Extraordinary events can disrupt businesses and rapidly cause significant financial losses globally, as the COVID-19 pandemic has so painfully shown. When the crisis unfolded, board members, executive management, and internal audit teams had to innovate and embrace technology to manage essential change for long-term survival. Being able to respond quickly and adapt effectively to the challenges determined which organizations thrived and which struggled.
A practical, responsive approach, emphasizing product and service quality, is critical as organizations adapt to changing business conditions resulting from the pandemic. Fortunately, responsiveness is an essential component of what internal auditors do every day.
Responsiveness and adaptability require agility, excellent communication, and collaboration between internal audit and functional managers. To help the organization accomplish strategic goals by auditing what matters, internal audit must work closely with the board, management, and other stakeholders while balancing its audit and advisory responsibilities to maintain objectivity and independence.
Value and Responsiveness
Internal audit can add value by helping to make the organization become more responsive. Answers to three questions can explain why:
- What must management achieve for the organization to succeed? According to The IIA’s 2020 North American Pulse of Internal Audit report, despite staffing growth reflecting continued stakeholder support, many organizations do not fully leverage internal audit services for certain key risks.
- What key risks stand in the way of management achieving objectives and meeting performance targets? The Pulse report highlights differences between how chief audit executives (CAEs) view risks and how internal audit resources are allocated to support the board and executive leadership.
- Is it possible for internal audit to improve responsiveness, help management succeed, and solve problems that the board and leadership view as necessary, if internal audit and enterprise priorities are not aligned? While most CAE respondents rate their internal audit functions as mature to support strategic risk management, long-term planning, and continuous improvement, 3% rate their department at the lowest, initial stage, and 17% rate themselves at the second-lowest, infrastructure stage, the Pulse notes.
Internal audit must be able to maintain its independence, continue to drive accountability and transparency, and enhance and protect organizational value by providing risk-based assurance, advice, and insight. At the same time, the department needs to adopt an end-to-end internal audit value chain (IAVC) mindset that enables auditors to help management create, capture, and sustain value (see “Understanding the Internal Audit Value Chain,” below).
|Understanding the Internal Audit Value Chain|
An organization’s objectives are centered around optimal use of people, technology, processes, and corporate culture to achieve strategic goals, sustain performance, and drive profitability. The Internal Audit Value Chain (IAVC) is an end-to-end framework that provides a simple, flexible, and agile structure to connect the organization’s goals with the internal audit support objectives. The IAVC and its key components are defined as the enterprisewide initiatives impacting business functions.
Internal audit’s role in the value chain requires an understanding of the organization’s:
- Strategic alignment and direction.
- Risk management and monitoring.
- Operational efficiencies.
- Quality and compliance.
- Financial management and corporate governance.
- Responsiveness and ability to adapt to the constantly changing business, political, and economic environments.
The IAVC can enable the CAE to collaborate with the board, leadership, and management to:
- Create value — Determine the starting point toward an overarching objective and not the endpoint.
- Capture value — Identify problems the organization is solving and how they are reflected in the strategy.
- Sustain value — Retain factors that allow the organization to create and capture value over time.
A responsive organization is agile in the ever-changing business environment, learns during strategy formulation, and enhances its capabilities as it executes those strategies. When organizations are not responsive, they fail to: 1) identify and mitigate risks impacting strategy; 2) follow up to validate that critical findings were resolved satisfactorily; and 3) address compliance issues, customers, or clients’ complaints timely and effectively. These failures can result in financial losses and reputational damage.
To become responsive, the board, leadership, and management, with support from the CAE, need a simple view of strategy planning, formulation, and execution as an ongoing process. Internal audit can help by:
- Analyzing the current environment and identifying new risks, opportunities, and metrics.
- Facilitating meaningful collaboration with management and stakeholders and learning during strategy formulation.
- Providing tools and support as needed for management to execute the strategy successfully.
This assistance not only can help the organization build responsiveness, it can demonstrate internal audit’s value as a trusted advisor to management, the board, and other stakeholders. In this role, internal audit must show adequate capabilities and always demonstrate integrity, competence, and due professional care.
To assess some of the challenges the organization faces in being responsive, internal auditors should consider these questions as they relate to business operations:
- What are the challenges encountered by the business operations supported by internal audit?
- What are some of the problems internal audit is helping management solve?
- Do these problems impact strategy or address critical challenges faced by management?
- What is the best way for internal audit to help management resolve problems and prevent reoccurrence while maintaining the function’s independence and objectivity?
- What additional skills will internal audit need to plan and execute audits and reviews that matter to management?
In planning and executing risk-focused audits, internal auditors gain visibility of potential threats and fraud, critical risks — including emerging and rapidly evolving risks — and unmitigated findings that may impact the organization’s ability to achieve strategic objectives. If ignored because of a lack of responsiveness, the organization may struggle to respond to catastrophic events. Unresolved findings can result in embarrassing publicity, fines, and severe reputational damage.
Escalating significant issues to executives, the board, and appropriate committees timely is essential for responsiveness. Internal audit cannot wait to complete an assessment and issue a final audit report involving sensitive topics such as fraud, regulatory violations, and the inability to identify emerging threats and evolving risks. It must provide information and actionable insights that management and the board can use to make appropriate real-time decisions.
Using the IAVC as a guide, the CAE needs to develop and implement a simple, adaptable, and scalable framework to monitor and evaluate the progress of organizational goals, including six components:
- Strategic alignment. Internal audit must provide insights based on an understanding of the enterprise strategy and challenges that stand in the way of achieving objectives. This includes making timely changes to adjust to the dynamic environment.
- Risk assessment. Internal audit needs to leverage its experience and lessons learned from performing reviews linked to core risks that impact the achievement of goals.
- Operational efficiencies. Internal audit should promote organizational improvement and optimizing technology.
- Quality and compliance. Internal audit should help management across business operations and locations meet and exceed product and service quality consistently.
- Financial management. Internal audit should help improve financial management and governance and continuously embrace change.
- Responsiveness. Internal audit must connect all the IAVC components and support management in responding and adapting to create, capture, and sustain value.
Ultimately, each organization will have different priorities, and internal audit must continuously evaluate and update its framework to align with the organization’s strategic goals and mission objectives.
Audit Steps for Improvement
There are eight steps internal audit teams can apply, in collaboration with stakeholders, to improve the organization’s ability to anticipate, respond to, and adapt to changing business conditions and mitigate business risks.
1. Staff Flexibly With Subject Matter Experts Demonstrating adequate internal audit capabilities to management comes down to consistently solving problems and helping to mitigate risks that management considers important. By assigning auditors with the right blend of functional and technical skills — along with industry and consulting experience — to perform reviews that matter, internal audit can quickly earn management’s trust.
A combination of in-house staff members working alongside external subject matter experts can enable internal audit and management to promptly speak a common language and transition to providing value-added activities during reviews. Additionally, these experts can probe beyond the obvious issues to uncover the problems management might not be aware of. The right cosourcing arrangements can:
- Provide expertise to help management solve fundamental problems quickly.
- Enable learning and knowledge transfer as internal auditors develop and apply new skills to help management sustain the organization’s performance.
- Increase comfort levels and limit inappropriate pressures from management on audit planning and findings, as well as resistance to accepting recommendations and implementing corrective actions.
Using experts to solve the right problems creates positive outcomes for internal audit, the board, and management without a substantial personnel investment. As a result, the CAE can address the root causes of significant problems quickly and provide solutions that can enable management to succeed, respond, and adapt to changing conditions.
2. Track Remediation of Findings and Resolution of Issues and Complaints An organization cannot be responsive and adapt to changing internal and external constraints if it does not identify and mitigate emerging and evolving risks. The organization’s responsiveness is impacted when management ignores audit findings — including fraud red flags. To be responsive, internal audit needs a method to track the timely and appropriate remediation of all audits and findings by management, including independent validation of critical corrective action plans.
3. Escalate Issues to the Board and Committees Timely Delays encountered from remediation of findings associated with significant risks or fraud must be escalated to the board timely. Internal audit can enhance responsiveness by remaining objective and free from undue influence.
4. Assess Corporate Culture and Leadership Tone Internal audit should evaluate the current corporate culture, tone at the top, and effectiveness of the whistleblower and ethics programs.
- Does the corporate culture encourage employees and stakeholders to report fraud or violations without fear?
- How has the organization addressed and resolved previous complaints?
- What are the elements of culture impacting responsiveness and adaptability to evolving customer expectations, risks, and the business environment?
5. Evaluate the Effectiveness of the Crisis Management Strategy The ability to quickly evaluate the severity and impact of negative publicity and communicate the appropriate responses to the public (customers and regulators) is imperative. For example, companies such as Amazon responded quickly to the COVID-19 disruptions and succeeded at meeting and even exceeding customers’ expectations throughout the pandemic.
Information travels fast in the digital environment, and the public perceptions of initial responses often become a permanent reality that impacts the organization’s reputation. Internal audit should perform readiness reviews, including evaluations of previous crisis management incidents to validate that management not only fulfilled all promises communicated, but delivered more than it promised to regain public confidence. Did the crisis management campaigns reviewed achieve the intended effect? If not, what enhancements can internal audit recommend?
6. Periodically Review Policies and Procedures for Alignment With Objectives Businesses create policies and procedures to guide how they perform routine tasks. Employees may perceive that management has documented and approved all formal policies and procedures, but this is not always the case.
Internal auditors can help management by routinely evaluating policies and procedures and ensuring they align with established goals, strategy, and the current business environment. Such reviews also can validate that policies and procedures are achieving the intended effect. How are corporate policies and procedures understood and applied across business functions and locations to help the organization respond and adapt? The validation steps can include clear messaging, understanding, adequate oversight, continuous monitoring, and appropriate execution.
7. Minimize Turnover of Qualified Internal Auditors It can be difficult to replace internal auditors who have gained substantial knowledge from working closely with outside experts through cosourcing arrangements. Also, skilled auditors may leave the organization if they lack challenging assignments. Hiring and training replacement staff has opportunity costs for the audit function, including lost value creation and the inability to help management respond and adapt to changes. To retain staff, internal audit should reward excellent performance by giving auditors a varied workload of fulfilling, challenging, and high-profile reviews that impact strategy.
8. Develop Appropriate Responsiveness Metrics Organizations cannot manage what they are not able to measure. There are a variety of relevant key performance indicators, key risk indicators, risk events, and other metrics for measuring the effectiveness of the organization’s responsiveness and adaptability. Internal audit should collaborate with the board and management to determine the appropriate metrics for the organization.
In a time when responsiveness has never been so critical, organizations need an internal audit function that can help the board, management, and stakeholders solve pressing problems. That requires internal audit to change its business-as-usual skills and mindsets to gain stakeholders’ trust and communicate and collaborate with the board and management.
Continuous evolution is required for internal audit to function as management consultants when necessary by helping solve unique problems, support crisis management, and drive results. Auditors’ knowledge and solutions are what management needs to become responsive and adaptive in a time of constant change.