Today’s business environment is unfamiliar terrain for many. Companies are expanding into new markets, making acquisitions, forming joint ventures, radically innovating their product and service portfolios, and entering new sectors. In total, nearly 70 percent of companies have gone through, or are going through, a business transformation in response to market shifts, according to PricewaterhouseCoopers’ (PwC’s) 2015 State of the Internal Audit Profession study. Another 12 percent anticipate doing so in the next 18 to 24 months. With such dramatic business transformation underway, companies inherently face new and more complex risks.
In periods of transformation, it is critical for the internal audit function to remain relevant and risk focused by concentrating on the right risks at the optimal time in the process. Internal audit can execute against that mandate through proactive involvement in strategic initiatives.
Setting Itself Apart
At those organizations where senior management and the board see internal audit departments as contributing significant value to their companies, internal audit is more often involved in the most important business initiatives. In fact, according to the PwC report, these internal audit functions are involved in transformational initiatives up to twice as frequently as their peers. Among those functions viewed as contributing significant value to the business, many are involved in key areas, ranging from the implementation of new privacy and security strategies, to cost-reduction initiatives and new product and service development.
There is a clear correlation between stakeholder perception of value and proactive involvement from internal audit on strategic initiatives. As such, nearly half of highly valued internal audit functions are providing that proactive perspective compared to 19 percent of less-valued internal audit functions.
This does not mean that internal audit is providing input on what the strategic initiatives should be. Rather, internal audit is proactive in providing input on risks related to critical company initiatives and in advising on processes, governance, and controls ahead of the risks’ occurrences.
Areas in which more than half of highly valued functions are “ahead of the risk” (or providing a proactive perspective on risks that arise from strategic initiatives) include innovation, marketing and sales strategies, increases in risk management and compliance investments, changes in technology, geographic expansion, and even the overall business model, itself. The same correlation is evident at the other end of the value spectrum, with those functions not adding as much value more often involved reactively in initiatives — by auditing processes and controls after risk occurrence.
As leading internal audit functions align more closely with the strategic direction of the company and provide proactive perspectives on risk, stakeholders quickly realize that the value internal audit brings is measured by the risks that are identified, discussed, and effectively mitigated or accepted while moving the organization forward — or by the speed at which decisions can be made with a more holistic understanding of risk — rather than the number of audit reports issued or findings identified.
Proactive advice can present in many forms. Through close involvement, internal audit has a constant presence within the business. If an audit plan is in place, it should be flexible and constantly evolving, depending on the risks facing the organization. Advice doesn’t necessarily have to emerge in the form of an audit, and communication doesn’t necessarily have to appear in a traditional audit report. Highly valued internal audit functions are consistently taking four steps to ensure their involvement:
- Participating regularly in strategic planning discussions with company executives to keep internal audit’s efforts aligned with the direction of the business and to prompt pertinent risk discussions early on. Organizational goals are actively changing, and regular participation in strategic planning discussions helps internal audit provide proactive guidance on new initiatives, as well as plan how it will deliver future value to the organization.
- Aligning internal audit teams the way the business is structured to gain a better understanding of the business and foster deeper relationships within the organization. Internal audit may be aligned to business segments or to functional groups, or, in some organizations, have a matrixed organization where auditors align to both a line of business and a functional unit. As a consistent point of contact for the business, auditors build relationships and establish an open communication channel through which they build business acumen and provide advice on risks on an ongoing versus periodic basis.
- Harmonizing more closely with other risk and compliance management functions to ensure one common focus on risk, particularly risks related to the strategic direction of the company. Better alignment can result in less risk management fatigue among participants — reducing the potential for having the same groups audited repeatedly. It can also result in enhanced efficiency — the lines of defense have better visibility into the information produced by the other lines, and as a result are better able to leverage their work.
- Building stakeholder support from the top. Internal audit’s involvement in strategic initiatives is driven by support from chief executives and the audit committee, arising from the consistent value derived from internal audit’s involvement. Value delivery results in stakeholder support, which results in even greater opportunity to deliver value. To initiate this cycle, internal audit looks for opportunities to go above expectations and engage with the business in innovative new ways. When internal audit and its stakeholders work together to determine how and where internal audit should be contributing, it can result in not only better alignment to the overall business objectives and direction, but also efficiency and greater value derived from internal audit deliverables.
The Right Talent
It is clear that to consistently add value and execute on the strategy of aligning the internal audit function to the business and to the business’s strategic initiatives, the function must comprise resources with deep business acumen and both industry and technical skills. Without a foundation built on the right talent, the function is limited to executing only up to its existing capabilities — not striving to deliver the value it should. Top performing talent enables internal audit to focus on the risks associated with the strategic direction of the business so it is sought out as a major participant in the business’ strategic initiatives.
Build a Roadmap
Even though most internal audit functions have identified the need to evolve their departments in some way — by managing new risks, adding new skills, collaborating with other risk functions, and applying technology — few have a plan in place to attain those objectives. Without such a plan, it’s difficult to stay clear on internal audit’s vision and mission and take the necessary steps to evolve the function. Internal audit should begin with a roadmap.
Internal audit can move toward more proactive involvement in strategic initiatives today. Concurrently, it can initiate a strategic planning process that advances its capabilities in alignment with broader business imperatives. Internal audit then has a roadmap from which it can develop talent, drive better alignment, invest in technology, and deliver even greater value.
|Strategically Aligned Audit Functions|
Internal audit functions are innovating and aligning with critical business strategies in diverse ways. Departments are adapting to the changing risk environment to remain valuable contributors to the business.
- At a financial institution, involvement in strategic initiatives goes hand-in-hand with working across lines of defense. Internal audit meets regularly with risk management, compliance, and other second-line-of-defense leaders to discuss work being performed, synergies that may be accomplished, and where they can better align. In collaboration with enterprise risk management (ERM), internal audit follows the ERM framework and assesses emerging risks for the organization. As ERM identifies risks, internal audit is part of the evaluation process and can provide input about other potential emerging or key risks to the organization.
- At a financial services company, internal audit has purview over all key initiatives but is not actively involved in every one of them. Internal audit rates the risks associated with initiatives and engages more deeply in those with the highest residual risk. Internal audit reviews project plans and milestones, reports to management and the audit committee, and provides an independent perspective on the status of the key initiatives and the risk profile as they progress.
- One health industries organization is significantly increasing its use of outsourcing to third parties for cost management and progressively entering into growth-focused joint initiatives. As those programs launch, internal audit becomes engaged early in each process. For example, because intellectual property is shared between companies in the joint initiatives, internal audit assesses the third party’s processes and controls for their levels of data security and privacy. As the number of such programs increases, internal audit reallocates its resources and shifts its skill sets to monitor the new risks associated with those relationships.
- Internal audit’s involvement in major initiatives at a retail and consumer organization starts with meeting with the strategic initiative owners and facilitating working sessions focused on possible new risks embedded in each initiative. The focus in these sessions is on identifying risks that could significantly affect the company and on defining specific mitigating strategies. Once the business has determined the metrics that will define both the success of the initiative and the management of the risks, the metrics get evaluated by internal audit and then monitored quarterly.
- Proactive involvement depends on internal audit’s awareness of initiatives and engagement with stakeholders. To accomplish that, the internal audit function of one technology company follows a matrix organization structure with resources aligned by product and business process. That specialty enables the internal audit team leads to foster deep relationships with the product teams, keep active vigilance on the business, and more effectively understand and identify new and emerging risks.