Internal audit: getting in early on strategic planning
At a time when data breaches, social media gaffes and careless due diligence of third-party service providers are causing members of board audit committees to lose sleep, risk management has become an enterprise-wide concern that more than ever demands collaboration between a variety of skill sets.
In a recent Pulse of the Profession survey, the Institute of Internal Audit (IIA) finds that 39 percent of respondents from Fortune 500 companies have increased their focus on strategic business risks, with 59 percent of them reporting no change. For all respondents, 31 percent report an increase, while 65 percent say their focus on such risks remains the same.
Traditionally the internal audit department has played an assurance role, weighing in late in the process to validate exercises that are most often related to financial reporting. As risk management becomes a more pressing concern for many companies, however, internal audit is increasingly being asked not only to provide assurance on non-financial matters but also to offer input earlier in the process, while business strategies are still being formulated. This emerging advisory role is calling on different skill sets and requiring improved efficiency as internal audit teams do their best to manage a fuller plate of duties.
In Protiviti’s ninth ‘Internal auditing around the world report, released last year, General Mills says that while assurance accounts for most of its global internal audit function’s work, the department also takes on two or three advisory projects per year.
Most organizations conduct a ‘visioning exercise’ around their annual strategic plans, but they may also consider longer-range strategies, including expansion into new products and services, raising fresh capital to support the business with new IT systems, manufacturing plants or other critical infrastructure, and innovation via acquisitions, says Brian Christensen, an expert on internal audit at Protiviti.
‘When internal audit can be privy to and part of that conversation, it can clearly participate on the front side to coach the organization on what are prudent and acceptable controls, in order to avoid the pitfalls of discovering those down the road,’ he explains.
In a survey of more than 500 chief audit executives and audit committee members that was conducted in 2013, EY and Forbes Insights find that advisory services already account for some portion of the internal audit work plans of 96 percent of respondents, up 6 percentage points from the 2012 survey. The results also show that advisory reviews now comprise at least a quarter of the internal audit function’s efforts for 52 percent of those polled.
Despite the increased focus on compliance risk with all the new regulations that have been passed, Richard Chambers, president and chief executive of the IIA, says he’s seen internal audit departments focus more in recent years on how effective their companies’ risk management is. Thanks to rules mandated by the Dodd-Frank Act and new proxy disclosure rules from the SEC, there’s now greater emphasis on boards executing their oversight responsibilities around risk management. If the board is looking to someone within the company for an objective perspective on how well risk is being managed, the internal audit function is in the best position to provide that, Chambers notes.
Since November 2012, when the IIA launched a new certification in risk management assurance for internal auditors, 14,000 people worldwide have received the qualification, 4,400 of whom are in the US. ‘It’s because internal audit is being asked more and more to provide that assurance to management and to the board,’ says Chambers. ‘The point is that internal auditors themselves recognize this is a skill they need to demonstrate their proficiency in.’
The demand for this certification also indicates the direction in which internal audit coverage is moving, he adds – and the IIA’s spring 2013 survey results appear to confirm this. Around 30 percent of respondents say they’re providing more coverage in business strategy, while 35 percent say they expect to boost their coverage in risk management effectiveness in the year ahead. Several companies’ 10K filings cite work that internal audit has done on behalf of the board to provide risk management assurance, Chambers says.
Michael O’Leary, a partner and global internal audit leader at EY, believes the shift away from assurance audits and toward advisory audits is largely due to added pressure from boards and their audit committees. Given greater awareness of the implications of not being more proactive in addressing some emerging risk areas, ‘the whole notion of internal audit playing more of an advisory role will continue to increase in prominence, particularly when you think of the complexity of the business environment for so many companies that might be entering into more emerging markets in some cases,’ he says. And that’s not to mention the rising complexity of IT environments, cyber-security threats and the overall level of transformative initiatives that many companies are pursuing.
The COSO 2013 Framework
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Framework, which updates the original framework implemented in 1992, is also spurring internal auditors to expand their role to include risk management assurance, says Chambers. Companies are expected to embrace the revised framework by the end of 2014.
The new framework includes an explicit requirement for board oversight of internal controls. Christensen believes boards will be eager to involve the internal audit function in the design process. ‘What boards will look to internal audit for is feedback and advice as to whether the design and execution of an internal control environment is adequate,’ he says.
Christensen cites enterprise resource planning (ERP) as an example. If a company is installing new software or revising an existing platform, incorporating internal audit into that multi-step process takes advantage of expertise within the company and provides immediate feedback to management, where traditionally internal auditors did all their testing well after implementation had occurred, he explains.
Internal audit won’t be expected to design the internal control environment, but it will be able to offer advice and direction. That’s an essential distinction professionally because internal audit wouldn’t be able to be objective and critical about something that it has created and put in place, Christensen stresses.
The COSO 2013 Framework also requires firms to increase their focus on fraud and its causes. Historically, internal controls regarding fraud prevention have concentrated on daily business processes, with scant consideration given to identifying red flags that could alert managers to conditions potentially enabling fraud, says Christensen.
‘The [heightened] consideration of fraud, I think, introduces an awareness and facilitates a discussion with management around fraud and its implications,’ he states. ‘The COSO 2013 Framework has addressed that, and by adding that to a discussion [about internal controls] at the beginning, it increases the knowledge and awareness of all parties of the possibilities and potentially the existence of fraud within any process or reporting function.’
Christensen expects new technical tools to be made available that will enable auditors to scour large data sets for signs of potential for fraud.
Reaping the benefits
In addition to change management such as revisions to ERP, Christensen points to two other scenarios in which companies can benefit from internal audit’s expanded responsibility. The first is when integrating the operations of a business that the company has recently bought or merged with. The internal auditor’s familiarity with the details of the company he or she serves ‘may be pertinent to help map directionally where the integration and assimilation of the acquisition can occur,’ Christensen explains.
The second scenario concerns the handling of emerging risks such as cyber-security. Cyber-attacks require immediate and precise responses, especially in large-scale global companies that are operating around the clock. When a data breach occurs, questions like who’s responding, what the plan is and where resources should be applied are better addressed when internal audit is represented ‘on the front end through a council or a broader management team that is multi-disciplined,’ Christensen says. ‘This enables the response to be more accurate and ultimately to reduce the exposure the company may have.’
Internal audit is an under-used resource when it comes to addressing social media-related risk, which can trigger other risks, including financial risks associated with disclosures that violate SEC rules and information leaks that can harm a company’s reputation, Deloitte says in a Wall Street Journal story published last August.
Cindy Fornelli, executive director of the Center for Audit Quality, says including internal audit in strategic planning around social media is a great idea. ‘Internal audit is going to understand the company’s risk profile in a way that others might not, and understand what those disclosures might look like,’ she explains. ‘To have the department help monitor social media and understand the potential consequences of certain media posts’ would be very useful.
For Fornelli, the quasi-independent status of the internal audit function, designed to be ‘a check on management, a third line of defense’, is what places it in a unique position to contribute to conversations around strategic business risk. It’s also considered a best practice for internal audit to report directly to the board’s audit committee, and even in companies where lines of communication aren’t structured that way, the audit committee typically has an interest in internal audit and uses it as a resource.
Internal audit is ‘in this kind of bull’s-eye, if you will, of understanding what’s going on at a company and being able to give the audit committee information and comfort about what’s going on at the company, as well as working closely with the external auditor,’ Fornelli says.
Addressing strategic risk
Only 28 percent of respondents to the EY/Forbes Insights survey say internal audit currently plays a truly strategic role at their companies, but nearly twice as many (54 percent) say they expect strategic advisory services to become their primary mandate within the next two years, signaling a radical shift in their purview.
O’Leary believes the small degree of participation in strategic risk planning reflects the lingering effect of aligning the internal audit function with financial or compliance risks. Chambers attributes the limited coverage of strategic business risks to the fact that internal audit departments are still retooling the skill sets required to address some of these risks.
The companies that seem to be moving fastest to give their internal audit functions more responsibility are those with a rotational component in their staffing model, says Chambers. Home Depot and Chrysler are among the firms that have adopted this rotational model and are using internal audit as a training platform for other functions throughout the company, he notes. General Electric has used this model for a long time, bringing people into the internal audit department who have extensive knowledge of the firm’s businesses or the broader industry. It’s more natural for such departments to address a broader portfolio of risks, Chambers adds.
Conversely, companies that are struggling most to broaden internal audit’s role succeeded in flushing out all the non-accountants a while ago, leaving an audit staff that lacks institutional knowledge extending back many years, he says.
The profile of the Canadian Imperial Bank of Commerce (CIBC) in Protiviti’s report echoes Chambers’ observations. CIBC encourages sharing knowledge of risk and controls across the company through ‘seeding’ members of the internal auditor team in critical positions throughout the company, while also recruiting internal auditors from other functions within the company. It has also created a governance and control committee to serve as a forum that facilitates discussion and knowledge-sharing on risk and control matters, including trends and thematic issues.
Changing skill sets
Less than seven years ago, internal audit’s assurance work centered almost entirely on financial controls and required an accounting background more than any other skill, says Chambers. These days that portfolio of coverage has dramatically shifted, to the point where financial controls now comprise less than 25 percent of internal audit’s efforts. Because of this ‘change in the genetic makeup of internal audit departments’, they are now recruiting for different skill sets, including analytical and critical thinking and communications, Chambers observes.
Complementing this is the fact that the expanded responsibility is making internal audit attractive to ‘non-traditional hires’ such as those with MBA degrees or broad IT skills, who are able to speak the same language as managers responsible for strategic business planning, says Christensen.
To be truly effective, however, the internal audit function must have a seat at the table, says Fornelli. ‘The head of internal audit has to be seen as a C-suite executive, just like the others,’ she explains. ‘He or she needs to be seen as a peer of the chief financial officer, the general counsel and the corporate secretary. This is increasing – I do think you see it more, certainly at larger companies. As I talk to internal auditors, I think the important role they play is being appreciated more and more. This helps to make sure they have a voice and a seat at the table.’
Having a seat at the table means full participation in strategic planning meetings, not just being invited, and that’s something the board of directors needs to be aware of and understand, Fornelli adds.
A holistic approach
For companies that lack a central body responsible for bringing risk stakeholders together, it’s critical that internal audit proactively co-ordinate its efforts with other risk managers to ensure the company has the appropriate level of risk coverage, that there’s no duplication of efforts and that the department is avoiding the risk of gaps, recommends O’Leary.
‘It’s a matter of making sure that, on a holistic, company-wide level, there’s clear consensus as to what the responsibilities of the respective functions are and how they manage those in order to be efficient and get the right coverage,’ he explains.
Even if the different functions’ risk assessments disagree, the head of the internal audit function must at least understand why before he or she reports to the board, warns Chambers. ‘It’s not that they necessarily have to adopt each other’s views of risk, but it’s frustrating for the board to have two different risk assessments handed to it’ that are contradictory, he explains. He adds that he has seen an audit committee throw out all the assessments and say, ‘Come back with something we can use.’
Chambers believes companies will be willing to embrace a more holistic model of risk management only where the internal audit department can demonstrate its ability in this area.
Risks need to be assessed continuously if a company hopes to avoid trouble. A decade or more ago, annual assessment may have worked, but ‘we’ve entered an era of such dynamic risk that the old approach is no longer sufficient’, according to Chambers.
‘Audit committees want internal audit to help them avoid landing on the front page of the New York Times,’ he concludes. ‘That’s a pretty high bar for internal audit to clear if you think about it.’