It is an amazing and exciting time to be an internal auditor. This is not a facetious statement. Stakeholder expectations are rising, creating opportunities for internal auditors to expand beyond their traditional role of policing internal control frameworks and consult at a high level in the organization and on a wide range of executive and board priorities.
Audit plans are becoming increasingly qualitative, requiring auditors to make forward-looking recommendations within a cone of uncertainty. They have most certainly evolved from reviews of historical operations to cultural barometers, predictive assessments of probable risks and competitive analysis.
Most people are uncomfortable going into areas that may challenge or push them to new frontiers. But the fact is that internal auditors need to get comfortable being uncomfortable, mirroring the disruption that defines the business world today. That’s one of the key messages that emerged out of Protiviti’s 2018 Internal Audit Capabilities and Needs Survey. My colleague Andrew Struthers-Kennedy, Managing Director and Global IT Audit leader, recently kicked off a discussion of those findings, and I wanted to elaborate specifically on some of the action items for CAEs related to strategy, risk and culture.
Internal auditors, because of the unique cross-organizational nature of their work, are in the privileged position of not being siloed — a position that gives them a view into processes and procedures across all departments, from IT to finance and operations. Few other functions, if any, are in a position to observe culture and tone at the bottom, middle and top of the organization.
This unique perspective, which I referred to as an “all-access hall pass” in a previous post, provides a platform from which auditors can map and analyze enterprise risk management processes, determine whether proper oversight and resources are devoted to critical risk management concerns, and determine whether the organization’s culture supports “doing the right thing.”
This evolution is evident in the 2018 survey results, which show that CAEs are currently focused on aligning ERM with strategy and performance, and implementing practices outlined in The IIA’s Practice Guide on Assessing Fraud Risks. Auditing corporate culture, with a self-reported competency score of 2.9 on a 5-point scale in the survey, ranks among the highest priorities for improvement, along with digital transformation (analytics) and flexible (agile) risk and compliance controls, both with competency scores of 2.7.
I should point out that by agile controls, I mean more responsive, timely and flexible controls, not necessarily a technology solution. When it comes to auditing culture, it’s really the strength of relationships and understanding the pressures and motives that contribute to fraud and other misconduct that are likely to add the most value.
Executives and directors are looking to CAEs to open lines of communication and initiate and cultivate those relationships. Nontraditional capabilities that just a few years ago were called “soft skills” — things like communication, critical thinking, relationship building and cultural sensitivity — have become core competencies. CAEs need to be evaluating their audit teams and recruiting now to ensure the right mix of talent.
I want to leave behind the following food for thought: In September 2017, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its updated ERM framework, Enterprise Risk Management — Integrating Strategy with Performance (www.coso.org). The framework focuses on integrating ERM with the core processes that matter. Its concept of integration is embodied within its definition of ERM, which COSO defines as “the culture, capabilities and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.” This is, in a nutshell, our territory — and it is nothing short of exciting.