Boards still largely think of internal audit as a control function rather than a resource they can call upon for help on a wide range of strategic and risk-related issues, say senior internal auditors. Several leading figures from the profession attended the National Association of Corporate Directors Global Board Leaders' Summit last month in Washington, D.C., and all of them were taken aback by the presenters' lack of reference to internal audit and corporate governance. They were surprised at the absence of discussion on contributions the function could make to a range of key emerging risk issues, including cyber risk, corporate social responsibility, and climate risk.
Nancy Haig, head of internal audit and compliance at a professional services firm in New York, and a member of The IIA's North American and Global boards, says that directors are "still missing a trick" by overlooking the contribution internal audit can make to assisting in the governance process. "In most of the talks that I attended, speakers regularly said that they wanted more risk assurance, and they wanted to be better informed, but they rarely said that they sought help from internal audit to deliver this," she says. "It just didn't seem to occur to any of them that internal audit is an excellent resource to call upon for this kind of work."
The audit leaders who attended the event agree that internal audit's capabilities appear largely underappreciated by members of corporate boards. They point to the need for change and for increased board awareness regarding the important role practitioners can play in organizational governance.
Haig says that directors seem to view internal audit as a function that just checks financial controls, noting that they overlook how much more the profession can provide. "It is a key internal resource that can help review whether there are sound processes in place for determining corporate strategies, and how best to implement them," she says. "Internal audit can help identify future risks to the business and suggest approaches to mitigate them. These are all crucial elements of good corporate governance, but directors may still not be making the best use of the skills that internal audit has to offer."
Haig suggests that, in some organizations, there may be too much focus on determining what directors' responsibilities are rather than on how support functions such as internal audit can help directors, as well as management, achieve their goals. "This is an area that may be ripe for change," she notes.
Benito Ybarra, chief audit and compliance officer at the Texas Department of Transportation in Austin, Global IIA board member, and chair of The Institute's North American Board, says the relationship between internal audit and the board needs some work to ensure better outcomes. Typically, he says, communication between the two is largely "one-way," with internal auditors working to make the most of the board members' limited time through varying methods of communication and boards not fully understanding the potential breadth of an internal auditor's role.
"Board members understand that internal audit exists within the organization, but it is a function that is assigned to the audit committee," Ybarra says. "It doesn't usually occur to them to call upon the function to do anything that the audit committee has not already agreed upon. The board's primary function is oversight of the organization, with the organization's leadership within its focus — not internal audit."
Internal audit can also face challenges stemming from its reporting relationships. Many chief audit executives find themselves reporting functionally to the board or audit committee, but administratively to the chief financial officer or other members of the organization's management team. "This inhibits the internal auditor from gaining access to the CEO and limits their perspective regarding the organization's strategy," Ybarra says. "This can negatively impact the internal auditor's ability to formulate and position the function's skill set to ensure alignment and focus on advancing the organization."
Another part of the problem, Ybarra says, is that some internal auditors can be reluctant or "too timid" to participate in discussions involving strategy, risk management, culture, and governance. The profession may be associated more with what it won't do rather than what it is capable of doing.
"Boards can be frustrated by internal audit," Ybarra explains. "Executives get tired of hearing that internal audit can help identify risks but can't provide solutions for managing them."
As a result, it's time for the profession to "step forward," Ybarra asserts. He says that internal auditors should focus on "ways it can say 'yes'" more often, rather than saying that something does not fall within their remit, or citing independence, expertise, or resource issues. "Saying 'yes' more often can result in advancing yourself, the organization, and the profession much more than limiting yourself to being in a documentary in which you can't participate," he says.
Ybarra adds that internal audit functions should position themselves to be trusted advisers that can provide ideas and solutions and think about how to add value in the same way that a consultant would do. "Internal auditors need to understand what boards are focusing on, the problems they are facing, and think of ways of helping," he explains. "It is not tenable anymore to take a step back from these kinds of discussions. They need to think more strategically and about the contribution they can bring to the table. In short, they need to do and deliver more."
A recent IIA report, OnRisk 2020: A Guide to Understanding, Aligning, and Optimizing Risk, provides insight on how internal audit can make contributions along these lines. Citing misalignment on risk among board members, executive management, and internal audit, the report points to deficiencies in the completeness and quality of information flow to boards as a potential cause. Suggested internal audit remedies include asking board members if they are comfortable that the information provided to them is complete, accurate, and timely, and reviewing certain board materials, such as those involving mission-critical risks, to verify and communicate whether any information is incomplete or inaccurate.
Neil Frieser, senior vice president, Internal Audit, at telecommunications company Frontier Communications in Norwalk, Conn., and IIA North American Board member, says that if internal audit wants to engage board members' hearts and minds, they need to increase awareness about how the organization can leverage its skills.
"Reminding boards what kind of work we already do will only achieve so much," Frieser says. "We need to educate them about where the profession is heading and the new areas of focus that we are interested in working on. We need to demonstrate proficiency in key areas such as data analytics, robotic process automation, cyber risk management, business ethics, corporate reputation, and environmental risk awareness. As a profession, we need to show that we are more than a function that just looks at compliance and internal controls — we need to give them confidence that we understand how the business works, identify obstacles to achieving established business strategy, and how we can help the board fulfill its duties."
He also points out, however, that time allotted for interaction with board members can be very limited and notes the importance of being thoughtful about agenda items and crisp in the delivery of information.
The best way to get the board's attention, Frieser says, is for internal auditors to be thought leaders and advocates for their functions and the profession. "If we want to raise our status, we need to make sure we truly engage the board at a higher level than we have done historically," he says. "We need to show what we can do and be accountable for it."