Booz Allen Hamilton Internal Audit: Value-Adding Partners from the Beginning
Company Headquarters — United States
Number of Countries Operates in — 17
Number of Employees in Company — 23,000
Industry — Management and Technology Consulting Services
Annual Revenues — US$5.8 billion (as of March 31, 2013)
Number in IA Function — 13
Number of Years IA Function Has Been in Place — 5
IA Director/CAE Reports to — Audit Committee and Chief Financial Officer
“There should not be a timeline for adding value – you need to be adding value all the time.”
- Sandra Masino
Sandra Masino is the recently appointed director of internal audit of Booz Allen Hamilton Holding Corporation (NYSE: BAH), the parent company of the strategy and technology consulting firm that provides management consulting, technology, and engineering services to the U.S. government in defense, intelligence and civil markets, and to major corporations, institutions and not-for-profits. Masino oversees a team of 13 full-time auditors, supplemented by external contract providers. She reports to the audit committee and the company’s chief financial officer.
The mission of the internal audit team is to provide independent objective assurance and consulting for Booz Allen Hamilton (Booz Allen), while adding value and capturing opportunities for improvement through effective risk management and governance.
In the current Booz Allen corporate structure, the internal audit function is only five years old. In 2008, Booz Allen Hamilton Inc. spun off its old commercial consulting business as a separate company, and Booz Allen Hamilton Holding Corporation was formed as the successor to Booz Allen’s much larger government consulting business. The commercial business retained most of the legacy internal audit group; Booz Allen Hamilton Holding Corporation (Masino’s company), now a FORTUNE 500 public company, had to build its own.
“The last five years have been focused on a shorter-term goal of setting up an internal audit function for Booz Allen,” Masino says. “First, we focused on Sarbanes-Oxley compliance because we wanted to become a public entity. That goal – along with executing our audit plan and achieving IIA compliance – has been our focus. We have come a long way in those five years.”
Now that the function is operating as planned, Masino intends to balance Sarbanes-Oxley work with other areas of audit focus and reviews. “The company is launching an ERM (enterprise risk management) program, and we have purchased a risk compliance tool that we are implementing,” she says. “We also want to advance our auditing technique by using more sophisticated measures such as data mining and continuous auditing. All of this adds up to significant change in the past several years, for our company and our internal audit group.”
During the past few years, the fundamental internal audit skill set needs have not changed. “What has shifted is the pace and expertise required in our work,” Masino says. “So I think it’s critical to have co-sourcing outside partners. Given the level of expertise and rapid deployment needed, it’s simply not cost-effective to fully staff for every situation. We have a core audit team, but we reach out to external resources when we need them. I think that’s happening more and more across industries in the overall execution of internal audit. Internal audit leaders have had to recognize that and tap into the right relationships. Success in internal audit today requires savvy management and a flexible approach.”
Always adding value
When the focus of Booz Allen’s internal audit expanded over the past few years, beyond Sarbanes-Oxley, it touched on the core values of the company, such as ethics and compliance. “We are seen as the experts in process and controls,” Masino says. “In terms of adding value, we have felt valued and part of the management team from the beginning. Culturally that understanding has always been in place. Whereas other companies look at internal audit as a police force, that was never the case here.
“I think companies miss that opportunity when they do not tie the internal audit work to the organization’s top-tier ERM concerns and mitigation opportunities – focusing on those issues that are keeping management awake at night,” she adds.
The ability to stay plugged in to management issues is largely dependent on where the internal audit function is in this growth spectrum. For Masino and her team, getting plugged in meant first getting the company SOX-compliant, setting up the function, and conducting client satisfaction surveys to analyze and improve performance. Along the way, the audit work itself was becoming more and more value-adding. “The point is, there should not be a timeline for adding value,” she says. “You need to be adding value all the time.”
Now, as a strategic resource for Booz Allen, the internal audit team is able to enter into selected transactions early in their life cycle to build control insights into the process. “When we get pulled into strategic discussions, or into larger-impact audits, we can leverage our past experience, tools, methodologies and risk language,” Masino says. “In doing this, we can guide these strategic initiatives to proactively build in strong controls.”
Trends with impact
Trends important to Masino and her team include those that broaden the concept of control beyond being strictly the purview of the internal audit function – such as the codification and publication of guidelines related to ERM and governance, risk and compliance (GRC). “These guidelines and concepts put forth that risk management is everyone’s job,” Masino says. “They have changed the expectation of what internal audit is doing.” This does not mean lessening the requirements of internal audit, but rather making it clear that everyone owns risk management.
“This also means that we have to be aware of business challenges and change,” she adds. “Proactive involvement in key governance committees and routine touchpoints, particularly with senior management, are important.”
Technology, good and bad
While it is inarguable that technology has had a significant impact on the internal audit profession over the past 10 years, Masino believes that there has been both an upside and a downside to the inroads it has made. “The positive aspect is the advancement of electronic mediums, for example, the ability to apply more real-time and robust audit tests, the evolution of work paper creation tools, and the development of more sophisticated information sharing. Connecting across geographies, increasing efficiencies – this creates opportunities for us.”
On the more challenging side, the fast-paced nature of technology creates risk, particularly in reputation. The advancement of social media means the impact on a company’s reputation can be quick, negative and widespread. The Booz Allen audit plan is constantly reevaluating the company’s focus on these types of risk to keep pace with this continuous change.
“Information security is also a top-of-mind concern for most every business today,” Masino says. “It’s critical that the internal audit function helps the business in an increasingly complex cyber threat landscape. We focus on information security in our audit program. The basic security concepts in cybercrime are the same as traditional threats, but given the sophistication of today’s environment, you have to make sure that internal audit is well-coordinated with the IT organization. When an audit is in its planning phase, it’s important to arrange for the skills and the tests to validate that the right things are actually working.”
To this end, Masino has created two audit teams: business process and IT. “We have five people in our function devoted to this IT area. Having these skills in-house, making that investment, has made a big difference.”
Everyone owns risk management
“Ten years ago we were all reeling from SOX,” Masino says. “We didn’t understand it. We were not clear on internal audit’s role. There were so many questions: ‘How should we work with external auditors? How do we best interpret the published regulations?’ This was a huge focus for me 10 years ago. As a public company we have figured this out; we are still rightsizing but at least we know how to do it.”
In the upcoming decade, the focus will shift again. “At Booz Allen, everyone owns risks and controls,” she says. “Internal audit is just one piece of the risk management framework. We need to advance our collaborative risk management efforts to optimize the company’s position. For example, our five auditors cannot manage the IT risks of a company; the pace of technology and the rate of change mean that everyone who has a hand in IT in the company has to have a risk mindset. A coordinated plan is also necessary so that everyone is not testing or pulling samples on the same thing. Organizations benefit from having a unified risk management platform and language.”
She adds, “The challenge is to balance the investment in people, tools and technology so that internal audit can be as efficient and effective as possible. Just as important is integrating, collaborating and coordinating with other risk management functions across the enterprise. This helps us to be more proactively involved in the beginning – and more valuable over time.”