Internal auditing should be about tomorrow,” Charlotta Hjelm, chief internal auditor at the Swedish insurance co-operative Länsförsäkringar, Stockholm, says. “If the function focuses mainly on financial audits, it is mostly looking at what happened yesterday and today.”
Hjelm says boards and audit clients are looking to their chief audit executives (CAEs) to provide assurance over their forward-looking operations and strategies — no more so than in areas of rapid change, such as product launches or IT initiatives. As a result, functions that have historically concentrated on auditing controls over financial information have been pushed out of their comfort zones and into the fuzzier world of nonfinancial auditing.
“If you are conducting financial audits, things are black and white,” Hjelm says. “The controls are right or wrong.” So-called nonfinancial audits, on the other hand, may be concerned with improving the efficiency of business processes, or the quality of services. Auditors working in those areas need adequate knowledge of the business and its functions — from human resources and sales, to supply chains and customers. “If a business wants to be the best, most efficient, and offer the highest quality of goods or services, that can be hard to define,” she says.
This lack of clarity has an impact on internal audit. If an organization’s goal setting is not precise, auditors can struggle to grasp what separates the most important audit area, for example, from the slightly less important. Moreover, risks in dynamic areas of the business can change rapidly, impact business processes in other parts of the business and prove difficult to cover comprehensively. Internal audit teams working in nonfinancial areas of the business need a wider range of technical skills, broader soft skills, and deeper business knowledge. But the rewards of engaging in these areas include providing better insight to the business on the quality of its operations and the risks it faces tomorrow.
Aligning With the Business
The shift in emphasis from static, backward-looking audits has come from boards and from the profession itself as it has sought to win that coveted seat at the top table. In fact, over the past 15 years internal auditors in most sectors have been aligning themselves more closely with their organizations’ strategies. According to Driving Success in a Changing World: 10 Imperatives for Internal Audit, a 2015 report from The IIA containing the most recent figures, globally 57 percent of audit departments say they are aligned fully or mostly to their business’ goals and objectives. As that percentage continues to grow, increasing numbers of auditors will be moving into those dynamic areas of the business that need assurance most — whether they are primarily financial in nature or not.
This realignment to auditing nonfinancial areas has led to a shift in approach that places greater value on what audit findings mean to the business than whether or not the organization is compliant with regulations. In regulated areas such as finance, for example, boards still want to know whether they are compliant with Solvency II — a European Union directive that focuses primarily on capital obligations for insurance firms — where there is a clear role for traditional internal audit, Hjelm says. “But they also want to know how much it will cost, whether we have the resources to do what is necessary, how it will affect the strategic plan, and whether I have audited the right areas.” Communicating on such a wide range of issues clearly has become an important dimension of Hjelm’s work.
Malcolm Zack, who has led audit teams in the consumer, payments, foodservice, mail, entertainment and travel sectors and now heads Zack Associates, an internal audit consultancy based in London, says he has been auditing nonfinancial areas of the businesses in which he has worked for more than
20 years. Over that time, he has worked across a range of areas including IT audit, contingency planning, health and safety, codes of conduct, supplier risk, buying and merchandising, and social media, to name just a few. But he agrees with Hjelm that more recently boards have been encouraging internal auditors to move into areas where the business is changing rapidly because that is where the big risks can be.
“In recent years, I’ve been working more and more on business change projects, and project and program assurance,” he says. “New products and systems are where the higher risks are, and the ongoing auditing of those has become very important.”
He sees that trend intensifying in the coming years with auditors becoming more focused on the commercial and operational significance of their findings in such dynamic areas, rather than just on the financial data itself. Because finance is only one element the board needs assurance on, Zack says, that has changed the composition of many audit teams away from accountants and pure audit specialists. Experts in project management, IT, or human resources, for example, could be needed as much as technical auditing ability. An audit team in one financial institution Zack was familiar with, for instance, employed psychologists on its team during an audit of its culture.
“This has been a shift for the profession,” he says. “We are being asked to give a view of risk and controls across the entire organization potentially.” That requires the audit team to be staffed by a core of experienced auditors supported by a more fluid mix of people from different specialist areas and cultures to provide depth of knowledge in the area being audited, he says.
Shift in Focus
The difference between a financial audit and a nonfinancial audit can be one of focus, explains Phil Tarling, an internal audit consultant based in South East England, U.K., and former vice president, Internal Audit Capability, and head of the Internal Audit Centre of Excellence at global telecommunications firm Huawei Technologies. In one supply chain audit he was involved in, for example, when goods did not ship in time by sea, they were sent at greater cost by air. The financial findings were significant, but the nonfinancial part of the audit also showed that the supply chain was poorly structured and included recommendations on how to fix the problem.
“In nonfinancial auditing, you need people to understand that the business exists to make a profit and that cost has a negative impact on its ability to do so,” he says. “Not all auditors think that way, and not all people working in the business do either.”
That is why Tarling is cautious about bringing people with business acumen, or with subject-area expertise, into the audit function. “When you say ‘business acumen,’ do you mean that people understand the way things are done, or the way they should be done?” he asks. He warns that external staff from the business can bring with them negative baggage and may be too caught up in the minutiae of their role to see the bigger picture, or to imagine different ways of working.
“It means you have to work a lot harder to get the right people on the audit team,” he says. Going back to his supply chain example, he would recommend hiring someone who possesses high-level experience with establishing a supply chain and training him or her in audit and risk. Smaller audit functions would need to cosource such staff with an internal audit provider and transfer knowledge to the core team during the project, he says.
Trends in auditing nonfinancial areas are coming under the spotlight from regulators, standard setters, and business groups mulling over the causes of the financial and economic crash of 2007 — the effects of which are still felt today in the form of historically low interest rates and slow growth in many countries. The consensus among groups such as the International Integrated Reporting Council (IIRC) is that many businesses did not understand how the risks within their businesses are related to each other and to the wider business world. Providing some form of coordinated assurance over all nonfinancial aspects of corporate activity can be achieved by integrated reporting (<IR>).
The IIRC’s International <IR> Framework argues that, too often, companies have disjointed reporting practices that are driven more by regulation than by business need. That has led to a fragmented approach to what is reported. What is needed, the framework says, is <IR> delivered to shareholders and stakeholders that provides a complete picture of the business and its risks, which is underpinned by integrated thinking.
“Integrated thinking is the active consideration by an organization of the relationships between its various operating and functional units and the capitals that the organization uses or affects,” the framework says. “Integrated thinking leads to integrated decision-making and actions that consider the creation of value over the short, medium, and long term.”
The IIA recently articulated internal audit’s potential role in the integrated thinking arena. Its project concluded that internal audit’s holistic purview of the organization uniquely positions it to support integrated thinking’s goals of strategic decision-making, planning, and delivery in a way that considers the perspectives of the business, its various stakeholders, and the resources needed to create wealth.
“Internal auditing is focused on the same central concerns that prompt the move toward integrated thinking and enhanced external reporting,” says Anton van Wyk, a former IIA board chairman who led the organization’s integrated reporting task force. “By providing well-informed insight, advice, and assurance, consistent with The IIA’s Core Principles for the Professional Practice of Internal Auditing, internal auditors can have a significant contribution to make in supporting their clients in their journey to integrated thinking.”
Connecting the Dots
Some practitioners agree. Karem Obeid, CAE, Tawazun Economic Council in Abu Dhabi, United Arab Emirates, says boards have become more sophisticated in their understanding of what internal audit can offer — especially the function’s ability to create value by driving business improvement and advising on risk in dynamic areas of the organization. “If as an auditor you get involved in benchmarking integrated thinking and reporting at an early stage,” Obeid says, “you can be the facilitator that helps join the dots across the whole organization and beyond.”
He sees taking on the role of driving the integrated thinking project as a great way of demonstrating the value that internal audit can add to the business. It can also help the audit team better direct its work and resources to where they are most needed, and enable internal audit to serve the organization as a trusted advisor.
Auditors can do this by building on their experience of auditing nonfinancial areas of the business, says Obeid — who contributed to the IIA white paper, Global Perspectives and Insights: Beyond the Numbers — Internal Audit’s Role in Nonfinancial Reporting. But, he adds, integrated thinking is a project that has challenges. The CAE and his or her team, for example, must understand the business both from a technical and practical point of view. Those with many years of nonfinancial audit experience will be better placed to see how the risks in different areas — often called silos — are related and how they may be audited across the business. Others would require a steep learning curve.
Second, integrated thinking and the reporting it produces need to serve a wider range of stakeholders — both within and outside the business. Although most internal auditors are effective at dealing with the board, management, and some other functions — such as risk and compliance — few have experience in dealing directly with external stakeholders, such as customers and external pressure groups.
“Internal auditors need to communicate more with stakeholders, not just through business meetings, but through social media, socializing in person, and getting to know the culture and mind-sets of these groups,” Obeid says. “Also, the audit team has to increase among those groups an awareness and understanding of audit’s role — and the importance of following The IIA’s Standards.”
One area of rapid change in the integrated reporting world is that of climate-related financial disclosures. Although a paper published in June by the U.S. Financial Stability Board (FSB) relates to financial services businesses, it is a good example of how important governments now view the environmental impact of investor decisions on society. The paper, Task Force on Climate-related Financial Disclosures: Overview of Recommendations, proposes enhanced, voluntary disclosures on how each organization’s governance, strategy, risk management, and metrics help it report accurately and effectively on climate-related risks.
For Richard Goode, an executive director in the Americas Climate Change and Sustainability Services practice at EY, the paper is a clear indication of how government agencies and investors are increasingly asking to see proof of an organization’s “social license to operate.” According to the EY Center for Board Matters, more than half of the shareholder proposals during the 2017 proxy season related to environmental and social issues — in other words, pressure is growing for companies to demonstrate their social, ethical, and environmental credentials.
“This is a key area for internal audit to act as a trusted business advisor,” he says. “Business managers are asking internal auditors to help them articulate what their nonfinancial risks are and how well their sustainability programs are being put in place and run.”
Goode adds that while internal auditors can take a leading role, they should avoid an emotional plea to senior leadership and the board. “Speak the language of risk, collate and analyze the data, benchmark within your industry and among standout performers in other industries, and prove what is important and why.”
Trusted Nonfinancial Advisor
Goode stresses the importance of having the right expertise to help tackle the more technical aspects of such nonfinancial areas. On the other hand, the lack of such expertise should not be used as an excuse for inaction.
“Make sure you get the topic on the risk register and talk to the business about what risks they are facing in that area,” he says. “Talk to managers, institutional investors, and stakeholders and put together an honest materiality assessment.” If the risk is real and material, the resources are likely to follow, he adds.
Hjelm agrees. “The more success you have in these nonfinancial areas, the more trusted you will be to do less testing,” she says. “You will be providing true insight for the company about their potential future risks and helping the company make money tomorrow. Besides, as an internal auditor it’s much more rewarding to help people and have fun while doing it.”