KnowledgeLeader Blog

Mining Internal Audit’s Capabilities and Needs

Posted by Sharise Cruz on Wed, Aug 21, 2013 @ 09:51 AM


Ongoing professional development is essential for today’s internal auditors, says Brian Christensen, a member of Protiviti’s executive leadership team who reviewed results of the company’s 2013 Internal Audit Capabilities and Needs Survey in a recent webcast.

“We are seeing increasing demands to improve operational processes, to ensure proper risk management and controls, and to stay informed on the changing dynamics of business and technology,” Christensen said.

At the same time, internal auditors are enjoying a broader range of career paths and becoming innovative thinkers in order to meet the needs and challenges of a changing environment.        

Christensen was joined in the webcast by Kevin McCabe, former chief audit executive for Wells Fargo & Co., and Michael Thor, managing director in the internal audit and financial advisory solution practice at Protiviti and information technology lead for its mid-America practice.

The survey – the seventh in a series – was designed to assess how internal auditors perceive their current capabilities, where they see the need to improve, and how they prioritize such needs. It specifically addresses social media and processes, general technical knowledge, audit process knowledge, and personal skills and capabilities. More than 1,000 professionals from various industries and positions provided input.


Survey respondents identified social media as the top need-to-improve area, primarily due to its rapidly growing use throughout the enterprise and the attendant risk it brings. Over the past two years, Thor says, organizations have rapidly incorporated an outpouring of social media applications, and new ways to use the tools crop up weekly.

Among the top tangible risks associated with social media and the audit process are disclosure of company information, ethical use of social media, disclosure of employee information, approved use of social media applications, information security, an organization’s purpose in using social media, approved use of community forums, and employee training.

“The need to address strategy, purpose and a coordinated approach is critical to the successful use of social media and in preventing undue risks,” says Thor.

Those surveyed indicated that social media risk already is on their radar. Fifty-five percent reported that they are or will be addressing social media in next year’s audit plan. The top-three ranked areas of risk were brand or reputation damage, data security, and regulatory compliance.

Eighty-four percent of survey participants said social media risk management capabilities were either ineffective or moderately effective; however, successful auditing in this area yielded a number of perceived benefits, the top three being the ability to monitor reputation risk, to identify risks earlier and to reinforce overall business strategy.

Roadblocks to surmount include inadequately trained staff, perceived risk, lack of management support, inadequate technology and lack of IT support.

Thor calls social media one of the newest and most exciting areas that auditors are diving into – a medium in which a lot of organizations have a variety of exposures. Internal auditors need to think through these risks to see how they can address them with existing internal audit plans and practices. That starts with how the organization utilizes social media risk, which is often a hard question to answer, according to Thor.

“Every internal audit department is going to need an expert on social media,” McCabe observes. “You will be paid a premium if you get to know what your company is doing in this area. If you’re still junior enough that you are being assigned to specific audits, I would really suggest this be an area to volunteer.”


Survey respondents ranked social media applications as the top need-to-improve area of competency in terms of technical knowledge. Others involved keeping up with recently enacted IIA Standards, technical support and cloud computing.

Comparing 2013 results to 2011 results, those surveyed reported the highly dynamic nature of social media opportunities for organizations – but also a host of new security, privacy, legal and reputation risks for internal audit to recognize, understand and monitor. Applying a rigorous and regimented process for identifying and modifying social media presents a difficult challenge for the internal audit function. Similarly, dynamic knowledge areas inside and outside the organization require improvement, whether it’s harvesting big data or responding to the external needs of upcoming changes in framework such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO). In addition, changes in IIA Standards and supporting technical knowledge will require an auditor to remain diligent in their day-to-day activity.

The trend is similar for chief audit executives, whose responses mirror those of the general internal audit constituents as a whole. A three-year comparison shows social media and cloud computing have risen in prominence – an indication that auditors are getting more comfortable with those concepts. General technical knowledge of the COSO internal control framework and other changes also remain high among CAEs and their staff.

With the recent release of the 2013 COSO Framework, the COSO cube has been expanded and updated to provide implications of other changing governance structures within organizations. These conditions call upon auditors to understand the governance oversight, globalization and overall enterprise risk. Auditors at all levels are starting to recognize that they can be instrumental in helping to educate and dedicate the framework to their organization.


Thor says survey responses to queries about audit process knowledge identified fraud detection/investigation, prevention and monitoring as key priorities for improvement. And for the fourth consecutive year, data analysis tools and computer-assisted audit tools (CAATs) surfaced as need-to-improve areas. It’s no surprise, he notes in the webcast, considering the increasing number of organizations that continue to collect larger volumes of bigger varieties of data at a faster rate than ever.    

Internal audit plays a key role by working with organizations to assess and manage big data-related risk. Specifically, internal auditors must audit processes related to governance, classification, retention and security; at the same time, auditors are users of big data. Availability of all this information to IA provides an opportunity to use it in audit scoping, audit execution, continuous monitoring and fraud monitoring.

In addition, as more tools are released, the need for internal audit to be current on the newest technologies increases. Comparing 2013 with 2011, CAE process knowledge results reveal that auditing IT and new technologies ranked number two on the CAEs’ list of priorities. As new technologies involving cloud computing and tools around development, productivity, and modeling technologies are adopted more quickly than in the past, there’s a need for IT to understand them and their associated risks. For internal audit, this becomes a challenge.

Comparing process knowledge by company size, Thor says it is noteworthy that internal auditors in mid-size companies link quality assurance and improvement together as a high need-to-improve review area. This is reflective of a mature internal audit department, one having a defined QA review process in place in accordance with IIA Standards. Many of these organizations may meet the five-year QAR requirements but often fall short of having a defined internal review process.

Thor says many organizations, when looking at big data, have focused on how to manage risk associated with such centralized data and the additional risks that occur around security, compliance, segregation of duties and continuity.

“I think internal audit organizations have been quick to make sure they are addressed in their audit plan,” Thor says. “However, we’re also seeing a focus of how internal audit can use big data more effectively themselves to become more efficient and more proactively identify risk to the organization by mining the data.”

The focus recently has been on fraud risk and how to better leverage this data to identify and mitigate the serious problem. The Association of Certified Fraud Examiners in 2013 reported that companies lose $3.5 trillion to fraud each year. It is a risk that every organization, regardless of size or structure, must address.

There are more opportunities now for auditors to leverage technology. Previously, we looked at subsets of information; now we can examine real-time data across the entire organization and do full sample-set testing. Organizations must find more ways to effectively use the tools available to them.


The survey polled 19 areas of personal skills and capabilities. Among them, dealing with confrontation, negotiation, persuasion, high-pressure meetings, and public speaking rank as top areas for improvement.

“I think this may be surprising when you think of it in historic context,” Christensen says. “The stereotypical expectation of an auditor was someone who is technically oriented, heads-down, who [doesn’t] bring things forward. Expectations have changed, and now the priorities we’re seeing in an auditor’s profile is one who is more collaborative, more proactive and even looks at some of the strategic functions of the organization. Whether you’re looking at experienced CAEs or auditors at the entry level, the auditor of tomorrow needs to be artful in working with others. It’s no longer acceptable just to be a technical expert hunkered down in the cube.”

Comparing results over the past three years, the personal skills and capabilities internal auditors acknowledge as key areas for improvement in 2013 reflect the functional strategies and challenges they confront. The transformative nature of social media, ongoing economic volatility and the ever-quickening pace of business change appear to be motivating the focus on relationships within the organization and how auditors deal with people. This year’s results also point to strategic thinking as a critical priority, suggesting another positive development for the profession: internal audit is being called on more often to provide insight and analysis before strategic decisions are made, and ultimately those decisions include key considerations related to risk and opportunities.

The concerns of CAEs are consistent with results of prior years. The key difference between the CAE and the overall internal audit results is that the CAEs are seeking to develop more board committee relationships, outside contacts and networking opportunities. Mastering new technology and applications also ranks high among them. From the perspective of company size, one can see a pattern of deep personal skills in dealing with difficult areas such as confrontation, negotiation and persuasion – soft skills that are ever in demand.

When you break it down, it’s still about people, Christensen says. The outlook for internal audit is very positive; the people element has never rated higher.


The 2013 Internal Audit Capabilities and Needs Survey provides plenty of food for thought on the importance internal auditors assign to professional development in the light of a rapidly changing environment with new challenges at every turn.

As the webcast speakers succinctly put it: due to the increasingly complex and integrated nature of business and the internal business processes, fewer companies can afford the inefficiencies that occur when business functions, units and teams operate in silos. To monitor and analyze business processes effectively, internal audit must work in an increasingly collaborative fashion with virtually all areas of the organization.

Click here to listen to the recorded version of the March 2013 webcast and view the examples discussed in this article.  You also have the opportunity to benchmark yourself against other organizations. 



This article was written by Thomas Witom.

Topics: Internal Audit, IT Audit, Audit Committee & Board, Audit Planning
