Crystal balls are notoriously cloudy. The details of the future — in internal auditing and every other professional discipline — make precise prognostication virtually impossible. That’s why some companies launch products that ultimately find no audience. And it’s why some entities are blindsided by new legal risks or regulatory challenges. Indeed, predicting what any profession will look like in the future can be a dicey proposition.
But if the right group of experts is assembled, trends emerge from even the murkiest of crystals. And when the best minds in internal audit recently discussed how their profession will change in the next 12 months, a common theme of increased analytics use in all areas of internal audit, and in most areas of the enterprise, came to light. Staffing may be different next year, too, and the mix of skill sets at your morning strategy sessions may change. As well, stakeholder expectations will probably continue in the same direction they’ve been headed lately — up — and auditors will likely hew more and more to the Three Lines of Defense model. If predictions bear out, the coming year could be one of significant progress and change for the profession.
Analytics Takes Hold
But perhaps the biggest operational change internal auditors will likely face in the next four quarters is major movement forward in the way risks are identified, as many departments are in various stages of implementing data analytics and predictive modeling to mine the past for clues to the future. It’s a discipline that’s revolutionized other departments in many organizations, and internal audit is ripe for a radical process restructuring that better uses IT to do the heavy lifting.
“Appropriately, the emphasis has continued to be on internal audit departments’ ability to expand their data analytics capabilities,” says Harold Silverman, vice president, Internal Audit, at The Wendy’s Co. in Dublin, Ohio. And internal auditors aren’t the only ones developing that skill set in most organizations. “Analytics is being used in the first and second lines of defense as well,” he says, “and I see a growing role for internal auditors in auditing the use of these tools by other functions in the organization.” In The IIA’s Three Lines of Defense model, management control is the first line of defense in risk management, the various risk control and compliance oversight functions established by management are the second, and independent assurance is the third (see “Three Lines of Defense” below.)
The Three Lines of Defense
More internal audit departments than ever will hew to the Three Lines of Defense model next year, van Wyk predicts. “I believe we will, over the next year, see coordination among all the lines of defense as the maturity of an organization’s risk management processes synchronizes with the second and third lines of defense,” he says. “This whole concept is getting good airtime from executive management, and this now translates to a good understanding by executive management and the board of what internal audit’s role is in the assurance arena, and how it provides relevant assurance over key risks.”
Internal audit can do its part to help facilitate better coordination across the three lines by obtaining agreement among the parties on the roles and responsibilities of the second and third lines; by leveraging the results of each line; by fostering ongoing interaction and coordination between the second and third lines; and by modifying internal audit plans routinely in response to new risk. “This is not an end process,” van Wyk says. “Rather, with enhanced coordination among the lines of defense, benefits will result for the organization’s stakeholders and will result in a much stronger risk and control environment.”
van Wyk adds that internal auditors will need to show courage in challenging all the lines of defense to think more holistically about key risks. “They’ll need to assist in adopting a different mind-set around opportunities presented by risk, as much as the threats,” he says.
That scenario fits well with the general push to maximize the internal audit resource. “Internal audit is always under pressure to do more with less,” says Larry Harrington, vice president, Internal Audit, at Raytheon Co. in Waltham, Mass., “and you will see greater use of data analytics to increase audit coverage without increasing costs. You will also see internal audit leverage more work from the second line of defense.”
Internal audit is criticized by some for looking backward, not forward, he adds, so some organizations will take the next step and turn data analytics into predictive analytics. “Many departments are early on the maturity curve with respect to data analytics,” he says, “so few internal audit departments will be doing predictive modeling in 2015, but you will see the profession moving in this direction, albeit slowly.”
Charlotta Hjelm, CAE at Svenska Kraftnät, an electricity and natural gas public utility based in Sundbyberg, Sweden, agrees. “The tools for data analytics are more available today — and I think it will be integrated in internal audit and in our organizations.” As for predictive modeling, Hjelm says if it entails high-level, strategic scenario analysis, meaning internal audit would work very closely with the C-suite and the board to help predict different outcomes, then she can see this as part of internal audit’s future as well.
For medium and small companies, says Frank O’Brien, vice president for Internal Audit, Business Ethics, and Integrity at Olin Corp., based in East Alton, Ill., resources can be scarce, and finding people to perform data analytics can be difficult. His internal audit shop is making an effort to work some analytics into its workflow, he adds, but outsourcing can get expensive. “If the benefit would catch up with the cost, I would love to do some predictive analytics, but I don’t have the capability — and I don’t know anyone who does.” That presents an opportunity for internal audit staffers of tomorrow.
“Companies are going to need the capability to analyze data and predict trends, and someone who can do that can make a ton of money,” O’Brien says. “If you’re forward-looking and 22 years old, you might think about that.”
However it’s applied, data analytics could well impact internal audit department head counts next year, Hjelm says. Many departments will, before hiring more people, use consultants, or build more automation and data analytics into their processes, she predicts (see “Audit Automation” below).
That will be especially true at larger organizations with a great deal of data at their disposal, according to O’Brien. “I can’t hire somebody who does data analytics full time,” he says. “If you have 100 auditors all over the world, you might have two or three doing analytics. But if I dedicate one person to that, it gives too much weight to that area.”
Internal audit shops that don’t have a global presence may also see some additional funding for internal auditors to conduct data analytics, agrees J. Michael Peppers, CAE at the Austin-based University of Texas System. “Many of my colleagues in the public sector report a stable budget position as it relates to headcount,” he reports, “but an increase in support for acquiring specialized audit resources when it is appropriate.” In the university setting, he notes, these resources include IT, forensics, and construction contract compliance. As well, he says, “I’m now seeing uses such as data analytics design and reporting and, in health care, areas such as coding and patient billing.”
Silverman sees internal audit department head counts expanding — in shops that know what they’re doing. “Departments that don’t add value will be expected to get their work done with fewer resources,” he says. “Departments that recognize stakeholder needs and add value will continue to be competitive in adding resources.”
The increasing emphasis on data analytics that many observers point to won’t happen without an underlying emphasis on automation in general. Hence, the automation of internal audit processes could change next year as business process automation throughout the enterprise increases. “Even if internal audit could support automation,” Charlotta Hjelm notes, “process automation should stem from within the business, not internal audit.”
Harold Silverman sees automation in all aspects of business continuing to expand, and notes that internal audit departments needn’t worry about being replaced by machines. “Best-in-class departments will be able to use the tools and techniques available,” he foresees, “but not lose the human side of performing an audit.”
New technology brings new risks, though; internal auditors expect a heightened focus on fraud risk as more internal audit processes occur digitally. “We are moving toward a more automation-driven environment,” Sonia Thomas notes.
O’Brien agrees. “It depends on the maturity of the internal audit function in your organization,” he says. “If your organization is just now recognizing the need, internal audit resources and head count may rise.” That happened after the financial crises in 2001 and 2008, he notes, when hiring in internal audit departments spiked, then leveled off.
Other factors will affect next year’s staffing levels as well. Hjelm notes, for example, that she expects internal audit budgets in Scandinavia to stay relatively stable, except for the bank and insurance companies, which are expected to increase their budgets because of “more stern legislator demands.” As well, Harrington points out, even if internal audit budgets increase with inflation only, “the best internal auditors are in huge demand, so there will be upward pressure on salaries.”
Anton van Wyk, partner at Pricewaterhouse Coopers LLP in Sunninghill, South Africa, sees the need for CAEs to hone their negotiation skills to provide a more informed, confident voice at the budget table. Increased demands on internal audit’s time in giving a broader assurance view — as well in ensuring stakeholder expectations are met in a rapidly changing world — demand better, relevant skills, he explains, and that costs money. “CAEs need to seek more funding,” he says, “but they will have to be prepared to answer difficult questions.”
Indeed, while some observers say head counts and operating budgets in internal audit departments likely won’t rise much in 2015, the skills mix might change considerably. More internal auditors will come from nontraditional backgrounds, such as engineering, supply chain, and contracts, Harrington predicts, and that diversification will strengthen the overall business acumen of the department. “Internal auditors will also further strengthen their analytical and critical thinking skills, their information technology skills, and their data analytics, risk management, and communication skills,” he says. “They’ll learn the value of branding and work to enhance their brand throughout the organization.”
Sonia Thomas, director, Internal Audit, at First Command Financial Planning in Fort Worth, Texas, also sees internal auditor skill sets evolving next year. “I think we have started branching out from the normal ‘accountants,’” she says. “I tend to find that psychologists, engineers, and management majors make good auditors. They are people ‘readers,’ detail-oriented and organized, and have certain social skills that are characteristics of good auditors.” She adds that whatever these individuals may be lacking in one skill, she can teach them with the right amount of attention, direction, and motivation.
Audit leaders will likely want to give careful consideration to skill resources, as internal audit departments will almost certainly face rising stakeholder expectations next year — if only because there’s more for internal audit to do. “As industry changes, expectations will rise,” Thomas comments. “Firms expect internal audit to be one step ahead of the curve and knowledgeable to mitigate various risks. It will be more demanding: increased reporting and additional involvement in emerging risks.”
“More” is the operative word, Peppers agrees. “More than ever, I hear of stakeholders challenging their chief audit executives to expand from the role of value protection to that of value enhancement,” he says. “My use of ‘expand from’ rather than ‘move from’ is intentional. We can’t abandon our responsibility to provide the core assurance services we have historically delivered.”
O’Brien adds that while companies aren’t explicitly saying they want more from internal audit, they do expect auditors to provide assurance on new and emerging risks.
“In other words,” he says, “management won’t be asking internal audit to do more than what it’s doing. Management will simply want internal audit to do what they pay us to do — assess risks and make sure they’re managed.”