Does Your Organization’s Cyber Culture Make You #Wannaaudit?
May 15, 201710 Things Not to Say in an Audit Report
May 30, 2017Organizations face risks today that are as varied and challenging as ever. Cybersecurity, technology, big data, social and geopolitical dynamics, and other factors are contributing to a complex and evolving risk landscape.
As boards and C-suite executives struggle to manage such risks, they are increasingly turning to internal audit for assurance and advice that fall outside of the more traditional engagements with which many internal auditors are comfortable — assurance on financial reporting and compliance. Higher demands amid limited time and resources, developing new skills, and nurturing out-of-the-box thinking are sure to pose significant challenges for internal audit functions. Indeed, keeping up with growing expectations while delivering high-quality service may be the single biggest threat facing the profession.
All this could easily appear overwhelming, but there are two important points that should give every practitioner comfort: First, the profession has a proud history of evolving to meet new challenges. Second, we already have a strong model for meeting this latest one.
The challenges that small internal audit functions have always dealt with are similar to what the profession as a whole is facing today. When I assumed my first role as a chief audit executive (CAE), I took over an internal audit department with only three full-time auditors. Based on the size and complexity of the enterprise, the staff size should have been at least 30. But I learned early and often to play the hand I was dealt. I keenly understood that the only path to more resources was to address the audit needs of the organization in an outstanding manner that captured the attention of management. Within a year, my staffing was doubled. The lessons I learned in managing a small audit department would pay even bigger dividends when I would later lead an audit staff of hundreds.
Regardless of the size of your audit department, there are valuable lessons that can be learned by examining some of the tried-and-tested strategies routinely employed by outstanding smaller functions. I believe any internal audit function can make a significant impact if it follows six strategies I outlined in two earlier blog posts: Generating a Big Impact With a Small Audit Staff, Part 1 and Part 2.
Those blog posts go into deeper detail, and I encourage you to read them, but let me briefly outline the strategies here and tell you how they relate to today’s internal audit challenges.
Strategy #1: Follow the Risk
If you can’t audit everything, then you had better audit the systems, processes, controls, or risks that can inflict the most damage. Regular readers of this blog know that “follow the risks” is one of my mantras, especially in an era when we must audit at the speed of risk. It is basic, but today’s Pandora’s box of emerging risks can overwhelm and sometimes obscure the basics. In a rush to complete engagements, the engagement planning phase can be shortchanged, or the audit team will simply deploy last year’s audit program. Don’t let this happen.
Strategy #2: Be Innovative in Leveraging Resources
Simply put, CAEs need to bone up on different ways to leverage resources if they are going to keep up with growing stakeholder expectations. Over more than four decades in the profession, I found the most powerful are: a) relying on the work of others, b) using functional experts, c) augmenting the internal audit staff, and d) co-sourcing.
A word of caution: Each of these techniques has its pros and cons and, if not fully understood, can potentially damage the function’s credibility or erode its independence. Make certain the function’s integrity is not exposed in the rush to leverage resources.
Strategy #3: Benchmark for Success
If your function is facing particular challenges, it is likely that others are doing the same. By benchmarking — the process of comparing the performance or practice of one internal audit function to another — a CAE can find best practices and leverage the work of others (see above).
The IIA’s Audit Executive Center is an excellent resource to connect CAEs who oversee functions of similar size or those facing similar challenges.
Strategy #4: Improve Internal Audit Processes
This is a strategy that I have been touting around the world in my Poised for the Futurepresentation, which looks at how the profession should be adapting to 21st century challenges. Ineffective and inefficient processes can be a major drag on internal audit productivity in functions of all sizes. Even today’s largest internal audit staffs no longer have the luxury of inefficiency.
Quality assurance reviews can help identify where processes can be improved for annual and engagement planning; conducting engagements; documenting, reporting, and monitoring results; and quality controls.
Happily, technology has provided us the wherewithal to improve, expand, and streamline many of our processes. Data analytics, continuous auditing, and artificial intelligence already are proving to be important tools. But, as with the previous discussion on leveraging resources, CAEs need to understand the pros and cons of every effort to improve efficiency and efficacy.
Strategy #5: Measure Results
Understanding what is working and what is not becomes more important when demands are high. Measuring our own performance provides CAEs a clearer picture of how resources are leveraged, whether it is tracking ROI, cycle time, client satisfaction, or the percentage of internal audit recommendations that are successfully implemented.
Strategy #6: Advisory or Consulting Engagements
Interestingly, the blog posts I mentioned earlier had to make a case that advisory or consulting engagements could yield significant benefits for an organization. This is now well understood and is partly feeding the growing demands on the profession. Stakeholders are turning to internal audit more than ever for their insight and foresight. These engagements can add value to the organization and help it meet its goals. Of course, the caveat that providing such services could create conflicts of interests down the road should be engrained into every CAE’s psyche.
These are, by no means, the only approaches or options for CAEs struggling to meet growing stakeholder requirements. I’m eager to hear what strategies you believe will work to meet demand and add value to your organizations.
I welcome your comments via LinkedIn or Twitter (@rfchambers).