Etihad Airways Quells Conflict, Quantifies Internal Audit Value by Tracking Revenue Enhancements and Cost Improvements
Company Headquarters — United Arab Emirates
Number of Countries Operates in — 70
Number of Employees in Company — 24,000+
Industry — Airline
Annual Revenues — US$6.1 billion (as of 2013)
Number in IA Function — 35
Number of Years IA Function Has Been in Place — 8
IA Director/CAE Reports to — Chairman of the Audit Committee
“I strongly believe that if we, as auditors, do not evolve and change, we will soon become obsolete. Ninety percent of the job I did 10 years ago has been automated.”
- Harsh Mohan
Etihad Airways (Etihad) is the national airline of the United Arab Emirates (UAE). Established in 2003, it operates out of a hub at Abu Dhabi International Airport. In its first decade, it grew to more than US$6 billion in revenue, with 111 flights serving 67 countries; today, Etihad is the second-largest carrier in the UAE, behind Emirates.
In addition to its flagship, Etihad Airways holds equity interests in seven other airlines, including Aer Lingus, airberlin, Air Serbia, Air Seychelles, Alitalia, Jet Airways and Virgin Australia. It also operates a global loyalty company and holds majority ownership in the loyalty companies of several airline partners, as well as a number of flight support services.
Etihad’s internal audit function was created in 2007. Harsh Mohan joined the audit group in 2011 and has been senior vice president, audit, compliance and risk, since 2013. In that role, he serves as chief audit executive and also oversees compliance and risk. He reports directly to the chairman of the board’s audit committee, and administratively to the president and chief executive officer. Etihad Airways’ team of internal auditors is divided into five specialties, with one group handling internal audit for the flagship airline, another overseeing internal audit for airline partners, a compliance group, IT assurance and risk assessment.
“When I joined the audit group, there was an ‘us versus them’ attitude,” Mohan says. “It was a very traditional internal audit function, and there were many differences between management and internal audit.”
Drawing on his background as a business transformation consultant, Mohan implemented a more collaborative approach, making sure auditors praised managers for their accomplishments, explained the significance of any adverse findings and prioritized recommendations according to business value.
Seek First to Understand
As independent and objective observers with access to every corner of an organization, internal auditors are uniquely positioned to acquire a deep understanding of operational intentions, historical outcomes, strengths, weaknesses, opportunities and threats. Mohan used that knowledge to align his team’s audit goals with stakeholder objectives so that, whenever possible, they make recommendations that help stakeholders achieve their objectives, instead of presenting them with technically correct but strategically insignificant laundry lists of corrective actions.
“Every report that comes to my desk must have a ‘so-what’ and a ‘why’ answer,” Mohan says.
Mohan sits as an observer in Etihad Airways’ strategy/decision-making group, so he has a clear understanding of the company’s strategic objectives. He passes that understanding along to his direct reports monthly to align them with the organization’s business plan and ensure they are auditing the right risks.
“We work with the audit committee, too, so that they have a full view and vision of what we are doing,” Mohan says.
In 2014, the internal audit function at Etihad Airways gave back $66 million to the organization in profit enhancement initiatives – the yield from about 100 audit assignments and recommendations, including revenue and cost improvements, as well as process changes. That’s a pretty specific dollar figure – and Mohan says that’s by design.
“Each of our findings or recommendations has a measurable value-add,” he explains. “Once an audit has been completed and management has agreed to make a recommended change, it goes to the project management office, and they track it.”
That’s not to say internal audit has become disproportionately focused on profit-finding initiatives. “You need to be an auditor first,” Mohan says. “That needs to be the foundation of what you do. But when you spend all that time reviewing systems, controls, processes and transactions, you also should always be looking for ways to use that knowledge to add value through process improvements, enhancements and change.”
A Mandate for Change
Having worked in consulting and in turnaround projects for airlines, Mohan says he came to internal audit with a mindset focused on business risk controls. One of the first changes he made was to migrate away from referring to his area as “internal audit,” now calling it “assurance” instead.
It’s a subtle change, but significant. “Assurance” is more closely aligned with Etihad Airways’ goal of leveraging internal audit knowledge for strategic insight, casting internal audit in the role of trusted adviser. “That kind of change doesn’t happen without the support from the highest levels of the company,” says Mohan.
He adds, “We have a very strong tone at the top, from the PCEO [president and chief executive officer] down through the C-suite, when it comes to governance, compliance, ethics and low tolerance for fraud. That kind of support gives us a lot of leverage in terms of acceptability.”
It also requires leadership from within internal audit. “My predecessor and I have both worked toward that end,” he says. “All of our audits are based on risk assessments.”
In 2011, the internal audit function began meeting in the third quarter of every year to review the risks on its radar and adjust its audit plan accordingly. The group operates on a three-year strategic plan, calibrated annually to prioritize high and high-velocity risks.
“If the risk is high, and the velocity is also high, we give it full priority and assign one, two or three audits,” Mohan says. “We also look to see if the controls are really effective and what we can do to mitigate the risk from our side.”
New Rules – New Tools
Mohan’s vision of an agile, risk-focused, value-driven internal audit function includes new hiring standards, new expectations for continuing education, more training, greater specialization and new automated tools to facilitate continuous audit and deep data analysis.
On the hiring front, Mohan says, “Anybody who comes to my group has to have a professional designation – such as a certified public accountant, master of business administration or certified internal auditor – which gives me the basic indication of a professional background.” Once those qualifications are confirmed in a potential hire, he looks for “business sense and a can-do attitude, rather than people with very rigid profiles.”
Mohan believes in continuous development for himself and his staff of auditors. He holds four off-site training sessions each year focused on emerging issues. In addition, anyone attending a conference or seminar is required to share learnings with the rest of the team in a one-hour to two-hour summary.
His team has been equipped with specialized tools to increase the scope of their analytic reach and the depth and nuance of their findings. Automated auditing tools have also aided in tasks ranging from collaborative reporting to continuous data analysis.
“We’ve taken the drudge work out of our auditing cycle,” Mohan says. “I strongly believe that if we, as auditors, do not evolve and change, we will soon become obsolete. Ninety percent of the job I did 10 years ago has been automated.”
Etihad Airways’ continuous auditing tools monitor critical functions, collecting raw data from various sources every 15 days – reservation data, ticketing data, financials, personnel and flight performance, among others.
A root cause analysis into a refund anomaly resulted in a substantial reduction in refund abuse. Data analysis found that a few agents were locking up excessive inventory, only to refund a high percentage of the sales they had made. The fix recommended by internal audit – a refund fee – substantially reduced refunds, contributing approximately $3 million to the company’s bottom line.
Audits are performed at the business-unit level, as well as at the process level, according to how a particular risk presents itself. IT risks have become so significant for Etihad that they command their own specialized audit team, which provides IT assurance across the group. This team also conducts penetration testing, looking at virtual clouds and recommending rapid response plans to ensure client data and intellectual property are reasonably safe and that any breach could be rapidly detected and remediated.
Accountability Is Key
Etihad Airways conducts internal client satisfaction surveys after each audit engagement to measure management’s attitude toward the internal audit function. Mohan says satisfaction has increased substantially in the past year as conflict has been replaced with collaboration. The audit function is also reviewed by senior management and the audit committee.
Independence and objectivity are especially important in a collaborative environment, where internal audit is vested in the outcomes as a key performance indicator. Mohan says extra care is given to ensure objectivity is not compromised.
“Every assignment we take, we have to review that to make sure our independence is not compromised,” he says. “The result is reported to the audit committee in summary format every quarter. That report is visible to the PCEO – and all other stakeholders. We give a recommendation, but we are never responsible for the implementation. We don’t own the rectification/mitigation action.”
As an audit executive in a state-owned enterprise, Mohan is subject to an extra layer of scrutiny. The Abu Dhabi Accountability Authority, which serves as auditor general of Abu Dhabi, provides guidelines and support to the internal audit departments of all state-owned enterprises. It also audits the work of these internal audit departments. The Authority had a say in Mohan’s appointment, and his continued employment depends on meeting its high auditing standards. It conducts annual audits, and if an internal audit function does not meet the standards in two consecutive audits, that failure will have direct consequences for the annual performance evaluation of the head of internal audit.
“That’s a pretty good incentive to keep everything in an upright manner,” Mohan says.