Staying Ahead of the Digital Curve at Delta
Company Headquarters — United States
Number of Employees in Company — Approximately 80,000
Industry — Airline
Annual Revenues — US$40.7 billion (as of Dec. 31, 2015)
Number in IA Function — 19, plus co-sourcing
Number of Years IA Function Has Been in Place — 7 for post-merger team
IA Director/CAE Reports to — Audit Committee Chairman
“ Some people complain about Gen Y, Gen X and millennials, but I have had great experiences with professionals from these demographic groups. I am in awe of how hard they work, how effective they can be and how smart they are.”
- Kiko Harvey, Vice President of Corporate Audit and Enterprise Risk Management
Delta Air Lines has enjoyed a groundswell of popularity in recent years, which has helped the carrier earn a spot on many sought-after lists. In 2016, for example, Delta was named to Fortune’s top 50 Most Admired Companies list, and was voted the most admired airline by Fortune for the fifth time in six years. Delta has also ranked number one in the Business Travel News Annual Airline Survey for five consecutive years.
With its global network, Delta provides service to 324 destinations in 58 countries on six continents. From its headquarters in Atlanta, Georgia, the airline employs 80,000 people and serves 180 million customers annually.
Kiko Harvey has been the vice president of corporate audit and enterprise risk management (ERM) at Delta since March 2009. The corporate audit team is centralized, but global in scope, and focuses attention on Delta’s major business areas: commercial sales, cargo operations, alliances and joint ventures, airport customer service, fleet, flight operations, in-flight services, fuel operations, real estate and construction, technical operations, regional jet operations, marketing, international operations, and subsidiaries such as a private jet business, global staffing service, and a vacation travel service.
The corporate audit team consists of 19 full-time auditors who receive additional co-sourced support from an internal audit service provider. The team’s goals are varied. In the short term, the auditors are focused on completing the team’s risk-based audit plan. Long term, they are focused on technology changes and emerging risks within the global business environment. “We oversee ERM for Delta,” Harvey says. “We align our audit plan with the work that we do for ERM. Our most important goal overall is to add value in every way we can through meaningful recommendations achieved through practical and thoughtful audit work.”
Starting an Audit Group From the Ground Up
Harvey brought a previously outsourced audit team in-house when she joined Delta shortly after Delta’s merger with Northwest Airlines. This was not the first time she had formed an audit team. In 2001, Harvey started Starbucks Corporation’s first internal audit function, which was up and running in less than four months.
At Delta, the team was fully staffed within six months with the former outsourced service provider delivering additional support. She says the goal of the function from the outset was “never to fall into the role of being the company cop – but rather, to add value as a strategic business partner.”
Today, seven years after the department was established, Harvey says that corporate audit has become a sought-after group of advisers within Delta. “Delta businesses ask us to look into a variety of issues, from auditing agreements with international joint ventures to performing data analytics across large data sets,” she says.
According to Harvey, Delta’s culture focuses on compliance, and the corporate audit team helps the company to maintain the culture. “When we point out areas that need improvement, we receive support and follow-through from our leaders,” she says. “We are never ignored. We work collaboratively with leadership and across business units to solve problems and strengthen controls. They want us to have the resources we need to do our jobs well.”
In addition to maintaining a compliance focus, Delta is also highly control-conscious. “Management’s role is to identify the steps to take and controls to implement to address risks. Our role is to tell management if the controls they have outlined are effective and operating as designed,” Harvey says. “We perform that assurance.”
It’s this level of interaction between corporate audit and management that has facilitated Harvey’s success in creating an effective audit team. “When I go to conferences and hear other chief audit executives (CAEs) talking about their organizations, I realize that some do not have the kind of open and regular communication that I have with my leadership team,” she says.
Harvey continues, “For example, I’ve learned that some CAEs do not have regular conversations with their audit committee chair outside of the audit committee meeting. But it’s so important to establish a one-on-one relationship with the chair, since they are your boss. You need to know what is important to them and use their input to shape your audit approach. It worries me that some organizations are not making sure that’s happening.”
Digital at Delta
As a company, Delta tries to be ahead of the technology curve. “We have been proactive along several technology streams within the airline industry,” Harvey says. “Our flight attendants use smartphones to facilitate in-flight purchases by passengers, so we have to ensure mobile data security related to credit card transactions while in flight. We have to look at how we issue the smartphones, how we decommission them, and how we can wipe them of the content if they’re lost. Those types of concerns are all new – smartphones onboard was not really a consideration in 2009.”
A host of digital tools have been added to the airline’s operations in the past several years, according to Harvey. “Pilots now carry electronic flight bags rather than heavy suitcases filled with paper, and electronically enabled aircraft rely on wireless connections for downloading flight plans,” she says. “There are many areas of modernization in all aspects of this industry, and all have some element of risk. Risks can be controlled – if the risks are known and planned for.”
Harvey adds, “One of the biggest risks today is employee awareness related to cybersecurity. Employees can infect their device – and our devices – by simply clicking on a link in an external email and infecting the device with malware. There are more exposure points today than in years past. When attackers cannot get into your system because of the strength of your firewalls, they target human behavior to get in. It’s important to continually train and test your employees to raise awareness and to prevent these doors from opening.”
Harvey cites two key benefits to using technology to enhance corporate audit’s work. “The first benefit is that we are more efficient in our work streams – and the ability to be mobile, working and collaborating, regardless of location, is a big part of that efficiency,” she says. “The second benefit is that we are better communicators. For example, using data visualization software means we can create visually rich, easy to understand testing approaches that highlight transaction outliers and unexpected patterns. Once our audits are complete, we can export these tools to the business units for their use. This helps us create an environment of continuous monitoring at Delta – empowering our employees through technology.”
Data Security: Technology Is Everywhere
As an airline, Delta takes concerns about all forms of security very seriously. To this end, the corporate audit team has a strong partnership with the cybersecurity group at Delta. “There are many layers of risk related to cybersecurity,” Harvey says. “We start with a risk assessment. We look at policies and procedures, access points, and governance. Our cybersecurity team then performs monitoring and scans on a variety of processes and data streams, and we independently do the same as part of our audit plan.”
Harvey believes that it is corporate audit’s task to figure out where they fit into the cybersecurity landscape. “Do we check the checkers to see if they are performing?” Harvey asks. “Or do we rely on the checkers and just review their results? There has been a significant amount of coordination between corporate audit and the cybersecurity team to date, but we are still evolving our relationship.”
Corporate audit, corporate compliance and cybersecurity recently jointly hosted a “Cyber Summit” with the help of industry experts, which included representatives from operations, legal, IT, compliance, corporate security, technical operations and maintenance. They reviewed cloud security, heard from former FBI and TSA leaders on cybersecurity risks, data privacy, third-party risk, insider threats, and cyber-resiliency in case of attack. “It was an excellent summit and fostered additional cross-functional communication,” she says. “The feedback was very positive.”
It’s Harvey’s belief that since technology is everywhere, it’s everyone’s job to be aware of how to use it and to recognize risks. “We ask people throughout the organization to think about potential risks and be proactive about them,” she explains. “We don’t want people to wait for an audit to find out what to do in the face of a threat – we want them to be prepared.”
Next Generation of Critical Thinkers
Harvey says she is pleased with the professionals Delta is bringing into the organization. “Some people complain about Gen Y, Gen X and millennials, but I have had great experiences with professionals from these demographic groups,” she says. “I am in awe of how hard they work, how effective they can be and how smart they are. I think they tend to embrace change well, and they work quickly and understand data. In fact, they seem to have a natural tendency to look at and not be swayed by large amounts of data. They are critical thinkers.”
“The only criticism – and this is not a criticism I have with my team, but I watch out for it with less-experienced people – is that they can be very trusting. They need to remember to verify that something is true,” Harvey says. “I always ask the question: How do you know? Auditors have to examine, and re-examine, their results. They cannot accept things at face value. The advice I give to auditors is ‘don’t audit by conversation.’”