Internal audit in a changing world
In a fast-changing landscape, what does Internal Audit need to do to demonstrate its value to stakeholders?
In a fast-changing landscape, internal audit needs to demonstrate the agility, integration, transparency and prognostic approach that together prove its continuing value to stakeholders. Speakers at the 2018 annual ACCA Internal Audit conference – Internal Audit in a changing world – explored the challenges this presents.
What keeps CEOs up at night? Stuart Wooldridge, a partner in KPMG's insurance investment management sector, told his Birmingham audience that the firm’s UK 2017 CEO Outlook report reveals that reputational risk is high on the list with CEOs believing that reputational damage will have the second biggest impact on their organisation’s growth in the next three years.
A changing geopolitical climate and a ‘notable dip’ in confidence in the global economic outlook from last year are also on their mind. And to meet the challenge of remaining relevant and forward-looking, 65% of CEOs see disruption as an opportunity rather than a threat, with 74% saying their business is aiming to be the disruptor in its sector.
As CEOs grapple with these new challenges and uncertainties, findings from KPMG’s 2017 Global Audit Committee Pulse Survey pinpoint risk management as a top concern for audit committees. This creates opportunities for internal audit to maximise its value to organisations by focusing on key areas of risk and the adequacy of its risk management processes.
Stuart noted a migration of the internal audit function from hindsight, through insight to foresight. Foresight requires a focus on strategy and the market, he said, which in turn means understanding the global megatrends, the resulting disrupting forces on the industry sector and how they will affect the way the market looks in the future.
‘To do this, audit functions will need to free up some time and space. Automation of control testing, the use of data analytics and having the right skillset can increase efficiency of standard internal audit work but, more importantly, we need to move our audit plans from a focus on traditional risks to focus more on the drivers of strategy – the mega-trends that are affecting our economies and businesses now.’
Stuart suggested that if internal audit is agile and flexible enough in facilitating management to predict what major external and uncontrollable factors might be crystallising to affect the organisation’s performance and outcome delivery, it can influence management’s decision-making and support its ability to take advantage of, or protect itself from, upside and downside risk.
However, he concluded with a warning: ‘Audit functions are going to have to audit the things that scare them – strategy and business models.’
What should a CEO look for from IA?
Internal auditors know that they must pay close attention to what organisations’ boards and executive management look for from them and whether these expectations are being met.
One of the big questions that need to be asked in conversations with the CEO and chair of the board is around whether they actually want assurance, according to Robin Pritchard, chief executive at Gateway Assure. ‘Where does it get that assurance from? Is internal audit the appropriate assurance provider? Is there a board assurance framework that is effectively embedded? There should be.’
Communication challenges centre on the profile of internal audit and how it is sold. Is the board and senior management interested in what it has to say? ‘There are too many internal auditors that that never actually get near a board and, if they do, are frightened to tell it what they’ve been looking at,’ Robin said.
‘One of the problems, particularly with the outsourcing of internal audit, is that you’re only on site a couple of times a year. In the past you’d knock on a door and have a conversation about what matters. Emails changed that. Sometimes you are not saying things you want to because you are committing yourself in writing.’
Robin emphasised the importance of good communication and engagement with the audit committee is critical. ‘We are a partner in the assurance process,’ he said. ‘You can’t dodge that.
‘I think if we can have communication throughout the organisation with the people that matter and come to a common understanding of what could bring the organisation down and then provide assurance in those areas, it would be to the benefit of all our organisations.’
CEOs can be very different characters – including those who like to ‘throw a pebble in the water and see what happens’ to the ‘growlers’ who always bite back and are determined that whatever is in an internal audit report isn’t going to go any further, to the busy bees that are too busy to spare internal auditors time.
So, what makes an effective head of internal audit? According to the IAA (2006), it is a person of integrity, committed to highest ethical and professional standards, who is dynamic and inspirational, capable of leading the function and be an ambassador, and a flexible pragmatist, who understands the organisation and can therefore transform its needs into a cohesive internal audit plan.
The key features a CEO/chair might expect to see from internal are summed up in the three ‘Ps’: which Robin said he wanted to be the ‘take home’ of his presentation:
- Perception (do clients understand what the International Professional Practices Framework (IPPF) says)
- People (are the right people engaged with internal audit on both sides of the fence)
‘I’d been working for many years before I realised there is a fourth “P”’, he said. ‘Passion. When they open me up at the post mortem, they’ll find internal audit and risk management running through my blood!’
Exploring the nature of relationships and the link to the status of internal audit in an organisation, Robin pinpointed the signs that it’s trusted: reports are accepted at audit committee unchallenged; the audit committee discusses the whole of the report; and business unit managers act on recommendations made by internal audit. If it’s valued, internal audit is seen to be using its expertise to the benefit of their client through an open and collaborative approach; reports provoke directed discussion by the executive team and audit committee; and there is a continuous service delivery.
He left his audience to ponder over a 2003 quote from Donald Rumsfeld, then US Defence Secretary of State: ‘There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.’
Jill Wyatt, business journalist