The Future Auditor Revisited

Just over two years ago, Protiviti released an issue of The Bulletin that introduced what we call the “future auditor” vision.[1] This vision was then (and still remains) based on a definition framed by The Institute of Internal Auditors (The IIA), which asserts that internal auditing is “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.” The IIA’s definition points to an endgame to which every progressive chief audit executive (CAE) should aspire. It states that internal auditing “helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.” The focus is unmistakably comprehensive.[2]

We use the term “future auditor” to describe a CAE who takes definitive steps toward making The IIA’s vision a reality within the organization he or she serves. Recent empirical evidence corroborates the relevance of this vision among internal audit stakeholders. Given this recent data, we dedicate this issue of The Bulletin to revisiting the notion of the future auditor and its implications for internal audit’s value proposition and for delivering to stakeholder expectations.

The Future Auditor Vision

When we articulated our vision in 2014, we suggested that the future auditor:

  • Be positioned to be objective with regard to the enterprise’s operating units, business processes and shared functions, and vested with a direct reporting line to the board of directors or a committee of the board;
  • Understand the organization’s business objectives and strategy and think strategically in identifying risks that create barriers to the organization achieving its objectives and executing its strategy successfully;
  • Be authorized to evaluate and challenge the design and operating effectiveness of the organization’s governance, risk management and internal control processes that address its critical risks; the future auditor also creates value by making recommendations to strengthen those processes and by keeping the appropriate executives and directors informed about open matters;
  • Use a lines-of-defense perspective to ensure that risk management and internal control are functioning effectively;
  • Articulate the value a risk-based audit plan contributes to the organization, providing an assurance perspective that the board and executive management can understand;
  • Maximize the use of technology to achieve efficiencies in assessing risk, expanding audit coverage, automating critical internal controls, tracking issues, providing exception reports, and mining and analyzing data to draw meaningful insights regarding emerging risks and process and control performance; and
  • Possess escalation authority and proactively exercise that authority to bring important matters to the attention of executive management and the board on a timely basis.

With these responsibilities and independent positioning in place, the future auditor’s relevance is assured. He or she is recognized throughout the organization as a positive change agent and provides a valued source of objective insights to executive management and the board regarding the critical enterprise risks, risk management capabilities and opportunities for improving the effectiveness and efficiency of activities that matter most to the organization’s success.

To some stakeholders and practitioners, the above responsibilities may be nothing new and merely depict what CAEs are doing now or should be doing. We agree that some CAEs, particularly in financial services, actively embrace the future auditor vision. Our view is that every CAE has the opportunity to self-assess his or her value against the future auditor vision and determine whether gaps exist and, if so, whether those gaps are due to positioning, scope or skill sets.

No doubt, operating the internal audit function in accordance with the profession’s standards[3] is vitally important. But the future auditor’s primary focus is on value contributed in the eyes of the board and executive management. To that end, in 2014 we suggested 12 ways the future auditor contributes demonstrable value.

Since 2014, the world’s largest ongoing study of the internal audit profession – the Global Internal Audit Common Body of Knowledge (CBOK) – was conducted to obtain expectations from stakeholders regarding internal audit performance. As a result of the CBOK study, we added three more ideas to our list of suggestions for the future auditor. The resulting summary of 15 ways the future auditor establishes and sustains the relevance of internal auditing illustrates definitive steps toward addressing ever-expanding stakeholder expectations. Below, we outline six imperatives for internal audit from the CBOK study based on feedback from members of audit committees worldwide regarding their expectations of the CAE and the internal audit function.[4]

Focus More on Strategic Risks

According to the CBOK study, two in three board members believe internal audit should have a more active role in assessing and evaluating the organization’s strategic risks. A strong majority of responding CEOs (71 percent) provided similar feedback. Therefore, the future auditor must focus sufficiently on the bigger picture to think more strategically when evaluating risks and proposing risk-based audit plans.

By understanding the organization’s business objectives and strategy and identifying risks to the organization’s success in achieving its objectives and executing its strategy, the future auditor increases internal audit’s value proposition to key stakeholders. To this end, the future auditor leverages the proverbial “hall pass” to meet with business, functional, process and risk owners regularly, so that he or she is in a position to offer substantive views and insights to executive management and directors on risks to achieving objectives and executing the strategy, including emerging risks.

How the Future Auditor Focuses More on Strategic Risks
1.    Thinks more strategically when analyzing risks and framing audit plans
2.    Provides early warning on emerging risks

 

Among the specific avenues designated by board members in the CBOK study for internal audit to improve its role in assessing and responding to strategic risks facing the organization, the top two responses, by far, were (a) focusing on strategic risks as well as operational, financial and compliance risks during audit projects (86 percent), and (b) periodically evaluating and communicating key risks to the board and executive management (76 percent).

Using a solid understanding of the organization’s strategy and business model as a context, the future auditor can:

  • Identify and anticipate barriers to the successful execution of the strategy, including emerging risks;
  • Facilitate the risk appetite dialogue at the highest levels of the organization;
  • Suggest updates to the company’s risk profile to reflect changing conditions;
  • Understand how new technological trends are having an impact on the company;
  • Consider the validity of strategic assumptions as well as plausible or extreme scenarios that could invalidate one or more critical assumptions, forcing a revisit of the strategy and business model;
  • Evaluate the organization’s strategic alignment and progress toward executing the strategy; and
  • Escalate dysfunctional situations giving rise to unacceptable risks to management and the board.

These high-end, high-touch activities impact the future auditor’s contribution to enterprise risk evaluations, formulation of audit plans and access to the C-suite. With respect to emerging risks, 66 percent of the CBOK study respondents noted that internal audit should alert operational management to emerging issues and changing regulatory and risk scenarios, as well as identify known and emerging risk areas.

Think Beyond the Scope

The challenge to think strategically leads the future auditor to another challenge: to think beyond the scope of the audit plan and individual audit projects. This means the future auditor “connects the dots” by considering the implications of audit findings across the organization so that audit communications are responsive to a business context that is broader than the expressed or implied boundaries set by the audit plan. Just because a gratuitous comment regarding a customer, supplier, competitor or other issue is not in scope does not mean that the audit committee and other stakeholders in the organization do not want to hear about it, particularly if it and other similar comments suggest a pattern or trend that has strategic, cultural or performance underpinnings.

The future auditor understands that a deteriorating risk culture presents a formidable hurdle to sustaining risk management performance and effective internal control. Because risk culture often evolves as the organization evolves, from time to time, the future auditor may use self-assessment techniques, internal surveys, focus groups and other techniques to understand the current state of the organization’s risk culture, ascertain whether any gaps against the desired risk culture exist and identify specific steps to rectify those gaps.

More important, individual audit findings may reflect on the state of risk culture. For example, discovery of unusual risk-taking, continued delays in remediating control deficiencies, budget cuts leading to sustained deferred maintenance, instances in which core values are not applied and a pattern of policy violations in specific areas, among other factors, may offer useful insights when considered together.

How the Future Auditor Thinks Beyond the Scope
3.    “Connects the dots” when considering enterprisewide implications of audit findings
4.    Broadens the focus on operations, compliance and nonfinancial reporting issues
5.    Watches for signs of a deteriorating risk culture

 

The point is that audits are not a check-the-box exercise. By having a view of the big picture through regular interaction with the board and thinking more strategically, the future auditor focuses more broadly on the implications of audit findings and thinks beyond the scope to deliver stronger, more practical and harder-hitting recommendations aligned with what key stakeholders are seeking. In addition, the future auditor looks to broaden the focus of the audit plan on operations, compliance and nonfinancial reporting issues, particularly those of highest relevance to the execution of the strategy.

According to the CBOK study results, 21 percent of the respondents indicated that internal audit does not communicate which risks or activities of the organization are not covered by the audit. Stakeholders are always interested in what isn’t covered by the audit plan, consistent with their interest in knowing what they don’t know. Accordingly, the future auditor is prepared to address why uncovered matters are not addressed.

Thinking beyond scope also pertains to matters covered by the audit plan. When reporting on audit findings, the future auditor is prepared to address broader questions from senior executives and directors, such as:

  • What is the real meaning of these findings? Is there a broader message we should be aware of?
  • How are we driving value from our compliance and assurance activities? For example, are there improvements to our processes that we need to make as we remediate our deficiencies?
  • How do these findings relate to other areas of our business? As leaders of the organization, what are we missing?
  • Are there potential crisis events that we haven’t thought about and for which we are unprepared to respond?

Add More Value Through Consulting

Internal audit need not be limited to assurance. In today’s era of slower economic growth, a high premium is placed on operational effectiveness and efficiency. The CBOK study respondents picked up on this point, as nearly three in four (73 percent) recommended that internal audit consult and advise on business process improvements.

Consulting reaches beyond the traditional ways that internal audit can help the organization, such as evaluating the risks resulting from changing operations and assessing the necessary enhancements to controls that should be in place. For example, 71 percent of the responding board members suggested that internal audit facilitate and monitor effective risk management practices by operational management to assist with risk oversight. Almost two-thirds (64 percent) suggested that internal audit identify appropriate risk management frameworks, practices and processes.

How the Future Auditor Contributes Value Through Consulting
6.    Strengthens the lines of defense that make risk management work
7.    Collaborates effectively with other independent functions focused on managing risk and compliance
8.    Leverages technology-enabled auditing
9.    Improves the control structure, including the use of automated controls
10.    Advises on improving and streamlining compliance

 

Given the magnitude and pervasiveness of changes many organizations are undergoing, including the effects of business transformation initiatives driven by advances in digital technology and other factors, the future auditor’s emphasis on consulting becomes even more important. We list five examples of how the future auditor contributes value through consulting:

  • Strengthens the lines of defense that make risk management work by ensuring that the primary risk owners and independent risk management and compliance functions are performing their respective functions in ensuring risks are effectively managed. This perspective also considers the tone of the organization and effectiveness of senior management and the board in addressing escalated matters.
  • Collaborates effectively with other independent risk management and compliance functions focused on managing risk and compliance by coordinating roles, responsibilities, and audit and oversight plans, as well as sharing risk information and available resources.
  • Leverages technology-enabled auditing on multiple fronts to broaden audit and risk coverage and enable more audit emphasis on strategic issues and critical enterprise risks (e.g., self-assessment tools, continuous auditing and computer-assisted auditing techniques, data-mining tools, advanced analytics, customized dashboards, exception reporting capability, and automation of ongoing controls monitoring and issue tracking).
  • Improves the control structure, including the use of automated controls, by evaluating the control structure and identifying opportunities to eliminate, simplify, focus and automate controls to maximize cost-effectiveness while also providing reasonable assurance that control objectives are achieved.
  • Advises on improving and streamlining compliance to address consulting opportunities in specific compliance domains due to proliferation of operating silos, control ownership gaps and overlaps, fragmented and diffused reporting of risk and control data, unaligned stakeholder expectations, and a lack of entity-level transparency in how the compliance infrastructure is actually functioning.

In listing the above, we do not intend to imply there aren’t other ways to add value. The point is that the consulting opportunities are real.

Facilitate Effective, High-Quality Communication

Board members generally rate the quality and frequency of internal audit’s communication at a high level. For example, a strong majority of board members give high scores for the quality (83 percent) and frequency (81 percent) of internal audit’s communication. That’s good news and a great foundation on which to build.

How the Future Auditor Facilitates Effective, High-Quality Communication
11.    Improves information for decision-making across the organization
12.    Expands the emphasis on assurance through effective communication with management and the board
13.    Remains vigilant with respect to fraud

 

In sustaining effective communication, the future auditor focuses on communication with key stakeholders and the enterprise’s information for decision-making. For example, the future auditor:

  • Improves information for decision-making across the organization by assessing the reliability of performance metrics and monitoring systems the organization has in place; using analytics tools to create lead performance indicators and trending metrics to signal when risk events might be approaching or occurring; and recommending automation of key controls or selected processes to enable effective monitoring.
  • Expands the emphasis on assurance through effective communication with management and the board by distinguishing the sources of assurance provided by those who report to management and/or are part of management; those who report to the board (including internal audit); and those whose reports are of interest to external stakeholders (e.g., the external auditor).
  • Remains vigilant with respect to fraud through periodic enterprisewide risk assessments and evaluations of the organization’s anti-fraud and corruption program by using data mining and analytics techniques to analyze transactional data, obtaining insights into the operating effectiveness of internal controls, and identifying indicators of, or patterns signifying, possible fraudulent activity requiring further investigation.

Elevate Stature and Perspective

The future auditor’s positioning within the organization is vitally important to his or her delivery against elevated expectations. Access and perspective have always been keys to positioning. Access has typically been attained through direct reporting to the audit committee, as well as to the C-suite. But beyond these reporting lines, the CBOK study reports that two in three board members rank a CAE’s presence in appropriate board or board committee meetings as the most effective strategy for broadening perspective. This suggests an opportunity for boards to consider whether the CAE should participate in board settings beyond the traditional audit committee meetings.

What board settings are “relevant” in this context must be defined by directors to fit the organization’s specific needs, and answers may vary in different regions across the globe due to different board structures, cultures and internal audit skill sets. Regardless, increased access to and more frequent interaction with the board together broaden the CAE’s perspective and elevate the stature and visibility of the internal audit function. The CAE is then, in turn, better able to establish relationships with directors, understand their views on addressing competing audit priorities and earn the right to be viewed as a source of insight. 

How the Future Auditor’s Stature and Perspective Are Elevated
14.    Reports directly to the audit committee
15.    Interacts with directors in relevant nontraditional board settings, as appropriate

 

CAE direct reporting to the audit committee is cited by 55 percent of board members as the second-highest-rated access strategy. Perhaps this gateway can be enhanced by granting the CAE “red phone” access to the audit committee. Such escalatory authority can be a useful tool to the audit committee if the CAE proactively exercises it to bring important matters to the attention of both executive management and the board on a timely basis.

Align Stakeholder Expectations

In most organizations, not all stakeholders see things the same way, or want the same value from internal audit. The future auditor bears the brunt of the responsibility to bring executive management and business owners in alignment regarding internal audit’s mandate and performance. By articulating the value that a top-down, risk-based audit plan contributes to the organization and providing an assurance perspective that the board, executive management and other stakeholders can understand, the future auditor works with stakeholders to ensure that internal audit performance is measured appropriately.

When the future auditor is present at the appropriate board and management meetings, this is easier to accomplish.

Summary: Striking the Right Balance

The future auditor vision is all about taking concrete steps toward making the future state envisioned in The IIA’s definition of internal auditing a reality. In doing so, the future auditor enhances the value of the internal audit function. This perspective is important because, in our view, the expectations of executive management and the board of directors about the internal audit function continue to rise; therefore, progressive CAEs must continuously upgrade the capabilities of their functions to keep pace with higher expectations.

The CBOK study provides a context for the target. It suggests that audit committees desire that the CAE and internal audit function think more broadly and strategically, move beyond assurance to provide value-added consulting and advisory services, and continue to deliver to expectations. To address these imperatives, we have suggested 15 ways the future auditor contributes value. These suggestions represent definitive steps forward for internal audit in applying the full scope of The IIA’s definition of internal auditing.

While our 15 suggestions are not intended to be all-inclusive, we think enough of them to recommend that if significant gaps exist between the expectations of the board and management and the CAE’s performance against those expectations, the CAE should consider those gaps as a potential opportunity to enhance internal audit’s value proposition.

Should the CAE implement all 15 of these suggestions? How does the CAE balance taking on new value-added audit initiatives with existing audit priorities? No doubt, there are multiple priorities in any audit plan, including “must do” activities (e.g., regulatory compliance and financial reporting controls compliance), risk-based activities linked to the organization’s strategies and objectives, core assurance activities rotated over several audit periods, and specific management requests (e.g., investigations and special projects). The CAE aspiring to the future auditor vision not only understands these various demands, but also optimizes the allocation of resources to each. Depending on the organization, the mix of consulting relative to assurance might range from 20 to 50 percent.

15 Ways the Future Auditor Contributes Value
1.    Thinks more strategically when analyzing risks and framing audit plans
2.    Provides early warning on emerging risks
3.    “Connects the dots” when considering enterprisewide implications of audit findings
4.    Broadens the focus on operations, compliance and nonfinancial reporting issues
5.    Watches for signs of a deteriorating risk culture
6.    Strengthens the lines of defense that make risk management work
7.    Collaborates effectively with other independent functions focused on managing risk and compliance
8.    Leverages technology-enabled auditing
9.    Improves the control structure, including the use of automated controls
10.    Advises on improving and streamlining compliance
11.    Improves information for decision-making across the organization
12.    Expands the emphasis on assurance through effective communication with management and the board
13.    Remains vigilant with respect to fraud
14.    Reports directly to the audit committee
15.    Interacts with directors in relevant nontraditional board settings, as appropriate

 

Yes, finding the appropriate balance is a challenge. But CAEs who embrace the future auditor vision are better positioned to demonstrate to executive management and the board the value contributed by internal audit through their comprehensive risk focus and forward-looking, change-oriented and highly adaptive behavior. It is up to progressive CAEs to take the lead and show the way toward fulfilling the profession’s full potential.

[1] “The Future Auditor: The Chief Audit Executive’s Endgame,” Issue 6 of Volume 5 of Protiviti’s The Bulletin, April 2014, available at www.protiviti.com.
[2] See The IIA’s definition of internal auditing.
[3] See The IIA’s International Standards for the Professional Practice of Internal Auditing, effective January 1, 2013.
[4] “Six Audit Committee Imperatives: Enabling Internal Audit to Make a Difference,” by Jim DeLoach and Charlotta Löfstrand Hjelm, A CBOK Stakeholder Report, the CBOK study conducted by The Institute of Internal Auditors and Protiviti, 2016. Note that all statistics cited in this issue of The Bulletin are sourced from the CBOK study.