We live in an “always on,” 24/7 society. Our devices keep us continually connected, businesses are available around the clock, and fast turnaround cycles are the norm. We expect uninterrupted access to information and rapid delivery of products and services. Our world is hyperconnected and in constant motion.
As part of this new reality, risk and change have become corporate constants. New risks are always emerging, requiring internal audit to continually scan the horizon and keep pace with the latest developments. We need to be constantly aware of what’s happening in the organizational environment, the regulatory environment, and the profession. And we need to do all of this at the blistering speed of today’s business world.
Thus, I have chosen the theme “Audit Never Sleeps” for my IIA chairmanship. In this day and age, internal auditors cannot afford to rest on their laurels. We must provide innovative and proactive pathways for improvement and continuously offer solutions. We should take every opportunity to strengthen our brand, build trust, and cultivate relationships. We need to be ever-vigilant in our approach to risk and never diminish our focus. Internal audit’s ability to remain relevant hinges on ceaseless attention to the priorities of the organizations we serve.
My theme connects as well to the founding place of The IIA — New York, “the city that never sleeps.” Since The Institute’s inception in midtown Manhattan 75 years ago, internal auditors have worked tirelessly and passionately to meet the evolving expectations of stakeholders. We need to continue that momentum, and build on it, as we work toward serving our clients in the current age of constant activity and perpetual movement. By honing our communication skills, adopting an integrated mindset, doing the right thing, focusing on strategy, and keeping an eye toward the future, we can help pave the way toward an even more proactive, business-centric focus.
Effective communication is crucial to our work with stakeholders. Management and the audit committee expect us to provide insights into the business, and those insights need to be delivered in a way that is not only heard but also clearly understood.
In part, internal audit’s ability to communicate hinges on its relationships outside the audit function. Without strong relationships, even the best messaging and insights can fail to reach the intended audience, or fall on deaf ears. Internal auditors need to invest in relationships, making every effort to get to know their clients. We cannot be content merely to sit in our offices or meeting rooms with audit peers — we must venture into the business areas and talk to those we serve in the organization. We should take every opportunity to communicate not only on a formal basis but also informally — especially with key stakeholders — to learn about new or changing developments. Having breakfast, lunch, or even just a cup of coffee with senior leaders or business-unit managers can be an excellent starting point for ensuring our voice is heard.
Of course, effective communication not only requires us to be adept at sharing information — we must also listen carefully to what our clients say. Recognizing the importance of this skill, more than 90 percent of respondents from The IIA’s 2016 North American Pulse of Internal Audit survey say their audit function factors active listening into its training or recruiting efforts.
We must listen “between the lines” to hear core messages. A good listener truly understands what the client says and helps assure that his or her message is received. Practitioners who possess this skill improve the quality of audit information gathering, as well as enhance the audit function’s image as a reliable partner that recognizes the concerns and priorities of the organization.
Adopt an Integrated Mindset
|The Global Board|
As 2016-2017 global IIA chairman, I plan to work diligently with my fellow senior volunteers in supporting The Institute’s long-term strategic plan, helping to ensure internal audit professionals will be universally recognized as indispensable to effective governance, risk management, and control. That goal involves five main components:
Professionalism The IIA will lead the profession through the development of timely and relevant knowledge, global guidance, and career path guidelines.
Advocacy The IIA will raise the profile of, and demand for, the profession to ensure it is recognized as an indispensable resource by key stakeholders.
IIA as Leader The IIA will be recognized as the leading voice for internal auditing.
Capacity The IIA will collaborate globally to expand the capacity of the profession.
Sustainable Value The IIA will deploy both financial and business models that generate sustainable value for members.
I look forward to helping The Institute guide this plan from vision to reality, and to steering our profession toward increased relevance and influence in the future.
Integrated auditors possess an array of competencies. While a traditional accounting or finance background is certainly valuable to the audit function, there are many other abilities that enable us to address the risks affecting our organizations.
Cyber breaches and privacy/information security issues continue to plague organizations of all types. As recent global surveys demonstrate, cyberrisk is a top-of-mind risk for boards and management; together with the rapid speed of disruptive innovation of new technologies, these are major challenges for internal auditors today and are increasingly on our stakeholders’ radar. The question for internal auditors is whether we have the technical knowledge to assess and address these types of emerging risks. We must continually invest in broader IT knowledge to meet the expectations of our key stakeholders and to ensure an integrated skill set. One pathway will be through intensive training to build a solid foundation within the audit team. Beyond engaging IT auditors, there is a need for basic or even higher levels of IT knowledge for every internal auditor. However, for some audits or investigations in the IT area, organizations will continue to need to outsource the relevant IT knowledge from an external provider.
Applying soft skills can be just as important to our success as technical abilities — perhaps even more so. Integrated auditors can, for example, navigate the political climate of the organization skillfully and approach problems with a focus on solving them through compromise. They are effective negotiators dedicated to finding common solutions for the well-being of all stakeholders.
Approaching our work with an expanded frame of reference involves not just skill sets, but a way of thinking — an integrated mindset. Auditors who see their work through the lens of multiple perspectives will be much better able to appreciate the big picture, providing a valuable asset to the organization. This holistic view, in turn, will be reflected in our primary work product, the audit report, and in our advisory services. Audit work looks much different, and offers less value, when produced from a myopic, one-dimensional point of view.
Of course, no individual practitioner can possess comprehensive audit skills — and that’s where integrated auditing applies to the whole team. Collectively, audit groups need the right people with the right backgrounds and skills. Moreover, they need to work closely and cooperatively, with great emphasis on information sharing, to enhance the team’s ability to leverage integration. Having the right mixture of practitioners in the audit function, and integrating team input effectively, builds a solid basis for success.
Do the Right Thing
Our work also must be guided by a strong focus on ethics. But ethical behavior involves much more than just adhering to rules or standards — practitioners must conduct audits with transparency. The audit process should always be clear and precise, well-documented with traceable evidence, delivered with sound judgment and assessments, and truthful.
Building a foundation of transparency takes time. It requires continual communication with stakeholders and working extensively to educate them on the audit process. Moreover, it involves recognizing that transparency goes beyond conducting our work in an honest manner. In other words, someone can be honest without necessarily demonstrating transparency. We need to be clear in our intentions and show precisely how our work adds value to the organization. And we must do this on an ongoing basis, with every client interaction.
Ethical behavior also means acting with integrity. Practitioners need to demonstrate soundness of character, professionalism, and respect for clients. We need to adhere to The IIA’s Code of Ethics and maintain the highest standards of behavior at all times. By modeling integrity, we can have an influence on ethical conduct beyond the audit function, setting an example for the rest of the organization. Internal auditors should be the standard bearers for ethical practice.
Auditors also need to approach their work with a strategic focus. Yet according to The IIA Research Foundation’s most recent Internal Audit Common Body of Knowledge study, 43 percent of audit plans are not well-aligned with organizational strategy. This finding represents a significant improvement opportunity for the profession.
Remedying any deficiencies in our strategic alignment requires focused effort. It is our responsibility to ask about the organization’s strategy and to make sure we understand it. For example, the CAE can ask to participate in organizational strategy sessions — even if only as a guest without voting rights — to hear what’s being discussed. Alternatively, he or she could simply obtain the minutes from those sessions if in-person attendance is not feasible.
Without an understanding of organizational strategy, audit work can only be performed blindly, leaving practitioners disconnected from the work of the organization. The entire audit team needs to be aware of the strategy, as it will help inform their day-to-day work with clients.
Focus on the Future
In tandem with our strategic sensibility, internal auditors must be able to anticipate what’s coming down the pike. Historically, our profession has focused on the events of the past — we would determine what mistakes were made and help the organization avoid repeating them. But today, much more is required.
We need to consider key risks our organizations may face and share these perspectives with stakeholders. That way, our clients can better prepare for those challenges, or opportunities, before they materialize. Looking ahead enables us to warn of pending disasters stemming from insufficient attention to business risks, or leverage new growth opportunities that may have escaped management’s radar.
Internal auditors must proactively seek out information that will help them understand what lies ahead. Finding opportunities to interact with the board and management to assess their concerns and priorities is an important part of that process. Within industries that face steep regulatory challenges, auditors also should maintain good relationships with regulators to obtain a sense of what’s to come in the way of requirements.
Internal auditors can often further gauge upcoming regulations, and stay abreast of other issues on the horizon, by exchanging knowledge with industry peers. I meet with other insurance industry CAEs, for example, two to three times each year to share information and best practices. At our last meeting, we discussed how new regulations like the European Union’s Solvency II Directive impact our strategy as an internal audit department and our day-to-day work. These meetings keep me apprised of upcoming issues and help me add value to the organization’s risk management process.
Practitioners at all levels of the audit function need to stay attuned to what’s on the horizon through their work with individual business areas. During my audit team’s weekly meetings, we share knowledge obtained through client interactions to ensure we collectively have a better understanding of current and future undertakings. We also place considerable emphasis on audit training — another key to remaining future focused. Training should not be sporadic — it should consist of ongoing, continuous learning. Knowledge of the latest trends affecting internal audit gives us visibility regarding what’s to come and better equips us to provide the foresight our stakeholders require.
Rise to the Challenge
In 2015, The IIA released a revised version of its International Professional Practices Framework, aimed at helping practitioners navigate through change and ever-growing business challenges. As a member of the task force that helped develop the revision, I strongly believe in the framework’s Mission Statement for the profession: “To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.” Simply put, it is our responsibility to shape the perception of internal audit and to elevate the profession to an even higher level.
Throughout my chairmanship, I want to share my own views, experiences, and challenges. But I would like to hear from you, as well. There are numerous, diverse pathways to achieving our mission. Regardless of your career level, department size, or industry, it is my personal goal to listen to internal auditors around the world and obtain a range of views on the profession.
We need to work tirelessly and passionately in our pursuit of excellence, and we must be ever-vigilant in finding opportunities to add value. Together, we can raise the bar for internal audit and ensure the continued relevance of our profession. I look forward to hearing your stories and to sharing this journey with each of you.