Assessing the Expectations of Internal Audit Stakeholders at The IIA GAM Conference

This week, Protiviti is joining the best and brightest thought leaders from Fortune 500 companies at The Institute of Internal Auditors’ 2017 General Audit Management (GAM) Conference in Orlando, FL. For nearly 40 years, GAM has been the premier experience for internal audit leaders to explore emerging issues and exchange leading practices for positive outcomes. The theme for the 2017 conference is Fostering Risk Resilience. Two Protiviti leaders, Brian Christensen and Jordan Reed, will be conducting panel discussions on stakeholder expectations and the Internet of Things, respectively. We are covering these events and more from the conference here on our blog and on Protiviti’s social media platforms. Subscribe to our blog and follow us on Twitter for timely podcasts and analysis of this year’s conference topics.


Panel Session at the 2017 IIA GAM Conference:
Stakeholder Expectations (Updates from CBOK Stakeholder Studies)

Today at The IIA 2017 GAM Conference, Brian Christensen, Executive Vice President, Global Internal Audit for Protiviti, participated in a panel discussion before more than 1,000 conference attendees on the expectations of internal audit stakeholders and how internal audit can continue to improve its performance. The panel was moderated by Paul Sobel, Vice President and Chief Audit Executive, Georgia-Pacific LLC. Panelists were Angela Witzany, Chair, IIA Board of Directors and Head of Internal Audit at Sparkassen Versicherung AG; Larry Harrington, Vice President, Internal Audit at Raytheon Company; and Brian Christensen, Executive Vice President, Global Internal Audit at Protiviti.

Following are some highlights from Brian’s comments:

  • Are we in the so-called “golden age” of internal audit? Membership in The IIA is at an all-time high. Conferences and programs are near capacity. As internal auditors, we are part of the conversation in the boardroom and management circles. And internal audit has been rated one of the 10 best professions to start a career. But, it’s important to ask, what can we do better? How do we remain relevant and serve our constituents better? Answering these questions was the goal of the 2016 Global Internal Audit Common Body of Knowledge (CBOK) Stakeholder Study.
  • Stakeholders agree that internal audit is focused on the most significant areas in their organizations. Internal audit is keeping up with changes in the business and is communicating well with management and the board.
  • Internal audit needs to further leverage its positive reputation for quality in other areas of the business where it can add value.
  • Management and the board want internal audit to “move beyond its comfort zone” to help organizations bring internal audit perspective on strategic initiatives and changes – digitalization, cybersecurity, Internet of Things and more. Change is all around us. In light of these many changes, what are new and emerging risks that organizations need to understand and manage? Internal audit can and is expected to provide information and insights to board members and management on these new risks.

Brian also offered some calls to action:

  • As internal auditors, we need to rise up to the expectations of our stakeholders. We’ve been told we’re doing a great job, but we can do more, and our stakeholders want us to do more.
  • We need to break out of historical thinking and approaches. We’ve earned a solid reputation – we now need to build on it.
  • We need to focus on and embrace the four C’s – Culture, Compliance, Competitiveness, Cybersecurity.
  • We need to ask ourselves: Where do we want to be in five years? In 10 years? How do we continue our “golden age”? The answer: Take on bold ideas and new concepts.
  • Finally, we need to own the discourse to fulfill the expectations of our stakeholders.

We have a great opportunity – not just for ourselves, but to create a path for those behind us. Stakeholders have given us a road map to success. Let’s fulfill our destiny and continue our golden age.


FSI CBOK Study: Effective Assurance Alone Is No Guarantee of Internal Audit Success

By Mike Thor, Managing Director
Leader of Protiviti’s North American Internal Audit practice



This year the internal audit agenda for the financial services industry is more than a little crowded. Global macroeconomic uncertainty, rock-bottom interest rates, soaring regulatory expectations, cybersecurity threats and attacks, legacy information technology (IT) systems, fintech, blockchain and other disruptive innovations — and that’s before we even get to fulfilling the core mission of delivering effective assurance.

The message of the 2015 Global Internal Audit Common Body of Knowledge (CBOK) Stakeholder Study is clear: Assurance alone is no longer enough. Assurance remains at the core of the internal audit function — value-added work for stakeholders cannot detract from that. But survey respondents, who included executives and board members who work closely with internal auditors, indicated they want more. Specifically:

  • Consulting on business process improvements
  • Alerting operational management to emerging issues and changing regulatory and risk scenarios
  • Facilitating and monitoring effective risk management practices by operational management
  • Detecting shifts in the organization’s implicit risk appetite
  • Identifying known and emerging risk areas

More than 70 percent of board members and executives believe internal audit should take a more active role in assessing and evaluating strategic risks. This is a mandate for chief audit executives and internal auditors to think more strategically when evaluating risks and ensuring their audit plans are sufficiently risk based.

Implicit in all of these value-added functions is the importance of maintaining objectivity. Such consulting approaches a fine line that regulators tend to review closely. And, of course, all of that is in addition to assurance, which remains internal audit’s primary objective. The good news is that respondents gave internal audit high marks for assurance activities, and especially for establishing audit plans to assess areas or topics that are significant and highly relevant to the organization and consistent with organizational goals. There were five assurance areas, however, that respondents agreed could use improvement, including:

  • Effectively validating that executive management promotes appropriate ethics and values within the organization
  • Communicating which risks or activities of the organization are not covered by the internal audit plan
  • Assessing the adequacy and effectiveness of governance
  • Demonstrating sufficient knowledge of key IT risks and controls in performing audit engagements, and
  • Demonstrating sufficient knowledge of fraud and corruption to identify red flags indicating possible fraud or corruption when planning and conducting audit engagements

Looking ahead, executives and directors said they are increasingly turning to internal audit for advice on business process improvements and see opportunities for auditors to add even more value through data analysis and so-called “soft” skills, including change management and facilitating interdepartmental communication.

For more detailed analysis and survey results, you can download the report here.

Global CAEs Seeing Regulatory Convergence

Frederick Magliozzi, Managing Director
Internal Audit and Financial Advisory



At The Institute of Internal Auditors International Conference in New York this July, I had the privilege of moderating a panel of CAEs on global audit issues, emerging risks and challenges in the financial services industry.

We had a large international group, including hundreds of CAEs, who were eager to hear from our panelists representing some of the world’s largest financial institutions. Among the panelists were Mark Carawan, CAE of Citi; Naohiro Mouri, Chief Internal Auditor of AIG Japan Holdings; Nicola Rimmer, General Manager Audit at ANZ Bank; and Stephan Schenk, Executive Vice-President and Chief Auditor at TD Bank.

Panelists began with a discussion of the evolving risk landscape. As you might imagine, fraud, reputation and cybersecurity topped the risk list, with cloud risk rising in response to growing demand for mobile banking and big data analytics.

Although those risks are not necessarily new, the conversation focused on ways the internal audit function is evolving to stay ahead of the risk curve. Panelists emphasized the importance of continuous monitoring and the need for audit automation, digitization and more sophisticated tools to support the ascendancy of internal audit into a more strategic role as risk advisor across all lines of defense.

The need for the implementation of new audit technology and ongoing training in how to make the most of these new and sophisticated tools was a recurring theme, echoed in a subsequent question about the future of the internal audit function. Our panelists all emphasized the critical need for internal auditors to be able to anticipate and identify potentially disruptive risks and work closely with first-line managers to bring value-added mitigation recommendations to the table.

For me, the biggest takeaway from the discussion was the consensus among both panelists and CAEs in attendance that regulators around the globe are beginning to align their efforts, particularly in areas such as anti-money-laundering (AML) and the Bank Secrecy Act (BSA).

There seems to be a growing acknowledgement that money knows no borders. Regulators from various geographies around the globe are in much closer communication than ever before. They communicate regularly and they are creating a lot of pressure for financial institutions to make sure they are addressing risks — not only strategic risks, but local regulatory risks. And they are interested in the credentials of the people assigned to watch over these risks, to ensure technical competency.

From an internal audit perspective, this future state of increased regulatory cooperation and scrutiny demands robust risk assessments and risk training, to ensure that stakeholders understand all of the significant risks institutions face. Current regulatory hot buttons include vendor risk management, AML/BSA, and cybersecurity, to name a few.

In closing, I’d emphasize again that when it comes to internal audit, the tendency is toward unification – this includes the ability to see the big picture, connect the dots, articulate interdependencies and collaborate. Regulators increasingly practice the same. For a more in-depth analysis of global regulation, I’d recommend our recently published white paper, The Challenges of Running a Global AML Program. Your thoughts and comments are appreciated, as always.