The nature and role of internal auditing in North America has radically altered over the past decade or so. No longer seen as a back-office compliance department, there just to check accounts payable or perform mundane administrative processes, the cutting-edge audit function is increasingly regarded by audit committees and regulators as a trusted advisor. Many chief audit executives (CAEs) have a seat at the top table, advising the C-suite on emerging and strategic risks and helping management mitigate those threats to the organization’s objectives.
Internal audit has had to work to implement those changes to its role and status, and I have great respect for the courage and determination that takes. But not all internal audit functions are operating at that level. That could be because stakeholders do not fully understand what internal audit does — or can do — and continue to underinvest and undervalue their audit functions. Or, it may be because internal auditors do not always push as hard as they might to fulfill what can be a daunting and uncomfortable role.
My theme as chairman of The IIA’s North American Board over the coming year is “Find Your Voice.” Specifically, I want all internal auditors to reflect on, develop, extend, and communicate the true value they can provide to their organizations. In finding their voices, auditors will be able to achieve their full potential in serving their organizations, and they will be ensuring their ongoing relevance in a rapidly changing world.
There are two major trends that make my message urgent. For the first time in many years, there is an emphasis in the U.S. government on deregulation. This is a radical change from the increasing levels of rulemaking and regulatory scrutiny the profession has faced since the turn of the century.
Both the U.S. Sarbanes-Oxley Act of 2002 and the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act, as well as countless other pieces of regulatory reform, have tended to emphasize the compliance function of internal audit. If stakeholders, especially in the energy and financial sectors, for instance, see internal audit as a box-ticking function, it is largely as a result of these requirements.
Since Donald Trump became president, an estimated 600 regulations have been eliminated, according to George Washington University’s Regulatory Studies Center. High-profile examples include the partial repeal of the Dodd-Frank Act, the repeal of the Affordable Care Act individual mandate, and the Federal Communications Commission privacy rules.
If internal audit’s key stakeholders, including audit committees, believe that most of internal audit’s value comes from ensuring the organization complies with regulations, it does not bode well. They may believe that if the regulations disappear, internal audit will not be needed. This could not be further from the truth. Indeed, while regulations may be eliminated, the risks addressed by them will continue to exist. If anything, risks and the related need for internal audit services increase in a deregulated market. Still, it appears conditions are not prime for internal auditing to become a mandated function within organizations in the foreseeable future.
A recent IIA global study on the regulation and licensing of internal audit reveals a consensus among stakeholders that, for several reasons, governments should not regulate or mandate internal audit. Regulation can take away decision-making from management and the board, say respondents to the study.
Regardless, this has not stopped The IIA from moving ahead with a strategy to advocate for a comply-or-explain mandate for publicly traded companies. Under such a mandate, organizations would have to report whether they have an internal audit function and how it is resourced. If they do not have an internal audit function, they would have to explain how they are mitigating risks. Such disclosure provides an increasingly active investor community vital information about a company’s approach to risk management. But in the interim, internal audit should become an integral part of an organization as the result of a carrot, not a stick.
The second major trend revolves around advances in artificial intelligence (AI), robotic process automation, and other technologies that threaten to replace compliance-based auditing. Internal auditors should fully grasp the implication of such automated auditing. Thomas Sanglier’s recent book,
Auditing and Disruptive Technologies, published by The IIA’s Internal Audit Foundation, rightly argues that to thrive in the near future, audit departments will need to adopt and adapt to such advances. Staying relevant to organizations will mean moving up the value chain so that audit is operating at a strategic level. Technology will process the data.
This is why internal auditors need to tell their stakeholders how valuable effective, strategic, risk-based auditing can be. We can help them see the bigger risk picture by getting involved in supporting the strategic objectives of our organizations. Granted, AI will replace some of the traditional roles and tasks that internal audit has performed, but, in my view, it would be a welcome relief to move away from the humdrum compliance work and start focusing exclusively on what really matters — start focusing, in short, on value.
Internal auditors should make full use of The IIA’s advocacy tools to inform their stakeholders of the value an effective function can provide. These include the
Global Advocacy Platform: Pillars of Good Governance and the
- The Three Lines of Defense in Effective Risk Management and Control
- The Role of Internal Auditing in Enterprise Risk Management and Control
- The Role of Internal Auditing in Resourcing the Internal Audit Activity
- Internal Audit’s Role in Good Governance (available later in 2018)
In addition, auditors can take advantage of relevant Internal Auditor magazine articles (InternalAuditor.org) to get up to date in best practices and share those with their stakeholders, where appropriate. Some recent examples include:
- “5 Steps to Marketing Your Audit Department”
- “Your Personal Brand”
- “Board Matters”
- “The Dynamics of Interpersonal Behavior”
There are many definitions of
value, because the concept changes over time as the demands on internal audit evolve. The IIA’s International Professional Practices Framework is a good place to start. It says, “the internal audit activity adds value to the organization and its stakeholders when it considers strategies, objectives, and risks; strives to offer ways to enhance governance, risk management, and control processes; and objectively provides relevant assurance.”
Putting those sound principles into practice can be more difficult than it might first seem. For example, what is relevant assurance? How can internal audit become more involved in strategic objectives and risks if that is not what stakeholders seem to be expecting? And how do stakeholders understand the value that internal audit can offer?
There is some truth to the idea that internal audit’s value resides in the eye of the beholder — the board, management, regulators, and other external parties. But we cannot be a passive recipient of those views if they do not mesh with contemporary practice. There is a real risk that stakeholder expectations are based on outdated notions of internal audit.
For example, one of my stakeholders is an incredibly knowledgeable individual — a former Big Four partner who is heavily involved in his own professional bodies. Recently, I told him we were doing the annual risk assessment and he surprised me by asking why internal audit was doing so. I explained how performing our own risk assessment helps internal audit create a risk-based audit plan and helps the organization achieve its strategic goals. I was glad that he had come to me because, frankly, I assumed he knew what internal audit did.
The first step to defining your voice is to create a value statement. Examples might include, “external auditors audit the past, we audit the future.” Or, “internal audit assists the board and management in accomplishing their responsibilities.” Or simply, “internal audit helps make the organization more successful.” Be sure to consult internal audit’s stakeholders. Creating a value statement is most effective when the process engages all involved. It is an opportunity to build understanding within the audit team about how audit is perceived and to explain to stakeholders the value internal audit could be offering where that is poorly understood.
Any value statement has to be addressed to the audience it is intended to inform — so while I urge auditors to advocate and educate stakeholders, they must do so in a language that is free from jargon. Because I work for a not-for-profit organization, my audit committee is made up of members of our community. That includes some financial experts, but also a Baptist minister, a real estate agent, and a couple of other individuals who do not have finance and business backgrounds. While they are smart people, I need to be able to explain internal audit’s value in a way that makes it easy for me to demonstrate what we have achieved through our work for the business. Creating a clear and well-understood definition of internal audit’s value for all stakeholders is a powerful tool.
Walking the Talk
In addition to advocating for an enhanced role and communicating with, and listening to, stakeholders, internal auditors need to deliver on their promises. Each of us needs to be the best internal auditor he or she can be. That involves being well-educated about the technical aspects of internal auditing, being up-to-date on current and emerging trends, and making a solid commitment to improve and update those soft skills that are crucial to our roles. Internal auditors should be certified to demonstrate their professionalism. Also, I am a big advocate of volunteering in the profession, of joining local chapters or committees and getting involved. I have benefited greatly on both counts. I am up-to-date on best practices and emerging issues in internal audit, and my organization has benefited from the technical skills I have obtained through my participation. At the same time, I have met some amazing people and developed some great friendships.
One area that CAEs often overlook is using external quality assessments as a challenge to the board. All internal audit departments should undertake periodic quality assessments, as mandated by The IIA’s Standard 1312, which says an external quality assessment must be performed every five years. I accept that it can be a difficult process to go through, but it can also be a tool for change. Presenting the results of such a review to stakeholders can support the CAE’s constant requests that the function be involved in more strategic and challenging work. If CAEs know they are not using audit staff most effectively, the quality review will reflect that in an evidence-based way. It is another way CAEs can find their voice and demonstrate that the audit committee can get real value from its audit function.
Being the best can be challenging and sometimes lonely. It can take time, effort, and patience to get the message through that internal audit is a forward-looking and progressive part of the business when those around you do not necessarily share or understand that view.
To stand in front of a stakeholder and say, “I’m supposed to be involved in strategic initiatives and have a seat at the table” is not always successful or well-received. To further support auditors, The IIA’s North American Board is putting more emphasis on advocating for members — an approach I will continue and extend where possible. It is no longer enough for The IIA’s advocacy to focus on attending meetings in Washington, D.C., to try to influence legislation and advocate for better governance. Although this is incredibly important and we continue to push initiatives with the U.S. Securities and Exchange Commission and other regulators, The IIA also is appealing directly to stakeholders. For example, we are hoping to partner with organizations like the National Association of Corporate Directors (NACD) to make sure they have the tools to inform their members about what they should be looking for from their internal auditors. Many audit committee and board members belong to the NACD and similar bodies. There are many other organizations that serve CEOs, chief financial officers, and other groups, and The IIA North American Board will be advocating and educating on the value internal audit can provide to their members. I urge internal auditors to also advocate for themselves — to “find your voice.” The IIA has many tools to assist you in this endeavor. For example, send copies of IIA advocacy documents to your stakeholders (see “Advocacy Tools,” page 38). Sometimes it is more objective and compelling when it comes from a third party.
Finding Internal Audit’s Voice
Obviously, what I have set out as my theme will take more than a year to achieve. But working together as a profession, and with our key stakeholders, we can help internal audit find its voice — and its place — to foster success and create opportunities in our organizations and beyond.
The 2018–19 North American Board ChairmanKaren Brady began her career with Ernst & Young in New Orleans and has served in various executive positions, including controller and chief audit executive within the hospitality industry. She is a Certified Internal Auditor and Certified Fraud Examiner and has her Certification in Risk Management Assurance.
Today, Brady is the corporate vice president of audit and chief compliance officer for Baptist Health South Florida. Baptist Health is the largest, not-for-profit health-care organization in South Florida, including 10 hospitals and over 50 outpatient facilities spanning four counties. With more than 18,000 employees and over 3,000 physicians, Baptist Health is considered one of the nation’s top employers, according to Fortune’s 100 Best Companies to Work For. It also has been recognized by the Ethisphere Institute as one of the World’s Most Ethical Companies for the past eight years. Brady has been with Baptist Health for over 25 years and during that time has implemented a robust, award-winning Internal Audit and Compliance department.
In addition to serving as North American Board chair and as a Global Board member, she has volunteered at The IIA in various capacities for many years. For example, she is a past conference chair (2011), Learning Solutions Committee chair (2011–2013), and Global Professional Development chair (2015–2017).
Brady also is past president of the Florida Health Care Compliance Association. Recognizing the importance of giving back to the community, she serves as chair of the Finance and Audit Committee on the Board of Riverside House, a charitable organization that helps guide men and women convicted of crime toward becoming productive citizens through a nondenominational, faith-based approach.
She is a fitness enthusiast and enjoys her morning runs. In her spare time, she enjoys travel, hiking, and water sports with her husband Jim.