Achieving High Performance in Internal Audit: How valuable is internal audit to your organisation?

Achieving High Performance in Internal Audit: How valuable is internal audit to your organisation?

Achieving High Performance in Internal Audit

Organisations across the corporate, not-for-profit and government sectors are increasingly requiring all their internal functions to justify their contribution to the business in terms of the ‘value’ they deliver. This has caused a shift to performance measures based on impact and value, a reduction in ‘cost centres’ with an expectation that all organisational functions become ‘value centres’, and a requirement that reports and Board papers demonstrate value delivered.


Introduction

Over the past decade, the Institute of Internal Auditors-Australia (IIA-Australia) and Protiviti have published a series of research papers documenting key trends and issues facing the internal audit profession in Australia.

Our research has consistently shown that organisations expect internal auditors to ‘add value’ to the organisations they
serve. Yet, it is also clear from our research, that this expectation has not been consistently met by our profession
over the past decade.

In 2018, our research has focussed on identifying the most significant current challenges for internal audit practitioners
in adding value, and how senior leaders of the profession are managing them.

The pace of technology, industry disruption and changing social values all demand that today’s organisations keep up with new commercial realities and community expectations. Corporate culture is on every regulator’s radar. Unethical conduct can unravel the most powerful brand. And cybersecurity risk plagues every organisation with a database.

Organisations need advice and support to manage these pressing challenges. Internal audit plays a vital role in helping
organisations to survive, thrive and add corporate value in this precarious environment. But how mature and effective are its capabilities? 

This report explores these themes and is based on the findings of roundtable discussions held by the IIA-Australia and
Protiviti in March 2018. The roundtables brought together Chief Audit Executives (CAEs) and leaders from organisations
across a range of industries including services, technology, health, energy, professional services and government
and was designed to reveal how senior practitioners are approaching these contemporary challenges.

Executive Summary 

Major themes emerging from this year’s research:

  1. The internal audit profession has become so focussed on the management of process quality and risk protection that it has lost sight of a key objective of internal audit: to ‘add value’. While other C-suite executives are expected to demonstrate their return on investment, internal auditors are typically not held accountable to the same extent. To be trusted advisors to the C-suite and business leaders, internal auditors must balance their focus on risk, compliance and assurance with value-generating activities that support business efficiency and performance. There is a need to measure value and effectiveness (not just satisfaction) to prove the value and meet the accountability obligation.
  2. It is clear the profession, and organisations more generally, need to lift capability and innovation in providing assurance around culture.The pervasiveness of culture to effective organisations is forcing internal auditors to consider how assurance or advice is provided around culture. It is being discussed in Boardroom and by regulators around the country as a major source of risk. Yet few auditors have undertaken audit activity around their organisation culture. APRA is driving organisations in the financial services sector to do work in this area, however the financial services CAEs in our research noted that its work in this space was challenging. The greatest challenge will be actually influencing the culture of an organisation – this will require deep insights and effective collaboration with the business leadership. There is no denying however that this must be an area of consideration for any audit program.
  3. In a highly disruptive environment, internal auditors are struggling to keep up, have a view, and be heard on strategic issues of responding to disruption. The tangible threat of disruption to organisational performance and value has heightened the importance for business leaders and internal auditors alike, to stay relevant in a fast-moving business environment. Understanding business needs and ensuring internal audit has the skills and knowledge to grasp commercial issues and anticipate disruptive trends are key strategies to stay ahead of the curve. CAEs are seeking to achieve this by cultivating stronger relationships with the business and improving business acumen through internal audit rotation programs or collaborative audits and seeking in-demand skills for the internal audit team. However, Internal Auditors are struggling to keep up, have a view, and be heard. 
  4. Cybersecurity auditing features in many audit programs, but there are questions of its effectiveness. Cybersecurity risk assurance continues to be a strong focus for internal audit. CAEs have an increased level of confidence their audit coverage of cybersecurity is appropriate for the organisation’s risk. However, the continuing occurrence of cyber-security breaches raises a question of effectiveness of that audit activity – auditors are struggling to keep up with the threat vectors which are continually changing. CAEs note the lack of IT-skilled directors on boards as a significant challenge for IT oversight.
  5. Auditors need to be innovative in accessing the right technical skills for audits to add value. Access to technical and specialist skills has become a routine challenge for CAEs as businesses become more complex and specialised. Internal audit teams are responding with creative strategies such as ‘joint venturing’ audits with business units and implementing rotation programs to ensure the right technical expertise is at hand.
  6. Leading internal audit teams are adopting ‘agile’ work practices and innovative audit approaches and reporting mechanisms in a quest to improve audit efficiency and audit value. Practices such as continuous monitoring, daily stand-up meetings, flattening team hierarchies and collaborative solution development have been found by some audit functions to reduce audit turnaround times by up to 30 percent. Business leaders consider the benefits from more timely assurance and advice to be more valuable than the exclusive delivery of ‘traditional’ internal audits.
    CAEs are seeking to demonstrate the value of internal audit by building capabilities in data analytics and insightful visual reporting as well as providing advisory services such as root cause analyses that allow the business to identify and remediate critical issues.

Auditing for value

Organisations across the corporate, not-for-profit and government sectors are increasingly requiring all their internal functions to justify their contribution to the business in terms of the ‘value’ they deliver. This has caused a shift to performance measures based on impact and value, a reduction in ‘cost centres’ with an expectation that all organisational functions become ‘value centres’, and a requirement that reports and Board papers demonstrate value delivered.

However, internal audit is typically not held to this standard. Our profession is continuing to deliver audit reports, identify controls and provide contested advice, but the measures by which most internal audit functions are held to account are not value-driven. Over time, this may alienate the Chief Audit Executive amongst their peers.

Today, a growing number of leading organisations are demanding a return on their investment in internal audit. Leading internal audit functions are now developing performance measures tied to ‘value’. To be successful in this environment, internal audit must split its focus between improved management of risk as a source of value, and activities that improve performance and efficiency of the business. Each on its own is considered myopic – but together they provide a balanced lens to the business which senior executives and leaders see as valuable.

CAEs maintain that the over-riding question is how internal audit can stay relevant in a fast moving business environment. Some solutions include:

  • Understanding what internal audit’s stakeholders want and value, and obtaining the capabilities to meet their needs
  • Rotating capable people from the business into the internal audit function. This ensures that internal audit is valuable and in touch with commercial realities. This approach has been particularly successful in bigger organisations with larger internal audit teams and where there is genuine senior executive sponsorship of the rotation program. One CAE suggested that internal audit can endeavour to ‘sell’ the value of a rotation program to executives and the rest of the business by positioning the function as an incubator for future leaders.
  • To be effective, the next generation of executives need to understand risk, culture and governance and internal audit can be an important training ground for these skills.

Auditing the ‘hot button’ issues

In 2018, the bar continues to rise on corporate integrity. Regulators are intensifying their scrutiny of organisational culture in a bid to reduce corporate misconduct. Meanwhile, reports of senior executives pursuing inappropriate relationships with staff have tainted the reputations of organisations that are otherwise household names. Technology risk is also escalating as businesses struggle with the ramifications of progress and the outcry from data security breaches.

Business leaders and CAEs alike are grappling with how best to manage these hot button issues. The roundtables explored the diverse strategies CAEs are using to manage these risks.

CULTURE

All CAEs participating in the roundtables accept that a positive culture is critical to foster the kind of values and behaviours that enable the organisation to achieve its goals, generate value and avoid damaging risks. All agreed that ‘culture’ must therefore be an important focus for internal audit.

Organisations that have yet to introduce culture audits reported the following as their key obstacles:

  • Resistance from the business. For instance, contentions from the human resources department that internal audit was encroaching on their engagement surveys
  • Lack of capability or methodology for auditing culture
  • Insufficient foundational work done on culture-setting. Some CAEs noted that their organisations had yet to articulate their desired culture or design the framework to achieve it.

However, the majority of CAEs reported that their organisations were generally receptive to the idea of culture audits.
Suggested approaches to promote positive engagement from the business included:

  • Implementing a gentle transition process where concepts related to culture are gradually introduced into audit reporting. This may include reporting on the quality of communication and awareness of key risks. These indicators would then roll up into a more formal opinion about whether expectations are being met, with education and training recommended where shortcomings are identified 
  • Framing the culture review as a vital risk management and value-generating tool in order to obtain executive support and buy-in. 

INAPPROPRIATE BEHAVIOUR FROM EXECUTIVES

In recent years, some organisations have attracted negative publicity and public outrage from allegations that their ‘star
performers’ or senior executives have over-stepped professional boundaries by sexually harassing or pursuing inappropriate personal relationships with staff or associates. Such scandals can damage the reputations of timehonoured organisations in an instant. What then, is internal audit’s role in monitoring staff behaviour?

CAEs maintain that it is first and foremost, management’s responsibility to set standards for staff behaviour in
the workplace. Nonetheless, they agree that once those policies are established, internal audit has a role in auditing staff
awareness of and adherence to codes of conduct and conflicts of interest. Internal audit should also assess whether staff
know what to do when they encounter misconduct in the workplace. This should extend to investigating whether existing reporting and whistleblowing processes are sufficiently robust and independent to safeguard the organisation’s integrity.

CYBERSECURITY

Cybersecurity risk has been a priority issue for internal auditors for many years now. Awareness of cyber threats is high and over the years, many organisations have taken steps to protect themselves from data breaches. Consequently, while the threat of breaches remains very high, it is equally true that the levels of assurance companies have implemented to control this risk are also higher than ever. All CAEs participating in the roundtables felt confident that their audit coverage of cybersecurity was appropriate for their organisation’s level of risk. However, it was acknowledged that making the judgement of whether risk and assurance were correctly matched, was challenging.

CAEs also noted that IT audit skills are becoming highly specialised. As a result, many CAEs routinely resort to outsourcing specialist IT audits. However, an ongoing challenge in the area of IT oversight is the lack of IT skills on boards. CAEs emphasised that the issue was becoming critical and that boards must act sooner rather than later to appoint more directors with strong IT skills.

DISRUPTION

Disruption can mean the death of a business or the dawning of a greenfield opportunity. Whatever its impact, there is no doubt that today’s CAEs must have disruptive influences firmly on their radar. The CAEs we consulted noted that if the disruptive source carries a financial risk, internal audit should examine its impact through scenario testing to ensure it is adequately controlled. The vulnerability of the organisation to the risk in question will also affect the priority given to the audit.

While internal audit clearly has a responsibility to keep up to date, several CAEs noted that non-executive directors too must ensure they bring a robust external perspective and relevant industry knowledge to bear when setting audit plans. In fact, the CAEs we consulted stated that they would like their audit committees to be more probing and challenging and to provide more input into developing and identifying gaps in audit plans.

Contemporary challenges for IA functions

SKILL SHORTAGES

Managing skill shortages is a fact of life for today’s CAEs. As businesses grow in complexity and specialisation, it is an
ongoing challenge to ensure internal audit teams have the technical capabilities to cover new subjects as they emerge.

To fill skill gaps, CAEs are continuing to turn to traditional outsource or co-source arrangements using professional service firms and consultants. The CAEs report that in the current environment, their businesses are generally supportive of bringing in external expertise as a source of valuable advice.

Some CAEs have resorted to hiring specialist staff with the required technical expertise and training them up in internal
audit. The consensus was that ‘retrofitting’ a technical expert with audit skills is far simpler than teaching internal
auditors complex technical skills. As one CAE put it, ‘it’s far easier to teach a network engineer how to audit than
to teach an internal auditor network engineering’.

Despite this, several CAEs report a preference for rotating subject matter specialists from the broader business into
the internal audit team. One CAE stated that 60 per cent of her team comprises staff from other parts of the business. The benefits of this solution lie in promoting business engagement with internal audit, while simultaneously improving the value, insights and service internal audit delivers to the organisation.

There is also a trend for CAEs to collaborate with the business on specialised audits. On this model, the business supplies the technical expert while the internal audit team contributes its knowledge of control and assurance to jointly develop a reasonable approach to the audit.

FUNDING

Many CAEs reported an increase in funding for their function this year, citing an escalation of regulatory change
in their industry and rising volumes of work as the most common drivers. Those whose funding decreased considered the fall to be a reflection of the business’ risk appetite and its desired level of assurance, a perception of lack of value being delivered, as well as a broader commercial imperative to ‘cut costs’. While other participants reported no change to their budget, nevertheless, internal audit was still being expected to ‘deliver more value’.

FINDING EFFICIENCIES

A common challenge for CAEs is the pressure to ‘do more with less’. CAEs noted that the organisation can reduce its emphasis on internal audit by ensuring the threelines of defence model is working well. Equally, if assurance is centrally coordinated and integrated so that the organisation has a comprehensive view of who is providing assurance over which parts of the business, this can reduce duplication and the risk of ineffective audits. However, participants noted that in the real world, particularly in larger organisations, this does not always occur.

Many CAEs are also embracing new, more agile ways of working which have proven successful. These include shifting to continuous monitoring, holding daily ‘check-in’ meetings with stakeholders to promote faster fact-finding and audit reporting, and continuous report writing.

The more innovative internal audit teams are going further by trialling the concept of ‘agile audits’ with great success. One CAE explained that to embrace agility, the team needed to revolutionise their way of thinking and working. They
adopted an 80:20 mindset in relation to audits, allowing them to stop when they felt they had done enough, and
importantly, reserving the freedom to shift their focus quickly if needed. They retired the traditional ’12-month
audit plan’ in favour of taking a more responsive ‘macro’ view. They freed up communication with stakeholders by
holding daily ‘stand-up’ meetings to agree facts and provide updates. They also ‘right-sized’ the audit team by removing work hierarchies and ensuring the ‘right’ person is on the task regardless of their seniority. In addition, audit reports are now written in a room together rather than by isolated individuals each having to clear multiple time-consuming levels
of review.

It was estimated by the CAE of this organisation, that the adoption of agile practices has reduced audit turnaround
times by 30 per cent. Given these significant advantages, it would be worthwhile for internal audit teams to consider how to incorporate agile practices into their working routine.

ADVISORY VS ASSURANCE

CAEs continue to aspire to be trusted advisers to the business and senior executives. To achieve this, it was agreed
that good stakeholder engagement is vital. That is, internal audit must identify what business leaders value,
and have the capabilities to deliver to their expectations.

Demonstrating the value from internal audit to the business is also important. Some CAEs report success from using
data analytics and effective dashboards to provide the business with useful real-time insights into performance and trends, to enable better business decisions.

Several CAEs are also endeavouring to push the boundaries of their advisory role, by deploying internal audit teams
to investigate further the root cause of problems through retrospective audits, thereby helping the business to identify solutions and create value when opportunities come to light. However, it was considered that approach generally works best where the internal audit team possesses solid frontline skills and knowledge acquired by working with business line staff through rotation programs.

While internal audit’s advisory role may be making a comeback, CAEs also caution against losing sight of bread and butter assurance responsibilities in their quest for recognition from the C-suite.

Opportunities and priorities for the year ahead

When asked to name their single greatest priority for the coming year, the CAEs’ responses reflected four main themes:

ENHANCING THE VALUE OF INTERNAL AUDIT

CAEs will be employing a range of strategies to demonstrate the value of internal audit to the business. These include upskilling the team in sought-after technical areas, increasing their relevance through improved data and dashboard reporting, and expanding internal audit’s advisory function into areas such as root cause analysis. The goal of being seen as a trusted and independent advisor remains as strong as ever.

SKILLS DEVELOPMENT

CAEs will be seeking to develop the skills of their internal audit teams through training, recruitment and rotation programs. Specifically, there will be a strong emphasis on building data analytics capabilities.

IMPROVING EFFICIENCY AND AGILITY

Making things ‘faster, easier and better’ is a mantra for many CAEs. Many will be trialling and adopting leaner, more agile audit practices as well as introducing more automated processes in order to answer the call for quicker delivery of quality audits and a range of service offerings.

PUTTING ‘CULTURE’ ON THE AGENDA

All CAEs recognise the important link between culture and risk management. As a result, many will be renewing their
efforts to include culture reviews on the audit agenda in the coming year.


FURTHER INFORMATION

The “Achieving High Performance in Internal Audit” study aims to capture developments and trends in the internal audit profession. The report is available on our websites: www.iia.org.au and www.protiviti.com.au.

 

'Achieving High Performance in Internal Audit' report is available on www.iia.org.au and www.protiviti.com.au

 

Download

Previous Editions

 

Ready to work with us?

Mark Harrison
Mark Harrison
Managing Director
+61.408.661.325
Linked