Redesigning Internal Audit

Key Takeaways
  • Amazon Layoffs: Hundreds of AWS jobs cut after warnings that generative AI adoption would reduce the workforce.
  • Microsoft Restructuring: 9,000 jobs eliminated in latest round of cuts, less than 4% of global staff, tied to AI investments and agility goals.
  • Internal Audit Adaptation: Functions must be designed around the risk universe, not a static audit universe.
  • Agility in Design: People, processes, and technology must evolve in step with changing risks and opportunities.
  • Future of Audit: Traditional models may lose relevance; CAEs and boards must embrace radical change to stay ahead.
Deep Dive

In this article, Norman Marks reflects on how internal audit must evolve in step with the rapid changes reshaping global businesses. Drawing on his own experience as Chief Audit Executive at Tosco Corporation, Marks argues that internal audit should be designed around the risk universe rather than static frameworks, emphasizing flexibility, agility, and a willingness to rethink traditional models in the face of AI-driven transformation.

Adapting Audit to an AI-Driven Future

Companies across the world are changing. Some are changing in response to changes in the economy, while others are changing in response to changes in technology. The point is that they are changing. That is not a surprise as we are hearing about layoffs and changes in direction all the time. For example:

  • SAN FRANCISCO, July 17 (Reuters): Amazon (AMZN.O) cut at least hundreds of jobs in its Amazon Web Services cloud computing unit, just a month after CEO Andy Jassy warned that adoption of generative AI tools would trigger a workforce reduction.
  • The Olympian, July 15: Redmond-based Microsoft announced it is laying off about 9,000 employees, weeks after cutting another 6,000. The company said it is boosting agility by reducing management layers, coinciding with recent AI investments. The latest round of layoffs amounts to less than 4% of Microsoft’s global workforce. A spokesperson explained, “We continue to implement organizational changes necessary to best position the company for success in a dynamic marketplace.”

What does change like this mean for internal audit? Here’s the principle I believe in: Internal audit should be designed to deliver the valuable assurance, advice, and insight the organization needs.

That design includes the people, processes, organization, technology, resources, and methods that will optimize value. As the organization and its assurance needs change, the internal audit function and its methods should be reassessed and may need to be redesigned.

Lessons from Tosco Corporation

Over my decade-long tenure as CAE of Tosco Corporation, the company and its business changed frequently. It grew from $2 billion to $48 billion, from one refinery in California to eight across the US, and from barely breaking even to highly profitable. It went from risk-averse (cash meetings twice a day) to using derivatives for hedging and even careful speculation.

Its business, risks, opportunities, processes, systems, leadership, and organization all changed. Several times.

The risks and opportunities in my risk universe changed (I discarded the concept of an audit universe a long time ago, as we exist to provide assurance on the management of risks and not the management of auditable entities). The greatest risk was where there was change, and there was a lot of change.

I changed the design of internal audit in line with the changes in the company. From one team in Northern California, we grew to five teams. I added technology auditors as the pace of technology change accelerated, with as many as 30% of my IA staff being techies, one of them a former systems programmer. I added an auditor with an engineering degree and another with derivatives trading experience.

In other words, my IA design was flexible and agile.

Risk vs. Audit Universe

While some design their audit plan based in part on an audit universe and in part on the resources they have, I design (and modify) the internal audit function based on what is in the risk universe.

While some look for technologies to automate their current audit frameworks and methodologies, I adopt the methods best suited to deliver the assurance my customers need and the technologies necessary to do so effectively and efficiently. Some are selecting the best hammer and looking for nails.

I see what needs to be done and then select the best tools for the job. As companies and their processes, etc. change, so does what needs to be done by internal audit. That means that the way I design my audit function, perform work, and equip it with people, tools, and other resources must change too.

The Big Questions

Will the typical internal audit model with traditional engagements and traditional reporting survive? Will IIA’s GIAS be relevant in the new world we are entering? I don’t know. Do you? Will it enable the agile, flexible, innovative, AI-equipped, and risk-taking internal audit function of today and tomorrow?

Are CAEs and boards sufficiently imaginative and creative to design the optimal internal audit function of today and tomorrow—recognizing that it will continue to change as the business changes?

Are you making the necessary, maybe radical, and certainly uncomfortable change in your internal audit function? Or are you mired to the spot, hoping all you have to do is use AI to streamline your auditing?
