Metaphorically speaking, the music internal auditors make — the key ways we perform in our roles and the insight we bring to each engagement — must be our own special song. Each organization is different — each board of directors, C-suite, chief audit executive, and internal audit professional — and so is every geography, market, and strategic plan. In each instance, we have a unique opportunity to demonstrate our strategic knowledge of the organization and our understanding of the various business environments we occupy.
We maximize that opportunity, and demonstrate the value of internal audit to the organization, when each person's contribution joins all the others' to create something that wasn't there before — not just a report, or an update, or an analysis, but information and knowledge, insight and foresight. Musically speaking, notes and beats combine to form a melody, the memorable part of a song that stays in our heads because it's catchy, or moving, or somehow more engaging than usual. Our internal audit melody consists of the advice, data, and background details we provide that contribute to the organization's success.
Of course, melody without harmony can seem detached and less relevant — and melody without rhythm can ramble without direction or emphasis. Music is most memorable when all the elements are in sync. Our input as internal auditors is much the same. When we
Audit in Tune, my theme as the 2019–2020 chair of The IIA's Global Board, we combine our growing influence and our ongoing grasp of the fundamentals of the profession.
Fine-Tuning Internal Audit
Successful audit professionals continuously fine-tune their audit approach and philosophy to adjust to rapidly changing conditions and to account for the evolving expectations of their stakeholders, whether we are auditing a business; a nonprofit organization; a university or school system; or a local, county, regional, state, or federal government entity.
As our influence and authority within our organizations continues to grow, we serve our stakeholders best, and keep earning our seat at the table, by building collaborative relationships with management and all other departments, including finance, IT, human resources, and legal, that help facilitate review and mitigation of key risks. I cannot overemphasize the specific merits of strong relationships with the organization's compliance function, if it's separate from internal audit. There's mutual benefit in working together to identify risk management opportunities that may not be evident to either function alone.
Indeed, our value proposition as internal auditors is built on maintaining a voice — and ongoing strong rapport and visibility — with the audit committee and senior management, and reinforcing the professional and standards-driven orientation of the function. That's what helps foster a corporate culture where our contributions are understood and respected. Forming and keeping those internal ties can be as simple a proposition as scheduling periodic lunches or meetings with relevant personnel; just about any format for keeping in touch will work, as long as it upholds the organization's cultural standards and the internal audit function's independence.
This is critical: We don't have to sacrifice our objectivity to successfully partner with our clients. Indeed, some of the best, most useful audit observations come from colleagues — the board, C-suite, line management, or hourly employees — who trust us.
Providing the Melody
The CIA designation I received more than 30 years ago means more to me now than ever. As our profession evolves and our influence grows, the CIA reflects our commitment to professional standards and confirms our value as trusted advisors to our growing network of stakeholders.
In fact, the relevance and impact those three letters represent today would have been hard to imagine when I completed my first internal audit in 1983. I remember when workpapers were prepared manually on narrative sheets and columnar pads, red and blue pencils were used for tic marks, and all reports were handwritten and left with the stenographers to be typed up later. Facsimile machines were the epitome of high tech.
At the time, I was in an internal audit position with JCPenney Co., where I benefited from outstanding training. Over time, I moved through the company’s Pittsburgh, Philadelphia, and Dallas offices. I’ve been with the Blue Cross Blue Shield Association (BCBSA) in Chicago since 1999, where I serve as the vice president, chief auditor and compliance officer. BCBSA is a national association of 36 independent, community-based, and locally operated companies that together cover more than 107 million members.
The scope of my internal audit work includes our Chicago and Washington, D.C., offices. We build an annual plan as a guide for addressing identified risks and then adjust it as necessary. Interestingly, many of the audits come in the form of management requests, which I consider validation that management perceives the value of our services. As compliance officer, I administer our internal code of conduct, business ethics training, conflict of interest process, and compliance helpline, and I am responsible for our national anti-fraud department, which supports the Special Investigation Units battling health-care fraud at each of the Blue Cross Blue Shield licensees. It is important to note that transparent and mitigating controls have been long established to maintain the independence of our internal audit function, despite these “second line of defense” responsibilities.
I was encouraged to volunteer for the IIA–Dallas Chapter shortly after becoming an IIA Audit Group member in 1989. Since my first committee assignment, I’ve filled an almost unbroken string of committee, officer, and local board roles, including serving as the IIA–Chicago chapter president and on various international and North American committees and assignments. I was the 2015–2016 chair of The IIA’s North American Board, which oversees all IIA operations in the U.S., Canada, and the Caribbean. During my term, we went through an intensive strategic planning session to make sure we synched appropriately with The IIA’s revised Global Strategic Plan.
The IIA’s Global Board — the governing body of The Institute — also has undergone a recent strategic refresh, and we’re better equipped than ever to manage The IIA, itself, and to provide the guidance and information that individual chapters and affiliates, as well as individual practitioners, count on us for every day. Our long-standing motto is Progress Through Sharing. My theme is Audit in Tune. I hope that when you combine those messages, what emerges is an orchestra of internal audit professionals helping each other achieve world-class results. Let’s have a great year.
For internal auditors to provide the melody behind their organization's success, they need the right instruments. That's where The IIA comes in. Ultimately, it is The IIA's responsibility to provide internal auditors with the information they need in advance — before challenges grow too large — so they can then provide real value and unique insights to their own stakeholders.
Challenging times loom, and The IIA stands ready to help internal auditors face them with streamlined organizational governance as nimble and flexible at the global level as individual internal auditors must be every day. When internal auditors turn to The IIA for support and assistance, The Institute must respond quickly with the required updates and details. Beginning two years ago, The IIA embarked on a comprehensive assessment of its own governance practices, benchmarking as it progressed against a wide variety of resources. Two of the key outcomes of that review were a significant reduction in the size of the Global Board — from 38 members to 17 — and elimination of the 10-member Executive Committee of the Board. In a sense, the entire 17-member new Board will function as an Executive Committee. Those changes were approved by the membership in May 2018, and they became effective with our Annual Business Meeting in July 2019.
Moving forward, one of the many expected outcomes of the change to a leaner, more-laser-focused approach will be a more nimble decision-making process at The IIA's Global Headquarters, so it can respond to emerging issues more timely, while maintaining a focus on the strategic issues involved in operating an enterprise this large. This enables the Board to provide forward-thinking guidance both to the organization and to the organization's members.
The IIA's reorganization and ongoing efforts are designed with rhythm and harmony in mind, too, of course. They're the other elements — "rhythm" is developing our skills at performing the basic functions of our profession, and "harmony" is expanding contact and colleague networks within our organizations — that combine with "melody" to create the music internal auditors make when they audit in tune.
In music, harmony is achieved with chords that move from beginning to middle to end, combining individual notes into richer, deeper sounds that blend multiple individual sonic expressions to tell a more impactful musical story. In internal auditing, harmony is the influential role auditors play in our organizations' success. Internal audit needs to be in lockstep with all of our stakeholders — and manage our audit processes in a way that's structured to hold everything together. That enables auditors to identify the key risks facing our organizations and ensure that our audits are timely, relevant, and responsive. This includes providing useful, meaningful advice on mitigating and exploiting those key risks, as appropriate.
At my organization, the Blue Cross Blue Shield Association, we're fortunate to operate in an environment with a strong ethics and control culture that supports the work we do — and that facilitates collaboration among colleagues with shared goals and interests. You might say we operate in a "harmonious" environment.
In music, harmony can come from a musical instrument or an orchestra, a voice or a choir. And if we audit in tune, the music we make can come in any format, as long as the right content is there. For example, when it comes to documenting our work, it doesn't matter whether our instrument of choice is a simple desktop application or a vendor-supplied workpaper tool — nor whether you're a solo act or part of the 100-plus member London Philharmonic Orchestra. At the end of the day, we all need efficient, professional, clear, and objective techniques to validate and support our audit observations and recommendations.
The Rhythm of the IPPF
The techniques internal auditors use, no matter how sophisticated, must be based on the basics of our profession. Every piece of music has a backbone of rhythm — it's the building block that supports a song. Similarly, when I talk about rhythm as part of my theme this year, I'm referring to internal audit's need to master and employ the fundamentals of the field as the processes we use, and the stakeholders we serve, continue to evolve. Indeed, as stakeholder expectations increase for many internal audit departments, we need to remember that credibility — one of our most valuable qualities — comes from both current knowledge and command of the basic skills that define a profession.
Demonstrating our command of the critical fundamentals of our work begins with the implementation of the International Professional Practices Framework (IPPF). The IPPF really should underpin everything we do as we engage in frequent and robust discussions with our audiences — our boards and audit committees, senior and operating managers, and, importantly, regulators. Consider the IPPF's Code of Ethics and
International Standards for the Professional Practice of Internal Auditing to be the sheet music from which we should all be playing. The functions it facilitates — our ability to proactively identify and prioritize corporate risks, maximize finite audit resources through efficient and innovative audit techniques, and develop value-added recommendations for enhancing operations to help management achieve its objectives — are tangible metrics internal auditors can demonstrate.
I'm also a relentless advocate for professional certification. Becoming more complete internal auditors requires us to support the Certified Internal Auditor (CIA) designation, a globally recognized symbol of professionalism that demonstrates our ability to play a leading role in elevating organizational success. The CIA reflects our commitment to continued professional growth and development and shows our value as trusted advisors. Truly, it plays an instrumental role in helping us make our mark on our organizations and our profession.
A Brand New Beat
We have the opportunity to maximize our results when we audit in tune. Enhancing our rhythms, harmonies, and melodies will be increasingly critical in the future. The key challenges we face — remaining relevant and increasing our value to stakeholders, given the pace of innovation and changing risks; providing consistent work product quality, given the varying maturity of the function globally; and the continuing need to increase our skills — will demand every resource we can command in response.
It's time for internal audit to move to a new beat — each department's and each practitioner's unique blend of industry insight and strategic smarts — in every geography The IIA represents. And it's time to take center stage for broader and broader audiences. But as we do so, we can't forget our fundamentals. Let's take on the challenges ahead as a band of professionals making our own kind of music.