Building a More Secure Structure, Brick by Brick, at Under Armour
Company Headquarters — United States
Number of Countries Operates in — 20+
Number of Employees in Company — 7,800
Industry — Apparel
Annual Revenues — US$2.33 billion (as of dec. 31, 2013)
Number in IA Function — 6
Number of Years IA Function Has Been in Place — 8
IA Director/CAE Reports to — Chair of the Audit Committee of the Board of Directors
“ We wanted to build an internal audit partner for the business, not a check-the-box function. Here we are eight years later, and we feel we have done exactly that.”
- Jonathan Schwartz
Under Armour, the U.S.-based company specializing in the development, marketing and distribution of branded performance apparel, footwear and accessories, has a mission: Make all athletes better through passion, design, and the relentless pursuit of innovation. Elysa Lipsky, the director of internal audit for Under Armour, and Jonathan Schwartz, the senior director of risk management, also have a mission – to help the company enact positive change.
Internal audit at Under Armour operates within the risk management function, and is staffed by six full-time auditors, including Lipsky. The internal audit team seeks to add value to the company by completing the global internal audit plan, helping management comply with Sarbanes-Oxley, and acting as a business partner on key initiatives.
From 2004 to 2013, Under Armour grew from fewer than 400 employees to nearly 8,000 and from US$204 million to US$2.33 billion in revenue. The company continues to expand globally and evolve its product offerings and channels of distribution.
“When the internal audit function was created in 2005 at Under Armour, the company was preparing to go public in November of that year,” Lipsky says. “We were here to establish Sarbanes-Oxley and a baseline control environment. At the time, we co-sourced with a leading global accounting and consulting firm to supplement our limited resources. Fast-forward a decade, and now we’re self-sufficient and in full partnership with the business. It’s a total transformation from a SOX-compliance function to a full scope internal audit business partnership,” Lipsky says. Schwartz adds, “We’ve come full circle and are now determining a longer-term strategy to help us increase our global reach, matching that of our business and operations.”
Over the past 10 years, audit leaders’ skill sets have changed, too, from traditional controls testing to more strategic auditing and risk management rooted in a comprehensive understanding of the business. “Today, our auditors have to know what to look for – it’s a broad-based endeavor,” Lipsky says.
Sheer growth led to better skills
According to Schwartz, sheer growth led Under Armour to leverage the internal audit department as a primary strategic resource. “We had to cover more ground, and we had to learn the business,” he says. “As the business pulled us into more significant projects, we were given the chance to really showcase our skill sets. This led to even more demand on our time and resources. The result of these efforts is that we have raised our visibility in the organization.”
“I think that in many organizations this type of internal audit visibility and partnership is limited,” Schwartz adds. “It’s likely not a lack of skills, but a lack of marketing within the organization. Partnership with the business is hard-fought. It takes time to build internal audit’s stature within the organization, but it’s something you have to be committed to doing, project by project. Virtually every communication between the internal audit team and the business either builds partnership or detracts from it. We live by this rule and always try to add value, even in small ways,” he says.
“You are either a traditional ‘gotcha’ auditor or you are not,” Lipsky continues. “For us, adding value has happened organically. When we started building our annual audit plan in the beginning of each year, we would meet with the business unit owners and describe the audits we completed the previous year for them and for other parts of the business. As those discussions took place, we showed the value we can add and the relationships we’ve built. We started asking, ‘If you had resources to perform a project for your part of the business, what would it be?’ The answers generally shed light on risks in their operations and opportunities for us to showcase our skill sets to solve their problems, not just manage organizational risks. If you want to build partnerships with the business, you have to make your work relevant to the business leader. The best way to do that is to help solve their problems and make their operations stronger.”
“It has been a hard-fought victory over the last decade,” Schwartz says. But it took time. We had to show the business the value we bring, every day. Under Armour continues to grow globally at a rapid pace. There is no ‘halo effect’ from work we’ve done the past eight years. We continue to be challenged to understand the changing risks of our growing business so we can add value for our business leaders.”
Building a safe house and better skills
Lipsky and Schwartz use the metaphor of securing a house: When you build a new house it is important to install a security system. Rather than the reactive approach of installing a security system after a crime has occurred, it’s smarter to consult a professional who has the insight to build the security structure into the house from the beginning.
Today, the fact that the business units at Under Armour call the internal audit function before they experience problems shows that they understand the true value of the function. “It takes a lot of work to build that level of trust,” Schwartz says.
“The internal audit profession has to continue driving the development of necessary skill sets in its internal auditors,” says Lipsky. “There is a need to understand the things that impact our profession, such as increased levels of PCAOB (Public Company Accounting Oversight Board) scrutiny on external auditors, high-profile retail fraud cases, and the changing regulatory environment in the global markets. Not a board meeting goes by that data security and data privacy are not topics. Internal audit has to develop points of view on many topics of concern for the board. Our internal audit team steps up to meet this evolving challenge.”
Integrating risk management
Schwartz plays an approximate chief risk officer role for Under Armour, with internal audit, risk management and compliance under the risk umbrella. He also functions as the ethics officer and leads the global insurance group. “I have a hybrid role,” he says. “Internal audit’s independence is fiercely protected under this structure. But the integration of all the risk management functions, including internal audit, provides a broad view of risk.”
“We wouldn’t be a risk function if we didn’t try to implement ERM (enterprise risk management). We’ve taken our lumps like many other risk organizations,” he says. “We tried to launch ERM three years ago, and the company was not ready for it – it was too theoretical, not practical enough. It wasn’t linked to the strategy process, so risks didn’t have enough meaning. Now, we are doing it organically. We are building our infrastructure and our approach to ERM brick by brick, right alongside the strategy team.”
Integrating and formalizing risk management into the audit plan and audit processes have not changed the role of internal audit at Under Armour, but they do begin to tie together all the company’s risk management components. “Internal audit is stronger and more focused by having its connection to the other risk functions,” Schwartz says.
In terms of creating synergies with external auditors and senior management, Lipsky says, “You have to be realistic, and you have to be honest. Things are never going to be perfect. As our founder and chief executive officer, Kevin Plank, says: ‘Perfection is the enemy of innovation.’ We focus on understanding key risks and prioritizing our efforts.”
Under Armour, like many businesses, operates in fast-changing regulatory environments. In the coming decade, internal auditors will be required to understand new risks and controls, and not just at a superficial level. Auditors will have to focus on specific risks that, if the company is ill-prepared, will seem to crop up overnight. “It’s going to be more specialized because of the increasing speed and scrutiny,” says Lipsky. “This could drive more industry-specific, or even geography-specific, auditors and certifications.”
Schwartz adds, “We are a digital company now. Every company is. This new digital environment ushers in emerging risks, such as those associated with social media and the immediate impact on reputation and brand. Internal audit at Under Armour plays a role in social media, e-commerce and cloud computing. This reality significantly changes the way we look at operations and risks in general. We have to be flexible, keep open lines of communication with our business leaders, and develop relationships with third parties to gain expertise in those areas.”
Lipsky would like to see more universities embrace the internal audit profession. “All The IIA chapters have academic relationships,” she says. “I participate on the Board of Governors for the Baltimore chapter. I would like to see the internal audit profession connect more with business schools to include undergraduate courses in internal audit and risk management. Internal auditing is a good profession – challenging and rewarding. We should get the word out.”