Elevating Internal Audit Maturity: Technology, Innovation, and Zero-Based Budgeting

Introduction

“Progress is impossible without change, and those who cannot change their minds cannot change anything.” – George Bernard Shaw

Many organisations face challenges in evolving their internal audit function to be more efficient and technologically advanced. As the former CEO of SWAP Internal Audit Services, we were fortunate to have both the budget and the headroom to invest in efficient processes supported by technology, and I’ve witnessed firsthand the benefits that a mature internal audit can bring: enhanced governance, risk management, and control processes that position the organisation for success.

Through years of discussions with my network, I’ve found that most internal auditors desire improvement, but they often feel frustrated by outdated processes and limited use of technology. 

For those looking to increase the maturity of their internal audit function, I applaud you, and I’d like to share a five-level maturity model and strategy for moving from one level to the next. 

By weaving together the principles of zero-based budgeting, innovative technology adoption, and a structured maturity progression, we can create a clear, practical roadmap for evolving the internal audit function into a mature, technologically advanced, and highly efficient operation. By following this roadmap, you’ll be well-positioned to conform with the Global Internal Audit Standards (GIAS) emphasis on strategic planning, resource management, and continuous improvement. 

I firmly believe that we all have the opportunity to improve at any level. My hope is that you’ll learn practical steps to enhance your audit processes, optimise resources, and leverage technology for better risk management — no matter where you fall on the maturity curve.

Overview: 5 Levels of Internal Audit Maturity

Let’s start by highlighting concisely the five maturity levels (Initial, Infrastructure, Integrated, Managed, Optimizing), then explore concrete steps to advance from one to the next. 

Level 1: Initial

The internal audit function operates with ad hoc processes and activities, lacking formal methodologies and consistency. It is reactive, with minimal focus on governance, risk management, or adding value to the organisation.

Level 2: Infrastructure 

The internal audit function has a charter and established methodologies for repeatable processes. However, it only partially conforms to the Standards, with inconsistencies in applying methodologies.

Level 3: Integrated

The internal audit function’s role and independence are documented in the charter. It is an established provider of assurance and advisory services, coordinating with other providers. Methodologies and controls are well established and uniformly applied, achieving general conformance with the Standards. The function is well managed, with clear roles, responsibilities, and accountability. There is a focus on risk-based auditing, with audit plans aligning with organisational objectives. The chief audit executive manages and reports on the function, implementing a quality assurance program and using key performance indicators to monitor and improve effectiveness.

Level 4: Managed

The internal audit function’s strategy aligns with organisational objectives. It provides comprehensive, coordinated services, ensuring clear communication and alignment of governance and risk management processes. The chief audit executive uses a data-driven approach for audit management. Internal auditors leverage data analytics and technology to enhance efficiency and effectiveness. The function integrates quantitative and qualitative data to achieve strategic objectives and continuously improve. Continuous improvement initiatives optimise audit processes, delivering greater value and strategic advice to the organisation.

Level 5: Optimizing

At the highest maturity level, the internal audit function is optimally positioned with full independence and a comprehensive mandate. The chief audit executive and the function understand the organisation’s strategy and governance, risk management, and control processes, driving positive change. The function evolves to address emerging issues and future needs. Processes and communications are optimised, focusing on innovation, insight, foresight, and strategic value. Internal auditors provide proactive, forward-looking insights and advice to the board and senior management, supporting the chief audit executive in identifying themes across governance, risk management, and control processes.

Step-by-Step Process to Evolve the Internal Audit Function

Moving From Level 1 (Initial) to Level 2 (Infrastructure): Current State Assessment

Moving from Level 1 (Initial) to Level 2 (Infrastructure) involves transitioning from ad hoc, inconsistent processes to having a charter and established methodologies for repeatable processes.

As a first step, I recommend that you conduct a zero-based budgeting review to justify all existing internal audit resources, activities, and tools from a fresh baseline. This method will help you identify and eliminate redundant or outdated activities, freeing up funds for critical areas such as technological investments and training.

Additionally, identifying current technological gaps and evaluating affordable foundational tools like basic data analytics platforms is crucial for establishing a baseline of the internal audit function’s current state. Starting pilot programs for continuous monitoring tools can help understand how real-time data can complement traditional audit cycles. These steps will ensure a fully rationalised budget and resource model, initial data analytics capabilities, and a roadmap for future technological investments.

Action Items:

• Conduct a zero-based budgeting review.
• Identify current technological gaps and evaluate affordable foundational tools.
• Start pilot programs for continuous monitoring tools.

Moving From Level 2 (Infrastructure) to Level 3 (Integrated): Strengthening Internal Controls and Processes 

Moving from Level 2 (Infrastructure) to Level 3 (Integrated) involves transitioning from having a charter and repeatable processes with some inconsistencies to becoming a well-established, independent provider of assurance and advisory services with well-documented roles, standardised methodologies, and a focus on risk-based auditing aligned with organisational objectives.

Expanding your training for your internal auditors on risk-based auditing, analytics, and technology-enabled audit techniques is essential. Introducing continuous auditing processes, leveraging automated data extraction and basic visualisation tools to identify and report risks in near-real-time, can significantly enhance your internal audit function’s ability to identify and report risks. Aligning audit plans dynamically with emerging risks and ensuring that resource adjustments are justified through analysis is also crucial. These steps lead to standardised risk-based methodologies, consistent use of RPA for repetitive tasks, and dynamic audit plans that reflect current risk profiles.

Action Items:

• Expand training for internal auditors on risk-based auditing, analytics, and technology-enabled audit techniques.
• Introduce continuous auditing processes with automated data extraction and visualisation tools.
• Align audit plans dynamically with emerging risks and justify resource adjustments through zero-based analysis.

Moving From Level 3 (Integrated) to Level 4 (Managed): Developing a Comprehensive Audit Framework 

Moving from Level 3 (Integrated) to Level 4 (Managed) involves transitioning from being a well-established, independent provider of assurance and advisory services with standardised methodologies to aligning the audit strategy with organisational objectives, using data-driven approaches and technology to enhance efficiency, and fostering a culture of continuous improvement and innovation.

Incorporating a governance, risk, and compliance (GRC) platform to centralise risk data, audit findings, and control testing results is my recommendation. Using machine learning models to identify patterns in audit data and prioritise areas with higher potential risks can also enhance your internal audit function. Regularly reassessing resource allocation using a zero-based approach ensures that all investments in technology, staff, and external services are justified by their contribution towards your audit goals. These steps provide for a GRC platform operational and integrated into daily workflows, AI-driven insights used to shape audit priorities, and consistently optimised resources.

Action Items:

• Integrate a governance, risk, and compliance (GRC) platform.
• Use machine learning models to identify patterns in audit data.
• Regularly reassess resource allocation using a zero-based approach.

Moving From Level 4 (Managed) to Level 5 (Optimising): Embedding Continuous Improvement and Innovation 

To deliver the final step, Level 5 (Optimising), involves transitioning from aligning the audit strategy with organisational objectives and using data-driven approaches to achieving optimal positioning with full independence, a comprehensive mandate, and a focus on innovation, foresight, and strategic value, driving positive change and addressing future needs.

Therefore, your internal audit function’s strategy should align with your organisation’s strategy and objectives. You will use data-driven approaches, data analytics, and technology tools to enhance audit efficiency and effectiveness. Establishing a culture of innovation where auditors are encouraged to experiment with new tools, techniques, and approaches is crucial. You may partner with external experts and vendors to remain at the cutting edge of audit technology, but maintaining a clear framework for cost-justification and return on investment (ROI), is also recommended. These steps position the internal audit function as a strategic advisor to the organisation, using advanced technology to proactively enhance governance, risk management, and controls.

Action Items:

• Establish a culture of innovation within the internal audit function.
• Partner with external experts and vendors to stay at the cutting edge of audit technology, ensuring cost justification and ROI.

Ready to Move to Your Next Level? 

I believe the integration of zero-based budgeting, technological innovations, and a structured maturity progression is essential for evolving any internal audit function into a mature, technologically advanced, and highly efficient operation. This approach ensures that resources are optimised, risks are effectively managed, and the audit function adds strategic value to the organisation. 

I would recommend that CAEs share and discuss this approach with the Audit Committee, supported by the audit strategy, and start by assessing their current state and progressively implementing the steps outlined in this article. By following this roadmap — and I know it works! —  internal audit functions can achieve higher maturity levels, leading to better governance, risk management, and overall organisational performance. It’s a win-win and can be a very exciting journey.