believe it’s within its mandate to address specific areas. For some, these threats are perceived as not auditable; for others, IA may lack the confidence or skills to tackle them.

The good news is that Irish functions have an appetite and ambition to drive a more balanced approach in the next one to three years, and the door has been opened for IA to expand their involvement in other areas. Our survey shows that many Irish business leaders want more strategic engagement with IA early and proactively, with 72% wanting IA to be involved during the risk identification and assessment stage and nearly 50% seeking IA involvement in management strategy and planning. The global and local results are more or less on par, as shown in the graphs below. This may be driven by many factors, including the complexity of today’s risks, the need to provide comfort to others, awareness of the benefits of better governance, and/or recognition of IA’s value and potential.

Strategic risks are not always easy to see and sometimes differ from those documented in the risk register. They will also be specific to each organisation, so IA needs to have the right board and executive relationships—and sufficient opportunity to talk—to understand what matters. IA must be willing to challenge strategic decisions when risks indicate that a course correction is needed. However, to do this effectively, IA may need to reposition itself with stakeholders and be willing to have different conversations to be heard.

Examples of strategic areas some IA functions are auditing

  • Digital transformation, including the alignment of the IT and business strategy, adoption and use of AI (and its responsible use), and reliability of data used in strategic decision-making.
  • Mergers and acquisitions (M&A), including robustness of due diligence and approval processes, financial model reliability, coverage and quality of risk data used, process and controls integration, and appropriateness of the criteria used to measure synergies and RoI.
  • Research and development (R&D) and product design, including spend controls, alignment to business strategy, and incorporation of technology and data. This is particularly important for industries where R&D approaches have changed over recent years, such as the pharmaceutical sector.
  • Workforce transformation, including its impact on oversight, risk and control ownership, customer response, and risks in meeting other strategic objectives, such as talent and skill gaps.
  • Inflation, including inflation risk mitigation, budgeting and forecasting processes, hedging programmes, pricing adjustments and, procurement strategies (e.g. long-term contracts, and alternative sourcing models).
  • Macroeconomic volatility, including macroeconomic risk assessments and risk mitigation plans, consideration in strategic plans, physical location / production / vendor concentrations and supply chain resiliency plans, business continuity and crisis response plans, and insurance coverage analysis.

Pioneers are 38% more likely than peers to provide proactive advice on emerging risks.

Management wants better risk conversations

Our survey indicated that IA has the opportunity to have more high-quality, open and frequent conversations with management about risk. More than half of Irish IA leaders indicate frequent, high-quality risk conversations occur with the audit committee chair, the CFO, CEO, CRO, CIO/CTO and COO. There is still room for improvement for high-quality conversations—and not just progress updates—with more senior leaders, particularly for those who do not have these yet.

The benefits of better risk conversations can include new insights on emerging risks, more focused and timely assurance, and a fresh perspective on other opportunities. Our survey found that the percentage of business, risk and compliance leaders in pioneering organisations reporting good quality and frequent risk conversations with the IA leader is nearly 30 points higher than non-pioneers (63% vs 36% overall). This is where the pioneers can challenge the status quo and shine a light on alternative paths. This can help the business course correct where necessary, particularly for the one in five Irish CEOs who worry about the longer-term viability of their organisation.

Examples of how IA can have better risk conversations

The definition of ‘better’ will differ from stakeholder to stakeholder, but we have seen effective IA teams engage with their stakeholders by:

  • offering a viewpoint and commentary on new or draft business strategies and plans. IA can maintain objectivity while still offering a perspective based on their cumulative experience and ability to see risk differently;
  • authoring discussion papers or presentations on emerging risk areas or topics outside regular audit reports that offer an ‘early warning’ or prompt discussion. Our survey found that half of IA functions are authoring position papers on new risks, trends or regulations;

  • summarising findings from multiple audit reports into broader root causes and themes at a company level. This can also be mapped to trends in the industry;

  • bringing other expertise from first or second-line teams or external advisors to broaden debates and offer different perspectives (for example, in topical or risk workshops);

  • sharing materials from industry or technical sources and/or communities of interest. This can help highlight industry-level trends or emerging risks; and

  • agreeing ‘value-based’ metrics and key performance indicators (KPIs) for IA so it can be measured against the value it adds to stakeholders.

Pioneers spend an average of 66% of their focus and effort on strategic areas versus 30% of the Irish IA functions.

Levelling up: actions to consider

Review previous strategic change initiatives and at what point IA became involved. Consider what additional value could have been generated if IA had been involved earlier, and reflect this in the approach for current or future initiatives.

The right mix will differ for each organisation but it should be by design, not accident. This can involve asking stakeholders what is important to them. Using a simple matrix to plot what effort is spent on traditional versus strategic risk areas and the type of audit approach taken can be a simple way of setting the right balance.

Some IA functions have moved from formal stakeholder meetings (with agendas and minutes) to more agile conversations and have become bolder in adding views not necessarily backed by audit evidence.

Use visualisation tools to present elevated insights and show how IA connects the dots across risks and organisational silos. Vary the nature, timing and extent of reporting to fit different needs and stakeholders.

Illustrative quadrant showing IA risk focus and approach

GX IA Table

Percentages are illustrative only and each organisation needs to decide the right balance for them.

3. IA can be a unifying force

IA can harness and multiply the expertise of others to benefit everyone

Working alone will always result in blind spots

Most significant corporate failures have resulted from something the organisation either didn’t see coming or didn’t understand. Risks are not always easy to see—they can sometimes be too big (e.g. geopolitical, macro-economic, industry-wide) or buried in complex and multi-layered technical areas (e.g. regulatory, cyber, commercial). When they occur, the consequences can be seen in every part of the organisation, and often externally, which can impact reputation.

IA’s unique vantage point and risk mindset means that it is able to ‘see through the walls of the organisation’ and shine a light on areas others might not see clearly. It cannot, however, see everything all the time. It is unlikely that any one function has the skills, experience and capacity to cover the diversity of risks organisations face. Traditionally, IA functions relied on guest auditors or co-sourcing to bring in the required expertise and, while this is still necessary to reinforce IA’s capabilities, IA also needs to be confident that nothing is missed at an organisational level. This is particularly relevant to industries impacted by significant disruption to commercial models, complex reform or new technological advancements, such as the pharmaceutical, energy and financial service sectors.

The good news

The good news is that our survey showed that organisations have at least five second-line functions on average, such as information/cybersecurity, enterprise risk management and compliance functions. Over 50% of Irish respondents noted significant changes in their second-line capabilities in the last three years. In particular, they have levelled up in areas such as information/cybersecurity, ESG management, and enterprise risk management.

The strengthening of the second line represents an opportunity for IA to harness these skills and maximise the power of combining different capabilities But locally, there is work to do: just over half (54%) of Irish IA functions show strong alignment with the first and second lines on key risks and issues.

While the data in the chart above is encouraging and on par with the global view, Irish respondents recognise that there is room for improvement. 44% believe that IA has only partial alignment with other lines of defence on key risks and issues while  3% are unsure of the level of alignment. This gives IA a strong mandate to take the lead in creating a unified view and finding new ways to leverage the different capabilities in the organisation.

The concept of ‘assurance maps’, which provide a consolidated view of how comfort over key risks is being addressed across the organisation, has gained traction in the profession. While the second-line challenges and performs a critical role in its oversight of risk, compliance and internal controls, IA is in a position to provide an independent and objective assessment and elevate issues beyond management to the audit committee.

Pioneers are finding ways to make this approach mutually beneficial to IA and the business, including having combined teams to pool experience and add credibility to tackle tough or strategic areas like environmental, social and governance (ESG), M&A or digital transformation. These require IA to draw on a wide variety of capabilities, including those relating to IT and cyber, legal, people and change or human resources, finance, treasury, commercial, product development, tax and marketing.

Practically, this can involve a range of different approaches, such as:

  • jointly preparing an assurance map and aligning activity plans;

  • ensuring the links between mission statements, charters and strategies are clear (and it is understood how they fit together in the overall governance structure);

  • authoring risk papers together to brief or update stakeholders;

  • aligning risk taxonomies and control libraries, or sharing research and reference materials;

  • co-investing in technology, such as enterprise governance, risk and compliance (eGRC), data analytics and visualisation tools;

  • co-developing or sharing automation and scripts used in assurance activities;

  • talent-sharing programmes, such as secondments and guest auditors; and

  • forming communities of interest on specialist or topical matters, such as ESG.

Done well, such actions allow IA and others to achieve a ‘multiplier effect’ that adds up to better risk coverage, greater efficiency and more valuable insights. In other words, they become more than the sum of their parts. This can also have the benefit of showcasing to the audit committee and board the value of integrated assurance, and opens the door to better engagement.

A ‘risk shield’ around the organisation

A shield is only as strong as its weakest part. In today’s world, where risks can come from all directions, an organisation’s foresight and defense needs to be 360 degrees. As organisations assemble different capabilities and embrace new technology, they may also need to look differently at their internal structures, including how the three lines work together to increase agility, break down silos and remove blind spots to ‘see through walls’.

While it is critical that objectivity remains one of IA’s core superpowers, it should consider where the activities of each line intersect and overlap, how communication flows between them, and what this means for the organisation’s resilience as a whole. This involves being clear on responsibilities, the control and assurance mechanisms that exist, and the new opportunities to collaborate.

Changing the way we see IA and risk

Global IA Survey Diagram

Levelling up: actions to consider

Work with the other lines to map the different control and assurance activities performed to determine where there is duplication, blind spots and opportunities to collaborate. Make the output visible to others to help close any gaps and support investment decisions.

Identify and collaborate with any CoEs, or similar pools of experience, that may exist in your organisation. Examples include cybersecurity, data and operational excellence groups. These can provide economies of scale, optimise methodologies and promote innovation.

Bigger organisations may have the capacity to pull together cross-functional teams or interest groups on key risk or technical areas such as ESG, AI, or cyber. Similarly, encourage those in the second and third lines to get involved with professional or industry groups to build experience and get fresh ideas.

4. IA’s human ‘superpowers’ are more important than ever

IA must develop new technology skills while keeping human capabilities at its core

The human touch

Professional scepticism, a risk and controls mindset, and objectivity are long-standing IA skills and remain the foundation for its future. As the scale and complexity of risks change, IA will need more nuanced human skills to have meaningful and strategic conversations with its stakeholders. Our survey found that a smaller portion of Irish executives (8%) ranked strategic thinking and creative thinking, flexibility and agility as key strengths of IA, versus 19% globally. Further, none of the Irish respondents have highlighted technological capabilities such as the use of RPA, AI and GRC tools, as a key strength of IA, while 17% of global respondents recognised this capability.

Technology skills will remain critical and should continue to evolve, but they must be balanced by the human side of the equation. Important attributes include strengthening strategic thinking as well as creative thinking, agility, flexibility and empathy. This will also be particularly important as changes from AI and other emerging technology give organisations access to data that they might not have either had access to before or been able to collate manually.

If there is no one able to interpret this data, turn it into information and view it through a risk and assurance lens, it will remain unused in the real world. The ability to effectively relate to people in one-on-one meetings and turn interviews into conversations rather than interrogations is also key.

Talent sourcing and retention will need more innovative approaches

Just 38% (versus 45% globally) of Irish executives are very confident that IA has the talent and skills the function will need in the next three to five years. They rank being unable to recruit and retain the right talent as IA is not seen as an attractive career as the top barrier that could prevent IA from achieving the outcomes the organisation wants.

The stakes are high. Turnover and re-skilling are challenges, and our 2023 Irish Workforce Hopes and Fears Survey indicates that despite leadership efforts in the last year, employee retention continues to be a significant issue. 22% of Irish workers plan to change jobs in the next 12 months and 26% of employees with specialist training believe the skills required to do their job will change significantly over the next five years.

Levelling up: actions to consider

Conduct a current and future state skills assessment. Determine how auditor capabilities can be aligned to support the organisation’s future vision and strategy, and risk profile.

Create an upskilling and sourcing strategy. Consider including guest auditor, leadership development, and rotation and secondment (internal and external) programmes to create diversity and new thinking. Consider co-developing this strategy with the second line.

Plan for succession and the transition of key talent. Use this as a way to set development paths and promote different types of skills and experience in line with the IA, talent and business strategies.

Create learning pathways for different roles and ensure there is sufficient recognition and incentives for individual upskilling, and celebrate accomplishments among the team. Tap into the organisation’s training programmes around leadership and soft-skills.

Identify individuals in the first and second lines who demonstrate the right mindset and have the right skills to augment those of IA on particular topics. Obtain support from business leaders for rotational programmes. The quid pro quo is that teams will benefit from new perspectives and experiences. This can also be an effective way of disseminating better risk awareness across the organisation.

5. IA can boost its RoI by changing its approach to technology

The window is closing for IA to adopt the next wave of technology innovation

Technology investment is not delivering the desired benefits

In 2019, PwC’s Internal Audit State of the Profession Study focused heavily on IA data and technology. We have subsequently seen a lot of activity in this area. However, the RoI has not been realised. Just 8–15% of Irish IA functions (versus 21–23% globally) have achieved the desired benefits from their various technology and data investments over the last 12 months.

IA’s greatest use of technology and data has been for individual audits at the risk planning/scoping and testing execution phases. Some have made great strides in integrating data into IA processes, and are seeing the benefits. Conversely, most Irish IA functions report that they are not using data and technology to a great extent in any area, and are trailing behind their global counterparts even though local IA functions are ahead in terms of investments made in the last 12 months. Despite this, local IA functions remain optimistic as they plan to invest more than their global counterparts in IA team member training, data analytics tools and resources, and specialist external service provider support in the next one to three years (as seen in the next chart).

There could be multiple reasons why RoI is falling short, but these can include:

  • Strategy: the technology is driving the strategy, rather than the strategy driving the technology. This is a common pitfall and requires pausing to reconsider and remap activities to the business and IA strategy, objectives and intended outcomes. In other words, what problem or opportunity is the technology really being used to address, and is this realistic?
  • Measurements for success: IA has not defined the right KPIs to measure success. The outcomes might be there, but no one is measuring them.

  • Status quo: the technology changes, but people’s way of working remains the same. Resistance to change is common and can stop teams from reaping the full benefits of new technology. The introduction of visualisation software, for example, can optimise audit work and present new insights. However, some IA functions either don’t present the output or use it in a traditional report format, which can reduce its impact.

  • Siloed: the technology is operated in isolation, not connected to other data sources in the organisation or accessible and visible to others. For example, IA might have a sophisticated workflow and issue tracking tool, but if audit findings are still manually collated and emailed in spreadsheets to stakeholders, its value is hidden behind a wall.

  • Duplication (and confusion): investment in similar or competing technology is made in different parts of the organisation, resulting in duplication. This can lead to confusion over which should be used, prioritised and invested in.

Speeding up

The advancement of AI is redefining what is possible for organisations, business functions and individuals. IA leaders have discussed the potential value of automation and AI for years, yet 75% of Irish executives—inclusive of IA leaders—say that IA has not invested in AI and has no plans to do so in the next three years.

There could be various reasons for this. It could be fatigue from other technology investments, or it may be that IA leaders just don’t know how or where to get started. There are, however, risks to inaction, including becoming irrelevant as others move forward.

As organisations continue to change and adopt AI, IA needs to evolve in parallel. If IA doesn’t understand AI, how can it understand the many risks arising from it, or provide comfort over them? What would stop the business from trying to forge on ahead without the comfort IA provides or get this directly from GenAI itself? And, if so, what might the consequences be (seen or unseen)?

The time horizon will vary and depend on when, and how, each organisation adopts AI. At some point, budget and resource capacity will constrain IA from covering an expanding risk landscape and technology will be needed to drive greater efficiency. Moreover, if IA waits too long to recruit knowledgeable talent, those individuals may become hard to find or attract in a more competitive market.

No one knows for sure where AI will lead, but many have an educated view and IA needs to be at the forefront of that thinking. The resources available to IA functions vary significantly, but there is still an opportunity—or even a necessity—to make forward strides in embedding technology through all that IA does.

A financial services perspective: lots done, but more to do

As historical barriers such as older bespoke and inflexible systems improve, many IA functions are investing more to capitalise on new opportunities. 51% of financial services firms have invested in IA team training and upskilling on data and technology in the past 12 months, for example, and 46% plan to do so in the next one to three years. Here are some examples of measures taken:

  • A financial markets infrastructure firm put its entire team, including the chief audit executive (CAE), through data analytics training with a focus on its benefits, the art of the possible and practical tips to deliver quality insights.

  • An investment bank embarked on a generative AI pilot. By using natural language processing and training a large language model, the pilot aimed to replace a large amount of manual testing. Early indications are that it could save up to 8,000 hours annually.

  • A bank implemented an audit management system comprising a much more open platform than traditional systems. This enables the team to build digital assets that automatically plugs enterprise data directly into their system for continuous risk assessment and testing.

Technology is not the panacea. It can accelerate the availability of information, but human experience and judgement is needed to turn it into trusted insights. GenAI is driving real opportunities for change, but a machine cannot (yet) identify the difference between right and wrong.

Our study highlights that pioneers have invested in a larger number of capabilities and are more likely to have achieved multiple, tangible outcomes from these investments. For instance, pioneers are 59% more likely to provide elevated insights, such as benchmarking and trend analysis. One IA function, for example, was an early adopter in building global data analytics capabilities and infrastructure. This includes a dedicated team focused on data, software tools and its own ‘data marts’ (which were recently moved to the cloud to dramatically improve processing time). This allowed for the use of internal and external key risk indicators in risk assessments and audit planning activities, and helped prioritise entities and audits.

These benefits can be compounded and multiplied. The more technology and data is woven into the fabric of IA, the more it can be connected end-to-end to increase efficiency and effectiveness. Only 6% of organisations globally, however, use the full range of technology and data techniques outlined below to a great extent, so there is still plenty of latent potential to unlock. It is clear from our findings that Irish IA functions are yet to catch up with their global counterparts in this area. The largest discrepancies in the areas of technology and data technique deployment relate to visualisation to support enhanced reporting, benchmarking and trend analysis, and forensic data analysis.

Levelling up: actions to consider

Explore opportunities with other functions to co-invest in technology and leverage data sources and tools that may already exist (such as eGRC, analytics, workflow and visualisation tools) or could be co-developed together. This can also involve sharing assurance techniques and automation, such as monitoring routines and analytics scripts.

Work with the business and second line to establish connections to ERP and other systems to facilitate the efficient and effective extraction of data into risk, compliance and audit tools to support audits and monitoring.

Create a strategy to move towards more proactive continuous auditing and monitoring from discrete, point-in-time audits. This should include looking for opportunities to connect data across end-to-end processes to help provide broader and more strategic, company-wide insights.

Define the roadmap for how AI—and AI auditing—will be implemented. Find ways to collaborate with the broader organisation to upskill together and jointly consider associated risks.

When evaluating or implementing a new technology, list the activities in IA and beyond that you will start, stop or continue. This is important so the real benefits can be considered.

Speed up and shine, or slow down and fade away

Pioneers rarely have a template

PwC’s IA Maturity Continuum, introduced in prior IA studies, provides a model to help IA and its stakeholders determine where they are in their maturity journey, and where they want to evolve based on their mandate and vision. Our survey shows the following view of IA Maturity:

There is a positive outlook as more and more organisations want IA to become a ‘trusted advisor’ in the next three years (54% vs 35% globally). This would involve providing new and proactive advice on risks and initiatives that are strategic to the organisation, and being confident in using technology to achieve this.

IA’s role in providing assurance and confidence is the common denominator at any level of maturity—this is fundamental. The differentiator between success and failure, value and irrelevance, comes down to how effectively IA can understand what its stakeholders want, shine a light on what they may not see or understand, and break down barriers to assemble and connect the right technology and capabilities across the organisation.

There is, however, no one-size-fits-all approach. Pioneers rarely have a template. This means that each organisation needs to have clarity on where they are now, and where they want to be in the near, mid, and long-term. The success of IA will depend on its ability to use its superpowers to listen, interpret, challenge and knit together the views of different stakeholders.

Staying relevant 

Just as CEOs recognise the imperative to keep their strategy and business model viable, IA has the obligation to continually evolve and remain relevant.

When pioneers look at risk and change, they see opportunity; when they look at complexity, they see a path forward that avoids hazards and gives the organisation confidence to speed up. Our survey affirms that high-performing IA functions are driving broader business outcomes and more value than ever before. Executives agree that stronger governance and risk awareness (56%) and more robust and efficient internal controls with fewer failures (56%) are outcomes that result from high-performing IA functions.

Pioneers are more likely to rank the following outcomes among their top three:

  • New strategic business opportunities, such as cost reduction or revenue-generating initiatives.
  • Greater success in transformation programmes, such as digital and workforce transformation.
  • Greater resilience and the ability to predict or manage disruption.

These are outcomes that any organisation would value, but that can remain hidden behind walls if IA and the business are not willing to climb them together, look up, speak up, and see things differently.

Expect more from Internal Audit

Explore our services

Contact us

Andy Banks

Partner, PwC Ireland (Republic of)

Keith Power

Partner, PwC Ireland (Republic of)

Tel: +353 86 824 6993

Marian Barry

Director, PwC Ireland (Republic of)

James Scott

Director, PwC Ireland (Republic of)

Tel: +353 87 144 1818

Follow PwC Ireland