Internal auditors have a once-in-a-lifetime opportunity to combine technology, new ways of working and the lessons learned from Wirecard. If they do, then a much brighter future awaits, and everyone will benefit
Cast your mind forward to 2025
The coronavirus pandemic has been imprinted on the national psyche and profound changes to the economy continue to influence the way we live and work.
Jobs have been sadly lost, but new, rewarding ones have been created, and the extremes of global capitalism have been tamed for collective benefit.
Public health has also moved up the agenda, businesses are more focused on the welfare of people, and the seeds of collaboration sown in 2020, are growing.
For Michelle Holmes, managing director in Protiviti’s internal audit business, something approaching utopia has taken place in her industry.
“In five years’ time the concept of agile and continuous auditing will be embedded,” she says.
“We won’t stand up any operational process without thinking about the objectives and mitigating the risks. We’ll do that in a manner that is built in, automated, and doesn’t rely on a team of people to check it every time.”
Next generation audit, with real-time assurance will also become… well, real, she says. A two-day effort will be completed in two hours using a video record and a common view of a business risk will be presented more quickly.
This means the traditional three lines of defence set up to understand risk – operations, compliance, and internal audit – are working together more closely. The barriers of the past have been broken down and relationships forged at a time of crisis have been strengthened.
Internal audit leads now have the capacity to lift their heads above a series of operational reviews. The new head space allows them to help leadership teams understand the bigger risks, and opportunities, of a changing world.
Internal audit in 2025 hasn’t just broken down the boardroom door, it’s now in the room, with a permanent seat at the table.
How will we reach utopia?
This vision is possible, Michelle believes, because of three things that have come together in 2020.
The acceleration of technology across all industries; the speed of business change, and collaboration, brought about the coronavirus pandemic; and the collapse of a German payments business that was once the darling of European fintech.
“What I have seen over this period of time is a lot of collaboration,” she says. “We don’t live in a world where the first line of defence sets something up, the second comes in and checks it, and after two years, internal audit has a look.
“We don’t have time for that. We’ve had to respond immediately.”
Michelle tells the story of a mortgage services provider she is working with. The business, which employs 100 people, moved from just ten people working remotely, to the entire workforce setting up at home overnight back in March.
There wasn’t time for one team to go in and have a look at the risks first. The board asked everyone to work on the project together and get it done quickly because they had no other choice.
“We want to get to a place where we have integrated assurance, where we’re not all looking for the same thing,” she adds. “It’s OK if one team looks at something, but the other doesn’t.
“But historically people have protected their work to justify their existence. In our profession, the agility comes in when we explore how to divide and conquer, instead of operating in a sequenced line.”
For two clients, where Michelle is also the head of audit, the board and risk committees were meeting more regularly in the early stages of the pandemic. Leadership teams wanted constant and frequent updates on the changing risk profile of their business. They wanted to know how something was being done, who was involved and how risks were being calibrated.
They weren’t happy to take one view; they wanted everyone involved. This meant that committees expanded with representation across the three lines of defence.
Overcoming pushback, with the help of Wirecard
While it has been an exciting time for Michelle and the internal audit profession, the stereotype of being a watchdog or policeman, has been harder to shift in some cases.
She shares another story of a payments business, which is growing quickly, and trying to balance the pace of a startup with the responsibility of handling people’s money.
“I have been working with this client on change management and how they put processes into the production environment without causing harm,” says Michelle.
“If you look at the regulator’s focus on operational resilience, they are asking businesses to look through the lens of the company, customer, and the broader market.
“In the first instance, this client was only looking at the impact on the company, and if the customer couldn’t access something, for example. But they weren’t looking at those elements together and they weren’t looking at the broader market.”
While Michelle was explaining the benefit of taking this approach, the company thought she was just trying to add more checklists. But instead she said to them: “No, I don’t want to add another checklist; I want you to understand how you are going to mitigate a particular risk.”
They replied by saying: “We don’t worry about a change going into production that brings the system down.”
“Well, why don’t you worry?” was her response. “Articulate that to me. If your basis for that comfort is reasonable, I’ll back away; if not, I will keep pushing you.”
Then Wirecard happened…
The German payments business, which has been the subject of a five-year investigation by the Financial Times, collapsed in June 2020. There was a €1.9bn hole in the company’s balance sheet, and an accounting scandal that had spread across the world.
At its height, shares in the business had valued Wirecard at more than €24bn, and it was part of an elite club at the top of the Dax 30 index, making it an automatic investment for pension funds around the world.
But a report by accountancy firm KPMG in April 2020 revealed it couldn’t verify that most of the profit made by the business between 2016 and 2018 was genuine. It also queried around €1bn of cash balances. The beginning of the end was well underway.
On 22 June, the company acknowledged the scale of the problem, and said that the €1.9bn probably didn’t exist. Just three days later it hit the buffers, announcing plans it would file for insolvency.
“In my next conversation with this client, I asked: why are you not the next Wirecard?” says Michelle.
“You can argue with me all you want, but that company is gone. Those engineers don’t have a job; they don’t have a job because there was a control that wasn’t in place.
“So, does that make it real for you, why we talk about these controls?”
That changed the conversation totally, and instead of being more adversarial, she says they are now working together to develop pragmatic solutions.
Are people changing their minds about internal audit?
The internal audit profession is clearly changing, and these trends have been catalysts to move it along more quickly.
There is technology available to automate part of the job; the way we work has undergone a radical shift and forced companies to collaborate remotely; and the high-profile collapse of Wirecard has certainly focused people’s minds.
So, Michelle’s message to businesses, is clear.
“Don’t go back; don’t see the practices you have implemented now as a stop gap to when you get back to the office,” she says. “The old normal doesn’t exist anymore, the new normal is normal.
“When we got over the peak, and some meetings were tailing back to once every month or six weeks, some people were asking us: ‘do you still need to attend?’ Absolutely ‘yes’ is the answer.
She adds: “The biggest challenge historically is to never cross the line, never challenge where you might be perceived as taking on management responsibility. But we are all bright smart people who want to do the right thing and we approach the situation assuming others do as well.”
As the risks that businesses face become more complex, with new horizons developing almost daily, how they manage them will become even more significant. That’s why Michelle’s vision of utopia has been taking shape in her head. The evidence above suggests it could happen, but these ideas still need commitment beyond this month, or even this year.
“In my twenty years working in this profession, I have seen it done effectively a handful of times,” she adds.
“For me that would be utopia, where more people are looking beyond operational processes and core things that happen every single day. They would be exploring things that are softer, more nebulous and really require judgment – like culture, governance and, importantly, innovation.”
The countdown to 2025 has well and truly started.
In the next and final article in this series, we will explore the changing nature of risk and how companies can cope with the uncertainty of global trends. It’s time to reimagine the way we look at risk.
Click below to view the entire series