The world in which we live and work continues to change at an accelerating pace. As it changes, CAEs need to constantly ask whether they should make changes to their practices. The fact that something has been seen as successful in the past, even when stakeholders applaud the value it has contributed, does not mean complacency should follow.
According to KPMG’s 2015 Global Audit Committee Survey, only 40 percent of audit committee members are satisfied that internal audit delivers the value to the company it should, down from 45 percent in 2014. Another 38 percent are somewhat satisfied. Moreover, a member of multiple boards in New Zealand wrote in an August 2015 blog post about his experience with internal audit functions, saying internal audit was focusing only on compliance and financial reporting, and that, “Almost all of [internal audit] findings are mundane operational compliance issues.”
Leading CAEs are adapting their practices and making contributions to the understanding of emerging and strategic risks; they also have a very broad remit from their audit committee. When it comes to internal audit providing more value to the organization it serves, each CAE and his or her stakeholders need to decide what is needed for their organization — for some, an overhaul may be in the cards.
Enterprise Risk-Based Auditing
In recent years, internal audit has moved from the traditional risk-based approach of building audit plans to address risks in processes and at locations (risks that matter to operating management) to auditing the critical risks to the organization referenced by KPMG (those that matter to the board and top management) — enterprise risk-based auditing. This has meant leveraging the organization’s risk assessment (assuming management has an acceptable risk management system in place) to 1) understand the organization’s goals, objectives, and strategies for achieving them; 2) understand the related risks; and 3) provide assurance and advisory services that help the organization succeed by managing those risks effectively. The process involves not only sharing assurance and traditional recommendations, but also insights and ideas. It’s about recognizing that there is little value in helping managers avoid the occasional stumble compared to the greater value of helping them take the right level of the right risks — risks to the corporate objectives. The board and top management view the internal audit department as making a positive contribution to success, not just helping them remain in compliance or make improvements in processes.
Years ago, the internal audit department rarely provided the board or top management with information that led the organization to change its strategies. The more advanced internal audit department of today focuses on issues that are critical to the success of the organization as a whole. Identified problems get the immediate attention of leadership because they represent obstacles or opportunities that matter to the board and executive team. Nowadays, the effective internal audit department rarely performs an audit where identified significant issues would not merit the prompt attention of leadership.
Today’s internal audit department has moved from the outdated concept of basing its audit plan on an audit universe to basing it on a risk universe, with its eyes on the future rather than the past. Its audit plan includes audits of risks that matter now and in the near-term, rather than the traditional audits of history. Internal audit is aligned with a board and executive team that is looking at how it can manage and lead the organization in the present and into the future.
The effective CAE has moved to update the audit plan almost continuously, at the speed of the business and the risks to its objectives. He or she is constantly listening to management and ensuring that every audit scope focuses on the risks of today and tomorrow.
While CAEs care deeply about being perceived as an objective provider of internal audit services, they also care about being considered as performing services that matter. Traditional barriers built to protect internal audit independence are challenged: Do they pose a threat to objectivity, and do they inhibit the department from doing what is necessary for the organization to succeed? Barriers to value are torn down.
In fact, effective CAEs measure success, at least in part, through the success of the organization. CAEs know that by addressing critical risks to the organization’s strategies and helping it seize opportunities as they arise, they are making a valuable contribution to that success.
How to Align the Audit Plan
- Consider how the audit plan and the process for developing and maintaining it should be changed so that it includes, on a continuing basis, engagements designed to address the risks that matter to the success of the organization. What will be needed to ensure internal audit is aware of changes in risk, so that elements of the plan are changed (audits added, changed, or removed) in a timely manner?
- Discuss the extent to which the risk-based plan can leverage management’s risk management system.
- Determine how often the board and senior management will be updated on significant changes in the audit plan.
- Obtain the approval of the board and senior management for the change, explaining how it will provide them timely information on issues relevant to the achievement of organizational goals and strategies.
- Implement the change, paying special attention to communications within internal audit and with management across the organization.
- Monitor the risk-based audit planning process by obtaining feedback from stakeholders on whether the engagement and its results were relevant to their management and oversight of the enterprise, and understand why the audit plan was not updated when risks changed and the plan did not.
Working With the Board
The prevailing model has internal audit reporting functionally to the audit committee (or equivalent) and administratively to a senior officer. Board structures are changing and internal auditors are being asked to do more. Does it make sense to continue to limit internal audit to working with the audit committee, even one that has expanded beyond financial reporting and financial management to include oversight of risk management?
For example, if there is a compliance committee, the effective CAE provides its members with the information they need on the condition of compliance-related processes and risks. If the organization establishes a risk committee to oversee management’s processes for managing risks to the enterprise’s objectives and strategies, the effective CAE participates in every meeting, just as he or she does with the audit committee.
Steps to Working With the Board
- Talk to the chair of the audit committee and others as appropriate, such as the lead independent director and the chairs of the governance, risk, and compliance committees.
- Understand the value and possible issues should internal audit’s functional reporting line change. Consider the option of reporting to the lead independent director, or to a combination of committees, such as audit, risk, and compliance. If a combination, who would take the lead when it comes to oversight of the internal audit function?
- Consider the option of internal audit continuing to report functionally to the audit committee, but attending and providing periodic reports to other committees.
- Consult with senior management, such as the CEO, chief financial officer, and board secretary, to obtain their opinions.
- After agreement has been obtained with all interested parties, modify the internal audit and board committee charters as needed.
Today’s executives and managers receive information through dashboards, emails, and even text messages. Yet, most internal audit departments continue to send stakeholders long, written reports (at best, attached to emails) that make the reader find the time to absorb and understand the large amounts of information shared with them.
In fact, The IIA’s International Standards for the Professional Practice of Internal Auditing does not require that an audit report be issued at the end of each engagement. Instead, it requires internal audit to communicate the results of its work.
The traditional audit report is several pages long, although on occasion it may resemble a small book with an executive summary. It is carefully crafted to express an opinion (usually) and influence management to make valuable changes in its business processes. Unfortunately, that careful crafting takes time and may delay the message to stakeholders.
If internal audit is focused on risks that matter, it is only logical that the sooner its assessment, insights, and suggestions for change are communicated, the better. But the traditional audit report, even if reduced to a one- or two-page executive summary, might take weeks or more to draft, discuss with lower levels of management, and then issue.
The effective CAE communicates at speed. He or she has taken the time to learn what stakeholders need to know. The CAE understands what is important for them to hear and doesn’t waste their time with what is not. While the internal audit report was once considered a product, today’s effective CAE sees the report as just one way to communicate. Instead of using the audit report to document the results of the audit and to tell the stakeholders what is important to internal audit, the CAE communicates what the stakeholders need to know. He or she recognizes that operating management has already been informed at the engagement closing meeting and senior management and the board don’t need to see much of what is traditionally included. They need to know:
- If there is anything to worry about, because it may impact critical business strategies and plans.
- If there is anything to do or monitor at their level because there is a risk that appropriate action may not be taken.
While sharing more with the busy executive or board member may be tempting, it is not necessary. Today’s CAEs know how busy executives and board members are, and that by respecting their time, they make it far more likely that these stakeholders will pay attention when information is shared. The stakeholders know that the CAE will only report what they want and need to know.
Conveying this information through a phone call, in a meeting, or even in a short email may sometimes be sufficient. Integrating time-critical information into an executive’s routine for receiving updates may be even better. For example, can the results of an audit be included in the executive’s daily dashboard, signaling, perhaps through an alert or red light, when there is an issue that needs his or her prompt attention?
To do this requires that the engagement closing meeting include commitments by operating management to act on agreed issues. If they are sufficiently important to discuss and management has agreed action is necessary, there is no need to wait until the recommendations are communicated formally.
The successful internal audit department recognizes that it and management have limited resources. Therefore, it avoids work that does not represent value to its primary customers — following Lean principles. That includes sharing what matters in a phone call rather than spending time on a long audit report.
By eliminating unnecessary work, the internal audit department can complete more audit engagements and deliver more valuable insights to leaders of the organization.
Actions for Effective Communication
- Meet with internal audit’s stakeholders at the board, executive, senior, and operating management level. Understand their needs for information: What do they need and when and how can it best be delivered and readily consumed? Explain the shift from an internal audit reporting process to a communications process.
- Determine how to meet those varied needs, such that they receive all the information necessary (in their view) to their success — and no more — when they need it.
- Consider a strategy where communications with operating management revolve around the audit closing meeting.
- Understand when it is appropriate to delay communications with more senior management or the board until a formal audit report has been completed, and when it is necessary to communicate promptly.
- Design a communications process that is efficient to prepare, easy to consume by the reader, actionable by management, and timely. This may require multiple levels of communications vehicles.
- Before implementing any change, share the plan with all interested parties and obtain not only their feedback, but also their agreement.
- Monitor the success of the change by meeting with stakeholders and determining whether the new communications meet their needs.
A Competitive Advantage
While I was CAE of Tosco Corp., the president of our largest division told a visiting politician that one of the reasons the company was succeeding was because internal audit gave him a competitive advantage. This was because internal audit gave him assurance that it focused its work on the risks that were critical to his division’s success and that the company’s business processes could be relied on to manage risks at acceptable levels. Where they needed improvement, audit worked with management to identify the appropriate corrective actions. The board agreed, knowing that audit’s continuously updated audit plan would address the critical risks to the organization.
While the audit reports were streamlined, if I were still in the role of CAE, I would look to change them today by working with the key executives to understand how they receive important information from their direct reports and how they monitor the state of their business. Where possible, I would integrate audit assessments into that information flow, supplemented by meetings or phone calls.
In this virtual, connected world, the value of face-to-face meetings has not diminished. Personal contact with stakeholders, not only to communicate what they need to know and when they need to know it, but also to ensure a constructive conversation on internal audit’s assessment and insights on the business, goes a long way. Successful CAEs, after all, are always looking to help executives and the organization succeed. It is only through these interactions that the CAE will know what needs to change — and the cycle continues.
When an internal audit function is able to provide the assurance and advisory services needed by the board and executive team, helping them lead the organization to success, it is reaching its potential. The effective CAE streamlines the function to do more, faster. He or she not only addresses the issues critical to organizational success, but also communicates valuable information clearly and rapidly — at the speed of the business. The ability to get away from old, outdated thinking and processes and adapt to meet changing business priorities is the foundation of a successful internal audit department.