The world as we know it is rapidly changing. For example, 3D printing devices are revolutionizing design and manufacturing; automated drones are transforming the way goods are delivered; big data analytics are enabling people to slice and dice through mountains of data to uncover new insights; mobility and the cloud are changing the way we work; and the Internet of Things is connecting people and devices in exciting new ways.
As these changes occur, risks are also emerging and changing at a tremendous pace. What does that mean to us, as internal auditors? Can we continue doing things the same way as before or should we be responding to change in an agile and nimble manner? Are we stuck on hindsight, evaluating the risks of the past, or are we focusing on insight (managing the risks of today) and foresight (anticipating the risks of tomorrow)?
Richard Chambers, President and CEO of the IIA, recently blogged about the need to “audit at the speed of risk.” The truth is that competitive risks, technology risks, economic risks, and other external risk factors are constantly changing and internal auditors must find a way to keep pace.
In this context, what are some of the things that internal auditors should be doing to create and preserve value for their organizations?
The Internal Auditors of Tomorrow
In KPMG’s 2014 survey of global audit committee members, more than 80 percent of survey respondents said that the internal audit’s role should extend beyond the adequacy of financial reporting and controls to include other major risks and challenges faced by the company. Yet, only 50 percent of respondents said that internal audit has the skills and resources to be effective in the role they envision.
A few years ago, PricewaterhouseCoopers (PwC) reported that, “…risks have shifted, and expectations have risen, and all internal audit functions need to rise to this new floor: providing assurance on a broader range of critical risks and clearly communicating deeper insights, all while staying in complete alignment with stakeholder expectations.”
These observations continue to ring true today. Boards and management teams are increasingly calling on internal auditors to address the risks that matter to them (the board and executive management) and are relevant to the achievement of corporate objectives. That requires a fundamental shift in the way internal audit traditionally does things.
The internal auditors of the future can be differentiated by their ability to:
- Provide assurance on today’s and tomorrow’s risks;
- Focus on macro-level risks, while still covering micro-level risks, or causal factors contributing to significant enterprise-level risks;
- Develop a vision of emerging risks;
- Deliver insights, opinions, and advice in a far timelier manner;
- Add value by helping improve operations instead of just identifying areas of weakness; and
- Leverage technology to better monitor risks and to improve the quality, efficiency, and value of intelligence obtained through audits and continuous monitoring efforts.
Here are a few best practices of how to achieve these goals and expectations:
Integrate with the Enterprise Risk Management (ERM) function to continuously monitor risks
The IIA and RIMS have advocated a stronger alliance between risk management and internal audit, saying, “The two functions make a powerful team when they collaborate and leverage one another’s resources, skillsets, and experiences to build risk capabilities within their organizations.”
The key is to link audit plans with the strategic objectives, management’s assessments and evaluations of risk, and first line-of-defense key indicators and metrics (e.g., KPIs and KRIs). We should share insights and promote and strengthen risk practices within the organization to better achieve stakeholder expectations. Also, we should meet with the ERM function regularly to identify the most significant risk areas, so that targeted actions can be taken.
Shift to dynamic audit planning
Gone are the days when audit plans were developed just once a year. Today’s boards and management teams want information – assessments and recommendations for improvement – about the risks they are managing as they lead the organization. Those are the risks of today and tomorrow, not the risks as of the end of the prior year.
Annual audit plans cannot ensure that internal audit is assessing the risks that matter to the success of the organization. So, make sure that audit plans are continuously updated in response to the changes in risks and business environments. Dynamic audit planning requires technologies to monitor the emergence of new risks and identify changes in existing risks.
Also, we need to enhance audit efficiency and run the Internal Audit division at least as efficiently as the CFO runs finance. Identify what the team can stop doing without impacting their services. Cut out any activities that are non-essential or failing to add sufficient value.
Do your homework
Take the time to understand the activity or function that needs to be audited. This way, it becomes easier to spot key trends, ask valuable questions of auditees, and identify ways to address the more significant risks to the enterprise.
Study the data. For instance, look at performance indicators. If the organization has failed to achieve a performance goal, it’s very likely that a risk isn’t being managed properly, or a control isn’t working as it should.
If data is scant or unavailable, the auditor can provide enhanced value to the organization by identifying information ‘holes’ and recommending enhancements so the resulting intelligence may not only help the business itself, but also the auditor in their understanding of the activity or risks.
Don’t just report but communicate
Audit reporting is not simply about writing an audit report. It’s about communicating results in a way that is timely, relevant, and useful to stakeholders. Identify what needs to be communicated, to whom, and when. Focus more on their needs for information than on what you want them to know. There is a huge difference! Use the language of the business so that they will not only be able to understand but will be able to relate what you say to the strategies and objectives they are pursuing.
How can internal audit communicate more quickly, meeting the needs of stakeholders for the information they require to run the business successfully? Consider integrating internal audit reporting into the metrics and tools that management uses (such as dashboards), so that they can take assessments and recommendations into account and make decisions to steer the organization towards success.
Train auditors to use their eyes, ears, and mind
While many audit activities can be performed with technology, we still need human intelligence to get the most value out of an audit. Train auditors not only to use technology, but also to sharpen their innate abilities such as the power of human observation. Many auditors are so well trained that as soon as they walk into a facility, they can tell if the place is run well or not. Perhaps they’ve noticed materials scattered around gathering dust, or the employees looking tired and lethargic.
Well-trained auditors also understand the importance of listening. In fact, we say to our teams, “Don’t meet people to talk, but to listen.” Management has many insights that can be of value to auditors if we would only listen and take the time to understand what they say.
Auditors should also be developing their critical thinking skills – reasoning, evaluating, problem solving, analyzing, and decision-making – in order to provide creative, quick, and valuable solutions to stakeholders.
Leverage technology to enhance audit efficiency and effectiveness
As organizations grow larger and more diverse, and the velocity of risk and growing new risks are more apparent, internal audits are becoming increasingly complex. Fortunately, as eluded to in our earlier discussion, technology has advanced so much that it cannot only simplify audit activities, but also improve the quality of results. With today’s technology, both generalized tools used by the organization (such as by financial analysts) as well as tools specifically for auditors and risk professionals, the auditor has the ability to access and analyze tremendous volumes of data (both inside and outside of the organization.
Here are some of the key benefits of using a technology infrastructure:
- Enables a standardized method of gathering closer-to-real-time inputs for audit planning, audit project execution, and reporting. Aligns audits with risks and organizational goals for optimal value.
- Facilitates a consistent, risk-based approach to internal audits.
- Provides closer-to-real-time risk insights and intelligence through powerful reporting and analytics tools, either directly or though integration with other 3rd party analytics tools.
To achieve these benefits, let’s look at some of the key aspects that a technology infrastructure should have. A centralized platform level data architecture is particularly important as it enables multi-dimensional mapping of risks that matter to the organizational structure to first, the enterprise’s objectives and strategies, and next, to where the risks live (business units, processes, projects, and IT applications, suppliers, etc.) – then last, to the expected risk mitigants (e.g., controls, policies and other documents). With this data structure, the workflows related to activities to monitor and report (i.e., process design reviews and audit test) may be overlayed onto this relational data structure. This integrated approach helps in understanding the relationships between various data elements, and enables more targeted and focused audits.
Many organizations have already started to build a centralized library mapping all their risk and audit data together. Others have a gone a step further and integrated their audit systems with external information sources (e.g. KPIs, supplier scorecards, and social media monitoring applications) to pull, push, and link data in a way that enables auditors to get a truly in-depth view of top risks and control weaknesses across the enterprise.
In a bid to improve the efficiency of audit activities, internal audit divisions are replacing their siloed tools and spreadsheets with audit systems that can streamline and automate audit workflows across the enterprise. This allows them to minimize redundancies, save time and effort, and focus their attention on more important activities such as analyzing audit results, and gaining management agreement on the appropriate mitigating actions.
Reporting tools have also become essential to audits. Risk scorecards provide historical and real-time risk ratings across the enterprise. Advanced reporting and dashboard functionalities roll up risk and audit data from various business units, summarizing the results and observations, and highlighting critical information. Rich analytics help derive valuable business intelligence that, in turn, enables boards, and management teams to make more informed decisions.
Other tools that provide value to audits include offline audit capabilities (which allow auditors to record their findings in remote areas without access to the corporate network, and later synchronize their data with the central audit repository), as well as mobile audit apps (which enable auditors to record their findings, attaching evidence in multiple formats, on the go from the convenience of their tablets or mobile devices).
Famed sculptor and artist, Michelangelo once said, “The greatest danger for most of us is not that our aim is too high and we miss it, but that it is too low and we reach it”.
Perhaps, it’s time for us as internal auditors to start aiming higher – to keep pace with the risks and environmental changes around us, to deliver timely insights that matter to the business, and to better address the needs of our boards and executives. It’s then that we can be true assets and enhancers of our organizations.
Norman Marks – Evangelist and Mentor in Internal Auditing, Risk Management, and Corporate Governance
Mr. Marks, CPA, CRMA is an evangelist for “better run business”, focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He was the chief audit executive of major global corporations for twenty years and is a globally recognized thought leader in the professions of internal auditing and risk management. In addition, he has served as chief risk officer, compliance officer, and ethics officer, and managed what would now be called the IT governance function (information security, contingency planning, methodologies, standards, etc.). He ran the Sarbanes-Oxley Section 404 (SOX) programs and investigation units at several companies. Mr. Marks is a member of the review boards of several audit and risk management publications (including the magazines of ISACA and the IIA), a frequent speaker internationally and the author of multiple award-winning articles.
Kristen Gantt – Regional Vice President Industry Solutions, MetricStream
Ms. Gantt has made it her passion to make a difference with firms who are seeking greater risk transparency, and to optimize their risk management capabilities. For nearly three decades, she has helped guide her clients and the companies she’s worked with through GRC / ERM process improvement and other risk management efforts, by staying ahead of the curve with emerging technologies, risk data structures and other solutions.
Ms. Gantt started her career as an Internal Control Analyst with Chase, and spent a number of years with JPMorgan and other major financial institutions as a Sr. Audit Manager / Audit Director. She then focused her efforts into risk advisory consulting — building trusted advisory relationships and delivering GRC related solutions with numerous global Banks, Broker/Dealers, Asset Management and Insurance firms, primarily in the New York metro area. She accomplished this by starting and build out Jefferson Wells’ (now Expiris) New York office financial institutions consulting practice, further expanding her efforts to start-up UHY Advisors – NY Enterprise Risk Advisory Services (ERAS) practice, as well as her own firm, ATS (‘Anticipate-the-Shift’) Solutions, LLC. Ms. Gantt further established the joint venture with RiskBusiness International to extend risk taxonomy and Key Risk Indicator libraries to both GRC tools companies and with financial institutions in the Americas.
Ms. Gantt is a CPA, resides in New Jersey with her husband, and is an avid sailboat racer – the ultimate team sport!