Transcript | Achieving Audit Relevance – with Andrew Struthers-Kennedy and Angelo Poulikakos

Top-performing internal audit groups share similar traits: They focus more on streamlined, tailored, impactful communications and reporting. They evolve and adapt routinely, and they push themselves to find and build talent and resources from both within and outside their organisations. But guess what? Fewer than six in 10 internal audit functions have access to the talent they need across any of the 12 Next-Generation Internal Audit competencies in Protiviti’s proprietary model.

This is Kevin Donahue, a senior director with Protiviti, welcoming you to a new edition of Powerful Insights. These are some of the key findings from Protiviti’s latest Next-Generation Internal Audit survey. We conducted our study online in the fourth quarter of 2022 and had more than 550 internal audit leaders and professionals from around the world respond. Our results are detailed in our report Achieving Audit Relevance, available at Protiviti.com.

I had the great pleasure of speaking with two Protiviti global leaders about some of the highlights from this study. They are Protiviti Managing Directors Andrew Struthers-Kennedy and Angelo Poulikakos. Andrew serves as the global leader for our Internal Audit and Financial Advisory practice, while Angelo is the global leader for our Technology Audit practice.

Angelo, thanks for joining me today.

Thanks for having me, Kevin.

Andrew, great to speak with you as well.

Same, Kevin. Always great to be with you.

Andrew, let me toss you the first question here: When it comes to relevance for CAEs and the internal audit function, our research shows that impactful communications, including high-impact reporting, are the most important contributor to achieving this relevance in the eyes of leadership — the board, and the C-suite. What do you think it takes to deliver high-impact communications, and where do you find internal audit functions lagging, on average?

I 100% agree with that. From all of the interactions we have and the feedback we hear, and from the surveys that we conduct on this topic and what it takes to drive and increase relevance and value for internal audit practitioners in the internal audit function. Knowing your audience is a key point — recognising that the needs are very different across the range of stakeholders and report recipients that internal audit interacts with. Those vary from control operators and control executors all the way to executives and board members trying to focus reporting on what each of those stakeholders needs to know and using communication tools like the five C’s — making sure communications are conversational, clear, concise, connected, correct, focusing on the things that the stakeholders really need to know to take action given their role.

A few critical elements to consider in communications: Are they clear and concise? Are they relevant and timely? Are they appropriately personalised or customised? Increasingly, are they making use of data? Are they data-driven? Are they making use of visual aids and/or graphics where appropriate? Are they connected back and aligned back to key risks and objectives that the audit activity is seeking to address, and are they in a format that allows for interactive and dynamic content?

Of the areas I just mentioned, in a webinar that we conducted, we asked some polling questions, and coming through fairly clearly in the responses were data-driven being a priority, clarity and conciseness being a priority, and relevance and timeliness. At least two of those three, internal audit functions have an opportunity to continue to drive improvement around — in particular, the use of data, the use of visual aids, the use of graphics and reporting, and timeliness of reporting and communicating at the speed of the findings that we identify and at the speed of the risk of the organisation.

I would only add one other area, which is focusing the communications on value creation, and how can internal audit contribute to areas of meaningful improvement for the business? Are there any cost-saving opportunities? Are there any opportunities to add efficiency into a process? And risk mitigation is always key. But too often, we’ll see audit reports focused on documentation-oriented findings, where the folks performing a business process are doing the right thing — they may not be documenting what they’re doing, and sometimes that becomes too much the focal point of the report: anything the department can do to focus on demonstrating opportunities for value creation by the business.

And one thing I find interesting in my role in marketing thought leadership development, I’m being told increasingly that our communications, our messages, have to be concise and impactful and resonate with an audience that may have an attention span of one minute. And this is consistent with what you’re saying around internal audit reports as well, where all of us seem to be dealing with an audience that is not interested in doing a deep dive right away. You need to get to the point, and do it impactfully.

That reinforces the need to grab the attention of the stakeholder. That stakeholder could be a control operator who needs to have a very different set of information to take specific action. Or it could be an executive or a board member who needs to perhaps understand the issue at a higher level and make a broader set of decisions associated with it. Grab their attention, tell them the three things that they need to know — be very clear, be very direct, be very concise. To the extent that you can support that with data, that’s tremendously helpful. Those are some things that we see consistently as opportunities for improvement and we see as opportunities to create tremendous value in the communication cycle for internal audit practitioners.

Data is a key theme here, and it’s a good lead-in to our next question. Angelo, another key finding from our study is that skills and capabilities in next-generation enabling technologies — process mining, AI, machine learning, advanced analytics and automation — continue to lag. In many ways, such technologies seem to be the future, or at least a critical part of it, in internal audit. Why is there not more progress being made in these areas?

It’s true that despite the strong potential these technologies can bring to the internal audit function, progress has been a lot slower than anticipated. I joined the profession about 20 years ago, and I feel like we are still talking about bringing analytics into the internal audit function. There are a few reasons, and first, there still is a lack of understanding and expertise in these technologies, specifically among internal audit professionals. This knowledge gap, it can make it challenging to identify the right use cases and to integrate these technologies effectively within existing audit processes.

There’s been such advancement in technology in general. You’re always hearing about new tools, new techniques, and that has outpaced the speed at which internal audit professionals can learn and adapt. When you consider the time and the priorities of an internal audit function, at their core, they’re focused on driving compliance and risk management. They do not have as much time to focus on learning cutting-edge technologies. Part of that might be because there’s a lack of a targeted time and training programs specifically tailored for internal auditors, helping them acquire these skills.

Another reason is the investment that’s needed in time and in resources. We’ve been hearing it for several years, but organisations continue to face budget constraints, competing priorities, and they sometimes struggle to justify the ROI for some of these initiatives that may involve learning a new technology or, more important, implementing some new technology, with an internal audit context. And there could also be that resistance to change within organisations that we hear about quite often.

During the same webinar Andrew was alluding to, we talked a lot about ChatGPT, we talked a lot about large language models, and the consensus was, these tools and

technologies have not been adopted, despite them being very easily accessible to the community. Legitimately, there are concerns around data security, compliance and potential biases as they relate to AI and machine learning algorithms. But also, internal auditors, by their very nature, tend to be risk-averse. That likely contributes to them not wanting to adopt something new, because it is changing the way they’ve traditionally done things and they’re worried about failing to meet goals on other priorities that they may have in place.

One of the things that we consistently hear around barriers to progress or things that inhibit progress, at least at speed, is the challenge of competing priorities. There’s so much that’s expected of internal audit functions these days: Complete the plan — and that includes addressing established risks as well as those in emerging areas and those requiring increasingly deep technical knowledge. Keep up with the evolving risk landscape and the organisation’s transformation efforts, allowing the function to audit at the speed of risk. Focus on delivering high levels of value and relevance; hire, train and retain talent; and be available to support management requests and provide advisory and consultative services.

Keeping up with all of those activities is more than many internal audit functions have the capacity to handle. Layering in exploration, adaptation, adoption of new technologies, layering in transformation efforts and innovative initiatives, that’s a legitimate challenge for many functions. Finding ways to transform, adopt, adapt and innovate incrementally and through iteration, identifying team members that are legitimately interested and enthusiastic and are showing a level of aptitude toward these emerging risk areas, topics and technologies is a good way to help drive progress, and then trying to embed the exploration and use of these into routine activities and execution is another method we’ve seen as a way of making progress.

The good news is, there continues to be advancement in these technologies, and they’re becoming more and more easy to use and they’re going to become more

integrated into Office products that we’re already familiar with. Microsoft made an announcement about them, introducing a platform called Copilot, which will be an AI on your day-to-day applications, whether it’s Outlook, Word, Excel or PowerPoint. And it’s going to help enable auditors and help them accelerate some of their day-to-day activities. The good news is, the technology is going to be, in some ways, forced on the internal functions, because they’re going to become embedded as part of their day-to-day tools that they’re already used to using.

A common response to conveying the need to address these areas might be, “Well, we don’t have time. We have too many competing priorities.” But from what you said, an appropriate response might be, “This is an opportunity not only to improve your function but also engage your people in a challenging assignment to enable them to reach and give them some rewarding experiences.”

That’s 100% right. And we also see and hear, including through survey results, that there’s very strong support from executives and board members around upskilling, driving transformation efforts, pursuing innovation initiatives. Board-level and C-suite-level stakeholders are highly supportive and even have frankly heightened expectations around internal audit’s use and pursuit of the things we’ve been talking about. Elevating the challenge in finding capacity, time and space to pursue to the execs and to the audit committee is something we would strongly recommend. Put it on the agenda, have an open discussion around it, seek support in getting access to additional resources or reprioritising, and ensure that if it can’t be prioritised in the near term, that’s well understood and is mutually agreed on.

Andrew, let’s dig a little more into these areas of innovation and transformation. Our research indicates that evolving how the internal audit function coordinates and aligns with other assurance functions, and having an internal audit strategy that is better defined and aligned to the overall organisation, are the two top transformation priorities

for internal audit organisations over the coming year. These two priorities align very much with the broader objective to grow internal audit’s relevance, don’t they?

Yeah, and this links back to the risk-alignment item we’ve talked about, and ensuring that there’s a level of consistency in how activities are being communicated across the lifecycle, from risk identification and assessment — What risks are identified and prioritised? What rating systems are being used? How is the full body of knowledge of risk, knowledge of the organisation, being considered in individual project scopes? What’s been included and excluded? Why? Where is the coverage coming from? Is it coming from core internal audit activities, from activities of other assurance functions, so on and so forth — to even individual project reports and reports to executives and board members.

That risk alignment, that connectivity, that consistency across the assurance function is one of the ways in which we talk about getting better-aligned assurance. There are tons of opportunities to drive improvements around that and increase the alignment of internal activities with and for the overall organisation through improved communication.

You can have the best content in the world, but it’s not worth much if it can’t be communicated effectively. That rings true here. And aligned assurance is about fundamentally robust collaboration, coordination and communication. The strategic-alignment point is about having good processes to understand and then be responsive to the strategy of the broader organisation, key initiatives and evolving risks, and align the internal audit activities to those strategic priorities, key initiatives and evolving risks the organisation is focused on.

Angelo, let’s pivot back to the technology side of the equation. Andrew brought up a point earlier about board interest and engagement in these areas of innovation and transformation. Our study revealed an interesting finding: Board members and senior executives, 84% of them support acquiring or developing the necessary talent and skills related to next-gen-enabling technology capabilities in the internal audit function. Can you talk about the role technology tools play in building the internal audit function’s relevance with the board and with senior executives and with stakeholders throughout the organisation?

Technology now, more than ever, plays a key role in enhancing internal audit’s relevance with the board, senior executives, other stakeholders across the organisation. It does this in a number of ways. The most obvious is, you think of advanced analytics technologies like process mining, automation — they ultimately enable internal audit functions to be more efficient and effective, provide a lot more meaningful insights, data-driven insights. It helps reduce their manual effort so they’re more focused on the underlying risks, understanding the root cause of any types of issues.

In many ways technology is going to become more and more crucial. Internal audit can’t just be taking a sample-based approach when they’re evaluating a high-risk area. Ultimately, this technology is going to help drive more insightful, timely, accurate, comprehensive audits that hopefully are valued by the stakeholders you were mentioning. I was talking about individual audit activities, but a lot of these technologies also will help enhance the risk assessment process. That’s going to help allow audit to be focused on the areas of most strategic importance and highest risk facing the organisation.

We know internal audit departments have a budget. So at least now, with technologies like process mining or advanced analytics, as internal audit is building their audit plan for the year, they’re going to be focused on the most critical aspects of the organisation and, hopefully, those that are in alignment with the strategy or the barriers that could prevent that strategy from realising.

Andrew was talking about high-impact reporting and communication. As you could imagine, having access and understanding how to apply advanced visualisation techniques and reporting tools allow internal audit to present their findings in a more compelling way, in a more concise manner, and that’s very important.

Our attention spans, thanks to the way things are trending with social media, have only shortened. To the extent internal audit could summarise three key points on a one-pager, that’s going to be really well received by executives and the board. A lot of internal audit functions, their number one goal is to move to a mode of continuous auditing, continuous monitoring, and some of the next-gen technologies that we’re seeing are going to help allow and enable that.

That’s going to get internal audit to a position where we’re not just waiting for the audit in Q3 or Q4 to reveal opportunities for improvement, but rather, we have real-time reporting capabilities. Technology, in many ways, is crucial for internal audit teams to stay relevant, and the bar is only rising.

This has been a terrific discussion. Thank you both. A reminder for our audience: Our full research report, Achieving Audit Relevance, is available on the Protiviti website, and the link will be in the show notes as well.

I have a final question that I’ll have both of you answer, and it’s a big one: We can’t end our discussion without touching more on talent. There are so many eye-opening findings in our research. Top people-related concerns include the ability to recruit qualified candidates, retain people, upskill and train the team. On average, fewer than six in 10 internal audit functions have access to the talent they need across any of the 12 primary Next-Gen Internal Audit components.

Andrew, I’ll have you respond first: What does the current talent landscape look like in internal audit? And what do CAEs need to do to ensure that they have the necessary talent and skills to elevate their function’s relevance?

First, it would be hard for anyone to argue that talent isn’t a top priority. There’s no audit function — no business function, really — that can execute against their objectives without sufficient capacity and without the right capability. And internal audit is certainly not any exception. In fact, the extent to which internal audit is expected to develop and

have access to necessary talent is more acute than we see in many other business functions.

Just given the role they play within and for the organisation, expected to be able to go in and engage on a very broad range of topics, often at significant levels of depth, being able to keep up with the rapidly evolving and emerging set of risks and priority areas, being increasingly technology-savvy and data-savvy, complementing that with very strong soft skills around communication, project management, leadership capabilities and many more, there is a legitimate challenge.

Internal functions and leaders need to have a solid people and talent and upskilling strategy and tap into the legitimate interest and enthusiasm and desire for learning that exists in all of the teams that we see and interact with, because there is a tremendous interest and desire to learn more about all the topics that we’ve talked about and that are of focus for the internal audit function. Having a solid strategy around upskilling and learning and development is important.

Being focused on core and emerging risks areas such as fraud, cyber, ESG, AI, data governance, regulatory frameworks, compliance — those make up a large percentage of internal audit plans across industries. And the internal audit leaders and functions need the skills and experiences to match. They need to hire from increasingly varied backgrounds. That is something we strongly encourage as well to train team members in increasing breadth and depth of skills. That’s just a few areas that we’re seeing, that internal audit leaders are being are very focused on this and are acknowledging the need to continue to build capability, using techniques to do that.

Andrew, when you were mentioning diversifying internal audit’s talent acquisition strategy, sometimes I think of myself: I was a computer engineer, and I fell into the career of internal audit. And my educational background has caused me always to be interested in breaking things and putting them back together. CAEs should be thinking about diversifying the type of candidates that they’re looking for if they’re rotating in candidates from other departments, if the organisation has some type of data science

department or cybersecurity department, thinking about ways of introducing those types of resources, even if on a temporary basis, into the function, but also thinking about what schools the organisation might be recruiting from and the types of degrees that could help and enable the department.

Another method that I know we do internally within our firm, but I don’t necessarily always see most internal audit organisations do, is assessing skills and competencies and having a focus on doing that in a methodical manner. Too often, we make too many assumptions around what people should know versus what they actually know. Having some type of skills assessment process or making it a living process to take into account the evolving organisational context, emerging risks, advancements in technology — not only understanding where our skills are within the department but also where our interests are at.

It helps when you could align individuals to focus on areas that they’re passionate about and you’re not just pushing the same training agenda to everybody, but you’re establishing more targeted training programs that allow the team to upskill in areas that align with their interests. This could be a focus on technology like we were talking about earlier around analytics, process mining, AI, or it could cover various technology audit domains such as cybersecurity and the cloud, or it could cover different aspects of the business and the industry.

But ultimately, that is an area that needs a lot of focus. It requires the department to establish a learning culture and to devote the time toward that. We know, as internal audit professionals, we need to keep up with our CPE credits to maintain some of our certifications. And organisations that take this seriously do embrace a learning culture. They do allocate plenty of time throughout the year for folks to take training. Often, we’re called on to deliver training to various internal audit teams, so they’ll need to leverage external resources.

Being in internal audit is a fun place to be. You get to learn about a lot of different things, but ultimately, the organisation needs to allow for some of that learning as well.

My thanks to Andrew and Angelo for their informative and interesting insights into this whole area of achieving audit relevance. The takeaways for me: Concise, impactful communications are the name of the game, especially with a busy board and C-suite audience. Internal audit functions need to engage in the right technology tools starting today, and they need to build the right people and skills and talent in their organisation to enable that to happen. For more information, I encourage you to visit Protiviti’s website and read our full report Achieving Audit Relevance. And, as always, I encourage you to please subscribe to our Powerful Insights podcast series, and review us wherever you get your podcast content.