Organizations around the world, in nearly all industries, have experienced some degree of stress or turmoil caused by the global economic recession. In this environment, internal auditors are playing a vital and growing role in monitoring and helping improve organization-wide systems, processes and controls. This role likely will continue to grow in the next few years as organizations address not only financial pressures, but also regulatory pressures that governments impose in response to the financial crisis.
With this is mind, the April 2009 MIS SuperStrategies conference in Las Vegas, included a panel discussion that moderately focused on, “Internal Audit and its Formidable Challenges.” As sometimes happens on these panels, one question in particular grabbed the panel’s attention and led to a lively discussion. The answers sparked by the question, “What do you think are the greatest challenges in the next three to five years?” proved to be the basis of this article.
The answers that follow distill thoughts from the entire panel:
- Carolyn Sloan, CPA, Vice President, Internal Audit, Temple-Inland;
- Robert A. King, CPA, CISA, CFE, Vice President, FedEx Corporation;
- Sandra L. Cartie, CPA, Chief Audit Executive, Bristol-Myers Squibb Company;
- Karl Riem, CPA, CISA Senior Vice President, Senior Audit Director, Wells Fargo; and
- Robert B. Hirth, Jr., CPA, CA, Managing Director, Protiviti.
The responses to this question appear below in no particular order of importance.
1) Focus internal audit work so that it is risk-based, not just transaction-based – This means internal audit must look at the true risks the organization faces. For example, supply capability risk is often overlooked or underappreciated in many organizations. Internal auditors need to evaluate key suppliers’ economic viability and business models to make sure they have the infrastructure to remain reliable suppliers as market and financial conditions change. Furthermore, it is often necessary to evaluate the suppliers’ own suppliers. If we look at the current upheaval in the automotive and financial sectors, we see how the supply chain can be easily threatened.
2) Harness data analytics and use data in the planning process to structure audits that add real value – This relates to becoming more risk-focused, in that the proper use of data and analytics can focus audits on what is really important to the company. Even today, despite investments in technology designed to collect, extract and analyze data, many audits provide less value than they should. This is because they target things that pose little risk and therefore are not important to the organization.
3) Internal auditors and their organizations need to quickly adapt to new regulatory environments – During this last year, we have seen a flurry of new regulations announced or proposed in the banking, insurance, credit card and mortgage industries, to name just a few. A good example is the call for greater accountability for the hundreds of billions of dollars of TARP (Troubled Asset Relief Program) funds the U.S. federal government approved in 2008. We know the regulatory environment will continue to change as lawmakers and regulators try to address the economic downturn and financial scandals. Internal auditors must be prepared to address these changes.
4) Ensure that governance risk and compliance (GRC) is an integral part of the enterprise risk methodology – Organizations must elevate GRC to make sure it has a visible place with leadership as risks in total are assessed.
5) Think of smarter ways to use technology – Much of this relates to how we train and make internal auditors more technologically savvy.
6) Ensure strong internal controls are in place when downsizing is a reality – This includes creating proper segregation of duties where controls may be reduced due to layoffs and ensuring the organization invests in hard controls, which includes confirmation, attestation and validation against the key and emerging risks.
7) Move to continuous auditing – Continuous auditing enables auditors to closely evaluate key performance indicators and critical processes, allowing them to recognize issues as early as possible.
8) Strategize communications between internal audit and executive management, and between internal audit and the audit committee of the board – Because of financial and regulatory pressures, there will be a greater need to keep executive management and the audit committee aware of what is happening in a timely manner.
9) Make internal audit a more strategic part of the business – This means moving internal audit away from a “just compliance role” to helping the organization proactively build strategies that are well controlled.
10) Sustainability – Internal audit should help build an organization that has an exemplary level of timely and pertinent output and accountability for risk.
11) Internal auditors need to think and act more creatively – The challenge will be to take a step back from the corporate structure to ask if things make sense. The objective will be to return value to the organization – quantitatively and qualitatively – by getting away from metrics that really do not measure value, such as number of audit reports issued. Remember, the quality of reports and importance of what is audited matter more than number of audits performed.
12) Integrate fraud detection and prevention into internal audit strategies – PCAOB guidance and recent changes to The IIA Standards justifiably require that fraud risk be incorporated into our strategic thinking. Wherever that risk exists inherently or residually, auditors must test that key controls are functioning at an acceptable level.
13) Develop a strategy to recruit people from non-traditional areas, thus hiring people who know the business and have intellectual curiosity and appreciate proper controls – Bringing such people into the internal audit organization broadens the perspective of the department and injects energy and enthusiasm that might be missing.
Two other challenges, which were not raised during the panel discussion but came up as part of the conference, are also relevant to this article. The first was broached by Laura Hartman, Professor at the Institute for Business and Professional Ethics at DePaul University in Chicago. The second was raised by Glenn Sumners, CIA, CPA, CFE, DBA, Director of the Center for Internal Auditing at Louisiana State University.
14) Make sure ethics budgets are protected in difficult times – There is always a temptation to shrink such budgets during tough times. But as the numerous scandals that have come to light since the financial crisis began have shown – and as the reaction of lawmakers and regulators indicates – the public and their representatives are in no mood to stand for more breaches of the public trust.
15) Challenge the status quo – Audit must not be afraid to go against the grain and sometimes be a voice of reason and raise unpopular red flags, noting imbalances between risks and controls. This is particularly relevant to this era.
We can expect demands for more openness from the public and regulators in coming years. We can also expect a greater need for candor within organizations. This means internal auditors must have regular and honest communication with the audit committee. Good communication makes it easier to raise bad news as soon as issues arise and to go against the corporate grain, if needed, to challenge long-established practices and assumptions. This communication should start now with efforts to educate the audit committee of what to expect from lawmakers, regulators and the public and to set strategies to meet those expectations. This early effort will carry organizations a long way.