May is International Internal Audit Awareness Month. We are celebrating with a series of blog posts focused on internal audit topics and the daily challenges and future of the internal audit profession.
In my last post, I argued that internal auditors should go beyond assurance to serve as strategic advisers to executive management and directors.
This begs the question: Which risks do we focus on? CBOK survey respondents were adamant that they want to see internal audit more directly involved in advising on strategic risks – more than half said so. What they didn’t say is that they want internal auditors to take their eyes off the operational, financial and compliance risks. It’s just that strategic risks are the focus of both senior management and the board, and so it makes sense that, as the internal audit function aligns with the needs of these key constituents, it includes strategic risks in its line of sight.
Traditionally, auditors have done a good job analyzing financial risks. Recent years have seen the move into operational and compliance risk assurance as well. Compliance is a very hot topic with serious reputational underpinnings, so, unsurprisingly, there is a resounding affirmative that we need to continue to respond to that. Where there’s room for growth is in the strategic risk arena: If a company is going through a large ERP implementation, for example, the internal audit function can best add value and demonstrate its understanding of strategic risks by serving in a proactive consultative capacity to the project planning committee.
Not only are stakeholders expecting internal auditors to weigh in on a broader variety of risks, but they are increasingly looking for more timely and, sometimes, even real-time feedback. Audit plans need to be dynamic and audit processes agile enough to adapt on the fly to changes in the risk landscape.
That means that audit tools need to be equally agile. We’re seeing an increased demand for data analytics. A lot of great tools have come out in recent years that enable auditors to mine and report on entire data sets, instead of testing limited samples.
Internal audit’s role in identifying and analyzing risk has become a corporate imperative, even at companies with a separate risk management infrastructure, such as a chief risk officer or chief privacy officer. The difference between these “chiefs” and the chief audit executive (CAE) is that, in most organizations, the CAE reports to the board but also has more frequent face time with directors. This underscores how critical it is for the internal audit function to demonstrate an understanding of strategic risk and be an engaged, familiar face around the company, particularly with its leaders.
So how do we do that? We knock on executives’ doors, ask questions about the company’s direction, inquire about new markets and products, stay curious and informed, and connect the information received from different sources so that executives trust our “big picture” acumen and intuition and engage in this conversation with us. This, in turn, gets us invited more often to the table.
Relationships are key, and I will pick up the topic in my next post. You can access our April 6 webinar here.