Assessing the Expectations of Internal Audit Stakeholders at The IIA GAM Conference

This week, Protiviti is joining the best and brightest thought leaders from Fortune 500 companies at The Institute of Internal Auditors’ 2017 General Audit Management (GAM) Conference in Orlando, FL. For nearly 40 years, GAM has been the premier experience for internal audit leaders to explore emerging issues and exchange leading practices for positive outcomes. The theme for the 2017 conference is Fostering Risk Resilience. Two Protiviti leaders, Brian Christensen and Jordan Reed, will be conducting panel discussions on stakeholder expectations and the Internet of Things, respectively. We are covering these events and more from the conference here on our blog and on Protiviti’s social media platforms. Subscribe to our blog and follow us on Twitter for timely podcasts and analysis of this year’s conference topics.


Panel Session at the 2017 IIA GAM Conference:
Stakeholder Expectations (Updates from CBOK Stakeholder Studies)

Today at The IIA 2017 GAM Conference, Brian Christensen, Executive Vice President, Global Internal Audit for Protiviti, participated in a panel discussion before more than 1,000 conference attendees, on the expectations of internal audit stakeholders and how internal audit can continue to improve its performance. The panel was moderated by Paul Sobel, Vice President and Chief Audit Executive, Georgia-Pacific LLC. Panelists were Angela Witzany, Chair, IIA Board of Directors and Head of Internal Audit at Sparkassen Versicherung AG; Larry Harrington, Vice President, Internal Audit at Raytheon Company; and Brian Christensen, Executive Vice President, Global Internal Audit at Protiviti.

Following are some highlights from Brian’s comments:

  • Are we in the so-called “golden age” of internal audit? Membership in The IIA is at an all-time high. Conferences and programs are near capacity. As internal auditors, we are part of the conversation in the boardroom and management circles. And internal audit has been rated one of the 10 best professions to start a career. But, it’s important to ask, what can we do better? How do we remain relevant and serve our constituents better? Answering these questions was the goal of the 2016 Global Internal Audit Common Body of Knowledge (CBOK) Stakeholder Study.
  • Stakeholders agree that internal audit is focused on the most significant areas in their organizations. Internal audit is keeping up with changes in the business and is communicating well with management and the board.
  • Internal audit needs to further leverage its positive reputation for quality in other areas of the business where it can add value.
  • Management and the board want internal audit to “move beyond its comfort zone” to help organizations bring internal audit perspective on strategic initiatives and changes – digitalization, cybersecurity, Internet of Things and more. Change is all around us. In light of these many changes, what are new and emerging risks that organizations need to understand and manage? Internal audit can and is expected to provide information and insights to board members and management on these new risks.

Brian also offered some calls to action:

  • As internal auditors, we need to rise up to the expectations of our stakeholders. We’ve been told we’re doing a great job, but we can do more, and our stakeholders want us to do more.
  • We need to break out of historical thinking and approaches. We’ve earned a solid reputation – we now need to build on it.
  • We need to focus on and embrace the four C’s – Culture, Compliance, Competitiveness, Cybersecurity.
  • We need to ask ourselves: Where do we want to be in five years? In 10 years? How do we continue our “golden age”? The answer: Take on bold ideas and new concepts.
  • Finally, we need to own the discourse to fulfill the expectations of our stakeholders.

We have a great opportunity – not just for ourselves, but to create a path for those behind us. Stakeholders have given us a road map to success. Let’s fulfill our destiny and continue our golden age.

Listen to Brian Christensen summarize the highlights:

Share on Twitter

Internal Audit at Financial Institutions Is Evolving

Mike ThorBy Mike Thor, Managing Director
Internal Audit Practice Leader for Financial Services in North America




Financial firms’ risk profiles are continually challenged by new regulatory requirements and heightened expectations from supervisors requiring firms to advance their risk management processes. At the same time, advances in technology are driving consumer demand for more mobile services, even as new entrants, the so-called fintech companies, are transforming the competitive landscape. All this means that demands on chief audit executives (CAEs) and internal audit departments at financial institutions are increasing in proportion to these new challenges.

Under the heightened standards for large financial institutions, a set of guidelines issued by the U.S. Office of the Comptroller of the Currency (OCC), the role of internal audit is defined as opining on the readiness and design of the risk management systems and corporate governance structures of the institution, including its risk culture and risk appetite. To fulfil this role, auditors at financial services firms need to improve their technical knowledge in several areas, according to Protiviti’s latest Internal Audit Capabilities and Needs Survey, a comprehensive survey of internal audit professionals conducted in the fourth quarter of 2015.

A special industry-focused publication derived from the larger survey’s results, Top Priorities for Internal Audit in Financial Services Organizations, zooms in on the concerns and outlook of internal audit leaders within the financial services industry. In summary: The list of internal audit priorities for financial services firms is only getting longer, and internal auditors are noting the need to improve their knowledge in key areas, specifically cybersecurity, mobile applications, model risk, and the challenge of integrating risk appetite and risk culture within an agile risk management philosophy.

In addition, as the last line of defense, internal auditors need to streamline their processes to foster a more agile and efficient internal audit approach. The survey makes clear that during the past year, internal audit executives have advanced in their efforts to connect with the lines of business and management as part of collaborative efforts to improve oversight and to help the organization understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defense while also helping organizations become more efficient and optimize existing resources – an important goal, since difficulties in hiring and retaining talent have become more acute in recent years.

In light of this talent shortage, internal audit functions are increasingly considering investment in technology-enabled auditing approaches and tools, which can help them meet two important objectives: 1) address their growing list of priorities more efficiently, and 2) stay current and effective in their approach to risk, as banks continue to adopt emerging technologies in an effort to remain competitive in a rapidly evolving marketplace.

By improving their efficiency, knowledge and effectiveness, internal audit functions will be able to better assist their organizations in their continued growth. The improved skill set also will help position internal audit for its growing role of a key strategic partner in the broader enterprise – a role very much in demand, according to the recently published North American results of the 2016 Common Body of Knowledge (CBOK) Stakeholder Survey (with global results coming soon).

Finally, the reports on internal audit priorities, both the overall findings and the financial services edition, provide more than just a snapshot of the areas internal audit executives are most concerned about. The publications also offers real, practical advice from Protiviti experts from a variety of subject areas on how internal audit functions can achieve their goals and objectives. They discuss hot topics and changes that have occurred over the past 12 months in the financial services industry, and their impact on the work of internal audit. Download the two reports here and here.

Wanted: A New, Soft Set of Skills for Internal Auditors

May is International Internal Audit Awareness Month. We are Internal Audit Awareness Month logocelebrating with a series of blog posts focused on internal audit topics and the daily challenges and future of the internal audit profession.



Brian ChristensenBy Brian Christensen
Global Leader, Internal Audit and Financial Advisory




What I described in my previous posts, here, here and here, is a new kind of internal auditor – a well-connected and socially savvy strategist equally capable of understanding and explaining complex analytics and of winning the right to be heard. So what are the characteristics and traits that this kind of internal auditor will need to possess to be successful?

This is a topic we will revisit over the next 18 months or so, as we pore over the mountain of information we’ve gathered in the CBOK Stakeholder Survey. It is critically important, because while the basics of a financial and accounting background remain fundamental to our mission of assurance, it will be our success as communicators that will drive our transformation, as a profession, into the trusted advisers we aspire to be.

Think of the chief audit executives you know. What made them valuable contributors? Communication? Flexibility? Adaptiveness? Are those characteristics that you would normally use to describe yourself or members of your team? If you are a director or senior executive reading this, are these characteristics that describe your chief auditor?

The traditional education gained coming up through an audit, finance, IT or accounting  background remains pertinent, but what about those other skills, especially the ability to communicate? What does that mean? Think about the effective communicators whom you’ve seen interact with the C-suite. What makes them successful? First, they listen and, second, they ask focused questions to discover the real issues and problems that merit solving. They are able to get to the point quickly and articulate complex issues and relevant ideas and solutions in a way others can understand. That makes them relevant. To top it off, they likely have a very good notion about when to speak up, picking up on non-verbal cues as necessary.

Augmenting the communications side, today’s internal auditor needs to be flexible and agile enough to be comfortable with change. As an auditor, how dynamic is your audit plan? Are you willing to take things off and redirect your focus when a major unusual transaction or event occurs?  What happens when management decides to circle the wagons when a major supply chain disruption occurs, or a significant product recall? Are you engaged with management and the board to take into consideration these types of situations?

As I mentioned before, we, as the internal audit function, can help give a common language to assist in guiding the organization, both the business leaders and the board, around this conversation. Boards want to understand what’s going on. Because of the direct reporting relationship of  auditors to boards of directors, they can be that liaison who reports and provides information going forward.

And that wraps up my recap of the 2016 CBOK Survey. I look forward to hearing about all the ways you are evolving your internal audit function, developing and strengthening stakeholder relationships. To access the webinar discussion, click here and sign in to view the archived version.

Prioritizing Risks and Demonstrating Strategic Risk Savvy

May is International Internal Audit Awareness Month. We are Internal Audit Awareness Month logocelebrating with a series of blog posts focused on internal audit topics and the daily challenges and future of the internal audit profession.


Brian ChristensenBy Brian Christensen
Global Leader, Internal Audit and Financial Advisory




In my last post, I argued that internal auditors should go beyond assurance to serve as strategic advisers to executive management and directors.

This begs the question: Which risks do we focus on? CBOK survey respondents were adamant that they want to see internal audit more directly involved in advising on strategic risks – more than half said so. What they didn’t say is that they want internal auditors to take their eyes off the operational, financial and compliance risks. It’s just that strategic risks are the focus of both senior management and the board, and so it makes sense that, as the internal audit function aligns with the needs of these key constituents, it includes strategic risks in its line of sight.

Traditionally, auditors have done a good job analyzing financial risks. Recent years have seen the move into operational and compliance risk assurance as well. Compliance is a very hot topic with serious reputational underpinnings, so, unsurprisingly, there is a resounding affirmative that we need to continue to respond to that. Where there’s room for growth is in the strategic risk arena: If a company is going through a large ERP implementation, for example, the internal audit function can best add value and demonstrate its understanding of strategic risks by serving in a proactive consultative capacity to the project planning committee.

Not only are stakeholders expecting internal auditors to weigh in on a broader variety of risks, but they are increasingly looking for more timely and, sometimes, even real-time feedback. Audit plans need to be dynamic and audit processes agile enough to adapt on the fly to changes in the risk landscape.

That means that audit tools need to be equally agile. We’re seeing an increased demand for data analytics. A lot of great tools have come out in recent years that enable auditors to mine and report on entire data sets, instead of testing limited samples.

Internal audit’s role in identifying and analyzing risk has become a corporate imperative, even at companies with a separate risk management infrastructure, such as a chief risk officer or chief privacy officer. The difference between these “chiefs” and the chief audit executive (CAE) is that, in most organizations, the CAE reports to the board but also has more frequent face time with directors. This underscores how critical it is for the internal audit function to demonstrate an understanding of strategic risk and be an engaged, familiar face around the company, particularly with its leaders.

So how do we do that? We knock on executives’ doors, ask questions about the company’s direction, inquire about new markets and products, stay curious and informed, and connect the information received from different sources so that executives trust our “big picture” acumen and intuition and engage in this conversation with us. This, in turn, gets us invited more often to the table.

Relationships are key, and I will pick up the topic in my next post. You can access our April 6 webinar here.