Main Menu

How Internal Audit Helps Organizations Manage Risks


At our Q1 Advisory Risk Briefing, “Internal Audit: Helping Organizations Manage Risk,” on Thursday, March 11, Advisory Partner Amy Ribick moderated a panel discussion featuring some of our internal audit subject matter experts.

Alan DeVaughan, IT Manager, Advisory Services; Keenan McKinney, Manager, Advisory Services; and Christine Pedroli, Data Analytics Manager, Advisory Services; discussed three main topics: understanding the internal audit function; leveraging your internal audit resources, skill sets and technology capabilities; and considering today’s role of the internal audit function in assisting in the management of organization risks and the future of internal audit.

Understanding the Internal Audit Function

The panelists first discussed the importance of understanding the internal audit function, noting that internal audit services are relevant to organizations of any size or complexity. Internal audit exists to enhance and protect your organization’s value by providing risk-based and objective assurance, advice, and oversight. The panelists further noted that internal audit assists in managing fraud risks, which can indiscriminately impact any organization.

Internal audit can help an organization achieve its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

Three Lines of Defense Model

In order to understand how internal audit fits into an organization’s structure, the panelists recommended referencing the Three Lines of Defense Model. The Three Lines of Defense Model designates roles and actions to three primary groups involved in effective risk management: management, governing body, and internal audit. The Three Lines of Defense Model aims to ensure that there are no gaps in the risk management process; rather, each group follows its own specific duties to effectively and efficiently manage risk.

In the Three Lines of Defense Model, the governing body provides overall responsibility for the stewardship of the organization; it sets the culture and tone for your organization. Meanwhile, management is responsible for executing the overall strategy of your organization through its various functions and related controls. Internal audit provides the governing body with objective assurance that allows it to meet its oversight responsibilities.

Internal Audit Sourcing Options and Scope of Services

A comprehensive audit function can provide a full range of services to your organization that assist with risk management. Choosing the right audit sourcing model is essential to optimize business workflows. There are typically three primary audit structures:

  1. In-house
  2. Co-sourcing
  3. Full outsourcing

Determining which structure is the best for your organization may depend on its size and complexity, applicable regulatory requirements and the financial resources available to your organization to support an internal audit function.

With an in-house audit function, it may be difficult to provide the greatest value to the organization, maintain adequate staffing levels, and simply not fiscally feasible to hire technical and subject matter experts. For many organizations, most appropriate and cost-effective option is to partner with a team of internal audit experts through either a co-sourcing or full outsourcing arrangement.

A “sourcing” arrangement can provide access to a wide variety of services – performance of construction audits, fraud investigations, IT audit, data analytics and more – that help you address the specific risks and needs facing your organization.  The organization benefits from the expertise as desired throughout the year as well as technology advancements offered by the internal audit service provider. 

Leveraging Your Internal Audit Resources, Skill Sets and Technology Capabilities

Just as the ongoing COVID-19 pandemic has impacted organizations, it has also impacted internal audit functions. As such, it may be worth taking a second look at your current internal audit function to ensure that it meets your organization’s ever-changing needs. 

Many organizations that shifted to working remotely as a temporary practice during the pandemic are now considering making that shift permanent. Yet, a recent poll from The Institute of Internal Auditors (IIA) suggests that roughly 75 percent of internal audit teams are without a modern audit technology solution. This severely impacts the auditors’ ability to operate efficiently in a remote environment.

Internal audit teams need to re-evaluate their tools and technology resources to make sure they still align with the company’s current position. Considering automation tools where possible and any necessary process changes should be a key focus for organizations as they pivot toward a post-pandemic future, particularly if they plan on remaining remote for the months and years ahead. Potential changes might include:

  • Utilizing real-time video or real-time cameras for activities that would ordinarily require a physical presence
  • Adopting tools like Adobe Sign to electronically sign contracts and get any signature approvals that you may need
  • Implementing collaboration tools like OneDrive, Teams or a secure FTP site to enable you to share or transfer your files and have a centralized workspace

If your organization has faced recent staff reductions, you may also want to leverage other staff from neutral departments within your organization to assist with your audit function.

How Internal Audit Can Assist in the Management of Organization Risks – and the Future of Internal Audit

When your organization considers today’s role of the internal audit function and the future of internal audit, one important component to consider is the risk assessment. The purpose of the audit risk assessment is to identify the organization’s highest or most significant risks to achieving its objectives and to ensure that internal audits and limited resources are focused on those high-risk areas.

Traditionally, a risk assessment is performed once annually. However, in today’s rapidly changing risk landscape, it’s not uncommon for the highest and most significant risks to change. As a result, the best-in-class audit functions are evaluating their risks more frequently and using data to monitor risks and business activity in a more timely manner.

A significant benefit of implementing a dynamic risk assessment approach is that a fluid, flexible and robust audit plan can easily align with the ever-evolving risks that your organization may face well into the future.

In addition to encompassing a dynamic risk assessment approach, future audit functions will also likely focus on automating repetitious audit procedures, collaborating with process owners throughout the organization to identify key pain points and process limitations and using machine learning to analyze historic data to strategically plan for future and potential future risks.

Ultimately, understanding the role of the internal audit function, leveraging the internal audit resources at your disposal and building a dynamic and agile intern al audit function that can pivot with the needs of the organization is crucial to operating efficiently and mitigating risk both now and in the future.

If you’re interested in hearing more about this topic and were unable to attend the live webinar, click here to access the recording.

Brown Smith Wallace can help your organization manage the internal audit function that best suits your needs. If you have questions or need assistance, please feel free to reach out to Alan at 314-824-5278 (,  Keenan at 314-983-1316 (, Christine at 314-983-1261 ( or Amy at 314-983-1347 (


Back to Page