Disruptions affect us all, whether they are internal, such as new technology implementation, or external such as new business models, new forms of competition, or regulatory changes. These significant, quickly developing, and potentially unanticipated events create risk and opportunity that demand the attention and resources of the business.
Unlike other risks, the speed at which disruptive events can appear, and with which the business needs to react, doesn’t lend itself to the notion of internal audit having a year or two to identify related risks, understand them, get projects on an audit plan, and conduct the audits. If auditors don’t help the business address disruption-related risks as they occur, the business will charge ahead, potentially increasing risk or bypassing opportunity.
Stakeholders view internal audit’s involvement in disruptive events as necessary and meaningful, and their expectations of practitioners continue to rise. The more auditors do, the more stakeholders realize what internal audit is capable of doing, and the more stakeholders ask of them. PwC’s 2017 State of the Internal Audit Profession study indicates that the vast majority of stakeholders would like internal audit to be more involved: 77 percent of board members and 68 percent of management say the profession’s level of involvement in disruption is not sufficient. This presents an opportunity for internal audit to deliver increased value by being involved early in the process and bringing a risk mindset to the business as it sets its strategy and tactics.
Early and consistent involvement in disruption requires internal audit to get ahead of disruption and be flexible and responsive as it occurs (see “Rethinking Internal Audit” below). To do so, the department needs to build certain traits into its DNA to create the agility needed. Agile internal audit functions are those that are adding significant value in areas of disruption by demonstrating six traits.
Rethinking Internal Audit
With stakeholder expectations evolving, internal audit leaders need to help their internal audit functions think differently and push beyond standard objectives and deliverables. To paraphrase Albert Einstein, one can’t keep doing the same things over and over again and expect different outcomes. Audit leaders must think more strategically about where they are operating today and what their ideal state would be by asking themselves:
- Is the internal audit function doing anything different today than it did three years ago?
- Are those differences marginal or more transformative?
- Is internal audit realizing value from those changes?
- Should audit leaders rethink how they are measuring the department’s value?
- Is transformation and disruption within internal audit required to remain relevant to the business?
1. Be Forward Thinking
One thing that distinguishes internal audit functions that have developed the agility to embrace disruption is that they appear to have a broader view of what is deemed an “auditable risk” than their less agile peers. This is evidenced by their consistent involvement across many disruptors. These functions are twice as likely as their peers to be involved in less traditional, but high-value areas such as helping the organization respond to operational disruption, changes in business strategy, brand and reputation incidents, and digital innovation. They also are far more likely to be involved early in the disruption and strategic business decision-making cycle. They do more to help their organizations proactively manage disruption before processes are fully developed. Moreover, they provide a point of view around disruptive events beyond identifying existing process or control gaps, and they are twice as likely to assist in identifying the potential for a disruptive event to occur.
The key to becoming agile is being more proactive than reactive. That means staying on the forefront of potential business disruption and recognizing that priorities may change quickly during the year — 84 percent of agile internal audit functions are mindful of disruption risk and include the possibility as part of audit plan development (vs. 50 percent of less agile survey respondents), according to the State of the Internal Audit Profession study.
Use a Strategic Planning Process: Define how the department will change its processes, technology, and talent to keep pace with the business. This process is more than an administrative “nice to have;” it’s a road map to internal audit’s vision. These changes will take time, budget, and stakeholder buy-in.
Think Differently About Internal Audit’s Risk Assessment Process: Many organizations are doing away with a robust, annual risk assessment interview/survey process and incorporating more frequent processes such as semi-annual or quarterly assessments. Consider whether internal audit interacts enough with key stakeholders throughout the year to keep a more real-time view of likely disruptions and the top risks to the business.
Reassess Internal Audit’s Risk Universe: This assessment can confirm whether the risk universe captures emerging risk areas and more holistic risk topics that may not yet be embedded within company operations. If the universe is merely capturing everything that exists within the organization today, it is hard to anticipate what disruption-related risks could be coming. These risks, by nature, are ones that may not have an “owner” yet, and therefore are often missed in functionally organized risk universes. One way to mitigate omitting key risks is to formally link the risk universe to the organization’s strategic goals.
Create Flexibility in the Audit Plan: If there is no room left in the plan after accounting for recurring activities, then it is difficult to find time for more value-added, risk-based projects aligned to disruptive risks. Allocate a percentage of the audit plan to more proactive and strategically aligned audits, of which disruptive events are a part. Also, allocate a portion of the plan to ad-hoc, management requests, or a “buffer” category to gain flexibility during the year as issues arise.
2. Be Inclusive
Driving collaboration often falls upon internal audit because of its unique vantage point within the organization. When done well, this responsibility makes it easier for both management and the audit committee to understand the broader risk landscape and delineate between the lines of defense. It also unites the lines of defense in addressing disruption-related risks as they materialize. Given the organization’s size, maturity, and industry, the internal audit function may be serving across multiple lines of defense at the same time. But even then, there is an opportunity to promote a common risk universe and risk language by:
- Inventorying all of the organization’s various second-line or risk-oriented functions within the first line. Understand what other risk assessments are being performed by those teams and if there is opportunity for alignment.
- Adjusting the frequency and nature of communications between the second-line functions to understand whether any overlap or duplication exists, as well as whether there are opportunities to transition certain risk activities back to the second line.
- Reassessing how the department audits the second line of defense and whether that could impact the “reliance” strategy internal audit places on such functions. Some internal audit functions adopt criteria where partial or full reliance can be considered over certain risks monitored by the second line to free up time for internal audit to focus on high-risk, strategic, or disruptive topics.
3. Be Business Minded
Stakeholders and chief audit executives (CAEs) agree that internal audit functions should comprise future business leaders. Business acumen positions internal audit functions to help their organizations manage disruption. The question that many organizations struggle with is: Do you hire auditors and teach them the business, or do you hire from the business and teach them how to audit? In either scenario, the ultimate goal is to develop business-minded professionals who operate true to internal audit’s mandate and professional standards. Internal audit should:
- Evaluate the training and development balance among general soft skills, internal audit methodology and approaches, IT technical skills, and business acumen. Some internal audit functions have embedded auditors within the business as it is developing new projects and services to bring a risk-and-controls mindset, while concurrently learning more about the business.
- Build business acumen through the recruitment of diverse backgrounds, degrees, and certifications to promote more organic knowledge sharing among the team.
4. Be Flexible by Design
Alternate audit procedures and reporting options allow flexibility in delivering important messages to management and the board without the burden of self-imposed constraints. Methodologies are helpful, but internal auditors need to reflect on whether their actions are focused on risk understanding and reduction or self-imposed protocols. Many internal audit functions are adding value — particularly in the area of disruptive risks — through assurance and consulting activities such as delving into the likelihood of specific risks to their organization and assessing the organization’s readiness to respond to emerging risks. Several use the term health checks for these services.
Inventory the Categories of Projects in the Audit Plan: Consider the mix of proactive/reactive evaluations, emerging/existing risk focus, short/long durations, and equal/variable coverage. Use the inventory to determine whether the mix embraces a risk-based and value-adding mentality. Some internal audit functions have difficulty breaking the historic cadence of hitting every location or every department in a set time frame, but the objective is managing risk where it is most likely to manifest, not ensuring full coverage.
Evaluate the Nature and Timeliness of Internal Audit’s Procedures: Assess whether they are tailored to project needs or predefined protocols. Do all projects have a similar planning and fieldwork duration? Does the department use the same testing techniques across every project? Is there such a long duration between when a project is identified, put on the audit plan, scheduled, performed, and reported that the relative risk has changed by the time it is ultimately reported on, reducing the project’s impact? If the audit committee requested an evaluation of a select risk topic by the following week, could internal audit mobilize, assess, and provide a point of view in time?
Expanding internal audit’s procedures can account for variation and support a risk-based, critical-thinking mentality. The PwC study shows that 73 percent of agile internal audit functions change course and evaluate risk at the speed required by the business, compared to 37 percent of less agile survey respondents.
Rethink the Notion of Internal Audit Reports: Some projects simply don’t require a full audit report, and others may not warrant a rating. Highly regulated industries have limits to this flexibility, but even in those situations, there is an opportunity to reflect on how protocols are set and whether they are focused on the importance of the message without being overly restrictive or bogged down in wordsmithing.
5. Be Data-enabled
The more data-centric businesses become, the more data analysis will become a primary internal audit skill. Analytics should be embedded throughout the audit life cycle in risk assessment, audit planning, fieldwork, and reporting to improve internal audit’s business insights. How much more is internal audit doing with data now than three years ago? What improvements has it realized? Is internal audit investing in the right resources and training to further advance its capabilities? Consider using data analytics to:
- Help internal audit teams understand traditionally unauditable risk areas, such as those associated with business disruptions, by analyzing trends and correlations that are not evident through process understanding or controls testing — allowing for more direct exception-based analysis.
- Gain deeper insights that increase the value stakeholders perceive from internal audit projects, such as through expanded coverage, outlier identification, and more targeted root cause analysis.
- Broaden coverage while reducing the need for on-site visits across geographically dispersed locations. This can provide a more comprehensive view of risks and comparable analysis not achieved through a rotational visit model.
6. Be Talent Ready
Because of the changing risk landscape, keeping pace with the broader capabilities now needed within internal audit is difficult and highly competitive. Some organizations turn to third parties to close internal audit talent gaps, stay contemporary with evolving skill needs, and flex with business change. Others use internal resources to flex with business needs. Is internal audit’s current talent model agile? Do audit leaders know where their skills gaps or key dependencies are? Can internal audit respond quickly to a variety of risk needs or management requests, such as those related to business disruption?
- Identify opportunities to create more agility within internal audit’s overall talent strategy. Some of these departments employ a core team and leverage personnel from the business or cosource providers to flex up or down at select times or on specific projects.
- Assess whether internal audit is leveraging its cosource providers in the most meaningful ways. Internal audit functions that add value are using sourcing in more substantive ways than simply accessing its capacity.
Changing with the Business
Internal auditors don’t always give themselves enough credit for what they can contribute. At the end of the day, the profession’s role is to help identify and mitigate risk for the organization. Given the tumultuous business environment, that mitigation strategy may require more proactive and real-time evaluations of risk. Regardless of whether internal auditors are doing so to deal with disruptive forces or to improve existing activities, creating more agility in their operations is beneficial.
Internal audit remains one of the few departments that is able to take a holistic view across the business. That gives auditors a unique perspective from which to provide a point of view around risk management procedures. Perform a self-assessment. How agilely can the internal audit function operate? Where does the department stand in demonstrating the traits necessary to drive value for the business? Identify the steps internal audit plans to take this year, be aggressive with change, and continue to evolve.