Connect Support Advance

White Paper

Internal Audit as
a Key Agent of
Change
2024

This resource was prepared after the ‘Global Internal Audit Standards’ were published in 2024

Level 5, 580 George Street, Sydney NSW 2000 | PO Box A2311, Sydney South NSW 1235
T +61 2 9267 9155 F +61 2 9264 9240 E [email protected] www.iia.org.au

© 2022 - The Institute of Internal Auditors - Australia

 Internal Audit as a Key Agent of
Change
Contents change in the organisation. While internal audit has no
authority to issue instructions, they have a role to convince
Introduction 2 those with authority of the necessity of change, and to
- Purpose 2 monitor implementation progress.
- Case study 2
Discussion
Discussion 2 Issue
- Issue 2
The issue to be addressed in this White Paper is:
- What is an Agent of Change? 2
How can internal audit become a key agent of change
- What are Examples of Agents of Change? 2
within their organisation?
- Organisation Change 3
- Why Key Agent of Change? 3 What is an Agent of Change?

- Why Internal Audit as a Key Agent of Change? 4 An agent of change can be defined as:
- How Does Internal Audit do This? 4 A person or persons from inside or outside an
- What are Key Agent of Change Benefits? 5 organisation who help the organisation transform its
- What are Key Agent of Change Attributes? 6 operations, activities and culture through strategic and
Conclusion 6 people-centric innovation, improvement and focused
development. Also referred to as transformational
- Summary 6
leaders or change agents.
- Conclusion 6
The Institute of Internal Auditors-Australia
Bibliography and References 6
Agent of change can extend to the internal audit
Purpose of White Papers 7
profession because of opportunities internal audit work
Author’s Biography 7 can bring to influence change in their organisation.
About the Institute of Internal Auditors–Australia 7
What are Examples of Agents of Change?
Copyright 7
Disclaimer 7 The term ‘agent of change’ has been in use for some time
– it can apply:
Introduction
Purpose › In a local, national or international context.

The purpose of this White Paper is to discuss why and how › In an organisation or any group of people working
internal audit may progress from a ‘traditional’ internal together for a common purpose.
audit service approach to become a key agent of change › From a strategic or process perspective.
in their organisation.
An agent of change is someone who promotes change
Background such as:
The role of internal audit is to strengthen the organisation’s › A diplomat who negotiates a ceasefire
ability to create, protect and sustain value. They do this
› Consultants
by providing information about current conditions, the
implications of those conditions, and advice about how to › Counsellors
deal with them.
› Innovators
Further, internal audit has an obligation to pursue agreed
› Inventors
actions to ensure they are completed and appropriately
address the conditions identified. › People who challenge the status quo

In this process, internal audit seeks to bring about positive › People who help you jump through hoops

© 2024 - The Institute of Internal Auditors - Australia 2

 Internal Audit as a Key Agent of
Change
› Public servants who clear red tape Why Should Internal Audit be a Key Agent of Change?

› Researchers An ‘agent of change’ can be strategic or process related.

We have used the term ‘key agent of change’ in this
› Teachers
White Paper in relation to internal auditors because of
› Trainers the significant strategic impact internal auditors can have
› Union leaders who negotiate pay rises across their organisations.

Organisation Change The term ‘key agent of change’ truly belongs to the
internal audit profession which has coverage of the entire
Drivers for change include such things as: organisation – but the term does not necessarily apply to
› Competitive markets and industry sectors. all internal auditors. In the 2021 book ‘Agents of Change
– Internal Auditors in an Era of Disruption’ (Chambers &
› Changing risk environment.
Perez) the authors observe:
› Organisations shifting to knowledge-based
Only 2 in 10 respondents view themselves as agents
operations.
of change who partner with executive management to
› Rapid advances in technology that require continuous drive change that creates value’.
business change and skill development.
Historically, internal auditors have not generally acted,
› Need for enhanced control environment because of or been perceived, as agents of change. Many internal
technology risk. auditors have been content to adopt a ‘this is how we’ve
always done it’ compliance approach without considering
› Workplace cultures focused on teamwork,
the real impact they could make on their organisations.
empowerment and innovation.
Internal audit is in a privileged position to influence change
According to Kotter (2007) in his seminal work in
within their organisation. They are in a position to convince
organisational change management, there are eight
management of the imperative for change and the
necessary stages in the process of making change in an
necessary strategy for making that change. While they will
organisation:
not be the party responsible for implementation, internal
› Create a sense of urgency. audit is in a position to advise on the best approaches and
to monitor implementation progress.
› Build a guiding coalition.
Internal audit is well-placed to be a key agent of change
› Form a strategic vision.
because it:
› Enlist a volunteer army.
› Is situated independently outside the management
› Enable action by removing barriers. structure and can be free of influence and bias from
› Generate short-term wins. management – management are the ones who
put systems in place and are likely to be reluctant
› Sustain acceleration. to change what they themselves designed and
› Institute change. implemented.

These stages exist in all changes whether they are at the › Is objective – an unbiased mental attitude that allows
strategic level or the process level of an organisation. internal auditors to make professional judgments,
Internal audit can have a direct role in each of these fulfill their responsibilities, and achieve the purpose of
stages. internal auditing without compromise

› Gets around and has a helicopter view of the

organisation.

› Works collaboratively with management to provide

© 2024 - The Institute of Internal Auditors - Australia 3

 Internal Audit as a Key Agent of
Change
analysis and facilitate options and solutions. skills are needed now and into the future, and formulating
mechanisms for obtaining them.
› Is not limited to assurance services but can provide
advisory and management requested services at the Finally, the chief audit executive should take steps to build
time they are needed. trust in internal audit. Principle 11 ‘Communicate Effectively’
of the ‘Global Internal Audit Standards’ addresses this
› Can provide real-time forward-looking services
in some detail. It involves building relationships, and
especially for ‘in flight’ major projects and business
communicating clear and reliable information.
initiatives.
How Does Internal Audit Generate Change?
How Does Internal Audit Become a Key Agent of
Change? Create a sense of urgency – It is critical for internal
audit to provide a convincing case for any change they
The first and most important step is to deliver internal audit
recommend. This is based on internal audit’s identification
services that matter to the organisation. The ‘Purpose
of issues and risks, and their analysis of implications
of Internal Auditing’ as set out in Domain I of the ‘Global
for the organisation. Internal audit must convince
Internal Audit Standards’ (International Internal Auditing
management at an appropriate level that change is
Standards Board, 2024) is to strengthen “the organisation’s
necessary.
ability to create, protect and sustain value by providing the
board and management with independent, risk-based, and Build a guiding coalition – Internal audit must convince
objective assurance, advice, insight and foresight”. This operational management the change is needed and they
means: have practical suggestions for implementation.

› Clearly building the internal audit plan around the Form a strategic vision – In convincing management that
organisation strategy and strategic risks / objectives change is both necessary and achievable, the internal
and associated risks – instead of an internal audit auditor will present a vision of how the organisation will
plan created directly from an audit universe and work after the change, and how the change will benefit the
based upon ‘we didn’t do that topic last year so we’d organisation and make it better than before.
better do it this year’.
Enlist a volunteer army – This should not be taken too
› Forward-looking internal audit services – rather than a literally – it is about obtaining organisational buy-in.
purely historical-based approach. Things do not happen just because a manager says they
should. In developing recommendations or action plans,
› Delivering real insights to the audit committee and
the internal auditor will have spoken to those who actually
executive management – not just a list of things that
do the work and who will be affected by the change. If
need fixing.
these people see their ideas within the changed process,
› Providing management requested services at the time they will be well-disposed towards it.
they will be really useful – not in the next internal
Enable action by removing barriers – The primary
audit plan when it will be too late.
barrier is often inertia, so continual monitoring or progress
Global Internal Audit Standard 9.2 ‘Internal Audit Strategy’ towards the change is important. It may be necessary to
emphasises that internal audit must have a strategy identify and address specific barriers such as organisation
that supports the strategic objectives and success of the structure / appropriate tools / lacking information
organisation. necessary to do the job. Internal audit monitoring of action
Secondly, Internal Audit must be, and be seen to be, plan implementation must not be a process of simply
competent to deliver necessary services. Individual reporting management’s commentary, it must go further to
internal auditors must hold appropriate qualifications and analysis and assistance.
work to maintain and develop their knowledge, skills and Generate short-term wins – Some recommendations and
experience. Part of the chief audit executive’s obligation in action plans have an extended timeframe for completion.
developing an internal audit strategy is determining what

© 2024 - The Institute of Internal Auditors - Australia 4

 Internal Audit as a Key Agent of
Change
They should be structured in a way that enables some implementation can help sustain this process.
immediate and obvious improvement. Short-term success
Institute change – The internal auditor should consider the
is a reward for those undertaking the work.
need for post-implementation follow-up. This might be a
Sustain acceleration – It is possible some will interpret formal review or might simply be informal enquiry at a time
early success as indicating the change is successful after implementation is completed. The internal auditor
and requires no further action. It is important to follow should assure themselves the new process is achieving its
the process through to formal completion. Once purpose, is properly documented, and fully incorporated
again, ongoing monitoring of management action plan into the training and quality programs of the business area.

What are Key Agent of Change Benefits?

Benefits from internal auditors being a key agent of change may include:

Benefits Description
For the Organisation
Help Build a Better Organisation › Offer internal audit services that have a real impact on
the organisation and its success.
› Offer forward-looking internal audit services especially
for ‘in flight’ major projects and business initiatives.
› Offer a range of internal audit services with each
one specifically chosen to provide the most optimum
approach and outcome for the individual topic.
› Provide advisory and management requested services
at the time they are needed.
› Drive innovation for new and enhanced ideas and
ways of working.
Move from ‘Problem Finder’ to ‘Problem Solver’ › Apply a solution-oriented lens to everything internal
audit does.
Achieve Engaged Stakeholders › Work in a collaborative partnership with management
for enhanced outcomes.
› Co-ordinate with stakeholders to ensure a shared
understanding and co-ordinated approach.
For Internal Audit
Innovate and Work Smarter › Implement agile approaches to reduce internal audit
service delivery time and impact on the organisation.
› Deploy technology to automate manual auditing
techniques for superior results benefiting internal
audit and the organisation.
Enable Technology › Implement internal audit digital strategy and constantly
evolve to leverage technology for enhanced
assurance.
Become an Internal Audit Employer of Choice › Become an internal audit function with a good
reputation where candidates want to work.
Celebrate Success › Professional bodies recognise internal audit as ‘best
in class’ through invitations to share experiences /
technical publications / awards.

© 2024 - The Institute of Internal Auditors - Australia 5

 Internal Audit as a Key Agent of
Change
What are Key Agent of Change Attributes? Conclusion
Not every internal auditor is likely to become an agent of Summary
change – necessary attributes may include:
Internal audit is well-positioned to step up to become a
› Advanced soft skills – ‘What’s the best way to engage key agent of change in their organisation. Internal auditors
in this situation?’ can make a choice – continue to work ‘business-as-usual’
› Business acumen – ‘Do we have appropriate by pointing out control issues that need to be fixed or
knowledge of business principles and practices to expanding upon this to provide internal audit services that
make decisions and take the right actions?’ identify and contribute to organisation change.

› Collaboration and engaging with advanced facilitation Conclusion

skills – ‘Let’s all work on this together’. Internal audit is in a central position to influence change
› Inquisitive and questioning nature – ‘Why are things within their organisation. This includes convincing
done this way?’ management of the imperative for change and the
necessary strategy for making that change. If internal audit
› Lateral thinker – ‘Let’s think outside the box’. does not take up this challenge, they are not providing the
› Improvement-focused and solution-oriented – ‘Is there best internal audit service.
a better way of doing this?’ Bibliography and References
› Problem solver – ‘What’s the problem to be solved Bibliography
here?’
Chambers, R. & Perez, R., 2021. Agents of Change:
› Strategic communicator – ‘How can this drive Internal Auditors in an Era of Disruption. s.l.:Internal Audit
achievement of organisation strategy and objectives?’ Foundation.
› Strategic mindset – ‘What’s the big picture here?’ Cialdini, R., Wissler, R. & Schweitzer, N., 2003. The Science
At what point do internal auditors know they’ve become a of Influence: Using six principles of persuasion to negotiate
key agent of change? When: and mediate more effectively. GPSolo, 20(6), pp. 36-37.

› There is increase in management requests for internal International Internal Auditing Standards Board, 2016.
audit services. International Standards for the Professional Practice of
Internal Auditing. [Online]
› Cost savings and recoveries are identified.
Available at: https://www.theiia.org/en/standards/what-are-
› Internal audit analysis identifies trends. the-standards/mandatory-guidance/standards/

› Systemic issues are identified by internal audit and International Internal Auditing Standards Board, 2024.
remedied by management. Global Internal Audit Standards. [Online]
Available at: https://www.theiia.org/globalassets/site/
› Good practices are shared by internal audit and
standards/globalinternalauditstandards_2024january9_
adopted by management.
printable.pdf
› Percentage of advisory work as part of internal audit
Kotter, J. P., 2001. What Leaders Really Do. Harvard
plan increases year-on-year.
Business Review, 79(11), pp. 85-96.
› Percentage of internal audit plan focused on change
Kotter, J. P., 2007. Leading Change: Why transformational
initiatives increases year-on-year.
efforts fail. Harvard Business Review, Jan, 85(1), pp. 96-103.

© 2024 - The Institute of Internal Auditors - Australia 6

 Internal Audit as a Key Agent of
Change
Purpose of White Papers About the Institute of Internal Auditors–
A White Paper is a report authored and peer reviewed Australia
by experienced practitioners to provide guidance on a The Institute of Internal Auditors (IIA) is the global
particular subject related to governance, risk management professional association for Internal Auditors, with global
or control. It seeks to inform readers about an issue and headquarters in the USA and affiliated Institutes and
present ideas and options on how it might be managed. It Chapters throughout the world including Australia.
does not necessarily represent the position or philosophy
of the Institute of Internal Auditors–Global and the Institute As the chief advocate of the Internal Audit profession,
the IIA serves as the profession’s international standard
of Internal Auditors–Australia.
setter, sole provider of globally accepted internal auditing
Author’s Biography certifications, and principal researcher and educator.

This White Paper written by: The IIA sets the bar for Internal Audit integrity and
professionalism around the world with its ‘Global Internal
Andrew Cox MBA, MEC, GradDipSc, GradCertPA, Standards’ and associated professional guidance.
DipBusAdmin, DipPubAdmin, AssDipAcctg, CertSQM,
PFIIA, CIA, CISA, CFE, CGAP, CSQA, MACS Snr, MRMIA The IIA-Australia ensures its members and the profession
as a whole are well-represented with decision-makers and
Andrew Cox is Manager of Technical Services at the influencers, and is extensively represented on a number
IIA-Australia, responsible for technical matters including of global committees and prominent working groups in
contributions to the body of knowledge around Australia and internationally.
governance, risk management and internal audit.
The IIA was established in 1941 and now has more than
He was previously a chief audit executive at significant 230,000 members from 190 countries with hundreds of
organisations. He further developed the internal audit local area Chapters. Generally, members work in internal
external quality assessment process in Australia and has auditing, risk management, governance, internal control,
performed more than 300 of these in corporate and public information technology audit, education, and security.
sector organisations in Australia, Bahrain, Brunei, Kuwait,
Qatar, Saudi Arabia and the United Arab Emirates. Copyright
He has made presentations on internal auditing in forums This White Paper contains a variety of copyright material.
in Australia and internationally and has taught internal Some of this is the intellectual property of the author, some
auditing in Australia and other countries. He co-authored is owned by the Institute of Internal Auditors – Global or
the IIA-Australia publication ‘Internal Audit in Australia’ and the Institute of Internal Auditors – Australia. Some material
co-authored ‘Audit Committees – A Guide to Good Practice, is owned by others which is shown through attribution and
3rd edition’ issued by AICD / AUASB / IIA-Australia. He referencing. Some material is in the public domain. Except
contributed to ‘Sawyer’s Internal Auditing, 7th Edition’. for material which is unambiguously and unarguably in
the public domain, only material owned by the Institute
He is independent chair or member of a number of audit
of Internal Auditors – Global and the Institute of Internal
committees.
Auditors – Australia, and so indicated, may be copied,
Michael Parkinson BSc(Hons), GradDipComp, PFIIA, CIA, provided that textual and graphical content are not altered
CISA, CRMA, CRISC and the source is acknowledged. The Institute of Internal
Auditors – Australia reserves the right to revoke that
Michael is an internal auditor and risk management
permission at any time. Permission is not given for any
consultant in private practice. He has more than 30
commercial use or sale of the material.
years of experience in a range of government and
non-government environments. He has been active Disclaimer
in the development of risk management and internal
auditing standards and guidance for more than 10 years. Whilst the Institute of Internal Auditors – Australia has
Michael has practiced in Australia and South East Asia attempted to ensure the information in this White Paper is
and currently serves on a number of Audit and Risk as accurate as possible, the information is for personal and
Management Committees. educational use only, and is provided in good faith without
any express or implied warranty. There is no guarantee
Michael has been the recipient of the IIA–Australia Bob given to the accuracy or currency of information contained
McDonald Award and the IIA-Global Victor Z Brink Award in this White Paper. The Institute of Internal Auditors –
for services to the profession of internal auditing. Australia does not accept responsibility for any loss or
This White Paper edited by: damage occasioned by use of the information contained in
this White Paper.
Farah George Araj CIA, CPA, CRMA, CFE, PFIIA, QIAL

© 2024 - The Institute of Internal Auditors - Australia 7