Disruption Brings More Calls to Action for Internal Audit

This time of year is typically slow for the release of thought leadership in the internal audit profession. The IIA, internal audit service providers, technology firms, and others normally unleash a wealth of white papers and reports earlier in the year, then there’s a lull before a bevy of fresh new ideas and perspectives once again flows. But 2020 has been anything but typical, with insightful and topical content not ebbing as we navigated the pandemic from our home offices. 

At least three publications released in just the past few weeks warrant every internal auditor’s perusal. My old colleagues at PwC published a timeless report in July titled Engaging With the Audit Committee: Five Ways for Chief Audit Executives to Stand Out. If you haven’t read it, I encourage you to do so, because it is full of great insights. Earlier in August, our friends at AuditBoard published a fascinating piece titled Audit Leadership During Crisis: A CAE’s First 90 Days During COVID. The article is authored by Sabrina Abramson, chief audit executive (CAE) at Wyndham Hotels & Resorts, and chronicles her journey as a CAE since taking over the role in a highly disrupted industry at the beginning of the pandemic. I have always believed personal stories are the most compelling, and Sabrina doesn’t disappoint.

Most recently, our colleagues at Protiviti offered yet another installment in an excellent series from their Internal Audit Capabilities and Needs Survey. This edition is titled Exploring the Next Generation of Internal Auditing, and it is chock-full of insights on the progress and prognosis when it comes to internal audit transformation. As Brian Christensen, Protiviti’s executive vice president, Global Internal Audit, notes in his introductory remarks for the publication:

“Innovation and transformation require more than just a series of discrete activities. They necessitate a fundamental rethinking of the design and capabilities of internal audit. Granted, most internal audit functions don’t have the luxury of starting from scratch. But that does not preclude them from being innovators; it just means they have to be open to new ideas. Innovation in internal audit is driven by a next-gen, trailblazer mindset, along with a willingness to make bold decisions, learn from mistakes, and never stop asking, ‘How can we get even better?'” 

Protiviti has been surveying on the extent and effectiveness of adopting a “next-generation internal audit mindset” for several years. They believe the “foundation of next-generation internal auditing lies in principles such as agility, real-time risk and controls monitoring, dynamic risk assessment, and the effective leveraging of data and advanced technologies.” Based on Protiviti’s survey results and the insights of its practice leaders, the report highlights four key findings.

“Next-generation internal audit competencies need to be prioritized rather than marginalized — especially enabling technologies.” Protiviti notes that CAEs and internal auditors assess their competency levels as “remarkably low” in next-generation governance, methodologies, and enabling technologies. The report correctly observes that, in the current era of disruption, “these capabilities should be priority areas for growth and development.”

“Fewer internal audit groups are undertaking some form of innovation or transformation, but the maturity of these capabilities has increased.” In a glass-half-full observation, Protiviti commends those internal audit functions that are making progress, but notes that it is “imperative for internal audit groups not currently undertaking some form of innovation or transformation to get moving — or risk falling too far behind.” From my point of view, “falling too far behind” is an existential threat for many internal audit functions. Those who are not innovating and transforming in the face of COVID-19 risk complete irrelevance or worse.

“Audit committees want CAEs to communicate how their transformation and innovation efforts are resulting in more coverage of risks and deeper audit reviews.” In a call to action, Protiviti notes that audit committees are becoming more interested in how internal audit is innovating and transforming. It is essential for “internal audit leaders to enhance the risk relevance, visual appeal, and conciseness of their communications to the board.”

“In addition to next-generation internal audit competencies, top audit plan priorities include cyber threats, enterprise risk management, fraud, and third-party risks.” While Protiviti’s survey was conducted several months ago, the disruptive effects of the pandemic have served to only enhance the priorities highlighted in the report.  When responses from CAEs were isolated, the top five priorities for 2020 were:

• Cybersecurity risk/threat.
• Fraud risk management.
• Enterprise risk management.
• Vendor/third-party risk management.
• Internal audit strategic vision.

While those priorities remain relevant, I suspect that today’s priorities for CAEs would also include:

• Business continuity.
• Supply-chain management.
• Health and safety of employees and customers.
• Cost/expense reduction/containment.
• Global macroeconomic instability.

The IIA is currently gathering perspectives on internal audit risks and priorities as part of its annual OnRisk survey. Expect the OnRisk 2021 report in November.

The internal audit profession is propelled by knowledge. In fact, for generations, The IIA’s motto has been “Progress Through Sharing.” I can’t thank our friends and partners at PwC, AuditBoard, and Protiviti enough for making the investments and taking the time to share the insights highlighted in this blog. They, along with Crowe, Deloitte, EY, Galvanize, Grant Thornton, KPMG, Refinitiv, Wolters Kluwer, and Workiva make up The IIA’s network of Principal Partners. The IIA couldn’t begin to serve its members around the world without each of these important allies.

As always, I welcome your comments.