What are the biggest risks organizations will face next year?
Joyce: For many, cybersecurity, data management, and third-party vendor compliance will remain the biggest immediate concerns. Recruitment and retention of skilled employees will be an ongoing challenge. However, we are living in an unusually high period of general uncertainty. The economic and political environments, extreme weather, trade relations, regional military action, etc., all create the potential for “black swan” type risk events that auditors should be thinking about. This may require revising traditional risk assessment approaches to reflect the potential impact of these uncontrollable events.
Ybarra: The continual rise of automation, robotics, and the less-than-predictable geopolitical climate will impact how organizations do business and will challenge their resilience. There will be more pressure to ensure operating strategies and staff are agile and flexible enough to withstand a potential recession, impacts to supply chains, and a changing workforce. The talent and platforms that are creating value today may need to quickly shift and adapt as things change more rapidly.
What risks do digital transformation initiatives present organizations?
Ybarra: Organizations must ensure that digital transformation initiatives are prioritized and measured based on the criticality of their data assets. Undisciplined approaches that do not consider classification, access, and data security could incur more costs than the transformation is projected to save. Ensuring key players are involved in the development and execution of initiatives is critical to achieving higher success rates.
Joyce: The first risk would be failing to recognize the need to transform one’s business model quickly enough, and to establish a clear vision of the desired end state. The second risk would be failing to effectively manage these projects. These transformative projects tend to exceed expectations regarding complexity, budget, resource demands on personnel, scope creep, etc. Equally vital is ensuring a flawed process is not digitized in the hope that greater use of technology alone will create value. Like most large projects, a digital transformation initiative requires clearly established objectives that support the stated strategy, adequate resources and support from senior management, continuous supervision, measurable metrics to gauge progress, and contingency and parallel operational capabilities to mitigate delays.
What opportunities does the recent change to the Statement on the Purpose of a Corporation offer internal audit?
Joyce: You are referring to the Business Roundtable’s announcement in August 2019, when more than 180 CEOs committed to lead their companies for the benefit of all stakeholders. This represents a significant conceptual shift from their prior corporate governance statements, which have historically emphasized shareholder primacy as the dominant stakeholder. While it remains to be seen how effective this emphasis will eventually be, the idea that putting customers first, investing in employees and their local communities, engaging fairly and ethically with suppliers, and long-term value creation are directly connected to ultimately positive shareholder returns is certainly one that can be supported through internal audit assurance of the specific goals established to achieve measurable results.
Ybarra: The potential here is huge, as it calls for the focus of the organization and its leaders to be broader than providing shareholder value. Auditors will need to consider how organizations generate value, in addition to their focus on revenue and expense drivers. For instance, concluding on the organization’s ability to “support the communities in which we work” could be a monumental challenge for some internal auditors; however, focus on areas like this could help further differentiate and elevate an internal auditor’s role and highlight those with dynamic abilities. It will be increasingly important for auditors to communicate with boards and leadership to ensure focus in assessing progress in these areas is supported and aligned with expectations.
What role should internal audit play in providing assurance over the information going to the board?
Ybarra: The mission criticality and necessity of information going to the board should be assessed by internal audit and included, to some extent, in its engagement plan. Boards provide oversight and key approvals based on the information they are provided, and they must be assured that the information can be relied on. Deeper discussions with the executive team and audit committee regarding this level of assurance must occur to ensure their engagement and support.
Joyce: Clearly, recent survey results have demonstrated an inconsistent confidence level that boards receive the information they need to effectively manage strategic risks. To that end, chief audit executives (CAEs) might start by validating their audit committee’s comfort with the level, depth, and timeliness of information they currently receive to satisfy their oversight responsibilities. Are the internal processes that compile this information designed to promote accuracy and transparency? What information provided is highly valued, and what information is ignored, or found not to be relevant? Obviously, time and effort should be devoted to facilitating those information streams that most directly relate to the board’s strategic and governance accountabilities.
How can internal audit help address toxic cultures in an age when corporate behavior is under the microscope?
Joyce: There should be no tolerance in today’s world for toxic corporate behavior. It drives away good employees, and will ultimately damage or destroy organizations that fail to identify and correct it. Internal audit is in an ideal position to continually assess the ethical and compliance environment within their organizations, and report opportunities for resolving gaps. They can partner with their compliance, legal, and human resource functions to ensure that employees are encouraged to report potential wrongdoing, and are supported and protected when they do so. They can ensure that any appropriate corrective or disciplinary action is applied timely, fairly, and consistently at all levels. They can measure the actions and examples set by senior management, and reinforce their critical responsibility to serve as behavioral role models. They can ensure that dialogue at the audit committee level includes frank discussions on these subjects when applicable.
Ybarra: No. 1 is to take a position on identifying and rooting out issues with the culture. Auditors can get stymied by seeking undeniable criteria on which to base their conclusions. It will take: 1) creativity and communication to formulate and agree on the elements of culture that will be evaluated; 2) conducting engagements or including evaluation of these elements in every audit engagement; and 3) having the courage to report results, offer potential solutions, and follow up to ensure effectiveness and sustainability.
What skills should CAEs be looking for in new internal audit hires going forward?
Ybarra: In evaluating potential hires, CAEs should be looking for an ability to listen, process, and demonstrate understanding before offering solutions. I’ve run across too many internal auditors who have answers before the problems are even identified. The mark — and genesis — of internal auditors is in their ability to listen. It’s a basic skill that we need to continue to practice and teach.
Joyce: In many respects, the attributes of an effective new auditor haven’t changed much in my 36 years in the profession. Basic technical skills will always be required, and the emphasis on adopting and maximizing emerging technology will continue to grow. Having a problem-solving and inquisitive nature also are important. However, soft skills are ultimately what sets a great auditor apart from an average one. The ability to effectively communicate, both verbally and in writing, is more difficult to teach a new auditor than how to sample accounts payable invoices, for example. Much of our job should be engaging with operational staff in a manner that makes them comfortable enough to share information and explain processes in a way that we may not have identified on our own.