In an issue of The Bulletin three years ago, Protiviti introduced what we then called the “future auditor vision” to describe a chief audit executive (CAE) who is taking definitive steps toward making The Institute of Internal Auditors’ (IIA) vision of “an independent, objective assurance and consulting activity that adds value and improves an organisation’s operations” a reality. Last year, another issue of The Bulletin revisited the future auditor vision to corroborate its relevance against the increasing expectations of internal audit stakeholders as reported by the Global Internal Audit Common Body of Knowledge (CBOK) survey.
The IIA’s comprehensive definition of internal auditing frames this conversation. That definition states that internal audit should “[help] an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” In this issue of The Bulletin, we elaborate on the future auditor’s advancement of the relationship with the audit committee of the board of directors (or its equivalent) on three distinctive but interrelated fronts — risk, value and communications. Our thinking is derived from our various client experiences as well as from roundtables we have facilitated with seasoned CAEs. Of necessity, the interrelated nature of the three fronts gives rise to ideas that overlap to some extent.
The Focus on Risk
The future auditor views risk comprehensively through the lens provided by the organisation’s business objectives, strategy and operating model as a context for developing and executing a top-down, risk-based audit plan. The future auditor reaches beyond the traditional internal audit scope on operational, compliance and financial reporting matters in a variety of ways, as discussed below.
Thinks strategically. By identifying risks that create barriers to the organisation’s achieving its objectives, the future auditor takes the high road of applying a strong business context and strategic thinking when engaging key stakeholders. This approach directs attention to the risks that truly matter to executive management and directors. With the organisation’s strategy and business model as a context when proposing top-down, risk-based audit plans and evaluating risks and risk management capabilities, the future auditor can engage in high-end, high-touch activities such as facilitating management’s risk appetite dialogue, assessing the continued validity of strategic assumptions, and evaluating the organisation’s strategic alignment and progress toward executing the strategy.
Fosters early alert reporting. Alerting management of emerging risk issues is a high priority to the future auditor, whether through existing processes and systems supporting activities targeted in the audit plan or through mechanisms instituted by the audit team. Offering insights on changing environment, regulatory and risk scenarios is critical in these volatile times.
Considers the “unknown unknowns.” The reality of today’s environment is that management and the board can never be certain that they know everything they need to know. Risk assessments influenced by group think and overconfidence and dwelling on past trends and experiences rather than by a forward-looking process emphasising current and anticipated dynamics lead to rehashing proverbial “known knowns” on a risk map year after year. Shuffling known risks around on a map adds little insight for decision-making unless there are inherent challenges with managing them. Accordingly, the future auditor’s audit plan emphasises the identification of key issues of which management and directors may not be aware.
Focus on Risk
1. Think more strategically when analysing risk and framing top-down, risk-based audit plans.
2. Provide early warning on emerging risks.
3. Tell directors something they don’t know.
4. Watch for signs of deteriorating risk culture.
5. Strengthen the lines of defense that make risk management work.
6. Remain vigilant with respect to fraud.
In doing so, the future auditor undertakes a comprehensive risk focus. Therefore, consideration of issues affecting execution of the strategy is of paramount importance, e.g., changes to the company’s risk profile, assessment of how new technological trends are impacting the business model, evaluation of the enterprise’s ability to respond to the unexpected, and identification of significant non-financial reporting, operational and compliance issues.
Serves as the watch guard of risk culture. From time to time, the future auditor may use self-assessment techniques, internal surveys, focus groups and other techniques in addition to audit procedures (risk culture audits) to understand the current state of the entity’s risk culture, ascertain whether any significant gaps exist versus the desired culture, and identify specific steps to rectify those gaps. Gaps may arise from such matters as unusual risk taking, inappropriate compensation incentives, delays in remediating control deficiencies, effects of attrition and budget cuts on the control structure, evidence of eroding core values, and continued significant policy violations.
Strengthens lines of defense. The future auditor focuses on the performance of the primary risk owners and independent risk management and compliance functions in fulfilling their respective responsibilities as the first and second lines of defense. If necessary, the auditor provides effective challenge to these parties through observations and recommendations for improving their effectiveness in discharging their responsibilities. He/she also considers the effectiveness of escalation protocols in elevating significant issues to senior management and the board for timely resolution.
Maintains vigilance against fraud. The future auditor conducts periodic risk assessments and evaluations of the organisation’s anti-fraud and corruption program using data mining and analytics techniques applied to transactional data. These reviews enable the auditor to obtain insights into the operating effectiveness of internal controls and identify indicators or patterns signifying possible fraudulent activity requiring further investigation.
The focus on risk lies at the core of much of what internal audit is expected to do. Applying a risk lens to the formulation and execution of the audit plan and reporting on its results enable the future auditor to evaluate enterprise risk, engage in constructive interactions with key stakeholders and contribute to the risk topics of interest to the C-suite and board.
The Focus on Value
One could argue that internal audit adds value simply by discharging its responsibilities in a cost-effective manner. We have no quarrel with this view. However, the challenge to think strategically leads the future auditor to another opportunity — to think beyond the scope of the audit plan and deliver tangible value. The future auditor considers the implications of audit findings across the organisation with a business context that ensures the work of planning, executing and reporting on the audit plan is relevant to executive management and the board. There are a variety of ways the future auditor focuses on value.
Focus on Value
7. Look to the broader picture when considering enterprise-wide implications of audit findings, providing trend information and other insights.
8. Collaborate effectively with other independent functions focused on managing risk and compliance.
9. Leverage data analytics and technology-enabled auditing capabilities.
10. Improve the control structure, including the use of automated controls.
11. Advise on improving and streamlining compliance infrastructure.
12. Improve information for decision-making across the organisation.
13. Address the four C’s – culture, competitiveness (cost-effectiveness), compliance and cyber.
14. Focus on the audit committee’s responsibilities, as noted in the charter and authorised by the board.
15. Be ready for the question, “How has internal audit added value?”
Looks to the broader picture. In executing a top-down, risk-based audit plan, the future auditor looks beyond the scope inherent in the plan by “connecting the dots” of individual audit findings to identify patterns, insights, and emerging issues and trends that lead to stronger, more practical and harder-hitting observations and recommendations. Focusing on the bigger picture positions internal audit to maximise value, even in areas outside the scope of the audit plan.
Collaborates with other functions. The future auditor recognises the inefficiencies of multiple requests to process owners from multiple independent risk, compliance and assurance functions. Therefore, coordinating roles, responsibilities, and audit and oversight plans, as well as sharing risk information and available resources, represent best practise.
Leverages advanced auditing capabilities. In a digital world, the future auditor recognises the opportunity to embrace analytics if he/ she has yet to embark on that journey. The “analog” approach to auditing has little use in an increasingly digital world. Our recent research notes that data analytics is gaining a foothold in internal auditing, with two out of three departments utilising analytics as part of the audit process. However, most internal audit shops are still in their “analytics infancy” as a strong majority assert that their analytics capabilities are at the lower end of the maturity spectrum. Not surprisingly, the more mature analytics capabilities are, the greater value they’re perceived to deliver. In addition, the future auditor views technology-enabled auditing capabilities as a top priority. Such capabilities include data mining and analysis, self-assessment tools, continuous auditing/monitoring, customised dashboards, exception reporting, and computer-assisted audit tools (CAATs).
Evaluates the control structure. The future auditor considers the implications of change on the control structure. Our research notes that cybersecurity, cloud, mobile technology and big data are top-of-mind for many CAEs. These and other technology-related risks dominate the priority lists as business and digital transformation is drawing more attention across multiple sectors. In heavily regulated industries, there are opportunities to simplify, focus and automate controls to maximise cost-effectiveness while also providing reasonable assurance control objectives are achieved. Thus, the future auditor contributes value through:
- Benchmarking best practises and providing observations on industry risks and trends as well as input on designing and improving internal control.
- Talking beyond the symptoms identified in individual audits by offering a position on what the identified issues might mean from a governance, risk oversight or culture standpoint.
- Articulating impact of control issues in alternative ways (an assessment of potential velocity-to-impact, social media impressions and reputational impact, for example), if unable to quantify impact.
- Offering commentary on recent relevant events (e.g., ransomware attacks — has the organisation been impacted, what is our exposure, what are we doing to prevent them?).
- Automating ongoing controls monitoring to foster timelier, comprehensive continuous auditing.
Streamlines the compliance infrastructure. Due to proliferating operating silos, control ownership gaps and overlaps, fragmented and diffused reporting of risk and control data, conflicting stakeholder expectations, and a lack of entity-level transparency in how the compliance infrastructure is actually functioning, there are myriad opportunities for the future auditor to recommend ideas to make compliance more agile and efficient.
Improves information for decision-making. The best decisions emanate from reliable information. Accordingly, the future auditor takes every opportunity to understand the nature of the performance metrics, measures and monitoring systems used to manage specific areas under audit, including at the entity level, and assess the quality of that information and recommend improvements to enhance quality. In addition, to generate value-added insights, the future auditor may deploy analytics tools to create lead performance indicators and trending metrics to signal when risk events might be approaching or occurring.
Addresses the four C’s. The future auditor is well aware of the hot issues with which directors are concerned and aligns the top-down, risk-based audit plan accordingly. To that end, there are four areas that provide an excellent starting point for internal audit:
- Culture — As noted earlier, watch for signs of a deteriorating risk culture.
- Competitiveness — Armed with a strong business context, address the underpinnings of what makes the organisation competitive in the marketplace, particularly with respect to cost-effectiveness and efficiency issues.
- Compliance — Broaden the focus of the audit plan on important compliance matters and the quality of the related reporting.
- Cyber — Focus on the risks of major importance; cyber risk is at center stage for many companies at this time.
Focuses on the committee’s responsibilities. Topical areas germane to the auditing cycle — risk assessment, annual audit planning and coverage, reporting results, issue follow-up, and evaluation of internal audit resource requirements — should be aligned with the board’s agenda priorities and meeting frequency and be responsive to all topics in the committee charter that are relevant to internal audit’s scope. If the audit committee has risk oversight responsibilities, the future auditor is focused on the relevancy of the top-down, risk-based audit plan to the committee’s oversight priorities.
Prepares for the big question. Finally, the future auditor expects the question regarding how internal audit has added value and is prepared to respond. One idea on value: Always plan to incorporate an education piece in the audit committee package, such as an article, a few slides from a conference or a crisp, informative one-page summary of a particular opportunity or issue.
One added point: It is often helpful to understand the audit committee’s composition and various directors’ backgrounds, e.g., other board and management positions they hold and other companies they serve. The risks and external environment trends affecting those companies and the industries in which they operate present sources of questions the directors may raise. Directors with a “Big 4” background may receive their former employer’s thought leadership publications from which they source trends and topics for discussion with their peers on the board. Accordingly, it may make sense to stay current with that literature.
The above examples are intended to be illustrative in summarising ways the future auditor positions his/her function to contribute value. They are not intended to be exhaustive.
The Focus on Communications
According to the CBOK study, board members generally rate the quality and frequency of internal audit’s level of communication at a high level. For example, a strong majority of board members give high scores for the quality (83 percent) and frequency (81 percent) of internal audit’s communications. That’s a great foundation on which to build.6
In sustaining effective communications, the future auditor focuses on communications with the audit committee and the enterprise’s information for decision making. Below we discuss how.
Reports directly to the audit committee. The future auditor’s positioning within the organisation is vitally important to his or her delivery against elevating expectations. Access to senior management and the board, stature within the organisation, and effective escalation protocols have always been keys to positioning. CAE direct reporting to the audit committee is vital.
Interacts with directors outside of customary settings. The future auditor seeks opportunities to participate in board settings beyond the traditional audit committee meetings. What board settings are “relevant” in this context must be defined by directors to fit the organisation’s specific needs and may vary in different countries and regions due to different board structures, cultures and internal audit skillsets. For example, the CAE can:
- Proactively engage the audit committee chair, as necessary, throughout the year to deepen the relationship. Lunch or dinner once or twice a year, a standing monthly call, and inviting the chair (or the full committee) to meet the internal audit team in an informal setting are ways to facilitate engagement.
- Invite the chair to meet with the audit team and present his or her view of the company, current developments, the critical risks, the role of internal audit, and the audit committee’s oversight role.
- Seek opportunities to serve as a channel for knowledge and insight to the audit committee on hot topics.
- Be aware of the key responsibilities of the audit committee as set forth in the committee charter and offer input, when appropriate, to help the committee complete its annual responsibilities.
The point is that increased access to, and more frequent interaction with, the board broadens the CAE’s perspective and elevates the stature and visibility of internal audit.
Expands the emphasis on assurance. There are different sources of assurance available to the audit committee. Accordingly, the future auditor distinguishes and draws upon the sources of assurance provided by those who report to management and/or are part of management, those who report to the board (including internal audit), and those whose reports are directed to external stakeholders (e.g., the external auditor). Audit committees value being educated as to the available sources of assurance.
Focus on Communications
16. Report directly to the audit committee.
17. Interact with directors in relevant non-traditional board settings, as appropriate.
18. Expand the emphasis on assurance through effective communication with management and the board.
19. Prepare effectively for audit committee meetings.
20. Apply best practises to ensure effective presentations with the audit committee.
Applies best practises to maximise effectiveness of presentations. The future auditor gets to the point, focuses on what directors need and want to know, provides relevant results, and covers other matters if requested. He/she presents audit findings as if the responsible business owner were in the room (and, optimally, they would be). The public domain is replete with many ideas for effective presentations to directors; following are six of our favorites:
- Appearances are everything — Make pre-reads and presentation materials visually appealing and focused on the key takeaways.
- Tell the story — Summarise key messages and encourage discussion; synthesise data into key themes, observations and action items.
- Keep it short — Be concise and to the point; distill the message into an elevator pitch and be ready to comment on specifics if asked.
- Speak with authority — Look committee members in the eye, pause for questions but don’t linger, and speed up or slow down the presentation cadence based on director feedback.
- Respond to questions with direct responses — With respect to questions for which the answer isn’t known, take an action point to follow up to obtain the information; for questions that are or should be directed to management, pause to allow management to respond.
- Be a team player — If executive management wants to own a particular issue and bring it up to the audit committee, let them; as noted earlier, consider having business stakeholders join the meeting to co-present on the findings of a particular review (e.g., have the CIO or CISO co-present on the results of a cyber audit).
The experienced CAE knows that any board presentation may need to be curtailed due to time limitations. So be prepared for that.
Summary: Time to Raise the Bar
Because audit committees are different from organisation to organisation, not all of the above points may be relevant to a specific committee’s needs. However, we believe that the future auditor’s three-pronged focus on risk, value and communications applies to most any audit committee. As executive management and board expectations of the internal audit function continue to rise, progressive CAEs must adapt and continuously upgrade the capabilities of their functions to keep pace.
The 20 ideas presented above on how the future auditor considers risk, contributes value and maximises the effectiveness of communications represent definitive steps forward for any CAE. As noted in the beginning, our suggested focus on risk, value and communications of necessity overlaps. Accordingly, it is not surprising that some of the various ideas serve multiple purposes. While not intended to be all-inclusive, these 20 suggestions could be used to benchmark a CAE’s and internal audit function’s modus operandi. Any gaps should be carefully considered by the CAE as a potential enhancement opportunity.
We believe that CAEs who embrace the future auditor vision are better positioned to serve the needs of executive management and the board through their comprehensive risk-focus, forward-looking emphasis on value, and crisp, targeted communications. As progressive CAEs take the lead to up their game, they pave the way toward realising the internal audit profession’s full potential.