Two pieces by Deloitte merit our attention.
The first is Chief Audit Executives: Ready for the Spotlight (PDF).
It makes some interesting points.
- Stop auditing the past. Instead focus on enabling the future (my words).
- Convert the little pieces of information (perhaps individual audit reports) into big picture insights.
This is good advice.
One of the valuable new pieces of guidance that came out of the project
(with which I was involved) to develop The IIA's principles for
effective internal auditing was the idea that internal audit:
- Should be forward-looking, and
- Provide insights and advice as well as assurance.
in particular need to be willing to take more risks with their
opinions, telling management and the board about the bigger issues (such
as those I describe in my post on The Real Risks: The Ones Not in the Typical List of Top Risks).
down to the root cause of risk and control problems often leads to
exposure of fundamental problems of leadership and so on.
The valuable CAE is the one who is brave enough to tell (or sing) the story.
With respect to "forward looking," we should remember why auditing controls
adds value: when they know the controls are adequate in addressing risk,
the board and management know they can rely on them now and tomorrow as
they drive the organization to success.
We should assess controls
in terms of their effect on today's and tomorrow's operations, not on
what might or might not have happened in the past. That is over.
The second Deloitte piece is Internal Audit Insights: High-impact Areas of Focus - 2017 (PDF).
It starts with this honest but alarming point:
… only 28 percent of CAEs believe their functions have strong impact and influence within their organizations.
It goes on to list eleven areas of focus for internal audit:
- Strategic planning.
- Third-party management.
- Internal audit analytics.
- Integrated risk assurance/combined assurance.
- Risk culture.
- Strategic and emerging risks.
- Sustainability assurance.
- Media audits.
- New reporting methods.
The last is something I have been pressing for a while, with examples in my book (Auditing that matters). They seem to be quoting me (without attribution) when they say:
Tell stakeholders what they need to know, why they need to know it, and what they should do about it.
I don't condone their suggested use of heat maps (which fail to tell
the true picture of risk) instead of using plain English!
Say what you mean to say (Bareilles). Honestly!
Instead of a list of areas of focus, let me suggest one. A simple one.
to provide an opinion on the overall management (via controls) of the
risks that matter to the success of the organization. Now, how can you
get to that point? What work needs to be done?
OK, do it in 2017 and deliver the valuable information your board and executives need.