Jérôme Sosnowski, Partner | Risk Advisory, and Bert Glorieux, Director | Risk Advisory, Deloitte

Evolving stakeholder expectations and a fresh perspective on risk management are prompting an important shift in the role of the internal audit function in many organisations. New demands from the board, senior leaders, and regulators are requiring internal auditors to refocus their efforts beyond the traditional approach and requirements.

Such a shift could enable internal audit – with the objectivity of its perspective and the rigour of its processes – to bring value to the business in new ways. Evolving and innovating are essential to address the challenges of today’s disruptive environment.

Internal audit’s existing organisation, wide perspective, and specific mandate – as well as its access to all areas of the business, both personnel and resources – uniquely position it to expand its role.

The importance of internal audit for the Commerce, Industry and Public Sectors in Luxembourg

The internal audit function has become a pillar of internal control and prudential supervision specifically for:

1.     Regulated entities such as banks and professionals of the financial sector (PFS), as well as alternative investment fund managers (AIFM), to which the CSSF pays particular attention;

2.     Listed companies that are required to follow and implement the principles of corporate governance issued by the Luxembourg Stock Exchange.

Establishing an efficient internal audit function is vital in order to support the organisation’s stakeholders in fulfilling their increasing responsibilities in terms of effective corporate governance.

As the third line of defence, reporting directly to the Board of Directors and/or Audit Committee, internal audit is uniquely positioned to:

- Provide an independent assessment of the organisation’s risk management, governance, and internal control processes;

- Add value by providing assurance on the design and effectiveness of the overall internal control framework.

Three Defensive Lines Deloitte

From safeguarding to value creation

Traditionally considered a means of assisting organisations with safeguarding corporate assets and enforcing corporate policies to preserve value, internal audit is expanding its role to focus on value creation. With this in mind, leading organisations are taking a risk-based approach to their role as independent advisors. Essentially, internal audit can expand its scope beyond finance and other aspects of the COSO framework such as internal controls, fraud prevention, and enterprise risk management.

Organisations can no longer afford to operate in static mode, and internal audit can no longer act as a distinct and reactive function – it must be dynamic and capable of anticipating and adapting to change. However, this must be done within a strict regulatory framework to promote and enable a trusted, safe, sound, and resilient organisation that meets the expectations of its customers, shareholders, and regulators.

Key risks and focus areas in 2021

Against the backdrop of the wider economic and social challenges presented by the global pandemic, the expectations of internal audit functions continue to grow. In particular, in order to adapt to an evolving risk landscape, agility in the audit approach is essential. At times, the audit plan needs to be flexed; the methodology and audit approach must be adapted to a remote working environment. Internal audit functions should consider the impact of an organisation’s business and operational resilience arrangements as well as its ability to operate remotely in the context of an organisation’s risk profile. The key question posed to senior management continues to be: “Is the organisation aware of the current emerging risks it faces?”

To support internal audit functions, we have identified and compiled key thematic areas, hot topics, and related risks that should be considered in developing an internal audit plan.

1.     Staff well-being and talent management;

2.     Business resilience;

3.     Risk management;

4.     Fraud and the exploitation of operational disruption;

5.     Third party risk management;

6.     Cyber security and data privacy;

7.     Digitalisation and intelligent automation;

8.     Regulatory changes;

9.     Data management and analytics.

The need for a new approach

Internal audit functions are seen as business partners adding value to the business and the organisation beyond compliance. The management of companies that have an internal audit function should have a general understanding of its role and contribution. Boards of medium to large organisations that do not have an internal audit function should assess the need at least annually.

As regulatory compliance responsibilities have expanded, regulators and various rating agencies have adopted evaluation criteria including enterprise risk management (ERM). The resulting need for enhanced rigour, transparency, and a consolidated view of risk management capabilities has become paramount. The internal audit function must develop a new approach and fresh strategies as businesses are created and sloughed off, processes evolve, technologies are adopted, and regulatory demands fluctuate.

To discover in more detail how organisations can establish and improve their internal audit functions, visit our Deloitte internal audit page for Commerce, Industry and the Public Sector in Luxembourg.