Five years ago, Francie Frederick, general counsel to The University of Texas System’s (UT System) Board of Regents, says she was often confused about the difference between internal audit and compliance. In those days, she recalls, internal audit was frequently involved in testing compliance procedures, so the distinction between the two roles was not always obvious.
“I’ve been educated since then,” she says, “especially since we have moved as an organization from looking backward at what happened to looking forward to how things can be improved.”
As organizations such as the UT System have shifted their focus to the future, expectations of internal audit have changed. That has created the need for auditors to communicate with their business partners on a more strategic level, and to reassess the scope and nature of the work they do in response to evolving expectations.
A Trusted Adviser
The UT System’s audit team has been hard at work developing such a strategy — particularly because the function spans an educational establishment with multiple institutions. While compliance audits are important, Frederick says, she now expects more of audit. In particular, the function helps the university strengthen its business and operational practices, as well as enhance its operational effectiveness and efficiency.
“Because of its overview of the organization, audit is in a unique position to identify opportunities for improvement across the institution,” she says. “Ways we can be more efficient. Ways we, as 14 different entities, can collaborate more.”
She says J. Michael Peppers, the organization’s CAE, has been able to create a climate where people are open and sharing. That has been important to get managers at UT System’s different institutions working together.
Frederick wants to see audit as a team of trusted advisers — picking up on a term that has been bandied about in the profession for a while. For her, that means internal audit needs to have good technical skills and a sound knowledge of the business. But, more importantly, it needs to be able to communicate its findings clearly to the governing board and the institutional teams, defending them where necessary.
“There’s a rare group of people who excel in doing large public presentations, and I think your CAE has to be able to do that,” she says. “Being a good communicator involves as much listening as actually talking, so being an active listener is quite important, too.”
A Strong Skill Set
Striking the right balance of skills is difficult. “In today’s world especially, technical skills become hyper-critical, given the complexities of business, the use of systems as a tool, the global nature of a lot of organizations, and the operating requirements of a lot of different countries,” says Bill Chiasson. He is chairman of LeapFrog Enterprises, chairman of the Audit Committee of Fossil Group, and serves on several private company boards. But he emphasizes that these essential skills are only the foundation of what internal audit offers.
“On top of all that, the department needs a strong and positive culture of constructive dissatisfaction,” he says. He wants auditors to look at those areas that management struggles with, or is even embarrassed to tackle, because of past failures. That requires tact. He says he has encountered some managers who believe being successful entails identifying and dealing with everything without external help.
That’s why internal audit has to demonstrate to management that every engagement is based on a sense of mutual respect, he says, and a desire to improve the business’s performance. He says a good audit team takes its time in establishing that its findings are based on a sound understanding of the business, which generally means speaking to the appropriate manager early in the process.
“You cannot have internal auditors who hide problems from you,” he says. “That creates a horrible environment.” A strong, self-aware, experienced internal audit leader needs to be able to work with the business on identifying the problems and helping devise a workable solution that can be incorporated into the audit findings.
“Ten years ago, the internal audit mind-set tended to be that the CAE was looking for the one trophy he or she could hang on the wall that says internal audit identified the adjustment,” says Holly Millard, network senior vice president of Finance at the Indianapolis-based health-care business Community Health Network. “Now, it’s about identifying issues that help reduce risk for the organization and make a process better.”
That puts internal audit in the position of a business partner — but one that is independent of the organization. At Community Health Network, while the internal audit function reports internally to the executive vice president of general counsel, its primary reporting line is to the audit committee, which is an external third-party, independent from the organization.
Millard says that prevents any manipulation of the audit findings and has encouraged management to develop a response to each significant audit outcome. In addition, internal audit adds a risk exposure level to each report, from low to high, to better help the organization target its remedial actions.
She says she does not think the qualities that make a good internal auditor are likely to change too much in the future, but she does think audit needs to do more to prepare organizations for the ongoing impact of the digital world.
“Internal auditors need to get deeper understandings of application and general computer control,” Millard says. That means obtaining a better understanding of the technologies the organization employs and having the ability to think through the more complex risks associated with them. “It’s going to get increasingly sophisticated, and when you’re in a business that contains so much personal information, from a health standpoint, we are entering into a very different environment,” she explains.
Millard says CAEs will need to review their recruitment procedures to attract more “digital natives” — those who have grown up with the Internet. She says doing so will help internal auditors develop the right mind-set for the future and help them in their continuing quest to better serve their organizations.
Building a Relationship
Stakeholder expectations of internal audit are continuing to push the profession in new directions. Moving away from a narrow focus on compliance is part of that transformation, as is the need to develop a broader understanding of the business, and to hone and acquire new skills. And while it is impossible to see with certainty what the future holds for auditors, getting in better touch with their business partners should be high on the agenda.