A few months ago, I got the opportunity to be on a panel that was part of a virtual conference. After the presentation was over, attendees provided some additional questions, and we panelists were asked to write up our answers. I was involved in three of those questions. While the themes are unrelated, they all say something about the current state of internal audit and how we do our work. Following are edited versions of the questions and edited versions of my answers.
Q1. Do you think management should be involved in risk assessment processes? To what extent? What if management has other motivations like Wells Fargo's management had?
Let's start with the easy part first. Performing risk assessments without management involvement is like trying to julienne vegetables using a Ginsu knife without turning on the lights. You might get the job done, but you and the environment are going to be a mess afterward.
The only … THE ONLY … expertise we bring to the table in risk assessment is understanding risk, the role it plays in achievement of objectives, and how to approach the mitigation of those risks. We may have some knowledge of the business and its operations, but management will have the details necessary for us to make informed and intelligent decisions about the related risks. Management must be involved, it must be involved often, and it must be involved deeply. Without management we have a surface with no substance.
Now, let's address the last part of the question. And I'll be honest, I almost left out the reference to Wells Fargo. But I realized that there was an implication in this question that I didn't necessarily like, one that needs to be addressed.
There are next to none of us who know what internal audit's role was with Wells Fargo. And I have a little trouble with people who make judgments about what they think happened. Wells Fargo is just one example. We can all point to other organizations' management, executive, or board failures as an example of how things went wrong. But we have no idea what internal audit's role was — if they were complicit, if they were fighting it tooth and nail, or if they were trying to find the best way to navigate the issue. Unless you know the intimate details of any of these issues, leave internal audit out of it.
With that out of the way, the question of misaligned motivations is valid. Management may or may not have different motivations than internal audit. But that is why the final risk assessment is not management's, it is not the executives', it is not the board's. It is ours. We take their input and work closely with them on the final assessment. But we use our professional judgment and expertise to come to our own conclusions about overall risks and risk responses.
Q2. What themes do you see as defining the future of internal audit? Data analytics and robotic process automation (RPA) are here, and their use will continue to grow for obvious reasons (they certainly add value when used correctly). But I'm thinking about things such as the intersection of second/third lines of defense, regulatory/quality assurance (QA) requirements that use resources and demand more time be spent on administrative work rather than actually identifying and helping address risk, etc.
Bots, RPA, and artificial intelligence should be a significant influence on the way we work. That's a sermon I've preached innumerable times. But I think the second part of the question may show a misunderstanding of what internal audit should be doing for a living. Yes, there can be extra work involved with the things we are asked to do (coordination of lines of defense, regulatory/QA requirements, etc.). But the audit department needs to determine if these activities are a valuable use of the department's resources. If such administrative duties take us away from evaluating real risks, then those tasks must be put in someone else's inbox. We are not administrators; we are professionals who cannot afford to waste our time on trivialities.
With that being said, I think streamlining operations and focusing on bigger risks are two themes that will define the future of internal audit. (And, yes, nothing new here; the kind of things we've been talking about for a while.)
Q3. As the role of audit changes, do the skill sets need changing?
Quick answer. No.
Okay, guess I should explain. The important skill sets for internal auditors have always been the soft skills — skills that make a good auditor, manager, executive, and leader. When chief audit executives list the top skills for internal auditors, communication and critical thinking are usually tied for No. 1 with a bullet. Throw in creativity, initiative, empathy, conflict management, team-building, listening (listening!), the ability to function without ever holding a meeting … Sorry, a little off-track. But you get the idea. Hard skills are important, but they are not the most important thing for internal auditors. It is the soft skills.
That has always been true, and it will continue to be true in the future.
And two related references every auditor should read, although they are not specifically about internal audit. First, read up on emotional intelligence (EQ), starting with Daniel Goleman's Working with Emotional Intelligence. Any auditor who understands EQ and learns to apply it to themselves and in the way they work with others will be successful. The second book is Tom Peters' latest, The Excellence Dividend. In fact, check out any of Tom's books. Tom is a major thought leader in the business world and has always been a proponent of soft over hard skills. His latest is a great place to start.
And there you have it — three questions, three answers, and three different areas where internal auditors can provide better value to the organization, the department, and themselves.