Is internal audit meeting stakeholder expectations? Is the board doing what it can to ensure that internal audit is appropriately resourced so it can meet expectations? Below, we share input from active directors in a global survey regarding their expectations of, and the implications of those expectations for, internal audit.
A year ago, Protiviti released an issue of Board Perspectives: Risk Oversight that introduced to the board community what we described as the “future auditor” vision.1 It called for chief audit executives (CAEs) and their functions to strive to become more anticipatory, change-oriented and adaptive. The premise of the vision is that such behaviors are in great demand because internal audit functions must anticipate and respond to a constant stream of new challenges – many of which deliver uncertain and still-unfolding risk implications, from emerging technologies and the effects of business transformation initiatives to rapidly evolving business conditions. The message was clear: Change is the order of the day, and internal audit must keep pace.
Recently, the world’s largest ongoing study of the internal audit profession – the Global Internal Audit Common Body of Knowledge (CBOK) – was conducted by The Institute of Internal Auditors (The IIA) and Protiviti to ascertain expectations from key stakeholders regarding internal audit performance. The study sought input from members of audit committees all over the world about their expectations. We think all directors will find the study findings of interest, as they add further impetus to the future auditor vision.
Below, we outline six imperatives for internal audit from the CBOK study based on feedback from audit committee members.2
Focus more on strategic risks – According to the CBOK study, two in three board members believe internal audit should have a more active role in evaluating the organization’s strategic risks. Study respondents indicated that internal audit should:
- Focus on strategic risks, as well as operational, financial and compliance risks, during audit projects (86 percent);
- Periodically evaluate and communicate key risks to the board and executive management (76 percent); and
- Alert operational management to emerging issues and changing regulatory and risk scenarios, as well as identify known and emerging risk areas (66 percent).
Therefore, CAEs and their functions must focus sufficiently on the bigger picture to think more strategically when evaluating risks, proposing risk- based audit plans and formulating audit findings. By understanding the organization’s business objectives and strategy, and identifying risks that create barriers to the organization achieving its objectives and executing its strategy successfully, the CAE increases internal audit’s value proposition.
There are many ways to demonstrate strategic thinking in addition to identifying and anticipating barriers to success. For example, internal audit can suggest updates to the company’s risk profile to reflect changing conditions; understand how new technological trends are having an impact on the company’s business model; consider the continued validity of strategic assumptions in the face of market changes; and/or escalate dysfunctional situations that may give rise to unacceptable risks to management and the board. These high-end, high-touch activities impact internal audit’s contributions to enterprise risk evaluations, formulation of audit plans and access to the C-suite.
Think beyond the scope – The challenge to think strategically leads to another challenge: thinking beyond the scope of the audit plan. Thinking beyond scope means, for example, the auditor should:
- “Connect the dots” when considering enterprisewide implications of the findings of multiple audits, particularly findings with significant business model underpinnings;
- Broaden the focus on operations, compliance and nonfinancial reporting issues; and
- Watch for patterns or signs indicating a deteriorating risk culture.
By focusing more broadly on the implications of audit findings, and thinking beyond the expressed or implied boundaries set by the audit plan, internal audit is better positioned to deliver stronger, more practical and harder-hitting recommendations aligned with what directors are seeking.
Add more value through consulting – In today’s era of slower economic growth, a high premium is placed on operational effectiveness and efficiency. The CBOK study respondents picked up on this point, as nearly three in four (73 percent) recommended that internal audit consult and advise on business process improve- ments. Consulting reaches beyond internal audit’s traditional ways of helping the organization. For example, 71 percent of responding board members suggested that internal audit facilitate and monitor effective risk management practices executed by opera- tional management. Almost two-thirds (64 percent) suggested that internal audit identify appropriate risk management frameworks, practices and processes.
Consulting activities by internal audit can result in:
- Strengthening of the lines of defense that make risk management work;
- More effective collaboration with other independent functions focused on managing risk and compliance;
- Leveraging technology-enabled auditing;
- Improvements in the control structure, including greater use of automated controls; and
- Suggestions for improving and streamlining compliance.
The above list is not intended to imply that there aren’t other ways to add value through consulting. The point is that the consulting opportunities are real.
Facilitate effective, high-quality communication – Board members generally rate internal audit’s communication at a high level. For example, a strong majority of directors give high scores for the quality (83 percent) and frequency (81 percent) of internal audit’s communication. That’s good news and a great foundation on which to build.
In sustaining effective communication, internal audit focuses on improving communication with key stakeholders and the enterprise’s information for decision-making. For example, with respect to the latter, internal audit can assess the reliability of performance metrics and monitoring systems the organization has in place; use analytics tools to create lead performance indicators and trending metrics to signal when risk events might be approaching or occurring; and recommend automation of key controls or selected processes to enable effective monitoring.
Elevate stature and perspective – Positioning the CAE and internal audit within the organization is vitally important to their meeting elevated expectations.
Access and perspective have always been keys to positioning. Access has typically been attained through direct reporting to the audit committee, as well as to the C-suite. But beyond these reporting lines, the CBOK study reports that two in three board members rank the CAE’s participation in board settings beyond the traditional audit committee meetings as the most effective strategy for broadening his or her perspective. The board settings that are “relevant” in this context must be defined by directors to fit the organization’s specific needs, and answers may vary
in different regions across the globe due to different board structures, cultures and internal audit skill sets. However it’s defined, increased access to and more frequent interaction with the board broadens the CAE’s perspective and elevates the stature and visibility of the internal audit function. It also enables the CAE to establish relationships with directors, understand their views on addressing competing audit priorities and earn the right to be viewed as a source of insight.
CAE direct reporting to the audit committee is cited by 55 percent of board members as the second-highest-rated access strategy. Perhaps this gateway can be enhanced by granting the CAE “red phone” access to the audit committee. Such escalatory authority can be a useful tool to directors if the CAE proactively exercises it to bring important matters to the attention of both executive management and the board on a timely basis.
Align with stakeholder expectations – In most organizations, not all stakeholders see things the same way or want the same value from internal audit. This reality creates a significant challenge for CAEs in terms of building consensus. While directors may not expect their company’s CAE to address all of the above imperatives, at least initially, they should periodically assess whether internal audit is doing what matters.
The CAE bears the brunt of the responsibility for addressing this challenge by articulating the value that a top-down, risk-based audit plan contributes to the organization, and by providing an assurance and advisory perspective that the board, executive management and other stakeholders can understand.
Our assertion is that CAEs who embrace the future auditor vision are better positioned to demonstrate value contributed to executive management and the board. The board can facilitate this transition by articulating clear expectations of the CAE and ensuring that he or she is positioned within the organization with the requisite resources to deliver on those expectations.
Questions for Boards
Following are some suggested questions that boards of directors may consider, based on the risks inherent in the entity’s operations:
- Does the board periodically evaluate the scope of internal audit’s activities and discuss whether modifications are needed in view of changes in company operations and the business environment? Is the board getting the insights it needs?
- Does internal audit provide adequate attention to strategic risk issues? Does it provide insight regarding strategic uncertainties and barriers to the organization’s execution of the strategy?
- Does internal audit have an appropriate mix of consulting and assurance activities?
- Does internal audit have the stature and access necessary to maximize its effectiveness?
How Protiviti Can Help
Protiviti is a global leader in providing comprehensive internal audit services. We work with audit executives, management and audit committees at companies of virtually any size, public or private, to assist them with their internal audit requirements. This can include starting and running the activity for them on a fully outsourced basis or working with an existing internal audit function to supplement its team when it lacks adequate staff or skills in key areas. Our service offerings support our clients’ transition to the future auditor vision mentioned in this article.
1“Ensuring Internal Audit Is Doing What Really Matters,” Issue 68 of Protiviti’s Board Perspectives: Risk Oversight, June 2015, available at www.protiviti.com.
2“Six Audit Committee Imperatives: Enabling Internal Audit to Make a Difference,” by Jim DeLoach and Charlotta Löfstrand Hjelm, A CBOK Stakeholder Report, the CBOK study conducted by The IIA and Protiviti, 2016, available at www.theiia.org/CBOK. Note that all statistics cited in this issue of Board Perspectives: Risk Oversight are sourced from the CBOK study.
Board Perspectives: Risk Oversight (Issue 82)