Once upon a time, internal audit departments were busy enough with reviewing financial statements and Sarbanes-Oxley compliance. But as company risks have exploded in recent years, the modern audit department has had to reconfigure its skills and priorities to match.
Today's internal audit department is—or at least, should be—focusing far more on the top risks and strategic objectives of the organization and assuring the audit plan is carefully aligned with those risks and objectives, says Richard Chambers, president and CEO of the Institute of Internal Auditors. “The modern audit function has a keen understanding of the risks in an organization and how to craft a program of audit coverage that addresses those risks while simultaneously meeting the expressed needs of stakeholders,” he says.
To meet that standard, internal auditors need to have a much greater understanding of how the business works, Chambers says. That's a stark departure from the audit function of 2004 or 2006, when audit departments kept plenty busy confirming financial statements and rooting out weaknesses in internal controls over financial reporting. “Today internal audit needs to understand not only how to count the beans, but they need to know how those beans are grown, harvested, and processed,” he says.
Little surprise, then, that as audit table risks have exploded (corruption, privacy, regulatory, reputation, and more), internal auditors now need to develop deeper relationships with executives in the company who are closer to those risks.
“I tell chief audit executives they need to change the way they are facing their stakeholders,” says Bill Watts, a partner with the risk consulting group at audit firm Crowe Horwath. “We see it as a 360 approach—managing outward across the entire organization,” he says. “It means walking more slowly through the halls, and listening to and understanding what others are doing.”
Developing those relationships with various stakeholders could mean more informal interactions, such as meeting over coffee, says Warren Stippich, a partner with Grant Thornton and national leader of the firm's practice on governance, risk, and compliance. “Beyond the formal reporting mechanisms, internal auditors should be able to catch up periodically with the CFO or the audit committee chairman in a more informal setting,” he says. “In those casual conversations, when someone is not on guard or not in defense mode, the discussion flows.”
Denny Beran, director of audit for retailer J.C. Penney, says audit executives must assure that the various stakeholder groups in the company (senior management, line management, the board) view the audit department as experts on risk and control. “We need to be catalysts to assure the organization has an effective risk-management process in place,” he says. “What are the top risks that we are most concerned with, that could derail us from meeting our business objectives?”
At Ontario-based power company Hydro One, Chief Risk Officer John Fraser says he reaches out to the top 10 to 12 executives at least annually to get their assessment of top risks, then focuses the audit plan on those areas. He needs to question at least that many key people to get a full view of the risks, Fraser says. “So when you go forward with the audit plan, it has the leadership team's engagement and acceptance,” he says. “That's different from the old days when you just put together your own plan.”
“Today internal audit needs to understand not only how to count the beans, but they need to know how those beans are grown, harvested, and processed.”
—Richard Chambers,
President and CEO,
Institute of Internal Auditors
Internal auditors are taking a seat at the table more often to discuss risks and objectives, says Brian Gregory, president and senior managing director for CBIZ Risk & Advisory Services. That elevated role enables internal auditors to become more proactive in meeting objectives, he says. As an example, “If a company has a goal to increase EBITDA by 5 to 10 percent, internal audit can go out to the business units and ask what we can look for to help achieve that objective,” he says.
In addition to engaging more with stakeholders and focusing on risks, modern internal audit departments are making greater use of the latest technology, experts say—including continuous auditing and continuous monitoring, which had been more theoretical than practical in the 2000s. “Monitoring tools and exception reports can home in on key areas that need focus,” Beran says. “The days of small samples of 100 items are past us. Auditors need to look at the total population and look for anomalies in the data.”
Targeting Technology
Stippich agrees, but says that internal auditors could make much greater use of technology than they do currently. “The modern internal audit function is going to cover a lot more area with a lot less effort by using technology,” he says. “Right now it gets a lot of lip service but I don't think it's used as effectively as it could be.” Internal auditors can do much more with data analytics, he says, such as using a continuous monitoring approach to the company's enterprise resource planning system.
Better use of technology would let auditors monitor key areas of focus on a more routine basis, perhaps even daily, Stippich says. As an example, auditors could use technology to track and flag any receipts that produce negative margins or credit limits that have been exceeded. Those are potential red flags that something could be amiss, he says.
Another important element of building a modern internal audit function is to acquire the right talent, Chambers says. Many internal audit departments already are fishing for operational experience more than traditional audit skills to achieve broader, deeper audit coverage, he says. Some find that expertise not only through hiring, but also through co-sourcing or sub-contracting arrangements with other departments. “The risks are so dynamic and so diverse, it may not be practical for an internal audit function to be fully staffed with all the skills it needs,” he says.
To keep up with the increased demands of the function, some audit executives are seeking the support of their peers. John Barresi, vice president of internal audit and financial controls for Tiffany & Co., says he stays abreast of emerging issues outside the company by engaging in peer networking. “I get a lot of value out of meeting and discussing with my peers what they're doing or seeing or responding to,” he says. It's especially helpful to stay on top of emerging issues like data privacy or data protection laws in other countries, he says.
No comments yet