On Oct. 20, Compliance Week and auditing firm Crowe Horwath hosted an editorial roundtable on the future of internal auditing at the Ritz-Carlton Central Park Hotel in New York City. The forum was moderated by Compliance Week Editor-in-Chief Matt Kelly, and featured Crowe Horwath partner Jonathan Marks, who heads the firm’s fraud and ethics practice. The article below explores some of the issues discussed.

Without question, the internal auditing function is experiencing profound transformation these days. But transforming into what still seems a mystery.

At a recent Compliance Week editorial roundtable sponsored by Crowe Horwath, we gathered a dozen internal audit executives from large companies across a span of industries to ask how they are helping their businesses get a stronger grip on risk. Yes, they all said, top management does want (and need) help with risk management … but perfecting internal audit’s role in that strategic challenge is still more art than science.

THE PANELISTS

The following executives participated in the Oct. 20 roundtable exploring the future of internal auditing.

Jonathan Marks, Partner, Crowe Horwath

Kelly Browne, VP, Internal Audit, Prudential Financial, Inc.

David Camputo, SVP, Chief Audit Executive, Endurance Specialty Holdings

Sandra Cartie, Chief Audit Executive, Bristol-Myers Squibb Co.

Robert Crook, VP, Internal Audit, Loews Corporation

Glenn Cusano, VP, Audit and Process Effectiveness, JetBlue Airways

Debbie Fogel Monnissen, General Auditor, MasterCard Incorporated

Neil Frieser, VP, Internal Audit, Frontier Communications

Jane Hurd, VP, Audit Services-Corporate, K. Hovnanian Homes

Timothy Koob, Manager, Global Projects, DuPont

Donna Passal, VP, Internal Audit, The Children’s Place

Bob Pemberton, General Auditor, IBM Corporation

Carmelo Seguinot, VP, Corporate Audit, Arrow Electronics Inc.

Timothy Koob, head of audit and compliance at DuPont, sounded a common theme. His department works with various others in DuPont to help the manufacturing giant diagnose its risks. “By partnering with the corporate risk owners, we work to design our audits to review key elements to the risk management plan,” he said.

But that cooperation doesn’t mean the task is easy. The challenge, Koob said, is “how to take a risk area and make it into an auditable event.”

Without question, roundtable participants said, boards of directors do now see their responsibility in terms of managing risk rather than just checking up on senior executives. And almost universally, boards and CEOs are drafting their internal audit functions to help with enterprise risk management. But what internal auditors are doing to help with risk management varies widely.

At telecom company Frontier Communications, for example, no single “chief risk officer” exists. Instead, Neil Frieser, vice president of internal audit, works with the chief financial officer to administer Frontier’s ERM process. The two present an annual risk assessment to the board, plus another assessment in the course of the year to review how well management is mitigating risk.

“We present to the audit committee and board on ERM, and we use ERM as one of the key inputs to our annual audit plan process,” Frieser says.

One question for companies just starting to tackle enterprise risk management is whether to place responsibility for risk oversight with the full board, the audit committee, or some dedicated “risk committee.” Roundtable attendees saw pros and cons to each idea. Some worried that audit committees have enough work as it is; others said assigning risk management to a separate risk committee might leave other board directors unaware of the company’s full risk profile.

Donna Passal, head of internal audit at retailer The Children’s Place (which is just starting an ERM effort), took the view that ERM oversight should belong to the entire board. Likewise, Frieser says that historically the audit committee has taken point on risk management at Frontier, “but it is now a consistent topic on the board agenda.”

Even companies with mature ERM programs are still adjusting their approach. Bristol Myers Squibb recently shifted from a bottom-up risk assessment process to a more “top-down, shareholder based approach, focusing on the risks that could have the highest impact to shareholder value,” said Chief Audit Executive Sandra Cartie.

How does it work? Bristol Myers’ audit services group (which Cartie directs) is responsible for risk management awareness, implementing the ERM infrastructure and leading regular discussions with business units to ensure that key risks are included on the company’s ERM heat map. Each of those risks is “owned” by a member of Bristol Myers’ management council, and that person is responsible for overseeing and monitoring the ERM strategy and infrastructure for that risk.

Another major chore for internal auditors these days is simply identifying those key risks the company must manage.

David Camputo, head of internal audit at reinsurer Endurance Specialty Holdings, says that is his team’s current project. To do that, and as part of Endurance’s risk-assessment process, Camputo says the company is conducting focus groups and surveys asking employees about their own key risks and plans—and then comparing those answers to a list of key risks top management has already drawn up.

Crowe Horwath’s Jonathan Marks, head of the firm’s fraud and ethics practice and co-host of the roundtable, warned that a full-bore “boil the ocean” approach to risk won’t work.

“When we talk about ERM, we’re talking about the one risk—either alone or that can create a domino effect—that will shut you down,” he said. “It’s the black swan or the impact of the highly improbable. That’s what companies have to manage to.”

Marks said corporate culture is the driving force behind how effectively an ERM program will work. “Corporate governance, specifically communication and trust, help keep everything glued together,” he says.

The Nuts and Bolts

Many roundtable attendees said they are focusing on how technology can help them achieve broader coverage in their audits. At K. Hovnanian Homes, the internal audit team is only doing risk-based audits, “and we’re using automated tools to get to continuous auditing and continuous monitoring,” said Jane Hurd, vice president of audit services.

Likewise, Cartie said Bristol Myers Squibb has seen success using data analytic tools in its audits. “One of our strategies is to use data analytic tools to audit low-risk transactions, obtaining 100 percent coverage of the population, and redeploying people to the high-risk areas,” she explained.

Neil Frieser of Frontier Communications explains his company’s approach to risk management.

Carmelo Seguinot of Arrow Electronics offers his thoughts; at right is Sandra Cartie of Bristol-Myers Squibb.

Robert Crook of Loews Corp. states his views. At left are Timothy Koob of DuPont and Robert Pemberton of IBM; at right is Debbie Fogel Monnissen of MasterCard.

For certain types of activity, Cartie said, Bristol Myers has been able to audit 100 percent of its North American transactions. What’s next? Implementing continuous controls auditing and monitoring, so her team can cut back on travel, she said.

At the same time, some attendees said they are also taking stock of their department’s talent, to make sure they have the right auditors doing the right jobs.

“Performing a skills profile review is one of my top priorities,” said Bob Pemberton, who was named general auditor at IBM Corp. only in August. “We do have a strong skill set today, but there are always gap areas that need to be addressed.” Big Blue’s internal audit function is mainly organized by geography, he said, but it also has specialized teams dedicated to IT infrastructure and applications. “That’s an area where we’re always chasing to get fresh skills.”

Pemberton and others said they also worry about language skills, to keep pace with business operations in overseas locations.

Echoing Pemberton’s concern, Marks said a “skills capability assessment” is a critical first step toward transforming an internal audit department into a more risk-centric one.

Roundtable participants also said they are considering the idea of upgrading their departments’ expertise, possibly by bringing in subject-matter experts from the outside.

“So many of these risk areas … are judgmental—things that are more art than science,” one executive noted. “Finding the right expertise, whether it’s co-sourced or in-house, to be able to appropriately gauge the effectiveness of local risk management is a struggle.”

And one last question some pondered: If internal audit departments do end up playing a greater role in shaping a company’s ERM program, and then later audit that program’s effectiveness—does that create a conflict of interest? Nobody was quite sure.

“If the audit team owns too much, it compromises their ability to evaluate that process,” one executive said. “We think about it in terms of lines of defense. Management is the first line of defense; ERM and other risk-based processes are the second line of defense. Audit is the third.”