Historically, internal audit has followed an established process and a set of pre-defined checklists to review compliance with standard controls, procedures, and policies. While this traditional approach has undoubtedly been useful in delivering assurance, internal audit can add greater value to the business by being proactive, expanding its scope, and adopting more agile methods. Organizations today want to know if something is going wrong or can go wrong in their business well before it actually does. The senior management and board expect audit to provide insights on strategic initiatives, risks, and compliance issues that can impact business performance. To meet these expectations, and be treated as valued strategic advisors, auditors need to find a balance between the twin objectives of value protection and value creation.
Now, more than ever, internal auditors are needed at the executive and boardroom table. But to acquire this privilege, auditors must be able to provide insights that the business values – insights that impact performance and growth, highlight the risk profile of the company, and help the board and senior management make informed strategic decisions.
For a long time, auditors have followed a fixed course: they have looked at auditable entities, and performed risk assessments to chart an audit plan. But with the growing need to focus on the bigger picture, auditors need to be more strategic – to look at multiple departments, examine inter- and intra-departmental processes, and identify possible issues, frauds, and control failures. They also need to evaluate the effectiveness of the risk and compliance frameworks established by the second line of defense. The aim for auditors should be to gain a broader view of the business by understanding both enterprise-level and department-level risks, while also determining the interconnections between these risks, and the effectiveness of risk taxonomies that are followed. This knowledge can be used to better identify and mitigate risks, and to manage compliance violations that can impact business performance. Today, there are rising global concerns around company ethics and integrity, data privacy, and cybersecurity.
According to a 2017 BDO Cyber Governance Survey, 79% of public company directors report that their boards are more involved with cybersecurity than they were 12 months ago, and 78% say they have increased company investments to defend against cyber-attacks. Risk velocity has also increased in today’s global, interconnected world. Organizations need auditors to provide timely, proactive insights that can help them prepare for and manage all these risks in an efficient manner.
To be treated as a trusted strategic advisor, internal audit must evolve to do the following:
Be agile: Audit should be agile because businesses today are dynamic. Navigating the shifting sands of internal and external environments, while still being relevant, requires audit to keep pace with the world, as well as with the changes within the organization. Audit planning should be agile enough to incorporate not only external risks and regulations, but also internal changes, including new business models and new technologies.
Progress from assurance to advice and insight: While assurance is necessary, audit must also be able to deliver timely business advice and insights to be considered a valued partner to the board and an indispensable part of the strategy table. While insights on cost reduction and operational efficiencies are certainly helpful, the board and senior management will also welcome ideas on how to improve business performance, revenue, brand reputation, and valuation.
Share actionable information: Providing data that the board or management cannot act on makes audit simply a spectator during strategic discussions. Delivering actionable information, on the other hand, will make business functions sit up and take note of audit’s value
Communicate better: Audit may have important information to share, but this data needs to be communicated in a way that highlights the risks to the organization, and emphasizes their impact on business performance and reputation. Auditors should always view information from the decision-makers’ lens, and communicate it accordingly.
Help the business with early warning signals: By increasing visibility into enterprise risks, auditors can help organizations better understand key strategic and emerging risks, and take the necessary steps to insulate business operations. As risk and compliance management are moved to the first line of defense, auditors will play a crucial role in helping these frontline units understand how to manage their processes better, mitigate risks, and drive performance
Adopt technology: There are multiple new technologies to help auditors simplify audits, leverage transactional and process-level data to identify frauds, and analyze the gathered data to generate valuable business insights. By leveraging real-time data from other systems, and identifying risk or compliance patterns, auditors can predict potential risks, control failures, and audit issues
Upskill: To provide better insights and strategic advice, auditors need to improve their skills in multiple areas. They need to know more about the business domain, emerging risks, and current and emerging business models. Analytics is an important area that auditors need to focus on to correlate data, identify patterns, and conduct behavioural analyses of employees.
Organizations are adopting digital technologies faster than ever before. But with these new technologies come multiple types of risks such as cybersecurity risks, data privacy risks, and third-party risks, as well as new regulations such as the General Data Protection Regulation (GDPR). Auditors need to be able to include all these risks and compliance requirements in their audit plans, while assessing the use and management of new technology. It’s audit’s responsibility to ensure that there are enough controls and processes in place, and that employees have understood the published policies, and are trained to follow them. Auditors also need to determine if there are comprehensive plans in place for risk mitigation, business continuity, and incident response.
In 2017, Kobe Steel, a major Japanese steel manufacturing company, was rocked by reports of a massive data-fudging scandal that allegedly led to sub-quality steel being shipped to more than 500 firms. Those affected by the scandal included big names in the auto industry such as Toyota, Nissan, and Honda, as well as Boeing in the aerospace industry. It’s a scandal that arose from the company’s overzealous pursuit of profits, and as the first quarter of 2018 ended, the impact of the incident became clearer: Kobe Steel’s CEO and Chairman, Hiroya Kawasaki, stepped down, as the company strove to resolve a deepening crisis, and repair its fractured corporate culture. Culture is key in building a successful business. Auditing culture requires a different skill set: auditors need to understand how culture is embedded into employees’ objectives and goals, and how these objectives will be achieved. Auditors also need to adopt relevant tools, approaches, and technologies to capture employee behaviour.
Auditors need to adopt a dynamic approach to audit planning that incorporates various types of risks. The plan should be agile and adaptable to changes in risk with a focus on both today’s and tomorrow’s risks. MetricStream recently conducted a survey on the state of internal audit in 2018. More than 86% of the respondents reported that risk ratings or scores are one of the top four criteria based on which an auditable unit or entity is included in the audit plan. The other three criteria include open issues or audit findings from previous audits, regulatory considerations, and KPIs or KRIs from various IT systems.
While the majority of the respondents (77%) indicated that they change their audit plans based on requests from the executive management, board, or audit committee, 60% said that they change their audit plans based on changes in the risk environment.
All assurance functions are tasked with ensuring that organization-wide risk and control structures are effective, and that risks and compliance obligations are identified and addressed on time. However, there are differences between these functions when it comes to guidelines, reporting responsibilities, level of independence, and the reliability of assurance. With the responsibility for assurance shared between the three lines of defense, there needs to be effective collaboration between them i.e. audit, risk and compliance, as well as business units. Through better coordination, assurance providers can ensure proper coverage of risk and compliance, reduce the duplication of effort, and provide confidence to the senior management and board.
Internal auditors are in an ideal position to gather and correlate information about different business processes, organizational objectives, risks, controls, and technologies. Using this data, they can provide valuable insights on ways to improve the business. But to get there, internal auditors will first need to understand the bigger picture, improve their skills, and find ways of providing faster, more actionable information to the senior management and board.