A confluence of increased regulation, intense focus on corruption, and heightened scrutiny of risk management is changing the role of the internal auditor.
From evaluating and mitigating fraud and corruption risks, to improving IT and business operations, the internal audit function must evolve to meet the expanding needs of management and other stakeholders—so said industry leaders during a panel discussion at the Institute of Internal Auditors' annual conference in Boston earlier this month.
“As internal auditors, we have a great challenge to push executive management and the board to respond to those changes,” said Mark Carawan, chief audit executive for Citigroup.
Linda Zecher, president and chief executive officer of publishing company Houghton Mifflin Harcourt, agreed that internal audit must play a role in guiding senior management to heed the risks that need the most attention, and to what the company can do differently. “I look at internal audit more as a partnership,” she said.
Not all CEOs, however, are as welcoming of the idea of giving internal audit a proverbial seat at the table. According to a recent survey by Thomson Reuters, internal auditors believe they generally don't get the visibility and vocal support that they need to play the larger role they want. Of more than 1,500 internal auditors surveyed across six countries, 83 percent of respondents said they currently apply most time and resources to assurance over internal controls. Forty-four percent of respondents listed IT risk and security as the second priority.
Those realities don't align with where internal auditors would like to focus their attention. A full 38 percent said strategic-level risk management should be a top issue. Nearly one-third said resources needed to be focused on corporate governance, although far fewer said they actually spend much time on it.
The survey also suggested that internal auditors still have room to grow in their interactions with those in the compliance and risk-management functions. More than 40 percent of respondents said their interactions with both departments are ad hoc, or they weren't sure how frequently they meet.
In the case of internal audit working with risk-management teams, only 21 percent of respondents said the two sides meet on a weekly basis. The numbers for internal audit working with compliance departments were similar with 24 percent of respondents reporting that they meet weekly with their compliance counterparts.
“The cloud is already here. We are beyond the hype. The challenge now is, ‘how do we exploit it? How do we reduce the risk?'”
—Rebecca Rhoades,
VP, Chief Information Officer,
Raytheon
Neil Jacobsohn, CEO of global business think tank FutureWorld South Africa, said during the panel discussion that part of the challenge among internal auditors has to do with mind-set. Only until internal auditors as individuals really believe that they can add value to their organizations will they start to identify where the opportunities exist to make those changes, he said. “If that doesn't happen, I don't believe you will change.”
Maturity of Business Processes
Such increasing responsibilities, coupled with the need to adapt to changing business models, have many internal audit departments looking for new processes and tools to help address these challenges.
Even the most basic audit processes still call for some improvements. In the case of the management of audit workpapers, only 28 percent of respondents described their process as robust or mature. Another 49 percent indicated that, while they have a workpaper process in place, it still needs, well, work.
“Moving from an ad hoc to a more robust automated workpaper management process is a trend we are seeing with many audit departments,” Thomson Reuters stated. “Many audit executives are re-evaluating their reliance on spreadsheets as their primary solution for managing internal audit processes and moving to a more structured and purpose-built solution.”
The survey also found that 74 percent said they had either a robust issue tracking program, or at least implemented one. “This high maturity level on issue tracking is a good indicator for organizations moving toward the disciplines of GRC,” the survey noted. How so? Because, the Thomson report said, tracking by issue allows internal audit, compliance teams, and business process owners all to move in lockstep to correct problems affecting the company.
Advances in technology mean that internal auditors “have to change our paradigm quite a lot,” said Carawan. The challenge is how to give assurance to directors and other stakeholders “not only about what we do internally, but what we ask others to do for us and what they ask others to do for them,” he said.
INTERNAL AUDIT CHALLENGES
The following chart from Thomson Reuters ranks key issues for internal auditors in the coming year.
Source: Thomson Reuters.
Greater opportunity also exists for IT and internal audit to come together as more companies shift to a cloud computing infrastructure. Rebecca Rhoades, chief information officer for defense contractor Raytheon, commented during the panel discussion that IT and internal audit are “connected in a lot of ways,” because usually the functions come together to address the risks around technologies.
Rhoades cited cloud computing as one example. “The cloud is already here. We are beyond the hype,” she said. The challenge now is, “How do we exploit it? How do we reduce the risk?”
Call for Transparency
The panel also discussed how advances in technology are driving businesses to become more transparent in the public eye—willingly or not—and how internal audit fits in that role. Anything discussed during a meeting behind closed doors could now end up on the front page of the paper, tweeted, or blogged, Zecher said. “There is no internal versus external information anymore,” she said.
Rhoades agreed: Informal conversations that once took place around a water cooler or within corporate hallways now live on forever. “They become a lasting record,” she said. “We're babes in the woods in terms of having good intuition and good skills on managing that as leaders.”
>> Subscribe | Try a risk-free 10-day trial subscription to Compliance Week and enjoy a host of benefits.
In situations where corporate misconduct becomes part of the public record, the more open and honest senior management is willing to be upfront, the faster the company will rebuild trust, Zecher said. From a CEO perspective, that means communicating to stakeholders, both internal and external, as soon as the facts are readily available, she said.
Even if a CEO isn't at liberty to answer specific questions, at least explain where the company is in the process and when you expect to communicate additional facts, and then follow through with that, Zecher said. If you choose not to respond, especially in the age of social media, “misinformation will just proliferate through the system,” she said. “In the absence of information, people tend to make up their own.”
Carawan said audit executives play a role in fostering and repairing that trust, because internal audit is in a “unique position” as an independent function reporting to the board to validate facts and prioritize what one should be reporting on a matter. “We are in a fantastic position … to stand up and say, ‘This is the way it really is.'”
No comments yet