Internal auditors are being challenged to do more than ever before, often in areas beyond the typical audit plan prepared each year. Stakeholders are looking for greater insight and knowledge into their organizations. Deft internal audit organizations have been able to engrain the importance of their role and reaffirm value.
In November 2018, Protiviti published a white paper that was a call to action for chief audit executives (CAEs). Titled The Next Generation of Internal Auditing – Are You Ready?, the paper advised CAEs that if they did not become more proactive in adapting their functions to a volatile and changing economy, they would risk becoming irrelevant. This observation was based on the new technologies and digital transformations that were remaking entire industries.
Most internal audit (IA) organizations were only beginning their transformation to next-generation capabilities, such as agile auditing. CAEs saw the need to adapt to the new realities and were engaged in the process of doing so.
The pandemic has accelerated additional change, and CAEs are reporting that their responsibilities have become more proactive, more advisory, and more central to the resilience and continued wellbeing of their companies. These findings comprise the essence of Protiviti’s Volume XVII of Internal Auditing Around the World, published in July 2021.
This latest volume reveals that even IA organizations that had made only their first forays into evolving their functions benefited significantly from these efforts. Whether it was automating critical processes or encouraging an innovative mindset, these forward-looking changes enabled IA teams to play integral roles in helping their organizations cope with unprecedented disruption. And as for the IA groups that had fully embraced next-generation practices, they were the most effective in helping their companies thrive under difficult circumstances.
IA’s pivoting role
CAEs had to pivot in their roles as they responded to the dynamic changes brought upon during the pandemic, often multiple times, to provide independent assurance that their organization’s risk management, governance and internal control processes were operating effectively under fast-changing conditions. In some instances, the survival of the company depended on their contributions.
Taken as a whole, the changes in the IA model at various organizations are as instructive as they are encouraging. Consider the creative disruption of IA functions at the following companies:
At one of the world’s top-rated banks based in the Far East, the IA team traditionally scheduled audits a year in advance, and then reviewed the bank’s status in such areas as regulatory compliance, system processes and financial reporting. Nowadays, under a new digital initiative, the IA team is using a data-driven operating model (DDOM) to discover and highlight risks well before the audit. The aim behind the DDOM model is not to produce reports after the fact but to lower these risks proactively. The bank’s CAE regards such work as “the future of audit.”
In the case of a leading provider of financial technology solutions, the company’s board of directors approached the CAE to provide quarterly updates on the impact of COVID-19 from the perspective of IA. This formal request capped a number of ad hoc audits that the IA team performed to examine the many pandemic-related challenges faced by the company, such as work-from-home (WFH) requirements. As a result of these specialized audits, IA has become central to the organization’s evolving resilience practices. The IA team now plays a key role in disaster recovery exercises in various business units, providing in-depth analyses of the quality of the recovery plans.
At a major producer of semiconductors, the IA team performs a much larger role in manufacturing than it did before the pandemic, focusing on business continuity management (BCM) and operational resilience. The new engagement is part of a larger resilience program in which IA has taken a deeper look at broad-based policies, procedures and activities related to production. Through its new responsibilities, the IA team is zeroing in on ways to enhance BCM at specific manufacturing plants by analyzing recovery strategies, product testing, personnel training and crisis communication.
Facing new reality market
At a leading online travel services company, the IA team found itself in the thick of the fray during the pandemic. The audit team played a key role in helping management to stabilize the business, which included a major resizing for a “new reality” market. Currently, the internal auditors are closely following the risks they have identified as the most disruptive to the company’s well-being. These include burgeoning competition, digital services taxation, increased regulation and a growing number of consumer protection laws.
In a similar vein, the pandemic forced the IA team at an audio technology company to shift their auditing approach from overall enterprise concerns to emerging risks. Accordingly, they maintain a special focus on the production supply chain and monitor how the potential risk of customer liquidity might impact the organization. They also have increased their focus on cybersecurity and cyber resilience in the face of an attack. To this end, the IA team has employed a road map they developed prior to the pandemic.
And at a multinational healthcare enterprise that runs dozens of clinics and medical centers throughout the US and abroad, the IA team played a large role in keeping critical call centers operational and transferring tens of thousands of employees to WFH status. These efforts were helped in no small part by the IA team’s examinations of the corporation’s “pain points” during the pre-pandemic years. Today, the IA team has a central role in enterprise risk management (ERM). Moreover, the wide-ranging knowledge of the IA staff is so highly regarded that team members are regularly recruited by other departments.
Seizing the momentum
When all is said and done, the profiles of these and other companies featured in Protiviti’s Internal Auditing Around the World highlight the significant role of internal audit in driving business resilience. The stories told in the book also demonstrate how businesses define and perceive “resilience” differently, and show that resilience can take many forms, including strategic, cyber and operational responsiveness.
Despite these differences, internal audit leaders tend to hold similar views on the meaning of resilience: being agile and flexible to adapt to rapid change, pivoting swiftly and decisively to respond to unexpected disruptions, and being open to new thinking and processes to help the business endure and thrive.
Without a doubt, the challenges of COVID-19 have put IA teams to the test. But the pandemic has also opened up new opportunities and showcased how essential IA can be, especially in a crisis. CAEs would be well-advised to seize on the momentum and continue to push for creative disruption, both within their own ranks and their companies as a whole. For insight on how to proceed, please see this recent post, 5 Strategies to Help Internal Audit Functions Accelerate Their Next-Generation Transformation.