case study examples for internal audit

Knowledge hub
Corporate Governance
Industry News
Inside Apollo Solutions

Audit case studies: lessons from real-world audit failures and success stories

If you’re an auditor, you’ve probably achieved your fair share of success stories – perhaps ...

By Nana Obeng & Tom Edwards & Yasmin Wilks

Audit case studies: lessons from real-world audit failures and success stories

If you’re an auditor, you’ve probably achieved your fair share of success stories – perhaps you’ve witnessed a few failures too.

As the saying goes, we learn from our mistakes, and audit case studies, both failures and successes serve as valuable insight. Real-life audit examples provide us with lessons on what to do and what to avoid, enabling organisations to improve their audit processes.

Ready to discover some real-world examples? Here’s our pick of a few high-profile cases…

When things go wrong

(1) enron corporation.

The Enron scandal and the subsequent collapse of the Enron Corporation serves as a stark reminder of audit failure and corporate misconduct. Possibly the most high-profile scandal ever unearthed, the Sarbanes-Oxley Act (SOX) of 2002 was passed as a result of scandals such as this, WorldCom, Tyco, and Global Crossing.

Enron's auditor Arthur Andersen was heavily criticised for failing to detect fraudulent financial reporting. And lots of lessons can be learned from this example.

Firstly, Enron’s case highlights the importance of auditors maintaining independence from the companies they audit to ensure unbiased assessments. But it also reminds us of the importance of whistle-blower protection – where there are safeguards in place, organisations will encourage openness and provide the confidence for individuals discovering financial irregularities to expose them. And Enron finally emphasises how crucial regulatory oversight is in holding auditors accountable and preventing corporate fraud.

(2) Toshiba

We’ve all heard of Toshiba , a renowned multinational conglomerate, manufacturing a wide variety of consumer and business products. Despite the company’s famous success, this chapter of their story is not one of their finest.

In July 2015, Toshiba experienced an internal audit failure that spotlighted the gap between good corporate governance structure and its practical implementation. It led to Toshiba Corp’s president, Hisao Tanaka, and his two predecessors quitting after investigators found that the company had inflated earnings by $1.2 billion between 2009 and 2014.

Regardless of a sound governance structure, the organisation suffered from a massive financial scandal, highlighting the importance of proactive internal auditing to identify and prevent financial irregularities.

(3) Ernst & Young

Even the largest professional services companies are sometimes at the centre of an audit scandal. And in the case of Ernst & Young , these kinds of scenarios serve as a reminder of the importance of a robust auditing process for even the biggest of players.

EY was fined $11.8 million for audit failures in 2016. USA regulator SEC found that EY’s audit team repeatedly failed to detect fraudulent activity for more than four consecutive years. Additionally, it was reported that EY’s team failed to take effective measures in minimising known recurring tax-related problems.

This case emphasises the critical role auditors play in scrutinising high-risk areas and addressing known deficiencies. And underscores the importance of due diligence and thoroughness in audits.

(4) WorldCom

The WorldCom scandal is another example of a colossal audit failure. Arthur Andersen, the same auditor implicated in the Enron scandal, failed to detect a massive accounting fraud at WorldCom.

What can we learn from this tale? Well, attentive auditing is essential, and auditors need to exercise a blend of vigilance and scepticism when assessing financial statements. This example also points to ethical responsibility, underscoring auditors’ moral and ethical duty to report financial irregularities.

Like Enron, WorldCom’s case was instrumental in regulatory reforms, like the Sarbanes-Oxley Act which increased corporate accountability.

Getting it right

(1) apple inc.

Tech giant Apple is widely recognised for its financial transparency and internal controls. Their financial audits consistently reflect strong performance and accountability. Key takeaways from Apple's success include their transparency – Apple publishes detailed financial statements and reports that are easily accessible to the public, building trust with investors and stakeholders. They also have a set of robust internal controls and processes in place, minimising the risk of financial mismanagement or fraud.

The organisation’s MD Tim Cook says , “We do the right thing, even when it’s not easy.”

(2) Microsoft

Microsoft's another great example of a business with transparency and accountability at its core. The tech leader has consistently demonstrated exemplary corporate governance and financial reporting .

Their success highlights several valuable lessons, including the significance of disclosure. Microsoft provides comprehensive financial disclosures, offering investors a clear picture of their financial health. And they’ve also got their finger on the pulse when it comes to risk management , with practices in place that have been instrumental in ensuring long-term financial stability.

Microsoft carries out consistent and regular financial audits , to maintain trust and transparency with all of their stakeholders.

(3) Johnson & Johnson

Johnson & Johnson's another example of a profound commitment to transparency . The healthcare multinational is renowned for its sense of responsibility when it comes to ethical conduct.

Key takeaways include their strong ethical leadership – an essential asset for fostering a culture of compliance and accountability.

They also boast hardy compliance programs , proving that investing in this area can help detect and prevent financial misconduct. Stakeholder communication is another factor in Johnson & Johnson’s audit success, and open comms are encouraged to build trust and confidence.

What can we learn from all these case studies? The need for thoroughness, vigilance, transparency, ethical leadership, and continual improvement in auditing are essential. They emphasise the importance of not just having a good corporate governance structure, but also ensuring its effective implementation. And by learning from both successes and failures, we can strive to build a corporate environment that prioritises (financial) integrity and compliance with relevant regulatory, legal, and industry standards – and, of course foster trust and prevent costly failures.

Are you looking for high-calibre talent with the skills to protect you from audit mishaps? Let’s chat about your needs. Or perhaps you’re an audit professional looking to help companies grow their audit capabilities? If you’re looking to progress your career and safeguard an exciting, growing business, get in touch , or check out our latest roles .

The costly lessons learned from 5 real-life FinCrime cases

Sign up to our newsletter

Ready to get started.

Cookie Policy
Privacy Policy
Terms & Conditions

Upload your CV today!

Internal Audit in Practice Case Studies

Report – Value for money

Date: 24 Apr 2013

The Institute of Internal Auditors and the NAO released a set of case studies illustrating some of the key principles of effective internal auditing, taken from a range of public and private sector organisations (including British Telecom, Department for Work and Pensions, EDF etc).

The case studies are grouped under: applying internal audit resources; scope of internal audit; auditing projects; the relationship with the audit committee; risk-based internal audit; and evaluating internal audit.

Internal-audit-in-practice-case-studies.pdf (.pdf — 966 KB)

Latest reports

Investigation into military support for ukraine.

Report Value for money

Defence and national security

Tackling tax evasion in high street and online retail

HM Revenue and Customs Accounts 2023-24

Report Financial audit

Money and tax

Home Posts IIA-Australia White Paper – Internal Audit Strategy – A Case Study

IIA-Australia White Paper - Internal Audit Strategy – A Case Study

	Abdulaziz Al Hidery MAcc, MITMgt, BAcc, CIA, CRMA, SOCPA Saifeldin Ali BCom, CIA, CRMA
	2024
	Internal Audit
	White Paper
	The purpose of this White Paper is to show, through a practical case study, how an internal audit function can continually move forward as the organisation changes and can successfully adapt internal audit services to help build a better organisation. This White Paper describes the methodology applied to develop an Internal Audit Strategy for Internal Audit Division at Elm Company. It has practical application to all internal audit functions who seek to stay in front with best practice solutions specifically designed for their organisation into the future.

	All
	Intermediate

A Guide to Effective Internal Management System Audits by Andrew Nichols

Get full access to A Guide to Effective Internal Management System Audits and 60K+ other titles, with a free 10-day trial of O'Reilly.

There are also live events, courses curated by job role, and more.

CHAPTER 7: RISK BASED INTERNAL AUDIT CASE STUDIES

The following case studies give examples where an internal audit was focused on ensuring resolution of a situation that put the organization at risk, by focusing not simply on compliance to documents, but by looking to process performance, cause/effect, and the “sequence and interactions” of the processes of a management system.

Get A Guide to Effective Internal Management System Audits now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Don’t leave empty-handed

Get Mark Richards’s Software Architecture Patterns ebook to better understand how to design components—and how they should interact.

It’s yours, free.

Check it out now on O’Reilly

Dive in for free with a 10-day trial of the O’Reilly learning platform—then explore all the other resources our members count on to build skills and solve problems every day.

The global body for professional accountants

Search jobs
Find an accountant
Technical activities
Help & support

Can't find your location/region listed? Please visit our global website instead

Middle East
Cayman Islands
Trinidad & Tobago
Virgin Islands (British)
United Kingdom
Czech Republic
United Arab Emirates
Saudi Arabia
State of Palestine
Syrian Arab Republic
South Africa
Africa (other)
Hong Kong SAR of China
New Zealand
Our qualifications
Getting started
Your career
Sign-up to our industry newsletter
Apply to become an ACCA student
Why choose to study ACCA?
ACCA accountancy qualifications
Getting started with ACCA
ACCA Learning
Register your interest in ACCA
Learn why you should hire ACCA members
Why train your staff with ACCA?
Recruit finance staff
Train and develop finance talent
Approved Employer programme
Employer support
Resources to help your organisation stay one step ahead
Support for Approved Learning Partners
Becoming an ACCA Approved Learning Partner
Tutor support
ACCA Study Hub for learning providers
Computer-Based Exam (CBE) centres
ACCA Content Partners
Registered Learning Partner
Exemption accreditation
University partnerships
Find tuition
Virtual classroom support for learning partners
Find CPD resources
Your membership
Member networks
AB magazine
Sectors and industries
Regulation and standards
Advocacy and mentoring
Council, elections and AGM
Tuition and study options
Study support resources
Practical experience
Our ethics modules
Student Accountant
Regulation and standards for students
Your 2024 subscription
Completing your EPSM
Completing your PER
Apply for membership
Skills webinars
Finding a great supervisor
Choosing the right objectives for you
Regularly recording your PER
The next phase of your journey
Your future once qualified
Mentoring and networks
Advance e-magazine
Affiliate video support
About policy and insights at ACCA
Meet the team
Global economics
Professional accountants - the future
Supporting the global profession
Download the insights app

Can't find your location listed? Please visit our global website instead

CPD technical article

23 December 2021

Auditing culture - a case study by Barclays Bank

Multiple-choice-questions

Alison Smith

Understanding what culture is and why it is important gives you a view as to why there is a need to audit culture as an element. learn some practical tips from this barclays case study., reading this article and answering the related questions can count towards your verifiable cpd if you are following the unit route to cpd and the content is relevant to your learning and development needs. one hour of learning equates to one unit of cpd. we suggest you use this as a guide when allocating yourself cpd units..

At a series of focus group meetings with ACCA members working in internal audit in 2016, ACCA found that culture is seen as a challenging and subjective topic but an area of interest for all members. In response to this feedback, ACCA UK’s Internal Audit Network invited Barclays Bank to present a webinar on how to audit culture.

Alison Smith - a Director in Barclays Internal Audit - presented the webinar in February 2017 and this CPD article covers some of the highlights of the content.

Understanding what culture is and why it is important gives you a view as to why there is a need to audit culture as an element. There are different approaches to auditing culture within the financial services sector, before you even consider approaches used in other industries. However having a view of the Barclays approach may help readers to develop some ideas on what they can do in their own organisations. Any approach will need to evolve over time but it can be difficult to know where to start.

What is culture?

There are many definitions of organisational culture but McKinsey coined arguably the most well-known over 50 years ago - ‘culture is the way that we do things around here’. That culture is driven predominantly by the attitudes and beliefs of the people that work within the organisation and are usually set at a high level within the organisation - the ‘tone from the top’.

Structurally, the espoused organisational culture and values tend to come down through organisational policy and standards. Barclays is not alone in having such values written down and communicated regularly both internally and externally. However an organisational culture is much more than that – it means actually living those values (and the behaviours that are driven from those values) on a day to day basis.

The organisational culture determines the approach to risk management – the risk culture being the values, beliefs, knowledge and understanding about risk, shared by a group of people with a common intended purpose, in particular the leadership and employees of an organisation (Institute of Risk Management). For Alison, the risk culture is both a product of the organisational culture but also a determinant of overall organisational culture.

Fundamentally the culture is about doing the right thing – not because it is written down in those policies and procedures but because it is the right thing to do.

Why is culture important?

Culture is important because the regulators say so, the IIA and ACCA say so, but most importantly, because poor organisational culture has been identified as one of the root causes of poor behaviour in corporates and has caused harm to both customers and reputation. Alison’s view is that managing culture is a vital issue for boards to ensure that not only are they setting the right tone at the top but that all employees are acting in accordance with their organisation’s ethics and values.

Within the financial services industry, stakeholders including regulators are keenly focused on culture within their observations and much has been written and researched by industry commentators, rule setters and implementers. The Group of 30 report Banking Conduct and Culture: A Call for Sustained and Comprehensive Reform and the Financial Reporting Council’s report Corporate Culture and the Role of Boards are good examples. Investors have now taken a keen interest – just as they took an interest in CSR and organisations contributing to the community, investors are taking in interest in the cultural elements of an organisation.

In these reports there is considerable reference to the importance of having a strong three lines of defence within an organisation and the role of internal audit in assessing the culture, challenging it, and highlighting to management where there may be cultural failings.

Barclays approach

The failings of culture within the financial services industry have been well documented. Barclays took a stand very early on in 2012 to look at a transformational programme. Part of that programme was around culture and values within the organisation and setting up a common purpose of ‘helping people to achieve their ambitions - in the right way’. The purpose is supported by five values – Respect, Integrity, Service, Excellence and Stewardship.

The transformation programme was about ensuring that these values were lived on a daily basis and not just espoused. The first activity that Barclays undertook to embed those values throughout the organisation was to have all 140,000 colleagues to spend half a day talking about what those values meant – not from a theoretical perspective but what they meant to individuals. This allowed colleagues to engage with those values, consider whether they were values that they had personally as individuals, identifying which ones were challenging to fulfil on a day to day basis in their roles, and highlighting the ones they felt were particularly important for their role and area of the organisation.

The tone from the top was critical to its success - the chief executive and executive team provided time for all of the 140,000 colleagues to attend these courses so they could start to engage with those values. After that, Barclays built their values into all elements of the employee lifecycle from recruitment to performance management. Recruitment was not just based on what candidates could do but also the values that they held. Once the right people were recruited, their induction into the organisation reinforced the values that were important to Barclays.

Existing employees were helped to engage with the values through a change in the performance management process - objectives were set not just on what people would deliver but also how they would deliver, with a real focus on values. That involved educating employees and their managers, but it meant that employees were rewarded and incentivised on the basis of the values of the organisation.

Alison’s early thinking around culture started with a paper that was produced by the Financial Stability Board ( Guidance on Supervisory Interaction with Financial Institutions on Risk Culture - A Framework for Assessing Risk Culture ) that highlighted four critical elements required to achieve cultural change and drive culture throughout an organisation. Open communication channels were critical, as was the tone from the top, so that people felt they were empowered to challenge and escalate. Accountability through clear roles and responsibilities, and incentives that reinforce the maintenance of desired risk management behaviour were the other two critical elements highlighted as necessary for a sound risk culture.

It was recognised that colleagues would need support for difficult decisions where there was potential for conflicts of interest. As well as training on the values, colleagues were also trained in ‘the Barclays Lens’ – a decision making tool for assessing the impact of decisions on all stakeholders.

Why do we audit culture?

Alison provided real life examples of how the culture of an organisation can overcome controls = illustrating why it is so important to audit culture. One example was the accident that happened on the Smiler ride at Alton Towers in 2015 - engineers failed to notice a carriage that had stopped mid-way around the ride. They assumed that there was a problem with the computer and over-rode the stop mechanism setting another train in motion and into the empty carriage with tragic consequences. The culture overcame the controls in that example - a culture that did not give sufficient weight to warning signs to the point where it was felt that they could be ignored.

Who should do a culture audit?

A culture audit is a different beast to auditing processes and controls, so there is a need to consider the skillsets that the internal audit function need to be able to deliver those audits. With culture audits, observation on the behaviour of people is core. You can understand the culture either through surveys, through speaking with people, or through observation - some of the techniques used for assessing controls.

With that in mind, it may not take much additional training for internal auditors to be able to look at culture within an organisation. More important is having the right mind set - being open to thinking about what is happening within your organisation, why things work the way they do, and being able to challenge that. You could consider whether those skillsets already exist within the organisation – not just necessarily within internal audit - and whether it is possible to up-skill people, or work in multi-disciplinary teams.

How do we audit culture?

There are different ways to tackle audit of culture. Some organisations have gone down the route of bringing in specialist skills into internal audit – such as organisational psychologists that may be able to help with understanding behaviours and the culture within an organisation. Another consideration under ‘how’ is whether there are certain areas that you might want to deep dive into to understand the subcultures within the firm, or at the other extreme, looking at it more globally in terms of what messages are coming from very senior colleagues.

Barclays internal audit approach

During the transformation process, Alison was working in multi-disciplinary teams -principally risk, HR and compliance - on how they were going to start to think about culture and how they were going to measure the impact of the cultural change programme that was happening within the firm. An argument had to be made for why it was necessary to measure the impact - which was to know that the culture was changing in the way they wanted it to and that the values were really being lived on a day to day basis inside the business. That was the genesis of three-pronged Barclays internal approach as illustrated by the diagram below.

The first element was initially to audit the way that the business was thinking about how it would measure the cultural change. Now that there is a cultural measurement framework in place, it is about auditing that framework. Alison’s team has recently conducted the first review of auditing the measurement framework and that will be reported to the board. That audit was at a group level - over the next 12-18 months, her team will start to look at not just the measurement but also how that framework is being used and how the metrics provided by the framework are used.

The second element is around the drivers and enablers of cultural change – all the aspects around the employee life cycle mentioned earlier. It is possible to audit recruitment processes, the way that employees are inducted into the firm and the objectives that are set for people (is there anything within those objectives that may be contrary to the culture we are trying to establish). Disciplinary and grievance processes can be audited and assessed for any indicators about organisational culture. Attrition levels within the organisation can also be assessed for any cultural reasons driving those attrition levels.

The final element is termed ‘audit everywhere’. For any standard business audit, a management control approach is conducted – so as well as giving an assessment for the control environment, the area is also assessed for its management control approach. This looks at risk culture and how effective management is in unearthing issues and then fixing them. It looks at their approach to risk management – to controls – and how they ensure that people within their part of the organisation really understand what their responsibilities are in relation to operating control and also escalating where controls are not working as they should do.

Regular reporting of the audit results to the audit committee ensure this is reviewed by the board.

Exploring behavioural observation tools

Alison and her team are considering different ways to evolve their approach to auditing culture. With every approach, their aim is to ensure that they act as a true third line of defence rather than doing anything that would be expected of the first or second line. As part of evolving their approach, they are starting to explore techniques that can be used to better equip their auditors to observe behaviour -including the use of ethnography* as promoted by the Banking Standards Board as a different way to observe culture. This is not necessarily another element but it is a possible means of improving assessment around their management control approach.

Access the webinar and Q&A session .

ACCA culture-governance tool

The ACCA culture-governance tool seeks to support organisations with their culture goals. ACCA developed this tool on the basis of research conducted since 2012 under a global initiative called Culture and channelling corporate behaviour . Under this initiative ACCA held a series of international roundtables in London, New York, Dubai and Bengaluru alongside a survey of ACCA’s global membership, to which close to 2,000 members responded. A number of reports were produced.

Subsequent research inspired by the findings called Effective speak-up arrangements for whistle-blowers also informed the development of the tool.

The ACCA culture-governance tool aids organisations review culture and determine the course of change.

*Ethnography is the systematic study of people and cultures. It is designed to explore cultural phenomena where the researcher observes society from the point of view of the subject of the study. The resulting field study or case report reflects the knowledge and the system of meanings in the lives of a cultural group.

Useful links

Make a payment
ACCA Rulebook
Work for us
Supporting Ukraine

Using this site

Accessibility
Legal & copyright
Advertising

Send us a message

Planned system updates

View our maintenance windows

Internal Audit Effectiveness: Multiple Case Study Research Involving Chief Audit Executives and Senior Management

February 2017
EDPACS 55(1):1-17

Johannes Gutenberg-Universität Mainz
This person is not on ResearchGate, or hasn't claimed this research yet.

Abstract and Figures

Discover the world's research

25+ million members
160+ million publication pages
2.3+ billion citations

Abdalwali Lutfi

Mehtab Çelik

تامر أحمد محمد مرسي
عبدالوهاب نصر عيسى
شحاته السيد شحاته

Fatemeh Khodabandehlou
Tedi Rustendi
Elnaz Vafaei
Hajinder Singh

J MARKETING

Grit Laudel

MacGregor Alan
Astrid Geis
Hermann Simon

G. Randolph Just

Mario J. Maletta

Bryan K. Church

Torsten Gonschorek
Recruit researchers
Join for free
Login Email Tip: Most researchers use their institutional email address as their ResearchGate login Password Forgot password? Keep me logged in Log in or Continue with Google Welcome back! Please log in. Email · Hint Tip: Most researchers use their institutional email address as their ResearchGate login Password Forgot password? Keep me logged in Log in or Continue with Google No account? Sign up

Accounting and Business Consultants, LLC | 800-930-2923

Case Studies

Case study #1, sox compliance – auditing expertise and resources provided to a pharmaceutical company.

An SEC-registered pharmaceutical public company and large accelerated filer with revenue increases from approximately $150 million to $600 million in 3 years required additional internal auditing expertise and resources to meet new and changing compliance and internal control requirements. READ FULL STUDY >>

Case Study #2

Merger and sap implementation – accounting expertise, resources and an interim controller required by an electronic material manufacturer in the electronics industry.

A manufacturing company with significant revenue growth over several years and approximately $500 million in revenue was implementing an SAP system and required additional accounting resources and an interim controller during the implementation project and after. READ FULL STUDY >>

Case Study #3

Sap implementation – accounting resource and project management leadership for a medical imaging products manufacturer .

A privately held US manufacturing company of medical imaging products with approximately $1 billion in revenue with offices in Delaware, Europe, Australia and Japan was implementing SAP and required an interim management resource to assist with the FI module configuration and testing and with project management of the implementation and training efforts in Sydney, Australia. READ FULL STUDY >>

Case Study #4

Internal controls expertise, training and project planning for an oil company.

An African oil company with approximately $12 billion in revenue and multiple subsidiaries wanted to provide in-house training to approximately 50 key accounting and audit executives and managers. The Company also required assistance developing a Company-wide internal control project implementation plan. READ FULL STUDY >>

Case Study #5

Outsourced sox compliance and internal audit expertise for a real estate management company.

An SEC-registered real estate public company with approximately $15 million in revenue required outsourced internal auditing expertise to handle all compliance and internal control requirements. The company had limited accounting personnel and required best practices in implementing COSO and control monitoring solutions. READ FULL STUDY >>

Case Study #6

Implementation of it policies, procedures, and controls for a pharmaceutical manufacturing company.

A public company in the pharmaceutical industry experienced significant growth over several years and required enhanced IT policies and procedures and adoption of a security and availability controls framework. READ FULL STUDY >>

Case Study #7

Soc 2 audit for an it managed services provider.

A large customer of an IT service organization providing outsourced managed services required an SOC 2 audit. READ FULL STUDY >>

Case Study #8

It sox controls documentation for european pharmaceutical company.

A large privately owned European pharmaceutical company with over $3 billion in revenue and limited experience with SOX compliance in the USA required audit expertise to document IT controls relative to IT operations for a division being purchased by a US company. READ FULL STUDY

Case Study #9

Reconciliation project leadership, expertise and resources provided to a nationwide bank.

A large public company financial institution with over $11 billion in assets and approximately $800 million in revenue had a breakdown in reconciliation procedures for automated processing of transactions by an outsourced processor. The Bank required expertise and resources to resolve control weaknesses and investigate unreconciled prior year processing errors and irregularities. READ FULL STUDY

Case Study #10

Sox and internal control project management leadership and resources provided to an energy company.

A large public energy company with $6 billion in revenue and multiple subsidiaries was required to document and implement internal controls throughout the company and at various locations for Sarbanes Oxley (SOX) requirements. READ FULL STUDY

Case Study #11

Audit expertise and resource for a regional water company.

A local public water company, with $77 million in revenue and $431 million in assets, acquired property and certain equipment pursuant to an acquisition agreement with a local municipality. Management required an independent auditor to perform steps to ensure certain aspects of the agreement were adhered to and reports provided were reliable. READ FULL STUDY

Case Study #12

Compliance assistance and resource provided to a world wide bank operating in delaware.

A worldwide bank with operations in Delaware required assistance with strategic planning and research efforts relating to compliance with the Community Reinvestment Act (CRA). The Delaware bank has assets approximating $28 billion and interest and other revenue of $2.8 million. READ FULL STUDY

Case Study #13

Outsourced sox services provided to an sec public company.

An SEC-registered public company on the verge of bankruptcy required outsourced internal auditing expertise to handle all compliance and internal control requirements. The company had limited resources and accounting personnel and required an efficient approach to ongoing Sarbanes Oxley (SOX) Compliance efforts. READ FULL STUDY

Case Study #14

Document procedures, risks and controls for a manufacturing division of a large public company. assist with accounting for carve out transaction.

A large public company helicopter manufacturing division with limited accounting and compliance personnel was required by its corporate headquarters to document procedures for business processes and to identify financial reporting risks and controls in those processes. At the same time, management required assistance in carving out a line of business for a sale transaction. READ FULL STUDY

Case Study #15

Special projects and reconciliation specialist for a nationwide bank.

A large public company financial institution required an audit and reconciliation specialist to lead various special projects and reconciliation efforts throughout the bank. READ FULL STUDY

Case Study #16

Provided internal controls expertise, leadership, and resources to a full solution security services company.

A public company and nationwide provider of full solution security services and revenue approximating $140 million required expertise, leadership and resources to implement the May 2013 COSO Framework, assist the company in documenting its risk assessment, enhance business process documentation and controls, including IT and entity level controls, and to assist in developing ongoing monitoring plans and separate evaluations. READ FULL STUDY

Contact Us Now

Send a message through our website and we'll be in touch soon.

SEND US A FILE

Use our secure file sharing system to safely send us your files

Send File »

CLIENT CASE STUDIES

We've helped many businesses just like yours with controls and compliance.

Learn More »

Academia.edu no longer supports Internet Explorer.

To browse Academia.edu and the wider internet faster and more securely, please take a few seconds to upgrade your browser .

Enter the email address you signed up with and we'll email you a reset link.

We're Hiring!
Help Center

INTERNAL AUDITING CASE STUDY

Related Papers

Farah Adiba

individual assignment

Contemporary Accounting Research

Joseph Carcello , Terry Neal

... We thank Scott Bron-son, Jon Hansen, Katherine Hansen, Beverly Hudler, Shelly Kane, Stacy Mastrolia, Fred Muchunu, Hazel Ryon, and Beth Swang for their assistance in transcribing, tabulating, and cod-ing the interview data. ...

1 Pursuant to paragraph 7.4.3 of the Procedures for the Audit Scheme (resolution A.1067(28)), this document contains in the annex a consolidated audit summary report (CASR) on the final eight audits conducted under VIMSAS and the transitional arrangements. 2 The CASR, which is intended to facilitate the attainment of two of the objectives of the Scheme as contained in paragraphs 5.2.3 and 5.2.4 of the Scheme's Framework, has been developed to reflect the findings identified during audits, which in themselves provide valuable lessons for Member States and would enable the Organization to further consider the effectiveness and appropriateness of its legislation. 3 The Framework and Procedures for the Scheme do not stipulate the format and method for the distribution of a CASR. As is now the established practice, the report is issued once a year as a Council document during the first year of a biennium and as an Assembly document during the second year. The report now contains findings and the related corrective action undertaken or proposed by the audited State, the root cause for each finding, areas of positive development, areas for further development, as well as any best practice identified during the audit.

Maandblad Voor Accountancy en Bedrijfseconomie

philip wallage

Quality in primary care

Keith Stevenson

Robert Denham

internal audit in india

Vivek Mishra

Internal Audit Foundation

Rainer Lenz

6/24/2020 New Internal Audit Foundation Report Challenges Internal Auditor Functions to Be Value Drivers This new Internal Audit Foundation report, based on the findings of a global survey and in-depth interviews with world-class internal audit functions, addresses the question, “What is the added value of internal auditing?” It suggests concrete pointers on how to define and measure added value, and how to communicate that value to stakeholders. The findings in this report, one of the Internal Audit Foundation’s first crowdfunded research efforts (learn more), are based on a global survey and in-depth interviews with key individuals and chief audit executives of diverse organizations considered to have best-practice internal audit functions. The results suggest a maturity model that distinguishes “governance, risk, and control (GRC) partner,” “trusted advisor,” and “value driver” as growing roles of the internal audit function. This approach can help internal audit functions clarify what the added value of internal audit should look like, how chief audit executives (CAEs) and key stakeholders can measure the success of the function, and how internal auditors and CAEs can communicate that added value to stakeholders. The idea of internal auditing being a value driver means it adapts to circumstances at the speed of risk, takes a seat at the table, and offers unique insights and foresight that can contribute to discussions about corporate culture, strategy, operations, and decision making. The report’s authors, Marc Eulerich, CIA, and Rainer Lenz, CIA, QIAL, conclude that internal auditors should become value drivers if they are not already aspiring to do so. https://na.theiia.org/news/Pages/New-Internal-Audit-Foundation-Report-Challenges-Internal-Auditor-Functions-to-Be-Value-Drivers.aspx

Loading Preview

Sorry, preview is currently unavailable. You can download the paper by clicking the button above.

RELATED PAPERS

Rajendra P Srivastava

Martin Francis

Current Issues in Auditing

Pamela Roush

Kapil Dhaka

Hendra Hermawan

Danique Brown

Joanna Przybylska , Waldemar Rydzak , Jacek Trębecki

Hossain, D. M. and Khan, A. R. (2007), Audit committee: a summary of findings of some existing literature, The Cost and Management, Vol. 34, No. 5, pp. 40-57. (Bangladesh)

DEWAN MAHBOOB HOSSAIN

Gerald Goldhaber

Sanjeev Kumar Sahu

nabil Hageb

James Bierstaker

Steven Firer

Studies in Business and Economics

mayar mohamed

diana ghozali

AUDITING: A Journal of Practice & Theory

Robin Radtke

Analele Universităţii Constantin Brâncuşi din Târgu Jiu : Seria Economie

Cosmin Matis

Agronomy Journal

We're Hiring!
Help Center
Find new research papers in:
Health Sciences
Earth Sciences
Cognitive Science
Mathematics
Computer Science
Academia ©2024

Global (EN)
Albania (en)
Algeria (fr)
Argentina (es)
Armenia (en)
Australia (en)
Austria (de)
Austria (en)
Azerbaijan (en)
Bahamas (en)
Bahrain (en)
Bangladesh (en)
Barbados (en)
Belgium (en)
Belgium (nl)
Bermuda (en)
Bosnia and Herzegovina (en)
Brasil (pt)
Brazil (en)
British Virgin Islands (en)
Bulgaria (en)
Cambodia (en)
Cameroon (fr)
Canada (en)
Canada (fr)
Cayman Islands (en)
Channel Islands (en)
Colombia (es)
Costa Rica (es)
Croatia (en)
Cyprus (en)
Czech Republic (cs)
Czech Republic (en)
DR Congo (fr)
Denmark (da)
Denmark (en)
Ecuador (es)
Estonia (en)
Estonia (et)
Finland (fi)
France (fr)
Georgia (en)
Germany (de)
Germany (en)
Gibraltar (en)
Greece (el)
Greece (en)
Hong Kong SAR (en)
Hungary (en)
Hungary (hu)
Iceland (is)
Indonesia (en)
Ireland (en)
Isle of Man (en)
Israel (en)
Ivory Coast (fr)
Jamaica (en)
Jordan (en)
Kazakhstan (en)
Kazakhstan (kk)
Kazakhstan (ru)
Kuwait (en)
Latvia (en)
Latvia (lv)
Lebanon (en)
Lithuania (en)
Lithuania (lt)
Luxembourg (en)
Macau SAR (en)
Malaysia (en)
Mauritius (en)
Mexico (es)
Moldova (en)
Monaco (en)
Monaco (fr)
Mongolia (en)
Montenegro (en)
Mozambique (en)
Myanmar (en)
Namibia (en)
Netherlands (en)
Netherlands (nl)
New Zealand (en)
Nigeria (en)
North Macedonia (en)
Norway (nb)
Pakistan (en)
Panama (es)
Philippines (en)
Poland (en)
Poland (pl)
Portugal (en)
Portugal (pt)
Romania (en)
Romania (ro)
Saudi Arabia (en)
Serbia (en)
Singapore (en)
Slovakia (en)
Slovakia (sk)
Slovenia (en)
South Africa (en)
Sri Lanka (en)
Sweden (sv)
Switzerland (de)
Switzerland (en)
Switzerland (fr)
Taiwan (en)
Taiwan (zh)
Thailand (en)
Trinidad and Tobago (en)
Tunisia (en)
Tunisia (fr)
Turkey (en)
Turkey (tr)
Ukraine (en)
Ukraine (ru)
Ukraine (uk)
United Arab Emirates (en)
United Kingdom (en)
United States (en)
Uruguay (es)
Uzbekistan (en)
Uzbekistan (ru)
Venezuela (es)
Vietnam (en)
Vietnam (vi)
Zambia (en)
Zimbabwe (en)
Financial Reporting View
Women's Leadership
Corporate Finance
Board Leadership
Executive Education

Fresh thinking and actionable insights that address critical issues your organization faces.

Insights by Industry
Insights by Topic

KPMG's multi-disciplinary approach and deep, practical industry knowledge help clients meet challenges and respond to opportunities.

Advisory Services
Audit Services
Tax Services

Services to meet your business goals

Technology Alliances

KPMG has market-leading alliances with many of the world's leading software and services vendors.

Helping clients meet their business challenges begins with an in-depth understanding of the industries in which they work. That’s why KPMG LLP established its industry-driven structure. In fact, KPMG LLP was the first of the Big Four firms to organize itself along the same industry lines as clients.

Our Industries

How We Work

We bring together passionate problem-solvers, innovative technologies, and full-service capabilities to create opportunity with every insight.

What sets us apart

Careers & Culture

What is culture? Culture is how we do things around here. It is the combination of a predominant mindset, actions (both big and small) that we all commit to every day, and the underlying processes, programs and systems supporting how work gets done.

Relevant Results

Sorry, there are no results matching your search., case studies.

See how KPMG has helped organizations transform themselves to compete more effectively.

Innovation insights
Enterprise-wide Innovation

Explore client stories

Redefining what’s possible in the pursuit of health equity

Helping Morehouse School of Medicine globalize its impact and modernize its capabilities

Thinking ahead for even faster global growth

A KPMG Ignition session makes the difference as Brown & Brown insurance accelerates HR, finance, and IT transformation

Fraud protection comes first as a banking software provider eyes cloud transformation

KPMG delivers speed to value through an elegant orchestration layer

A new leader reimagines the tax function

KPMG helped an industrial equipment manufacturer map the road to its future-state tax department

An innovative workshop session plants the seeds for change and growth

KPMG Ignition helps the Crop Science division of Bayer make the changes that matter for finance transformation

Uber rethinks the rules of the road. Again.

KPMG’s flexible, listen-to-design approach extends a legacy of tax technology innovation.

Meet our team

Thank you for contacting KPMG. We will respond to you as soon as possible.

Contact KPMG

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's Privacy Statement .

Job seekers

Visit our careers section or search our jobs database.

Use the RFP submission form to detail the services KPMG can help assist you with.

Office locations

International hotline

You can confidentially report concerns to the KPMG International hotline

Press contacts

Do you need to speak with our Press Office? Here's how to get in touch.

Move fast, think slow: How financial services can strike a balance with GenAI

Take on Tomorrow @ the World Economic Forum in Davos: Energy demand

Perspectives from the Global Entertainment & Media Outlook 2024–2028

Climate risk, resilience and adaptation

Business transformation

Sustainability assurance

The Leadership Agenda

Global Workforce Hopes and Fears Survey 2024

The s+b digital issue: Game over to game on

The New Equation

PwC’s Global Annual Review

Committing to Net Zero

The Solvers Challenge

Loading Results

No Match Found

PwC Global Internal Audit Study 2023

Seeing through walls to find new horizons.

15 minute read

For more than a decade, PwC has conducted global surveys with Internal Audit (IA) leaders and their stakeholders. Our 2023 survey was our largest ever. It captured views from 4,680 IA leaders (41%), board members and executives in the business (37%), and second line risk (11%) and compliance (11%) leaders. It covered 81 countries across a wide range of industries.

Playback of this video is not currently available

How this study can help you

Our IA studies have helped to capture new ideas, stimulate debate, and unlock new opportunities for IA functions to evolve, add value, and remain relevant. The insights shared in this report can help not just IA leaders, but those who rely on IA’s ‘superpowers’ to give them confidence, and help see risk differently.

Update or create your IA strategy
Support case for investment and change initiatives
Have different conversations with stakeholders on new risks or topics
Identify ways to achieve better return on investment (RoI) from technology
Train your IA team and plan your talent strategy

Board and Business Executives

Generate ideas to maximise the value you get from IA
Identify blind spots or strategic areas where you may need assurance
Increase collaboration between first, second, and third line to increase efficiency and effectiveness
Have different conversations with IA on new risks or topics

Second Line Leaders (Risk, Compliance, etc.)

Challenge risk coverage based on new or emerging threats
Identify strategies for collaboration with IA
Consider data and technology that could be shared or co-developed
Brief your team on new IA trends and identify opportunities for cooperation in talent models

Five key findings

Our survey highlighted five compelling findings. Each is explored further in this report, focusing on why they matter to IA and its stakeholders, the value to the organisation, and practical tips to address them.

1. Megatrends are creating a complex and interconnected risk multiverse

Recent megatrends are creating risks in new areas that are unprecedented in scale and complexity. IA is uniquely positioned to give the organisation confidence to navigate these challenges and find a new direction—and new opportunities.

2. IA needs more involvement in strategic areas to remain relevant

Driven by increased complexity and higher stakes, business executives are opening the door for IA to help them address more strategic areas. IA can choose to engage differently with its stakeholders to provide new strategic value, or risk becoming irrelevant.

3. IA can be a unifying force

First and second line have ‘levelled up’ their capabilities and response to risk. IA can help combine expertise across the organisation to harness momentum and forge something stronger together.

4. IA’s human ‘superpowers’ are more important than ever

Technology has become exponentially more sophisticated, providing organisations with access to more data and opportunities than ever before. IA must continue to evolve its human capabilities to ensure it can turn data into decisions, build new relationships, and help others to see risk differently.

5. IA can boost its RoI by changing its approach to technology

Technology investment in recent years has not yielded the returns many have expected and the next wave of technology is already here. IA needs to recalibrate its approach and work with others to unlock the potential of technology; but the window is closing fast.

“Whilst today’s world and its risks are more connected than ever, the level of complexity and pace of change can mean it’s hard to focus and see clearly what’s important. Many organisations still have functional silos that are rigid and hard to traverse, information and data that is difficult to access or trust, and communication gaps that are behavioural and tough to change. Together, these create ‘walls’ that restrict agility, stifle innovation, and limit the power of working as one organisation. The interwoven themes explored in this study will show that IA’s objectivity and ability to ‘connect the dots’ means that it has the potential to ‘see through’—and ultimately break down—these walls, to create new value, and give its stakeholders the confidence to navigate the risk multiverse.”

Pioneers leading the way

Throughout this report we will refer to a group of respondents we call ‘Pioneers’. The group, which represents 8% of respondents, was identified based on three characteristics: (1) they are very effective at raising significant risks and challenges the organisation has not yet considered, (2) they are in the top quartile for percentage of effort spent on strategic risk areas, and (3) they are in the top quadrant for percentage of work effort delivered using innovative and agile methods.

The Pioneer group is small, but this reflects the nature of pioneers—those that break new ground. It is also a reality of a more globalised and connected world—standing out and being seen becomes harder, both for IA, and organisations as a whole. Our data shows that Pioneers stand out from their peers in a number of dimensions, including the number of strategic risks they cover, the outcomes they are achieving from technology investments, and confidence that they have the right talent now and in the future.

IA is uniquely positioned to help the organisation navigate risk and change

Company killers.

Today’s megatrends are driving rapid global change in areas like technology, geopolitics, climate, supply chains, regulation, and workstyle reform. These changes are not occurring in isolation, but rather they are interconnected, interwoven, and ‘stacking up’ to create complex risks. In other words, organisations are facing a new reality—a ‘risk multiverse’.

This complexity is amplified by the globalised nature of modern markets, faster information flows, and more sophisticated expectations of consumers, regulators, and stakeholders—and greater consequences for failing to meet these expectations. This brings with it more blindspots and new types of disruption—or ‘company killers’.

The result can be that organisations slow down, lose confidence in their strategy and roadmap, and are unable to steer quickly through change or avoid hazards. This can mean disruption at best, or obsolescence at worst. This is forcing organisations to speed up transformation and change their core strategies. PwC’s 26th Annual CEO Survey found that nearly 40% of global CEOs do not think their organisations will be economically viable in ten years’ time if they continue on with their current strategy.

A chance for IA to shine

To succeed in this new reality, organisations will need different approaches, skills, and technology. For IA, it means they are needed more than ever. Our survey showed respondents ranked IA’s top attributes as its (1) risk and controls mindset, (2) independence and objectivity, and (3) business knowledge and experience. Enhanced by IA’s organisational reach, this unique combination makes IA ideally placed to help organisations connect the dots and navigate risk and complexity.

When equipped with the right technology, vision, and talent, IA’s ‘superpowers’ can not only protect value, but also create value by ensuring the organisation can capture the upside of risk. Our survey found that, in addition to better governance, more risk awareness, and stronger internal control, executives believe that a high-performing IA function can help:

Optimise business processes and systems
Provide confidence to make better and faster management decisions
Obtain trust from external stakeholders, including investors, regulators, and customers

Ultimately this can mean organisations have the confidence to adjust their risk appetite to take more risks and move quicker—all of which is critical in responding to the megatrends and remaining viable as an organisation.

For IA, This means that IA leaders must be bold. They must voyage into uncharted territory where there is no roadmap.

Responding to the megatrends

We are seeing examples of IA functions pushing forward to tackle today’s megatrends. The following are examples of IA's response to supply chain disruption, rapid IT modernisation, and acceleration of Artificial Intelligence (AI).

(i) Supply chain disruption

One example of multi-layered complexity has been the recent supply chain disruption. This caused a crisis where demand was difficult to forecast, goods were hard to source, transportation was hard to find, and routes were backlogged and unpredictable. Volatility rippled throughout the supply chain and introduced significant risks to business models and processes, putting it high up on the agenda for many organisations.

Our survey found that 47% of IA functions address supply chain disruption in their audit plan and 34% plan to do so in the next one-to-three years. Many, however, are wondering how they can tackle risks and disruption that occur with such scale and speed.

Claire Qian, PwC’s Risk and Compliance Leader for Chinese Mainland & Hong Kong SAR, highlights that, “While much responsibility to manage supply chain risk falls on the first and second line, the third can add value by sharing insights, advising on risks, and providing assurance over what the second line is doing.” IA realises that to address the speed of these risks, all parts of the business need to be aligned, with second and third line working alongside the business to ensure communication is fluid and early warning (or ‘risk sensing’) systems are built in. For IA, this has included working with Compliance to automate supplier due diligence processes, leverage third party intelligence data, and refocus vendor audits and monitoring. IA can use its vantage point to look across the end-to-end supply chain and challenge whether resilience and business continuity arrangements are robust, and management has stress-tested the supply chain for blind spots or weaknesses, such as supplier dependencies.

(ii) Rapid IT modernisation

Accelerated by the COVID-19 pandemic, many organisations have had to turn to technology to help adapt their strategies and commercial and operational models to remain viable. This has forced IA functions to reflect on how they can keep pace with this change, and reconsider where in the change lifecycle they should be involved. The investments that organisations have made in recent years—from large enterprise resource planning (ERP) system implementations, introduction of AI, machine learning, automation, and cloud solutions—have meant old IA approaches may no longer work, and new skills are needed. This includes approaches to new risks around responsible AI, collaborating with outside specialists, or with guest auditors from the business. It has also meant being bold enough to stop IA activity that is not adding much value.

The pharmaceutical, life sciences, and medtech industry, for example, has experienced rapid growth and groundbreaking innovation in recent years. This has included streamlining and automating research and product development, leveraging technology for clinical trials, and a shift towards remote interactions. This has changed the strategic and commercial landscape for organisations—and patients—but also forced IA functions to reflect on their own approaches. “The IA survey highlights the considerable opportunity that exists for IA functions to be equipped with the right set of technology capabilities, but also with the need to understand emerging technology at rapid speed,” says Brian Long, PwC’s Pharmaceutical & Life Sciences Sector IA Lead.

“Our Internal Audit team believes that technology & digitisation is the only way for us to support the mission and vision of Moderna to create transformative medicines and commit to innovation. By adopting a digital mindset and building strong relationships with our digital teams, we have aligned our vision with the company's strategy. I am confident that by ‘digitising everywhere’, we will provide better assurance and meaningful insights to all our stakeholders.”

(iii) AI accelerating fast

The rapid emergence of AI marks the beginning of a new phase of IT modernisation. Traditional AI is advancing, and Generative AI is so powerful and easy to use, it’s poised to change business models and revolutionise how work gets done. A wide array of risks have already emerged, including risks to decision-making, privacy, cybersecurity, regulatory compliance, third-party relationships, legal obligations, and intellectual property. This is explored further in PwC’s Managing the risks of generative AI publication.

IA will be a key facet of addressing these risks and helping ensure the upside and RoI from AI can be realised. This includes providing stakeholders with confidence that there is a responsible governance framework around AI and appropriate controls are embedded in underlying processes. This may require IA to step outside of its comfort zone and become involved earlier in the change lifecycle to assess whether the organisation’s AI strategy is appropriate and transformation risks are being addressed.

In parallel, IA has to determine how to harness the potential of AI and other technology, like RPA, to evolve its own capabilities and ways of working. In the past 12 months, just 27% of IA functions have invested in RPA or AI for use inside the function. Many IA functions are still grappling with adopting and using more basic technology, like audit workflow or analytics tools, and so the arrival of AI is causing many IA leaders to reflect on how best to approach it. Some IA functions have ‘hit a wall’ with their technology strategy as the returns from previous investments have not always met expectations—or they are not clear on the actual problem they are trying to solve with technology. We explore this further in section 5 of this study.

“A successful IA function is always changing and evolving, leveraging technology, thinking of new ways of working and continuing to change its operating model to flex with business strategy.”

Levelling up: Actions to consider

Map to the megatrends.

Reconcile the current IA plan with the known and emerging megatrends to identify any that might not be addressed and discuss with the Audit Committee, stakeholders and second line if this is the right approach.

Understand the purpose, not just the process

For transformation initiatives in the organisation, such as the introduction of AI, consider who is providing assurance over the alignment of business strategy, transformation objectives, implementation activities, and measurement of intended outcomes. The ability to connect the dots and spot misalignment can often require an objective viewpoint.

IA can choose to provide new strategic value or risk becoming irrelevant

A door being opened .

PwC’s Global CEO Survey asked CEOs what they consider to be the top threats to their business. Inflation and macroeconomic volatility topped the list. Our Global IA Survey shows, however, that nearly 50% of IA functions are not addressing these two top threats in their audit plan, and one in 10 have no plans to do so at all. Just 6% said their IA plans are addressing the full spectrum of threats.

If IA is not tackling an organisation’s greatest threats, how can it be considered the last line of defence? It may be that IA does not believe it’s within its mandate to address some of these areas. For some, these threats are perceived as not auditable and for others, IA may lack the confidence or skills to tackle them.

The good news is that the door has been opened for IA. Our survey shows that many business leaders want more strategic engagement with IA early and proactively with 68% wanting IA to be involved during the risk identification and assessment stage and over 50% seeking IA involvement in management strategy and planning. This may be driven by a multitude of factors, including the complexity of today’s risks, the need to provide comfort to others, awareness of the benefits of better governance, and/or recognition of IA’s value and potential.

Strategic risks are not always easy to see, and are sometimes not the ones documented in the risk register. They will also be specific to each organisation, so it’s important for IA to have the right Board and executive relationships—and sufficient opportunity to talk—to understand what matters. IA must be willing to challenge strategic decisions when risks indicate a course correction is needed; however, to do this effectively IA may need to reposition itself with stakeholders and be willing to have different conversations in order to be heard. At Pepkor in South Africa, for example, IA positions itself close to the organisation’s strategy and holds frequent discussions with management regarding key strategic risks. Wikus Theunissen, Chief Audit Executive, shares that “IA has steered away from a typical audit plan. Instead, 30% to 40% of the audit plan is agile, which allows IA to respond to urgent risks.”

Examples of strategic areas some IA functions are auditing

Digital transformation , including the alignment of the IT and business strategy, adoption and use of AI (and its responsible use), and reliability of data used in strategic decision-making
Mergers and acquisitions (M&A) , including robustness of due diligence and approval processes, financial model reliability, coverage and quality of risk data used, process and controls integration, and appropriateness of the criteria used to measure synergies and RoI
Research and development (R&D) and product design , including spend controls, alignment to business strategy, and incorporation of technology and data. This is particularly important for industries where R&D approaches have changed over recent years, such as the pharmaceutical sector
Workforce transformation , including its impact on oversight, risk and control ownership, customer response, and risks in meeting other strategic objectives, such as talent and skill gaps
Inflation , including inflation risk mitigation, budgeting and forecasting processes, hedging programs, pricing adjustments, procurement strategies including long-term contracts, and alternative sourcing models
Macroeconomic volatility , including macroeconomic risk assessments and risk mitigation plans, consideration in strategic plans, physical location / production / vendor concentrations and supply chain resiliency plans, business continuity and crisis response plans, and insurance coverage analysis

Pioneers are 38% more likely than peers to provide proactive advice on emerging risks.

Management wants better risk conversations

Our survey indicated that IA has the opportunity to have more high quality, open, and frequent conversations with management about risk. It shows that only 36% of stakeholders classify their risk conversations with IA leaders as of sufficient quality and frequency. While more than half of IA leaders indicate frequent, high quality risk conversations take place with the audit committee chair, the CFO, CEO, CRO, and CCO, only 8% indicated ‘good quality and frequent interaction’ across all relevant stakeholders.

“When you are doing audits and providing assurance to a business that is trying to be disrupting and innovating, you have got to come with the right attitude and calibrate transparency, risk, and box-ticking—and box-ticking is not always the right way to go.”

The benefits of better risk conversations can include new insights on emerging risks, more focused and timely assurance, and a fresh perspective on other opportunities. Our survey found that the percentage of business, risk, and compliance leaders in pioneering organisations that report having good quality and frequent risk conversations with the IA leader is nearly thirty points higher than non-Pioneers (63% v 36% overall). This is where the Pioneers can challenge the status quo and shine a light on alternative paths. This can help the business course-correct where necessary, particularly for the almost 40% of global CEO’s who worry about the longer-term viability of their organisation.

Practically, this may mean changing the format and style of stakeholder meetings, engaging earlier when a new strategic initiative is being considered, and communicating more frequently outside of the normal audit cycle. It can sometimes be as simple as IA asking its stakeholders to explain their business strategy, priorities, and expectations for the future.

Paula Adkison, Senior Vice President of Internal Audit at McKesson, highlights the significant ways in which her organisation aligns with management. IA sits on the executive oversight committee which brings a better purview of strategic initiatives, and helps IA align its activities more closely to strategy. IA’s risk assessment process begins with an interview with the CEO, and broader Executive Operating Team, which gives IA the perspective to get a better pulse on risk across the organisation. Adkison spends a lot of time with business leaders, as does her team. Conversations centre around what trends and risks each are seeing, and what might be worrying the business. As Adkison says, “Our partnership with the business is important. IA asks questions and looks holistically and the business isn’t always able to do that. We weigh the high risks and we don’t waste our time doing insignificant things. The reaction we get from the business is positive.”

Examples of how IA can have better risk conversations

The definition of ‘better’ will differ from stakeholder-to-stakeholder, but we have seen effective IA teams engage with their stakeholders by:

Offering a viewpoint and commentary on new or draft business strategies and plans. IA can maintain objectivity whilst still offering a perspective based on their cumulative experience and ability to see risk differently

Authoring discussion papers or presentations on emerging risk areas or topics, outside of regular audit reports, which can offer an ‘early warning’ or prompt discussion. Our survey found that half of IA functions are authoring position papers on new risks, trends or regulation

Summarising findings from multiple audit reports into broader root causes and themes at a company level. This can also be mapped to trends in the industry

Bringing other expertise from first or second line teams, or external advisors, to broaden debates and offer other perspectives; for example, in topical or risk workshops

Sharing materials from industry or technical sources and/or communities of interest. This can help highlight industry-level trends or emerging risks

Agreeing ‘value-based’ metrics and Key Performance Indicators (KPIs) for IA, so it can be measured against the value it adds to stakeholders

Pioneers spend an average of 66% of their focus and effort on strategic areas versus 42% of others.

“For us, this is not about second guessing or auditing the strategy, but about working from a deep understanding of the business and its strategic direction. We need to know what can really hurt the company, both now and in the future. Understanding where the danger lies in emerging risks and in those that can be taken for granted; we should never lose sight of the fundamentals. This requires strong connection with the business , and collaboration — bringing the collective strengths of the function. My team needs to be ahead of the business, learn continuously, make judgments, and have real agility. We need to put ourselves out there and that can be challenging, but incredibly valuable for the company and rewarding for us when we get it right.”

Get involved early

Look back at previous strategic change initiatives and at what point IA became involved; consider what additional value could have been generated if IA had been involved earlier, and reflect this in the approach for current or future initiatives.

Reconsider effort spent on strategic risks

The right mix will be different for each organisation, but it should be by design and not by accident. This can involve asking stakeholders what is important to them. Using a simple matrix to plot what effort is spent on traditional versus strategic risk areas, and the type of audit approach taken, can be a simple way of setting the right balance.

Shake up the communication style

Some IA functions have moved from formal meetings (with agendas and minutes) with stakeholders to more agile conversations, and have become bolder in adding views not necessarily backed by audit evidence.

Relook at how information is being shared in conversations and meetings

Use visualisation tools to present elevated insights and to show how IA is connecting the dots across risks and organisational silos. Vary the nature, timing, and extent of reporting to fit different needs and different stakeholders.

Illustrative quadrant showing IA risk focus and approach

Percentages are illustrative only and each organisation needs to decide the right balance for them.

IA can harness and multiply the expertise of others to benefit everyone

Working alone will always result in blind spots.

Most significant corporate failures have resulted from something the organisation either didn’t see coming, or they didn’t understand. Risks are not always easy to see—they can sometimes be too big (e.g. geopolitical, macro-economic, industry-wide) or buried in complex and multi-layered technical areas (e.g. regulatory, cyber, commercial). When they occur, the consequences can sometimes be seen in every part of the organisation, and often externally, which can impact reputation.

IA’s unique vantage point and risk-mindset means that it is able to ‘see through the walls of the organisation’ and shine a light on areas others may not clearly see. It cannot, however, see everything, all of the time. It is unlikely that any one function has the skills, experience, and capacity to cover the diversity of risks organisations face. Traditionally, IA functions have relied on guest auditors or co-sourcing to bring in the required expertise and, whilst this is still necessary to reinforce IA’s capabilities, IA needs to also be confident that nothing is missed at an organisational level. This is particularly relevant to industries that have been impacted by significant disruption to commercial models, complex reform, or new technological advancements, such as the pharmaceutical, energy, and financial service sectors.

The good news

The good news is that our survey showed that organisations have at least five second line functions on average with which to collaborate, and most have strengthened their capabilities and ‘levelled up’ over the last three years.

The strengthening of the second line represents an opportunity for IA to harness these skills and maximise the power of combining different capabilities; however, there is work to do: just over half (52%) of IA functions show strong alignment with first and second line on key risks and problems.

Business executives recognise that there is room for improvement with 49% believing that IA does not have strong alignment with the other lines on key risks and problems. This gives IA a strong mandate to take the lead in creating a unified view and finding new ways to leverage the different capabilities in the organisation.

The concept of ‘assurance maps’, which provide a consolidated view of how comfort over key risks is being addressed across the organisation, has gained traction in the profession. While the second line challenges and performs a critical role in its oversight of risk, compliance, and internal controls, IA is in a position to provide an independent and objective assessment and elevate issues beyond management to the Audit Committee. Pioneers are finding ways to make this approach mutually beneficial to IA and the business, including having combined teams to pool experience and add credibility to tackle tough or strategic areas like Environmental, Social, and Governance (ESG), M&A, or digital transformation. These require IA to draw on a wide variety of capabilities, including those relating to IT and cyber, legal, people and change or human resources, finance, treasury, commercial, product development, tax, and marketing.

Practically, this can involve a range of different approaches, such as:

Jointly preparing an assurance map and aligning activity plans
Ensuring the links between mission statements, charters, and strategies are clear (and it is understood how they fit together in the overall governance structure)
Authoring risk papers together to brief or update stakeholders
Aligning risk taxonomies and control libraries, or sharing research and reference materials
Co-investing in technology, such as eGRC, data analytics, and visualisation tools
Co-developing or sharing automation and scripts used in assurance activities
Talent sharing programmes, such as secondments and guest auditors
Forming communities of interest on specialist or topical matters, such as ESG

Done well, such actions allow IA and others to achieve a ‘multiplier effect’—adding up to better risk coverage, greater efficiency, and more valuable insights. In other words, they become more than the sum of their parts. This can also have the benefit of showcasing to the Audit Committee and Board the value of integrated assurance, and opens the door to better engagement.

“IA can be like translators—interpreting and communicating risks and issues between different parts of the business, including the Board and Executives, who may have a different perspective, experience or background. This means IA can help to join the dots when there is a risk—or an opportunity.”

A ‘risk shield’ around the organisation

A shield is only as strong as its weakest part. In today’s world, where risks can come from all directions, an organisation’s foresight and defense needs to be 360-degrees. As organisations assemble different capabilities and embrace new technology, they may also need to look differently at their internal structures, including how the three lines work together to increase agility, break down silos, and remove blind spots to ‘see through walls’.

Whilst it is critical that objectivity remains one of IA’s core superpowers, it should consider where the activities of each line intersect and overlap, how communication flows between them, and what this means for the organisation’s resilience as a whole. This involves being clear on responsibilities, the control and assurance mechanisms that exist, and the new opportunities to collaborate.

Changing the way we see IA and risk

The energy sector’s multiverse reality

Geopolitics and economic volatility have delivered a massive shock to global energy markets and fueled a global energy and cost-of-living crisis. This has made it challenging for organisations to balance profitability and growth with their customer and broader social responsibilities. This disruption sits on a backdrop of climate change, intense competition, regulatory reform, and technological change in energy generation, delivery and use.

This is contributing to a shift in audit focus towards commercial and operational resilience. Our survey found that, within three years, executives in the energy, utilities, and resources sector expect IA to spend 51% of its focus and effort on strategic risks. Marco Galioto, PwC’s Energy Sector IA Lead, summarises, “The sector is balancing many different strategic challenges. IA plays a critical role in helping the business respond. In a complex risk multiverse, IA should sit right in the middle”. For IA to be effective in this role, it needs a clear line of sight through the organisation (across different levels, functions, regions, and systems) and down the energy supply chain, including third parties relied upon. This involves providing comfort over its commercial strategy, response to regulation (and deregulation), and the huge volumes of data flowing through the ‘pipes’ of the organisation.

Some organisations are investing in data scientists, process mining, and visualisation software to help address the challenge, and increasing collaboration between the lines. In one case, dashboards built by IA were then replicated in the business to help them enhance controls and monitor things they couldn’t see before. There is, however, more work to do. Our survey found that, in the past 12 months, only 25% of IA functions in the sector have invested in RPA or AI, and only 20% have invested in 'centres of excellence' or dedicated hubs focused on technology and data. The good news is that change has begun, and the first steps are always the hardest.

Map your assurance

Work with the other lines to map the different control and assurance activities performed to determine where there is duplication, blind spots, and opportunities to collaborate. Make the output visible to others to help close any gaps and support investment decisions.

Tap into Centres of Excellence (CoEs)

Identify and collaborate with any CoEs, or similar pools of experience, that may exist in your organisation. Examples include cyber security, data, and operational excellence groups. These can provide economies of scale, optimise methodologies, and promote innovation.

Connect to communities of interest

Bigger organisations may have the capacity to pull together cross-functional teams or interest groups on key risk or technical areas, such as ESG, AI, or cyber. Similarly, encourage those in the second and third line to get involved with professional or industry groups to build experience and get fresh ideas.

IA must develop new tech skills while keeping human capabilities at its core

The human touch.

Professional scepticism, a risk and controls mindset, and objectivity are long-standing IA skills and remain the foundation for its future. As the scale and complexity of risks change, IA will need more nuanced human skills to have meaningful and strategic conversations with its stakeholders. Our survey found that a smaller portion of executives ranked strategic thinking (19%) and ability to challenge constructively (23%) as key strengths of IA.

“Ultimately you find insights by talking to people. This requires good communication skills, empathy, and being able to speak the same language as the auditees. The business has the mindset of wanting to learn from mistakes and they know that IA can help them do that.”

One CAE we interviewed indicated that two of the most important strengths an internal auditor can have is the ability to effectively relate to people in one-on-one meetings and to turn interviews into conversations rather than interrogations.

Technology skills will remain critical, and should continue to evolve, but they must be balanced by the human side of the equation. Important attributes include strengthening strategic thinking as well as creative thinking, agility, flexibility, and empathy. This will also be particularly important as changes from AI and other emerging technology give organisations access to data that they might not have either had access to before or been able to collate manually. If there is no one able to interpret this data, turn it into information, and view it through a risk and assurance lens, it will remain unused in the real world. PwC’s UK Internal Audit Leader, Justin Martin, likens this to a conductor in an orchestra: “They have to understand the audience, musicians, and instruments, and how they work together to create the music. The difference might be that AI increases the complexity of the instruments and speed the music is played”.

Talent sourcing and retention will need more innovative approaches

Just 45% of executives are very confident that IA has the talent and skills the function will need in the next three to five years. They rank the lack of IA resources, skills, and expertise to cover key risk areas as the top barrier that could prevent IA from achieving the outcomes the organisation wants.

The stakes are high. Turnover and re-skilling remain challenges; PwC’s 2023 Global Workforce Hopes and Fears Survey of 54,000 workers indicates that despite recessionary worries and rising unemployment in some regions, 26% of employees are likely to change jobs in the next 12 months, and 58% of employees with specialist training believe the skills required to do their job will change significantly over the next five years.

The IA function at PT Bank Rakyat Indonesia Tbk has what it calls a cross-border program with the first and second line. IA personnel can move to an operational unit or business division and then return to IA after gaining greater business insight, and vice versa. Triswahju Herlina, CAE, notes that, "by utilising various backgrounds and points of view, IA is able to provide broader, and more valuable, insights to stakeholders as a strategic business partner."

Whether sourcing from inside or outside of the organisation, most IA leaders would agree that finding and retaining talent is challenging. That is why Marie-Pauline Lauret, Chief Risk Assurance Officer, Philip Morris International, believes the only way to attract talent is to have an appealing proposal—a state of the art vision and function—and show staff and recruits they are contributing to shaping the future. “Talented and engaged people want to make an impact, so if you have an attractive proposition you will get them on board,” she says. “Sustainability, for example, is just becoming integrated fully into risk functions, and Philip Morris IA is building a five-year program, thinking far ahead to be able to work on the right ESG topics to build preparedness for the future. I'm sharing our vision around embedding ESG risks into ERM, and making talent part of the process is helping to generate excitement and attract people to be part of it.”

“Sometimes to be better auditors, we need to stop thinking like auditors.”

Identify skills gaps

Conduct a current and future state skills assessment. Determine how auditor capabilities can be aligned to support the organisation’s future vision and strategy, and risk profile.

Establish a talent strategy

Create an upskilling and sourcing strategy. Consider including guest auditor, leadership development, and rotation and secondment (internal and external) programs, to create diversity and new thinking. Consider co-developing this strategy with the second line.

Consider succession

Plan for succession and transition of key talent. Use this as a way of setting development paths and promoting different types of skills and experience in line with the IA, talent, and business strategies.

Incentivise self-driven learning

Create learning pathways for different roles and ensure there is sufficient recognition and incentives for individual upskilling, and celebrate accomplishments among the team. Tap into the organisation’s training programmes around leadership and soft-skills.

Assemble other superheroes

Identify individuals in the first and second line who demonstrate the right mindset and have the right skills to augment those of IA on particular topics. Obtain support from business leaders for rotational programs. The quid pro quo is teams will benefit from new perspectives and experiences. This can also be an effective way of disseminating better risk awareness across the organisation.

The window is closing for IA to adopt the next wave of technology innovation

Technology investment is not delivering the desired benefits.

In 2019, PwC’s Internal Audit State of the Profession Study focused heavily on IA data and technology, and PwC has subsequently seen a lot of activity in this area; however, the RoI has not been realised. Just over 20% of IA functions have achieved the desired benefits from their technology and data investments over the last twelve months.

IA’s greatest use of technology and data has been for risk assessment activities, audit planning, and continuous monitoring. Some have made great strides in integrating data into IA processes, and are seeing the benefits. Conversely, nearly a third of IA leaders report they are not using data and technology to a great extent in any area , including scoping or testing activities in individual audits.

There could be multiple reasons why RoI is falling short, but these can include:

Strategy: The technology is driving the strategy, rather than the strategy driving the technology. This is a common pitfall and requires pausing to reconsider and remap activities to the business and IA strategy, objectives and intended outcomes. In other words, what problem or opportunity is the technology really being used to address, and is this realistic?
Measurements for success: IA has not defined the right KPIs to measure success. The outcomes might be there, but no one is measuring them.
Status quo: The technology changes, but people’s way of working remains the same. Resistance to change is common and can stop teams from reaping the full benefits of new technology. The introduction of visualisation software, for example, can optimise audit work and present new insights; however, some IA functions still either don’t present the output, or use it in a traditional report format, which can reduce its impact.
Siloed: The technology is operated in isolation, not connected to other data sources in the organisation, or accessible and visible to others. For example, IA might have a sophisticated workflow and issue tracking tool, but if audit findings are still manually collated and emailed in spreadsheets to stakeholders, its value is hidden behind a wall.
Duplication (and confusion): Investment in similar or competing technology is made in different parts of the organisation, resulting in duplication. This can lead to confusion over which should be used, prioritised and invested in.

Speeding up

The advancement of AI is redefining what is possible for organisations, business functions and individuals. IA leaders have discussed the potential value of automation and AI for years, yet 52% of executives, inclusive of IA leaders, say that IA has not invested in AI and has no plans to do so in the next three years.

There could be various reasons for this. It could be fatigue from other technology investments, or it may be that IA leaders just don’t know how or where to get started. There are, however, risks to inaction, including becoming irrelevant as others move forward.

As organisations continue to change and adopt AI, IA needs to evolve in parallel. If IA doesn’t understand AI, how can it understand the many risks arising from it, or provide comfort over them? What would stop the business from trying to forge on ahead without the comfort IA provides or get this directly from generative AI itself? And, if so, what might be the consequences (seen or unseen)?

The time horizon will vary and depend on when, and how, each organisation adopts AI. At some point, budget and resource capacity will constrain IA from covering an expanding risk landscape, and technology will be needed to drive greater efficiency. Moreover, if IA waits too long to recruit knowledgeable talent, those individuals may become hard to find or attract in a more competitive market.

No one knows for sure where AI will lead, but many have an educated view, and IA needs to be at the forefront of that thinking. The resources available to IA functions vary significantly, but there is still an opportunity—or even a necessity—to make forward strides in embedding technology through all that IA does.

A financial services perspective: lots done, but more to do

As historical barriers such as older bespoke and inflexible systems improve, many IA functions are investing more to capitalise on new opportunities: 51% of financial service firms have invested in IA team member training and upskilling on data and technology in the past 12 months and 46% plan to do so in the next one-to-three years. Examples of measures some have taken include:

A financial markets infrastructure firm put its entire team, including the CAE, through data analytics training, with a focus on its benefits, the art of the possible, and practical tips to deliver quality insights.

An investment bank embarked on a generative AI pilot. By using Natural Language Processing and training a Large Language Model, the pilot aimed to replace a large amount of manual testing. Early indications are that it could save up to 8,000 hours annually.

A bank implemented an audit management system comprising a much more open platform than traditional systems. This enables the team to build digital assets that automatically source enterprise data directly into their system for continuous risk assessment and testing.

Technology is not the panacea. It can accelerate the availability of information, but human experience and judgement is needed to turn it into trusted insights. Generative AI is driving real opportunities for change, but a machine cannot (yet) identify the difference between right and wrong. “In a world where doing the right thing matters more and more, the human touch is critical,” says Steve Frizzell, PwC’s Global Financial Services IA Lead.

“At Elevance Health our ERM has crossover and collaboration with IA in identifying risks. We work collaboratively in identifying emerging risks, such as AI, and partner with our business owners to be ahead of the game. For example, in partnership with our Responsible AI function through an IA/ERM risk assessment, we identified opportunities to enhance and strengthen our governance and internal control structure associated with our use of AI. The company immediately responded and devoted more resources to our Responsible AI team to develop a robust program.”

Our study highlighted that Pioneers have invested in a larger number of capabilities and are more likely to have achieved multiple, tangible outcomes from these investments. For instance, Pioneers are 59% more likely to provide elevated insights, such as benchmarking and trend analysis. One IA function, for example, was an early adopter in building global data analytics capabilities and infrastructure. This includes a dedicated team focused on data, software tools, and its own ‘data marts’ (which were recently moved to the cloud to dramatically improve processing time). This has allowed internal and external key risk indicators to be used in risk assessment and audit planning activities, and help prioritise entities and audits.

These benefits can be compounded and multiplied. The more technology and data is woven into the fabric of IA, the more it can be connected end-to-end to increase efficiency and effectiveness. Only 6% of organisations, however, are using the full range of technology and data techniques outlined below to a great extent, so there is still plenty of latent potential to unlock.

Co-develop and co-invest in technology

Explore opportunities with other functions to co-invest in technology and leverage data sources and tools that may already exist (such as eGRC, analytics, workflow, and visualisation tools) or could be co-developed together. This can also involve sharing assurance techniques and automation, such as monitoring routines and analytics scripts.

Connect the pipes

Work with the business and second line to establish connections to ERP and other systems to facilitate the efficient and effective extraction of data into risk, compliance, and audit tools to support audits and monitoring.

Shift to continuous auditing

Create a strategy to move towards more proactive continuous auditing and monitoring from discrete, point-in-time audits. This should include looking for opportunities to connect data across end-to-end processes to help provide broader and more strategic, company-wide insights.

Build AI into IA’s technology strategy

Define the roadmap for how AI—and AI auditing—will be implemented. Find ways to collaborate with the broader organisation to upskill together and jointly consider associated risks.

Start, stop, continue

When evaluating or implementing new technology, list the activities in IA and beyond that you will start, stop or continue. This is important so the real benefits can be considered.

Speed up and shine, or slow down and fade away

Pioneers rarely have a template.

PwC’s IA Maturity Continuum, introduced in prior IA studies provides a model to help IA and its stakeholders determine where they are in their maturity journey, and where they want to evolve, based on their mandate and vision. Our survey shows that whilst most organisations currently categorise their IA maturity as a ‘Problem Finder’ (12%), ‘Assurance Provider’ (23%) or ‘Problem Solver’ (30%), more and more organisations want IA to become a ‘trusted advisor’ in the next three years (35%). This would involve providing new and proactive advice on risks and initiatives that are strategic to the organisation, and being confident in using technology to help achieve this.

IA’s role in providing assurance and confidence is the common denominator at any level of maturity—this is fundamental. The differentiator between success and failure, value and irrelevance, comes down to how effectively IA can understand what its stakeholders want, shine a light on what they may not see or understand, and break down barriers to assemble and connect the right technology and capabilities across the organisation.

There is, however, no one-size-fits all approach. Pioneers rarely have a template. This means that each organisation needs to have clarity on where they are now, and where they want to be in the near, mid, and long term. The success of IA will depend on its ability to use its superpowers to listen, interpret, challenge, and knit together the views of different stakeholders.

Staying relevant

Just as CEOs recognise the imperative to keep their strategy and business model viable, IA has the obligation to continually evolve and remain relevant.

When Pioneers look at risk and change, they see opportunity; when they look at complexity, they see a path forward that avoids hazards and gives the organisation confidence to speed up. Our survey affirms that high-performing IA functions are driving broader business outcomes and more value than ever before. Executives agree that stronger governance and risk awareness (42%), and more robust and efficient internal controls (with fewer failures) (39%), are outcomes that result from high-performing IA functions.

Pioneers are more likely than others to rank the following outcomes among their top three:

New strategic business opportunities, such as cost reduction or revenue generating initiatives.

Greater success in transformation programmes, such as digital and workforce transformation.

Greater resiliency and ability to predict or manage disruption.

These are outcomes that any organisation would value, but ones that can remain hidden behind walls if IA and the business are not willing to climb them together, look up, speak up, and see things differently.

Download a copy of the study

Find out more about pwc’s internal audit services and other insights, pwc global internal audit study: real-time benchmarking.

Our benchmarking tool allows you to answer a subset of questions from this year’s survey and compare your responses against the global data.

Benchmark yourself now

We have Internal Audit teams globally who are ready to talk to you. Please contact those listed here or speak to your local PwC team.

Shaun Willcocks

Global Risk Markets Leader, Global Internal Audit Leader, Partner, PwC Japan

+81 (0)90 6478 6991

Sophie Langshaw

Australia Internal Audit Leader, Partner, PwC Australia

+61 41 052 0548

Carlie Persson

Canada Internal Audit Leader, Partner, PwC Canada

+1 780-441-6700

Chinese Mainland and Hong Kong Internal Audit Leader, Partner, PwC China

+852 2289 1953

Richard Thomas

EMEA Internal Audit Leader, Partner, PwC Switzerland

+41 79 816 27 00

Kathrin Kersten

Germany Internal Audit Leader, Partner, PwC Germany

+49 69 9585 1201

Justin Martin

UK Internal Audit Leader, Partner, PwC United Kingdom

+44 (0) 7881 802 336

US Internal Audit Leader, Partner, PwC United States

+1 (630) 209 6384

Laura Koelzer

US Internal Audit Partner, PwC United States

+312 502 9594

Martin Lozier

US Internal Audit Director, PwC United States

+1 517 937 1605

We welcome your comments

Your request / feedback has been routed to the appropriate person. Should you need to reference this in the future we have assigned it the reference number "refID" .

Thank you for your comments / suggestions.

Required fields are marked with an asterisk( * )

Please correct the errors and send your information again.

Tick this box to verify you are not a robot

By submitting your email address, you acknowledge that you have read the Privacy Statement and that you consent to our processing data in accordance with the Privacy Statement (including international transfers). If you change your mind at any time about wishing to receive the information from us, you can send us an email message using the Contact Us page.

© 2017 - 2024 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.

Legal notices
Cookie policy
Legal disclaimer
Terms and conditions

As of June 1, 2024, Vestige Digital Investigations is part of ArcherHall, a leading digital forensics, e-discovery, and cybersecurity service provider. The Vestige team that you know and trust will continue to serve you at ArcherHall. Our expanded team, capabilities, and infrastructure will allow us to serve you and your clients even better.

I.t. auditing : sample cases – representative matters.

Case Studies
I.T. Auditing : Sample Cases -…

The following audit case studies highlight several matters for which Vestige was retained that involve I.T. Auditing Services. Each of these I.T. audit case studies are real matters that we have worked, but for privacy and confidentiality purposes, any identifying information has been sanitized from our auditing samples. Learn how Vestige LTD has provided assistance in various I.T. auditing cases below.

Publicly Listed Professional Services Firm

Our client, a public company, subject to SEC regulation, had both a robust Internal Audit Department as well as its outside audit firm (one of the Big 4). While the Internal Audit Department had financial auditors on staff and had a handful of individuals that dabbled in I.T. Reviews, it became evident that the level of expertise needed for such a complex environment exceeded their internal resources. Over the years the organization has had to deal with a number of regulatory requirements, including: Sarbanes-Oxley (SOX) compliance, HIPAA, PCI, and FINRA, to point out a few. Vestige became involved as an extension of this organization’s Internal Audit Department, providing a wide range of I.T. audits and assessments for a number of the organization’s divisions and separate business entities. Reporting through the Internal Audit Department, we were able to closely coordinate our efforts with the financial auditors to provide the organization with an even better overall assessment of the organization’s risks. Beyond that, we provided our client confidence with moving forward on its external audits, knowing that issues were identified and addressed internally in ample time to remediate the controls and show that they had been in-place and working over a period of time. It was even reported to us that the external auditor was able to rely upon much of our work product due to its completeness, accuracy and quality of findings, thereby saving our client substantial fees in having to undergo additional scrutiny and testing by the external audit firm.

Institute of Higher Education

Vestige has complemented the Internal Audit Department of a four year college that caters to more than 30,000 students and has several campuses. The Internal Audit Department is on the smaller side (2-4 auditors) and has no one that specializes in I.T. Auditing. While it is void of this important function within its internal resources, it does have one of the financial auditors who has shown an interest. As a result, not only has Vestige partnered with the University to conduct the I.T. component of its audits, but we have provided some additional ancillary services to assist with the training of this individual. For example, as part of our engagement we have created the audit programs for some of the areas of concentration, as determined by the organization’s risk assessment. Vestige initially conducted an audit of one of these areas, completed our documentation and also created add-on audit programs, custom-tailored to the University, and provided these along with training to the internal resource for them to conduct on-their-own. In this manner, the University is not only gaining Vestige’s expertise as it relates to the identification of risks and the conducting of the I.T. audits, they are also gaining important knowledge and resources to build up their own internal expertise.

Large Conglomerate

For more than 12 years, Vestige has provided outsourced I.T. Auditing to a large ($1B+ revenue) conglomerate. Throughout the years, this organization has maintained its own Internal Audit Department of 8-10 financial auditors. They had previously attempted to recruit, hire and retain IT Auditors, but were never successful at keeping these individuals long enough to gain any of the efficiencies and insight that someone gains by being in the environment an extended period of time. Frustrated with this approach, the conglomerate originally sought our services out to augment the internal I.T. auditor’s experience, to act as a reviewer and to mentor the individuals on the I.T. Auditing side since the balance of the Internal Audit Department was financially-focused. Eventually it became evident that the organization was in a vicious cycle of recruiting, hiring, training and then losing these individuals and turned to Vestige as an outsourced solution providing full I.T. Auditing services as part of its Internal Audit Department and its 20+ individual portfolio companies.

Outside Accounting Firm

As a Public Accounting firm, our client provides external audit functions to thousands of clients. Like so many other regional and local accounting firms, our client has financial auditing expertise, but does not have the internal resources from an I.T. Auditing focus. Since the introduction of the AICPA’s Statement of Audit Standards 94 (SAS.94) in May 2001, reliance upon auditing “around” the technology involved in a financial system is no longer acceptable and auditing firms have had to rely upon and develop expertise in being able to audit the actual technology. As most auditors are financially-focused, there is a wide dearth of expertise as it relates to the I.T. Auditing component. Vestige has complemented these firms’ needs by partnering with them to jointly provide comprehensive audits that focus on the financial and the I.T. components. This has included routine financial audits, but has also included specialized I.T. audits such as SAS70s (deprecated) and SSAE16/SOC-type compliancy reports.

All Related Articles

What Is A Written Information Security Policy and Why Does My Company Need One?

Document Authentication: A Primer

Wrapping Up a Forensic Analysis

Responding to Litigation Holds with a Defensible Preservation Plan

Related white papers.

View All White Papers

So You Need to Comply with NIST 800-171 & CMMC

Related case studies.

View All Case Studies

Cleveland, OH

330.721.1205
800.314.4357
855.839.9084

Columbus, OH

Pittsburgh, pa, new york, ny, hq: sacramento.

916.449.2821

This site uses cookies, for more information, review our privacy policy .

Utility Menu

Site Search

Reminder: Analyzing Cost Principles Course Next Tuesday

Dear Research Administrators, This is a friendly reminder about the upcoming Analyzing Cost Principles (University-wide) course happening next Tuesday. Don’t miss this opportunity to deepen your understanding of cost principles and how to apply them effectively on federal awards. Below are the session details and registration information:

Date/Time/Format: Tuesday, September 24th, 2024 /1:00pm- 3:00pm / Live Virtual Training

Description : This course incorporates activities and case studies to help participants think through complex questions regarding allowability of costs on federal awards and how non-compliance with cost principles can lead to audit findings. We will also consider how internal controls play a role in ensuring cost principles are applied when charging federal awards. Activities include budget analysis, allowability Q&A, and an audit case study.

Learning Objectives:

Apply cost principles and knowledge of the regulatory framework and internal controls to ensure responsible spending
Identify and interpret appropriate policies and guidelines to ensure expenditure compliance
Anticipate problematic costs to prevent audit findings

Audience : Research Administrators

Pre-Requisites : We strongly recommended Cost Principles and Direct Costs on Sponsored Awards (University-wide) for participants. Please note, this course is not foundational and achieving objectives is based on participation.

Registration : Please register for this course on HTP.

Welcome to the OSP Blog!

Please note that policies and guidance are subject to revision, and specific policies and guidance referenced in past blog posts may have been updated since the posts' original publication dates. If you have any questions regarding whether a policy or guidance referenced in an older blog post is still in effect, please visit the Policies and Guidance section of our website or contact your OSP representative .

Blog posts by month

September 2024 (1)
August 2024 (9)
July 2024 (10)
June 2024 (6)
May 2024 (5)

IMAGES

PPT
Audit Report
Ebook audit case study
Ebook audit case study
Internal Auditing Case Study Example
Ebook audit case study

VIDEO

How to Study Chapter-9 Audit of Different Types of Entities
Final Audit Integrated Case Studies Video 4
CASE STUDY OF AUDIT CHAPTER 11🎯
Ch-13 Audit of Hotels
Period 13 Audit Test
How Long Does SEO Take To Work?

COMMENTS

PDF Internal Audit in Practice
internal audit and undertaking a risk based approach to internal audit. The examples are not necessarily meant to represent best practice but are intended to showcase a range of responses to the demands placed upon internal auditors. We hope they will be a valuable tool to promote new ideas and support the development of your internal audit ...
Internal audit: A case study of impact and quality of an internal
Even though internal audit function (IAF) are an important player in internal control, however, there is little academic knowledge about their impact. Based on a single-case study in a large financial institution, this paper explores to what extent and how IAF affect internal controls. Furthermore, it assesses whether IAF add value to the company.
Audit case studies: lessons from real-world audit failures and success
In July 2015, Toshiba experienced an internal audit failure that spotlighted the gap between good corporate governance structure and its practical implementation. It led to Toshiba Corp's president, Hisao Tanaka, and his two predecessors quitting after investigators found that the company had inflated earnings by $1.2 billion between 2009 and ...
Internal Audit in Practice Case Studies
The Institute of Internal Auditors and the NAO released a set of case studies illustrating some of the key principles of effective internal auditing, taken from a range of public and private sector organisations (including British Telecom, Department for Work and Pensions, EDF etc). The case studies are grouped under: applying internal audit ...
Audit and assurance case study questions
How to approach Advanced Audit and Assurance. The first article in this series of two on Paper P7 case study questions discussed question style, what to look for in the requirements, how higher-level skills are tested, and the meaning of professional marks within a question requirement. This second article goes through part of a typical Section ...
PDF CASE STUDY AUDIT PLANNING & RISK ASSESSMENT 1. INTRODUCTION
1. INTRODUCTION. The objective of this case study is to reinforce the messages contained in the Audit Planning & Risk Assessment Guide through the completion of a practitioner based case study that will cover the following key stages in the audit planning and risk assessment cycle: Identification of the Audit Universe and related objectives;
Audit and assurance case studies
<div style="background: #fbfbfb; color: red; border: 1px solid #DCDCDC; width: 95%; margin: 20px auto; padding: 20px; text-align: center; font-size: 16px; font-weight ...
IIA-Australia White Paper
Extract/Description. The purpose of this White Paper is to show, through a practical case study, how an internal audit function can continually move forward as the organisation changes and can successfully adapt internal audit services to help build a better organisation. This White Paper describes the methodology applied to develop an Internal ...
Internal Audit Co-sourcing Success Story
Solution. Jefferson Wells was chosen not only for its co-sourcing solution, but also based on its reputation, references, experience and "chemistry.". Upon selection, Jefferson Wells proposed a co-sourcing audit arrangement that would not only serve to supplement the client's existing audit group, but also enable Jefferson Wells to deploy ...
Chapter 7: Risk Based Internal Audit Case Studies
The following case studies give examples where an internal audit was focused on ensuring resolution of a situation that put the organization at risk, by focusing not simply on compliance to documents, but by looking to process performance, cause/effect, and the "sequence and interactions" of the processes of a management system.
Auditing culture
In response to this feedback, ACCA UK's Internal Audit Network invited Barclays Bank to present a webinar on how to audit culture. Alison Smith - a Director in Barclays Internal Audit - presented the webinar in February 2017 and this CPD article covers some of the highlights of the content. Understanding what culture is and why it is ...
Internal audit: A case study of impact and quality of an internal
This study, based upon four Belgian case studies, provides insights on (1) what drives the audit committee to look for the support of the internal audit function; and (2) what makes the internal ...
Applying the Agile manifesto and principles to internal audit
Sep 30, 2019 · Authored by John Romano. In this article series, The Agile Internal Audit Journey, Baker Tilly specialists define Agile, walk through its applications to internal audit and offer lessons learned through case study approaches. In the first article, Agile auditing: transforming internal audit to add greater value, we discussed the ...
(PDF) Internal Audit Effectiveness: Multiple Case Study Research
Cahill, E. (2006), Audit committee and internal audit effectiveness in a multinational bank subsidiary: a case study, Journal of banking regulation , Vol. 7, pp. 160-179.
Audit Case Studies
An SEC-registered real estate public company with approximately $15 million in revenue required outsourced internal auditing expertise to handle all compliance and internal control requirements. The company had limited accounting personnel and required best practices in implementing COSO and control monitoring solutions. READ FULL STUDY >>.
Case Studies in Internal Auditing
As illustrations of the foregoing, three groups of case studies are presented: 1. Routine internal audit functions. 2. Special assignments to determine the ef- ficiency of an operation. 3. Special investigations of fraud and theft. The experiences and practices utilized are for the most part drawn from our own company.
(PDF) INTERNAL AUDITING CASE STUDY
Club Tineri Giurgiu. Download Free PDF. View PDF. INTERNAL AUDITING CASE STUDY Institute of Internal Auditors Atlanta Chapter Case Competition - October/November 2017 Your team is the internal audit team for a company within an industry of your choice. Your team has been requested to present a briefing to the audit committee of the board of ...
Case Studies
An innovative workshop session plants the seeds for change and growth. KPMG Ignition helps the Crop Science division of Bayer make the changes that matter for finance transformation. Uber rethinks the rules of the road. Again. KPMG's flexible, listen-to-design approach extends a legacy of tax technology innovation.
PDF Common Internal Audit Findings and How to Avoid Them
Audit Steps. Step 6: Management Response - A draft audit report will be submitted to the management of the audited area for their review and responses to the recommendations. Management responses should include their action plan for correction. Step 7: Closing Meeting - This meeting is held with department management.
Global Internal Audit Study 2023
Study. 15 Minute Read. For more than a decade, PwC has conducted global surveys with Internal Audit (IA) leaders and their stakeholders. Our 2023 survey was our largest ever. It captured views from 4,680 IA leaders (41%), board members and executives in the business (37%), and second line risk (11%) and compliance (11%) leaders.
I.T. Auditing Case Study Examples
For more than 12 years, Vestige has provided outsourced I.T. Auditing to a large ($1B+ revenue) conglomerate. Throughout the years, this organization has maintained its own Internal Audit Department of 8-10 financial auditors. They had previously attempted to recruit, hire and retain IT Auditors, but were never successful at keeping these ...
Reminder: Analyzing Cost Principles Course Next Tuesday
We will also consider how internal controls play a role in ensuring cost principles are applied when charging federal awards. Activities include budget analysis, allowability Q&A, and an audit case study. Learning Objectives: Apply cost principles and knowledge of the regulatory framework and internal controls to ensure responsible spending