Internal audit of the future: regulatory reset

Regulation reset: new regulatory requirements will see the C-suite turning to internal audit for vital assurances, with a possible UK version of Sarbanes-Oxley creating personal responsibility for internal controls.

In a series of articles, we look at how we believe internal audit will change in the next five years. We have previously examined the changing make-up of the team, and how data analytics and artificial intelligence will drive the digital agenda, one that will become increasingly focused on ESG risks. We have also looked at how the latest innovations will generate far more creative ways of communicating internal audit’s messages and enjoyed a swift plunge into the metaverse at the same time.

In this latest article, we examine the regulatory ‘reset’ that will ultimately push greater assurance responsibilities on to the board, which will turn to internal audit for detailed assurance. Before putting pen to ‘corporate paper’, board members will seek added assurance that internal audit will be able to tackle.

  • Audit reform
  • Market demands
  • Increasingly complex regulation demands
  • Unforeseen challenges, for example, supply chain pressures and cost of living crisis
  • ‘Interesting’ times ahead

As a result of increasing oversight pressures, corporate scandals and rising demand from external stakeholders, there has been a push towards greater regulatory requirements over the whole audit process. While much attention has focused on the role of external audit, their internal counterparts will not escape the glare of reform. Whether directly or indirectly, internal audit professionals are set for a sea change in scrutiny and increased responsibilities.

Irrespective of whether current government proposals are enacted – at the time of writing we are still awaiting a formal timetable – there will still be much that internal auditors can push forward in the future on a ‘no-regrets’ basis. Markets will demand action over additional assurance even if legislation does not hit the statute books anytime soon.

Internal audit has always operated within a regulatory framework. But what will change in the coming years is the degree of complexity of that framework – whether formally defined by regulations and standards, or informally by growing stakeholder demands.

Combined with changing working patterns, shifting geopolitical and macroeconomic trends, growing awareness of cyber security and increasing focus on ESG, this regulatory pressure will ensure that the years ahead will certainly be ‘interesting’.

The growing focus on ESG reporting, and therefore regulation, will inevitably lead to a broadening of internal audit’s workload, and an increase in expectations. Internal audit will be expected to report on compliance with new regulations as well as offer assurance over emerging issues such as supply chain risk managementcyber security and data protection, issues that can only become more complex in the future.

Boards and their audit committees will need to understand these changes. But they will also need assurance that these changes are being embedded throughout the organisation. This will require a change in mindset – while maintaining independence, internal audit will increasingly work alongside other risk assurance functions, external auditors and those responsible for corporate governance to provide this additional comfort.

For this to work, the future becomes more fluid. Internal auditors will grow accustomed to greater flexibility. The rigid structures of planning, walk-throughs, testing, issue identification, issue agreement, management responses, and final opinions will have to adapt, particularly in a world of real-time information and data analysis.

All the while operating within an evolving regulatory environment, internal audit will face challenges and opportunities in equal measure. The trick will be to anticipate regulatory change to allow greater time to adapt existing and adopt new processes.

If the internal audit function is only thinking about these changes now, then the next five years could be challenging. Instead, scanning the regulatory horizon and planning for change will open up new opportunities to embed internal audit as a trusted adviser or critical friend throughout the organisation.

Read the other articles in our internal audit series here.