New regulations, technologies and risks are upon us. The business environment is continuously changing, but changes these days may be happening faster than ever before. Internal audit’s responsibilities have been growing just as fast, and they are expected to keep growing as new challenges emerge.
With this in mind, we asked participants in two separate panel discussions I moderated at a MIS SuperStrategies conference what they think will be the greatest challenges internal audit leaders will face over the next three to five years. We also asked how such challenges could be effectively addressed. The participants were internal audit executives from the Metropolitan Transit Authority of New York, U.S. House of Representatives, Vanguard Group, Protiviti Inc., Clear Channel Communications, Metropolitan Atlanta Rapid Transit Authority, Talbots Inc., Georgia-Pacific LLC, and Coca-Cola Co.
Participants stressed that they have noticed the rate of change in the profession is so rapid that some risks (and their impacts) have substantially changed in the recent past. They also noted, almost universally, that chief audit executives (CAEs) are being asked to do more audits and address more risks without commensurate increases in resources.
Because of the speed and size of changes in the business environment and budget constraints within organizations, CAEs should strive for constant contact with the audit committee. Furthermore, they should continually update the audit committee regarding significant findings and new strategic and emerging risks. Other updates should provide the committee information on progress toward meeting the audit plan, audit findings that are not being resolved in acceptable time frames, and staff changes.
Ultimately, the goal of these audit committee contacts should be to show how every audit relates to an organizational risk. The education process is vital because more departments report to the audit committee. It is critical that committee members understand how internal audit is making itself relevant to the organization.
Greater audit committee involvement also increases the likelihood of internal audit success. If the audit committee knows what is happening and is asking the right questions to the right people, it sends a strong message throughout the organization. A caring management helps expedite implementation.
As internal audit departments have progressed from being Sarbanes-Oxley transaction checkers to enterprise risk management (ERM) addressers, the function’s human resource needs also have changed. Departments need to be staffed by people or have access to people (i.e., co-sourcing) who can audit the effectiveness of the key controls. Having more than just certified public accountants in the department is critical.
I believe every department should have someone who has been audited on staff. So many of the risks we are now addressing are not financial. These additional risks often require people with different company and industry knowledge to quickly recognize and understand them. A broader knowledge base makes the internal audit function more effective and valuable to the organization.
CATALOGUING THE CHALLENGES
The following responses of the CAE panelists are in no particular order of importance. An issue that may be a top priority in one internal audit department may be a lower priority in another department, but it is noteworthy that some of these audit executives – and, in some cases, virtually all of them – offered the following responses:
Focus on emerging risks; continually look at data to see shifts in business risks early on in the process.
Have people in the department with the necessary skills to quickly notice shifts in the risk environment. The profession has changed from being mainly transaction-based, as it was in the early days of SOX, to more risk-based. CAEs need to have people with the talent to recognize and address strategic and emerging risks. Smaller departments should develop networks throughout the organization to help them identify risks.
Use and leverage technology and integrate analytics. The audit process is being challenged as we learn more about the benefits of incorporating data analytics into the planning stage. Companies are using this ability to do continuous auditing with technology to identify those key controls to validate data. CAEs need to do more to build cohesive teams. They must develop strategies for blending different generations’ approaches. GenX’ers are more computer-oriented, whereas GenY’ers are more hard copy-oriented, with different communications preferences.
Address strategic risks. This is an area where more audit committees are asking internal audit departments to devote resources to understanding strategic changes, recognizing risks, and having a team qualified to address those risks.
Adapt to the rapidly changing control environment. To do this, internal audit departments need to partner with management to ensure proper hard controls, validations, confirmations, attestations and segregations of duties are allocated to the greatest risks. Ask if management is investing its key controls where the greatest risks exist and changing the key controls as new risks need to be addressed.
Form alliances with risk partners. Develop a cohesive strategy with representatives of other groups in the organization that also deal with risks. These could include the chief risk officer, chief compliance officer, chief ethics officer, chief legal officer and human resources executive. Doing so can help develop a comprehensive roadmap of the enterprise risks.
Be relevant and indispensable. The internal audit department must use resources in ways that benefit the organization. Create an annual plan that truly addresses key risk factors for the organization and goes after the “whales and not the minnows.” Everything the department does should be important to the organization.
Focus on key risks. Concentrate on high-probability, high-impact risks and high-probability, low-impact risks. Eliminate low-probability and low-impact risks from annual plans and audits.
Do the right thing. Audit executives emphasize being above reproach and not afraid to ask hard questions. As the fiduciary representatives of the audit committee, CAEs must be trusted by everyone in the organization with whom they come in contact. Sometimes a CAE is faced with a difficult and unpopular decision. To execute such decisions the CAE has to be respected and cannot look away from potential frauds or ethics violations, regardless of the level of the persons involved.
Satisfy needs of the audit committee. The internal audit department must be set up as a go-to resource for the committee. CAEs must keep their audit committees abreast of what the department is doing. CAEs also need to be attuned to committee members’ concerns and discuss those concerns with them. At a minimum, there should be monthly communication between the CAE and the audit committee chairman.
Keep up with the pace of change. The CAE has to keep abreast of the changes in the organization and how they could affect the risks that need to be addressed. Change can come from your own processes and entity-level controls, and from within industries and the regulatory environment.
Be a talent source for the organization. Have the right skill set. One way to achieve this is to move people in and out of the department, so there is a mix of experience with new staff. Every department needs to have a certain amount of turnover to bring in people with new ideas, fresh perspectives and new strategies.
Manage costs as responsibilities increase. The days of nearly unlimited budget increases that internal audit departments often saw in the years immediately following the enactment of the Sarbanes-Oxley Act are over. CAEs must manage limited resources with more acumen. Eliminate what the department might not need, increase the use of technology, be smart about travel and spend training funds wisely. Use interns, hire from within and develop homegrown talent to blend with outsiders to manage costs. Use department staff in more financially sensitive ways.
Be a strong partner in minimizing exposure to fraud. Redefine integrated auditing to include financial, IT and fraud risk assessments, then be aggressive wherever there is a high risk of fraud to the organization, whether from internal or external sources. SOX highlighted the need for internal audit to be proactive in addressing fraud. Fraud risk should be addressed in planning for every audit. Every internal audit group should conduct a fraud risk assessment and address the key risks annually.
A NEW SET OF PRESSURES
Think back to just 10 years ago, when we had to deal with the new demands of SOX. Remember the pressure. Today the profession faces pressures resulting from new regulations, technologies and business processes.
Internal audit departments that can anticipate and take steps to address the key challenges they’ll likely face in the next few years will make themselves more valuable to their organizations. That, in turn, will make their organizations more stable and trusted by the public.
The challenges and responses outlined by the 10 CAEs who participated in the SuperStrategies panel discussions no doubt reflect the challenges virtually all internal audit departments can expect to encounter, to one degree or another.
About the Author:
Joel Kramer is managing director of the internal audit division of MIS Training Institute.