Assessing Retail Industry Results from the 2012 Internal Audit Capabilities and Needs Survey
THE TERRAIN FOR RETAILERS IS UNFAMILIAR AS WELL AS UNEVEN – PITTED WITH NEW RISKS, NEWLY EMPOWERED CUSTOMERS AND THE RELATIVELY NEW NEED TO PROVIDE A SEAMLESSLY CONSISTENT CUSTOMER EXPERIENCE ACROSS PHYSICAL, ONLINE, MOBILE AND SOCIAL CHANNELS. RETAILERS CONTINUE TO ADJUST TO THESE AND OTHER FACTORS THAT HAVE CREATED A “NEW NORMAL.”
Late last year, a brief but noteworthy “Occupy Amazon” campaign materialized among a vocal collection of small retailers. This reaction to another competitive salvo initiated by the online retail behemoth reflects the frustrations many traditional retailers, both large and small, have experienced while adjusting to a new competitive landscape.
The terrain for retailers is unfamiliar as well as uneven – pitted with new risks (the threat of becoming a showroom for the online competition, for example), newly empowered customers and the relatively new need to provide a seamlessly consistent customer experience across physical, online, mobile and social channels.
Retailers continue to adjust to these and other factors that have created a new normal. Although consumers are spending again following the worst global economic downturn in decades, their behavior has changed in a fundamental way. The shop-till-you-drop mindset that prevailed during much of the past two decades appears unlikely to return anytime soon.
Add to these challenges the need to intensify existing cost-reduction efforts, and it becomes clear why some retailers are preoccupied with the competition, as a Consulting magazine article describes:
To compete with Amazon, a technology company that invested heavily in fulfillment and logistics during its early years (and was bashed by skeptical Wall Street analysts for doing so at the time), traditional retailers, which may currently invest 1 percent to 3 percent of revenue in their IT infrastructure, must find ways to cut more costs to fund technology upgrades as well as projects designed to create singular customer experiences.1
Given this environment, it is not surprising that many retailers are using the word “transformation” to describe their largest operational initiatives. These efforts and the sizeable changes being delivered pose new challenges for internal audit functions. New opportunities for fraud arise during periods of intense change, when new and traditional risks also tend to intensify.
The retail industry findings of Protiviti’s 2012 Internal Audit Capabilities and Needs Survey indicate that internal audit functions and their leaders are playing key supporting roles in a variety of strategic demands while working diligently to increase the efficiency of risk management activities and core business processes.
Specifically, the retail industry survey findings suggest that internal audit’s activities over the next year will center on four overarching priority areas:
- Increasing the use of technology to audit key business process controls (e.g., HR records management, IT asset management) more effectively
- Addressing and managing existing and emerging risks holistically
- Enhancing efficiency through technology-enabled auditing
- Nurturing internal collaboration and networking externally
In all, the results from respondents in the 2012 Internal Audit Capabilities and Needs Survey present a picture of retail internal audit functions that are prioritizing their activities and deploying their skills in order to balance tactical requirements with strategic contributions – much as retail organizations as a whole must balance cost-reduction efforts with the development and execution of new customer experience strategies.
RESULTS AND ANALYSIS
Within the retail industry, the power some well-known competitors wield is taking a back seat to the influence that newly empowered consumers wield. Today, customers can compare prices and services at the swipe of a smartphone screen. And well-connected customers can immediately broadcast their retail experiences related to prices, service and satisfaction via their extended social networks.
This shifting power equation has driven many retailers to strengthen their focus on the customer’s experience. Creating and maintaining a truly differentiated customer experience requires investments in technology and data analytics. These transformative initiatives don’t come cheap. To fund these activities, many, if not most, retailers are taking significant costs out of other parts of the business through process improvement initiatives, greater use of outsourcing and other changes – all of which affect the internal audit function.
On the efficiency front, internal audit functions must continue to do more with less. This pressure affects many loss prevention programs, which face resource constraints (and some retailers continue to suffer higher losses, as a result of cutbacks in this area). On the transformation front, periods of flux often give birth to new and/or heightened risks, as well as a growing potential for fraud.
To support the enterprise in its drive to reduce costs while transforming and fostering greater customer experience innovation, retail internal audit functions are striving to add value by focusing their efforts on the following four key areas:
1. Increasing the Use of Technology to Audit Key Business Process Controls (e.g., HR Records Management, IT Asset Management) More Effectively
Internal audit’s use of technology represents an important tool in its mission. By leveraging technology to audit business process controls, internal auditors can help increase the efficiency and effectiveness of business processes, freeing up resources throughout the business to devote more time to developing additional efficiency improvements, as well as new services and other innovations.
To assess the extent to which internal audit is leveraging technology in its audit work, respondents were asked to assess, on a scale of one to five, the degree to which their organizations use technology to audit 36 business process controls, with one indicating no use and five representing extensive use. For each area, they were then asked to indicate whether they believe their level of use is adequate or requires improvement, taking into account the circumstances of their organization and industry.
The results suggest that there is significant potential for improvement in the area of technology-enabled auditing. In fact, internal audit functions within retail organizations appear to lag behind other departments in terms of using technology (for more on this topic, see “Special Section: How Internal Auditors Are Using Technology” in the master 2012 Internal Audit Capabilities and Needs Survey report). This is the case across all major industries. The overall responses to this survey show that a majority of internal audit functions are not using a software tool to administer their audit processes; among those that are, many are not leveraging these tools to their fullest extent.
Within the retail industry, internal auditors indicated that they want to increase their use of technology to support activities that specifically relate to the potential for fraud in the organization; the proliferation of technology (approved technology as well as employee-owned gadgets and applications) throughout the organization; and other risks with potentially major bottom-line impacts.
In light of the proliferation of new technologies in organizations today, it is incumbent upon the IT organization to keep careful track of devices, tools, software and other technologies that have been deployed throughout the organization to potentially thousands of employees. As a result, it is therefore incumbent upon the internal audit function to audit and test controls related to the policies for these tools and devices, including security and privacy, change control, and data integrity. Physical security is equally important. When “little” gadgets disappear, significant financial losses can result, or worse; in the event of a security or data breach that occurs due to ineffective IT asset management, potentially devastating regulatory noncompliance and/or reputation damage can occur.
In terms of fraud, retail internal audit professionals clearly are looking to do a better job of capitalizing on technology-enabled auditing to monitor controls over areas more prone to fraudulent activity, such as access controls, HR records management, and book and physical inventory differences.
The high “Need to Increase Use of Technology” rankings for auditing business processes such as purchasing/ purchase orders, vendor negotiation and setup, inventory master control, and receiving represent further indicators of ongoing fraud-related concerns among internal auditors and their organizations, and the power and leverage of using technology to assist them.
Vendor negotiation and setup, for example, typically requires the entering of vendors into a company’s enterprise resource planning (ERP) system. This key transaction makes those vendors “go live” and allows for disbursements of funds to those organizations, albeit with the requirement of various approvals. It is possible that certain payments could be unauthorized or even fraudulent.
The survey results suggest that a continuing desire to increase the use of technology in auditing business process controls is a certainty.
2. Addressing and Managing Existing and Emerging Risks Holistically
Within the General Technical Knowledge category, retail internal auditors indicated that they are wrestling with a wide range of familiar and emerging risks across several domains.
While many of the familiar risks relate to fraud (fraud risk management), information technology (IT governance), efficiency demands (Six Sigma) and overall governance (corporate governance standards), the two top improvement priorities relate to relatively new challenges: social media applications and cloud computing, respectively.
Social media applications and cloud computing have opened up a new world of unknowns in terms of security breaches, privacy vulnerabilities and other risks. Most areas of the organization, including internal audit, are in the process of figuring out how to manage and monitor these technologies and the related risks effectively.
In addition to learning as much as possible, as quickly as possible, about social media and cloud computing use throughout the organization, retail internal auditors confront numerous governance, risk and compliance (GRC) challenges.
Consider one key priority for internal auditors in retail organizations – reporting on controls at a service orga- nization. For years, internal audit teams and/or their compliance partners simply had relevant vendors com- plete SAS 70 audits. SAS 70 gained new importance as an internal controls tool (related to financial reporting) following the passage of Sarbanes-Oxley. The standard later gained use as a data privacy and security tool (a use that the AICPA questioned) as cloud computing began to flourish. Last year, however, the American Insti- tute of Certified Public Accountants (AICPA) replaced its long-standing SAS 70 auditing standard.
Due to this standard change, many internal audit functions within retail organizations must now invest time in figuring out which components of SSAE 16 – Service Organizational Control (SOC) audits are most relevant, and in place, for numerous individual vendor situations: SOC 1 Type I and Type II audits, which most resemble SAS 70 audits, or SOC 2 or SOC 3 audits, which relate to data privacy and data security risks.
To be sure, this issue represents only one of many improvement priorities within the many different areas in internal audit’s purview.
Bulging internal audit workloads, as well as the rapid rise of “big data” in retail and the need to manage this information effectively and in accordance with federal and state laws and regulations, may help explain why country-specific enterprise risk management (ERM) frameworks figured as a top priority. This suggests that internal audit functions (and their retail enterprises), in response to issues and challenges resulting from “big data” management, want a better understanding of these frameworks as they look to manage their GRC requirements in a more integrated, and therefore more efficient, manner.
Indeed, other important improvement priorities survey respondents selected – such as Six Sigma – confirm a prevailing shift toward a more efficient and overarching approach to risk management.
Not surprisingly, survey respondents rate their competency on newer GRC priorities lower than they rate their competency on more familiar GRC priorities. For example, retail respondents rated their competency in IIA Practice Guide: Assessing the Adequacy of Risk Management higher than they rated their social media applications competency.
These General Technical Knowledge improvement priorities drive home the fact that internal auditors in retail intend to strengthen their knowledge of emerging GRC areas while simultaneously sharpening their ability to address existing risk areas in a more integrated and efficient manner.
3. Enhancing Efficiency Through Technology-Enabled Auditing
Consistent with findings from the past several years of the Internal Audit Capabilities and Needs Survey, continuous auditing, continuous monitoring and computer-assisted audit tools (CAATs) figure as top priorities for chief audit executives and their internal audit functions within the retail industry. Continuous auditing
and CAATs consistently have been ranked among the top areas identified as in need of improvement since 2008. This is a strong indicator of the rapid evolution and rising prevalence of technology in business today. However, many retail organizations still have not fully embraced the use of technology tools as part of their audit processes, which suggests there may be lack of training in these areas for their internal auditors.
Furthermore, the use of these and other technologies and technology-fueled audit approaches (e.g., statistically based sampling) enables internal auditors within retail organizations to review or test vast amounts of data on a daily basis. This efficiency is extremely important during a period in which many retailers continue to seek ways to reduce costs while also freeing up resources for more strategic endeavors.
The survey results also show fraud – and more specifically, fraud: fraud risk, fraud: auditing and fraud: fraud detection/investigation – remains a top improvement priority of internal audit functions within the retail industry.
These survey results indicate that retail companies are looking to their internal audit functions to devise efficient and cost-effective ways to monitor these activities and review and analyze this data on a continuous basis. Fortunately, there are a variety of auditing technologies available to accomplish this. The key is to enable internal audit team members, through education and training, to use them effectively and efficiently.
The bottom line is that there is an ongoing movement in the internal audit profession away from manual, time-intensive and, in many ways, inefficient auditing (relative to today’s demands) and toward technology-enabled auditing practices that facilitate reviews of virtually every transaction and piece of data on a continuing basis, when warranted. Of particular note, recent reports of alleged bribery and corruption risk in the retail industry, together with an increasing focus from the U.S. Department of Justice on fraud cases, have sent a strong signal that corruption risk can affect global companies in all industries, including retail and consumer products manufacturers with retail outlets. A key strategy for identifying, managing and monitoring fraud risk is the use of technology-enabled auditing. Yet with new technologies and innovations being introduced at a rapid rate, CAATs and continuous auditing, as well as continuous monitoring, very likely will continue to rank as top priorities for internal audit functions in future capabilities and needs surveys.
4. Nurturing Internal Collaboration and Networking Externally
Respondents were asked to assess, on a scale of one to five, their competency in 24 areas of personal skills and capabilities (again, with one being the lowest level of competency and five being the highest). For each area, they were then asked to indicate whether they believe their level of knowledge is adequate or requires improvement, taking into account the circumstances of their organization and industry.
A quick glance at the top priorities under Personal Skills and Capabilities indicates that internal auditors within the retail industry remain committed to elevating their performance in three ways:
- Forging stronger, more collaborative relationships with the audit committee of the board of directors (as well as other corporate directors and the executive leadership team)
- Developing select skills related to technology, time management and relationship-building
- Strengthening their function’s overall capabilities through outside networking and practices-sharing
In terms of board relationships, survey respondents noted they remain committed to improving their collaboration with audit committee members. In a more personal context, the skills development priorities support and align with other survey results. For example, making greater use of CAATs, continuous auditing and other technology-driven auditing approaches represent top functional improvement priorities, while using/mastering new technology and applications mark top personal skills improvement priorities.
Many of these improvement priorities – such as leadership, persuasion, high-pressure meetings, dealing with confrontation, and negotiation – also reflect the ongoing evolution of the internal audit function. Few, if any, effective internal audit departments operate in a silo today. A growing number of functions have embraced an “immersive role” as they work closely with business partners to address threats and opportunities throughout the enterprise.
From a personal perspective, it is no longer sufficient for internal auditors in the retail industry to step out of the old silo mindset and into a new, more immersive role. Instead, internal auditors in retail appear eager to ensure that their collaborations with all of the different parts of their organizations are as strong as possible so that they can thrive in their new roles.
From a functional perspective, internal audit can no longer simply work through a list of tasks and activities each year. Instead, the function’s work has become less task-focused, more collaborative and more strategic. And the quality of this collaboration matters, just as the experience of a retailer’s customer matters, perhaps more so than ever before.
1Krell, Eric, “The Reality of New Retail,” Consulting magazine, February 13, 2012.
About the Survey
Each year, Protiviti conducts its Internal Audit Capabilities and Needs Survey to assess current skill levels of internal audit executives and professionals, identify areas in need of improvement and help stimulate the sharing of leading practices throughout the profession. This year, survey respondents answered close to 200 questions in the following categories: General Technical Knowledge, Audit Process Knowledge, Use of Technology in Auditing Business Process Controls, and Personal Skills and Capabilities. Manufacturing industry respondents also were asked to address a fifth category of questions: Manufacturing-Specific General Technical Knowledge. The results, which are based on information provided by all respondents (who numbered more than 800), are contained within the overall survey report (available at www.protiviti.com/IAsurvey).
In each category, respondents were asked to assess, on a scale of one to five, their competency in different skills and areas of knowledge, with one being the lowest level of competency and five being the highest. They were then asked to indicate whether they believe they possess an adequate level of competency or if there is need for improvement, taking into account the circumstances of their organization and the nature of their industry.