When Apple launched the iPhone back in 2007, major players in the sector failed to respond. Less than a decade later, former market leader Blackberry has all but disappeared and the iPhone — together with another competitor that joined the fray shortly after Apple, Google's Android — commands more than 96 percent of the global market.
That is just one example of how fast revolutions in the business landscape can occur today. If organizations are not thinking ahead, the risks are huge. If they are thinking ahead, the opportunities can be grasped at unprecedented speed.
There is no doubt that internal auditors are ideally positioned to play a leading role in the success of their organization. They have a unique understanding of how business goals and strategic objectives interact with potential risks across the entire enterprise. Communicating that perspective to the board and having the resources and skills to manage the organization's response to such risk is of critical value.
However, the results of the CBOK 2015 Global Internal Audit Practitioner Survey suggest internal auditors are in danger of not grasping and acting on this key insight in a timely way — in short, they risk losing their leadership position and surrendering it to others.
Driving Success in a Changing World: 10 Imperatives for Internal Audit, which is based on the findings of the CBOK survey, offers key insights to internal auditors on the opportunities and pitfalls for their role in today's fast-paced world. It shows that to thrive, auditors must play a leading role in their organizations, beat the gap in expectations that has arisen between some departments and their stakeholders, and invest in excellence (see "10 Imperatives for Internal Audit").
Play a Leading Role
To play a leading role in the success of their organization, internal auditors must anticipate the requirements of stakeholders. Occupying this position requires auditors to improve communication channels with stakeholders, particularly consulting with them during the annual audit planning and the evaluation of audit's work.
10 Imperatives for Internal Audit
Group 1: Play a Leading Role
- Anticipate the needs of stakeholders
- Develop forward-looking risk management practices
- Continually inform the board and audit committee
- Be courageous
Group 2: Beat the Expectations Gap
- Support the business' objectives
- Identify, monitor, and deal with emerging technology risks
- Enhance audit findings by greater use of data analytics
- Go beyond The IIA's Standards
Group 3: Invest in Excellence
- Invest in Yourself
- Recruit, motivate, and retain great team members
When auditors fail to engage key stakeholders in their annual audit planning, conflicting expectations arise. Only 56 percent of CAEs say they consult their audit committee, for example, in such auditing planning; only one in three compare audit outcomes against specific expectations agreed with stakeholders. If internal auditors are not measuring the success of their work against the known needs of their stakeholders, how can they be sure that work is relevant and effective?
As well as being in tune with stakeholders, auditors must assess the likely impact of possible future events — including their second- and third-order consequences — on their organization's strategies and operations. Assuring the board that the organization is able to deal with fast-moving emerging risks requires an understanding of the strategic, business, legal, and compliance risks of the organization; in-depth knowledge of the business; and high levels of competence in technology tools. To many, this expertise in risk management is a new competency to master, but to stakeholders, it is the new price of entry for the qualified CAE.
Auditors with these skills are uniquely placed to provide such assurance. As Theresa Grafenstine, inspector general, U.S. House of Representatives, Washington D.C., says in the 10 Imperatives report: "While executive managers understand what is important to their departments individually, internal audit should have the overarching view of things and understand corporately what the big risks are to the entire organization."
Auditors must also help inform the board of upcoming risks and have the courage to present stakeholders with the unvarnished truth about the organization's shortcomings and how they can be addressed. Pressure to water down findings can be intense. Almost three in 10 (29 percent) of CAEs say they have experienced a situation where they were directed to suppress, or significantly modify, a valid internal audit finding or report. But to gain the right level of credibility across the business, auditors must follow through threats of escalation and have the courage to speak the truth.
Beat the Expectations Gap
Amazingly, only 55 percent of overall respondents to the CBOK survey say their internal audit department is either fully, or mostly, aligned with the strategic plan of their business. This disengagement with the business is a major factor in explaining why so many stakeholders rate the internal audit function's performance lower than CAEs do. Auditors need to ask how strategically misaligned departments can deliver and unambiguously demonstrate the value their work provides.
If audit work is to be seen as critically important to boards and management, it must be directly relevant to those strategic goals. Every audit report should explicitly identify the relevant strategic objectives that it seeks to address and conclude whether risk management controls exist and are effective.
One area where the expectations gap is most evident is the disconnect between the board's perception of IT risk and how the issue is dealt with by audit departments. Global businesses say digital technologies are the No. 1 evolving risk — especially cyberrisk and social media. But the number of departments that say they spend extensive time on these audits is low (see "Cybersecurity and Social Media Auditing"). Even if internal audit departments are world-class by most standards, they need to audit such areas at the right time — preferably before problems arise.
In many cases, auditors say they do not have the technical training or analytic skills to tackle these issues. For example, only 55 percent of auditors consider themselves to be advanced or expert-level in data mining — a key area where they can share skills with the business to both improve management's ability to monitor its own risks and help audit move into a more strategic role. Those auditors who offer to share skills are usually pushing at an open door.
But when it comes to developing cyberskills, only 14 percent of CAEs say they are recruiting or building skills in this area — despite the fact that over the next two to three years, those same respondents expect audit activity in cybersecurity to increase by 74 percent. Without a better understanding of how cyberrisk could affect the business and how that risk is changing daily, internal audit departments could struggle to remain relevant in this area. In fact, cybersecurity is so important and changing so quickly that if the CAEs do not have the skills within their organizations, they should strongly consider co-sourcing.
Although using The IIA's International Standards for the Professional Practice of Internal Auditing (Standards) is an excellent way of assuring the board that the audit department is serving the organization well, only just over half of CAEs say their organization follows them in full. This is also a missed opportunity.
As Gabriel Benavides Ramirez, director of internal control and anti-corruption auditing, General Audit Office of Mexico City, explains in the 10 Imperatives report: "The chief audit executive can use the Standards to inform the Board of its responsibilities and to paint a holistic picture of the business and the risks it is facing. The Board can be confident in internal audit's objective insights into the business because the Standards provide a specialized and systematic approach to providing such assurance."
Invest in Excellence
There has never been a better time to be an internal auditor, but to reap the full rewards, individuals need to invest in their own development. Unfortunately, the CBOK global survey shows that 53 percent of internal audit training programs offered by employers are poorly structured or delivered on an ad hoc basis. And while internal auditors in these organizations cannot rely on their employers for training, complacency among many individuals for keeping abreast of global developments and acquiring new skills is commonplace. The majority of auditors spend only between 21 and 40 hours a year on training — the same as 10 years ago — according to the global survey. It is hard to believe that amount of time is adequate for internal auditors to keep abreast of global developments and remain relevant to their organizations.
It is no wonder highly skilled individuals are at a premium. Financial and personal returns on self-investment are soon rewarded. Developing so-called soft skills is an obvious way to get ahead. That is because while most training programs score well on providing internal audit skills, other business-critical skills lag behind (see "What Is Included in the Training Program for Internal Audit?")
CAEs need to act as role models and ensure their departments recruit, motivate, and retain great team members. They need to cast their net wider to develop teams comprising people able to understand and anticipate the rapidly changing business environment. That will entail ensuring greater diversity in the backgrounds and capabilities of team members.
The lessons from the business world — from companies such as Apple and BlackBerry — teach us that the rewards and risks have never been more greatly opposed. It is hard to be mediocre and survive. If internal auditors are to play a leading role in today's world, they need to step up to the plate now.