United Kingdom

Driving value out of Internal Audit 

Internal Audit has to drive value creation. At KPMG we believe this is about delivering the optimum level of assurance for the lowest cost, and in doing so, freeing up vital resource. Heads of Internal Audit are more accountable than ever before for demonstrating that their key risks and issues, and subsequent risk management processes, have the right level of assurance. CFOs are keen to avoid damaging shareholder value due to unnecessary risk exposure, but equally, do not want to pay the price of diminishing assurance returns.

Internal Audit transcript:

Speaker :

Paul Sawdon
Head of Internal Audit


Every single day and every single week there’s a new headline.  I think it’s fair to say that we’re leaving in reasonably volatile economic conditions, certainly over the last few years, and I see no visible signs of that stopping now.   In that context I sincerely hope that every organisation is reappraising exactly what it’s doing in the assurance space to reconfirm and revalidate that it’s risk processes and its related assurance activity over those risks are sufficiently joined up and understood by the right people.


I’ve seen assurance operate in silos.  I think you’re seeing much less of that now, I think you’re seeing a widespread acknowledge that transparency must be valuable and must drive cost downwards, freeing up resources to go and attack other areas.


I feel really strongly that assurance is extremely valuable and driving value from that is the key.  So it’s not just rolling plans forward that have been built five years ago that are now completely out-of-date.  It’s absolutely interfacing with stakeholders and understanding the business really clearly to then build the correct programmes to manage the risk in a controlled way.

We live in an extraordinarily rapidly changing world; things move on really, really quickly so  I think, you know, the best practice is clearly to embrace those new ideas, to rapidly take on new developments in technology or even just academic thinking and then reappraise very regularly exactly what that programme looks like.  I mean there’s nothing worse than tick-box auditing.  I suppose from time to time, in organisation to organisation you will still see that tick-box auditing taking place and for me that’s a big problem because that’s definitely not adding value unless you’re absolutely sure there’s nothing changing in the economic environment, the market place or your business, which means that its absolutely right to continue with the same old, same old.


You have to keep evolving, you have to keep challenging what you’re doing and you have to keep reappraising the techniques that you’re using and in that sense I think that all Heads of Internal Audit, all organisations struggle.  I think where you’re seeing great practice you’ve got people looking forward to 2017, 2018, thinking about what Internal Audit might look like then and sort of literally working backwards from there. A business plan, which I think we would take for granted, if one was running a business but doesn’t necessarily flow through into Internal Audit thinking in the ordinary course.


Where it’s been done well, there’s a heavy focus on the GRC elements of that activity so making sure that the governance aspects, and the risk aspects, and the control aspects are kind of all tied together.  And particularly in that context of making sure you’ve got real stakeholder buy in both upwards and downwards in the organisation so that it’s real, so that you are actually focussed on the correct risks so that the assurance activity is sort of making genuine decisions about whether assurance is required over those issues or not, ie it’s not happening in isolation.  I think that’s kind of key.


In terms of sort of moving forward in methodologies, a lot of that really is around technology.  You’re seeing more and more use of data analytics.  It’s not rocket science but equally if you don’t use it and you don’t drive value from it, then you’re stuck in the past.  So I think it’s evolutionary, not revolutionary, but it’s absolutely driving those new techniques.


Whilst there will always be some sort of mechanism to link risks back to activities signed off by boards, sometimes you don’t really see that being a real and alive function mechanism, call it what you will, it’s a process but no one’s really signed up to it.  I think where that happens, as you’d expect, it is possible for the Internal Audit activity to then become displaced from the real issues and the real risks facing the business.


I’d like to believe that all forms of assurance will begin to integrate and work together more effectively.  I think some of that may depend on where the regulatory environment may go and I think it will also sort of depend more broadly on Barnier or on sort of what you might describe as external factors.  But it’s clear that everybody’s going to be focussed on driving value and that’s going to involve making sure you get value for the spend, and if you’re in that space, breaking down fiefdoms and joining together different assurance activities, whether that be Health & Safety, Sustainability, External Audit, Internal Audit, risk work, whatever it might be, just making sure that everything’s done transparently must be the way forward.


We do have a leading, high performance Internal Audit team in KPMG, there’s absolutely no Question of that – we’ve got some really, really, high quality people.

Tick-box style auditing is simply not acceptable in today’s environment. All organisations are facing a myriad of constantly changing pressures, brought about by economic volatility, regulatory changes, market pressures or simply organisation development. Today’s high performing Internal Audit departments are those that are successful at embracing change by continuously appraising and revalidating their internal audit programmes. What does your Internal Audit function need to look like to best serve your business in a changing world?


There are real rewards for those organisations that are able to breakdown functional silos and drive high levels of transparency, whether that’s between the internal audit, external audit, sustainability, health and safety or other risk functions. Our team of Internal Audit and Risk specialists can help to ensure that you are tackling the right risks, improve and align your governance, risk and control frameworks, and ensure that there is the right level of stakeholder buy-in from the board down. We can provide independent advice to your Board, the Audit Committee, Management and Regulators on your organisational risks and the state of your controls, and work with you to implement any improvements that are needed.


These situations can be particularly complex and critical in the world of joint ventures, where we work closely with KPMG's specialist JV team. Read more about our joint ventures services


Issues that you may be facing

  • Management concern over the risk exposure for key processes or controls
  • Management intend setting up a new Internal Audit function
  • Poorly valued or no in-house Internal Audit function
  • Little or no senior Internal Audit experience
  • Risk areas are identified where the Internal Audit function does not have the required subject matter expertise
  • Acquisition or considerable business change in the pipeline
  • Mandatory regulatory compliance requirements
  • Large companies operating in many countries or experiencing significant growth
  • Lack of career opportunities for an in-house team to move into the business

Our services

  • Review of the effectiveness of your Internal Audit function (KSPRint)
  • Internal Audit Outsourcing and Co-sourcing
  • Risk Management
  • Internal Controls Assurance
  • Training Tools and Techniques
  • Internal Audit Secondments
  • Data Mining and Data Analytics
  • Self Assessment (KSAT)





Paul Sawdon

Paul Sawdon

Head of Internal Audit

KPMG in the UK


020 7311 8169

Email Paul