The last few months have catapulted internal auditors into rethinking and reimagining how they can best serve their organizations. Most of us have experienced and witnessed businesses either progressing or regressing within this evolving risk landscape. So much has changed — perhaps permanently.
While life is about constant change, the pandemic has highlighted how rapid and deep change can be. Resilience in its basic form is the capacity to achieve your mandate in spite of the challenges those changes bring. Although many people see resilience as the capacity to bounce back, for me it also involves bouncing forward to a new state no matter how difficult that may seem during this time of crisis. In my year as chair of The IIA’s Global Board of Directors, I will work to help our profession “Reimagine Resilience.” For internal auditors and their organizations, resilience demands far-reaching transformation.
Challenges and Opportunities
The public health dimension of the pandemic has naturally been at the top of the current agenda; however, its other impacts have accelerated preexisting challenges for businesses. One of the key issues over the past few years has been business model transformation. The components of this complex trend can be summed up in a neat formula: D2C5. If D2 is data and digital, which represents what many business models are increasingly based upon, these factors are further shaped by five pressing influences:
- Customer expectations of online, real-time services backed up by fast fulfilment.
- A Competitive landscape that is highly dynamic and unpredictable.
- Culture and Conduct, which are molded by organizational philosophies and reputation.
- Compliance imperatives guided by the regulatory landscape.
- Cyber platforms that present risks and opportunities.
Each of these trends can have profound implications. For example, during the pandemic the control environment associated with the cyber world has rapidly evolved. It is often no longer predominantly on-site at the business. It has moved into homes and onto the cloud, making the cyber environment much more vulnerable. Layered over these immediate challenges are new geopolitical trends, climate change, and the fourth industrial revolution.
But threats bring opportunities for those ready and willing to grasp them. Throughout the pandemic, for instance, internal audit has had to find smarter ways of conducting audits and offering advice quickly through the effective use of technology. Many internal auditors have revolutionized their working processes and departments to operate in tandem with their businesses. They have become trusted business advisors and represent pockets of excellence throughout the world. Elsewhere, internal audit leaders must become more catalytic by encouraging innovation and smarter ways of working. They must realign their objectives with what is happening in their organizations.
I urge internal auditors to rise to the challenge by focusing on five core imperatives — technology, agility, collaboration, talent, and tenacity.
A Resilient Life
The theme of resilience resonates with me because I grew up in an orthodox, deprived family during the apartheid years in South Africa. Both of my parents died in middle age — an experience that forced me to derive independence from a young age. These events led to me constantly and tenaciously reimagine my future.
Today, I have more than 26 years of corporate experience, including working as an internal auditor in diverse industries, and I have become known as a change agent in the profession. For 16 years, I also served as a nonexecutive director of both public and private sector entities, which boosted my strategic and operational knowledge. Being an internal auditor has provided me with the best platform for making a significant difference in the organizations in which I have worked.
I moved from being senior vice chair to global chair of the IIA Global Board of Directors in July 2020. I am currently CEO of the Independent Regulatory Board for Auditors (IRBA). The IRBA is a public protection statutory body established to protect the financial interests of the public by ensuring registered auditors and their firms deliver services of the highest quality.
Recognized as “South Africa’s Internal Auditor of the Year” in 2014, I have overcome my fear of public speaking by addressing conferences around the globe on a variety of topics, such as corporate governance, risk management, auditing, combined assurance, women in leadership, and the impact of AI and robotics on industries. In addition, I participate in mentoring circles, panel discussions, and networking sessions throughout the world, and I strongly believe in developing young minds.
I participated on the King IV Corporate Governance technical committee before its release in November 2016. I am also one of the contributing authors to the seventh edition of Sawyer’s Internal Auditing. This book is used globally at universities to teach internal auditing. Most recently, I chaired a global working group spearheading The IIA’s Three Lines Model, which is an update of The Three Lines of Defense and was released in early July.
I continue to reside in South Africa. And with my supportive husband, we are raising two teenage daughters and a Maltese poodle.
Use Technology Strategically
Technology enables internal auditors to be strategic and focus on the bigger picture. With the holistic view technology can provide, auditors can help accelerate smarter ways of working and improve decision-making within the organization.
For example, at one stage in my career, I worked in a bank as chief audit executive (CAE). My team was given the job of evaluating different governance, risk, and compliance platforms that would be rolled out across the enterprise. We wanted to use the same platform to create a holistic view of the risk and control environment. Thus, we developed common taxonomies for the organization so we were consistent in our reports to governance committees. This eliminated the common problem of partitioning risks within individual business units, and it added value to reporting to governance committees because the first, second, and third lines could talk consistently about any particular risk.
Few technology implementations run smoothly from day one, and there will be frustrations along the way. If the organization is lagging technologically, internal audit will need to encourage management to speed up its implementations. Internal audit departments with few automated processes should start small and build over time. Where the business has been at a more advanced technological state than the internal audit department, for instance, internal audit should leverage the business’s expertise and experience to develop smarter audit techniques. This will enable internal audit to align its capabilities with the enterprise.
Be Agile to Address Priorities
For internal auditors, being agile means ensuring their teams are aligned with organizational priorities and can respond quickly. Aside from just embracing agility in the audit process or methodology, internal auditors must provide relevant insights and advice that foster innovation and improvements within organizations. Too many audit departments are locked into an annual audit planning cycle that stifles creativity and flexibility. CAEs need to be confident that their planning process gives them the power to frequently realign and change their audit program so it reflects their understanding and anticipation of emerging issues.
Taking such an approach elevates the creation of the annual audit plan into an exercise in combined assurance. In my time as a CAE, for example, the process was underpinned by holding an annual audit planning workshop with key stakeholders. As part of such a workshop, the CAE should ask the CEO, chief risk officer, nonexecutive directors, and others how they see the risk and control environment and whether they think internal audit has missed anything important. The CEO has an opportunity to directly articulate the key risk and control areas internal audit should address. That may include new corporate activities or mergers and acquisitions, where an internal audit exercise could add value. The CAE can list these critical activities and build them into the internal audit plan.
While the annual plan retains its importance in the agile audit process, it is equally important to engage more regularly with the audit committee and other board committees. A quarterly meeting can be effective in sharing which audit activities are in progress and which have been suspended because they have ceased to be key priorities for the organization. Agility enables the audit department to be risk-based in its planning. It enables the CAE to use his or her seat at the table to listen to what’s happening and align the audit plan to reflect the organization’s most important priorities.
Collaborate to Communicate
Collaboration is critical to internal audit’s success. While some internal auditors have specialist knowledge of particular audit techniques or business areas, most are not specialists — those specialists are most likely sitting in the first and second lines. Internal auditors must leverage the knowledge and expertise in those lines without crossing the line of objectivity. In fact, CAEs must see collaboration as a strategic role for the internal audit function. Collaboration creates alchemy across the three lines — that magical process of transformation and combination that happens when people work with each other and respond to, anticipate, and reshape what is taking place in the organization.
Strong relationships within the business also can help auditors better understand the nuances and dynamics of the risk landscape. In my roles as a CAE, every audit engagement began with a facilitated audit planning workshop with the managers in the target area and the risk and compliance people. That enabled the team to create a risk and control matrix that was reflected in the audit process and in the reporting.
Using this approach, the audit’s stakeholders receive regular communication from the audit team, and during the closing process the same participants come together in an issue-remediation workshop. The same players that were there at the planning stage discuss with internal audit the exposures that the organization faces if the risk manifests, the root cause of those risks, and the agreed management action to address them. Not only is the whole process done faster through collaboration, it also avoids internal auditors making best practice recommendations that may not be pragmatic for their particular organizations. Management actions are firmly owned by the very people who have helped identify them.
Hire the Right Talent
Effective talent management enables internal auditors to achieve the optimum mix of skills and experience to serve their organizations well. Internal auditors at every level of the profession must be committed to continuous professional development. That entails both understanding what is happening in their own industries and in the internal audit profession at large. The IIA globally has been enhancing its services to help internal auditors achieve their potential as professionals who can become trusted advisors with a holistic outlook.
Traditional internal auditors are fast becoming obsolete. Today, all auditors need to have the knowledge and skills to audit the entire value chain. Recruiting the right new people, sometimes with nontraditional audit skills — those with different ways of thinking, who embrace change and are willing to adopt new ways of working — has become even more essential. CAEs must ensure they work with human resources (HR) so the recruitment and selections processes do not reflect outmoded stereotypes of attracting the right internal audit talent. By working with the head of HR, CAEs can ensure they communicate what the business needs and that the right skills are developed within the team.
CAEs must use all the tactics available to build talent, including hiring secondments from the first and second lines and cosourcing from a third party. Staff must be equipped with the right IIA qualifications and training. CAEs can boost skills by creating networking forums in specialist areas to spread knowledge among the entire team. They should consider using The IIA’s Global Internal Audit Competency framework alongside the audit plan to identify gaps and plan for the future skills needed in the team.
Individuals and organizations that are not tenacious are not resilient. Tenacity enables internal auditors to change challenges into opportunities. That requires having the courage to share views on the risk landscape that business leaders may not want to acknowledge nor accept. That is what it takes to have a seat at the top table.
Looking at the challenges posed by D2C5, tenacity becomes a vital resource. In some respects, I am fortunate enough to have a bold personality — I am naturally able to voice my opinions, accept criticism, and learn from my mistakes. But I also live by a certain motto that says competency builds confidence. If internal auditors commit to lifelong learning and are able to demonstrate their competence to themselves and others, they will develop the courage necessary to understand, learn, speak up, and open themselves to new challenges.
On a very practical level for CAEs, that means using their seat at the table to invite constructive criticism. I have always used customer satisfaction reviews as part of my internal audit routine. After every audit and also biannually, I issued a report card to stakeholders. Any criticism is a good starting point for improving the audit process. Sometimes it is going to be difficult to retain one’s composure, but internal auditors must be able to navigate corporate politics. As I often say, persistence pays profits.
If that all sounds like too much to take on, internal auditors should remember they are not alone. They are part of a global profession that is working together to achieve excellence in organizations. The Global IIA is a treasure trove of resources — whether it is the formal qualifications, training, webinars, and conferences, or the informal networks and special interest groups. For example, Global IIA has been very active during the pandemic, putting together the COVID-19 Resource Exchange where members can freely tap into the different ways of auditing during this time. Working with the Global IIA team has been fantastic for me, personally, because it has allowed me to network with like-minded individuals.
I urge all internal auditors in this difficult time to reimagine resilience, both in their own professional lives and in the internal audit functions in which they work. Be enthusiastic, commercially aware, and not afraid of moving into uncharted territory. If internal auditors can learn to better shape the destinies of the organizations that we serve, we can help those organizations bounce forward as they emerge from the crisis.