Skip to main content

The global order of the last 40 years is changing.

Russia’s unprecedented invasion of Ukraine is the biggest geo-political event since the Second World War. European security architecture is shifting before our eyes, with the historically militarily unaligned Baltic states Sweden and Finland now moving to join NATO to better protect themselves. The Western sanctions slapped on Russia in retaliation, as well as the West’s weapons pouring into Ukraine, have been equally unprecedented.

These changes are seismic and will have ramifications for a long time to come. The future is looking increasingly uncertain and volatile, but what does this mean for the public sector? How should it best guard against future challenges and mitigate any risk to its role in supporting communities with essential services?

Good decision making is central to ensuring the public body will be able to weather any storm – but this cannot happen without accountability, transparency and good governance arrangements in place. This is where internal audit plays a key role. CIPFA believes that internal audit is vital in supporting public bodies reach their goals. Better audit means better public services.

The public sector’s assurance requirements are shifting. The pace of technological change, continuing funding pressures, changing demographics, soaring inflation and the need to tackle climate change are all contributing to evolving pressures on local authorities. Despite these challenges, they must continue to demonstrate responsible stewardship of public funds to build public trust. In this complex web of obligations and challenges, where does this leave internal audit? Why is it often overlooked or misunderstood by organisations? And why does it often not get the respect it deserves?

We wanted to find out.

CIPFA conducted an extensive survey of internal auditors and their public sector clients to try and gain a better understanding of the current state of internal audit in the UK and beyond. The survey received a strong response, with 831 submissions and we also hosted a series of roundtable discussions. The findings form the basis of our ‘Internal audit: untapped potential’ report. The research concludes that where internal audit is operating effectively, it is already supporting the organisation in meeting its goals. But this is not happening everywhere, and the report identified areas where internal audit’s potential impact is not being maximised.

Increasing the impact of internal audit on an organisation is essential if it is allowed to become more effective. But what do we mean by ‘impact’? We define it as ‘internal audit’s ability to support the organisation in achieving its strategic objectives and goals.’ Some of the main areas to assess whether internal audit is having an impact include good engagement with senior managers, whether internal audit’s priorities are clearly aligned with organisational ones, providing timely and meaningful assurance, the ability to challenge constructively and the freedom to be dynamic and change focus.

Our research finds that the impact of internal audit on an organisation is defined by three  interlinking factors. They are the quality of the internal audit team, the audit framework they work with and the actual organisation in which they operate. Each of these factors will shape expectations of what internal audit can and should deliver.

Broadly, the report found that 93% of internal auditors thought that they contributed to the effective management of the organisation, while 88% of clients agreed. This is promising, and a clear improvement on our 2008 survey when we asked them the same question. Back then, only 87% of internal auditors and 60% of clients believed that internal audit supports the management of an organisation. Significant progress has been made in closing the perception gap between auditors and clients. But this doesn’t tell the whole story.

The research identified specific areas where management do not recognise or fully understand the impact that internal audit has. Almost three-quarters (73%) of heads of internal audit who responded believed that they acted as an independent critical friend, but only 43% of management agreed with this. Perhaps of more concern, our research identified only 35% of audit committee members thought that internal audit provided this role. Ninety one per cent  of heads of internal audit said they provide advice on new systems and developments, but only 62% of managers agreed. This disparity in how internal audit’s impact is currently viewed is common across a range of different services and roles provided by internal audit – with clients consistently believing internal audit’s input is significantly less than what the heads of internal audit believe. 

The more management understands the role of internal audit, the more expectations they will have of it. Higher expectations means that internal audit becomes more intrinsically valuable and more relevant to an organisation, ensuring its continued place at the top table and an increased impact.

Perhaps one of the best ways to significantly increase the impact that internal audit makes is to look to the future. We asked respondents to identify three key areas that internal audit should focus on in the future which will have the greatest impact on the organisation. Cybersecurity was the top priority, with just under 60% of respondents wanting internal audit to focus on this key strategic area in the next three years. Just over 50% identified digitisation and data use within organisations as the next most important area while 47% thought that climate change and sustainability would be important areas of focus for internal audit professionals. 

The area of internal financial risk, which internal audit has traditionally provided assurance in, such as payroll and income, are generally already well managed with little exposure to risk. So, does internal audit still have a role to play in mitigating financial risk? Thirty-five per cent of respondents said they thought financial viability was a key area for the future. This includes more strategic areas such as financial resilience and medium- and long-term financial strategies – both of which carry considerable risk to the organisation. Without seeking to influence the financial policies themselves, internal audit can provide vital independent assurance to decision makers to allow them to take on more risk and be more ambitious. 

The report recommends that internal audit should take a more strategic role in areas of future importance, which may be outside of its traditional activity, if it is to have a real impact on the organisation. Of course, audit professionals cannot be expected to become experts in areas such as cybersecurity and climate change, but they can provide independent assurance, critical analysis, strategic advice, promote transparent decision making, put in place good governance arrangements and help to mitigate risk in all of these areas.

This is why it’s vital that audit professionals continue to keep up with the pace of change themselves. Organisations must invest in continually upskilling their internal audit teams with life-long learning, continuing professional development and expose them to developing areas of strategic interest. If internal audit is to keep up with the pace of change in an organisation, then it starts with giving those teams the skills they need.

The report makes four key conclusions if internal audit’s impact is to increase. They are:

  • Successful organisations need to have robust and effective management and governance in place, including a good understanding of their assurance needs
  • Internal audit managers must become better advocates for their teams, and promote the contribution of internal audit throughout the organisation. This way, managers and clients will better understand its impact
  • Internal audit must be kept independent to achieve maximum impact in an organisation. Having a direct reporting line into the leadership team is vital
  • Any discussions of public sector policy issues, such as financial, sustainability or cybersecurity, should acknowledge the importance of assurance. This will help to raise the expectations of internal audit’s clients

Internal audit can have a bright future. Although the world is in a particularly uncertain phase, and organisations’ assurance requirements are rapidly changing because of this, internal audit can still make a significant impact and provide a valuable service. But to do this, it must keep up with the pace of change.

It’s also the client's responsibility to understand their assurance requirements, and how good governance can help public sector bodies achieve their obligations and goals.

Good public financial management is at the heart of delivering, and improving, essential public services, while ensuring value for money. Robust internal audit can help facilitate this. By working together, organisations and heads of internal audit can better prepare for an increasingly uncertain future.