The more things change,” as the saying goes, “the more they stay the same.” And few professions have experienced as much change over the years as internal audit — a trend that’s certain to continue moving forward. In some ways the practice of internal audit will look different in 2020. Yet at the end of the day, internal auditing seven years from now will essentially involve the same fundamental service: assessing organizational activity. Internal audit departments are in flux at many organizations, rapidly expanding their portfolio of services and widening their audience of clients in the process. But in many ways they’re performing the same core activities they always have, albeit in new areas of the enterprise.
Carolyn Saint, Dallas-based vice president, internal audit, at 7-Eleven, sees internal audit growing deeper rather than broader. “Perhaps these are famous last words,” she comments, “but I don’t think companies’ expectations of internal audit departments will be wildly different in seven years.” Expectations are already high, she points out, specifically citing the U.S. Sarbanes-Oxley Act of 2002, the recent global financial crisis, regulators’ demands, and the growing complexity of markets everywhere. Indeed, internal auditors are already expected to think strategically while being tactical and detail-oriented, to generate business insights and provide assurance on controls and risk coverage.
Nonetheless, demands on practitioners show no signs of diminishing. “As we continue to meet the challenges thrown at us every day,” Saint adds, “the expectations bar ratchets higher and higher.” Other experts agree that internal auditors need to be ready for these growing challenges, and gear up for what lies ahead.
Focus on Risk
One aspect of internal audit that’s virtually certain to change — and keep changing — is its attention to risk. “We will likely see less emphasis on controls and more emphasis on risk management and governance,” says IIA President and CEO Richard Chambers. Too much focus on controls can lead practitioners to lose sight of the fact that they’re a means, not an end, he says; controls are designed to mitigate risk, so they need to be kept in perspective.
Recent data from The IIA, Chambers adds, shows that perhaps 80 percent of what internal audit does is provide assurance around control effectiveness. “But that’s not necessarily where the most lethal risks to the business are,” he says, “so internal audit must strike a better balance between a focus on controls and a focus on risk management and corporate governance.”
Internal auditors often stay away from the most vexing strategic and operational risks because they don’t have the experience and confidence to address them, adds Paul Sobel, vice president and chief audit executive (CAE) at Georgia-Pacific LLC in Atlanta. “That will need to change,” he says. But that change, while seemingly dramatic on the outside, will on the inside simply continue the fundamental function of internal audit as it exists today. “The topics internal auditors address will change, because risks shift over time,” notes Jason Pett, U.S. internal audit services leader in the Risk Assurance Services practice at PricewaterhouseCoopers, Baltimore. “But the basic tenets of finance, operations, compliance, and strategic risks will stay — and internal audit will go where the risks lie within those four areas. That’s not going to change.”
Pett foresees at least one specific scope modification: internal audit’s role in third-party, or vendor, risk management. “It’s going to continue to grow,” he says. “It’s a focus for internal audit now, but not a major focus.” Currently, the internal audit function focuses on how the company manages vendor risk, but in the future, more and more, internal auditors will go on-site at those third parties, Pett adds, “to understand the risk profiles of their vendors and to look at things in a much more detailed way.” The ongoing outsourcing of risk is pushing enterprises’ risk profiles to third-party providers, including cloud providers and similar vendors. To date, outsourcing has focused on services; now, it’s shifting to technology, which brings with it the loss of some control — around, say, the security of key data. “Outsourcing risks are changing so dramatically that internal audit is being forced to do more around vendor risk management,” he says.
This imperative to do more is reflected in other areas. Internal audit’s scope is expanding because the expectations that boards and management place on it grow more numerous every day. And that’s not going to change by 2020. “One of the expectations of boards in the future will be for internal audit to help avoid surprises — the idea of being able to identify emerging risks, or to see around the corner, so to speak,” Chambers says. “If all you’re doing is telling management what you see, that probably is what they see as well. But if you leverage your knowledge and experience, you can provide perspective management hasn’t thought of. That will characterize internal audit in the future.”
The year 2020 also holds changes for the way internal audit is positioned in the organization. “There will be a shift in where the internal audit function reports, with more functions reporting to the CEO as opposed to the chief financial officer as audit committees stress independence for the function,” predicts John Wszelaki, director of audit at the Commonwealth of Virginia Department of Alcoholic Beverage Control in Richmond. CAEs will likely have a seat at the table in the C-suite, he says, and audit committees will push for greater audit independence. Chambers points out that perhaps 75 percent of internal audit functions currently report functionally to an audit committee; that number could rise to 90 percent by 2020.
Pett foresees an interesting twist on this prediction: risk committees will be formed under boards, rather than audit committees. “I can see a scenario where they become more common, and maybe even represent a majority,” he says. “That would be a pretty significant shift.” In some companies, internal audit will operate under a hybrid reporting structure, he adds. “I do not see the trend of internal audit reporting to the CEO taking over the world,” he emphasizes. Rather, when there’s a change in reporting, it will more likely comprise the formation of a chief risk officer function that would oversee internal audit.
There’s a lot of duplication in risk management at many organizations, Pett adds. “We’re having the checkers check the checkers, who are then checking the checker checkers,” he says. “There may be a better way to do it, by aligning and integrating risk management activities and leveraging advanced strategies such as data analytics to optimize risk management across them.”
Any industrywide changes in reporting structure will likely be the result of external forces, according to Saint, “namely, if regulators or exchange rule-makers strongly recommend or dictate it.” Otherwise, she sees each company creating a reporting structure that it believes best suits its requirements, risk profile, and what it sees as value-creation from the internal audit function.
Expect internal audit competencies to look different in 2020, too. “As the focus on internal audit’s role with risk mitigation continues to expand,” Wszelaki says, “I foresee the more typical internal auditor coming from the operations side of the business. The profession will look for people who understand the business and know how to mitigate risk, who understand the distinction between efficiency and effectiveness, and who know how the supply chain operates.”
That’s a tall order, but one that’s already in place in many organizations. Chambers notes, “As we diversify where we focus in this profession, the skills have to diversify, too.” Indeed, he reveals, The IIA’s latest survey data indicate that accounting skills now rank no higher than sixth for recruiting. “There was a time when that was the No. 1 skill,” he points out. Now, roughly 20 percent of internal audit resources are dedicated to auditing financial controls and risks.
“If only 20 percent of your time goes into that, why does everyone need that skill?” Chambers asks. The new No. 1 skill for recruitment? Analytical and critical thinking, followed by communications skills, followed by risk management assurance. Numbers four and five are IT skills and data mining capability, respectively.
Audit department heads, Pett says, will need to focus on the skill sets their shops need to be effective. “As the world grows more global and technological, relying on the same old skill set will mean internal audit functions will be devalued,” he says. CAEs increasingly realize they need “really deep industry capability; they need people to understand the business and not just finances.”
Sobel sees additional skill requirements for audit leaders. “CAEs will be leaders of teams,” he says, “where the teams are specialists that bring to the table skills and experiences the CAE does not have. This requires the CAE to exhibit more CEO capabilities than today, where many CAEs are simply more experienced audit leaders.” (See “The CAE as CEO.”)
Of course, the biggest change to the internal audit workforce moving forward is the same change offices everywhere are undergoing: the rise of the millennials — those born late in the last century. There may be as many as 80 million in the United States alone. They approach work differently than their older colleagues, statistically at least, and expect to communicate using advanced technology. Picking up the phone sometimes seems old-fashioned to them, and anything short of instantaneous is simply too slow. Their use of texting, tweeting, and social media “flows over into their desire to do that in audit activities,” says J. Michael Peppers, CAE at the University of Texas System, Austin.
Millennials tend to be comfortable emailing or texting to get information from audit clients. “There’s absolutely a role for that,” Peppers adds, “but we have to balance it with ensuring that all of our staff realize the importance of the personal connection when doing audits.” Establishing an ongoing rapport with clients requires an in-person connection; in addition, there are audit benefits that come from asking questions and interacting face-to-face, he emphasizes, such as “seeing the response, the body language, the real-time feedback that gets exchanged when you’re talking face-to-face versus sending an email.”
Millennials also seek a fair degree of latitude in their work options. “In the past several years, we have seen many entities move to workforce telecommuting, flexible schedules, and virtual offices,” Wszelaki says. “The movement with younger staff coming into the profession is toward a work-life balance where flexibility is key.” His operation uses remote access, data analytics, webinars, and virtual meetings to effect the work-life balance that employees seek; moving forward, he calls on CAEs to stay attuned to what specifically motivates employees and ensure they have “current knowledge” needed to motivate and retain staff and keep them productive.
Assuming internal audit management can find common ground with millennials — even though, as Chambers puts it, “every new generation is viewed as incredibly strange by the generation that preceded it” — they should prove to be a good match with the profession in 2020. They tend to be very practical, he says, but at the same time they can be impatient about being given responsibilities and opportunities. “If we don’t provide them,” he cautions, “they’ll grow weary of internal audit and move on to greener pastures.” Those who stay will bring a lot of capability around technology that will be incredibly relevant; they’re also, statistically, looking for flexibility and variation in the assignments they take on.
“I think internal audit functions are going to be much more attractive to millennials,” Pett says. “They’ll see they have the opportunity to do different things, understand different risks, and be able to change with the business. Those leading-practice functions that get out in front of analytics especially will attract the top talent.” He adds that the next generation, post-millennials, will also soon begin impacting the talent pool. “Millennials will be old and worried about their tax bracket soon. It’s going to be very interesting to watch the next group and their inclinations.”
One characteristic setting apart the next generation is that they’ll have grown up 100 percent with advanced technology. And that’s significant considering technology plays an increasingly important part in the way internal audit is practiced today, and will even more so in the future. “By 2020, internal audit is going to be driven much more by data — in the risk assessment phase, in planning and scoping an internal audit, and in executing it,” Pett predicts. Specifically, he foresees visual analytics rising dramatically on the back end, plus more technology-enabled communications and more tablet-based reporting.
Analytics will be especially important to the future of internal audit, Chambers adds. “We’re going from a period of ‘Big Data’ to a period of ‘Mega Data,’ of ‘Bigger Than Big Data,’” he says. “As internal auditors, we can leverage technology into the kinds of tools that will let us analyze vast amounts of data on emerging trends and anomalies.”
Michael O’Leary, partner and global internal audit leader at Ernst & Young, sees three key areas of future technological change. One is very comprehensive GRC platforms. “Internal audit is going from automated workpaper technology to more comprehensive GRC software,” he says. Another is what he calls “dramatic expansion in the use of analytics in individual audits and the internal audit life cycle, using analytics to drive efficiencies in the audit process and provide much more compelling and powerful data to stakeholders.” The third is a move to continuous auditing so internal audit serves as a real-time monitor to detect control or other issues.
It could go much further than that. Sobel sees inventions that go beyond Google Glass and other portable devices — all the way to chips embedded in people, bringing data and other capabilities to internal auditors wherever they are, including the warehouse floor, the CEO’s office, or flying on an airplane. “I’m not sure what technology will bring,” he says, “but I do believe it will have cosmic effects on internal audit.”
Technology will undoubtedly contribute toward shaping internal audit’s future, as will an emerging trend in organizations that several experts point to — a shift toward cross-functional assurance. Thought leaders say that internal audit is poised to play a key role in this area, and that it will require evolution in the relationship between internal audit and ethics and compliance. “I see a move toward more combined assurance,” Sobel says, “where most organizations leverage the synergies of different assurance activities to more efficiently and effectively optimize assurance.”
It’s important for internal audit to not just be a part of those integrated activities, but to actually lead them. Compliance departments are growing dramatically, Pett says, as organizations realize that their risk profiles are changing quickly. “If internal audit doesn’t integrate into that landscape and add value beyond what compliance does,” he says, “there’s a risk of internal audit becoming less relevant and compliance rising in relevance.”
Peppers calls the integrated approach “knowledge management,” and like Pett, he urges internal auditors to make sure they’re leading the effort. Otherwise, he warns, the future of internal audit could be characterized by the loss of the profession’s hard-earned influence in the C-suite and the boardroom. “We have a lot of different areas in our organizations that are doing some overlapping things, including internal audit, ethics and compliance, risk management, and legal,” he says. “Audit committees and management that see scattered, potentially duplicative efforts are going to get frustrated. We’ve been experts for decades, so it seems like we should take the lead.”
The future belongs to internal audit, in other words, but it is also internal audit’s to lose. Some of the services internal audit departments perform are exactly those on which many organizations are focusing more efforts and resources. But internal audit departments aren’t the only areas that want a piece of that action. For the internal audit function to be viable and effective,” O’Leary says, “it’s going to be imperative to raise the bar on how it contributes to an organization’s goals.” Not all departments will draft the same list of initiatives, of course, but failing to embrace the increasing risks creates another: loss of the function’s effectiveness and relevance over time. Internal auditors in 2020, then, will be more critical to companies’ success than ever, if they’re up to the task. The good news is they’re already on a developmental path to meet the challenges the future will present.
See "Tomorrow's Best Practices" for more about emerging internal audit techniques.