The New Internal Audit Model

Internal Audit (IA) Department is being challenged like all organizations. IA is typically chartered to provide financial statement assurance, evaluate internal controls, assess operational effectiveness, compliance to laws, regulations and company policies.  But the challenge is the expansion of the audit universe, new regulations, increased technology risks, and of course, budget constraints. It is the chief audit executives role to continuous review company risk profiles and determine best and agile operating model for best effectiveness and efficiency.
The 3 IA model is:

• In-house or employees – which including recruiting staff / talent and conducting all audits, planning and maintenance of technology and methodology
• Cosourced function – blend of employees and supplemented 3rd-party providers to address gap in skill or resources while taking advantage of 3rd-party investment in technology, methodology and knowledge
• Fully outsourced – where providers are held responsible from planning to execution / audits with the direction of the audit committee and executive IA management

No one solution fits all, and really depends on various constituents and their expectations, according to Crowe Horwath: Audit Committee (plan / risk management), Executive Management (plan / financial risk / business value), External Auditors (emerging market growth / changing regulations), Internal Auditors (skills/training), and Functional  Management (understanding business / major program assistance)
IA maturity categories: Basic, Evolving, Established, Advance, and Leading.  The spectrum from basic to Leading involve, for example, Basic solely focusing on compliance risk and auditors skills not aligned with organizational audit needs, risk assessments not aligned with other risk functions or does not reflect company profiles, and use of technology is fairly limited.  Conversely an Advance focuses on compliance risk, cost reduction, and risk that affect business objectives.
An IA transformation is founded on the 3 practices:

1. Using others’ work to leverage other compliance, financial, and operating reports which will allow focus on other problems and reduce costly audits
2. Hold process owners accountable is key to being most effective and when IA is evaluating the controls, monitoring performance, and providing recommendation 
3. Providing continuous coverage based the 4 principles below to ensure resources/time is focused on the key items while maintaining demand.

4 IA Principles:

1. Compliance – implementation of periodic checks (of managers, employees, 3rd-parties) and implementing risk indicators for actionable results/reports
2. Assurance – increased focus on nonfinancial areas including IT Security, customer data, and intellectual property
3. Performance Improvement – shift of audit plans to expectations and more tangible value to organization to provide and recommend best practices through mixture of internal controls, automated processing and value-add activities within processes
4. Risk Identification – leveraging enterprisewide perspective that identify emerging risk and vulnerabilities while linking to strategic objectives, and through integrated risk assessments 

Article source: Crowe Horwath